Add helper method to check for invalid message source.

This CL refactors the check for invalid render_frame_message_source_ to a common method and uses it in all of the relevant IPC handlers. Ideally it will all be removed once RenderViewHost disappears or all of its IPC handling is removed. BUG=451932, 449777 TBR=isherman@chromium.org NOTRY=true Review URL: https://codereview.chromium.org/877203002 Cr-Commit-Position: refs/heads/master@{#313445} (cherry picked from commit 907fcb65c9ff242000395d8e4483ebdca8b77cbe) Review URL: https://codereview.chromium.org/943083003 Cr-Commit-Position: refs/branch-heads/2272@{#363} Cr-Branched-From: 827a380cfdb31aa54c8d56e63ce2c3fd8c3ba4d4-refs/heads/master@{#310958}
author: nasko <nasko@chromium.org> 2015-02-23 11:54:25 -0800
committer: Commit bot <commit-bot@chromium.org> 2015-02-23 19:55:17 +0000
commit: fce51c8ed52fd9a0e90fad89bd8b2fd309dea889 (patch)
tree: 8734948325c44bc7482b1c96e90379fe299bf9f5
parent: 11694b0ca87a690eb0d32e97204df04f1510cdf2 (diff)
download: chromium_src-fce51c8ed52fd9a0e90fad89bd8b2fd309dea889.zip
chromium_src-fce51c8ed52fd9a0e90fad89bd8b2fd309dea889.tar.gz
chromium_src-fce51c8ed52fd9a0e90fad89bd8b2fd309dea889.tar.bz2
3 files changed, 42 insertions, 10 deletions
diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
index 25d8762..ac0a7dc 100644
--- a/content/browser/web_contents/web_contents_impl.cc
+++ b/content/browser/web_contents/web_contents_impl.cc
@@ -567,6 +567,17 @@ bool WebContentsImpl::OnMessageReceived(RenderViewHost* render_view_host,
   return handled;
 }
 
+bool WebContentsImpl::HasValidFrameSource() {
+  if (!render_frame_message_source_) {
+    DCHECK(render_view_message_source_);
+    RecordAction(base::UserMetricsAction("BadMessageTerminate_WC"));
+    GetRenderProcessHost()->ReceivedBadMessage();
+    return false;
+  }
+
+  return true;
+}
+
 void WebContentsImpl::RunFileChooser(
     RenderViewHost* render_view_host,
     const FileChooserParams& params) {
@@ -2723,21 +2734,18 @@ void WebContentsImpl::OnDidRunInsecureContent(
 }
 
 void WebContentsImpl::OnDocumentLoadedInFrame() {
-  CHECK(render_frame_message_source_);
-  CHECK(!render_view_message_source_);
+  if (!HasValidFrameSource())
+    return;
+
   RenderFrameHostImpl* rfh =
       static_cast<RenderFrameHostImpl*>(render_frame_message_source_);
   FOR_EACH_OBSERVER(
       WebContentsObserver, observers_, DocumentLoadedInFrame(rfh));
 }
 
-void WebContentsImpl::OnDidFinishLoad(
-    const GURL& url) {
-  if (!render_frame_message_source_) {
-    RecordAction(base::UserMetricsAction("BadMessageTerminate_RVD2"));
-    GetRenderProcessHost()->ReceivedBadMessage();
+void WebContentsImpl::OnDidFinishLoad(const GURL& url) {
+  if (!HasValidFrameSource())
     return;
-  }
 
   GURL validated_url(url);
   RenderProcessHost* render_process_host =
@@ -2751,6 +2759,9 @@ void WebContentsImpl::OnDidFinishLoad(
 }
 
 void WebContentsImpl::OnDidStartLoading(bool to_different_document) {
+  if (!HasValidFrameSource())
+    return;
+
   RenderFrameHostImpl* rfh =
       static_cast<RenderFrameHostImpl*>(render_frame_message_source_);
   int64 render_frame_id = rfh->frame_tree_node()->frame_tree_node_id();
@@ -2789,6 +2800,9 @@ void WebContentsImpl::OnDidStartLoading(bool to_different_document) {
 }
 
 void WebContentsImpl::OnDidStopLoading() {
+  if (!HasValidFrameSource())
+    return;
+
   RenderFrameHostImpl* rfh =
       static_cast<RenderFrameHostImpl*>(render_frame_message_source_);
   int64 render_frame_id = rfh->frame_tree_node()->frame_tree_node_id();
@@ -2816,6 +2830,9 @@ void WebContentsImpl::OnDidStopLoading() {
 }
 
 void WebContentsImpl::OnDidChangeLoadProgress(double load_progress) {
+  if (!HasValidFrameSource())
+    return;
+
   RenderFrameHostImpl* rfh =
       static_cast<RenderFrameHostImpl*>(render_frame_message_source_);
   int64 render_frame_id = rfh->frame_tree_node()->frame_tree_node_id();
@@ -2952,9 +2969,9 @@ void WebContentsImpl::OnOpenColorChooser(
     int color_chooser_id,
     SkColor color,
     const std::vector<ColorSuggestion>& suggestions) {
-  // Protect against malicious renderer. See http://crbug.com/449777
-  if (!render_frame_message_source_)
+  if (!HasValidFrameSource())
     return;
+
   ColorChooser* new_color_chooser = delegate_ ?
       delegate_->OpenColorChooser(this, color, suggestions) :
       NULL;
@@ -4371,6 +4388,9 @@ void WebContentsImpl::OnPreferredSizeChanged(const gfx::Size& old_size) {
 
 void WebContentsImpl::AddMediaPlayerEntry(int64 player_cookie,
                                           ActiveMediaPlayerMap* player_map) {
+  if (!HasValidFrameSource())
+    return;
+
   const uintptr_t key =
       reinterpret_cast<uintptr_t>(render_frame_message_source_);
   DCHECK(std::find((*player_map)[key].begin(),
@@ -4381,6 +4401,9 @@ void WebContentsImpl::AddMediaPlayerEntry(int64 player_cookie,
 
 void WebContentsImpl::RemoveMediaPlayerEntry(int64 player_cookie,
                                              ActiveMediaPlayerMap* player_map) {
+  if (!HasValidFrameSource())
+    return;
+
   const uintptr_t key =
       reinterpret_cast<uintptr_t>(render_frame_message_source_);
   ActiveMediaPlayerMap::iterator it = player_map->find(key);
diff --git a/content/browser/web_contents/web_contents_impl.h b/content/browser/web_contents/web_contents_impl.h
index 7158107..376c19f 100644
--- a/content/browser/web_contents/web_contents_impl.h
+++ b/content/browser/web_contents/web_contents_impl.h
@@ -741,6 +741,10 @@ class CONTENT_EXPORT WebContentsImpl
                          RenderFrameHost* render_frame_host,
                          const IPC::Message& message);
 
+  // Checks whether render_frame_message_source_ is set to non-null value,
+  // otherwise it terminates the main frame renderer process.
+  bool HasValidFrameSource();
+
   // IPC message handlers.
   void OnThemeColorChanged(SkColor theme_color);
   void OnDidLoadResourceFromMemoryCache(const GURL& url,
diff --git a/tools/metrics/actions/actions.xml b/tools/metrics/actions/actions.xml
index b438d74..e823561 100644
--- a/tools/metrics/actions/actions.xml
+++ b/tools/metrics/actions/actions.xml
@@ -1250,6 +1250,11 @@ should be able to be added at any place in this file.
   <description>Please enter the description of this user action.</description>
 </action>
 
+<action name="BadMessageTerminate_WC">
+  <owner>Please list the metric's owners. Add more owner tags as needed.</owner>
+  <description>Please enter the description of the metric.</description>
+</action>
+
 <action name="BadMessageTerminate_WPH">
   <owner>Please list the metric's owners. Add more owner tags as needed.</owner>
   <description>Please enter the description of this user action.</description>
author	nasko <nasko@chromium.org>	2015-02-23 11:54:25 -0800
committer	Commit bot <commit-bot@chromium.org>	2015-02-23 19:55:17 +0000
commit	fce51c8ed52fd9a0e90fad89bd8b2fd309dea889 (patch)
tree	8734948325c44bc7482b1c96e90379fe299bf9f5
parent	11694b0ca87a690eb0d32e97204df04f1510cdf2 (diff)
download	chromium_src-fce51c8ed52fd9a0e90fad89bd8b2fd309dea889.zip chromium_src-fce51c8ed52fd9a0e90fad89bd8b2fd309dea889.tar.gz chromium_src-fce51c8ed52fd9a0e90fad89bd8b2fd309dea889.tar.bz2