| author | yzshen@chromium.org <yzshen@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-12 01:36:00 +0000 |
|---|---|---|
| committer | yzshen@chromium.org <yzshen@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2012-04-12 01:36:00 +0000 |
| commit | 1dffd5857eb90590cb732530f7ab105391b72415 (patch) | |
| tree | 608ce57d1bdc28356234a32dc5c7595bfbb83001 | |
| parent | 852a15c06fc2d4b87a1e2af5692b150c93123299 (diff) | |
Avoid sending DidChangeView notification if the plugin rect is too big.
This mirrors the behavior of NPAPI-handling code.
BUG=122657
TEST=None
Review URL: http://codereview.chromium.org/10053006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@131891 0039d316-1c4b-4281-b951-d872f2087c98
| -rw-r--r-- | content/renderer/webplugin_delegate_proxy.cc | 10 | ||||
| -rw-r--r-- | webkit/plugins/plugin_constants.cc | 6 | ||||
| -rw-r--r-- | webkit/plugins/plugin_constants.h | 9 | ||||
| -rw-r--r-- | webkit/plugins/ppapi/ppapi_plugin_instance.cc | 11 |
4 files changed, 30 insertions, 6 deletions
diff --git a/content/renderer/webplugin_delegate_proxy.cc b/content/renderer/webplugin_delegate_proxy.cc
index c6f0af5..5bc6084 100644
--- a/content/renderer/webplugin_delegate_proxy.cc
+++ b/content/renderer/webplugin_delegate_proxy.cc
@@ -49,6 +49,7 @@
 #include "webkit/glue/webkit_glue.h"
 #include "webkit/plugins/npapi/plugin_group.h"
 #include "webkit/plugins/npapi/webplugin.h"
+#include "webkit/plugins/plugin_constants.h"
 #include "webkit/plugins/sad_plugin.h"
 
 #if defined(OS_POSIX)
@@ -549,10 +550,11 @@ void WebPluginDelegateProxy::UpdateGeometry(const gfx::Rect& window_rect,
   // window_rect becomes either a window in native windowing system
   // coords, or a backing buffer. In either case things will go bad
   // if the rectangle is very large.
-  if (window_rect.width() < 0 || window_rect.width() > (1<<15) ||
-      window_rect.height() < 0 || window_rect.height() > (1<<15) ||
-      // Clip to 8m pixels; we know this won't overflow due to above checks.
-      window_rect.width() * window_rect.height() > (8<<20)) {
+  if (window_rect.width() < 0 || window_rect.width() > kMaxPluginSideLength ||
+      window_rect.height() < 0 || window_rect.height() > kMaxPluginSideLength ||
+      // We know this won't overflow due to above checks.
+      static_cast<uint32>(window_rect.width()) *
+      static_cast<uint32>(window_rect.height()) > kMaxPluginSize) {
     return;
   }
 
diff --git a/webkit/plugins/plugin_constants.cc b/webkit/plugins/plugin_constants.cc
index 05d35be..52d5aa2 100644
--- a/webkit/plugins/plugin_constants.cc
+++ b/webkit/plugins/plugin_constants.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
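Review bot: The rewritten size guard in UpdateGeometry is now the same five-line condition that the ppapi hunk adds to PluginInstance::SendDidChangeView, and both depend on the same two constants, so the two copies will drift the first time someone adjusts one of them. A single helper declared alongside the constants, e.g. `WEBKIT_PLUGINS_EXPORT bool IsPluginRectTooLarge(int width, int height);`, would let each caller shrink to `if (IsPluginRectTooLarge(window_rect.width(), window_rect.height())) return;` and keep the "won't overflow" reasoning in one place. The comparison itself is sound: both sides are bounded by kMaxPluginSideLength before the product is formed, so the uint32 multiplication cannot wrap. UpdateGeometry's body begins and ends outside the hunk.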
@@ -11,3 +11,7 @@ const char kFlashPluginSwfDescription[] = "Shockwave Flash";
 const char kFlashPluginSplMimeType[] = "application/futuresplash";
 const char kFlashPluginSplExtension[] = "spl";
 const char kFlashPluginSplDescription[] = "FutureSplash Player";
+
+const uint16 kMaxPluginSideLength = 1 << 15;
+// 8m pixels.
+const uint32 kMaxPluginSize = 8 << 20;
diff --git a/webkit/plugins/plugin_constants.h b/webkit/plugins/plugin_constants.h
index b53c22a..643d282 100644
--- a/webkit/plugins/plugin_constants.h
+++ b/webkit/plugins/plugin_constants.h
@@ -1,10 +1,11 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef WEBKIT_PLUGINS_PLUGIN_CONSTANTS_H_
 #define WEBKIT_PLUGINS_PLUGIN_CONSTANTS_H_
 
+#include "base/basictypes.h"
 #include "webkit/plugins/webkit_plugins_export.h"
 
 WEBKIT_PLUGINS_EXPORT extern const char kFlashPluginName[];
@@ -15,4 +16,10 @@ WEBKIT_PLUGINS_EXPORT extern const char kFlashPluginSplMimeType[];
 WEBKIT_PLUGINS_EXPORT extern const char kFlashPluginSplExtension[];
 WEBKIT_PLUGINS_EXPORT extern const char kFlashPluginSplDescription[];
 
+// The maximum plugin width and height.
+WEBKIT_PLUGINS_EXPORT extern const uint16 kMaxPluginSideLength;
+// The maximum plugin size, defined as the number of pixels occupied by the
+// plugin.
+WEBKIT_PLUGINS_EXPORT extern const uint32 kMaxPluginSize;
+
 #endif // WEBKIT_PLUGINS_PLUGIN_CONSTANTS_H_
diff --git a/webkit/plugins/ppapi/ppapi_plugin_instance.cc b/webkit/plugins/ppapi/ppapi_plugin_instance.cc
index 09554fa..037e1a9 100644
--- a/webkit/plugins/ppapi/ppapi_plugin_instance.cc
+++ b/webkit/plugins/ppapi/ppapi_plugin_instance.cc
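Review bot: The header comment on kMaxPluginSideLength does not record the invariant both callers rely on: because an accepted side length is bounded by this uint16, the product of two accepted sides is at most 2^30 and fits a uint32, which is why the callers may multiply without an overflow check. Suggest extending it to `// The maximum plugin width and height. Must stay small enough that the product of two side lengths fits a uint32; callers rely on that.` so a future change to a wider type or larger value is caught in review. kMaxPluginSize also reads like a byte count, whereas the comment defines it as a pixel area; a name such as kMaxPluginArea would say that on its own. The `// 8m pixels.` comment in plugin_constants.cc would be clearer as `// 8M pixels (8 << 20).`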
@@ -57,6 +57,7 @@
 #include "third_party/WebKit/Source/WebKit/chromium/public/platform/WebURLRequest.h"
 #include "third_party/WebKit/Source/WebKit/chromium/public/WebView.h"
 #include "ui/base/range/range.h"
+#include "webkit/plugins/plugin_constants.h"
 #include "webkit/plugins/ppapi/common.h"
 #include "webkit/plugins/ppapi/event_conversion.h"
 #include "webkit/plugins/ppapi/fullscreen_container.h"
@@ -1075,6 +1076,16 @@ void PluginInstance::SendDidChangeView(const ViewData& previous_view) {
       (sent_initial_did_change_view_ && previous_view.Equals(view_data_)))
     return;  // Nothing to update.
 
+  const PP_Size& size = view_data_.rect.size;
+  // Avoid sending a notification with a huge rectangle.
+  if (size.width < 0 || size.width > kMaxPluginSideLength ||
+      size.height < 0 || size.height > kMaxPluginSideLength ||
+      // We know this won't overflow due to above checks.
+      static_cast<uint32>(size.width) * static_cast<uint32>(size.height) >
+      kMaxPluginSize) {
+    return;
+  }
+
   sent_initial_did_change_view_ = true;
   ScopedPPResource resource(
       ScopedPPResource::PassRef(),
|
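Review bot: An oversized rect is dropped silently at the new early return, so a page that repeatedly hands the plugin an absurd geometry leaves no trace in any log, which makes the condition hard to notice or diagnose; a `DVLOG(1) << "Dropping DidChangeView for oversized plugin rect";` just before the `return;` would surface it in debug builds at no release cost. The comment `// Avoid sending a notification with a huge rectangle.` should also state why, mirroring the UpdateGeometry comment in webplugin_delegate_proxy.cc: the rect becomes a window or a backing buffer on the plugin side, and a very large one is what the limit protects against. Note too that the return precedes `sent_initial_did_change_view_ = true;`, so an instance whose first view is oversized is still treated as never having received its initial view; if that is intended, say so in the comment. SendDidChangeView's body begins and ends outside the hunk.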
