Add a second line of defense for receiving a bad message in the renderer.

BUG=88949
TEST=none

Review URL: http://codereview.chromium.org/8142009

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@104010 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 9 insertions, 1 deletions

diff --git a/content/renderer/render_view.cc b/content/renderer/render_view.cc
index 5248e3e..708b874d 100644
--- a/content/renderer/render_view.cc
+++ b/content/renderer/render_view.cc
@@ -588,7 +588,8 @@ bool RenderView::OnMessageReceived(const IPC::Message& message) {
       return true;
 
   bool handled = true;
-  IPC_BEGIN_MESSAGE_MAP(RenderView, message)
+  bool msg_is_ok = true;
+  IPC_BEGIN_MESSAGE_MAP_EX(RenderView, message, msg_is_ok)
     IPC_MESSAGE_HANDLER(ViewMsg_Navigate, OnNavigate)
     IPC_MESSAGE_HANDLER(ViewMsg_Stop, OnStop)
     IPC_MESSAGE_HANDLER(ViewMsg_ReloadFrame, OnReloadFrame)
@@ -695,6 +696,13 @@ bool RenderView::OnMessageReceived(const IPC::Message& message) {
     // Have the super handle all other messages.
     IPC_MESSAGE_UNHANDLED(handled = RenderWidget::OnMessageReceived(message))
   IPC_END_MESSAGE_MAP()
+
+  if (!msg_is_ok) {
+    // The message had a handler, but its deserialization failed.
+    // Kill the renderer to avoid potential spoofing attacks.
+    CHECK(false) << "Unable to deserialize message in RenderView.";
+  }
+
   return handled;
 }