From c27e411de097d9da503f6d122e9df1083938ee45 Mon Sep 17 00:00:00 2001 From: "yusukes@google.com" Date: Fri, 18 Dec 2009 01:33:49 +0000 Subject: Returns an error immediately without sending IPC message when a font family name to resolve is too long. This change is important when a site has @font-face rule like: // http://paulirish.com/webkit-fontface-hang.html @font-face{font-family:testfont;src:url('data:font/ttf;base64,AA.....<>.....aQ==')} In such a case, WebCore first calls SkFontHost::CreateTypeface() with the (possibly very long) data-uri string itself, then calls SkFontHost::CreateTypefaceFromStream() with decoded byte stream. Since render_sandbox_host_linux.cc just ignores too long IPC message, the renderer process could block indefinitely waiting for a reply inside recvmsg() system call called from SkFontHost::CreateTypeface(). I'm not sure if the WebCore behavior (i.e. calling CreateTypeface with data-uris) is reasonable, but I believe the Skia part is better to be fixed anyway. Non data-uri font family names could be very long too: @font-face{font-family:testfont;src:local('AA........AA');} BUG=29861 TEST=First, set up your Linux SUID Sandbox binary: http://code.google.com/p/chromium/wiki/LinuxSUIDSandboxDevelopment. Then start Chromium and visit http://paulirish.com/webkit-fontface-hang.html or http://typekit.com/. Verify that the renderer does not freeze. Review URL: http://codereview.chromium.org/507037 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@34915 0039d316-1c4b-4281-b951-d872f2087c98
---
 chrome/browser/renderer_host/render_sandbox_host_linux.cc | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'chrome')
diff --git a/chrome/browser/renderer_host/render_sandbox_host_linux.cc b/chrome/browser/renderer_host/render_sandbox_host_linux.cc
index f1c3b03..2e89799 100644
--- a/chrome/browser/renderer_host/render_sandbox_host_linux.cc
+++ b/chrome/browser/renderer_host/render_sandbox_host_linux.cc
@@ -100,11 +100,20 @@ class SandboxIPCProcess {
 void HandleRequestFromRenderer(int fd) {
 std::vector fds;
- static const unsigned kMaxMessageLength = 2048;
- char buf[kMaxMessageLength];
+
+ // A FontConfigIPC::METHOD_MATCH message could be kMaxFontFamilyLength
+ // bytes long (this is the largest message type).
+ // 128 bytes padding are necessary so recvmsg() does not return MSG_TRUNC
+ // error for a maximum length message.
+ char buf[FontConfigInterface::kMaxFontFamilyLength + 128];
+
 const ssize_t len = base::RecvMsg(fd, buf, sizeof(buf), &fds);
- if (len == -1)
+ if (len == -1) {
+ // TODO: should send an error reply, or the sender might block forever.
+ NOTREACHED()
+ << "Sandbox host message is larger than kMaxFontFamilyLength";
 return;
+ }
 if (fds.size() == 0)
 return;
-- 
cgit v1.1
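Review bot: The new `if (len == -1)` branch reports the condition with `NOTREACHED()`, but the message comes from the renderer, which the sandbox host has to treat as untrusted, so an oversized or malformed message is a reachable input error rather than an invariant violation; in a debug build a single bad message would presumably abort the host process, while in release it only logs, which is the wrong tool for peer-controlled input. The branch also fires for any `base::RecvMsg` failure, not only a truncated message, so the text `"Sandbox host message is larger than kMaxFontFamilyLength"` is misleading for other failure modes. I would replace the two `NOTREACHED()` lines with `LOG(ERROR) << "Sandbox host: RecvMsg failed or message exceeds kMaxFontFamilyLength, dropping request";` and keep the early return, and the `// TODO` should carry the bug id from this commit (BUG=29861), since the commit's own description explains that the absent reply is what leaves the renderer blocked in recvmsg(). The `+ 128` in `char buf[FontConfigInterface::kMaxFontFamilyLength + 128]` is a magic number; giving it a named constant with the explanation already in the comment would make the buffer size easier to keep in sync with the message format. HandleRequestFromRenderer continues beyond the end of the hunk.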