Google Git
Sign in
chromium / chromium / src / 2706470a422dec8f4ae2538e80f0e7e3c4f4f7f6
commit2706470a422dec8f4ae2538e80f0e7e3c4f4f7f6[log] [tgz]
authorRouslan Solomakhin <rouslan@chromium.org>Fri Dec 14 21:15:33 2018
committerCommit Bot <commit-bot@chromium.org>Fri Dec 14 21:15:33 2018
treefc2bec12badd270c9c287763936eaa1c62af482c
parent1429311c4725dba41c4aeef9a9330ce3cd7f02b7 [diff]
[Payment Request][Desktop] Prevent use after free.

Before this patch, a compromised renderer on desktop could make IPC
methods into Payment Request in an unexpected ordering and cause use
after free in the browser.

This patch will disconnect the IPC pipes if:
 - Init() is called more than once.
 - Any other method is called before Init().
 - Show() is called more than once.
 - Retry(), UpdateWith(), NoupdatedPaymentDetails(), Abort(), or
   Complete() are called before Show().

This patch re-orders the IPC methods in payment_request.cc to match the
order in payment_request.h, which eases verifying correctness of their
error handling.

This patch prints more errors to the developer console, if available, to
improve debuggability by web developers, who rarely check where LOG
prints.

After this patch, unexpected ordering of calls into the Payment Request
IPC from the renderer to the browser on desktop will print an error in
the developer console and disconnect the IPC pipes. The binary might
increase slightly in size because more logs are included in the release
version instead of being stripped at compile time.

Bug: 912947
Change-Id: Iac2131181c64cd49b4e5ec99f4b4a8ae5d8df57a
Reviewed-on: https://chromium-review.googlesource.com/c/1370198
Reviewed-by: anthonyvd <anthonyvd@chromium.org>
Commit-Queue: Rouslan Solomakhin <rouslan@chromium.org>
Cr-Commit-Position: refs/heads/master@{#616822}
2 files changed
tree: fc2bec12badd270c9c287763936eaa1c62af482c
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. cc/
  8. chrome/
  9. chrome_elf/
  10. chromecast/
  11. chromeos/
  12. cloud_print/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. gin/
  22. google_apis/
  23. google_update/
  24. gpu/
  25. headless/
  26. infra/
  27. ios/
  28. ipc/
  29. jingle/
  30. mash/
  31. media/
  32. mojo/
  33. native_client_sdk/
  34. net/
  35. pdf/
  36. ppapi/
  37. printing/
  38. remoting/
  39. rlz/
  40. sandbox/
  41. services/
  42. skia/
  43. sql/
  44. storage/
  45. styleguide/
  46. testing/
  47. third_party/
  48. tools/
  49. ui/
  50. url/
  51. webrunner/
  52. .clang-format
  53. .eslintrc.js
  54. .git-blame-ignore-revs
  55. .gitattributes
  56. .gitignore
  57. .gn
  58. .vpython
  59. AUTHORS
  60. BUILD.gn
  61. CODE_OF_CONDUCT.md
  62. codereview.settings
  63. DEPS
  64. ENG_REVIEW_OWNERS
  65. LICENSE
  66. LICENSE.chromium_os
  67. OWNERS
  68. PRESUBMIT.py
  69. PRESUBMIT_test.py
  70. PRESUBMIT_test_mocks.py
  71. README.md
  72. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .