Issue 652610 link

Starred by 1 user

Issue metadata

Status:	Verified
Owner:	maxmorin@chromium.org
Closed:	Oct 2016
Cc:	█ olka@chromium.org
Components:	Internals>Media
EstimatedDays:	----
NextAction:	----
OS:	All
Pri:	2
Type:	Bug

AudioRendererHost CHECKs on bad renderer behaviour

Project Member Reported by maxmorin@chromium.org, Oct 4 2016

Issue description

Version: M53 (and later)
OS: all

What steps will reproduce the problem?
(1) Renderer sends AudioHostMsg_RequestDeviceAuthorization with a non-default device ID.
(2) Before authorization is completed, renderer sends AudioHostMsg_CreateStream for the stream.

This doesn't happen during normal operation, only with buggy/compromised renderer

What is the expected output?
Either renderer kill by bad_message::ReceivedBadMessage or error reported to renderer.

What do you see instead?
Browser crash, because of the CHECK at https://cs.chromium.org/chromium/src/content/browser/renderer_host/media/audio_renderer_host.cc?sq=package:chromium&rcl=1475536681&l=498.

Comment 1 by maxmorin@chromium.org, Oct 4 2016

According to https://www.chromium.org/Home/chromium-security/education/security-tips-for-ipc#TOC-Safely-handle-known-bad-input, we shouldn't crash the browser on bad renderer behaviour.

Project Member

Comment 2 by bugdroid1@chromium.org, Oct 6 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/17fe3c43c3dcfa4c81486e63548a3f985402f68f

commit 17fe3c43c3dcfa4c81486e63548a3f985402f68f
Author: maxmorin <maxmorin@chromium.org>
Date: Thu Oct 06 09:04:38 2016

Remove dangerous CHECK. Add unit test.

New unit test failed before changes, passes now.

BUG= 652610 

Review-Url: https://codereview.chromium.org/2396463002
Cr-Commit-Position: refs/heads/master@{#423483}

[modify] https://crrev.com/17fe3c43c3dcfa4c81486e63548a3f985402f68f/content/browser/bad_message.h
[modify] https://crrev.com/17fe3c43c3dcfa4c81486e63548a3f985402f68f/content/browser/renderer_host/media/audio_renderer_host.cc
[modify] https://crrev.com/17fe3c43c3dcfa4c81486e63548a3f985402f68f/content/browser/renderer_host/media/audio_renderer_host_unittest.cc
[modify] https://crrev.com/17fe3c43c3dcfa4c81486e63548a3f985402f68f/tools/metrics/histograms/histograms.xml

Comment 3 by maxmorin@chromium.org, Oct 7 2016

Status: Verified (was: Assigned)

Project Member

Comment 4 by bugdroid1@chromium.org, Oct 27 2016

Labels: merge-merged-2840

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/17fe3c43c3dcfa4c81486e63548a3f985402f68f

commit 17fe3c43c3dcfa4c81486e63548a3f985402f68f
Author: maxmorin <maxmorin@chromium.org>
Date: Thu Oct 06 09:04:38 2016

Remove dangerous CHECK. Add unit test.

New unit test failed before changes, passes now.

BUG= 652610 

Review-Url: https://codereview.chromium.org/2396463002
Cr-Commit-Position: refs/heads/master@{#423483}

[modify] https://crrev.com/17fe3c43c3dcfa4c81486e63548a3f985402f68f/content/browser/bad_message.h
[modify] https://crrev.com/17fe3c43c3dcfa4c81486e63548a3f985402f68f/content/browser/renderer_host/media/audio_renderer_host.cc
[modify] https://crrev.com/17fe3c43c3dcfa4c81486e63548a3f985402f68f/content/browser/renderer_host/media/audio_renderer_host_unittest.cc
[modify] https://crrev.com/17fe3c43c3dcfa4c81486e63548a3f985402f68f/tools/metrics/histograms/histograms.xml

Comment 5 by dimu@google.com, Nov 4 2016

Labels: -merge-merged-2840

[Automated comment] removing mislabelled merge-merged-2840

►

Issue 652610 link

Issue metadata

AudioRendererHost CHECKs on bad renderer behaviour

Issue description

Comment 1 by maxmorin@chromium.org, Oct 4 2016

Comment 1 Deleted

Comment 2 by bugdroid1@chromium.org, Oct 6 2016

Comment 2 Deleted

Comment 3 by maxmorin@chromium.org, Oct 7 2016

Comment 3 Deleted

Comment 4 by bugdroid1@chromium.org, Oct 27 2016

Comment 4 Deleted

Comment 5 by dimu@google.com, Nov 4 2016

Comment 5 Deleted

Sign in to add a comment