Bug 1532708. r=botond
authorKartikaya Gupta <kgupta@mozilla.com>
Fri, 08 Mar 2019 20:00:37 +0000
changeset 521191 041549532c29c1f72fcded366fd59ae1dd28c22c
parent 521190 25bc4683d006d58b75a79d4a6b27383619102bc6
child 521192 b064bf107f894dd0eb7b138978466c02ca802688
push id10862
push userffxbld-merge
push dateMon, 11 Mar 2019 13:01:11 +0000
treeherdermozilla-beta@a2e7f5c935da [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersbotond
bugs1532708
milestone67.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1532708. r=botond Differential Revision: https://phabricator.services.mozilla.com/D22756
gfx/layers/ipc/LayerTransactionParent.cpp
gfx/layers/wr/WebRenderBridgeParent.cpp
--- a/gfx/layers/ipc/LayerTransactionParent.cpp
+++ b/gfx/layers/ipc/LayerTransactionParent.cpp
@@ -795,16 +795,25 @@ mozilla::ipc::IPCResult LayerTransaction
 mozilla::ipc::IPCResult LayerTransactionParent::RecvRequestProperty(
     const nsString& aProperty, float* aValue) {
   *aValue = -1;
   return IPC_OK();
 }
 
 mozilla::ipc::IPCResult LayerTransactionParent::RecvSetConfirmedTargetAPZC(
     const uint64_t& aBlockId, nsTArray<ScrollableLayerGuid>&& aTargets) {
+  for (size_t i = 0; i < aTargets.Length(); i++) {
+    if (aTargets[i].mLayersId != GetId()) {
+      // Guard against bad data from hijacked child processes
+      NS_ERROR(
+          "Unexpected layers id in RecvSetConfirmedTargetAPZC; dropping "
+          "message...");
+      return IPC_FAIL(this, "Bad layers id");
+    }
+  }
   mCompositorBridge->SetConfirmedTargetAPZC(GetId(), aBlockId, aTargets);
   return IPC_OK();
 }
 
 bool LayerTransactionParent::Attach(Layer* aLayer,
                                     CompositableHost* aCompositable,
                                     bool aIsAsync) {
   if (!aCompositable || !aLayer) {
--- a/gfx/layers/wr/WebRenderBridgeParent.cpp
+++ b/gfx/layers/wr/WebRenderBridgeParent.cpp
@@ -1542,16 +1542,25 @@ mozilla::ipc::IPCResult WebRenderBridgeP
   // that we've done everything we can to flush stuff on the compositor.
   mAsyncImageManager->ProcessPipelineUpdates();
 
   return IPC_OK();
 }
 
 mozilla::ipc::IPCResult WebRenderBridgeParent::RecvSetConfirmedTargetAPZC(
     const uint64_t& aBlockId, nsTArray<ScrollableLayerGuid>&& aTargets) {
+  for (size_t i = 0; i < aTargets.Length(); i++) {
+    if (aTargets[i].mLayersId != GetLayersId()) {
+      // Guard against bad data from hijacked child processes
+      NS_ERROR(
+          "Unexpected layers id in RecvSetConfirmedTargetAPZC; dropping "
+          "message...");
+      return IPC_FAIL(this, "Bad layers id");
+    }
+  }
   if (mDestroyed) {
     return IPC_OK();
   }
   mCompositorBridge->SetConfirmedTargetAPZC(GetLayersId(), aBlockId, aTargets);
   return IPC_OK();
 }
 
 mozilla::ipc::IPCResult WebRenderBridgeParent::RecvSetTestSampleTime(