Bug 1532708. r=botond a=lizzard
authorKartikaya Gupta <kgupta@mozilla.com>
Fri, 08 Mar 2019 10:54:45 -0500
changeset 516318 51d306795184276ba5b837b644a8802b5aa29eb2
parent 516317 233a047f681dcb48ff12eb54fe79e4b5e10abdeb
child 516319 13616d2ad00049ffa76ebdfc8b9702317a269d0c
push id1953
push userffxbld-merge
push dateMon, 11 Mar 2019 12:10:20 +0000
treeherdermozilla-release@9c35dcbaa899 [default view] [failures only]
reviewersbotond, lizzard
bugs1532708
milestone66.0
Bug 1532708. r=botond a=lizzard Differential Revision: https://phabricator.services.mozilla.com/D22756
gfx/layers/ipc/LayerTransactionParent.cpp
gfx/layers/wr/WebRenderBridgeParent.cpp
--- a/gfx/layers/ipc/LayerTransactionParent.cpp
+++ b/gfx/layers/ipc/LayerTransactionParent.cpp
@@ -795,16 +795,25 @@ mozilla::ipc::IPCResult LayerTransaction
 mozilla::ipc::IPCResult LayerTransactionParent::RecvRequestProperty(
     const nsString& aProperty, float* aValue) {
   *aValue = -1;
   return IPC_OK();
 }
 
 mozilla::ipc::IPCResult LayerTransactionParent::RecvSetConfirmedTargetAPZC(
     const uint64_t& aBlockId, nsTArray<ScrollableLayerGuid>&& aTargets) {
+  for (size_t i = 0; i < aTargets.Length(); i++) {
+    if (aTargets[i].mLayersId != GetId()) {
+      // Guard against bad data from hijacked child processes
+      NS_ERROR(
+          "Unexpected layers id in RecvSetConfirmedTargetAPZC; dropping "
+          "message...");
+      return IPC_FAIL(this, "Bad layers id");
+    }
+  }
   mCompositorBridge->SetConfirmedTargetAPZC(GetId(), aBlockId, aTargets);
   return IPC_OK();
 }
 
 bool LayerTransactionParent::Attach(Layer* aLayer,
                                     CompositableHost* aCompositable,
                                     bool aIsAsync) {
   if (!aCompositable || !aLayer) {
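Review bot: The new loop in LayerTransactionParent::RecvSetConfirmedTargetAPZC validates only `mLayersId`. The remaining fields of each ScrollableLayerGuid still reach `SetConfirmedTargetAPZC` exactly as the child sent them, and this hunk does not show whether the compositor side tolerates values that match no known target, so that is worth confirming. The same loop is repeated in WebRenderBridgeParent.cpp with only `GetId()` swapped for `GetLayersId()`; a small shared helper would keep the two checks from drifting apart. The comment could also state the invariant being enforced, for example `// Every confirmed target must carry this actor's own layers id; anything else is treated as coming from a compromised child.`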
--- a/gfx/layers/wr/WebRenderBridgeParent.cpp
+++ b/gfx/layers/wr/WebRenderBridgeParent.cpp
@@ -1533,16 +1533,25 @@ mozilla::ipc::IPCResult WebRenderBridgeP
   // that we've done everything we can to flush stuff on the compositor.
   mAsyncImageManager->ProcessPipelineUpdates();
 
   return IPC_OK();
 }
 
 mozilla::ipc::IPCResult WebRenderBridgeParent::RecvSetConfirmedTargetAPZC(
     const uint64_t& aBlockId, nsTArray<ScrollableLayerGuid>&& aTargets) {
+  for (size_t i = 0; i < aTargets.Length(); i++) {
+    if (aTargets[i].mLayersId != GetLayersId()) {
+      // Guard against bad data from hijacked child processes
+      NS_ERROR(
+          "Unexpected layers id in RecvSetConfirmedTargetAPZC; dropping "
+          "message...");
+      return IPC_FAIL(this, "Bad layers id");
+    }
+  }
   if (mDestroyed) {
     return IPC_OK();
   }
   mCompositorBridge->SetConfirmedTargetAPZC(GetLayersId(), aBlockId, aTargets);
   return IPC_OK();
 }
 
 mozilla::ipc::IPCResult WebRenderBridgeParent::RecvSetTestSampleTime(
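Review bot: In WebRenderBridgeParent::RecvSetConfirmedTargetAPZC the layers-id check sits ahead of the `mDestroyed` early return, so a message with a foreign layers id fails the IPC even after the bridge has been destroyed. That ordering looks intentional, but a short comment would stop a later cleanup from hoisting the early return above the validation, e.g. `// Validate before the mDestroyed check so a bad sender is rejected even during teardown.` As a style point, `i` is only used to subscript, so the loop could be a range-for: `for (const ScrollableLayerGuid& guid : aTargets)`.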