[Backport] CVE-2020-16001: Use after free in media.

Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2472397:
Validate input of MediaStreamDispatcherHost::OpenDevice()

This method forwards to MediaStreamManager::OpenDevice(), which
DCHECKs for the stream type to be device video or audio capture
(i.e., webcam or mic). However, MSDH admits other stream types,
which cause MSM::OpenDevice to hit this DCHECK.

This CL ensures that a message containing an incorrect stream type,
which could be sent by a malicious renderer, results in killing the
renderer process.

Bug: 1135018
Change-Id: I3884dde95d92c41f44966a8ab1dd7bdfd4b23b9b
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

3 files changed, 10 insertions, 1 deletions

diff --git a/chromium/content/browser/bad_message.h b/chromium/content/browser/bad_message.h
index f5e39320ca6..626b4a3cd58 100644
--- a/chromium/content/browser/bad_message.h
+++ b/chromium/content/browser/bad_message.h
@@ -230,7 +230,7 @@ enum BadMessageReason {
   PERMISSION_SERVICE_BAD_PERMISSION_DESCRIPTOR = 202,
   RFH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL = 203,
   RFPH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL = 204,
-
+  MSDH_INVALID_STREAM_TYPE = 234,
   // Please add new elements here. The naming convention is abbreviated class
   // name (e.g. RenderFrameHost becomes RFH) plus a unique description of the
   // reason. After making changes, you MUST update histograms.xml by running:
diff --git a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
index 1125662f127..ecf96705a0b 100644
--- a/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
+++ b/chromium/content/browser/renderer_host/media/media_stream_dispatcher_host.cc
@@ -10,6 +10,7 @@
 #include "base/bind_helpers.h"
 #include "base/logging.h"
 #include "base/task_runner_util.h"
+#include "content/browser/bad_message.h"
 #include "content/browser/renderer_host/media/media_stream_manager.h"
 #include "content/public/browser/browser_thread.h"
 #include "content/public/browser/render_frame_host.h"
@@ -164,6 +165,13 @@ void MediaStreamDispatcherHost::OpenDevice(int32_t page_request_id,
                                            MediaStreamType type,
                                            OpenDeviceCallback callback) {
   DCHECK_CURRENTLY_ON(BrowserThread::IO);
+  // OpenDevice is only supported for microphone or webcam capture.
+  if (type != MediaStreamType::MEDIA_DEVICE_AUDIO_CAPTURE &&
+      type != MediaStreamType::MEDIA_DEVICE_VIDEO_CAPTURE) {
+    bad_message::ReceivedBadMessage(
+        render_process_id_, bad_message::MDDH_INVALID_DEVICE_TYPE_REQUEST);
+    return;
+  }
 
   base::PostTaskAndReplyWithResult(
       BrowserThread::GetTaskRunnerForThread(BrowserThread::UI).get(), FROM_HERE,
diff --git a/chromium/tools/metrics/histograms/enums.xml b/chromium/tools/metrics/histograms/enums.xml
index 43bd4157f4f..2077e428be9 100644
--- a/chromium/tools/metrics/histograms/enums.xml
+++ b/chromium/tools/metrics/histograms/enums.xml
@@ -3342,6 +3342,7 @@ uploading your change for review.  These are checked by presubmit scripts.
   <int value="202" label="PERMISSION_SERVICE_BAD_PERMISSION_DESCRIPTOR"/>
   <int value="203" label="RFH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL"/>
   <int value="204" label="RFPH_BLOB_URL_TOKEN_FOR_NON_BLOB_URL"/>
+  <int value="234" label="MSDH_INVALID_STREAM_TYPE"/>
 </enum>
 
 <enum name="BadMessageReasonExtensions">