[ MimeHandlerView ] Fix for a renderer crash

HTMLPlugInElement::PluginWrapper() can be called for a plugin element that does not have a document node frame. This causes a crash in MimeHandlerViewContainerManager::Get() which expects the passed |render_frame_| to be nullptr. Bug: 966371 Change-Id: I6ba558efdf416f421d1a540f947d79203b0bc985 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1627267 Reviewed-by: Ehsan Karamad <ekaramad@chromium.org> Reviewed-by: James MacLean <wjmaclean@chromium.org> Commit-Queue: Ehsan Karamad <ekaramad@chromium.org> Cr-Commit-Position: refs/heads/master@{#662741}
marcosholgado · May 23, 2019 · 1e1bf5b · 1e1bf5b
1 parent d36d34d
commit 1e1bf5b
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 1 deletion.
diff --git a/chrome/test/data/extensions/api_test/mime_handler_view/adopt_node_in_onload_no_crash.html b/chrome/test/data/extensions/api_test/mime_handler_view/adopt_node_in_onload_no_crash.html
@@ -0,0 +1,12 @@
+<div id="container">
+<object id="object" type="application/ecmascript" onload="load_handler()"><iframe id="iframe"></iframe></object>
+<script>
+  function load_handler() {
+    iframe.contentDocument.adoptNode(container);
+  }
+  function content_load_handler() {
+    object.width = 50;
+  }
+  document.addEventListener("DOMContentLoaded", content_load_handler);
+</script>
+</div>
diff --git a/extensions/browser/guest_view/mime_handler_view/mime_handler_view_browsertest.cc b/extensions/browser/guest_view/mime_handler_view/mime_handler_view_browsertest.cc
@@ -626,4 +626,17 @@ IN_PROC_BROWSER_TEST_P(MimeHandlerViewCrossProcessTest,
   // PostMessageSupport). Run some JS to Ensure no DCHECKs have fired in the
   // embedder process.
   ASSERT_TRUE(content::ExecJs(GetEmbedderWebContents(), "foo = 0;"));
-}
+}
+
+// This is a minimized repro for a clusterfuzz crasher and is not really related
+// to MimeHandlerView. The test verifies that when
+// HTMLPlugInElement::PluginWrapper is called for a plugin with no node document
+// frame, the renderer does not crash (see https://966371).
+IN_PROC_BROWSER_TEST_P(MimeHandlerViewCrossProcessTest,
+                       AdoptNodeInOnLoadDoesNotCrash) {
+  ui_test_utils::NavigateToURL(
+      browser(),
+      embedded_test_server()->GetURL("/adopt_node_in_onload_no_crash.html"));
+  // Run some JavaScript in embedder and make sure it is not crashed.
+  ASSERT_TRUE(content::ExecJs(GetEmbedderWebContents(), "true"));
+}
diff --git a/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container_manager.cc b/extensions/renderer/guest_view/mime_handler_view/mime_handler_view_container_manager.cc
@@ -55,6 +55,11 @@ void MimeHandlerViewContainerManager::BindRequest(
 MimeHandlerViewContainerManager* MimeHandlerViewContainerManager::Get(
     content::RenderFrame* render_frame,
     bool create_if_does_not_exits) {
+  if (!render_frame) {
+    // Through some |adoptNode| magic, blink could still call this method for
+    // a plugin element which does not have a frame (https://crbug.com/966371).
+    return nullptr;
+  }
   int32_t routing_id = render_frame->GetRoutingID();
   auto& map = *GetRenderFrameMap();
   if (base::ContainsKey(map, routing_id))