Cherry-pick 252432.1035@safari-7614-branch (b9851bb). https://bugs.we…

…bkit.org/show_bug.cgi?id=250722

    IPC hardening for MediaConstraint subclasses
    https://bugs.webkit.org/show_bug.cgi?id=250722
    rdar://103012405

    Reviewed by Jonathan Bedard and David Kilzer.

    Make sure we validate the constraint type whenever we IPC-deserialize a
    MediaConstraint subclass.

    * Source/WebCore/platform/mediastream/MediaConstraints.h:
    (WebCore::NumericConstraint::decode):
    (WebCore::StringConstraint::decode):

    Canonical link: https://commits.webkit.org/252432.1035@safari-7614-branch

Source/WebCore/platform/mediastream/MediaConstraints.h

@@ -351,7 +351,14 @@ class NumericConstraint : public MediaConstraint {
     {
         if (!MediaConstraint::decode(decoder, constraint))
             return false;
-
+        static_assert(std::is_same_v<ValueType, int> || std::is_same_v<ValueType, double>);
+        if constexpr(std::is_same_v<ValueType, int>) {
+            if (!constraint.isInt())
+                return false;
+        } else if constexpr(std::is_same_v<ValueType, double>) {
+            if (!constraint.isDouble())
+                return false;
+        }
         if (!decoder.decode(constraint.m_min))
             return false;
         if (!decoder.decode(constraint.m_max))
@@ -525,6 +532,8 @@ class BooleanConstraint final : public MediaConstraint {
     {
         if (!MediaConstraint::decode(decoder, constraint))
             return false;
+        if (!constraint.isBoolean())
+            return false;
 
         if (!decoder.decode(constraint.m_exact))
             return false;
@@ -611,6 +620,8 @@ class StringConstraint : public MediaConstraint {
     {
         if (!MediaConstraint::decode(decoder, constraint))
             return false;
+        if (!constraint.isString())
+            return false;
 
         if (!decoder.decode(constraint.m_exact))
             return false;