Fix unsafe type casting in BindTextSuggestionHost

RenderWidgetHost::GetView can be of type RenderWidgetHostViewChildFrame which is not suitable to get TextSuggestionHost from. Wrong type conversion made here was a potential security issue. This CL ensures the type is right before doing the conversion. (cherry picked from commit 7a7e482) Bug: 1491459 Change-Id: I27d95021b1b8cdaec3291d9f42e473a911bcf404 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4975648 Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Reviewed-by: Bo Liu <boliu@chromium.org> Commit-Queue: Jinsuk Kim <jinsukkim@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1221798} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5038793 Reviewed-by: Chris Bookholt <bookholt@chromium.org> Cr-Commit-Position: refs/branch-heads/6045@{#1389} Cr-Branched-From: 905e8bd-refs/heads/main@{#1204232}
chromium · Nov 17, 2023 · 89c6b11 · 89c6b11
1 parent 2f65e1f
commit 89c6b11
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/content/browser/browser_interface_binders.cc b/content/browser/browser_interface_binders.cc
@@ -346,7 +346,8 @@ void BindDateTimeChooserForFrame(
 void BindTextSuggestionHostForFrame(
     RenderFrameHost* host,
     mojo::PendingReceiver<blink::mojom::TextSuggestionHost> receiver) {
-  auto* view = static_cast<RenderWidgetHostViewAndroid*>(host->GetView());
+  auto* view =
+      RenderWidgetHostViewAndroid::FromRenderWidgetHostView(host->GetView());
   if (!view || !view->text_suggestion_host())
     return;
 

diff --git a/content/browser/renderer_host/render_widget_host_view_android.cc b/content/browser/renderer_host/render_widget_host_view_android.cc
@@ -216,6 +216,17 @@ bool IsFullscreenSurfaceSyncSupported() {
 
 }  // namespace
 
+// static
+RenderWidgetHostViewAndroid*
+RenderWidgetHostViewAndroid::FromRenderWidgetHostView(
+    RenderWidgetHostView* view) {
+  if (!view || static_cast<RenderWidgetHostViewBase*>(view)
+                   ->IsRenderWidgetHostViewChildFrame()) {
+    return nullptr;
+  }
+  return static_cast<RenderWidgetHostViewAndroid*>(view);
+}
+
 RenderWidgetHostViewAndroid::ScreenStateChangeHandler::ScreenStateChangeHandler(
     RenderWidgetHostViewAndroid* rwhva)
     : rwhva_(rwhva) {}

diff --git a/content/browser/renderer_host/render_widget_host_view_android.h b/content/browser/renderer_host/render_widget_host_view_android.h
@@ -86,6 +86,9 @@ class CONTENT_EXPORT RenderWidgetHostViewAndroid
       public ui::ViewAndroidObserver,
       public ui::WindowAndroidObserver {
  public:
+  static RenderWidgetHostViewAndroid* FromRenderWidgetHostView(
+      RenderWidgetHostView* view);
+
   // Note: The tree of `gfx::NativeView` might not match the tree of
   // `cc::slim::Layer`.
   RenderWidgetHostViewAndroid(RenderWidgetHostImpl* widget,