[inspector] Gracefully ignore non-dictionary values as session state.

The V8InspectorSessionImpl constructor accepts a state, as either text or CBOR encoded, and generally ignores all invalid inputs, except for the case where it's a valid value, but not a dictionary value, in which case it'll leak the value and crash upon casting to a `DictionaryValue`. This is purely an issue with the test driver, so no security impact on Chromium in the wild. Fixed: chromium:1281031 Change-Id: I7b4d0aea83370499b1274d3fa214a14dc098d2f2 Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/3361838 Commit-Queue: Benedikt Meurer <bmeurer@chromium.org> Auto-Submit: Benedikt Meurer <bmeurer@chromium.org> Reviewed-by: Yang Guo <yangguo@chromium.org> Cr-Commit-Position: refs/heads/main@{#78490}
2022-01-05 11:27:58 +01:00 · 2022-01-05 11:27:58 +01:00 · dc3eb44971
commit dc3eb44971
parent c91d9eace7
4 changed files with 20 additions and 3 deletions
--- a/src/inspector/v8-inspector-session-impl.cc
+++ b/src/inspector/v8-inspector-session-impl.cc
@ -56,7 +56,9 @@ std::unique_ptr<protocol::DictionaryValue> ParseState(StringView state) {
  if (!cbor.empty()) {
    std::unique_ptr<protocol::Value> value =
        protocol::Value::parseBinary(cbor.data(), cbor.size());
-    if (value) return protocol::DictionaryValue::cast(std::move(value));
+    std::unique_ptr<protocol::DictionaryValue> dictionaryValue =
+        protocol::DictionaryValue::cast(std::move(value));
+    if (dictionaryValue) return dictionaryValue;
  }
  return protocol::DictionaryValue::create();
 }
--- a/test/inspector/regress/regress-crbug-1281031-expected.txt
+++ b/test/inspector/regress/regress-crbug-1281031-expected.txt
@ -0,0 +1,2 @@
+Did not crash upon invalid non-dictionary state passed to utils.connectSession()
+
--- a/test/inspector/regress/regress-crbug-1281031.js
+++ b/test/inspector/regress/regress-crbug-1281031.js
@ -0,0 +1,9 @@
+// Copyright 2021 the V8 project authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+const contextGroupId = utils.createContextGroup();
+const sessionId = utils.connectSession(contextGroupId, '0', () => {});
+utils.disconnectSession(sessionId);
+utils.print('Did not crash upon invalid non-dictionary state passed to utils.connectSession()');
+utils.quit();
--- a/third_party/inspector_protocol/lib/Values_h.template
+++ b/third_party/inspector_protocol/lib/Values_h.template
@ -165,7 +165,9 @@ public:

    static std::unique_ptr<DictionaryValue> cast(std::unique_ptr<Value> value)
    {
-        return std::unique_ptr<DictionaryValue>(DictionaryValue::cast(value.release()));
+        DictionaryValue* dictionaryValue = cast(value.get());
+        if (dictionaryValue) value.release();
+        return std::unique_ptr<DictionaryValue>(dictionaryValue);
    }

    void AppendSerialized(std::vector<uint8_t>* bytes) const override;
@ -231,7 +233,9 @@ public:

    static std::unique_ptr<ListValue> cast(std::unique_ptr<Value> value)
    {
-        return std::unique_ptr<ListValue>(ListValue::cast(value.release()));
+        ListValue* listValue = cast(value.get());
+        if (listValue) value.release();
+        return std::unique_ptr<ListValue>(listValue);
    }

    ~ListValue() override;
				`@ -0,0 +1,2 @@`
				`Did not crash upon invalid non-dictionary state passed to utils.connectSession()`