Bug 1393600: Ensure that the handler sends a known interface to exter…

…nal clients; r=jimm MozReview-Commit-ID: F5vxF2pB347
dothq · Sep 24, 2017 · aa44e53 · aa44e53
1 parent 35c65ef
commit aa44e53
Show file tree

Hide file tree

Showing 6 changed files with 110 additions and 5 deletions.
diff --git a/accessible/ipc/win/handler/AccessibleHandler.cpp b/accessible/ipc/win/handler/AccessibleHandler.cpp
@@ -244,6 +244,22 @@ AccessibleHandler::MarshalAs(REFIID aIid)
   return aIid;
 }
 
+HRESULT
+AccessibleHandler::GetMarshalInterface(REFIID aMarshalAsIid,
+                                       NotNull<IUnknown*> aProxy,
+                                       NotNull<IID*> aOutIid,
+                                       NotNull<IUnknown**> aOutUnk)
+{
+  if (aMarshalAsIid == NEWEST_IA2_IID) {
+    *aOutIid = IID_IAccessible;
+  } else {
+    *aOutIid = aMarshalAsIid;
+  }
+
+  return aProxy->QueryInterface(aMarshalAsIid,
+      reinterpret_cast<void**>(static_cast<IUnknown**>(aOutUnk)));
+}
+
 HRESULT
 AccessibleHandler::GetHandlerPayloadSize(REFIID aIid, DWORD* aOutPayloadSize)
 {

diff --git a/accessible/ipc/win/handler/AccessibleHandler.h b/accessible/ipc/win/handler/AccessibleHandler.h
@@ -59,6 +59,9 @@ class AccessibleHandler final : public mscom::Handler
   HRESULT ReadHandlerPayload(IStream* aStream, REFIID aIid) override;
 
   REFIID MarshalAs(REFIID aRequestedIid) override;
+  HRESULT GetMarshalInterface(REFIID aMarshalAsIid, NotNull<IUnknown*> aProxy,
+                              NotNull<IID*> aOutIid,
+                              NotNull<IUnknown**> aOutUnk) override;
   HRESULT GetHandlerPayloadSize(REFIID aIid, DWORD* aOutPayloadSize) override;
   HRESULT WriteHandlerPayload(IStream* aStream, REFIID aIId) override;
 

diff --git a/ipc/mscom/Objref.cpp b/ipc/mscom/Objref.cpp
@@ -9,6 +9,7 @@
 #include "mozilla/Assertions.h"
 #include "mozilla/mscom/Utils.h"
 #include "mozilla/RefPtr.h"
+#include "mozilla/ScopeExit.h"
 #include "mozilla/UniquePtr.h"
 
 #include <guiddef.h>
@@ -112,6 +113,28 @@ enum OBJREF_FLAGS
 
 struct OBJREF
 {
+  static size_t SizeOfFixedLenHeader(OBJREF_FLAGS aFlags)
+  {
+    size_t size = sizeof(mSignature) + sizeof(mFlags) + sizeof(mIid);
+
+    switch (aFlags) {
+      case OBJREF_TYPE_STANDARD:
+        size += OBJREF_STANDARD::SizeOfFixedLenHeader();
+        break;
+      case OBJREF_TYPE_HANDLER:
+        size += OBJREF_HANDLER::SizeOfFixedLenHeader();
+        break;
+      case OBJREF_TYPE_CUSTOM:
+        size += OBJREF_CUSTOM::SizeOfFixedLenHeader();
+        break;
+      default:
+        MOZ_ASSERT_UNREACHABLE("Unsupported OBJREF type");
+        return 0;
+    }
+
+    return size;
+  }
+
   size_t SizeOf() const
   {
     size_t size = sizeof(mSignature) + sizeof(mFlags) + sizeof(mIid);
@@ -387,5 +410,34 @@ GetOBJREFSize(NotNull<IStream*> aStream)
   return accumulatedSize;
 }
 
+bool
+SetIID(NotNull<IStream*> aStream, const uint64_t aStart, REFIID aNewIid)
+{
+  ULARGE_INTEGER initialStreamPos;
+
+  LARGE_INTEGER seekTo;
+  seekTo.QuadPart = 0LL;
+  HRESULT hr = aStream->Seek(seekTo, STREAM_SEEK_CUR, &initialStreamPos);
+  if (FAILED(hr)) {
+    return false;
+  }
+
+  auto resetStreamPos = MakeScopeExit([&]() {
+    seekTo.QuadPart = initialStreamPos.QuadPart;
+    hr = aStream->Seek(seekTo, STREAM_SEEK_SET, nullptr);
+    MOZ_DIAGNOSTIC_ASSERT(SUCCEEDED(hr));
+  });
+
+  seekTo.QuadPart = aStart + sizeof(OBJREF::mSignature) + sizeof(OBJREF::mFlags);
+  hr = aStream->Seek(seekTo, STREAM_SEEK_SET, nullptr);
+  if (FAILED(hr)) {
+    return false;
+  }
+
+  ULONG bytesWritten;
+  hr = aStream->Write(&aNewIid, sizeof(IID), &bytesWritten);
+  return SUCCEEDED(hr) && bytesWritten == sizeof(IID);
+}
+
 } // namespace mscom
 } // namespace mozilla
diff --git a/ipc/mscom/Objref.h b/ipc/mscom/Objref.h
@@ -8,6 +8,9 @@
 #define mozilla_mscom_Objref_h
 
 #include "mozilla/NotNull.h"
+#include "mozilla/RefPtr.h"
+
+#include <guiddef.h>
 
 struct IStream;
 
@@ -39,6 +42,15 @@ StripHandlerFromOBJREF(NotNull<IStream*> aStream,
 uint32_t
 GetOBJREFSize(NotNull<IStream*> aStream);
 
+/**
+ * Overrides the IID in a serialized proxy with the specified IID.
+ * @param aStream Pointer to a stream containing a serialized proxy.
+ * @param aStart Offset to the beginning of the serialized proxy within aStream.
+ * @param aNewIid The replacement IID to apply to the serialized proxy.
+ */
+bool
+SetIID(NotNull<IStream*> aStream, const uint64_t aStart, REFIID aNewIid);
+
 } // namespace mscom
 } // namespace mozilla
 

diff --git a/ipc/mscom/oop/Handler.cpp b/ipc/mscom/oop/Handler.cpp
@@ -164,6 +164,17 @@ Handler::GetMarshalSizeMax(REFIID riid, void* pv, DWORD dwDestContext,
 #endif // defined(MOZ_MSCOM_REMARSHAL_NO_HANDLER)
 }
 
+HRESULT
+Handler::GetMarshalInterface(REFIID aMarshalAsIid,
+                             NotNull<IUnknown*> aProxy,
+                             NotNull<IID*> aOutIid,
+                             NotNull<IUnknown**> aOutUnk)
+{
+  *aOutIid = aMarshalAsIid;
+  return aProxy->QueryInterface(aMarshalAsIid,
+      reinterpret_cast<void**>(static_cast<IUnknown**>(aOutUnk)));
+}
+
 HRESULT
 Handler::MarshalInterface(IStream* pStm, REFIID riid, void* pv,
                           DWORD dwDestContext, void* pvDestContext,
@@ -187,14 +198,14 @@ Handler::MarshalInterface(IStream* pStm, REFIID riid, void* pv,
   if (FAILED(hr)) {
     return hr;
   }
+#endif // defined(MOZ_MSCOM_REMARSHAL_NO_HANDLER)
 
-  // When marshaling without a handler, we just use the riid as passed in.
-  REFIID marshalAs = riid;
-#else
   REFIID marshalAs = MarshalAs(riid);
-#endif // defined(MOZ_MSCOM_REMARSHAL_NO_HANDLER)
+  IID marshalOutAs;
 
-  hr = mInnerUnk->QueryInterface(marshalAs, getter_AddRefs(unkToMarshal));
+  hr = GetMarshalInterface(marshalAs, WrapNotNull<IUnknown*>(mInnerUnk),
+                           WrapNotNull(&marshalOutAs),
+                           WrapNotNull<IUnknown**>(getter_AddRefs(unkToMarshal)));
   if (FAILED(hr)) {
     return hr;
   }
@@ -219,6 +230,11 @@ Handler::MarshalInterface(IStream* pStm, REFIID riid, void* pv,
     return E_FAIL;
   }
 
+  // Fix the IID
+  if (!SetIID(WrapNotNull(pStm), objrefPos.QuadPart, marshalOutAs)) {
+    return E_FAIL;
+  }
+
   return S_OK;
 #else
   if (!HasPayload()) {

diff --git a/ipc/mscom/oop/Handler.h b/ipc/mscom/oop/Handler.h
@@ -14,6 +14,7 @@
 #include <objidl.h>
 
 #include "mozilla/mscom/Aggregation.h"
+#include "mozilla/NotNull.h"
 #include "mozilla/RefPtr.h"
 
 /* WARNING! The code in this file may be loaded into the address spaces of other
@@ -80,6 +81,11 @@ class Handler : public IMarshal
    */
   virtual REFIID MarshalAs(REFIID aRequestedIid) { return aRequestedIid; }
 
+  virtual HRESULT GetMarshalInterface(REFIID aMarshalAsIid,
+                                      NotNull<IUnknown*> aProxy,
+                                      NotNull<IID*> aOutIid,
+                                      NotNull<IUnknown**> aOutUnk);
+
   /**
    * Called when the implementer must provide the size of the payload.
    */