File: image_sanitizer.cc

package info (click to toggle)
chromium 139.0.7258.127-1
  • links: PTS, VCS
  • area: main
  • in suites:
  • size: 6,122,068 kB
  • sloc: cpp: 35,100,771; ansic: 7,163,530; javascript: 4,103,002; python: 1,436,920; asm: 946,517; xml: 746,709; pascal: 187,653; perl: 88,691; sh: 88,436; objc: 79,953; sql: 51,488; cs: 44,583; fortran: 24,137; makefile: 22,147; tcl: 15,277; php: 13,980; yacc: 8,984; ruby: 7,485; awk: 3,720; lisp: 3,096; lex: 1,327; ada: 727; jsp: 228; sed: 36
file content (223 lines) | stat: -rw-r--r-- 8,229 bytes parent folder | download | duplicates (6) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
 
// Copyright 2018 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.

#include "extensions/browser/image_sanitizer.h"

#include <optional>

#include "base/debug/dump_without_crashing.h"
#include "base/files/file_util.h"
#include "base/functional/bind.h"
#include "base/task/sequenced_task_runner.h"
#include "extensions/browser/extension_file_task_runner.h"
#include "extensions/common/extension_resource_path_normalizer.h"
#include "services/data_decoder/public/cpp/decode_image.h"
#include "ui/gfx/codec/png_codec.h"

namespace extensions {

namespace {

// We don't expect icons and other extension's images to be big.
// We use this limit to prevent from opening too large images.
const int kMaxImageCanvas = 4096 * 4096;  // 16MB

// Reads the file in |path| and then deletes it.
// Returns a tuple containing: the file content, whether the read was
// successful, whether the delete was successful.
std::tuple<std::vector<uint8_t>, bool, bool> ReadAndDeleteBinaryFile(
    const base::FilePath& path) {
  std::vector<uint8_t> contents;
  bool read_success = false;
  std::optional<int64_t> file_size = base::GetFileSize(path);
  if (file_size.has_value()) {
    int64_t size = file_size.value();
    contents.resize(size);
    read_success =
        base::ReadFile(path, reinterpret_cast<char*>(contents.data()), size) ==
        size;
  }
  bool delete_success = base::DeleteFile(path);
  return std::make_tuple(std::move(contents), read_success, delete_success);
}

bool WriteFile(const base::FilePath& path,
               const std::vector<unsigned char>& data) {
  return base::WriteFile(path, data);
}

}  // namespace

// static
std::unique_ptr<ImageSanitizer> ImageSanitizer::CreateAndStart(
    scoped_refptr<Client> client,
    const base::FilePath& image_dir,
    const std::set<base::FilePath>& image_paths,
    const scoped_refptr<base::SequencedTaskRunner>& io_task_runner) {
  std::unique_ptr<ImageSanitizer> sanitizer(
      new ImageSanitizer(client, image_dir, image_paths, io_task_runner));
  sanitizer->Start();
  return sanitizer;
}

ImageSanitizer::ImageSanitizer(
    scoped_refptr<Client> client,
    const base::FilePath& image_dir,
    const std::set<base::FilePath>& image_relative_paths,
    const scoped_refptr<base::SequencedTaskRunner>& io_task_runner)
    : image_dir_(image_dir),
      image_paths_(image_relative_paths),
      client_(std::move(client)),
      io_task_runner_(io_task_runner) {
  DCHECK(client_);
}

ImageSanitizer::~ImageSanitizer() = default;
ImageSanitizer::Client::~Client() = default;

void ImageSanitizer::Start() {
  if (image_paths_.empty()) {
    base::SequencedTaskRunner::GetCurrentDefault()->PostTask(
        FROM_HERE, base::BindOnce(&ImageSanitizer::ReportSuccess,
                                  weak_factory_.GetWeakPtr()));
    return;
  }

  std::set<base::FilePath> normalized_image_paths;
  for (const base::FilePath& path : image_paths_) {
    // Normalize paths as |image_paths_| can contain duplicates like "icon.png"
    // and "./icon.png" to avoid unpacking the same image twice.
    base::FilePath normalized_path;
    if (path.IsAbsolute() || path.ReferencesParent() ||
        !NormalizeExtensionResourcePath(path, &normalized_path)) {
      // Report the error asynchronously so the caller stack has chance to
      // unwind.
      base::SequencedTaskRunner::GetCurrentDefault()->PostTask(
          FROM_HERE, base::BindOnce(&ImageSanitizer::ReportError,
                                    weak_factory_.GetWeakPtr(),
                                    Status::kImagePathError, path));
      return;
    }
    normalized_image_paths.insert(normalized_path);
  }
  // Update |image_paths_| as some of the path might have been changed by
  // normalization.
  image_paths_ = std::move(normalized_image_paths);

  // Note that we use 2 for loops instead of one to prevent a race and flakyness
  // in tests: if |image_paths_| contains 2 paths, a valid one that points to a
  // file that does not exist and an invalid one, there is a race that can cause
  // either error to be reported (kImagePathError or kFileReadError).
  for (const base::FilePath& path : image_paths_) {
    base::FilePath full_image_path = image_dir_.Append(path);
    io_task_runner_->PostTaskAndReplyWithResult(
        FROM_HERE, base::BindOnce(&ReadAndDeleteBinaryFile, full_image_path),
        base::BindOnce(&ImageSanitizer::ImageFileRead,
                       weak_factory_.GetWeakPtr(), path));
  }
}

void ImageSanitizer::ImageFileRead(
    const base::FilePath& image_path,
    std::tuple<std::vector<uint8_t>, bool, bool> read_and_delete_result) {
  if (!std::get<1>(read_and_delete_result)) {
    ReportError(Status::kFileReadError, image_path);
    return;
  }
  if (!std::get<2>(read_and_delete_result)) {
    ReportError(Status::kFileDeleteError, image_path);
    return;
  }
  const std::vector<uint8_t>& image_data = std::get<0>(read_and_delete_result);
  data_decoder::DecodeImage(
      client_->GetDataDecoder(), image_data,
      data_decoder::mojom::ImageCodec::kDefault,
      /*shrink_to_fit=*/false, kMaxImageCanvas, gfx::Size(),
      base::BindOnce(&ImageSanitizer::ImageDecoded, weak_factory_.GetWeakPtr(),
                     image_path));
}

void ImageSanitizer::ImageDecoded(const base::FilePath& image_path,
                                  const SkBitmap& decoded_image) {
  if (decoded_image.isNull()) {
    ReportError(Status::kDecodingError, image_path);
    return;
  }
  if (decoded_image.colorType() != kN32_SkColorType) {
    // The renderer should be sending us N32 32bpp bitmaps in reply, otherwise
    // this can lead to out-of-bounds mistakes when transferring the pixels out
    // of the bitmap into other buffers.
    base::debug::DumpWithoutCrashing();
    ReportError(Status::kDecodingError, image_path);
    return;
  }

  io_task_runner_->PostTaskAndReplyWithResult(
      FROM_HERE,
      base::BindOnce(gfx::PNGCodec::EncodeBGRASkBitmap, decoded_image,
                     /*discard_transparency=*/false),
      base::BindOnce(&ImageSanitizer::ImageReencoded,
                     weak_factory_.GetWeakPtr(), image_path));

  client_->OnImageDecoded(image_path, decoded_image);
  // Note that the `client` callback could potentially delete `this` object.
}

void ImageSanitizer::ImageReencoded(
    const base::FilePath& image_path,
    std::optional<std::vector<uint8_t>> result) {
  bool success = result.has_value();
  if (!success) {
    ReportError(Status::kEncodingError, image_path);
    return;
  }

  io_task_runner_->PostTaskAndReplyWithResult(
      FROM_HERE,
      base::BindOnce(&WriteFile, image_dir_.Append(image_path),
                     std::move(result.value())),
      base::BindOnce(&ImageSanitizer::ImageWritten, weak_factory_.GetWeakPtr(),
                     image_path));
}

void ImageSanitizer::ImageWritten(const base::FilePath& image_path,
                                  bool success) {
  if (!success) {
    ReportError(Status::kFileWriteError, image_path);
    return;
  }
  // We have finished with this path.
  size_t removed_count = image_paths_.erase(image_path);
  DCHECK_EQ(1U, removed_count);

  if (image_paths_.empty()) {
    // This was the last path, we are done.
    ReportSuccess();
  }
}

void ImageSanitizer::ReportSuccess() {
  // Reset `client_` early, before the callback potentially deletes `this`.
  scoped_refptr<Client> client = std::move(client_);
  DCHECK(!client_);

  // The `client_` callback is the last statement, because it can potentially
  // delete `this` object.
  client->OnImageSanitizationDone(Status::kSuccess, base::FilePath());
}

void ImageSanitizer::ReportError(Status status, const base::FilePath& path) {
  // Prevent any other task from reporting, we want to notify only once.
  weak_factory_.InvalidateWeakPtrs();

  // Reset `client_` early, before the callback potentially deletes `this`.
  scoped_refptr<Client> client = std::move(client_);
  DCHECK(!client_);

  // The `client_` callback is the last statement, because it can potentially
  // delete `this` object.
  client->OnImageSanitizationDone(status, path);
}

}  // namespace extensions