Vikram Pasupathy (Gerrit)

unread,

Apr 21, 2026, 2:23:37 PM (2 days ago) Apr 21

to Dale Curtis, Chromium LUCI CQ, chromium...@chromium.org, feature-me...@chromium.org

Attention needed from Dale Curtis

New activity on the change

Open in Gerrit

Related details

Attention is currently required from:

Dale Curtis

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Dale Curtis (Gerrit)

unread,

Apr 21, 2026, 3:44:29 PM (2 days ago) Apr 21

to Vikram Pasupathy, Chromium LUCI CQ, chromium...@chromium.org, feature-me...@chromium.org

Attention needed from Vikram Pasupathy

Dale Curtis added 3 comments

File media/mojo/services/mojo_audio_decoder_service.cc

Line 87, Patchset 1 (Latest): std::move(callback).Run(DecoderStatus::Codes::kFailed, false,

Dale Curtis . unresolved

No need to run the callback I think since it'll initiate teardown? Also does `this` have a ReportBadMessage method on it? That should be preferred over the mojo:: version if it exists.

File media/mojo/services/mojo_decryptor_service.cc

Line 324, Patchset 1 (Latest): mojo::ReportBadMessage("Unexpected stream_type");

Dale Curtis . unresolved

Ditto.

File media/mojo/services/mojo_video_decoder_service.cc

Line 301, Patchset 1 (Latest): mojo::ReportBadMessage("The caller should not switch CDM");

Dale Curtis . unresolved

Ditto.

Open in Gerrit

Related details

Attention is currently required from:

Vikram Pasupathy

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

No-Unresolved-Comments

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Vikram Pasupathy (Gerrit)

unread,

Apr 22, 2026, 12:19:39 PM (yesterday) Apr 22

to Dale Curtis, Chromium LUCI CQ, chromium...@chromium.org, feature-me...@chromium.org

Attention needed from Dale Curtis

Vikram Pasupathy added 3 comments

File media/mojo/services/mojo_audio_decoder_service.cc

Line 87, Patchset 1: std::move(callback).Run(DecoderStatus::Codes::kFailed, false,

Dale Curtis . resolved

No need to run the callback I think since it'll initiate teardown? Also does `this` have a ReportBadMessage method on it? That should be preferred over the mojo:: version if it exists.

Vikram Pasupathy

Done for the cb.

`this` does not have the method, so keeping as `mojo::`.

File media/mojo/services/mojo_decryptor_service.cc

Line 324, Patchset 1: mojo::ReportBadMessage("Unexpected stream_type");

Dale Curtis . resolved

Ditto.

Vikram Pasupathy

Done

File media/mojo/services/mojo_video_decoder_service.cc

Line 301, Patchset 1: mojo::ReportBadMessage("The caller should not switch CDM");

Dale Curtis . resolved

Ditto.

Vikram Pasupathy

Done

Open in Gerrit

Related details

Attention is currently required from:

Dale Curtis

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Dale Curtis (Gerrit)

unread,

Apr 22, 2026, 12:42:13 PM (yesterday) Apr 22

to Vikram Pasupathy, Chromium LUCI CQ, chromium...@chromium.org, feature-me...@chromium.org

Attention needed from Vikram Pasupathy

Dale Curtis added 1 comment

File media/mojo/services/mojo_video_decoder_service.cc

Line 241, Patchset 3 (Latest): CHECK(mojo::IsInMessageDispatch());

Dale Curtis . unresolved

ISTR ReportBadMessage only working if this check is true, otherwise you need to use `GetBadMessageCallback` and pass to where the message is handled. Are we in message handling for each of the cases you've added? Some I think yes, some it's unclear.

Open in Gerrit

Related details

Attention is currently required from:

Vikram Pasupathy

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review

No-Unresolved-Comments

Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Vikram Pasupathy (Gerrit)

unread,

12:43 PM (6 hours ago) 12:43 PM

to Dale Curtis, Chromium LUCI CQ, chromium...@chromium.org, feature-me...@chromium.org

Attention needed from Dale Curtis

Vikram Pasupathy added 1 comment

File media/mojo/services/mojo_video_decoder_service.cc

Line 241, Patchset 3: CHECK(mojo::IsInMessageDispatch());

Dale Curtis . unresolved

ISTR ReportBadMessage only working if this check is true, otherwise you need to use `GetBadMessageCallback` and pass to where the message is handled. Are we in message handling for each of the cases you've added? Some I think yes, some it's unclear.

Vikram Pasupathy

I see, PTAL. Went around media/ to see where else to add this check.

Open in Gerrit

Related details

Attention is currently required from:

Dale Curtis

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Dale Curtis (Gerrit)

unread,

2:29 PM (4 hours ago) 2:29 PM

to Vikram Pasupathy, Chromium LUCI CQ, chromium...@chromium.org, feature-me...@chromium.org

Attention needed from Vikram Pasupathy

Dale Curtis added 1 comment

File media/mojo/services/mojo_video_decoder_service.cc

Line 241, Patchset 3: CHECK(mojo::IsInMessageDispatch());

Dale Curtis . unresolved

ISTR ReportBadMessage only working if this check is true, otherwise you need to use `GetBadMessageCallback` and pass to where the message is handled. Are we in message handling for each of the cases you've added? Some I think yes, some it's unclear.

Vikram Pasupathy

I see, PTAL. Went around media/ to see where else to add this check.

Dale Curtis

The method internally has a DCHECK:

https://source.chromium.org/chromium/chromium/src/+/main:mojo/public/cpp/bindings/lib/message.cc;l=697;drc=1001d131f46da375ba4af6457b194cab5ac9e858

Do you think the CHECK adds much value? I was more suggesting that for cases which don't have test coverage of the bad message delivery it'll be important to audit since we'll end up with a low-high priority process crash otherwise.

Open in Gerrit

Related details

Attention is currently required from:

Vikram Pasupathy

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Vikram Pasupathy (Gerrit)

unread,

2:49 PM (4 hours ago) 2:49 PM

to Dale Curtis, Chromium LUCI CQ, chromium...@chromium.org, feature-me...@chromium.org

Attention needed from Dale Curtis

Vikram Pasupathy added 1 comment

File media/mojo/services/mojo_video_decoder_service.cc

Line 241, Patchset 3: CHECK(mojo::IsInMessageDispatch());

Dale Curtis . unresolved

ISTR ReportBadMessage only working if this check is true, otherwise you need to use `GetBadMessageCallback` and pass to where the message is handled. Are we in message handling for each of the cases you've added? Some I think yes, some it's unclear.

Vikram Pasupathy

I see, PTAL. Went around media/ to see where else to add this check.

Dale Curtis

The method internally has a DCHECK:
https://source.chromium.org/chromium/chromium/src/+/main:mojo/public/cpp/bindings/lib/message.cc;l=697;drc=1001d131f46da375ba4af6457b194cab5ac9e858
Do you think the CHECK adds much value? I was more suggesting that for cases which don't have test coverage of the bad message delivery it'll be important to audit since we'll end up with a low-high priority process crash otherwise.

Vikram Pasupathy

I think CHECK is recommended regardless right? and I don't expect this CHECK to hit, it should be safe. I imagine the DCHECK was added in 2016, so noone got up to upgrading it to a CHECK.

Would you want NotFatalUntil? i.e https://chromium-review.googlesource.com/c/chromium/src/+/6360824

https://chromium.googlesource.com/chromium/src/+/main/styleguide/c++/checks.md

Open in Gerrit

Related details

Attention is currently required from:

Dale Curtis

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Dale Curtis (Gerrit)

unread,

3:07 PM (3 hours ago) 3:07 PM

to Vikram Pasupathy, Chromium LUCI CQ, chromium...@chromium.org, feature-me...@chromium.org

Attention needed from Vikram Pasupathy

Dale Curtis added 1 comment

File media/mojo/services/mojo_video_decoder_service.cc

Line 241, Patchset 3: CHECK(mojo::IsInMessageDispatch());

Dale Curtis . unresolved

ISTR ReportBadMessage only working if this check is true, otherwise you need to use `GetBadMessageCallback` and pass to where the message is handled. Are we in message handling for each of the cases you've added? Some I think yes, some it's unclear.

Vikram Pasupathy

I see, PTAL. Went around media/ to see where else to add this check.

Dale Curtis

The method internally has a DCHECK:
https://source.chromium.org/chromium/chromium/src/+/main:mojo/public/cpp/bindings/lib/message.cc;l=697;drc=1001d131f46da375ba4af6457b194cab5ac9e858
Do you think the CHECK adds much value? I was more suggesting that for cases which don't have test coverage of the bad message delivery it'll be important to audit since we'll end up with a low-high priority process crash otherwise.

Vikram Pasupathy

I think CHECK is recommended regardless right? and I don't expect this CHECK to hit, it should be safe. I imagine the DCHECK was added in 2016, so noone got up to upgrading it to a CHECK.
Would you want NotFatalUntil? i.e https://chromium-review.googlesource.com/c/chromium/src/+/6360824
https://chromium.googlesource.com/chromium/src/+/main/styleguide/c++/checks.md

Dale Curtis

Sorry, I'm not that concerned about the CHECK/DCHECK, though upgrading the one in Mojo may be reasonable if we can delete all the ones elsewhere. I'm more stating that almost none of these BadMessage instances have test coverage, so we don't know that they're actually even in message dispatch without manually auditing. Hence, is that something you've already done?

Open in Gerrit

Related details

Attention is currently required from:

Vikram Pasupathy

Submit Requirements:

Code-Coverage
Code-Owners
Code-Review
No-Unresolved-Comments
Review-Enforcement

Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings.

Gerrit

satisfied_requirement

unsatisfied_requirement

open

diffy

Reply all

Reply to author

Forward

media: Handle untrusted Mojo input with ReportBadMessage [chromium/src : main]

Vikram Pasupathy (Gerrit)

New activity on the change

Related details

Dale Curtis (Gerrit)

Dale Curtis added 3 comments

Related details

Vikram Pasupathy (Gerrit)

Vikram Pasupathy added 3 comments

Related details

Dale Curtis (Gerrit)

Dale Curtis added 1 comment

Related details

Vikram Pasupathy (Gerrit)

Vikram Pasupathy added 1 comment

Related details

Dale Curtis (Gerrit)

Dale Curtis added 1 comment

Related details

Vikram Pasupathy (Gerrit)

Vikram Pasupathy added 1 comment

Related details

Dale Curtis (Gerrit)

Dale Curtis added 1 comment

Related details