author | Michael Brüning <michael.bruning@qt.io> | 2018-08-15 18:05:18 +0200 |
committer | Michael Brüning <michael.bruning@qt.io> | 2018-08-16 06:15:29 +0000 |
commit | 3e6d0c72f3e4801a736e0ed6d3eef383e4958987 (patch) | |
tree | edd5cb3aee341f41f04de5535c16f38c2ce78563 | |
parent | f4115a6cd997969532bb59afd3f885c69aefbfb3 (diff) |
[Backport] Security fix for Chromium bug 839197
Fix a use-after-free in PermissionContextBase
Currently we assume that there will only be at most one of each
PermissionType in a call to PermissionServiceImpl::RequestPermissions.
However we never actually verify this, and if it turns out not to be true, it
triggers a use-after-free in PermissionContextBase. Verify that this is
the case, otherwise call ReceivedBadMessage.
Bug: 839197
Reviewed-on: https://chromium-review.googlesource.com/1053333
Change-Id: Iad5e4b104bbed7caa927c131332bb51898816616
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r-- | chromium/content/browser/permissions/permission_service_impl.cc | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/chromium/content/browser/permissions/permission_service_impl.cc b/chromium/content/browser/permissions/permission_service_impl.cc
index c92ebfa274b..d8586c0917b 100644
--- a/chromium/content/browser/permissions/permission_service_impl.cc
+++ b/chromium/content/browser/permissions/permission_service_impl.cc
@@ -7,6 +7,7 @@
 #include <stddef.h>
 #include <memory>
+#include <set>
 #include <utility>
 #include "base/bind.h"
@@ -175,11 +176,18 @@ void PermissionServiceImpl::RequestPermissions(
   }
   std::vector<PermissionType> types(permissions.size());
+  std::set<PermissionType> duplicates_check;
   for (size_t i = 0; i < types.size(); ++i) {
     if (!PermissionDescriptorToPermissionType(permissions[i], &types[i])) {
       ReceivedBadMessage();
       return;
     }
+    // Each permission should appear at most once in the message.
+    bool inserted = duplicates_check.insert(types[i]).second;
+    if (!inserted) {
+      ReceivedBadMessage();
+      return;
+    }
   }
   std::unique_ptr<PendingRequest> pending_request =
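Review bot: The new comment in the second hunk states the rule but not the reason, and the reason is what a future maintainer needs before relaxing it; the commit message says duplicate types lead to a use-after-free downstream, so the comment should carry that: `// A PermissionType may appear only once per request: duplicates trigger a use-after-free in PermissionContextBase, so treat them as a bad message rather than forwarding them.` The `inserted` temporary is used once and could be folded into the condition, `if (!duplicates_check.insert(types[i]).second) {`, matching the shape of the conversion check just above it. Doing the duplicate check inside the same loop as the conversion is the right place, since the message is rejected before any PendingRequest is built. RequestPermissions begins before this hunk and continues after it.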