authorMichael Brüning <michael.bruning@qt.io>2018-08-15 18:05:18 +0200
committerMichael Brüning <michael.bruning@qt.io>2018-08-16 06:15:29 +0000
commit3e6d0c72f3e4801a736e0ed6d3eef383e4958987 (patch)
treeedd5cb3aee341f41f04de5535c16f38c2ce78563
parentf4115a6cd997969532bb59afd3f885c69aefbfb3 (diff)
[Backport] Security fix for Chromium bug 839197
Fix a use-after-free in PermissionContextBase

Currently we assume that there will be at most one of each PermissionType in a call to PermissionServiceImpl::RequestPermissions. However, we never actually verify this, and if the assumption turns out to be false, it triggers a use-after-free in PermissionContextBase. Verify that this is the case; otherwise call ReceivedBadMessage.

Bug: 839197
Reviewed-on: https://chromium-review.googlesource.com/1053333
Change-Id: Iad5e4b104bbed7caa927c131332bb51898816616
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
-rw-r--r--chromium/content/browser/permissions/permission_service_impl.cc8
1 files changed, 8 insertions, 0 deletions
diff --git a/chromium/content/browser/permissions/permission_service_impl.cc b/chromium/content/browser/permissions/permission_service_impl.cc
index c92ebfa274b..d8586c0917b 100644
--- a/chromium/content/browser/permissions/permission_service_impl.cc
+++ b/chromium/content/browser/permissions/permission_service_impl.cc
@@ -7,6 +7,7 @@
#include <stddef.h>
#include <memory>
+#include <set>
#include <utility>
#include "base/bind.h"
@@ -175,11 +176,18 @@ void PermissionServiceImpl::RequestPermissions(
}
std::vector<PermissionType> types(permissions.size());
+ std::set<PermissionType> duplicates_check;
for (size_t i = 0; i < types.size(); ++i) {
if (!PermissionDescriptorToPermissionType(permissions[i], &types[i])) {
ReceivedBadMessage();
return;
}
+ // Each permission should appear at most once in the message.
+ bool inserted = duplicates_check.insert(types[i]).second;
+ if (!inserted) {
+ ReceivedBadMessage();
+ return;
+ }
}
std::unique_ptr<PendingRequest> pending_request =
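Review bot: The comment on the new duplicate check (`// Each permission should appear at most once in the message.`) states the rule but not why it matters for memory safety, so a later cleanup could drop the check as redundant validation. I would spell out the consequence given in the commit description, e.g. `// Duplicate types in one request led to a use-after-free in PermissionContextBase (crbug.com/839197); reject the message.` The invariant is enforced only at this IPC entry point, and the hunk does not show whether PermissionContextBase asserts it itself, so any other caller that reaches it would presumably still have to guarantee uniqueness on its own. RequestPermissions starts and ends outside this hunk.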