From 3e6d0c72f3e4801a736e0ed6d3eef383e4958987 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Michael=20Br=C3=BCning?=
Date: Wed, 15 Aug 2018 18:05:18 +0200
Subject: [Backport] Security fix for Chromium bug 839197
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix a use-after-free in PermissionContextBase

Currently we assume that there will only be at most one of each PermissionType in a call to PermissionServiceImpl::RequestPermissions. However we never actually verify this and if it turns out to be true, it triggers a use-after-free in PermissionContextBase. Verify that this is the case otherwise call ReceivedBadMessage.

Bug: 839197
Reviewed-on: https://chromium-review.googlesource.com/1053333
Change-Id: Iad5e4b104bbed7caa927c131332bb51898816616
Reviewed-by: Jüri Valdmann
---
 chromium/content/browser/permissions/permission_service_impl.cc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/chromium/content/browser/permissions/permission_service_impl.cc b/chromium/content/browser/permissions/permission_service_impl.cc
index c92ebfa274b..d8586c0917b 100644
--- a/chromium/content/browser/permissions/permission_service_impl.cc
+++ b/chromium/content/browser/permissions/permission_service_impl.cc
@@ -7,6 +7,7 @@
 #include
 #include
+#include
 #include
 #include "base/bind.h"
@@ -175,11 +176,18 @@ void PermissionServiceImpl::RequestPermissions(
 }
 std::vector types(permissions.size());
+std::set duplicates_check;
 for (size_t i = 0; i < types.size(); ++i) {
 if (!PermissionDescriptorToPermissionType(permissions[i], &types[i])) {
 ReceivedBadMessage();
 return;
 }
+// Each permission should appear at most once in the message.
+bool inserted = duplicates_check.insert(types[i]).second;
+if (!inserted) {
+ReceivedBadMessage();
+return;
+}
 }
 std::unique_ptr pending_request =
-- 
cgit v1.2.3
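Review bot: The duplicate-type rejection added in the RequestPermissions hunk ships without a regression test; the diffstat shows only permission_service_impl.cc changed, so a unit test that sends the same PermissionType twice and expects the bad-message path would pin the fix against future refactors. The added comment states the rule but not the reason the commit message gives, which is what a maintainer needs before relaxing it; I would write `// A PermissionType may appear at most once per request: PermissionContextBase relies on this and a duplicate led to a use-after-free (crbug.com/839197).` The `inserted` temporary can be folded into the condition, `if (!duplicates_check.insert(types[i]).second) {`. If PermissionType is a dense enum with a sentinel count, a `std::bitset` sized by it would avoid the per-element node allocation of `std::set` on this renderer-driven path, but the enum's range is not visible here. RequestPermissions starts before and continues past the hunk, and the description's "if it turns out to be true" appears to mean "not true".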