authorChristian Dullweber <dullweber@chromium.org>2023-01-17 20:34:36 +0000
committerMichael Brüning <michael.bruning@qt.io>2023-02-15 14:00:49 +0000
commit702735ee969634a9527280ff8ae39dacd177e576 (patch)
treee7544385664b13b9a06064f5698a2520514b8a4e
parentf40ad614a15a5f2a93eb42f3e21940a0957ac2d3 (diff)
downloadqtwebengine-chromium-702735ee969634a9527280ff8ae39dacd177e576.tar.gz
[Backport] CVE-2023-0701: Heap buffer overflow in WebUI.
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4166946: ClearBrowsingData: Prevent heap overflow with false data type Users can call ClearBrowsingDataHandler::HandleClearBrowsingData with false arguments through devtools. This usually results in a clean crash. Passing an invalid data type results in a heap overflow. This is turned into a clean crash by changing a DCHECK into a CHECK. Bug: 1405123 Change-Id: I00c7d7aefcd8b1d68a285fce62edf8ebdf2e3b4b Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4166946 Reviewed-by: Demetrios Papadopoulos <dpapad@chromium.org> Commit-Queue: Demetrios Papadopoulos <dpapad@chromium.org> Auto-Submit: Christian Dullweber <dullweber@chromium.org> Reviewed-by: Martin Šrámek <msramek@chromium.org> Cr-Commit-Position: refs/heads/main@{#1093506} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460496 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/chrome/browser/ui/webui/settings/settings_clear_browsing_data_handler.cc7
-rw-r--r--chromium/components/browsing_data/core/browsing_data_utils.cc9
-rw-r--r--chromium/components/browsing_data/core/browsing_data_utils.h4
3 files changed, 13 insertions, 7 deletions
diff --git a/chromium/chrome/browser/ui/webui/settings/settings_clear_browsing_data_handler.cc b/chromium/chrome/browser/ui/webui/settings/settings_clear_browsing_data_handler.cc
index b1bc8a1447a..324e8d7439e 100644
--- a/chromium/chrome/browser/ui/webui/settings/settings_clear_browsing_data_handler.cc
+++ b/chromium/chrome/browser/ui/webui/settings/settings_clear_browsing_data_handler.cc
@@ -258,11 +258,12 @@ void ClearBrowsingDataHandler::HandleClearBrowsingData(
base::Value::ConstListView data_type_list = args_list[1].GetListDeprecated();
for (const base::Value& type : data_type_list) {
const std::string pref_name = type.GetString();
- BrowsingDataType data_type =
+ absl::optional<BrowsingDataType> data_type =
browsing_data::GetDataTypeFromDeletionPreference(pref_name);
- data_type_vector.push_back(data_type);
+ CHECK(data_type);
+ data_type_vector.push_back(*data_type);
- switch (data_type) {
+ switch (*data_type) {
case BrowsingDataType::HISTORY:
if (prefs->GetBoolean(prefs::kAllowDeletingBrowserHistory))
remove_mask |= chrome_browsing_data_remover::DATA_TYPE_HISTORY;
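Review bot: The new `CHECK(data_type)` before the push_back carries no explanation of why a hard browser-process crash is preferred over skipping the entry, so a later reader may relax it back to a DCHECK or to a `continue` and reopen the issue the commit fixes. A one-line rationale at the CHECK would pin it: `// |pref_name| comes from the WebUI renderer and is reachable from DevTools; an unknown name is a contract violation, and using an unchecked type downstream was a heap overflow (crbug.com/1405123), so fail loudly rather than guess.` The preceding `GetListDeprecated()` and `type.GetString()` calls in the context lines rely on the same message-shape contract; whether they validate non-list/non-string input is not visible in this hunk, so that is worth confirming at the callers. HandleClearBrowsingData begins before and continues after the hunk, including the later use of data_type_vector where the out-of-range type was presumably consumed.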
diff --git a/chromium/components/browsing_data/core/browsing_data_utils.cc b/chromium/components/browsing_data/core/browsing_data_utils.cc
index c6fdb552bdf..5e91ab5b32d 100644
--- a/chromium/components/browsing_data/core/browsing_data_utils.cc
+++ b/chromium/components/browsing_data/core/browsing_data_utils.cc
@@ -17,6 +17,7 @@
#include "components/browsing_data/core/pref_names.h"
#include "components/prefs/pref_service.h"
#include "components/strings/grit/components_strings.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
#include "ui/base/l10n/l10n_util.h"
namespace browsing_data {
@@ -362,7 +363,7 @@ bool GetDeletionPreferenceFromDataType(
return false;
}
-BrowsingDataType GetDataTypeFromDeletionPreference(
+absl::optional<BrowsingDataType> GetDataTypeFromDeletionPreference(
const std::string& pref_name) {
using DataTypeMap = base::flat_map<std::string, BrowsingDataType>;
static base::NoDestructor<DataTypeMap> preference_to_datatype(
@@ -381,8 +382,10 @@ BrowsingDataType GetDataTypeFromDeletionPreference(
});
auto iter = preference_to_datatype->find(pref_name);
- DCHECK(iter != preference_to_datatype->end());
- return iter->second;
+ if (iter != preference_to_datatype->end()) {
+ return iter->second;
+ }
+ return absl::nullopt;
}
} // namespace browsing_data
diff --git a/chromium/components/browsing_data/core/browsing_data_utils.h b/chromium/components/browsing_data/core/browsing_data_utils.h
index 209d9601294..9bc3f2b55cb 100644
--- a/chromium/components/browsing_data/core/browsing_data_utils.h
+++ b/chromium/components/browsing_data/core/browsing_data_utils.h
@@ -11,6 +11,7 @@
#include "build/build_config.h"
#include "components/browsing_data/core/clear_browsing_data_tab.h"
#include "components/browsing_data/core/counters/browsing_data_counter.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
namespace browsing_data {
@@ -76,7 +77,8 @@ bool GetDeletionPreferenceFromDataType(
ClearBrowsingDataTab clear_browsing_data_tab,
std::string* out_pref);
-BrowsingDataType GetDataTypeFromDeletionPreference(
+// Returns a BrowsingDataType if a type matching |pref_name| is found.
+absl::optional<BrowsingDataType> GetDataTypeFromDeletionPreference(
const std::string& pref_name);
} // namespace browsing_data
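Review bot: The new header comment on GetDataTypeFromDeletionPreference says only what happens on success and leaves the failure value and the caller's obligation implicit, although that obligation is the whole point of the change. Suggest `// Returns the BrowsingDataType whose deletion preference is |pref_name|, or absl::nullopt if |pref_name| is not a known deletion preference. Callers that receive names from outside the browser process (e.g. WebUI messages) must handle the empty case instead of dereferencing unconditionally.` Being explicit that nullopt is an expected outcome, not an internal error, also documents why the DCHECK in the .cc was removed rather than kept alongside the optional.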