authorMichael BrĂ¼ning <michael.bruning@qt.io>2018-08-15 18:05:18 +0200
committerMichael BrĂ¼ning <michael.bruning@qt.io>2018-09-11 09:16:32 +0000
commit91e04d13ea711db3fd6cb711cbf5012b11db2a96 (patch)
tree1493570c7f4d958f08f602bb86625ebd7ea870a3
parentd0c78ff5e1ecfcf07666e049dcedbe166a52e4cb (diff)
[Backport] Security fix for Chromium bug 839197
Fix a use-after-free in PermissionContextBase

Currently we assume that there will be at most one of each PermissionType in a call to PermissionServiceImpl::RequestPermissions. However, we never actually verify this, and if it turns out to be false, it triggers a use-after-free in PermissionContextBase. Verify that this is the case; otherwise call ReceivedBadMessage.

Bug: 839197
Change-Id: I2ee78cedbe18ab8a011cbcd5d8882e33c97a5bee
Reviewed-on: https://chromium-review.googlesource.com/1053333
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/browser/permissions/permission_service_impl.cc10
1 files changed, 10 insertions, 0 deletions
diff --git a/chromium/content/browser/permissions/permission_service_impl.cc b/chromium/content/browser/permissions/permission_service_impl.cc
index 0dc7a3fd9ca..a8eefaefd6a 100644
--- a/chromium/content/browser/permissions/permission_service_impl.cc
+++ b/chromium/content/browser/permissions/permission_service_impl.cc
@@ -5,6 +5,9 @@
#include "content/browser/permissions/permission_service_impl.h"
#include <stddef.h>
+
+#include <memory>
+#include <set>
#include <utility>
#include "base/bind.h"
@@ -189,11 +192,18 @@ void PermissionServiceImpl::RequestPermissions(
}
std::vector<PermissionType> types(permissions.size());
+ std::set<PermissionType> duplicates_check;
for (size_t i = 0; i < types.size(); ++i) {
if (!PermissionDescriptorToPermissionType(permissions[i], &types[i])) {
ReceivedBadMessage();
return;
}
+ // Each permission should appear at most once in the message.
+ bool inserted = duplicates_check.insert(types[i]).second;
+ if (!inserted) {
+ ReceivedBadMessage();
+ return;
+ }
}
int pending_request_id = pending_requests_.Add(
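Review bot: The comment on the new duplicate check inside the loop states the rule but not the reason, and the reason is the security-relevant part: per the commit message, a repeated PermissionType in one request leads to a use-after-free in PermissionContextBase. I would write it as `// Reject duplicate types: a repeated PermissionType in one request causes a use-after-free in PermissionContextBase (bug 839197).` so that nobody later relaxes the check as over-strict validation. The check runs on the mapped type rather than on the descriptor, which presumably also catches distinct descriptors that resolve to the same PermissionType, and that is worth saying in the same comment. The diffstat shows only this file changed, so a regression test that sends a request with a repeated permission and expects ReceivedBadMessage() would be worth adding; the body of RequestPermissions starts and ends outside the hunk.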