author | Michael Brüning <michael.bruning@qt.io> | 2018-08-15 18:05:18 +0200 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2018-09-11 09:16:32 +0000 |
commit | 91e04d13ea711db3fd6cb711cbf5012b11db2a96 (patch) | |
tree | 1493570c7f4d958f08f602bb86625ebd7ea870a3 | |
parent | d0c78ff5e1ecfcf07666e049dcedbe166a52e4cb (diff) | |
download | qtwebengine-chromium-91e04d13ea711db3fd6cb711cbf5012b11db2a96.tar.gz |
[Backport] Security fix for Chromium bug 839197
Fix a use-after-free in PermissionContextBase
Currently we assume that there will only be at most one of each
PermissionType in a call to PermissionServiceImpl::RequestPermissions.
However, we never actually verify this, and if it turns out to be true, it
triggers a use-after-free in PermissionContextBase. Verify that this is
the case; otherwise call ReceivedBadMessage.
Bug: 839197
Change-Id: I2ee78cedbe18ab8a011cbcd5d8882e33c97a5bee
Reviewed-on: https://chromium-review.googlesource.com/1053333
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/content/browser/permissions/permission_service_impl.cc | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/chromium/content/browser/permissions/permission_service_impl.cc b/chromium/content/browser/permissions/permission_service_impl.cc index 0dc7a3fd9ca..a8eefaefd6a 100644 --- a/chromium/content/browser/permissions/permission_service_impl.cc +++ b/chromium/content/browser/permissions/permission_service_impl.cc @@ -5,6 +5,9 @@ #include "content/browser/permissions/permission_service_impl.h" #include <stddef.h> + +#include <memory> +#include <set> #include <utility> #include "base/bind.h" @@ -189,11 +192,18 @@ void PermissionServiceImpl::RequestPermissions( } std::vector<PermissionType> types(permissions.size()); + std::set<PermissionType> duplicates_check; for (size_t i = 0; i < types.size(); ++i) { if (!PermissionDescriptorToPermissionType(permissions[i], &types[i])) { ReceivedBadMessage(); return; } + // Each permission should appear at most once in the message. + bool inserted = duplicates_check.insert(types[i]).second; + if (!inserted) { + ReceivedBadMessage(); + return; + } } int pending_request_id = pending_requests_.Add( |
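Review bot: in the include hunk, `#include <memory>` has no visible user; the only new type this patch introduces is `std::set<PermissionType>`, which needs `<set>` alone. Unless the rest of permission_service_impl.cc already depends on `<memory>` transitively and this is an include-what-you-use cleanup, consider dropping it so the added includes match what the change actually uses.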
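Review bot: in the RequestPermissions hunk, the comment `// Each permission should appear at most once in the message.` states the rule but not why it matters; since this guard is what prevents the use-after-free in PermissionContextBase described in the commit message, say so in the comment and reference bug 839197, so the check is not later relaxed as a harmless leniency tweak. The logic itself is correct: `duplicates_check.insert(types[i]).second` is false exactly when the type was already present, and running the check after PermissionDescriptorToPermissionType means two different descriptors that map to the same PermissionType are rejected as well. ReceivedBadMessage is the right response, because the request arrives from a renderer and a repeated type can only come from a malformed message; a unit test that sends a request with a duplicated type and expects the bad-message path would pin that behaviour down.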