authorMichael BrĂ¼ning <michael.bruning@qt.io>2019-12-02 15:16:48 +0100
committerMichael BrĂ¼ning <michael.bruning@qt.io>2019-12-02 18:31:19 +0000
commitc112c079a5d7364bdf0f2686616df7024a8dad82 (patch)
tree28a38790af6757ad0837fa9b83645c0dcc8e7672
parentd7a0d0f0d0dc20e1940ee8f7b805247db535ebd0 (diff)
downloadqtwebengine-chromium-c112c079a5d7364bdf0f2686616df7024a8dad82.tar.gz
[Backport] CVE-2019-5829
Manual backport with adjustments: Early return if a download Id is already used when creating a download. This protects against download Id overflow and a use-after-free issue. BUG=958533 Change-Id: Ib7501ceaefd87390369e3206f645f0e8622220a1 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/content/browser/download/download_manager_impl.cc12
1 files changed, 11 insertions, 1 deletions
diff --git a/chromium/content/browser/download/download_manager_impl.cc b/chromium/content/browser/download/download_manager_impl.cc
index 04d76dfb4ea..44a49ee1fb6 100644
--- a/chromium/content/browser/download/download_manager_impl.cc
+++ b/chromium/content/browser/download/download_manager_impl.cc
@@ -192,7 +192,10 @@ DownloadItemImpl* DownloadManagerImpl::CreateActiveItem(
uint32_t id,
const DownloadCreateInfo& info) {
DCHECK_CURRENTLY_ON(BrowserThread::UI);
- DCHECK(!base::ContainsKey(downloads_, id));
+
+ if (base::ContainsKey(downloads_, id))
+ return nullptr;
+
net::NetLogWithSource net_log =
net::NetLogWithSource::Make(net_log_, net::NetLogSourceType::DOWNLOAD);
DownloadItemImpl* download =
@@ -354,6 +357,13 @@ void DownloadManagerImpl::StartDownloadWithId(
download = item_iterator->second.get();
}
+ if (!download) {
+ if (!on_started.is_null())
+ on_started.Run(nullptr, DOWNLOAD_INTERRUPT_REASON_USER_CANCELED);
+
+ return;
+ }
+
base::FilePath default_download_directory;
if (delegate_) {
base::FilePath website_save_directory; // Unused
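Review bot: CreateActiveItem's return value becomes nullable at the new early return in the first hunk, but nothing documents that and the removed DCHECK was the only thing that made an id collision visible, so a caller that still assumes a non-null item would dereference it; the one caller shown here, StartDownloadWithId, does check, while any other caller of CreateActiveItem is outside this diff and should be audited. I would replace the blank line added above the check with a comment such as `// Returns nullptr if |id| is already in use; every caller must handle this.` and log the collision before returning, e.g. `DLOG(ERROR) << "Download id " << id << " already in use";`, so the condition stays observable in release builds now that the DCHECK is gone. In the second hunk, DOWNLOAD_INTERRUPT_REASON_USER_CANCELED is reported for an internal id clash, which may be the closest existing reason, but a one-line comment stating that choice would help a later reader. The body of StartDownloadWithId continues outside the hunk.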