authorAndrey Kosyakov <caseq@chromium.org>2020-04-18 00:07:39 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2020-07-23 08:16:52 +0000
commit7e405525e92dc4f77c59c891e9add4bb5f120fe9 (patch)
tree4b519694eb8a83e336a4ff5720bcb16452d8d2ce
parent288befc5a1e59a30bac5aa26b82e8b8a569c1b33 (diff)
[Backport] CVE-2020-6530: Out of bounds memory access in
developer tools Manual backport of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2154228: DevTools: check whether Fetch domain is enabled before handling commands Bug: 1016278 Change-Id: Icd80e3b287f090ffb4ac67437e7e1ebae392c98b Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/content/browser/devtools/protocol/fetch_handler.cc8
1 files changed, 8 insertions, 0 deletions
diff --git a/chromium/content/browser/devtools/protocol/fetch_handler.cc b/chromium/content/browser/devtools/protocol/fetch_handler.cc
index fad1d3ccb74..de13df7a67a 100644
--- a/chromium/content/browser/devtools/protocol/fetch_handler.cc
+++ b/chromium/content/browser/devtools/protocol/fetch_handler.cc
@@ -316,6 +316,10 @@ void FetchHandler::ContinueWithAuth(
void FetchHandler::GetResponseBody(
const String& requestId,
std::unique_ptr<GetResponseBodyCallback> callback) {
+ if (!interceptor_) {
+ callback->sendFailure(Response::Error("Fetch domain is not enabled"));
+ return;
+ }
auto weapped_callback = std::make_unique<CallbackWrapper<
GetResponseBodyCallback,
DevToolsURLLoaderInterceptor::GetResponseBodyForInterceptionCallback,
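Review bot: The null check on `interceptor_` at the top of GetResponseBody is repeated verbatim, error string included, at the top of TakeResponseBodyAsStream in the next hunk, and neither copy records why it is needed. I would put a one-line comment above each, such as `// interceptor_ is unset while the Fetch domain is disabled; fail the command instead of dereferencing it.` (the "unset while disabled" part is inferred from the error message, so confirm it against where `interceptor_` is assigned), and consider a file-local constant for the message so the two copies cannot drift apart. The diffstat shows only fetch_handler.cc changing, so nothing pins this behaviour; a test that issues both commands without enabling Fetch first and expects the error response would keep the check from being lost in a later merge. Both function bodies continue past the end of their hunks and the file's other command handlers are not visible here, so it is worth confirming that every handler that dereferences `interceptor_` carries the same guard.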
@@ -326,6 +330,10 @@ void FetchHandler::GetResponseBody(
void FetchHandler::TakeResponseBodyAsStream(
const String& requestId,
std::unique_ptr<TakeResponseBodyAsStreamCallback> callback) {
+ if (!interceptor_) {
+ callback->sendFailure(Response::Error("Fetch domain is not enabled"));
+ return;
+ }
interceptor_->TakeResponseBodyPipe(
requestId,
base::BindOnce(&FetchHandler::OnResponseBodyPipeTaken,