authorMaks Orlovich <morlovich@chromium.org>2022-11-22 22:18:55 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-01-20 14:53:58 +0000
commit9c908e9c9f81ae234795c4f6350920d55132b998 (patch)
tree0b54876d79365fa9913720d2b082e65ca4b6ecf9
parent406715225b17b2cf4204f17b9b651bef5d397392 (diff)
downloadqtwebengine-chromium-9c908e9c9f81ae234795c4f6350920d55132b998.tar.gz
[Backport] CVE-2023-0129: Heap buffer overflow in Network Service
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4048289: Align NetworkContext::SetNetworkConditions better with devtools emulateNetworkConditions The former used values of 0 to disable particular throttles, while the latter documents -1, and looks to be pretty much a direct client, and the only one. So make NetworkService handle everything <= 0 as a disable, clamping at intake of config. Bug: 1382033 (cherry picked from commit ce463c2c939818a12bbcec5e2c91c35f2a0a1f0e) Change-Id: I2fd3f075d5071cb0cf647838782115b5c00405bf Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4035891 Reviewed-by: Ken Buchanan <kenrb@chromium.org> Reviewed-by: Eric Orth <ericorth@chromium.org> Commit-Queue: Maks Orlovich <morlovich@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1073566} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4048289 Cr-Commit-Position: refs/branch-heads/5414@{#188} Cr-Branched-From: 4417ee59d7bf6df7a9c9ea28f7722d2ee6203413-refs/heads/main@{#1070088} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/454382 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/services/network/public/mojom/network_context.mojom4
-rw-r--r--chromium/services/network/throttling/network_conditions.cc8
-rw-r--r--chromium/services/network/throttling/network_conditions.h2
3 files changed, 9 insertions, 5 deletions
diff --git a/chromium/services/network/public/mojom/network_context.mojom b/chromium/services/network/public/mojom/network_context.mojom
index 7a5ed4b72e1..04f9bf2a6c2 100644
--- a/chromium/services/network/public/mojom/network_context.mojom
+++ b/chromium/services/network/public/mojom/network_context.mojom
@@ -483,11 +483,11 @@ struct NetworkConditions {
// response received.
mojo_base.mojom.TimeDelta latency;
- // Maximal aggregated download throughput (bytes/sec). 0 disables download
+ // Maximal aggregated download throughput (bytes/sec). <=0 disables download
// throttling.
double download_throughput;
- // Maximal aggregated upload throughput (bytes/sec). 0 disables upload
+ // Maximal aggregated upload throughput (bytes/sec). <=0 disables upload
// throttling.
double upload_throughput;
};
diff --git a/chromium/services/network/throttling/network_conditions.cc b/chromium/services/network/throttling/network_conditions.cc
index 71cd4ac0e52..18b2b6e0efd 100644
--- a/chromium/services/network/throttling/network_conditions.cc
+++ b/chromium/services/network/throttling/network_conditions.cc
@@ -4,6 +4,8 @@
#include "services/network/throttling/network_conditions.h"
+#include <algorithm>
+
namespace network {
NetworkConditions::NetworkConditions() : NetworkConditions(false) {}
@@ -16,9 +18,9 @@ NetworkConditions::NetworkConditions(bool offline,
double download_throughput,
double upload_throughput)
: offline_(offline),
- latency_(latency),
- download_throughput_(download_throughput),
- upload_throughput_(upload_throughput) {}
+ latency_(std::max(latency, 0.0)),
+ download_throughput_(std::max(download_throughput, 0.0)),
+ upload_throughput_(std::max(upload_throughput, 0.0)) {}
NetworkConditions::~NetworkConditions() {}
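Review bot: The `std::max(x, 0.0)` clamps in the initializer list let NaN through, because `std::max` returns its first argument whenever `x < 0.0` is false, and that comparison is always false for NaN. If these doubles can reach the constructor unchanged from a mojo caller, the stored value would be neither 0 nor positive, which is the invariant this commit sets out to establish; whether the downstream throttling code tolerates that is not visible here. Consider `latency_(std::isnan(latency) ? 0.0 : std::max(latency, 0.0)),` and the same form for the two throughput members, with `<cmath>` included. The constructor's signature starts above the hunk, and the diffstat lists no test file, so a unit test covering negative and NaN inputs would be worth adding alongside.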
diff --git a/chromium/services/network/throttling/network_conditions.h b/chromium/services/network/throttling/network_conditions.h
index 7b34446f654..2c08c88e9b5 100644
--- a/chromium/services/network/throttling/network_conditions.h
+++ b/chromium/services/network/throttling/network_conditions.h
@@ -28,6 +28,8 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkConditions {
bool IsThrottling() const;
bool offline() const { return offline_; }
+
+ // These are 0 if the corresponding throttle is disabled, >0 otherwise.
double latency() const { return latency_; }
double download_throughput() const { return download_throughput_; }
double upload_throughput() const { return upload_throughput_; }
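Review bot: The comment added above `latency()` gives the 0-means-disabled convention but says neither where the non-negative guarantee comes from nor what units the values carry. The mojom file in this commit documents the throughputs as bytes/sec; the unit of the `double` latency is not visible in this hunk. Suggest `// Clamped to >= 0 by the constructor; 0 means the corresponding throttle is disabled. Throughputs are in bytes/sec.` and adding the latency unit once confirmed. The class body continues outside the hunk.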