author: Mikel Astiz <mastiz@chromium.org> 2021-04-30 07:23:49 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2021-05-26 15:25:01 +0000
commit: 4646e31fd9660ccd987ac750eeba074c208a7ac1 (patch)
tree: dbb6a4d85287cc76c1ea6d25f9e13fc71c606444 /chromium/tools
parent: 01441068d6d6ffaa6a7b47c22027dcd91f2c63da (diff)
download: qtwebengine-chromium-4646e31fd9660ccd987ac750eeba074c208a7ac1.tar.gz
[Backport] CVE-2021-30516: Heap buffer overflow in History.
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/2859102:

Guard WebContents::DownloadImage() against malformed renderer response

Callers expect that ImageDownloadCallback gets invoked with two vectors having the same number of elements (one containing the bitmaps and the other one the corresponding sizes). However, these vectors are populated directly from the Mojo response, so there needs to be some browser-process sanitization to protect against buggy or compromised renderers.

In this patch, WebContentsImpl::OnDidDownloadImage() mimics a 400 error if the response is malformed, similarly to how it's done in other edge cases (renderer process dead upon download). Because this scenario is a violation of the Mojo API contract, the browser process also issues a bad message log (newly-introduced WCI_INVALID_DOWNLOAD_IMAGE_RESULT) and shuts down the renderer process.

Change-Id: I29baa421b3590e9a9eeaee95a6e331c08dce5096
Fixed: 1201446
Reviewed-by: Avi Drissman <avi@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Commit-Queue: Mikel Astiz <mastiz@chromium.org>
Cr-Commit-Position: refs/heads/master@{#877817}
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
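The guard the commit message describes, written out as an added illustration (this is not the Chromium code and not part of the commit): a browser-side sanitizer that refuses a renderer response whose bitmap and size vectors disagree in length, substitutes a 400 status with empty vectors, and flags the response so the caller can log a bad message and terminate the renderer. The `Bitmap`, `Size` and `ImageDownloadResult` types, the function names and the `bad_message` flag are stand-ins chosen for the example, not Chromium's types or API.

```cpp
#include <cstddef>
#include <utility>
#include <vector>

// Hypothetical stand-ins for SkBitmap and gfx::Size (not Chromium types).
struct Bitmap { int width; int height; };
struct Size { int width; int height; };

// Hypothetical shape of what reaches the ImageDownloadCallback.
struct ImageDownloadResult {
  int http_status_code = 0;
  std::vector<Bitmap> bitmaps;
  std::vector<Size> original_sizes;
  bool bad_message = false;  // true when the renderer broke the Mojo contract
};

// Browser-process sanitization of a renderer-supplied response. A response
// whose two vectors differ in length is treated as a failed (400) download
// with empty vectors, and flagged so the caller can report a bad message and
// shut down the renderer. Well-formed responses pass through unchanged.
ImageDownloadResult SanitizeImageDownloadResponse(int http_status_code,
                                                  std::vector<Bitmap> bitmaps,
                                                  std::vector<Size> sizes) {
  ImageDownloadResult result;
  if (bitmaps.size() != sizes.size()) {
    result.http_status_code = 400;
    result.bad_message = true;
    return result;  // bitmaps and original_sizes stay empty on purpose
  }
  result.http_status_code = http_status_code;
  result.bitmaps = std::move(bitmaps);
  result.original_sizes = std::move(sizes);
  return result;
}

// A consumer in the style of the callers the message mentions: indexing both
// vectors by the same i is only safe because the sanitizer guaranteed equal
// lengths before the result was handed over.
int CountBitmapsMatchingOriginalSize(const ImageDownloadResult& r) {
  int n = 0;
  for (std::size_t i = 0; i < r.bitmaps.size(); ++i) {
    if (r.bitmaps[i].width == r.original_sizes[i].width &&
        r.bitmaps[i].height == r.original_sizes[i].height) {
      ++n;
    }
  }
  return n;
}
```

The consumer never re-checks the lengths itself; that is the point of doing the validation once, in the browser process, at the Mojo boundary, so that every downstream caller can rely on the invariant.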
Diffstat (limited to 'chromium/tools')
-rw-r--r-- chromium/tools/metrics/histograms/enums.xml | 1
1 file changed, 1 insertion(+), 0 deletions(-)
diff --git a/chromium/tools/metrics/histograms/enums.xml b/chromium/tools/metrics/histograms/enums.xml
index f524d6df7fe..e4c8f6896b0 100644
--- a/chromium/tools/metrics/histograms/enums.xml
+++ b/chromium/tools/metrics/histograms/enums.xml
@@ -6487,6 +6487,7 @@ Called by update_bad_message_reasons.py.-->
<int value="232" label="RFH_RECEIVED_ASSOCIATED_MESSAGE_WHILE_BFCACHED"/>
<int value="233" label="RWH_CLOSE_PORTAL"/>
<int value="234" label="MSDH_INVALID_STREAM_TYPE"/>
+ <int value="243" label="WCI_INVALID_DOWNLOAD_IMAGE_RESULT"/>
</enum>
<enum name="BadMessageReasonExtensions">
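Review bot: the new entry is numbered 243 immediately after 234, so values 235 to 242 are absent from this backported enums.xml. That is acceptable here (histogram enum values need not be contiguous, and keeping the upstream number preserves comparability of the BadMessageReason histogram with upstream data), but because this diffstat is limited to chromium/tools, the matching browser-side enumerator for WCI_INVALID_DOWNLOAD_IMAGE_RESULT lands in a separate change; confirm that it is pinned to 243 explicitly rather than appended sequentially after the tree's last existing enumerator, since a sequential value such as 235 would be reported under a number this file does not label and the `Called by update_bad_message_reasons.py` comment on the hunk header indicates the two are expected to stay in step.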