From 702735ee969634a9527280ff8ae39dacd177e576 Mon Sep 17 00:00:00 2001
From: Christian Dullweber
Date: Tue, 17 Jan 2023 20:34:36 +0000
Subject: [Backport] CVE-2023-0701: Heap buffer overflow in WebUI.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4166946:

ClearBrowsingData: Prevent heap overflow with false data type

Users can call ClearBrowsingDataHandler::HandleClearBrowsingData with false arguments through devtools. This usually results in a clean crash. Passing an invalid data type results in a heap overflow. This is turned into a clean crash by changing a DCHECK into a CHECK.

Bug: 1405123
Change-Id: I00c7d7aefcd8b1d68a285fce62edf8ebdf2e3b4b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4166946
Reviewed-by: Demetrios Papadopoulos
Commit-Queue: Demetrios Papadopoulos
Auto-Submit: Christian Dullweber
Reviewed-by: Martin Šrámek
Cr-Commit-Position: refs/heads/main@{#1093506}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/460496
Reviewed-by: Allan Sandfeld Jensen
---
 .../ui/webui/settings/settings_clear_browsing_data_handler.cc | 7 ++++---
 chromium/components/browsing_data/core/browsing_data_utils.cc | 9 ++++++---
 chromium/components/browsing_data/core/browsing_data_utils.h | 4 +++-
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/chromium/chrome/browser/ui/webui/settings/settings_clear_browsing_data_handler.cc b/chromium/chrome/browser/ui/webui/settings/settings_clear_browsing_data_handler.cc
index b1bc8a1447a..324e8d7439e 100644
--- a/chromium/chrome/browser/ui/webui/settings/settings_clear_browsing_data_handler.cc
+++ b/chromium/chrome/browser/ui/webui/settings/settings_clear_browsing_data_handler.cc
@@ -258,11 +258,12 @@ void ClearBrowsingDataHandler::HandleClearBrowsingData(
   base::Value::ConstListView data_type_list = args_list[1].GetListDeprecated();
   for (const base::Value& type : data_type_list) {
     const std::string pref_name = type.GetString();
-    BrowsingDataType data_type =
+    absl::optional data_type =
         browsing_data::GetDataTypeFromDeletionPreference(pref_name);
-    data_type_vector.push_back(data_type);
+    CHECK(data_type);
+    data_type_vector.push_back(*data_type);
 
-    switch (data_type) {
+    switch (*data_type) {
       case BrowsingDataType::HISTORY:
         if (prefs->GetBoolean(prefs::kAllowDeletingBrowserHistory))
           remove_mask |= chrome_browsing_data_remover::DATA_TYPE_HISTORY;
diff --git a/chromium/components/browsing_data/core/browsing_data_utils.cc b/chromium/components/browsing_data/core/browsing_data_utils.cc
index c6fdb552bdf..5e91ab5b32d 100644
--- a/chromium/components/browsing_data/core/browsing_data_utils.cc
+++ b/chromium/components/browsing_data/core/browsing_data_utils.cc
@@ -17,6 +17,7 @@
 #include "components/browsing_data/core/pref_names.h"
 #include "components/prefs/pref_service.h"
 #include "components/strings/grit/components_strings.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 #include "ui/base/l10n/l10n_util.h"
 
 namespace browsing_data {
@@ -362,7 +363,7 @@ bool GetDeletionPreferenceFromDataType(
   return false;
 }
 
-BrowsingDataType GetDataTypeFromDeletionPreference(
+absl::optional GetDataTypeFromDeletionPreference(
     const std::string& pref_name) {
   using DataTypeMap = base::flat_map;
   static base::NoDestructor preference_to_datatype(
@@ -381,8 +382,10 @@ BrowsingDataType GetDataTypeFromDeletionPreference(
       });
 
   auto iter = preference_to_datatype->find(pref_name);
-  DCHECK(iter != preference_to_datatype->end());
-  return iter->second;
+  if (iter != preference_to_datatype->end()) {
+    return iter->second;
+  }
+  return absl::nullopt;
 }
 
 } // namespace browsing_data
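Review bot: The new `CHECK(data_type)` deserves a one-line comment saying why a release-build CHECK, not a DCHECK, is the intended failure mode here, because a reader of this loop cannot tell that `pref_name` is taken straight from WebUI message arguments; e.g. `// An unknown deletion preference name can only arrive in a malformed WebUI message; fail closed rather than act on an unmapped type.` As rendered, the hunk shows `absl::optional data_type` with no template argument, which is presumably `absl::optional<BrowsingDataType>` with the angle brackets lost in rendering rather than in the patch itself, but that is worth confirming against the original commit. With the CHECK in place, the dereferences in `data_type_vector.push_back(*data_type)` and `switch (*data_type)` are safe. HandleClearBrowsingData starts and ends outside this hunk.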
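Review bot: Changing the return type of GetDataTypeFromDeletionPreference breaks every caller that assigned the result to a `BrowsingDataType`, and the diffstat lists only the settings handler as an updated caller; any other call site in the tree (the diff does not show one either way) would need the same check-then-dereference treatment or would fail to compile, so a tree-wide search is worth doing before landing the backport. The rendered hunk shows `base::flat_map` and `base::NoDestructor` without template arguments, presumably `base::flat_map<std::string, BrowsingDataType>` and `base::NoDestructor<DataTypeMap>` with the angle brackets dropped in rendering, not in the change. The definition's body continues in the next hunk, where the former `DCHECK` on a missing key becomes an explicit `return absl::nullopt;`; that is the substantive fix, since in a release build the DCHECK compiled out and `iter->second` was read through an end iterator.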
diff --git a/chromium/components/browsing_data/core/browsing_data_utils.h b/chromium/components/browsing_data/core/browsing_data_utils.h
index 209d9601294..9bc3f2b55cb 100644
--- a/chromium/components/browsing_data/core/browsing_data_utils.h
+++ b/chromium/components/browsing_data/core/browsing_data_utils.h
@@ -11,6 +11,7 @@
 #include "build/build_config.h"
 #include "components/browsing_data/core/clear_browsing_data_tab.h"
 #include "components/browsing_data/core/counters/browsing_data_counter.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 
 namespace browsing_data {
 
@@ -76,7 +77,8 @@ bool GetDeletionPreferenceFromDataType(
     ClearBrowsingDataTab clear_browsing_data_tab,
     std::string* out_pref);
 
-BrowsingDataType GetDataTypeFromDeletionPreference(
+// Returns a BrowsingDataType if a type matching |pref_name| is found.
+absl::optional GetDataTypeFromDeletionPreference(
     const std::string& pref_name);
 
 } // namespace browsing_data
-- 
cgit v1.2.1
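Review bot: The new header comment documents only the found case, yet the whole point of the change is the not-found path, so it should name that path explicitly so callers know the result has to be checked before dereferencing; e.g. `// Returns the BrowsingDataType whose deletion preference is |pref_name|, or` / `// absl::nullopt if |pref_name| is not a known deletion preference. The name` / `// may come from WebUI message arguments, so callers must handle nullopt.` As rendered, the declaration reads `absl::optional GetDataTypeFromDeletionPreference(` with no template argument; presumably the real declaration is `absl::optional<BrowsingDataType>` and the angle brackets were lost in rendering, but that is worth confirming against the source. If the project's style permits it, marking the function `[[nodiscard]]` would turn an unchecked result at a future call site into a compiler warning.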