Add end() check to fix security bug

Fix the bug by checking we have not reached the end before accessing. BUG=1095560 Change-Id: I309237562ddd5058c3b3b99d58a03c526cf49b6a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2276511 Commit-Queue: Becca Hughes <beccahughes@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#784113}

Add end() check to fix security bug
Fix the bug by checking we have not reached the end before accessing. BUG=1095560 Change-Id: I309237562ddd5058c3b3b99d58a03c526cf49b6a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2276511 Commit-Queue: Becca Hughes <beccahughes@chromium.org> Reviewed-by: Robert Sesek <rsesek@chromium.org> Cr-Commit-Position: refs/heads/master@{#784113}
1755fa3e · Becca Hughes · Commit Bot · affe0911 · 1755fa3e · 1755fa3e
Commit 1755fa3e authored Jun 30, 2020 by Becca Hughes Committed by Commit Bot Jun 30, 2020
2 changed files
--- a/chrome/browser/media/history/media_history_keyed_service.cc
+++ b/chrome/browser/media/history/media_history_keyed_service.cc
@@ -157,8 +157,10 @@ void MediaHistoryKeyedService::OnURLsDeleted(
    const auto& origin_count =
        deletion_info.deleted_urls_origin_map().find(origin.GetURL());

-    if (origin_count->second.first > 0)
+    if (origin_count == deletion_info.deleted_urls_origin_map().end() ||
+        origin_count->second.first > 0) {
      continue;
+    }

    deleted_origins.insert(origin);
  }

--- a/chrome/browser/media/history/media_history_keyed_service_unittest.cc
+++ b/chrome/browser/media/history/media_history_keyed_service_unittest.cc
@@ -1012,4 +1012,17 @@ TEST_P(MediaHistoryKeyedServiceTest, CleanUpDatabaseWhenURLIsDeleted) {
  }
 }

+TEST_P(MediaHistoryKeyedServiceTest, SecurityRegressionTest) {
+  history::URLRows urls_to_delete = {
+      history::URLRow(GURL("https://www.google.com/test1A"))};
+  history::DeletionInfo deletion_info =
+      history::DeletionInfo::ForUrls(urls_to_delete, std::set<GURL>());
+  deletion_info.set_deleted_urls_origin_map({
+      {GURL("https://www.google.com/test1B"), {0, base::Time::Now()}},
+      {GURL("https://www.google.com/test1C"), {0, base::Time::Now()}},
+  });
+
+  service()->OnURLsDeleted(nullptr, deletion_info);
+}
+
 }  // namespace media_history