CertVerifyProcMac: limit cert trimming loop to chains at most 10 certs long.

The initial verification attempt will still use the full input chain.

Bug: 992267
Change-Id: Ia26f8400cf76defffd9b46d43badfe5dcf74f379
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1746961Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Commit-Queue: Matt Mueller <mattm@chromium.org>
Cr-Commit-Position: refs/heads/master@{#686284}

net/cert/cert_verify_proc_mac.cc

@@ -879,7 +879,18 @@ int VerifyWithGivenFlags(X509Certificate* cert,
       // Short-circuit when a current, trusted chain is found.
       if (!untrusted && !weak_chain)
         break;
-      CFArrayRemoveValueAtIndex(cert_array, CFArrayGetCount(cert_array) - 1);
+      // Trim a cert off the end of chain, but if the chain is longer that 10
+      // certs, trim to at most 10 certs.
+      constexpr int kMaxTrimmedChainLength = 10;
+      if (CFArrayGetCount(cert_array) > kMaxTrimmedChainLength) {
+        CFArrayReplaceValues(
+            cert_array,
+            CFRangeMake(kMaxTrimmedChainLength,
+                        CFArrayGetCount(cert_array) - kMaxTrimmedChainLength),
+            /*newValues=*/nullptr, /*newCount=*/0);
+      } else {
+        CFArrayRemoveValueAtIndex(cert_array, CFArrayGetCount(cert_array) - 1);
+      }
     }
     // Short-circuit when a current, trusted chain is found.
     if (!candidate_untrusted && !candidate_weak)