Fix a use-after-free in PermissionContextBase

Currently we assume that there will only be at most one of each
PermissionType in a call to PermissionServiceImpl::RequestPermissions.
However we never actually verify this and if it turns out to be true, it
triggers a use-after-free in PermissionContextBase. Verify that this is
the case otherwise call ReceivedBadMessage.

Bug: 839197
Change-Id: I1270486ed942f20422a068c686c46d02e5f10da2
Reviewed-on: https://chromium-review.googlesource.com/1053333Reviewed-by: Timothy Loh <timloh@chromium.org>
Reviewed-by: Kinuko Yasuda <kinuko@chromium.org>
Commit-Queue: Raymes Khoury <raymes@chromium.org>
Cr-Commit-Position: refs/heads/master@{#558569}

content/browser/permissions/permission_service_impl.cc

@@ -7,6 +7,7 @@
 #include <stddef.h>
 
 #include <memory>
+#include <set>
 #include <utility>
 
 #include "base/bind.h"
@@ -168,11 +169,18 @@ void PermissionServiceImpl::RequestPermissions(
   }
 
   std::vector<PermissionType> types(permissions.size());
+  std::set<PermissionType> duplicates_check;
   for (size_t i = 0; i < types.size(); ++i) {
     if (!PermissionDescriptorToPermissionType(permissions[i], &types[i])) {
       ReceivedBadMessage();
       return;
     }
+    // Each permission should appear at most once in the message.
+    bool inserted = duplicates_check.insert(types[i]).second;
+    if (!inserted) {
+      ReceivedBadMessage();
+      return;
+    }
   }
 
   std::unique_ptr<PendingRequest> pending_request =