Fix invalid StringPiece to string conversion.

Found by the newly-added fuzzer. Fortunately this is not a problem for any existing callers, which only ever passed a StringPiece derived from a full std::string (which promises to be NUL-terminated). Bug: 954703, 954760 Change-Id: I274de66b785d9f272a25264980e21878c5a77872 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1577580Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Auto-Submit: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#652868}

Fix invalid StringPiece to string conversion.
Found by the newly-added fuzzer. Fortunately this is not a problem for any existing callers, which only ever passed a StringPiece derived from a full std::string (which promises to be NUL-terminated). Bug: 954703, 954760 Change-Id: I274de66b785d9f272a25264980e21878c5a77872 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1577580Reviewed-by: Matt Mueller <mattm@chromium.org> Commit-Queue: Matt Mueller <mattm@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Auto-Submit: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#652868}
545e4cfa · David Benjamin · Commit Bot · b114a689 · 545e4cfa · 545e4cfa
Commit 545e4cfa authored Apr 22, 2019 by David Benjamin Committed by Commit Bot Apr 22, 2019
Showing with 14 additions and 4 deletions

components/domain_reliability/header.cc components/domain_reliability/header.cc +4 -2

components/domain_reliability/header_unittest.cc components/domain_reliability/header_unittest.cc +10 -2

No files found.
--- a/components/domain_reliability/header.cc
+++ b/components/domain_reliability/header.cc
@@ -28,8 +28,8 @@ class DirectiveHeaderValueParser {
    SYNTAX_ERROR
  };
-  DirectiveHeaderValueParser(base::StringPiece value)
+  explicit DirectiveHeaderValueParser(base::StringPiece value)
-      : value_(value.data()),
+      : value_(value.as_string()),
        tokenizer_(value_.begin(), value_.end(), ";= "),
        stopped_with_error_(false) {
    tokenizer_.set_options(base::StringTokenizer::RETURN_DELIMS);
@@ -134,6 +134,8 @@ class DirectiveHeaderValueParser {
    return BEFORE_VALUE;
  }
+  // TODO(https://crbug.com/820198): This could take a StringPiece once
+  // StringTokenizer is made StringPiece-friendly.
  std::string value_;
  base::StringTokenizer tokenizer_;

--- a/components/domain_reliability/header_unittest.cc
+++ b/components/domain_reliability/header_unittest.cc
@@ -4,7 +4,10 @@
 #include "components/domain_reliability/header.h"
+#include <algorithm>
 #include "base/strings/string_number_conversions.h"
+#include "base/strings/string_piece.h"
 #include "base/strings/string_split.h"
 #include "base/strings/stringprintf.h"
 #include "components/domain_reliability/config.h"
@@ -18,8 +21,13 @@ class DomainReliabilityHeaderTest : public testing::Test {
  DomainReliabilityHeaderTest() {}
  ~DomainReliabilityHeaderTest() override {}
-  void Parse(std::string value) {
+  void Parse(base::StringPiece value) {
-    parsed_ = DomainReliabilityHeader::Parse(value);
+    // Run the parser over a non-NUL-terminated buffer, so ASan will catch
+    // StringPiece misuses.
+    std::unique_ptr<char[]> copy(new char[value.size()]);
+    std::copy(value.begin(), value.end(), copy.get());
+    parsed_ = DomainReliabilityHeader::Parse(
+        base::StringPiece(copy.get(), value.size()));
  }
  const DomainReliabilityHeader* parsed() const { return parsed_.get(); }