[FileAPI] Ensure we're not trying to create blob with bogus data.

The file system provider API passed metadata back from the extensions
without any kind of sanitization. This means that for example "valid"
blobs with negative sizes could exist. We don't want to have to deal
with these weird beasts on the blob size, so add some assertions to the
blob code to make sure this doesn't happen, and sanitize negative sizes
on the file system provider side before passing them back.

This is part of a series of changes to improve consistency surrounding how
snapshot state of files/blobs is implemented.

Bug: 844874
Change-Id: Ie3dd1de9d49b071b615e969ec68529bf3074c875
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1976431Reviewed-by: Daniel Murphy <dmurph@chromium.org>
Reviewed-by: Naoki Fukino <fukino@chromium.org>
Reviewed-by: Jeremy Roman <jbroman@chromium.org>
Commit-Queue: Marijn Kruisselbrink <mek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#728006}

chrome/browser/chromeos/file_system_provider/fileapi/provider_async_file_util.cc

@@ -73,7 +73,7 @@ void OnGetFileInfo(int fields,
   if (fields & storage::FileSystemOperation::GET_METADATA_FIELD_IS_DIRECTORY)
     file_info.is_directory = *metadata->is_directory;
   if (fields & storage::FileSystemOperation::GET_METADATA_FIELD_SIZE)
-    file_info.size = *metadata->size;
+    file_info.size = std::max(int64_t{0}, *metadata->size);
 
   if (fields & storage::FileSystemOperation::GET_METADATA_FIELD_LAST_MODIFIED) {
     file_info.last_modified = *metadata->modification_time;

third_party/blink/renderer/bindings/core/v8/serialization/v8_script_value_serializer_test.cc

@@ -1481,8 +1481,10 @@ TEST(V8ScriptValueSerializerTest, RoundTripFileNonNativeSnapshot) {
   // Preserving behavior, filesystem URL is not preserved across cloning.
   V8TestingScope scope;
   KURL url("filesystem:http://example.com/isolated/hash/non-native-file");
+  FileMetadata metadata;
+  metadata.length = 0;
   File* file =
-      File::CreateForFileSystemFile(url, FileMetadata(), File::kIsUserVisible);
+      File::CreateForFileSystemFile(url, metadata, File::kIsUserVisible);
   v8::Local<v8::Value> wrapper = ToV8(file, scope.GetScriptState());
   v8::Local<v8::Value> result = RoundTrip(wrapper, scope);
   ASSERT_TRUE(V8File::HasInstance(result, scope.GetIsolate()));

third_party/blink/renderer/core/clipboard/data_object_test.cc

@@ -128,8 +128,10 @@ TEST_F(DataObjectTest, fileSystemId) {
 
   data_object_->AddFilename(file_path, String(), String());
   data_object_->AddFilename(file_path, String(), "fileSystemIdForFilename");
+  FileMetadata metadata;
+  metadata.length = 0;
   data_object_->Add(
-      File::CreateForFileSystemFile(url, FileMetadata(), File::kIsUserVisible),
+      File::CreateForFileSystemFile(url, metadata, File::kIsUserVisible),
       "fileSystemIdForFileSystemFile");
 
   ASSERT_EQ(3U, data_object_->length());

third_party/blink/renderer/core/fileapi/file.cc

@@ -271,9 +271,9 @@ File::File(const KURL& file_system_url,
       name_(DecodeURLEscapeSequences(file_system_url.LastPathComponent(),
                                      DecodeURLMode::kUTF8OrIsomorphic)),
       file_system_url_(file_system_url),
+      snapshot_size_(metadata.length),
       snapshot_modification_time_(metadata.modification_time) {
-  if (metadata.length >= 0)
-    snapshot_size_ = metadata.length;
+  DCHECK_GE(metadata.length, 0);
 }
 
 File::File(const File& other)

third_party/blink/renderer/core/fileapi/file_list_test.cc

@@ -42,8 +42,10 @@ TEST(FileListTest, pathsForUserVisibleFiles) {
   {
     KURL url(
         "filesystem:http://example.com/isolated/hash/visible-non-native-file");
-    file_list->Append(File::CreateForFileSystemFile(url, FileMetadata(),
-                                                    File::kIsUserVisible));
+    FileMetadata metadata;
+    metadata.length = 0;
+    file_list->Append(
+        File::CreateForFileSystemFile(url, metadata, File::kIsUserVisible));
   }
 
   // Not user visible file system URL file.
@@ -51,8 +53,10 @@ TEST(FileListTest, pathsForUserVisibleFiles) {
     KURL url(
         "filesystem:http://example.com/isolated/hash/"
         "not-visible-non-native-file");
-    file_list->Append(File::CreateForFileSystemFile(url, FileMetadata(),
-                                                    File::kIsNotUserVisible));
+    FileMetadata metadata;
+    metadata.length = 0;
+    file_list->Append(
+        File::CreateForFileSystemFile(url, metadata, File::kIsNotUserVisible));
   }
 
   Vector<base::FilePath> paths = file_list->PathsForUserVisibleFiles();

third_party/blink/renderer/core/fileapi/file_test.cc

@@ -214,6 +214,7 @@ TEST(FileTest, FileSystemFileWithApocalypseTimestamp) {
 TEST(FileTest, fileSystemFileWithoutNativeSnapshot) {
   KURL url("filesystem:http://example.com/isolated/hash/non-native-file");
   FileMetadata metadata;
+  metadata.length = 0;
   File* const file =
       File::CreateForFileSystemFile(url, metadata, File::kIsUserVisible);
   EXPECT_FALSE(file->HasBackingFile());
@@ -239,6 +240,7 @@ TEST(FileTest, hsaSameSource) {
   KURL url_a("filesystem:http://example.com/isolated/hash/non-native-file-A");
   KURL url_b("filesystem:http://example.com/isolated/hash/non-native-file-B");
   FileMetadata metadata;
+  metadata.length = 0;
   File* const file_system_file_a1 =
       File::CreateForFileSystemFile(url_a, metadata, File::kIsUserVisible);
   File* const file_system_file_a2 =

third_party/blink/renderer/platform/blob/blob_data.cc

@@ -103,7 +103,7 @@ RawData::RawData() = default;
 BlobData::BlobData(FileCompositionStatus composition)
     : file_composition_(composition) {}
 
-BlobData::~BlobData() {}
+BlobData::~BlobData() = default;
 
 Vector<mojom::blink::DataElementPtr> BlobData::ReleaseElements() {
   return std::move(elements_);
@@ -173,6 +173,7 @@ void BlobData::AppendFile(
          "create a blob with a single file with unknown size, use "
          "BlobData::createForFileWithUnknownSize. Otherwise please provide the "
          "file size.";
+  DCHECK_GE(length, 0);
   // Skip zero-byte items, as they don't matter for the contents of the blob.
   if (length == 0)
     return;
@@ -201,6 +202,7 @@ void BlobData::AppendFileSystemURL(
     const base::Optional<base::Time>& expected_modification_time) {
   DCHECK_EQ(file_composition_, FileCompositionStatus::NO_UNKNOWN_SIZE_FILES)
       << "Blobs with a unknown-size file cannot have other items.";
+  DCHECK_GE(length, 0);
   // Skip zero-byte items, as they don't matter for the contents of the blob.
   if (length == 0)
     return;
@@ -359,8 +361,7 @@ BlobDataHandle::BlobDataHandle(
   DCHECK(blob_remote_.is_valid());
 }
 
-BlobDataHandle::~BlobDataHandle() {
-}
+BlobDataHandle::~BlobDataHandle() = default;
 
 mojo::PendingRemote<mojom::blink::Blob> BlobDataHandle::CloneBlobRemote() {
   MutexLocker locker(blob_remote_mutex_);