Fix missing bounds check in MerkleIntegritySourceStream.

Also use base::StringPiece rather than a std::string reference. It avoids some unnecessary copies in the substrings. Bug: 814591 Change-Id: I7a1a0387b09038f7e084b2baf7b67716c729710a Reviewed-on: https://chromium-review.googlesource.com/953744Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#541652}

Fix missing bounds check in MerkleIntegritySourceStream.
Also use base::StringPiece rather than a std::string reference. It avoids some unnecessary copies in the substrings. Bug: 814591 Change-Id: I7a1a0387b09038f7e084b2baf7b67716c729710a Reviewed-on: https://chromium-review.googlesource.com/953744Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: David Benjamin <davidben@chromium.org> Cr-Commit-Position: refs/heads/master@{#541652}
d3c6f1b7 · David Benjamin · Commit Bot · 2ce8b7e0 · d3c6f1b7 · d3c6f1b7
Commit d3c6f1b7 authored Mar 08, 2018 by David Benjamin Committed by Commit Bot Mar 08, 2018
3 changed files
--- a/content/browser/loader/merkle_integrity_source_stream.cc
+++ b/content/browser/loader/merkle_integrity_source_stream.cc
@@ -17,19 +17,20 @@ namespace {
 constexpr uint64_t kMaxRecordSize = 5 * 1024 * 1024;
 constexpr char kMiSha256Header[] = "mi-sha256=";
-constexpr int kMiSha256HeaderLength = sizeof(kMiSha256Header) - 1;
+constexpr size_t kMiSha256HeaderLength = sizeof(kMiSha256Header) - 1;
 }  // namespace
 MerkleIntegritySourceStream::MerkleIntegritySourceStream(
-    const std::string& mi_header_value,
+    base::StringPiece mi_header_value,
    std::unique_ptr<SourceStream> upstream)
    // TODO(ksakamoto): Use appropriate SourceType.
    : net::FilterSourceStream(SourceStream::TYPE_NONE, std::move(upstream)),
      record_size_(0),
      failed_(false) {
  // TODO(ksakamoto): Support quoted parameter value.
-  if (mi_header_value.substr(0, kMiSha256HeaderLength) != kMiSha256Header ||
+  if (mi_header_value.size() < kMiSha256HeaderLength ||
+      mi_header_value.substr(0, kMiSha256HeaderLength) != kMiSha256Header ||
      !base::Base64UrlDecode(mi_header_value.substr(kMiSha256HeaderLength),
                             base::Base64UrlDecodePolicy::DISALLOW_PADDING,
                             &next_proof_) ||

--- a/content/browser/loader/merkle_integrity_source_stream.h
+++ b/content/browser/loader/merkle_integrity_source_stream.h
@@ -9,6 +9,7 @@
 #include <string>
 #include "base/macros.h"
+#include "base/strings/string_piece.h"
 #include "content/common/content_export.h"
 #include "net/filter/filter_source_stream.h"
@@ -21,7 +22,7 @@ namespace content {
 class CONTENT_EXPORT MerkleIntegritySourceStream
    : public net::FilterSourceStream {
 public:
-  MerkleIntegritySourceStream(const std::string& mi_header_value,
+  MerkleIntegritySourceStream(base::StringPiece mi_header_value,
                              std::unique_ptr<SourceStream> upstream);
  ~MerkleIntegritySourceStream() override;

--- a/content/browser/loader/merkle_integrity_source_stream_unittest.cc
+++ b/content/browser/loader/merkle_integrity_source_stream_unittest.cc
@@ -161,6 +161,14 @@ TEST_P(MerkleIntegritySourceStreamTest, EmptyStream) {
  EXPECT_EQ(net::ERR_CONTENT_DECODING_FAILED, result);
 }
+TEST_P(MerkleIntegritySourceStreamTest, TooShortMIHeader) {
+  Init("z");
+  source()->AddReadResult(nullptr, 0, net::OK, GetParam().mode);
+  std::string actual_output;
+  int result = ReadStream(&actual_output);
+  EXPECT_EQ(net::ERR_CONTENT_DECODING_FAILED, result);
+}
 TEST_P(MerkleIntegritySourceStreamTest, MalformedMIHeader) {
  Init("invalid-MI-header-value");
  source()->AddReadResult(nullptr, 0, net::OK, GetParam().mode);