[push_messaging] Check ArrayBuffer size in PushEvent::create

This CL replaces calls to DeprecatedByteLengthAsUnsigned by calls to
ByteLengthAsSizeT. Unfortunately the current implementation cannot deal
with huge ArrayBuffers yet. Therefore I reject the incoming
ArrayBuffers with a RangeError if its size is too big.

Background: we prepare ArrayBuffers to be bigger than 4GB. Therefore we
changed the size field to size_t. Now we are changing all uses of
ByteLength to be able to deal with size_t, either by accepting a size_t,
or by throwing an exception if the size is too big.

Bug: chromium:1008840

Change-Id: I87f083e72858ae2ca119cb8adc2e021d540e4e4d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2000922Reviewed-by: Peter Beverloo <peter@chromium.org>
Commit-Queue: Andreas Haas <ahaas@chromium.org>
Cr-Commit-Position: refs/heads/master@{#731984}

third_party/blink/renderer/modules/push_messaging/push_event.cc

@@ -14,10 +14,28 @@ PushEvent::PushEvent(const AtomicString& type,
     : ExtendableEvent(type, ExtendableEventInit::Create(), observer),
       data_(data) {}
 
-PushEvent::PushEvent(const AtomicString& type, const PushEventInit* initializer)
+PushEvent::PushEvent(const AtomicString& type,
+                     const PushEventInit* initializer,
+                     ExceptionState& exception_state)
     : ExtendableEvent(type, initializer) {
-  if (initializer->hasData())
+  if (initializer->hasData()) {
+    const ArrayBufferOrArrayBufferViewOrUSVString& message_data =
+        initializer->data();
+    if (message_data.IsArrayBuffer() || message_data.IsArrayBufferView()) {
+      DOMArrayBuffer* buffer =
+          message_data.IsArrayBufferView()
+              ? message_data.GetAsArrayBufferView().View()->buffer()
+              : message_data.GetAsArrayBuffer();
+      if (!base::CheckedNumeric<uint32_t>(buffer->ByteLengthAsSizeT())
+               .IsValid()) {
+        exception_state.ThrowRangeError(
+            "The provided ArrayBuffer exceeds the maximum supported size "
+            "(4294967295)");
+        return;
+      }
+    }
     data_ = PushMessageData::Create(initializer->data());
+  }
 }
 
 PushEvent::~PushEvent() = default;

third_party/blink/renderer/modules/push_messaging/push_event.h

@@ -27,14 +27,17 @@ class MODULES_EXPORT PushEvent final : public ExtendableEvent {
     return MakeGarbageCollected<PushEvent>(type, data, observer);
   }
   static PushEvent* Create(const AtomicString& type,
-                           const PushEventInit* initializer) {
-    return MakeGarbageCollected<PushEvent>(type, initializer);
+                           const PushEventInit* initializer,
+                           ExceptionState& exception_state) {
+    return MakeGarbageCollected<PushEvent>(type, initializer, exception_state);
   }
 
   PushEvent(const AtomicString& type,
             PushMessageData* data,
             WaitUntilObserver* observer);
-  PushEvent(const AtomicString& type, const PushEventInit* initializer);
+  PushEvent(const AtomicString& type,
+            const PushEventInit* initializer,
+            ExceptionState& exception_state);
   ~PushEvent() override;
 
   // ExtendableEvent interface.

third_party/blink/renderer/modules/push_messaging/push_event.idl

@@ -8,6 +8,6 @@
     Exposed=ServiceWorker,
     RuntimeEnabled=PushMessaging
 ] interface PushEvent : ExtendableEvent {
-    constructor(DOMString type, optional PushEventInit eventInitDict);
+    [RaisesException] constructor(DOMString type, optional PushEventInit eventInitDict);
     readonly attribute PushMessageData? data;
 };

third_party/blink/renderer/modules/push_messaging/push_message_data.cc

@@ -40,7 +40,7 @@ PushMessageData* PushMessageData::Create(
 
     return MakeGarbageCollected<PushMessageData>(
         static_cast<const char*>(buffer->Data()),
-        buffer->DeprecatedByteLengthAsUnsigned());
+        base::checked_cast<wtf_size_t>(buffer->ByteLengthAsSizeT()));
   }
 
   if (message_data.IsUSVString()) {