Sanitize chrome://extension-icon/ URL inputs.

chrome/browser/ui/webui/extension_icon_source.cc

Index: chrome/browser/ui/webui/extension_icon_source.cc
diff --git a/chrome/browser/ui/webui/extension_icon_source.cc b/chrome/browser/ui/webui/extension_icon_source.cc
index 8981179d13862d799b7e1f068e0bd4d0feb31dd3..0bfa3008c1fb055d97ae4d2f52abc36839f372c8 100644
--- a/chrome/browser/ui/webui/extension_icon_source.cc
+++ b/chrome/browser/ui/webui/extension_icon_source.cc
@@ -264,12 +264,18 @@ bool ExtensionIconSource::ParseData(const std::string& path,
   if (!base::StringToInt(size_param, &size_num))
     return false;
   size = static_cast<Extension::Icons>(size_num);
+  if (size <= 0)
+    return false;
 
   ExtensionIconSet::MatchType match_type;
   int match_num;
   if (!base::StringToInt(match_param, &match_num))
     return false;
   match_type = static_cast<ExtensionIconSet::MatchType>(match_num);
+  if (!(match_type == ExtensionIconSet::MATCH_EXACTLY ||
+        match_type == ExtensionIconSet::MATCH_SMALLER ||
+        match_type == ExtensionIconSet::MATCH_BIGGER))
+    match_type = ExtensionIconSet::MATCH_EXACTLY;
 
   std::string extension_id = path_parts.at(0);
   const Extension* extension =