Fix NavController buffer overflow found by IPC fuzzer.

Fix NavController buffer overflow found by IPC fuzzer.

Not possible in normal execution, but a compromised renderer process
can trigger a replacement operation when there are no committed
entries.

BUG=516088
TEST=ClusterFuzz reports as fixed.

Committed: https://crrev.com/37979a6e6ef37ba75a6ce2e7a894eb012571f632
Cr-Commit-Position: refs/heads/master@{#341765}

[Charlie Reis, 2015-08-04 15:59:01]

creis@chromium.org changed reviewers:
+ avi@chromium.org

[Charlie Reis, 2015-08-04 16:01:37]

Avi, can you take a look?  This is closer to the old flow before
https://codereview.chromium.org/1245433002/.

I haven't yet reproduced the issue from ClusterFuzz so I'm not sure how the fake
IPCs caused |replace| to be true, but this seems like the most likely reason.

[Avi (use Gerrit), 2015-08-04 18:19:51]

lgtm

This looks reasonable. In this case, we skip both if() blocks, end up appending,
and life goes on? I don't think that would cause any real problems, now that
we're not dropping navigations based on offset.

[Charlie Reis, 2015-08-04 19:02:30]

On 2015/08/04 18:19:51, Avi wrote:
> lgtm
> 
> This looks reasonable. In this case, we skip both if() blocks, end up
appending,
> and life goes on? I don't think that would cause any real problems, now that
> we're not dropping navigations based on offset.

Yep, that's the idea.

[Charlie Reis, 2015-08-04 19:02:35]

The CQ bit was checked by creis@chromium.org

[commit-bot: I haz the power, 2015-08-04 19:03:54]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1272453002/1
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1272453002/1

[commit-bot: I haz the power, 2015-08-04 19:49:28]

Committed patchset #1 (id:1)

[commit-bot: I haz the power, 2015-08-04 19:53:00]

Patchset 1 (id:??) landed as
https://crrev.com/37979a6e6ef37ba75a6ce2e7a894eb012571f632
Cr-Commit-Position: refs/heads/master@{#341765}