Implement MediaMetadata artwork in content

content/common/media/media_metadata_sanitizer.cc

Index: content/common/media/media_metadata_sanitizer.cc
diff --git a/content/common/media/media_metadata_sanitizer.cc b/content/common/media/media_metadata_sanitizer.cc
new file mode 100644
index 0000000000000000000000000000000000000000..ad3bf029516719d94113314ad298b72a24ee7420
--- /dev/null
+++ b/content/common/media/media_metadata_sanitizer.cc
@@ -0,0 +1,113 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "content/common/media/media_metadata_sanitizer.h"
+
+#include <algorithm>
+#include <string>
+
+namespace content {
+
+namespace {
+
+// Maximum length for all the strings inside the MediaMetadata when it is sent
+// over IPC. The renderer process should truncate the strings before sending
+// the MediaMetadata and the browser process must do the same when receiving
+// it.
+const size_t kMaxIPCStringLength = 4 * 1024;
+
+// Maximum type length of Artwork, which conforms to RFC 4288
+// (https://tools.ietf.org/html/rfc4288).
+const size_t kMaxArtworkTypeLength = 2 * 127 + 1;
+
+// Maximum number of artwork images inside the MediaMetadata.
+const size_t kMaxNumberOfArtworkImages = 10;
+
+// Maximum of sizes in an artwork image.
+const size_t kMaxNumberOfArtworkSizes = 10;
+
+bool CheckArtworkSrcSanity(const GURL& src) {
+  if (!src.is_valid())
+    return false;
+  if (!src.SchemeIsHTTPOrHTTPS() && !src.SchemeIs(url::kDataScheme))
+    return false;
+  if (src.spec().size() > url::kMaxURLChars)
+    return false;
+
+  return true;
+}
+
+bool CheckArtworkSanity(const MediaMetadata::Artwork& artwork) {
+  if (!CheckArtworkSrcSanity(artwork.src))
+    return false;
+  if (artwork.type.is_null())
+    return false;
+  if (artwork.type.string().size() > kMaxArtworkTypeLength)
+    return false;
+  if (artwork.sizes.size() > kMaxNumberOfArtworkSizes)
+    return false;
+
+  return true;
+}
+
+// Sanitize artwork. The method should not be called if |artwork.src| is bad.
+MediaMetadata::Artwork SanitizeArtwork(const MediaMetadata::Artwork& artwork) {
+  MediaMetadata::Artwork sanitized_artwork;
+
+  sanitized_artwork.src = artwork.src;
+  sanitized_artwork.type = artwork.type.is_null() ?
+      base::NullableString16() :
+      base::NullableString16(
+          artwork.type.string().substr(0, kMaxArtworkTypeLength), false);
+  for (const auto& size : artwork.sizes) {
+    sanitized_artwork.sizes.push_back(size);
+    if (sanitized_artwork.sizes.size() == kMaxNumberOfArtworkSizes)
+      break;
+  }
+
+  return sanitized_artwork;
+}
+
+}  // anonymous namespace
+
+bool MediaMetadataSanitizer::CheckSanity(const MediaMetadata& metadata) {
+  if (metadata.title.size() > kMaxIPCStringLength)
+    return false;
+  if (metadata.artist.size() > kMaxIPCStringLength)
+    return false;
+  if (metadata.album.size() > kMaxIPCStringLength)
+    return false;
+  if (metadata.artwork.size() > kMaxNumberOfArtworkImages)
+    return false;
+
+  for (const auto& artwork : metadata.artwork) {
+    if (!CheckArtworkSanity(artwork))
+        return false;
+  }
+
+  return true;
+}
+
+MediaMetadata MediaMetadataSanitizer::Sanitize(const MediaMetadata& metadata) {
+  MediaMetadata sanitized_metadata;
+
+  sanitized_metadata.title = metadata.title.substr(0, kMaxIPCStringLength);
+  sanitized_metadata.artist = metadata.artist.substr(0, kMaxIPCStringLength);
+  sanitized_metadata.album = metadata.album.substr(0, kMaxIPCStringLength);
+
+  for (const auto& artwork : metadata.artwork) {
+    if (!CheckArtworkSrcSanity(artwork.src))
+      continue;
+
+    sanitized_metadata.artwork.push_back(
+        CheckArtworkSanity(artwork) ? artwork : SanitizeArtwork(artwork));
+
+    if (sanitized_metadata.artwork.size() == kMaxNumberOfArtworkImages)
+      break;
+  }
+
+  return sanitized_metadata;
+}
+
+}  // namespace content