Avoid memory corruption in sessions sync

chrome/browser/sync/sessions/sessions_sync_manager.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/sync/sessions/sessions_sync_manager.h"
 
 #include "chrome/browser/chrome_notification_types.h"
 #include "chrome/browser/profiles/profile.h"
 #include "chrome/browser/sync/glue/local_device_info_provider.h"
 #include "chrome/browser/sync/glue/synced_tab_delegate.h"
@@ skipping 320 matching lines @@
   syncer::SyncDataList data(
       sync_processor_->GetAllSyncData(syncer::SESSIONS));
   scoped_ptr<syncer::SyncErrorFactory> error_handler(error_handler_.Pass());
   scoped_ptr<syncer::SyncChangeProcessor> processor(sync_processor_.Pass());
 
   StopSyncing(syncer::SESSIONS);
   MergeDataAndStartSyncing(
       syncer::SESSIONS, data, processor.Pass(), error_handler.Pass());
 }
 
+bool SessionsSyncManager::IsValidSessionHeader(
+    const sync_pb::SessionHeader& header) {
+  // Verify that tab IDs appear only once within a session.
+  // Intended to prevent http://crbug.com/360822.
+  std::set<int> session_tab_ids;
+  for (int i = 0; i < header.window_size(); ++i) {
+    const sync_pb::SessionWindow& window = header.window(i);
+    for (int j = 0; j < window.tab_size(); ++j) {
+      const int tab_id = window.tab(j);
+      bool success = session_tab_ids.insert(tab_id).second;
+      if (!success)
+        return false;
+    }
+  }
+
+  return true;
+}
+
 void SessionsSyncManager::OnLocalTabModified(SyncedTabDelegate* modified_tab) {
   const content::NavigationEntry* entry = modified_tab->GetActiveEntry();
   if (!modified_tab->IsBeingDestroyed() &&
       entry &&
       entry->GetVirtualURL().is_valid() &&
       entry->GetVirtualURL().spec() == kNTPOpenTabSyncURL) {
     DVLOG(1) << "Triggering sync refresh for sessions datatype.";
     const syncer::ModelTypeSet types(syncer::SESSIONS);
     content::NotificationService::current()->Notify(
         chrome::NOTIFICATION_SYNC_REFRESH_LOCAL,
@@ skipping 231 matching lines @@
   std::string foreign_session_tag = specifics.session_tag();
   DCHECK_NE(foreign_session_tag, current_machine_tag());
 
   SyncedSession* foreign_session =
       session_tracker_.GetSession(foreign_session_tag);
   if (specifics.has_header()) {
     // Read in the header data for this foreign session.
     // Header data contains window information and ordered tab id's for each
     // window.
 
+    if (!IsValidSessionHeader(specifics.header())) {
+      LOG(WARNING) << "Ignoring foreign session node with invalid header "
+                   << "and tag " << foreign_session_tag << ".";
+      return;
+    }
+
     // Load (or create) the SyncedSession object for this client.
     const sync_pb::SessionHeader& header = specifics.header();
     PopulateSessionHeaderFromSpecifics(header,
                                        modification_time,
                                        foreign_session);
 
     // Reset the tab/window tracking for this session (must do this before
     // we start calling PutWindowInSession and PutTabInWindow so that all
     // unused tabs/windows get cleared by the CleanupSession(...) call).
     session_tracker_.ResetSessionTracking(foreign_session_tag);
@@ skipping 403 matching lines @@
                << " with age " << session_age_in_days << ", deleting.";
       DeleteForeignSessionInternal(session_tag, &changes);
     }
   }
 
   if (!changes.empty())
     sync_processor_->ProcessSyncChanges(FROM_HERE, changes);
 }
 
 };  // namespace browser_sync