CSP: Harden hash parsing.

Source/core/frame/csp/CSPSourceList.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "config.h"
 #include "core/frame/csp/CSPSourceList.h"
 
 #include "core/frame/csp/CSPSource.h"
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/ParsingUtilities.h"
@@ skipping 270 matching lines @@
 // hash-source       = "'" hash-algorithm "-" hash-value "'"
 // hash-algorithm    = "sha1" / "sha256" / "sha384" / "sha512"
 // hash-value        = 1*( ALPHA / DIGIT / "+" / "/" / "=" )
 //
 bool CSPSourceList::parseHash(const UChar* begin, const UChar* end, DigestValue& hash, ContentSecurityPolicyHashAlgorithm& hashAlgorithm)
 {
     // Any additions or subtractions from this struct should also modify the
     // respective entries in the kAlgorithmMap array in checkDigest().
     static const struct {
         const char* prefix;
-        ContentSecurityPolicyHashAlgorithm algorithm;
+        ContentSecurityPolicyHashAlgorithm type;
     } kSupportedPrefixes[] = {
         { "'sha1-", ContentSecurityPolicyHashAlgorithmSha1 },
         { "'sha256-", ContentSecurityPolicyHashAlgorithmSha256 },
         { "'sha384-", ContentSecurityPolicyHashAlgorithmSha384 },
         { "'sha512-", ContentSecurityPolicyHashAlgorithmSha512 }
     };
 
     String prefix;
     hashAlgorithm = ContentSecurityPolicyHashAlgorithmNone;
+    size_t hashLength = end - begin;
 
-    // Instead of this sizeof() calculation to get the length of this array,
-    // it would be preferable to use WTF_ARRAY_LENGTH for simplicity and to
-    // guarantee a compile time calculation. Unfortunately, on some
-    // compliers, the call to WTF_ARRAY_LENGTH fails on arrays of anonymous
-    // stucts, so, for now, it is necessary to resort to this sizeof
-    // calculation.
-    for (size_t i = 0; i < (sizeof(kSupportedPrefixes) / sizeof(kSupportedPrefixes[0])); i++) {
-        if (equalIgnoringCase(kSupportedPrefixes[i].prefix, begin, strlen(kSupportedPrefixes[i].prefix))) {
-            prefix = kSupportedPrefixes[i].prefix;
-            hashAlgorithm = kSupportedPrefixes[i].algorithm;
+    for (const auto& algorithm : kSupportedPrefixes) {
+        if (hashLength > strlen(algorithm.prefix) && equalIgnoringCase(algorithm.prefix, begin, strlen(algorithm.prefix))) {
+            prefix = algorithm.prefix;
+            hashAlgorithm = algorithm.type;
             break;
         }
     }
 
     if (hashAlgorithm == ContentSecurityPolicyHashAlgorithmNone)
         return true;
 
     const UChar* position = begin + prefix.length();
     const UChar* hashBegin = position;
 
+    ASSERT(position < end);
     skipWhile<UChar, isBase64EncodedCharacter>(position, end);
     ASSERT(hashBegin <= position);
 
     // Base64 encodings may end with exactly one or two '=' characters
-    skipExactly<UChar>(position, position + 1, '=');
-    skipExactly<UChar>(position, position + 1, '=');
+    if (position < end)
+        skipExactly<UChar>(position, position + 1, '=');
+    if (position < end)
+        skipExactly<UChar>(position, position + 1, '=');
 
-    if ((position + 1) != end || *position != '\'' || !(position - hashBegin))
+    if (position + 1 != end || *position != '\'' || position == hashBegin)
         return false;
 
     Vector<char> hashVector;
     base64Decode(hashBegin, position - hashBegin, hashVector);
     if (hashVector.size() > kMaxDigestSize)
         return false;
     hash.append(reinterpret_cast<uint8_t*>(hashVector.data()), hashVector.size());
     return true;
 }
 
@@ skipping 140 matching lines @@
 }
 
 void CSPSourceList::addSourceHash(const ContentSecurityPolicyHashAlgorithm& algorithm, const DigestValue& hash)
 {
     m_hashes.add(CSPHashValue(algorithm, hash));
     m_hashAlgorithmsUsed |= algorithm;
 }
 
 
 } // namespace blink