ClearBrowsingData: Prevent heap overflow with false data type

Users can call ClearBrowsingDataHandler::HandleClearBrowsingData with
false arguments through devtools. This usually results in a clean crash.
Passing an invalid data type results in a heap overflow. This is turned
into a clean crash by changing a DCHECK into a CHECK.

Bug: 1405123
Change-Id: I00c7d7aefcd8b1d68a285fce62edf8ebdf2e3b4b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4166946
Reviewed-by: Demetrios Papadopoulos <dpapad@chromium.org>
Commit-Queue: Demetrios Papadopoulos <dpapad@chromium.org>
Auto-Submit: Christian Dullweber <dullweber@chromium.org>
Reviewed-by: Martin Šrámek <msramek@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1093506}

chrome/browser/ui/webui/settings/settings_clear_browsing_data_handler.cc

@@ -175,11 +175,12 @@ void ClearBrowsingDataHandler::HandleClearBrowsingData(
       Profile::FromWebUI(web_ui()));
   for (const base::Value& type : data_type_list) {
     const std::string pref_name = type.GetString();
-    BrowsingDataType data_type =
+    absl::optional<BrowsingDataType> data_type =
         browsing_data::GetDataTypeFromDeletionPreference(pref_name);
-    data_type_vector.push_back(data_type);
+    CHECK(data_type);
+    data_type_vector.push_back(*data_type);
 
-    switch (data_type) {
+    switch (*data_type) {
       case BrowsingDataType::HISTORY:
         if (prefs->GetBoolean(prefs::kAllowDeletingBrowserHistory))
           remove_mask |= chrome_browsing_data_remover::DATA_TYPE_HISTORY;
@@ -222,7 +223,7 @@ void ClearBrowsingDataHandler::HandleClearBrowsingData(
 
     // Inform the T&S sentiment service that this datatype was cleared.
     if (sentiment_service) {
-      sentiment_service->ClearedBrowsingData(data_type);
+      sentiment_service->ClearedBrowsingData(*data_type);
     }
   }
 

components/browsing_data/core/browsing_data_utils.cc

@@ -17,6 +17,7 @@
 #include "components/browsing_data/core/pref_names.h"
 #include "components/prefs/pref_service.h"
 #include "components/strings/grit/components_strings.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 #include "ui/base/l10n/l10n_util.h"
 
 namespace browsing_data {
@@ -362,7 +363,7 @@ bool GetDeletionPreferenceFromDataType(
   return false;
 }
 
-BrowsingDataType GetDataTypeFromDeletionPreference(
+absl::optional<BrowsingDataType> GetDataTypeFromDeletionPreference(
     const std::string& pref_name) {
   using DataTypeMap = base::flat_map<std::string, BrowsingDataType>;
   static base::NoDestructor<DataTypeMap> preference_to_datatype(
@@ -381,8 +382,10 @@ BrowsingDataType GetDataTypeFromDeletionPreference(
       });
 
   auto iter = preference_to_datatype->find(pref_name);
-  DCHECK(iter != preference_to_datatype->end());
-  return iter->second;
+  if (iter != preference_to_datatype->end()) {
+    return iter->second;
+  }
+  return absl::nullopt;
 }
 
 bool IsHttpsCookieSourceScheme(net::CookieSourceScheme cookie_source_scheme) {

components/browsing_data/core/browsing_data_utils.h

@@ -12,6 +12,7 @@
 #include "components/browsing_data/core/clear_browsing_data_tab.h"
 #include "components/browsing_data/core/counters/browsing_data_counter.h"
 #include "net/cookies/cookie_constants.h"
+#include "third_party/abseil-cpp/absl/types/optional.h"
 
 namespace browsing_data {
 
@@ -77,7 +78,8 @@ bool GetDeletionPreferenceFromDataType(
     ClearBrowsingDataTab clear_browsing_data_tab,
     std::string* out_pref);
 
-BrowsingDataType GetDataTypeFromDeletionPreference(
+// Returns a BrowsingDataType if a type matching |pref_name| is found.
+absl::optional<BrowsingDataType> GetDataTypeFromDeletionPreference(
     const std::string& pref_name);
 
 bool IsHttpsCookieSourceScheme(net::CookieSourceScheme cookie_source_scheme);