[SPDY] Insert bounds checks for data structures indexed by RequestPriority

This is to track down the hypothesized out-of-bounds error causing
the crash in the bug.

BUG=308348
R=rtenneti@chromium.org

Review URL: https://codereview.chromium.org/28003002

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@229301 0039d316-1c4b-4281-b951-d872f2087c98

3 files changed, 23 insertions, 6 deletions

diff --git a/net/spdy/spdy_session.cc b/net/spdy/spdy_session.cc
index a0e0f7e..8727b77 100644
--- a/net/spdy/spdy_session.cc
+++ b/net/spdy/spdy_session.cc
@@ -645,7 +645,10 @@ int SpdySession::TryCreateStream(
 
   stalled_streams_++;
   net_log().AddEvent(NetLog::TYPE_SPDY_SESSION_STALLED_MAX_STREAMS);
-  pending_create_stream_queues_[request->priority()].push_back(request);
+  RequestPriority priority = request->priority();
+  CHECK_GE(priority, MINIMUM_PRIORITY);
+  CHECK_LT(priority, NUM_PRIORITIES);
+  pending_create_stream_queues_[priority].push_back(request);
   return ERR_IO_PENDING;
 }
 
@@ -701,11 +704,14 @@ int SpdySession::CreateStream(const SpdyStreamRequest& request,
 void SpdySession::CancelStreamRequest(
     const base::WeakPtr<SpdyStreamRequest>& request) {
   DCHECK(request);
+  RequestPriority priority = request->priority();
+  CHECK_GE(priority, MINIMUM_PRIORITY);
+  CHECK_LT(priority, NUM_PRIORITIES);
 
   if (DCHECK_IS_ON()) {
     // |request| should not be in a queue not matching its priority.
     for (int i = 0; i < NUM_PRIORITIES; ++i) {
-      if (request->priority() == i)
+      if (priority == i)
         continue;
       PendingStreamRequestQueue* queue = &pending_create_stream_queues_[i];
       DCHECK(std::find_if(queue->begin(),
@@ -715,7 +721,7 @@ void SpdySession::CancelStreamRequest(
   }
 
   PendingStreamRequestQueue* queue =
-      &pending_create_stream_queues_[request->priority()];
+      &pending_create_stream_queues_[priority];
   // Remove |request| from |queue| while preserving the order of the
   // other elements.
   PendingStreamRequestQueue::iterator it =
@@ -2926,7 +2932,10 @@ void SpdySession::DecreaseRecvWindowSize(int32 delta_window_size) {
 
 void SpdySession::QueueSendStalledStream(const SpdyStream& stream) {
   DCHECK(stream.send_stalled_by_flow_control());
-  stream_send_unstall_queue_[stream.priority()].push_back(stream.stream_id());
+  RequestPriority priority = stream.priority();
+  CHECK_GE(priority, MINIMUM_PRIORITY);
+  CHECK_LT(priority, NUM_PRIORITIES);
+  stream_send_unstall_queue_[priority].push_back(stream.stream_id());
 }
 
 void SpdySession::ResumeSendStalledStreams() {
diff --git a/net/spdy/spdy_stream.cc b/net/spdy/spdy_stream.cc
index a603a6c..9134469 100644
--- a/net/spdy/spdy_stream.cc
+++ b/net/spdy/spdy_stream.cc
@@ -113,6 +113,8 @@ SpdyStream::SpdyStream(SpdyStreamType type,
   CHECK(type_ == SPDY_BIDIRECTIONAL_STREAM ||
         type_ == SPDY_REQUEST_RESPONSE_STREAM ||
         type_ == SPDY_PUSH_STREAM);
+  CHECK_GE(priority_, MINIMUM_PRIORITY);
+  CHECK_LT(priority_, NUM_PRIORITIES);
 }
 
 SpdyStream::~SpdyStream() {
diff --git a/net/spdy/spdy_write_queue.cc b/net/spdy/spdy_write_queue.cc
index 2ac4241..e2bcfc4 100644
--- a/net/spdy/spdy_write_queue.cc
+++ b/net/spdy/spdy_write_queue.cc
@@ -44,6 +44,8 @@ void SpdyWriteQueue::Enqueue(RequestPriority priority,
                              SpdyFrameType frame_type,
                              scoped_ptr<SpdyBufferProducer> frame_producer,
                              const base::WeakPtr<SpdyStream>& stream) {
+  CHECK_GE(priority, MINIMUM_PRIORITY);
+  CHECK_LT(priority, NUM_PRIORITIES);
   if (stream.get())
     DCHECK_EQ(stream->priority(), priority);
   queue_[priority].push_back(
@@ -70,12 +72,16 @@ bool SpdyWriteQueue::Dequeue(SpdyFrameType* frame_type,
 
 void SpdyWriteQueue::RemovePendingWritesForStream(
     const base::WeakPtr<SpdyStream>& stream) {
+  RequestPriority priority = stream->priority();
+  CHECK_GE(priority, MINIMUM_PRIORITY);
+  CHECK_LT(priority, NUM_PRIORITIES);
+
   DCHECK(stream.get());
   if (DCHECK_IS_ON()) {
     // |stream| should not have pending writes in a queue not matching
     // its priority.
     for (int i = 0; i < NUM_PRIORITIES; ++i) {
-      if (stream->priority() == i)
+      if (priority == i)
         continue;
       for (std::deque<PendingWrite>::const_iterator it = queue_[i].begin();
            it != queue_[i].end(); ++it) {
@@ -85,7 +91,7 @@ void SpdyWriteQueue::RemovePendingWritesForStream(
   }
 
   // Do the actual deletion and removal, preserving FIFO-ness.
-  std::deque<PendingWrite>* queue = &queue_[stream->priority()];
+  std::deque<PendingWrite>* queue = &queue_[priority];
   std::deque<PendingWrite>::iterator out_it = queue->begin();
   for (std::deque<PendingWrite>::const_iterator it = queue->begin();
        it != queue->end(); ++it) {