[Video Capture Manager] Delete all occurrences of device start reques…

…ts queued.

The vulnerability indicated in crbug.com/995964 suggests that the core
issue relates to the assumption that device_start_request_queue_ can
only contain one occurrence of a controller while this might not be the
case.

This change makes sure that all occurrence of a controller are removed
from the list, instead of removing only the first found.

BUG=995964

Change-Id: Ice2a1da37d13339128d3d52d25daa252c5d61155
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1784726
Reviewed-by: Guido Urdaneta <[email protected]>
Commit-Queue: Armando Miraglia <[email protected]>
Cr-Commit-Position: refs/heads/master@{#694255}

content/browser/renderer_host/media/video_capture_manager.cc

@@ -243,16 +243,14 @@ void VideoCaptureManager::DoStopDevice(VideoCaptureController* controller) {
 
   // If start request has not yet started processing, i.e. if it is not at the
   // beginning of the queue, remove it from the queue.
-  auto request_iter = device_start_request_queue_.begin();
-  if (request_iter != device_start_request_queue_.end()) {
-    request_iter =
-        std::find_if(++request_iter, device_start_request_queue_.end(),
-                     [controller](const CaptureDeviceStartRequest& request) {
-                       return request.controller() == controller;
-                     });
-    if (request_iter != device_start_request_queue_.end()) {
-      device_start_request_queue_.erase(request_iter);
-      return;
+  if (!device_start_request_queue_.empty()) {
+    auto second_request = std::next(device_start_request_queue_.begin());
+
+    for (auto it = second_request; it != device_start_request_queue_.end();) {
+      if (it->controller() == controller)
+        it = device_start_request_queue_.erase(it);
+      else
+        ++it;
     }
   }