Check the size of bitmaps coming over IPC.

R=cpu
BUG=10869
TEST=IPCMessageTest.Bitmap

Review URL: http://codereview.chromium.org/92064

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@14398 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 53 insertions, 4 deletions

diff --git a/chrome/common/ipc_message_unittest.cc b/chrome/common/ipc_message_unittest.cc
index 643626e..cbf0f86 100644
--- a/chrome/common/ipc_message_unittest.cc
+++ b/chrome/common/ipc_message_unittest.cc
@@ -6,9 +6,12 @@
 
 #include "chrome/common/ipc_message.h"
 #include "chrome/common/ipc_message_utils.h"
+#include "base/scoped_ptr.h"
 #include "googleurl/src/gurl.h"
 #include "testing/gtest/include/gtest/gtest.h"
 
+#include "SkBitmap.h"
+
 // Tests that serialize/deserialize correctly understand each other
 TEST(IPCMessageTest, Serialize) {
   const char* serialize_cases[] = {
@@ -47,3 +50,45 @@ TEST(IPCMessageTest, Serialize) {
   void* iter = NULL;
   EXPECT_FALSE(IPC::ParamTraits<GURL>::Read(&msg, &iter, &output));
 }
+
+// Tests bitmap serialization.
+TEST(IPCMessageTest, Bitmap) {
+  SkBitmap bitmap;
+
+  bitmap.setConfig(SkBitmap::kARGB_8888_Config, 10, 5);
+  bitmap.allocPixels();
+  memset(bitmap.getPixels(), 'A', bitmap.getSize());
+
+  IPC::Message msg(1, 2, IPC::Message::PRIORITY_NORMAL);
+  IPC::ParamTraits<SkBitmap>::Write(&msg, bitmap);
+
+  SkBitmap output;
+  void* iter = NULL;
+  EXPECT_TRUE(IPC::ParamTraits<SkBitmap>::Read(&msg, &iter, &output));
+
+  EXPECT_EQ(bitmap.config(), output.config());
+  EXPECT_EQ(bitmap.width(), output.width());
+  EXPECT_EQ(bitmap.height(), output.height());
+  EXPECT_EQ(bitmap.rowBytes(), output.rowBytes());
+  EXPECT_EQ(bitmap.getSize(), output.getSize());
+  EXPECT_EQ(memcmp(bitmap.getPixels(), output.getPixels(), bitmap.getSize()),
+            0);
+
+  // Also test the corrupt case.
+  IPC::Message bad_msg(1, 2, IPC::Message::PRIORITY_NORMAL);
+  // Copy the first message block over to |bad_msg|.
+  const char* fixed_data;
+  int fixed_data_size;
+  iter = NULL;
+  msg.ReadData(&iter, &fixed_data, &fixed_data_size);
+  bad_msg.WriteData(fixed_data, fixed_data_size);
+  // Add some bogus pixel data.
+  const size_t bogus_pixels_size = bitmap.getSize() * 2;
+  scoped_ptr<char> bogus_pixels(new char[bogus_pixels_size]);
+  memset(bogus_pixels.get(), 'B', bogus_pixels_size);
+  bad_msg.WriteData(bogus_pixels.get(), bogus_pixels_size);
+  // Make sure we don't read out the bitmap!
+  SkBitmap bad_output;
+  iter = NULL;
+  EXPECT_FALSE(IPC::ParamTraits<SkBitmap>::Read(&bad_msg, &iter, &bad_output));
+}
diff --git a/chrome/common/ipc_message_utils.cc b/chrome/common/ipc_message_utils.cc
index 36e8052..8ce3f4f 100644
--- a/chrome/common/ipc_message_utils.cc
+++ b/chrome/common/ipc_message_utils.cc
@@ -33,13 +33,18 @@ struct SkBitmap_Data {
     fRowBytes = bitmap.rowBytes();
   }
 
-  void InitSkBitmapFromData(SkBitmap* bitmap, const char* pixels,
+  // Returns whether |bitmap| successfully initialized.
+  bool InitSkBitmapFromData(SkBitmap* bitmap, const char* pixels,
                             size_t total_pixels) const {
     if (total_pixels) {
       bitmap->setConfig(fConfig, fWidth, fHeight, fRowBytes);
-      bitmap->allocPixels();
+      if (!bitmap->allocPixels())
+        return false;
+      if (total_pixels > bitmap->getSize())
+        return false;
       memcpy(bitmap->getPixels(), pixels, total_pixels);
     }
+    return true;
   }
 };
 
@@ -78,8 +83,7 @@ bool ParamTraits<SkBitmap>::Read(const Message* m, void** iter, SkBitmap* r) {
   }
   const SkBitmap_Data* bmp_data =
       reinterpret_cast<const SkBitmap_Data*>(fixed_data);
-  bmp_data->InitSkBitmapFromData(r, variable_data, variable_data_size);
-  return true;
+  return bmp_data->InitSkBitmapFromData(r, variable_data, variable_data_size);
 }
 
 void ParamTraits<SkBitmap>::Log(const SkBitmap& p, std::wstring* l) {