diff options
| author | sky@google.com <sky@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-09-16 22:04:20 +0000 |
|---|---|---|
| committer | sky@google.com <sky@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2008-09-16 22:04:20 +0000 |
| commit | 5fe2c27391b3ca2f2864a0a4f6bd957d4347f95c (patch) | |
| tree | cc5362c7d4bcecd2e7c4e25e1fb32892f380a849 | |
| parent | 62cde7f151ed81bec13c382e6c5d4d54d5f3cb82 (diff) | |
| download | chromium_src-5fe2c27391b3ca2f2864a0a4f6bd957d4347f95c.zip chromium_src-5fe2c27391b3ca2f2864a0a4f6bd957d4347f95c.tar.gz chromium_src-5fe2c27391b3ca2f2864a0a4f6bd957d4347f95c.tar.bz2 | |
Fixes bug where we could write MAX_PATH + 1 to the clipboard. I came
across this when tracking down previous fix. Allowing MAX_PATH + 1
causes a DCHECK to be hit when we read back from the clipboard.
BUG=none
TEST=none
Review URL: http://codereview.chromium.org/3023
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@2286 0039d316-1c4b-4281-b951-d872f2087c98
| -rw-r--r-- | webkit/port/platform/ClipboardWin.cpp | 19 |
1 files changed, 10 insertions, 9 deletions
diff --git a/webkit/port/platform/ClipboardWin.cpp b/webkit/port/platform/ClipboardWin.cpp index 2fa6ae3..a3b83f9 100644 --- a/webkit/port/platform/ClipboardWin.cpp +++ b/webkit/port/platform/ClipboardWin.cpp @@ -106,20 +106,21 @@ static inline void pathRemoveBadFSCharacters(PWSTR psz, size_t length) static String filesystemPathFromUrlOrTitle(const String& url, const String& title, TCHAR* extension, bool isLink) { bool usedURL = false; - WCHAR fsPathBuffer[MAX_PATH + 1]; + WCHAR fsPathBuffer[MAX_PATH]; fsPathBuffer[0] = 0; - int extensionLen = extension ? lstrlen(extension) : 0; + int extensionLen = extension ? min(MAX_PATH - 1, lstrlen(extension)) : 0; + String extensionString = extension ? String(extension, extensionLen) : String(L""); // We make the filename based on the title only if there's an extension. if (!title.isEmpty() && extension) { - size_t len = min<size_t>(title.length(), MAX_PATH - extensionLen); + size_t len = min<size_t>(title.length(), MAX_PATH - extensionLen - 1); CopyMemory(fsPathBuffer, title.characters(), len * sizeof(UChar)); fsPathBuffer[len] = 0; pathRemoveBadFSCharacters(fsPathBuffer, len); } if (!lstrlen(fsPathBuffer)) { - DWORD len = MAX_PATH; + DWORD len = MAX_PATH - 1; String nullTermURL = url; usedURL = true; if (UrlIsFileUrl((LPCWSTR)nullTermURL.charactersWithNullTermination()) @@ -135,10 +136,10 @@ static String filesystemPathFromUrlOrTitle(const String& url, const String& titl KURL kurl(url.deprecatedString()); String lastComponent; if (!isLink && !(lastComponent = kurl.lastPathComponent()).isEmpty()) { - len = min<DWORD>(MAX_PATH, lastComponent.length()); + len = min<DWORD>(MAX_PATH - 1, lastComponent.length()); CopyMemory(fsPathBuffer, lastComponent.characters(), len * sizeof(UChar)); } else { - len = min<DWORD>(MAX_PATH, nullTermURL.length()); + len = min<DWORD>(MAX_PATH - 1, nullTermURL.length()); CopyMemory(fsPathBuffer, nullTermURL.characters(), len * sizeof(UChar)); } fsPathBuffer[len] = 0; @@ -150,13 +151,13 @@ static String filesystemPathFromUrlOrTitle(const String& url, const String& titl return String((UChar*)fsPathBuffer); if (!isLink && usedURL) { - PathRenameExtension(fsPathBuffer, extension); + PathRenameExtension(fsPathBuffer, extensionString.charactersWithNullTermination()); return String((UChar*)fsPathBuffer); } String result((UChar*)fsPathBuffer); - result += String((UChar*)extension); - return result; + result += extensionString; + return result.length() >= MAX_PATH ? result.substring(0, MAX_PATH - 1) : result; } static HGLOBAL createGlobalURLContent(const String& url, int estimatedFileSize) |