Fixed handling of a non-NULL attrib_list in PPB_Surface3D Proxy's Create().

Previously, it would read beyond the end of the PP_GRAPHICS3DATTRIB_NONE-terminated list. This change also ensures that attrib values do not trigger termination.

BUG=none
TEST=Pass a non-NULL attrib_list to the pp::Surface3D_Dev constructor and run the plugin out-of-process.

Review URL: http://codereview.chromium.org/7066041

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@87615 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 8 insertions, 5 deletions

diff --git a/ppapi/proxy/ppb_surface_3d_proxy.cc b/ppapi/proxy/ppb_surface_3d_proxy.cc
index 3a20aa1..655bf9d 100644
--- a/ppapi/proxy/ppb_surface_3d_proxy.cc
+++ b/ppapi/proxy/ppb_surface_3d_proxy.cc
@@ -32,11 +32,13 @@ PP_Resource Create(PP_Instance instance,
 
   std::vector<int32_t> attribs;
   if (attrib_list) {
-    for (const int32_t* attr = attrib_list; attr; ++attr)
-      attribs.push_back(*attr);
-  } else {
-    attribs.push_back(0);
+    const int32_t* attr = attrib_list;
+    while(*attr != PP_GRAPHICS3DATTRIB_NONE) {
+      attribs.push_back(*(attr++));  // Attribute.
+      attribs.push_back(*(attr++));  // Value.
+    }
   }
+  attribs.push_back(PP_GRAPHICS3DATTRIB_NONE);  // Always terminate.
 
   HostResource result;
   dispatcher->Send(new PpapiHostMsg_PPBSurface3D_Create(
@@ -159,7 +161,8 @@ void PPB_Surface3D_Proxy::OnMsgCreate(PP_Instance instance,
                                       PP_Config3D_Dev config,
                                       std::vector<int32_t> attribs,
                                       HostResource* result) {
-  DCHECK(attribs.back() == 0);
+  DCHECK(attribs.size() % 2 == 1);
+  DCHECK(attribs.back() == PP_GRAPHICS3DATTRIB_NONE);
   PP_Resource resource =
       ppb_surface_3d_target()->Create(instance, config, &attribs.front());
   result->SetHostResource(instance, resource);