author | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-09-28 17:43:47 +0000 |
committer | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-09-28 17:43:47 +0000 |
commit | e3bfec9f7ba9eb84304ab93f04ad5a0c624c81b5 (patch) | |
tree | df2bab95ed7785953ae664d645928bd30e899908 | |
parent | 9b535cfe8e2c2cbb1dd6bccdde4911923d37f0cb (diff) | |
Be defensive against 0-sized custom cursors. This may fix a moderately common
browser crash that triggers ~100 times a day:
`anonymous namespace'::PureCall()
_invalid_parameter_noinfo
std::vector<unsigned char,std::allocator<unsigned char> >::operator[](unsigned int)
WebCursor::GetCursor(HINSTANCE__ *)
RenderWidgetHostViewWin::UpdateCursorIfOverSelf()
RenderWidgetHostViewWin::UpdateCursor(WebCursor const &)
I was unable to reproduce myself, so I don't know if the bad cursor came from
the web or from the Windows "external cursor" concept. Accordingly:
- Do not accept 0-sized cursors from the renderer.
- Do not take &array[0] on an empty std::vector (that is the checked operator[]
  abort in the stack above), matching the other call sites in the cursor code.
Thanks to The Mighty Hoppy for triggering this via means unknown!
BUG=NONE
TEST=NONE (unable to reproduce)
Review URL: http://codereview.chromium.org/251008
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@27372 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r-- | webkit/glue/webcursor.cc | 6 | ||||
-rw-r--r-- | webkit/glue/webcursor_win.cc | 7 |
2 files changed, 9 insertions, 4 deletions
diff --git a/webkit/glue/webcursor.cc b/webkit/glue/webcursor.cc
index 72ede41..3be9cc2 100644
--- a/webkit/glue/webcursor.cc
+++ b/webkit/glue/webcursor.cc
@@ -88,6 +88,9 @@ bool WebCursor::Deserialize(const Pickle* pickle, void** iter) {
 size_y > kMaxCursorDimension)
 return false;
+ if (type == WebCursorInfo::TypeCustom && (size_x == 0 || size_y == 0))
+ return false;
+
 // The * 4 is because the expected format is an array of RGBA pixel values.
 if (size_x * size_y * 4 > data_len)
 return false;
@@ -168,7 +171,8 @@ void WebCursor::SetCustomData(const WebImage& image) {
 const SkBitmap& bitmap = image.getSkBitmap();
 SkAutoLockPixels bitmap_lock(bitmap);
 custom_data_.resize(bitmap.getSize());
- memcpy(&custom_data_[0], bitmap.getPixels(), bitmap.getSize());
+ if (!custom_data_.empty())
+ memcpy(&custom_data_[0], bitmap.getPixels(), bitmap.getSize());
 custom_size_.set_width(bitmap.width());
 custom_size_.set_height(bitmap.height());
 }
diff --git a/webkit/glue/webcursor_win.cc b/webkit/glue/webcursor_win.cc
index c1d7556..8331c7a 100644
--- a/webkit/glue/webcursor_win.cc
+++ b/webkit/glue/webcursor_win.cc
@@ -158,9 +158,10 @@ HCURSOR WebCursor::GetCursor(HINSTANCE module_handle){
 HDC workingDC = CreateCompatibleDC(dc);
 HBITMAP bitmap_handle = CreateDIBSection(
 dc, &cursor_bitmap_info, DIB_RGB_COLORS, 0, 0, 0);
- SetDIBits(
- 0, bitmap_handle, 0, custom_size_.height(), &custom_data_[0],
- &cursor_bitmap_info, DIB_RGB_COLORS);
+ if (!custom_data_.empty())
+ SetDIBits(
+ 0, bitmap_handle, 0, custom_size_.height(), &custom_data_[0],
+ &cursor_bitmap_info, DIB_RGB_COLORS);
 HBITMAP old_bitmap = reinterpret_cast<HBITMAP>(
 SelectObject(workingDC, bitmap_handle));
 |
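Review bot: The new guard in Deserialize rejects only an exact zero, so if size_x and size_y are signed (their declarations and any lower-bound check sit above the hunk, outside view) a negative dimension still passes both this test and the `> kMaxCursorDimension` upper bound, and `size_x * size_y * 4` can then come out negative or wrap and compare below data_len, letting a short pixel buffer through to the same `&custom_data_[0]` consumers this commit is hardening. Since this value arrives from the renderer over IPC, I would make the check `if (type == WebCursorInfo::TypeCustom && (size_x <= 0 || size_y <= 0))` (or reject negatives for every type just above it) and compute the byte count in an unsigned 64-bit or checked type. If the fields are already unsigned or bounded below earlier in the function this is moot, but the hunk alone cannot show that. Deserialize begins and ends outside the hunk.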
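Review bot: In SetCustomData the guard keys on the destination vector's size rather than on the source, so a non-zero `bitmap.getSize()` with a NULL `bitmap.getPixels()` (possible if a locked bitmap can lack pixel storage — not visible here, so confirm) still reaches memcpy, and `custom_size_` is set from width()/height() regardless, so an empty `custom_data_` can travel with non-zero dimensions into the Windows path. The resize-then-memcpy pair can be replaced by a single assign that handles the empty case without a branch: `const unsigned char* pixels = static_cast<const unsigned char*>(bitmap.getPixels());` and `custom_data_.assign(pixels, pixels + (pixels ? bitmap.getSize() : 0));`. I would also add the comment `// Pixel data is assumed to be 32bpp RGBA, matching the size_x * size_y * 4 check in Deserialize.` above the assign, since a bitmap of another config would make getSize() disagree with what GetCursor later reads.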
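Review bot: `bitmap_handle` from CreateDIBSection is never checked in GetCursor, and for a zero-area cursor the call will most likely fail and return NULL, so the newly guarded SetDIBits is skipped but the NULL handle still flows into SelectObject two lines later; the emptiness test also says nothing about whether `custom_data_.size()` actually covers the `custom_size_.height()` rows SetDIBits is told to read, which only holds if every producer of custom_data_ matches the Deserialize bound. I would fold both into the guard, `if (bitmap_handle && custom_data_.size() >= static_cast<size_t>(custom_size_.width()) * custom_size_.height() * 4)`, and return early (deleting workingDC and releasing dc) when bitmap_handle is NULL rather than continuing with it. This assumes cursor_bitmap_info, set up above the hunk, describes a 32bpp image of custom_size_ — confirm against that setup. GetCursor starts and ends outside the hunk, and one context line of this hunk appears to have been lost in rendering.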