authorsanga@chromium.org <sanga@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-17 16:16:27 +0000
committersanga@chromium.org <sanga@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-17 16:16:27 +0000
commit3d6293a1bba2afffdaee2c2733d526547e013217 (patch)
tree71842f41b2b7eff605f8ece6665b34feb9120c6c
parent8573b3339aa26a4083a7d30abc8953ee5fbb0daf (diff)
Adding guards against heap overflow in PPB_FileIO::Read
BUG= http://code.google.com/p/chromium/issues/detail?id=92750 TEST= none at this time. FileIO tests are turned off for ui_tests. Review URL: http://codereview.chromium.org/7655009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97141 0039d316-1c4b-4281-b951-d872f2087c98
-rw-r--r--base/file_util_proxy.cc2
-rw-r--r--ppapi/tests/test_file_io.cc10
2 files changed, 11 insertions, 1 deletions
diff --git a/base/file_util_proxy.cc b/base/file_util_proxy.cc
index a192cbf..2d5125f 100644
--- a/base/file_util_proxy.cc
+++ b/base/file_util_proxy.cc
@@ -854,6 +854,8 @@ bool FileUtilProxy::Read(
int64 offset,
int bytes_to_read,
ReadCallback* callback) {
+ if (bytes_to_read < 0)
+ return false;
return Start(FROM_HERE, message_loop_proxy,
new RelayRead(file, offset, bytes_to_read, callback));
}
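Review bot: The early `return false` added at the top of FileUtilProxy::Read never touches `callback`, and nothing in the hunk says who releases it or notifies the caller on that path. The normal path hands the pointer to `new RelayRead(file, offset, bytes_to_read, callback)`, so if callers treat Read as taking ownership, a rejected call may leak the callback or leave a caller waiting for a completion that never arrives; this needs checking against the callers, which are not visible here. A comment on the guard would record the contract, for example `// A negative size must never reach RelayRead; callback is not run on this path.` The guard also rejects only negative values, so a very large positive `bytes_to_read` still reaches RelayRead unchecked, and an upper bound may be worth adding if the buffer is sized from it. The function's signature begins outside the hunk.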
diff --git a/ppapi/tests/test_file_io.cc b/ppapi/tests/test_file_io.cc
index 160951e..ed77669 100644
--- a/ppapi/tests/test_file_io.cc
+++ b/ppapi/tests/test_file_io.cc
@@ -4,7 +4,6 @@
#include "ppapi/tests/test_file_io.h"
-#include <stdio.h>
#include <string.h>
#include "base/memory/scoped_ptr.h"
@@ -257,6 +256,15 @@ std::string TestFileIO::TestReadWriteSetLength() {
if (rv != PP_OK)
return ReportError("FileIO::Write", rv);
+ // Check for failing read operation.
+ char buf[256];
+ rv = file_io.Read(0, buf, -1, // negative number of bytes to read
+ callback);
+ if (rv == PP_OK_COMPLETIONPENDING)
+ rv = callback.WaitForResult();
+ if (rv != PP_ERROR_FAILED)
+ return ReportError("FileIO::Read", rv);
+
// Read the entire file.
std::string read_buffer;
rv = ReadEntireFile(instance_->pp_instance(), &file_io, 0, &read_buffer);
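Review bot: The new negative-count check reports a regression under the same label, `"FileIO::Read"`, that an ordinary read failure would use, and if the read is wrongly accepted `rv` will hold a success value, so the reported error will be hard to interpret. A distinct label such as `return ReportError("FileIO::Read accepted negative bytes_to_read", rv);` would make a regression of the guard obvious. Only `-1` is exercised; adding a second call with the most negative `int32_t` would cover the other end of the rejected range. The commit message says the FileIO tests are turned off for ui_tests, so a unit test that calls FileUtilProxy::Read directly would give the guard coverage that actually runs. TestReadWriteSetLength starts and ends outside the hunk.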