diff options
| author | cdn@google.com <cdn@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-02-09 23:11:48 +0000 |
|---|---|---|
| committer | cdn@google.com <cdn@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-02-09 23:11:48 +0000 |
| commit | a7a18c0ab36c4f975c57f5cf70ffd63263efdbd2 (patch) | |
| tree | f1bd5cc0baa0ed3e0eccc6b78d81a5884d1b8b41 | |
| parent | ea2e390b9f7b482195677d31a32e11085ea0f45e (diff) | |
| download | chromium_src-a7a18c0ab36c4f975c57f5cf70ffd63263efdbd2.zip chromium_src-a7a18c0ab36c4f975c57f5cf70ffd63263efdbd2.tar.gz chromium_src-a7a18c0ab36c4f975c57f5cf70ffd63263efdbd2.tar.bz2 | |
Merge 72634 - Check that we've got a complete header before accessing its fields.
This patch was prepared by Evgeniy Stepanov (eugenis@chromium.org) and reviewed
at http://codereview.chromium.org/6353010/
BUG=70376
TEST=none
TBR=darin,willchan
Review URL: http://codereview.chromium.org/6347013
Review URL: http://codereview.chromium.org/6478007
git-svn-id: svn://svn.chromium.org/chrome/branches/648/src@74367 0039d316-1c4b-4281-b951-d872f2087c98
| -rw-r--r-- | base/pickle.cc | 3 | ||||
| -rw-r--r-- | base/pickle.h | 1 | ||||
| -rw-r--r-- | base/pickle_unittest.cc | 11 |
3 files changed, 15 insertions, 0 deletions
diff --git a/base/pickle.cc b/base/pickle.cc index a05df28..e7d5768 100644 --- a/base/pickle.cc +++ b/base/pickle.cc @@ -406,6 +406,9 @@ const char* Pickle::FindNext(size_t header_size, DCHECK(header_size == AlignInt(header_size, sizeof(uint32))); DCHECK(header_size <= static_cast<size_t>(kPayloadUnit)); + if (static_cast<size_t>(end - start) < sizeof(Header)) + return NULL; + const Header* hdr = reinterpret_cast<const Header*>(start); const char* payload_base = start + header_size; const char* payload_end = payload_base + hdr->payload_size; diff --git a/base/pickle.h b/base/pickle.h index bbe5d34..498ce95 100644 --- a/base/pickle.h +++ b/base/pickle.h @@ -236,6 +236,7 @@ class Pickle { FRIEND_TEST_ALL_PREFIXES(PickleTest, Resize); FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNext); + FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNextWithIncompleteHeader); FRIEND_TEST_ALL_PREFIXES(PickleTest, IteratorHasRoom); }; diff --git a/base/pickle_unittest.cc b/base/pickle_unittest.cc index fdc0664..39eaa1b 100644 --- a/base/pickle_unittest.cc +++ b/base/pickle_unittest.cc @@ -171,6 +171,17 @@ TEST(PickleTest, FindNext) { EXPECT_TRUE(end == Pickle::FindNext(pickle.header_size_, start, end + 1)); } +TEST(PickleTest, FindNextWithIncompleteHeader) { + size_t header_size = sizeof(Pickle::Header); + scoped_array<char> buffer(new char[header_size - 1]); + memset(buffer.get(), 0x1, header_size - 1); + + const char* start = buffer.get(); + const char* end = start + header_size - 1; + + EXPECT_TRUE(NULL == Pickle::FindNext(header_size, start, end)); +} + TEST(PickleTest, IteratorHasRoom) { Pickle pickle; EXPECT_TRUE(pickle.WriteInt(1)); |