author | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-30 02:52:33 +0000 |
---|---|---|
committer | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-30 02:52:33 +0000 |
commit | bec9a2b3b6b96d23a15a475e9a4d2132aee6d2a5 (patch) | |
tree | 1ba469b7d517d8af000ea9b10ad9e64c7a4ca267 /app | |
parent | 063596265708ab88268ae022db133dbff3d1e446 (diff) | |
Add a range of sanity checks to the clipboard object handling. In particular, fix an integer overflow that might be an issue on Linux. Other changes are to avoid OOB reads and calling front() or [] on an empty or insufficiently sized vector.
BUG=31928
TEST=NONE
Review URL: http://codereview.chromium.org/522024
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35362 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'app')
-rw-r--r-- | app/clipboard/clipboard.cc | 27 |
1 files changed, 23 insertions, 4 deletions
diff --git a/app/clipboard/clipboard.cc b/app/clipboard/clipboard.cc
index 9c13010..4103c3a 100644
--- a/app/clipboard/clipboard.cc
+++ b/app/clipboard/clipboard.cc
@@ -11,26 +11,45 @@ namespace {
 // A compromised renderer could send us bad data, so validate it.
 bool IsBitmapSafe(const Clipboard::ObjectMapParams& params) {
+  if (params[1].size() != sizeof(gfx::Size))
+    return false;
   const gfx::Size* size =
       reinterpret_cast<const gfx::Size*>(&(params[1].front()));
-  return params[0].size() ==
-      static_cast<size_t>(size->width() * size->height() * 4);
+  size_t total_size = size->width();
+  // Using INT_MAX not SIZE_T_MAX to put a reasonable bound on things.
+  if (INT_MAX / size->width() <= size->height())
+    return false;
+  total_size *= size->height();
+  if (INT_MAX / total_size <= 4)
+    return false;
+  total_size *= 4;
+  return params[0].size() == total_size;
 }
 } // namespace
 void Clipboard::DispatchObject(ObjectType type, const ObjectMapParams& params) {
+  // All types apart from CBF_WEBKIT need at least 1 non-empty param.
+  if (type != CBF_WEBKIT && (params.empty() || params[0].empty()))
+    return;
+  // Some other types need a non-empty 2nd param.
+  if ((type == CBF_BOOKMARK || type == CBF_BITMAP || type == CBF_DATA) &&
+      (params.size() != 2 || params[1].empty()))
+    return;
   switch (type) {
     case CBF_TEXT:
       WriteText(&(params[0].front()), params[0].size());
       break;
     case CBF_HTML:
-      if (params.size() == 2)
+      if (params.size() == 2) {
+        if (params[1].empty())
+          return;
         WriteHTML(&(params[0].front()), params[0].size(),
                   &(params[1].front()), params[1].size());
-      else
+      } else if (params.size() == 1) {
         WriteHTML(&(params[0].front()), params[0].size(), NULL, 0);
+      }
       break;
     case CBF_BOOKMARK:
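Review bot: The new overflow guard in IsBitmapSafe divides by the renderer-supplied dimensions before checking that they are positive, so a gfx::Size with width 0 (or width nonzero and height 0, which makes total_size 0 at the second division) raises a divide-by-zero in the browser process from exactly the untrusted input the comment above the function says to validate. A negative width is also converted to a huge size_t by `size_t total_size = size->width();` before the bound check runs, which the same guard would remove. Insert, right after the sizeof check, `if (size->width() <= 0 || size->height() <= 0) return false;` so both divisions see positive operands. The DispatchObject guard in this hunk does ensure params[1] is present and non-empty for CBF_BITMAP, but the call site of IsBitmapSafe and the rest of DispatchObject lie outside the hunk, so that ordering should be confirmed there.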