Fix a couple of integer issues in Pickle deserialization. Neither represent

a significant risk because the code is not directly exposed to user input. In
addition, neither error leads to memory corruption. At worse, there's a C++
exception or abort().

BUG=NONE
TEST=PickleTest.EvilLengths

Review URL: http://codereview.chromium.org/146121

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@19249 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 4 insertions, 1 deletions

diff --git a/base/pickle.cc b/base/pickle.cc
index 5e249c7..c3df8bc 100644
--- a/base/pickle.cc
+++ b/base/pickle.cc
@@ -208,6 +208,9 @@ bool Pickle::ReadWString(void** iter, std::wstring* result) const {
   int len;
   if (!ReadLength(iter, &len))
     return false;
+  // Avoid integer overflow.
+  if (len > INT_MAX / static_cast<int>(sizeof(wchar_t)))
+    return false;
   if (!IteratorHasRoomFor(*iter, len * sizeof(wchar_t)))
     return false;
 
@@ -224,7 +227,7 @@ bool Pickle::ReadString16(void** iter, string16* result) const {
   int len;
   if (!ReadLength(iter, &len))
     return false;
-  if (!IteratorHasRoomFor(*iter, len))
+  if (!IteratorHasRoomFor(*iter, len * sizeof(char16)))
     return false;
 
   char16* chars = reinterpret_cast<char16*>(*iter);