author | halyavin@google.com <halyavin@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-01 09:06:26 +0000 |
---|---|---|
committer | halyavin@google.com <halyavin@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2013-11-01 09:06:26 +0000 |
commit | 33a38dd309c35affc5395755473666b2fe7519db (patch) | |
tree | 9c0d08d300cd374b3007eb3f19f4b347603d7dc2 /base/pickle_unittest.cc | |
parent | 0cf88daeb27c7331c07f52fe916eb4f157689113 (diff) | |
Avoid undefined behaviour in Pickle::FindNext.
TEST=base_unittests --gtest_filter=PickleTest.*
BUG=312250
R=jar@chromium.org
Review URL: https://codereview.chromium.org/50473002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@232315 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'base/pickle_unittest.cc')
-rw-r--r-- | base/pickle_unittest.cc | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/base/pickle_unittest.cc b/base/pickle_unittest.cc
index 9dd0091..2bd45ac 100644
--- a/base/pickle_unittest.cc
+++ b/base/pickle_unittest.cc
@@ -182,6 +182,30 @@ TEST(PickleTest, FindNextWithIncompleteHeader) {
 EXPECT_TRUE(NULL == Pickle::FindNext(header_size, start, end));
 }

+TEST(PickleTest, FindNextOverflow) {
+ size_t header_size = sizeof(Pickle::Header);
+ size_t header_size2 = 2 * header_size;
+ size_t payload_received = 100;
+ scoped_ptr<char[]> buffer(new char[header_size2 + payload_received]);
+ const char* start = buffer.get();
+ Pickle::Header* header = reinterpret_cast<Pickle::Header*>(buffer.get());
+ const char* end = start + header_size2 + payload_received;
+ // It is impossible to construct an overflow test otherwise.
+ if (sizeof(size_t) > sizeof(header->payload_size) ||
+ sizeof(uintptr_t) > sizeof(header->payload_size))
+ return;
+
+ header->payload_size = -(reinterpret_cast<uintptr_t>(start) + header_size2);
+ EXPECT_TRUE(NULL == Pickle::FindNext(header_size2, start, end));
+
+ header->payload_size = -header_size2;
+ EXPECT_TRUE(NULL == Pickle::FindNext(header_size2, start, end));
+
+ header->payload_size = 0;
+ end = start + header_size;
+ EXPECT_TRUE(NULL == Pickle::FindNext(header_size2, start, end));
+}
+
 TEST(PickleTest, GetReadPointerAndAdvance) {
 Pickle pickle; |
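Review bot: The early `return` in FindNextOverflow makes the test report success without executing a single expectation on any build where `size_t` or `uintptr_t` is wider than `header->payload_size`, which presumably includes 64-bit targets. There the regression test for this length-handling fix gives no coverage, and the test log does not show that it was skipped. The third case (`payload_size = 0` with `end = start + header_size`) involves no wrap-around, so it could move above the guard and run on every platform. A platform-independent case could also sit above the guard: set `payload_size` to its maximum value and expect `NULL == Pickle::FindNext(header_size2, start, end)`, since only 100 payload bytes are in the buffer. The guard's comment would be clearer if it gave the reason, for example `// The wrapped values below need payload_size to be as wide as a pointer; skip the wrap-around cases otherwise.`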