Fix one byte buffer over read in the IE importer code.

BUG=115892
R=kinaba@chromium.org
TEST=Import IE favorites


Review URL: http://codereview.chromium.org/9481004

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@123970 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 8 insertions, 5 deletions

diff --git a/chrome/browser/importer/ie_importer.cc b/chrome/browser/importer/ie_importer.cc
index 58f0b48..d35d09d 100644
--- a/chrome/browser/importer/ie_importer.cc
+++ b/chrome/browser/importer/ie_importer.cc
@@ -98,12 +98,13 @@ LPCITEMIDLIST BinaryReadItemIDList(size_t offset, size_t idlist_size,
                                    const std::vector<uint8>& blob) {
   size_t head = 0;
   while (true) {
-    SHITEMID id;
-    if (head >= idlist_size || !BinaryRead(&id, offset + head, blob))
+    // Use a USHORT instead of SHITEMID to avoid buffer over read.
+    USHORT id_cb;
+    if (head >= idlist_size || !BinaryRead(&id_cb, offset + head, blob))
       return NULL;
-    if (id.cb == 0)
+    if (id_cb == 0)
       break;
-    head += id.cb;
+    head += id_cb;
   }
   return reinterpret_cast<LPCITEMIDLIST>(&blob[offset]);
 }
diff --git a/chrome/browser/importer/ie_importer_unittest_win.cc b/chrome/browser/importer/ie_importer_unittest_win.cc
index 433337a..349e81d 100644
--- a/chrome/browser/importer/ie_importer_unittest_win.cc
+++ b/chrome/browser/importer/ie_importer_unittest_win.cc
@@ -106,7 +106,9 @@ bool CreateOrderBlob(const FilePath& favorites_folder,
     ITEMIDLIST* id_list_full = ILCreateFromPath(
         favorites_folder.Append(path).Append(entries[i]).value().c_str());
     ITEMIDLIST* id_list = ILFindLastID(id_list_full);
-    size_t id_list_size = id_list->mkid.cb + sizeof(id_list->mkid);
+    // Include the trailing zero-length item id.  Don't include the single
+    // element array.
+    size_t id_list_size = id_list->mkid.cb + sizeof(id_list->mkid.cb);
 
     blob.resize(blob.size() + 8);
     uint32 total_size = id_list_size + 8;