author | lzheng@chromium.org <lzheng@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-10 23:07:23 +0000 |
---|---|---|
committer | lzheng@chromium.org <lzheng@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2011-01-10 23:07:23 +0000 |
commit | a781b07d624b5cd5ea9aab6e3723999810f10cd1 (patch) | |
tree | 2ff179f2d2acf0c3b2f0375a536dea53101ca86c /chrome/browser/safe_browsing | |
parent | dac99e97293d287e451f178f1c8c87f0ec8718f7 (diff) | |
Deal with truncated chunk.
If the chunk is truncated, we should not read data from outside the buffer.
BUG=none
TEST=protocol_parser_unittest.cc
Review URL: http://codereview.chromium.org/6154002
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@70958 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/browser/safe_browsing')
-rw-r--r-- | chrome/browser/safe_browsing/protocol_parser.cc | 12 | ||||
-rw-r--r-- | chrome/browser/safe_browsing/protocol_parser_unittest.cc | 15 |
2 files changed, 21 insertions, 6 deletions
diff --git a/chrome/browser/safe_browsing/protocol_parser.cc b/chrome/browser/safe_browsing/protocol_parser.cc
index 7290376..681253a 100644
--- a/chrome/browser/safe_browsing/protocol_parser.cc
+++ b/chrome/browser/safe_browsing/protocol_parser.cc
@@ -265,6 +265,8 @@ bool SafeBrowsingProtocolParser::ParseChunk(const char* data,
 return false; // Error: bad chunk format!
 const int line_len = static_cast<int>(cmd_line.length()) + 1;
+ chunk_data += line_len;
+ remaining -= line_len;
 std::vector<std::string> cmd_parts;
 base::SplitString(cmd_line, ':', &cmd_parts);
@@ -274,8 +276,6 @@ bool SafeBrowsingProtocolParser::ParseChunk(const char* data,
 cmd_parts[0] == "e" && cmd_parts[1] == "pleaserekey") {
 *re_key = true;
- chunk_data += line_len;
- remaining -= line_len;
 continue;
 }
 return false;
@@ -290,8 +290,9 @@ bool SafeBrowsingProtocolParser::ParseChunk(const char* data,
 }
 const int chunk_len = atoi(cmd_parts[3].c_str());
- chunk_data += line_len;
- remaining -= line_len;
+
+ if (remaining < chunk_len)
+ return false; // parse error.
 chunks->push_back(SBChunk());
 chunks->back().chunk_number = chunk_number;
@@ -313,8 +314,7 @@ bool SafeBrowsingProtocolParser::ParseChunk(const char* data,
 chunk_data += chunk_len;
 remaining -= chunk_len;
- if (remaining < 0)
- return false; // Parse error.
+ DCHECK_LE(0, remaining);
 }
 DCHECK(remaining == 0);
diff --git a/chrome/browser/safe_browsing/protocol_parser_unittest.cc b/chrome/browser/safe_browsing/protocol_parser_unittest.cc
index 3aa5bd1..f32a21c 100644
--- a/chrome/browser/safe_browsing/protocol_parser_unittest.cc
+++ b/chrome/browser/safe_browsing/protocol_parser_unittest.cc
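Review bot: The new bounds check in the third hunk, `if (remaining < chunk_len)`, does not reject a negative `chunk_len`: the value comes from `atoi(cmd_parts[3].c_str())` on data received from the server, and a negative length passes the comparison, after which `chunk_data += chunk_len` in the fourth hunk moves the pointer backwards and `remaining` grows instead of shrinking. Unless the code between these hunks (not visible here) already validates the length, the guard should read `if (chunk_len < 0 || remaining < chunk_len)`. The `DCHECK_LE(0, remaining)` that replaces the runtime check in the fourth hunk is compiled out of release builds, so this guard is the only protection there, and a one-line comment saying so would help the next reader. ParseChunk's body starts and ends outside these hunks.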
@@ -173,6 +173,21 @@ TEST(SafeBrowsingProtocolParsingTest, TestAddBigChunk) {
 EXPECT_EQ(host.entry->prefix_count(), 260);
 }
+// Test to make sure we could deal with truncated chunk.
+TEST(SafeBrowsingProtocolParsingTest, TestTruncatedChunk) {
+ // This chunk delares there are 4 prefixes but actually only contains 2.
+ const char add_chunk[] = "a:1:4:21\naaaa\00411112222";
+ SafeBrowsingProtocolParser parser;
+ bool re_key = false;
+ SBChunkList chunks;
+ bool result = parser.ParseChunk(add_chunk,
+ static_cast<int>(sizeof(add_chunk)),
+ "", "", &re_key, &chunks);
+ EXPECT_FALSE(result);
+ EXPECT_FALSE(re_key);
+ EXPECT_EQ(chunks.size(), 0U);
+}
+
 // Test parsing one sub chunk.
 TEST(SafeBrowsingProtocolParsingTest, TestSubChunk) {
 std::string sub_chunk("s:9:4:59\naaaaxkkkk1111\003" |
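Review bot: The length passed to ParseChunk in TestTruncatedChunk is `sizeof(add_chunk)`, which counts the string literal's terminating NUL, so the parser is handed one byte more than the chunk payload; `static_cast<int>(sizeof(add_chunk) - 1)` would match the data the comment describes. The test still fails as intended because the declared length of 21 exceeds the bytes present either way. The comment has a typo and could state the byte counts, e.g. `// This chunk declares 4 prefixes (21 bytes) but only contains 2.` A companion case whose length field is negative or non-numeric would pin the parser's behaviour for a malformed header as well as a short body.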