authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-04-28 12:14:19 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-04-28 12:14:19 +0000
commit7965592a1fccad22047238bba22650d9092dbde6 (patch)
tree974eb69076e49f8ab53470d8c2044d3c61037aa2 /chrome/common/common_param_traits.cc
parentb7b03139f328d2e4d0642aa00163e595a9479b09 (diff)
Apply a sanity limit to objects with width & height.
TEST=NONE BUG=NONE Review URL: http://codereview.chromium.org/1582023 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@45797 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome/common/common_param_traits.cc')
-rw-r--r--chrome/common/common_param_traits.cc5
1 files changed, 5 insertions, 0 deletions
diff --git a/chrome/common/common_param_traits.cc b/chrome/common/common_param_traits.cc
index 4995b46..b7f13ed 100644
--- a/chrome/common/common_param_traits.cc
+++ b/chrome/common/common_param_traits.cc
@@ -147,6 +147,9 @@ bool ParamTraits<gfx::Rect>::Read(const Message* m, void** iter, gfx::Rect* r) {
!m->ReadInt(iter, &w) ||
!m->ReadInt(iter, &h))
return false;
+ if (x < 0 || y < 0 || x >= (INT_MAX - w) || y >= (INT_MAX - h) ||
+ w < 0 || h < 0 || h >= ((INT_MAX / 16) / (w ? w : 1)))
+ return false;
r->set_x(x);
r->set_y(y);
r->set_width(w);
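Review bot: In the added condition, `INT_MAX - w` and `INT_MAX - h` are evaluated before `w < 0 || h < 0`, so a message carrying a negative width or height makes the subtraction overflow a signed int, which is undefined behaviour, before the value is rejected. Putting the sign checks first keeps every subtraction in range: `if (x < 0 || y < 0 || w < 0 || h < 0 || x >= (INT_MAX - w) || y >= (INT_MAX - h) ||`. The check also refuses any rect with a negative origin; if senders can legitimately describe off-screen or scrolled rects (not visible from this hunk), those messages will now fail to deserialize, so that choice deserves a comment. The body of `ParamTraits<gfx::Rect>::Read` starts and ends outside the hunk, and whether `<limits.h>` is included for `INT_MAX` cannot be seen here.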
@@ -170,6 +173,8 @@ bool ParamTraits<gfx::Size>::Read(const Message* m, void** iter, gfx::Size* r) {
if (!m->ReadInt(iter, &w) ||
!m->ReadInt(iter, &h))
return false;
+ if (w < 0 || h < 0 || h >= ((INT_MAX / 16) / (w ? w : 1)))
+ return false;
r->set_width(w);
r->set_height(h);
return true;
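Review bot: The area bound `h >= ((INT_MAX / 16) / (w ? w : 1))` is an unexplained magic expression, and it is copied verbatim from the gfx::Rect hunk above. A comment such as `// Keep width * height below INT_MAX / 16 so later per-pixel size arithmetic stays within int.` would state the intent, assuming that is what the factor of 16 is for. Moving the test into one file-local helper shared by both `Read` functions would stop the two copies drifting apart. The bound is also asymmetric for empty sizes: a zero height with a width above `INT_MAX / 16` is rejected, while a zero width with any height below `INT_MAX / 16` is accepted. With `TEST=NONE` in the description, a unit test pinning these boundary values would be worth adding; the function's signature and closing brace lie outside the hunk.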