Avoid calling vector resize() with excessive size parameter: fix broken integer overflow checks, or remove resize() calls to simplify non-hot-path cases, or add stronger validations as appropriate.

BUG=31364
TEST=NONE

Review URL: http://codereview.chromium.org/519031

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35414 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 3 insertions, 2 deletions

diff --git a/chrome/common/render_messages.h b/chrome/common/render_messages.h
index 555ebd0..e21c415 100644
--- a/chrome/common/render_messages.h
+++ b/chrome/common/render_messages.h
@@ -861,14 +861,15 @@ struct ParamTraits<webkit_glue::FormFieldValues> {
           ReadParam(m, iter, &p->target_url);
       size_t elements_size = 0;
       result = result && ReadParam(m, iter, &elements_size);
-      p->elements.resize(elements_size);
       for (size_t i = 0; i < elements_size; i++) {
         string16 label, name, type, value;
         result = result && ReadParam(m, iter, &label);
         result = result && ReadParam(m, iter, &name);
         result = result && ReadParam(m, iter, &type);
         result = result && ReadParam(m, iter, &value);
-        p->elements[i] = webkit_glue::FormField(label, name, type, value);
+        if (result)
+          p->elements.push_back(
+            webkit_glue::FormField(label, name, type, value));
       }
       return result;
   }