author | evan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-28 20:58:53 +0000 |
---|---|---|
committer | evan@chromium.org <evan@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-12-28 20:58:53 +0000 |
commit | c3df2b248dabeec03a9a208a703cd5509ce1e40c (patch) | |
tree | 818b0120299e63d2ff117ead3e691654a679537c /chrome | |
parent | e4fb84ce23c47855852f84a7d7d4040abf71d61f (diff) | |
plugins: limit maximum window size
Even if plugins will crash when they are too large, we should try to
have the renderer stay up.
BUG=28606
Review URL: http://codereview.chromium.org/515043
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35309 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome')
-rw-r--r-- | chrome/renderer/webplugin_delegate_proxy.cc | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/chrome/renderer/webplugin_delegate_proxy.cc b/chrome/renderer/webplugin_delegate_proxy.cc index f459b51..869350a 100644 --- a/chrome/renderer/webplugin_delegate_proxy.cc +++ b/chrome/renderer/webplugin_delegate_proxy.cc @@ -411,6 +411,16 @@ void WebPluginDelegateProxy::OnChannelError() { void WebPluginDelegateProxy::UpdateGeometry(const gfx::Rect& window_rect, const gfx::Rect& clip_rect) { + // window_rect becomes either a window in native windowing system + // coords, or a backing buffer. In either case things will go bad + // if the rectangle is very large. + if (window_rect.width() < 0 || window_rect.width() > (1<<15) || + window_rect.height() < 0 || window_rect.height() > (1<<15) || + // Clip to 8m pixels; we know this won't overflow due to above checks. + window_rect.width() * window_rect.height() > (8<<20)) { + return; + } + plugin_rect_ = window_rect; bool bitmaps_changed = false; |
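Review bot: the early `return;` in UpdateGeometry() sits before `plugin_rect_ = window_rect;`, so a rejected rectangle is dropped silently: the proxy keeps its previous geometry and nothing records that a page asked for an out-of-range size. Consider logging the rejected dimensions at that point so the condition can be diagnosed from a renderer log. Only `window_rect` is range-checked; `clip_rect` arrives in the same call and is not, so it is worth confirming that nothing after this check sizes a window or buffer from `clip_rect` on its own. The limits `(1<<15)` and `(8<<20)` would read better as named constants with the reasoning attached to them. The overflow comment holds as written: with both dimensions at most 1<<15 the product is at most 1<<30, which fits in a signed 32-bit int.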