author | abarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-30 05:25:17 +0000 |
---|---|---|
committer | abarth@chromium.org <abarth@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-05-30 05:25:17 +0000 |
commit | f0af6a7ccfde1fb8068f89b190337c1a8ef99890 (patch) | |
tree | 15ab1d791684e29cf46e9eb8032abb40faf32746 /chrome | |
parent | b664c3c97b36f6cb1a831641ca1b42e90f259b1b (diff) | |
Enforce a max length for document titles.
R=deanm
BUG=http://crbug.com/12810
TEST=None
Review URL: http://codereview.chromium.org/113969
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@17282 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'chrome')
-rw-r--r-- | chrome/browser/renderer_host/render_view_host.cc | 5 | ||||
-rw-r--r-- | chrome/common/chrome_constants.cc | 2 | ||||
-rw-r--r-- | chrome/common/chrome_constants.h | 4 | ||||
-rw-r--r-- | chrome/renderer/render_view.cc | 10 |
4 files changed, 19 insertions, 2 deletions
diff --git a/chrome/browser/renderer_host/render_view_host.cc b/chrome/browser/renderer_host/render_view_host.cc
index 421615f..826ca6d 100644
--- a/chrome/browser/renderer_host/render_view_host.cc
+++ b/chrome/browser/renderer_host/render_view_host.cc
@@ -34,6 +34,7 @@
 #include "chrome/common/render_messages.h"
 #include "chrome/common/result_codes.h"
 #include "chrome/common/chrome_switches.h"
+#include "chrome/common/chrome_constants.h"
 #include "chrome/common/thumbnail_score.h"
 #include "chrome/common/url_constants.h"
 #include "net/base/net_util.h"
@@ -952,6 +953,10 @@ void RenderViewHost::OnMsgUpdateState(int32 page_id,
 void RenderViewHost::OnMsgUpdateTitle(int32 page_id,
 const std::wstring& title) {
+ if (title.length() > chrome::kMaxTitleChars) {
+ NOTREACHED() << "Renderer sent too many characters in title.";
+ return;
+ }
 delegate_->UpdateTitle(this, page_id, title);
 }
diff --git a/chrome/common/chrome_constants.cc b/chrome/common/chrome_constants.cc
index f15f04a..93d4dc8 100644
--- a/chrome/common/chrome_constants.cc
+++ b/chrome/common/chrome_constants.cc
@@ -82,6 +82,8 @@ const unsigned int kMaxRendererProcessCount = 42;
 const int kStatsMaxThreads = 32;
 const int kStatsMaxCounters = 300;
+const size_t kMaxTitleChars = 4 * 1024;
+
 // We don't enable record mode in the released product because users could
 // potentially be tricked into running a product in record mode without
 // knowing it. Enable in debug builds. Playback mode is allowed always,
diff --git a/chrome/common/chrome_constants.h b/chrome/common/chrome_constants.h
index 8864d56..7d7836f 100644
--- a/chrome/common/chrome_constants.h
+++ b/chrome/common/chrome_constants.h
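Review bot: `NOTREACHED()` in `RenderViewHost::OnMsgUpdateTitle` treats an over-long title as impossible, but this check sits on the browser side of the renderer IPC boundary, where the sender cannot be assumed to have applied the truncation this commit adds in render_view.cc. A misbehaving or compromised renderer can send a longer title, which would trip the assertion in builds where it is active and presumably be dropped without a trace in builds where it is compiled out. I would log instead, e.g. `LOG(WARNING) << "Renderer sent too many characters in title.";`, and add a comment such as `// The renderer truncates titles; a longer one means a misbehaving renderer, so drop it.` The commit lists TEST=None, so a unit test that feeds this handler a title of `chrome::kMaxTitleChars + 1` elements would pin the behaviour.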
@@ -48,6 +48,10 @@ extern const unsigned int kMaxRendererProcessCount;
 extern const int kStatsMaxThreads;
 extern const int kStatsMaxCounters;
+// The maximum number of characters of the document's title that we're willing
+// to send to the browser process.
+extern const size_t kMaxTitleChars;
+
 extern const bool kRecordModeEnabled;
 } // namespace chrome
diff --git a/chrome/renderer/render_view.cc b/chrome/renderer/render_view.cc
index 9e669fd..750b9ba 100644
--- a/chrome/renderer/render_view.cc
+++ b/chrome/renderer/render_view.cc
@@ -23,6 +23,7 @@
 #include "build/build_config.h"
 #include "chrome/common/bindings_policy.h"
 #include "chrome/common/chrome_switches.h"
+#include "chrome/common/chrome_constants.h"
 #include "chrome/common/jstemplate_builder.h"
 #include "chrome/common/page_zoom.h"
 #include "chrome/common/render_messages.h"
@@ -1124,8 +1125,13 @@ void RenderView::UpdateURL(WebFrame* frame) {
 // Tell the embedding application that the title of the active page has changed
 void RenderView::UpdateTitle(WebFrame* frame, const std::wstring& title) {
 // Ignore all but top level navigations...
- if (webview()->GetMainFrame() == frame)
- Send(new ViewHostMsg_UpdateTitle(routing_id_, page_id_, title));
+ if (webview()->GetMainFrame() == frame) {
+ Send(new ViewHostMsg_UpdateTitle(
+ routing_id_,
+ page_id_,
+ title.length() > chrome::kMaxTitleChars ?
+ title.substr(0, chrome::kMaxTitleChars) : title));
+ }
 }
 void RenderView::UpdateEncoding(WebFrame* frame, |
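Review bot: The comment on `kMaxTitleChars` describes only the renderer's side ("willing to send to the browser process"), while render_view_host.cc in this same commit also uses the constant as the browser's receive limit. It also says "characters", although both uses compare against `std::wstring::length()`, which counts wchar_t elements, not user-visible characters. Suggested wording: `// Maximum length, in wchar_t elements, of a document title. The renderer truncates to this before sending and the browser rejects anything longer.`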
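Review bot: The ternary inside the `Send(...)` argument list in `RenderView::UpdateTitle` is unnecessary, because `std::wstring::substr(0, n)` already clamps to the string's length and both arms of the conditional produce a temporary copy anyway. Passing `title.substr(0, chrome::kMaxTitleChars)` alone behaves the same and is easier to read. Separately, cutting at a fixed wchar_t index can split a surrogate pair on platforms where wchar_t is 16 bits, leaving an unpaired surrogate at the end of the title sent to the browser. It is worth confirming that the code consuming the title tolerates that, or backing off by one element when the cut lands inside a pair.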