authorajwong@chromium.org <ajwong@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-25 15:36:53 +0000
committerajwong@chromium.org <ajwong@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-08-25 15:36:53 +0000
commit60c96bfe3ea62d3f7bec5a6b9a1b593f5fe1c6a8 (patch)
tree8faa7066f5851b072ff6d7775e33d3008d3273c7 /content/child
parent4c58d780c6f0275226efa6b91cc36b4e735d22cd (diff)
Fix size_t underflow in length calculation for SiteIsolationPolicy class.
TBR=creis BUG=278892 Review URL: https://chromiumcodereview.appspot.com/22867048 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@219479 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content/child')
-rw-r--r--content/child/site_isolation_policy.cc26
-rw-r--r--content/child/site_isolation_policy_unittest.cc14
2 files changed, 26 insertions, 14 deletions
diff --git a/content/child/site_isolation_policy.cc b/content/child/site_isolation_policy.cc
index 20f0903..91eb158 100644
--- a/content/child/site_isolation_policy.cc
+++ b/content/child/site_isolation_policy.cc
@@ -8,6 +8,7 @@
#include "base/command_line.h"
#include "base/logging.h"
#include "base/metrics/histogram.h"
+#include "base/strings/string_piece.h"
#include "base/strings/string_util.h"
#include "content/public/common/content_switches.h"
#include "net/base/registry_controlled_domains/registry_controlled_domain.h"
@@ -414,19 +415,21 @@ bool SiteIsolationPolicy::SniffForHTML(const char* data, size_t length) {
// "<!--" is specially treated since web JS can use "<!--" "-->" pair for
// comments.
- const char* comment_begins[] = {"<!--" };
+ static const char* comment_begins[] = {"<!--"};
if (MatchesSignature(
data, length, comment_begins, arraysize(comment_begins))) {
// Search for --> and do SniffForHTML after that. If we can find the
// comment's end, we start HTML sniffing from there again.
- const char end_comment[] = "-->";
- const size_t end_comment_size = strlen(end_comment);
-
- for (size_t i = 0; i <= length - end_comment_size; ++i) {
- if (!strncmp(data + i, end_comment, end_comment_size)) {
- size_t skipped = i + end_comment_size;
- return SniffForHTML(data + skipped, length - skipped);
+ static const char end_comment[] = "-->";
+ base::StringPiece data_as_stringpiece(data, length);
+
+ size_t offset = data_as_stringpiece.find(end_comment);
+ if (offset != base::StringPiece::npos) {
+ size_t new_start_offset = offset + strlen(end_comment);
+ if (new_start_offset < length) {
+ return SniffForHTML(data + new_start_offset,
+ length - new_start_offset);
}
}
}
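Review bot: `static const char* comment_begins[]` on the first changed line makes the array's pointers mutable statics even though the literals are never reassigned; `static const char* const comment_begins[] = {"<!--"};` keeps the whole table in read-only storage and matches the `static const char end_comment[]` declared a few lines below. In the same hunk `strlen(end_comment)` is recomputed on every call for a literal whose size is fixed at compile time; `size_t new_start_offset = offset + arraysize(end_comment) - 1;` expresses the same length statically with the helper the function already uses for `comment_begins`. The `new_start_offset < length` guard is what actually closes the underflow, so a short comment above it such as `// Never recurse with a zero or wrapped-around length (BUG=278892).` would stop a later edit from reintroducing the `length - n` loop bound. SniffForHTML starts before and ends after this hunk.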
@@ -539,11 +542,8 @@ bool SiteIsolationPolicy::SniffForJS(const char* data, size_t length) {
// gathered.
// Search for "var " for JS detection.
- for (size_t i = 0; i < length - 3; ++i) {
- if (strncmp(data + i, "var ", 4) == 0)
- return true;
- }
- return false;
+ return base::StringPiece(data, length).find("var ") !=
+ base::StringPiece::npos;
}
SiteIsolationPolicy::RequestIdToMetaDataMap*
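Review bot: The replacement `return base::StringPiece(data, length).find("var ") != base::StringPiece::npos;` leaves no trace of why the search is written through a bounded view; a reader could later rewrite it as a loop over `length - 3`, which is exactly the underflow this commit removes for buffers shorter than four bytes. Suggest a one-line comment above the return: `// Bounded by |length|; a manual loop here underflowed for length < 4 (BUG=278892).`. SniffForJS's signature is visible only in the hunk header and its earlier statements lie outside the hunk.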
diff --git a/content/child/site_isolation_policy_unittest.cc b/content/child/site_isolation_policy_unittest.cc
index 15740d3..2a92ba4 100644
--- a/content/child/site_isolation_policy_unittest.cc
+++ b/content/child/site_isolation_policy_unittest.cc
@@ -9,7 +9,6 @@
#include "third_party/WebKit/public/platform/WebURLResponse.h"
#include "ui/base/range/range.h"
-
namespace content {
TEST(SiteIsolationPolicyTest, IsBlockableScheme) {
@@ -89,6 +88,9 @@ TEST(SiteIsolationPolicyTest, SniffForHTML) {
arraysize(non_html_data)));
EXPECT_FALSE(SiteIsolationPolicy::SniffForHTML(comment_js_data,
arraysize(comment_js_data)));
+
+ // Basic bounds check.
+ EXPECT_FALSE(SiteIsolationPolicy::SniffForHTML(html_data, 0));
}
TEST(SiteIsolationPolicyTest, SniffForXML) {
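Review bot: `EXPECT_FALSE(SiteIsolationPolicy::SniffForHTML(html_data, 0))` probably does not reach the code this commit fixes: with `length == 0` the signature match presumably rejects the buffer before the comment-skipping branch, while the removed loop underflowed only for `1 <= length < 3` after a `<!--` prefix had matched. The buffer that already takes that path in the assertion two lines above is `comment_js_data`, so a short non-zero length on it pins the fix: `EXPECT_FALSE(SiteIsolationPolicy::SniffForHTML(comment_js_data, 2));`, assuming (not visible here) that a two-byte prefix matches no signature. The zero-length check can stay as a smoke test alongside it.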
@@ -98,6 +100,9 @@ TEST(SiteIsolationPolicyTest, SniffForXML) {
EXPECT_TRUE(SiteIsolationPolicy::SniffForXML(xml_data, arraysize(xml_data)));
EXPECT_FALSE(
SiteIsolationPolicy::SniffForXML(non_xml_data, arraysize(non_xml_data)));
+
+ // Basic bounds check.
+ EXPECT_FALSE(SiteIsolationPolicy::SniffForXML(xml_data, 0));
}
TEST(SiteIsolationPolicyTest, SniffForJSON) {
@@ -111,15 +116,22 @@ TEST(SiteIsolationPolicyTest, SniffForJSON) {
arraysize(non_json_data0)));
EXPECT_FALSE(SiteIsolationPolicy::SniffForJSON(non_json_data1,
arraysize(non_json_data1)));
+
+ // Basic bounds check.
+ EXPECT_FALSE(SiteIsolationPolicy::SniffForJSON(json_data, 0));
}
TEST(SiteIsolationPolicyTest, SniffForJS) {
+ const char basic_js_data[] = "var a = 4";
const char js_data[] = "\t\t\r\n var a = 4";
const char json_data[] = "\t\t\r\n { \"name\" : \"chrome\", ";
EXPECT_TRUE(SiteIsolationPolicy::SniffForJS(js_data, arraysize(js_data)));
EXPECT_FALSE(
SiteIsolationPolicy::SniffForJS(json_data, arraysize(json_data)));
+
+ // Basic bounds check.
+ EXPECT_FALSE(SiteIsolationPolicy::SniffForJS(basic_js_data, 0));
}
} // namespace content
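Review bot: `basic_js_data` is introduced in the SniffForJS test only to be passed with length 0, which never enters the search at all; the same buffer can also pin both behaviours the new `StringPiece::find` line must preserve: `EXPECT_TRUE(SiteIsolationPolicy::SniffForJS(basic_js_data, arraysize(basic_js_data)));` (a `var ` at offset 0, which the old `i < length - 3` loop did cover) and `EXPECT_FALSE(SiteIsolationPolicy::SniffForJS(basic_js_data, 2));` (a length below 3, where the old loop's bound wrapped around). The JSON bounds check earlier in this hunk targets SniffForJSON, whose implementation is not touched by this diff, so it is a smoke test rather than a regression test for the fix.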