author | mnaganov@chromium.org <mnaganov@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-02-26 19:31:17 +0000 |
committer | mnaganov@chromium.org <mnaganov@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-02-26 19:31:17 +0000 |
commit | 068e9480624cd3842cb3bc73c57421e70cda2dce (patch) | |
tree | 7b90fbb2c93ddb2c28b55efbfe68c20760052d11 /content | |
parent | 06c84460b74ffd5e4250a4c005751956b8a6a12d (diff) | |
Pepper: Use calloc instead of malloc(sizeof * count)
Using calloc is preferred, since 'sizeof * count' can overflow,
resulting in less memory being allocated than expected.
Integer overflow becomes heap buffer overflow. This pattern
is in general readily exploitable.
Review URL: https://codereview.chromium.org/179403004
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@253553 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'content')
-rw-r--r-- | content/renderer/pepper/plugin_object.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/content/renderer/pepper/plugin_object.cc b/content/renderer/pepper/plugin_object.cc
index 55e4c6c..0ec50e5 100644
--- a/content/renderer/pepper/plugin_object.cc
+++ b/content/renderer/pepper/plugin_object.cc
@@ -186,7 +186,7 @@ bool WrapperClass_Enumerate(NPObject* object, NPIdentifier** values,
   if (!result_converter.has_exception()) {
     if (property_count > 0) {
       *values = static_cast<NPIdentifier*>(
-          malloc(sizeof(NPIdentifier) * property_count));
+          calloc(property_count, sizeof(NPIdentifier)));
       *count = 0; // Will be the number of items successfully converted.
       for (uint32_t i = 0; i < property_count; ++i) {
         if (!((*values)[i] = PPVarToNPIdentifier(properties[i]))) { |
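Review bot: The allocation result is still unchecked after the switch to calloc: for a large property_count calloc returns NULL instead of overflowing, and the loop that follows writes `(*values)[i]` through that pointer, so the size-overflow fix leaves a null-dereference path in its place. Add a check right after the assignment, e.g. `if (!*values) return false;` — whether returning false is the correct failure path here, and whether `properties` must be released first, depends on the rest of WrapperClass_Enumerate, whose body starts and ends outside the hunk. A short comment on the calloc line recording the reason, `// calloc checks count * size for overflow; malloc(sizeof * count) does not.`, would keep a later cleanup from reverting to malloc.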