Verify lfFaceName is NUL terminated in IPC deserializer.

BUG=162066

Review URL: https://chromiumcodereview.appspot.com/11416115

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@168937 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 10 insertions, 7 deletions

diff --git a/ipc/ipc_message_utils.cc b/ipc/ipc_message_utils.cc
index 7dfea83..4cc8494 100644
--- a/ipc/ipc_message_utils.cc
+++ b/ipc/ipc_message_utils.cc
@@ -16,6 +16,8 @@
 
 #if defined(OS_POSIX)
 #include "ipc/file_descriptor_set_posix.h"
+#elif defined(OS_WIN)
+#include <tchar.h>
 #endif
 
 namespace IPC {
@@ -808,15 +810,16 @@ bool ParamTraits<LOGFONT>::Read(const Message* m, PickleIterator* iter,
                                 param_type* r) {
   const char *data;
   int data_size = 0;
-  bool result = m->ReadData(iter, &data, &data_size);
-  if (result && data_size == sizeof(LOGFONT)) {
-    memcpy(r, data, sizeof(LOGFONT));
-  } else {
-    result = false;
-    NOTREACHED();
+  if (m->ReadData(iter, &data, &data_size) && data_size == sizeof(LOGFONT)) {
+    const LOGFONT *font = reinterpret_cast<LOGFONT*>(const_cast<char*>(data));
+    if (_tcsnlen(font->lfFaceName, LF_FACESIZE) < LF_FACESIZE) {
+      memcpy(r, data, sizeof(LOGFONT));
+      return true;
+    }
   }
 
-  return result;
+  NOTREACHED();
+  return false;
 }
 
 void ParamTraits<LOGFONT>::Log(const param_type& p, std::string* l) {