Mojo: Fix possibly-invalid vector subscripting in RawChannelPosix.

In RawChannelPosix::OnFileCanReadWithoutBlocking()'s call to memmove(),
read_buffer_start may point one past the end of the buffer. This isn't a
"real" problem, since in that case read_buffer_num_valid_bytes_ will be
zero, but it's illegal to subscript a vector with an invalid index and
an assertion fails in Debug builds (an alternate fix would be to replace
&read_buffer_[read_buffer_start] with &read_buffer_[0] +
read_buffer_start).

The bug was exhibited by the flakily-failing
MultiprocessMessagePipeTest.QueueMessages (in Debug builds), so to test
run:

out/Debug/mojo_system_unittests \
    --gtest_filter=MultiprocessMessagePipeTest.QueueMessages \
    --gtest_repeat=-1 --single-process-tests

R=darin@chromium.org
BUG=329622

Review URL: https://codereview.chromium.org/132173003

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@244194 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 4 insertions, 2 deletions

diff --git a/mojo/system/raw_channel_posix.cc b/mojo/system/raw_channel_posix.cc
index 0038afb..fa9d5f2 100644
--- a/mojo/system/raw_channel_posix.cc
+++ b/mojo/system/raw_channel_posix.cc
@@ -296,8 +296,10 @@ void RawChannelPosix::OnFileCanReadWithoutBlocking(int fd) {
 
   // Move data back to start.
   if (read_buffer_start > 0) {
-    memmove(&read_buffer_[0], &read_buffer_[read_buffer_start],
-            read_buffer_num_valid_bytes_);
+    if (read_buffer_num_valid_bytes_ > 0) {
+      memmove(&read_buffer_[0], &read_buffer_[read_buffer_start],
+              read_buffer_num_valid_bytes_);
+    }
     read_buffer_start = 0;
   }
 }