author | darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-22 04:59:07 +0000 |
committer | darin@chromium.org <darin@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-22 04:59:07 +0000 |
commit | 7d069e6e4067009b7b0549420e0192bac9db9eee (patch) | |
tree | 793062db3acaae5612bd55531e0776f1fed4f91a /mojo | |
parent | 833cac8d5aa4a9a3f526374143a6a875e0245419 (diff) | |
Mojo: fix integer overflow
BUG=355036
R=tsepez@chromium.org
Review URL: https://codereview.chromium.org/208593006
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@258785 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'mojo')
-rw-r--r-- | mojo/public/bindings/lib/fixed_buffer.cc | 7 | ||||
-rw-r--r-- | mojo/public/bindings/tests/buffer_unittest.cc | 20 |
2 files changed, 23 insertions, 4 deletions
diff --git a/mojo/public/bindings/lib/fixed_buffer.cc b/mojo/public/bindings/lib/fixed_buffer.cc
index 6b20dd1..09e3094 100644
--- a/mojo/public/bindings/lib/fixed_buffer.cc
+++ b/mojo/public/bindings/lib/fixed_buffer.cc
@@ -31,11 +31,10 @@ void* FixedBuffer::Allocate(size_t delta, Destructor dtor) {
 delta = internal::Align(delta);
- // TODO(darin): Using <assert.h> is probably not going to cut it.
- assert(delta > 0);
- assert(cursor_ + delta <= size_);
- if (cursor_ + delta > size_)
+ if (delta == 0 || delta > size_ - cursor_) {
+ assert(false);
 return NULL;
+ }
 char* result = ptr_ + cursor_;
 cursor_ += delta;
diff --git a/mojo/public/bindings/tests/buffer_unittest.cc b/mojo/public/bindings/tests/buffer_unittest.cc
index b7d4e15..d2ff91e 100644
--- a/mojo/public/bindings/tests/buffer_unittest.cc
+++ b/mojo/public/bindings/tests/buffer_unittest.cc
@@ -2,6 +2,8 @@
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
+#include <limits>
+
 #include "mojo/public/bindings/buffer.h"
 #include "mojo/public/bindings/lib/bindings_serialization.h"
 #include "mojo/public/bindings/lib/fixed_buffer.h"
@@ -111,6 +113,24 @@ TEST(FixedBufferTest, Leak) {
 free(buf_ptr);
 }
+#ifdef NDEBUG
+TEST(FixedBufferTest, TooBig) {
+ Environment env;
+
+ internal::FixedBuffer buf(24);
+
+ // A little bit too large.
+ EXPECT_EQ(reinterpret_cast<void*>(0), buf.Allocate(32));
+
+ // Move the cursor forward.
+ EXPECT_NE(reinterpret_cast<void*>(0), buf.Allocate(16));
+
+ // A lot too large, leading to possible integer overflow.
+ EXPECT_EQ(reinterpret_cast<void*>(0),
+ buf.Allocate(std::numeric_limits<size_t>::max() - 8u));
+}
+#endif
+
 } // namespace
 } // namespace test
 } // namespace mojo |
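Review bot: The new guard `delta > size_ - cursor_` is only underflow-free if `cursor_ <= size_` holds as a class invariant, and nothing in the hunk says so, which leaves the subtraction looking like a rewrite of the old `cursor_ + delta > size_` rather than the deliberate wrap-proof form it is. Suggest a comment above the `if`: `// cursor_ never exceeds size_, so size_ - cursor_ cannot underflow; compared this way (not cursor_ + delta > size_) so a huge delta cannot wrap past size_.` Also worth noting that `internal::Align(delta)` runs before the check and, if it rounds up by addition (its body is not in the hunk), can itself wrap a delta within a few bytes of SIZE_MAX; in that case the result would be 0 and is caught only by the `delta == 0` branch, so that branch is doing overflow duty as well as rejecting empty requests and should say so. The removed TODO observed that `<assert.h>` is not the right tool here, and the new `assert(false)` keeps that concern open: in debug builds a caller-supplied oversized request aborts instead of returning NULL. The remainder of Allocate's body continues past the end of the hunk.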
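Review bot: The new TooBig test stops short of the input that can actually wrap inside Allocate: `std::numeric_limits<size_t>::max() - 8u` presumably stays representable after `internal::Align` rounds it up, so the `delta == 0` branch that the fix adds is never exercised, nor is a plain zero-length request. Add `EXPECT_EQ(reinterpret_cast<void*>(0), buf.Allocate(std::numeric_limits<size_t>::max()));` and `EXPECT_EQ(reinterpret_cast<void*>(0), buf.Allocate(0));` alongside the existing expectations so both rejection paths are pinned. Since the whole test is under `#ifdef NDEBUG`, a debug test run gives no signal on this path at all; that is inherent to the `assert(false)` in Allocate, but a one-line comment above the `#ifdef` such as `// Allocate() asserts on oversized requests, so this can only run in release builds.` would stop a future reader from deleting the guard. The two leading context lines belong to the Leak test, whose body begins before the hunk.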