Fix an out of band read when parsing a URL component of just "%". The calculation of max_digit_index is unsigned, and was underflowing when max was less than 2.

BUG=122

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@1677 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 2 insertions, 3 deletions

diff --git a/net/base/escape.cc b/net/base/escape.cc
index 9f330c6..87174e1 100644
--- a/net/base/escape.cc
+++ b/net/base/escape.cc
@@ -113,9 +113,8 @@ std::string UnescapeURLImpl(const std::string& escaped_text,
   std::string result;
   result.reserve(escaped_text.length());
 
-  for (size_t i = 0, max = escaped_text.size(), max_digit_index = max - 2;
-       i < max; ++i) {
-    if (escaped_text[i] == '%' && i < max_digit_index) {
+  for (size_t i = 0, max = escaped_text.size(); i < max; ++i) {
+    if (escaped_text[i] == '%' && i + 2 < max) {
       const std::string::value_type most_sig_digit(escaped_text[i + 1]);
       const std::string::value_type least_sig_digit(escaped_text[i + 2]);
       if (IsHex(most_sig_digit) && IsHex(least_sig_digit)) {