Fix the crash in SpdyNetworkTransactionTest.CorruptFrameSessionError.

Instead of changing the frame length to a huge number, which would
require that many bytes of frame data to match, I change the frame
length to a smaller number, so that we won't read beyond the end of
a valid data buffer.

R=mbelshe,willchan
BUG=48588
TEST=net_unittests --gtest_filter=*.CorruptFrameSessionError* should
not crash in memcpy.
Review URL: http://codereview.chromium.org/6286008

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@72880 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 5 insertions, 6 deletions

diff --git a/net/spdy/spdy_network_transaction_unittest.cc b/net/spdy/spdy_network_transaction_unittest.cc
index f7ee96c..02c8d17 100644
--- a/net/spdy/spdy_network_transaction_unittest.cc
+++ b/net/spdy/spdy_network_transaction_unittest.cc
@@ -3262,17 +3262,16 @@ TEST_P(SpdyNetworkTransactionTest, InvalidSynReply) {
 }
 
 // Verify that we don't crash on some corrupt frames.
-// TODO(eroman): Renable this test, see http://crbug.com/48588
-TEST_P(SpdyNetworkTransactionTest, DISABLED_CorruptFrameSessionError) {
-  // This is the length field with a big number
-  scoped_ptr<spdy::SpdyFrame> syn_reply_massive_length(
+TEST_P(SpdyNetworkTransactionTest, CorruptFrameSessionError) {
+  // This is the length field that's too short.
+  scoped_ptr<spdy::SpdyFrame> syn_reply_wrong_length(
       ConstructSpdyGetSynReply(NULL, 0, 1));
-  syn_reply_massive_length->set_length(0x111126);
+  syn_reply_wrong_length->set_length(syn_reply_wrong_length->length() - 4);
 
   struct SynReplyTests {
     const spdy::SpdyFrame* syn_reply;
   } test_cases[] = {
-    { syn_reply_massive_length.get(), },
+    { syn_reply_wrong_length.get(), },
   };
 
   for (size_t i = 0; i < ARRAYSIZE_UNSAFE(test_cases); ++i) {