Check blockfile size before attempting to read the header.

Reading past the last page of a mmapped file will SIGBUS.

BUG=18174
TEST=truncate Default/Cache/data_* to zero bytes, launch chrome, try to load a website.  It shouldn't crash.

Review URL: http://codereview.chromium.org/164132

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@22781 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 26 insertions, 0 deletions

diff --git a/net/disk_cache/block_files.cc b/net/disk_cache/block_files.cc
index cd7e5cf..0e9eb04 100644
--- a/net/disk_cache/block_files.cc
+++ b/net/disk_cache/block_files.cc
@@ -247,6 +247,12 @@ bool BlockFiles::OpenBlockFile(int index) {
     return false;
   }
 
+  if (file->GetLength() < static_cast<size_t>(kBlockHeaderSize)) {
+    LOG(ERROR) << "File too small " << name;
+    file->Release();
+    return false;
+  }
+
   block_files_[index] = file;
 
   BlockFileHeader* header = reinterpret_cast<BlockFileHeader*>(file->buffer());
diff --git a/net/disk_cache/block_files_unittest.cc b/net/disk_cache/block_files_unittest.cc
index b4ce107..e3ca651 100644
--- a/net/disk_cache/block_files_unittest.cc
+++ b/net/disk_cache/block_files_unittest.cc
@@ -153,3 +153,23 @@ TEST_F(DiskCacheTest, BlockFiles_Recover) {
   EXPECT_EQ(empty_3, header->empty[2]);
   EXPECT_EQ(empty_4, header->empty[3]);
 }
+
+// Handling of truncated files.
+TEST_F(DiskCacheTest, BlockFiles_ZeroSizeFile) {
+  std::wstring path = GetCachePath();
+  ASSERT_TRUE(DeleteCache(path.c_str()));
+  ASSERT_TRUE(file_util::CreateDirectory(path));
+
+  disk_cache::BlockFiles files(path);
+  ASSERT_TRUE(files.Init(true));
+
+  // Truncate one of the files.
+  disk_cache::Addr address;
+  EXPECT_TRUE(files.CreateBlock(disk_cache::RANKINGS, 4, &address));
+  disk_cache::MappedFile* file = files.GetFile(address);
+  file->SetLength(0);
+  files.CloseFiles();
+
+  // Initializing should fail, not crash.
+  ASSERT_FALSE(files.Init(false));
+}