author | ericroman@google.com <ericroman@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-06-25 20:55:13 +0000 |
---|---|---|
committer | ericroman@google.com <ericroman@google.com@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-06-25 20:55:13 +0000 |
commit | 6501bc016d78c6d419b89bf991314148e6e4494b (patch) | |
tree | a28808aa513841e96d02093ce4c6c12f8d555705 /net | |
parent | 569a274a7644fc5afb86ec49fef7a2a78b8e1e41 (diff) | |
Add some checks to make sure header_buf_body_offset_ is never used when negative.
BUG=b/1483703
Review URL: http://codereview.chromium.org/132051
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@19284 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net')
-rw-r--r-- | net/http/http_network_transaction.cc | 7 | ||||
-rw-r--r-- | net/http/http_network_transaction.h | 9 |
2 files changed, 10 insertions, 6 deletions
diff --git a/net/http/http_network_transaction.cc b/net/http/http_network_transaction.cc
index c22b21f..a343151 100644
--- a/net/http/http_network_transaction.cc
+++ b/net/http/http_network_transaction.cc
@@ -916,8 +916,9 @@ int HttpNetworkTransaction::DoReadHeadersComplete(int result) {

 int HttpNetworkTransaction::DoReadBody() {
 DCHECK(read_buf_);
- DCHECK(read_buf_len_ > 0);
+ DCHECK_GT(read_buf_len_, 0);
 DCHECK(connection_.is_initialized());
+ DCHECK(!header_buf_->headers() || header_buf_body_offset_ >= 0);

 next_state_ = STATE_READ_BODY_COMPLETE;

@@ -1141,6 +1142,8 @@ void HttpNetworkTransaction::LogBlockedTunnelResponse(
 }

 int HttpNetworkTransaction::DidReadResponseHeaders() {
+ DCHECK_GE(header_buf_body_offset_, 0);
+
 scoped_refptr<HttpResponseHeaders> headers;
 if (has_found_status_line_start()) {
 headers = new HttpResponseHeaders(
@@ -1176,7 +1179,7 @@ int HttpNetworkTransaction::DidReadResponseHeaders() {
 request_headers_->headers_.clear();
 request_headers_bytes_sent_ = 0;
 header_buf_len_ = 0;
- header_buf_body_offset_ = 0;
+ header_buf_body_offset_ = -1;
 establishing_tunnel_ = false;

 return OK;
diff --git a/net/http/http_network_transaction.h b/net/http/http_network_transaction.h
index bdb8e1b..9e6d53f 100644
--- a/net/http/http_network_transaction.h
+++ b/net/http/http_network_transaction.h
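Review bot: The new offset checks in DoReadBody() and at the top of DidReadResponseHeaders() are DCHECKs, which are normally compiled out of release builds, so a negative header_buf_body_offset_ is only caught in debug runs. The last hunk also changes the reset value from 0 to -1, so a release-build path that reaches the offset arithmetic too early would now start from -1 rather than 0. If the offset is used to index into header_buf_ (that code is not visible in these hunks), this would mean touching memory before the buffer. Consider a runtime guard next to the assert, e.g. `if (header_buf_->headers() && header_buf_body_offset_ < 0) return ERR_UNEXPECTED;`, and an upper bound such as `DCHECK_LE(header_buf_body_offset_, header_buf_len_);`. Both function bodies continue outside the hunks.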
@@ -341,10 +341,11 @@ class HttpNetworkTransaction : public HttpTransaction {
 size_t request_headers_bytes_sent_;
 scoped_ptr<UploadDataStream> request_body_stream_;

- // The read buffer may be larger than it is full. The 'capacity' indicates
- // the allocation size of the buffer, and the 'len' indicates how much data
- // is in the buffer already. The 'body offset' indicates the offset of the
- // start of the response body within the read buffer.
+ // The read buffer |header_buf_| may be larger than it is full. The
+ // 'capacity' indicates the allocation size of the buffer, and the 'len'
+ // indicates how much data is in the buffer already. The 'body offset'
+ // indicates the offset of the start of the response body within the read
+ // buffer.
 scoped_refptr<ResponseHeaders> header_buf_;
 int header_buf_capacity_;
 int header_buf_len_; |
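Review bot: The reworded comment still does not say that the 'body offset' can be negative, although this commit resets it to -1 in DidReadResponseHeaders() and asserts `>= 0` before use. I would add a sentence such as `// A body offset of -1 means the end of the headers has not been located yet.`; that meaning is inferred from the new asserts, so please confirm it. The declaration of header_buf_body_offset_ lies below the last line of this hunk, so its type and initial value are not visible here.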