authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-01-08 19:17:54 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2013-01-08 19:17:54 +0000
commit42d87b0bec018634ec81a72d3b265f3138d75e1d (patch)
treea1bfc51c599c6ee27dd6db8d0ac83085f559e044 /ppapi
parent8a4eb9a3075ebdff720bccc40729f47072496e6f (diff)
IPC: defend against excessive number of submenu entries in PPAPI message.
BUG=168710 Review URL: https://codereview.chromium.org/11794037 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@175576 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'ppapi')
-rw-r--r--ppapi/proxy/serialized_flash_menu.cc6
1 files changed, 6 insertions, 0 deletions
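--- a/ppapi/proxy/serialized_flash_menu.cc
+++ b/ppapi/proxy/serialized_flash_menu.cc
@@ -15,6 +15,7 @@ namespace {
 // Maximum depth of submenus allowed (e.g., 1 indicates that submenus are
 // allowed, but not sub-submenus).
 const int kMaxMenuDepth = 2;
+const uint32_t kMaxMenuEntries = 1000;
 bool CheckMenu(int depth, const PP_Flash_Menu* menu);
 void FreeMenu(const PP_Flash_Menu* menu);
@@ -123,6 +124,11 @@ PP_Flash_Menu* ReadMenu(int depth,
 if (menu->count == 0)
 return menu;
+ if (menu->count > kMaxMenuEntries) {
+ FreeMenu(menu);
+ return NULL;
+ }
+
 menu->items = new PP_Flash_MenuItem[menu->count];
 memset(menu->items, 0, sizeof(PP_Flash_MenuItem) * menu->count);
 for (uint32_t i = 0; i < menu->count; ++i) {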
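Review bot: The new constant `kMaxMenuEntries` in the first hunk has no explanatory comment, unlike its neighbour `kMaxMenuDepth`, so the meaning and origin of the 1000 figure are undocumented for the next reader; suggest adding above it `// Maximum number of items accepted for a single (sub)menu read from an IPC message; larger counts are rejected in ReadMenu rather than allocated.` The rejection itself in the second hunk (FreeMenu then return NULL, placed after the count == 0 early return and before the `new PP_Flash_MenuItem[menu->count]`) follows the function's existing early-exit style and stops an untrusted count from driving the allocation directly. Note that the bound is per menu level: with kMaxMenuDepth levels of nesting the aggregate item count is still bounded only by the product of the per-level limits together with whatever message-size cap applies upstream, which is not visible in this diff, so it may be worth stating that assumption in the comment. ReadMenu begins and ends outside the hunk.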