authorcpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-11-14 02:22:36 +0000
committercpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-11-14 02:22:36 +0000
commite1d363c023d08ef59f6828e5124fcc957f1143b5 (patch)
tree16001d6d3fa3cb50e0e8f7074885b933a14d9659 /sandbox/win/src/policy_low_level.cc
parentf1da29a3f857ace298bed2a5e19a174d58916b75 (diff)
Fix memory smashing on the sandbox PolicyRule
PolicyRule copy ctor was not taking into account that the source policy rule could be using some 'constants' memory at the bottom, so adding further opcodes to the new policy rule would overwrite the copied ones. In other words, this pattern PolicyRule pr_orig(ASK_BROKER); pr_orig.AddStringMatch(...); PolicyRule pr_copy(pr_orig); pr_copy.AddStringMatch(...); was broken. This was not impacting the chrome sbox code because we don't mutate the new rule after copy construction. Acknowledgments to Ashutosh Mehra from Adobe Corp for pointing out the bug and providing a test case. BUG=160890 TEST=new unittest added Review URL: https://codereview.chromium.org/11275301 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@167571 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox/win/src/policy_low_level.cc')
-rw-r--r--sandbox/win/src/policy_low_level.cc4
1 files changed, 2 insertions, 2 deletions
diff --git a/sandbox/win/src/policy_low_level.cc b/sandbox/win/src/policy_low_level.cc
index 8431bc0..686caa1 100644
--- a/sandbox/win/src/policy_low_level.cc
+++ b/sandbox/win/src/policy_low_level.cc
@@ -136,9 +136,9 @@ PolicyRule::PolicyRule(const PolicyRule& other) {
memcpy(buffer_, other.buffer_, buffer_size);
char* opcode_buffer = reinterpret_cast<char*>(&buffer_->opcodes[0]);
- char* buffer_end = &opcode_buffer[kRuleBufferSize + sizeof(PolicyOpcode)];
char* next_opcode = &opcode_buffer[GetOpcodeCount() * sizeof(PolicyOpcode)];
- opcode_factory_ = new OpcodeFactory(next_opcode, buffer_end - next_opcode);
+ opcode_factory_ =
+ new OpcodeFactory(next_opcode, other.opcode_factory_->memory_size());
}
// This function get called from a simple state machine implemented in
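Review bot: The new factory size on the `+` lines is only safe if `other.opcode_factory_->memory_size()` is the free span between the last opcode and the constants region, not the factory's original capacity; nothing in the hunk documents or enforces that, so a later change to OpcodeFactory could silently bring the overwrite back, and the copy also trusts `other.opcode_factory_` to be non-null. Since `buffer_size` is still in scope (it is used by the `memcpy` at the top of the hunk), a bound check is cheap: `DCHECK_LE(next_opcode + other.opcode_factory_->memory_size(), reinterpret_cast<char*>(buffer_) + buffer_size);` (assuming base/logging.h is already available to this file, as elsewhere in the sandbox). I would also add, above the assignment, `// The remaining free span of the source rule's factory is between its last opcode and its constants; the copy must reuse exactly that span, not the full rule buffer, or appended opcodes will smash the copied constants.` The copy constructor's signature and the lines before the `memcpy` lie outside the hunk.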