diff options
| author | jschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-05 12:55:45 +0000 |
|---|---|---|
| committer | jschuh@chromium.org <jschuh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-03-05 12:55:45 +0000 |
| commit | 26f567588867461003cca6de89a292ef8e8a5d4d (patch) | |
| tree | ba1612ce031181fd1b7e88c463d9fd8ef32a92b0 /sandbox | |
| parent | 47a723ff2c31c383c145d870d322817a8f690e77 (diff) | |
| download | chromium_src-26f567588867461003cca6de89a292ef8e8a5d4d.zip chromium_src-26f567588867461003cca6de89a292ef8e8a5d4d.tar.gz chromium_src-26f567588867461003cca6de89a292ef8e8a5d4d.tar.bz2 | |
Correctly bounds check FileNameLength in IsSupportedRenameCall
BUG=348910
R=rvargas@chromium.org
Review URL: https://codereview.chromium.org/183893024
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@255026 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox')
| -rw-r--r-- | sandbox/win/src/sandbox_nt_util.cc | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/sandbox/win/src/sandbox_nt_util.cc b/sandbox/win/src/sandbox_nt_util.cc index 613d485..ed1d908 100644 --- a/sandbox/win/src/sandbox_nt_util.cc +++ b/sandbox/win/src/sandbox_nt_util.cc @@ -525,14 +525,17 @@ bool IsSupportedRenameCall(FILE_RENAME_INFORMATION* file_info, DWORD length, if (file_info->RootDirectory) return false; + static const wchar_t kPathPrefix[] = { L'\\', L'?', L'?', L'\\'}; + // Check if it starts with \\??\\. We don't support relative paths. - if (file_info->FileNameLength < 4 || file_info->FileNameLength > kuint16max) + if (file_info->FileNameLength < sizeof(kPathPrefix) || + file_info->FileNameLength > kuint16max) return false; - if (file_info->FileName[0] != L'\\' || - file_info->FileName[1] != L'?' || - file_info->FileName[2] != L'?' || - file_info->FileName[3] != L'\\') + if (file_info->FileName[0] != kPathPrefix[0] || + file_info->FileName[1] != kPathPrefix[1] || + file_info->FileName[2] != kPathPrefix[2] || + file_info->FileName[3] != kPathPrefix[3]) return false; return true; |