path: root/webkit/glue/glue_serialize.cc
authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-07-16 03:48:04 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-07-16 03:48:04 +0000
commit45b24dab00029be158ee1b98b29eb9a10b01c21b (patch)
treee23ffebf915d937b769bea050378d9b0c595f74c /webkit/glue/glue_serialize.cc
parentcf7b1d3cf192bdef8e6dace8e63cf80fd12ebe9e (diff)
Avoid dereferencing uninitialized pointers.
Thanks to "The Mighty Hoppy" for requesting a browser crash investigation. BUG=NONE TEST=GlueSerializeTest.BadMessagesTest TBR=cpu Review URL: http://codereview.chromium.org/149738 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20849 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/glue/glue_serialize.cc')
-rw-r--r--webkit/glue/glue_serialize.cc16
1 files changed, 10 insertions, 6 deletions
diff --git a/webkit/glue/glue_serialize.cc b/webkit/glue/glue_serialize.cc
index 5db939a..7ec7f81 100644
--- a/webkit/glue/glue_serialize.cc
+++ b/webkit/glue/glue_serialize.cc
@@ -62,7 +62,7 @@ inline void WriteData(const void* data, int length, SerializeObject* obj) {
inline void ReadData(const SerializeObject* obj, const void** data,
int* length) {
- const char* tmp;
+ const char* tmp = NULL;
obj->pickle.ReadData(&obj->iter, &tmp, length);
*data = tmp;
}
@@ -102,9 +102,12 @@ inline void WriteReal(double data, SerializeObject* obj) {
inline double ReadReal(const SerializeObject* obj) {
const void* tmp;
- int length;
+ int length = 0;
ReadData(obj, &tmp, &length);
- return *static_cast<const double*>(tmp);
+ if (length > 0 && length >= sizeof(0.0))
+ return *static_cast<const double*>(tmp);
+ else
+ return 0.0;
}
inline void WriteBoolean(bool data, SerializeObject* obj) {
@@ -112,7 +115,7 @@ inline void WriteBoolean(bool data, SerializeObject* obj) {
}
inline bool ReadBoolean(const SerializeObject* obj) {
- bool tmp;
+ bool tmp = false;
obj->pickle.ReadBool(&obj->iter, &tmp);
return tmp;
}
@@ -232,9 +235,10 @@ static WebHTTPBody ReadFormData(const SerializeObject* obj) {
int type = ReadInteger(obj);
if (type == WebHTTPBody::Element::TypeData) {
const void* data;
- int length;
+ int length = -1;
ReadData(obj, &data, &length);
- http_body.appendData(WebData(static_cast<const char*>(data), length));
+ if (length >= 0)
+ http_body.appendData(WebData(static_cast<const char*>(data), length));
} else {
http_body.appendFile(ReadString(obj));
}
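Review bot: In the ReadReal hunk the new length guard still reads the pickle bytes through `*static_cast<const double*>(tmp)`, a type-punned dereference at whatever alignment the pickle buffer happens to provide, which is undefined behaviour in C++ and can fault on strict-alignment targets; copying the bytes into a local `double` with `memcpy` removes both the alignment and the aliasing concern. The mixed-sign test `length >= sizeof(0.0)` is only safe because `length > 0` is evaluated first (a negative `length` would otherwise convert to a huge `size_t`), so an explicit cast makes that dependency visible and avoids a -Wsign-compare warning. More generally, every `Pickle::Read*` call in these hunks discards its `bool` result and relies on sentinel initial values (`NULL`, `0`, `-1`, `false`) to detect a failed read; testing the return value directly in ReadData, ReadBoolean and ReadFormData would make the "untrusted input ran out" path explicit rather than implied. The rewrite below assumes `<cstring>` (or `<string.h>`) is already available to this file; add it if not.
```cpp
inline double ReadReal(const SerializeObject* obj) {
  const void* tmp = NULL;
  int length = 0;
  ReadData(obj, &tmp, &length);
  double result = 0.0;
  // Copy instead of casting: the pickle payload is not guaranteed to be
  // aligned for a double, and a failed read is expected to leave tmp NULL.
  if (tmp != NULL && length > 0 &&
      static_cast<size_t>(length) >= sizeof(result))
    memcpy(&result, tmp, sizeof(result));
  return result;
}
```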