authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-07-16 03:48:04 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-07-16 03:48:04 +0000
commit45b24dab00029be158ee1b98b29eb9a10b01c21b (patch)
treee23ffebf915d937b769bea050378d9b0c595f74c /webkit/glue/glue_serialize_unittest.cc
parentcf7b1d3cf192bdef8e6dace8e63cf80fd12ebe9e (diff)
Avoid dereferencing uninitialized pointers.
Thanks to "The Mighty Hoppy" for requesting a browser crash investigation. BUG=NONE TEST=GlueSerializeTest.BadMessagesTest TBR=cpu Review URL: http://codereview.chromium.org/149738 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20849 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/glue/glue_serialize_unittest.cc')
-rw-r--r--webkit/glue/glue_serialize_unittest.cc39
1 files changed, 39 insertions, 0 deletions
diff --git a/webkit/glue/glue_serialize_unittest.cc b/webkit/glue/glue_serialize_unittest.cc
index 1e7ab4b..97912f2 100644
--- a/webkit/glue/glue_serialize_unittest.cc
+++ b/webkit/glue/glue_serialize_unittest.cc
@@ -4,6 +4,7 @@
#include <string>
+#include "base/pickle.h"
#include "base/string_util.h"
#include "testing/gtest/include/gtest/gtest.h"
#include "webkit/api/public/WebHTTPBody.h"
@@ -160,5 +161,43 @@ TEST_F(GlueSerializeTest, HistoryItemSerializeTest) {
HistoryItemExpectEqual(item, deserialized_item);
}
+// Checks that broken messages don't take out our process.
+TEST_F(GlueSerializeTest, BadMessagesTest) {
+ {
+ Pickle p;
+ // Version 1
+ p.WriteInt(1);
+ // Empty strings.
+ for (int i = 0; i < 6; ++i)
+ p.WriteInt(-1);
+ // Bad real number.
+ p.WriteInt(-1);
+ std::string s(static_cast<const char*>(p.data()), p.size());
+ HistoryItemFromString(s);
+ }
+ {
+ double d = 0;
+ Pickle p;
+ // Version 1
+ p.WriteInt(1);
+ // Empty strings.
+ for (int i = 0; i < 6; ++i)
+ p.WriteInt(-1);
+ // More misc fields.
+ p.WriteData(reinterpret_cast<const char*>(&d), sizeof(d));
+ p.WriteInt(1);
+ p.WriteInt(1);
+ p.WriteInt(0);
+ p.WriteInt(0);
+ p.WriteInt(-1);
+ p.WriteInt(0);
+ // WebForm
+ p.WriteInt(1);
+ p.WriteInt(WebHTTPBody::Element::TypeData);
+ std::string s(static_cast<const char*>(p.data()), p.size());
+ HistoryItemFromString(s);
+ }
+}
+
} // namespace
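Review bot: Both calls to `HistoryItemFromString(s)` in BadMessagesTest discard the return value, so the test passes whenever the process happens to survive. A read through an uninitialized pointer does not fail deterministically outside a memory-checking build, so the regression could return without this test noticing. Capture the result, e.g. `WebHistoryItem item = HistoryItemFromString(s);`, and assert whatever the deserializer is meant to yield for a malformed message (presumably a null or default-valued item; confirm against glue_serialize.cc, which is not visible here). In the second block the run of bare `WriteInt` calls mirrors the version-1 field layout without naming the fields, so a format change could silently stop it reaching the WebForm path. A comment after the `TypeData` write such as `// Message ends here: the element's payload is deliberately missing.` would record which truncation is being exercised.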