authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-06-26 20:24:31 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-06-26 20:24:31 +0000
commitdca5e3f197c8f9a3fb953e6a58ba1d72339621cc (patch)
tree1fb877285575775c6744310857053abcc1ddca69 /webkit/glue/webcursor.cc
parent806caea6967e8059c2922ec17a4a3a8118d6e292 (diff)
Two fixes:
- Apply limit to cursor dimensions. Turns out that the APIs used on Windows and Linux are integer-overflow resistant to width * height issues. Not sure about Mac, though. - Ensure the renderer passed enough data for the dimensions specified, otherwise we read out of bounds. BUG=none TEST=WebCursorTest.CursorSerialization plus http://www.iconutils.com/faq/web-page-cursor.htm and http://www.hypergurl.com/customcursor.html Review URL: http://codereview.chromium.org/147193 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@19408 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/glue/webcursor.cc')
-rw-r--r--webkit/glue/webcursor.cc15
1 files changed, 13 insertions, 2 deletions
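--- a/webkit/glue/webcursor.cc
+++ b/webkit/glue/webcursor.cc
@@ -12,6 +12,8 @@
 #include "base/logging.h"
 #include "base/pickle.h"
+static const int kMaxCursorDimension = 1024;
+
 WebCursor::WebCursor()
 : type_(WebCore::PlatformCursor::TypePointer) {
 InitPlatformData();
@@ -53,11 +55,20 @@ bool WebCursor::Deserialize(const Pickle* pickle, void** iter) {
 if (!pickle->ReadInt(iter, &type) ||
 !pickle->ReadInt(iter, &hotspot_x) ||
 !pickle->ReadInt(iter, &hotspot_y) ||
- !pickle->ReadInt(iter, &size_x) ||
- !pickle->ReadInt(iter, &size_y) ||
+ !pickle->ReadLength(iter, &size_x) ||
+ !pickle->ReadLength(iter, &size_y) ||
 !pickle->ReadData(iter, &data, &data_len))
 return false;
+ // Ensure the size is sane, and there is enough data.
+ if (size_x > kMaxCursorDimension ||
+ size_y > kMaxCursorDimension)
+ return false;
+
+ // The * 4 is because the expected format is an array of RGBA pixel values.
+ if (size_x * size_y * 4 > data_len)
+ return false;
+
 type_ = type;
 hotspot_.set_x(hotspot_x);
 hotspot_.set_y(hotspot_y);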
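Review bot: The overflow safety of `size_x * size_y * 4` at the bottom of the second hunk rests entirely on the `kMaxCursorDimension` check a few lines above it (1024 * 1024 * 4 = 4194304, comfortably within int), and nothing in either hunk records that coupling, so a later increase of the constant could silently reintroduce the overflow the comparison exists to prevent. I would put `// Cannot overflow: both dimensions were bounded by kMaxCursorDimension above.` on the multiplication and, on the constant in the first hunk, `// Upper bound on cursor width/height accepted from the renderer; also keeps size_x * size_y * 4 within int range.`; a compile-time assertion on that product would make the invariant enforced rather than merely documented. The hunk also leaves `hotspot_x`/`hotspot_y` unchecked against the image dimensions and `type` unchecked against the known cursor types; whether either matters depends on the platform code that consumes them, which is not visible here. Negative dimensions are presumably rejected by `ReadLength`, as its name suggests, but that is worth confirming since the product check relies on it. Deserialize begins before the hunk and its body continues past it.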