author | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-07-16 03:48:04 +0000 |
committer | cevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2009-07-16 03:48:04 +0000 |
commit | 45b24dab00029be158ee1b98b29eb9a10b01c21b (patch) | |
tree | e23ffebf915d937b769bea050378d9b0c595f74c /webkit/glue | |
parent | cf7b1d3cf192bdef8e6dace8e63cf80fd12ebe9e (diff) | |
Avoid dereferencing uninitialized pointers.
Thanks to "The Mighty Hoppy" for requesting a browser crash investigation.
BUG=NONE
TEST=GlueSerializeTest.BadMessagesTest
TBR=cpu
Review URL: http://codereview.chromium.org/149738
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@20849 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/glue')
-rw-r--r-- | webkit/glue/glue_serialize.cc | 16 | ||||
-rw-r--r-- | webkit/glue/glue_serialize_unittest.cc | 39 |
2 files changed, 49 insertions, 6 deletions
diff --git a/webkit/glue/glue_serialize.cc b/webkit/glue/glue_serialize.cc
index 5db939a..7ec7f81 100644
--- a/webkit/glue/glue_serialize.cc
+++ b/webkit/glue/glue_serialize.cc
@@ -62,7 +62,7 @@ inline void WriteData(const void* data, int length, SerializeObject* obj) {
 
 inline void ReadData(const SerializeObject* obj, const void** data,
                      int* length) {
-  const char* tmp;
+  const char* tmp = NULL;
   obj->pickle.ReadData(&obj->iter, &tmp, length);
   *data = tmp;
 }
@@ -102,9 +102,12 @@ inline void WriteReal(double data, SerializeObject* obj) {
 
 inline double ReadReal(const SerializeObject* obj) {
   const void* tmp;
-  int length;
+  int length = 0;
   ReadData(obj, &tmp, &length);
-  return *static_cast<const double*>(tmp);
+  if (length > 0 && length >= sizeof(0.0))
+    return *static_cast<const double*>(tmp);
+  else
+    return 0.0;
 }
 
 inline void WriteBoolean(bool data, SerializeObject* obj) {
@@ -112,7 +115,7 @@ inline void WriteBoolean(bool data, SerializeObject* obj) {
 }
 
 inline bool ReadBoolean(const SerializeObject* obj) {
-  bool tmp;
+  bool tmp = false;
   obj->pickle.ReadBool(&obj->iter, &tmp);
   return tmp;
 }
@@ -232,9 +235,10 @@ static WebHTTPBody ReadFormData(const SerializeObject* obj) {
     int type = ReadInteger(obj);
     if (type == WebHTTPBody::Element::TypeData) {
       const void* data;
-      int length;
+      int length = -1;
       ReadData(obj, &data, &length);
-      http_body.appendData(WebData(static_cast<const char*>(data), length));
+      if (length >= 0)
+        http_body.appendData(WebData(static_cast<const char*>(data), length));
     } else {
       http_body.appendFile(ReadString(obj));
     }
diff --git a/webkit/glue/glue_serialize_unittest.cc b/webkit/glue/glue_serialize_unittest.cc
index 1e7ab4b..97912f2 100644
--- a/webkit/glue/glue_serialize_unittest.cc
+++ b/webkit/glue/glue_serialize_unittest.cc
@@ -4,6 +4,7 @@
 
 #include <string>
 
+#include "base/pickle.h"
 #include "base/string_util.h"
 #include "testing/gtest/include/gtest/gtest.h"
 #include "webkit/api/public/WebHTTPBody.h"
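Review bot: `ReadData` still discards the result of `obj->pickle.ReadData`, so a failed read is signalled only through whatever sentinel each caller happened to pre-load into `*length` before the call (0 in `ReadReal`, -1 in `ReadFormData`), and `*data` is then set to the now-NULL `tmp`. That contract is implicit and fragile: if `Pickle::ReadData` can write `*length` before reporting failure (I cannot tell from this hunk), the -1 sentinel in `ReadFormData` is not reliable. Making the failure explicit here, `if (!obj->pickle.ReadData(&obj->iter, &tmp, length)) *length = -1;`, plus a comment such as `// On a short or corrupt message *data is NULL and *length is -1.` would let every caller test one documented condition instead of relying on Pickle internals.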
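Review bot: The new guard in `ReadReal`, `length > 0 && length >= sizeof(0.0)`, compares a signed `int` with `size_t`; the `length > 0` half only exists to stop a negative length converting to a huge unsigned value, which is a -Wsign-compare warning waiting to be misread. The return itself still reinterprets the pickle payload as a `double` in place, which is a strict-aliasing/alignment hazard on any platform where the payload is only 4-byte aligned (Pickle's alignment is not visible here, so treat this as something to confirm); copying the bytes out avoids both problems. Rewritten body of the check and return:
```cpp
  ReadData(obj, &tmp, &length);
  // A failed ReadData leaves tmp NULL and length at its sentinel; a short
  // payload must not be dereferenced as a double.
  if (!tmp || length < static_cast<int>(sizeof(double)))
    return 0.0;
  double value;
  memcpy(&value, tmp, sizeof(value));  // payload may not be 8-byte aligned
  return value;
```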
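Review bot: In `ReadFormData` the `if (length >= 0)` guard drops a malformed data element but then keeps going: the enclosing loop (its header is outside this hunk, and its trip count appears to come from the message itself) continues calling `ReadInteger` and `ReadString` on a stream that has already failed, so later elements are parsed from garbage rather than abandoned. Since a failed `ReadData` means the body is corrupt, bailing out is the safer shape: `if (length >= 0) http_body.appendData(WebData(static_cast<const char*>(data), length)); else break;`. Either way the -1 sentinel deserves a comment, e.g. `// ReadData leaves length at -1 when the pickle is truncated or corrupt.`, because nothing else in the function says why -1 was chosen.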
@@ -160,5 +161,43 @@ TEST_F(GlueSerializeTest, HistoryItemSerializeTest) {
   HistoryItemExpectEqual(item, deserialized_item);
 }
 
+// Checks that broken messages don't take out our process.
+TEST_F(GlueSerializeTest, BadMessagesTest) {
+  {
+    Pickle p;
+    // Version 1
+    p.WriteInt(1);
+    // Empty strings.
+    for (int i = 0; i < 6; ++i)
+      p.WriteInt(-1);
+    // Bad real number.
+    p.WriteInt(-1);
+    std::string s(static_cast<const char*>(p.data()), p.size());
+    HistoryItemFromString(s);
+  }
+  {
+    double d = 0;
+    Pickle p;
+    // Version 1
+    p.WriteInt(1);
+    // Empty strings.
+    for (int i = 0; i < 6; ++i)
+      p.WriteInt(-1);
+    // More misc fields.
+    p.WriteData(reinterpret_cast<const char*>(&d), sizeof(d));
+    p.WriteInt(1);
+    p.WriteInt(1);
+    p.WriteInt(0);
+    p.WriteInt(0);
+    p.WriteInt(-1);
+    p.WriteInt(0);
+    // WebForm
+    p.WriteInt(1);
+    p.WriteInt(WebHTTPBody::Element::TypeData);
+    std::string s(static_cast<const char*>(p.data()), p.size());
+    HistoryItemFromString(s);
+  }
+}
+
 } // namespace |
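Review bot: `BadMessagesTest` never exercises the branch the `length >= sizeof(0.0)` check in `ReadReal` was added for: the first case writes a -1 (null) data field and the second writes a full `sizeof(d)` payload, so a short-but-present real, which is exactly the read that would previously have overrun, is untested. A third case writing `p.WriteData(reinterpret_cast<const char*>(&d), 4);` in place of the full double would cover it. The test also asserts nothing about what `HistoryItemFromString` returns for these inputs; if it yields a null or empty item on failure (not visible here), an `EXPECT_` on that result would document the intended behaviour rather than just "did not crash", and the test header comment could say so: `// Truncated or corrupt messages must not crash; a failed parse should yield an empty item.`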