Added bounds checks to the URLLoader prefetch buffer threshhold.

BUG=89842
TEST=./ui_tests --gtest_filter=PPAPITest.URLLoader*PrefetchBufferThreshold


Review URL: http://codereview.chromium.org/9139076

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@117970 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 8 insertions, 1 deletions

diff --git a/webkit/plugins/ppapi/ppb_url_request_info_impl.cc b/webkit/plugins/ppapi/ppb_url_request_info_impl.cc
index dcea987..78a38f9 100644
--- a/webkit/plugins/ppapi/ppb_url_request_info_impl.cc
+++ b/webkit/plugins/ppapi/ppb_url_request_info_impl.cc
@@ -1,4 +1,4 @@
-// Copyright (c) 2011 The Chromium Authors. All rights reserved.
+// Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
@@ -131,6 +131,13 @@ bool PPB_URLRequestInfo_Impl::RequiresUniversalAccess() const {
 }
 
 bool PPB_URLRequestInfo_Impl::ValidateData() {
+  if (data().prefetch_buffer_lower_threshold < 0 ||
+      data().prefetch_buffer_upper_threshold < 0 ||
+      data().prefetch_buffer_upper_threshold <=
+      data().prefetch_buffer_lower_threshold) {
+    return false;
+  }
+
   // Get the Resource objects for any file refs with only host resource (this
   // is the state of the request as it comes off IPC).
   for (size_t i = 0; i < data().body.size(); ++i) {