authorsanga@chromium.org <sanga@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-17 16:45:48 +0000
committersanga@chromium.org <sanga@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2011-08-17 16:45:48 +0000
commita88016d19c4e05687cc9b1cf10fda7ef849c3db9 (patch)
tree2387d3694246441c7276e7cd41fd66745b1a16b7 /webkit/plugins
parentcc25dba3d78ec1657aaa5ad9f286ac771b5c9bc4 (diff)
Adding checks to guard against buffer overruns in QuotaFileIO::Write and base::FileUtilProxy::Write
Also made some minor changes to fix lint warnings. There are no tests for base::FileUtilProxy. BUG= http://code.google.com/p/nativeclient/issues/detail?id=2076 TEST= test_shell_tests Review URL: http://codereview.chromium.org/7651002 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97147 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit/plugins')
-rw-r--r--webkit/plugins/ppapi/quota_file_io.cc4
-rw-r--r--webkit/plugins/ppapi/quota_file_io.h1
-rw-r--r--webkit/plugins/ppapi/quota_file_io_unittest.cc12
3 files changed, 17 insertions, 0 deletions
diff --git a/webkit/plugins/ppapi/quota_file_io.cc b/webkit/plugins/ppapi/quota_file_io.cc
index d5af70b..2e628c7 100644
--- a/webkit/plugins/ppapi/quota_file_io.cc
+++ b/webkit/plugins/ppapi/quota_file_io.cc
@@ -4,6 +4,8 @@
#include "webkit/plugins/ppapi/quota_file_io.h"
+#include <algorithm>
+
#include "base/stl_util.h"
#include "base/message_loop_proxy.h"
#include "base/task.h"
@@ -222,6 +224,8 @@ QuotaFileIO::~QuotaFileIO() {
bool QuotaFileIO::Write(
int64_t offset, const char* buffer, int32_t bytes_to_write,
WriteCallback* callback) {
+ if (bytes_to_write <= 0)
+ return false;
WriteOperation* op = new WriteOperation(
this, false, offset, buffer, bytes_to_write, callback);
return RegisterOperationForQuotaChecks(op);
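Review bot: The new early return in `QuotaFileIO::Write` exits before `callback` is handed to a `WriteOperation`, so on this path nothing visible here releases it. If `WriteOperation` normally takes ownership of the raw pointer (its definition is outside the hunk), a caller that allocates the callback inline leaks it on every rejected write, as the added cases in quota_file_io_unittest.cc do with `NewCallback`. Either release it before returning, e.g. `if (bytes_to_write <= 0) { delete callback; return false; }`, or state in the header that the caller keeps ownership when `Write` returns false. The guard also leaves `offset` unchecked, so a negative offset still reaches `WriteOperation`; consider rejecting `offset < 0` in the same condition if no later layer does. The function's closing brace lies outside the hunk.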
diff --git a/webkit/plugins/ppapi/quota_file_io.h b/webkit/plugins/ppapi/quota_file_io.h
index bbd1b36..1ee3188 100644
--- a/webkit/plugins/ppapi/quota_file_io.h
+++ b/webkit/plugins/ppapi/quota_file_io.h
@@ -35,6 +35,7 @@ class QuotaFileIO {
// Performs write or setlength operation with quota checks.
// Returns true when the operation is successfully dispatched.
+ // |bytes_to_write| must be geater than zero.
// |callback| will be dispatched when the operation completes.
// Otherwise it returns false and |callback| will not be dispatched.
// |callback| will not be dispatched either when this instance is
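Review bot: The added comment line misspells "greater" as `geater`. It is also inserted between "Returns true when the operation is successfully dispatched." and the sentence about `|callback|`, so the following "Otherwise it returns false" no longer reads as the counterpart of "Returns true". Suggest placing it after the callback sentences and tying it to the result: `// |bytes_to_write| must be greater than zero; otherwise Write() returns false.` Because the comment opens with "write or setlength operation", it would help to say the constraint applies to Write only, if that is the case. The declarations this comment documents are outside the hunk.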
diff --git a/webkit/plugins/ppapi/quota_file_io_unittest.cc b/webkit/plugins/ppapi/quota_file_io_unittest.cc
index 1e0b360..79a4637 100644
--- a/webkit/plugins/ppapi/quota_file_io_unittest.cc
+++ b/webkit/plugins/ppapi/quota_file_io_unittest.cc
@@ -3,6 +3,8 @@
// found in the LICENSE file.
#include <deque>
+#include <limits>
+#include <string>
#include "base/basictypes.h"
#include "base/memory/scoped_callback_factory.h"
@@ -115,6 +117,16 @@ class QuotaFileIOTest : public PpapiUnittest {
}
void WriteTestBody(bool will_operation) {
+ // Attempt to write zero bytes.
+ EXPECT_FALSE(quota_file_io_->Write(0, "data", 0,
+ callback_factory_.NewCallback(
+ &QuotaFileIOTest::DidWrite)));
+ // Attempt to write negative number of bytes.
+ EXPECT_FALSE(quota_file_io_->Write(0, "data",
+ std::numeric_limits<int32_t>::min(),
+ callback_factory_.NewCallback(
+ &QuotaFileIOTest::DidWrite)));
+
quota_plugin_delegate()->set_available_space(100);
std::string read_buffer;