authorcevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-06-26 20:24:31 +0000
committercevans@chromium.org <cevans@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2009-06-26 20:24:31 +0000
commitdca5e3f197c8f9a3fb953e6a58ba1d72339621cc (patch)
tree1fb877285575775c6744310857053abcc1ddca69 /webkit
parent806caea6967e8059c2922ec17a4a3a8118d6e292 (diff)
Two fixes:
- Apply limit to cursor dimensions. Turns out that the APIs used on Windows and Linux are integer-overflow resistant to width * height issues. Not sure about Mac, though. - Ensure the renderer passed enough data for the dimensions specified, otherwise we read out of bounds. BUG=none TEST=WebCursorTest.CursorSerialization plus http://www.iconutils.com/faq/web-page-cursor.htm and http://www.hypergurl.com/customcursor.html Review URL: http://codereview.chromium.org/147193 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@19408 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
-rw-r--r--webkit/glue/webcursor.cc15
-rw-r--r--webkit/glue/webcursor_unittest.cc82
-rw-r--r--webkit/tools/test_shell/test_shell.gyp1
3 files changed, 96 insertions, 2 deletions
diff --git a/webkit/glue/webcursor.cc b/webkit/glue/webcursor.cc
index 39d6598..4fe5ce1 100644
--- a/webkit/glue/webcursor.cc
+++ b/webkit/glue/webcursor.cc
@@ -12,6 +12,8 @@
#include "base/logging.h"
#include "base/pickle.h"
+static const int kMaxCursorDimension = 1024;
+
WebCursor::WebCursor()
: type_(WebCore::PlatformCursor::TypePointer) {
InitPlatformData();
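Review bot: The new kMaxCursorDimension constant has no comment saying what it bounds or why 1024 was chosen, even though the commit message explains that the cap is what keeps the width * height arithmetic safe on platforms whose overflow behaviour is unknown. I'd document it at the definition: `// Upper bound on each custom-cursor dimension accepted from the renderer;` followed by `// keeps size_x * size_y * 4 (RGBA bytes) far inside int range on every platform.` The WebCursor constructor body continues outside the hunk.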
@@ -53,11 +55,20 @@ bool WebCursor::Deserialize(const Pickle* pickle, void** iter) {
if (!pickle->ReadInt(iter, &type) ||
!pickle->ReadInt(iter, &hotspot_x) ||
!pickle->ReadInt(iter, &hotspot_y) ||
- !pickle->ReadInt(iter, &size_x) ||
- !pickle->ReadInt(iter, &size_y) ||
+ !pickle->ReadLength(iter, &size_x) ||
+ !pickle->ReadLength(iter, &size_y) ||
!pickle->ReadData(iter, &data, &data_len))
return false;
+ // Ensure the size is sane, and there is enough data.
+ if (size_x > kMaxCursorDimension ||
+ size_y > kMaxCursorDimension)
+ return false;
+
+ // The * 4 is because the expected format is an array of RGBA pixel values.
+ if (size_x * size_y * 4 > data_len)
+ return false;
+
type_ = type;
hotspot_.set_x(hotspot_x);
hotspot_.set_y(hotspot_y);
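Review bot: hotspot_x and hotspot_y are still accepted from the pickle unchecked while the dimensions now are, so a negative hotspot or one outside the image reaches hotspot_.set_x/set_y on the last lines of the hunk and whatever platform code later builds the cursor; that consumer is outside this hunk, so I cannot confirm it tolerates out-of-range values. A guard next to the new size check would close it, e.g. `if (hotspot_x < 0 || hotspot_y < 0 || hotspot_x >= size_x || hotspot_y >= size_y) return false;`, gated on the custom cursor type (whose enum value I cannot see here), since a non-custom cursor with a zero-size image and zero hotspot would otherwise trip the `>=` comparison. Separately, `size_x * size_y * 4` is only overflow-free because of the cap two lines above it, and the comment should say so: `// Both dimensions are <= kMaxCursorDimension, so this product cannot overflow int.` ReadLength is presumably what rejects the negative sizes the unit test sends; a short comment noting that would make the dependency explicit. Deserialize begins and ends outside the hunk.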
diff --git a/webkit/glue/webcursor_unittest.cc b/webkit/glue/webcursor_unittest.cc
new file mode 100644
index 0000000..1a15bf8
--- /dev/null
+++ b/webkit/glue/webcursor_unittest.cc
@@ -0,0 +1,82 @@
+// Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include "base/pickle.h"
+#include "testing/gtest/include/gtest/gtest.h"
+#include "webkit/glue/webcursor.h"
+#include "webkit/tools/test_shell/test_shell_test.h"
+
+TEST(WebCursorTest, CursorSerialization) {
+ WebCursor custom_cursor;
+ // This is a valid custom cursor.
+ Pickle ok_custom_pickle;
+ // Type and hotspots.
+ ok_custom_pickle.WriteInt(0);
+ ok_custom_pickle.WriteInt(0);
+ ok_custom_pickle.WriteInt(0);
+ // X & Y
+ ok_custom_pickle.WriteInt(1);
+ ok_custom_pickle.WriteInt(1);
+ // Data len including enough data for a 1x1 image.
+ ok_custom_pickle.WriteInt(4);
+ ok_custom_pickle.WriteUInt32(0);
+ // Custom Windows message.
+ ok_custom_pickle.WriteIntPtr(NULL);
+ void* iter = NULL;
+ EXPECT_TRUE(custom_cursor.Deserialize(&ok_custom_pickle, &iter));
+
+ // This custom cursor has not been send with enough data.
+ Pickle short_custom_pickle;
+ // Type and hotspots.
+ short_custom_pickle.WriteInt(0);
+ short_custom_pickle.WriteInt(0);
+ short_custom_pickle.WriteInt(0);
+ // X & Y
+ short_custom_pickle.WriteInt(1);
+ short_custom_pickle.WriteInt(1);
+ // Data len not including enough data for a 1x1 image.
+ short_custom_pickle.WriteInt(3);
+ short_custom_pickle.WriteUInt32(0);
+ // Custom Windows message.
+ ok_custom_pickle.WriteIntPtr(NULL);
+ iter = NULL;
+ EXPECT_FALSE(custom_cursor.Deserialize(&short_custom_pickle, &iter));
+
+ // This custom cursor has enough data but is too big.
+ Pickle large_custom_pickle;
+ // Type and hotspots.
+ large_custom_pickle.WriteInt(0);
+ large_custom_pickle.WriteInt(0);
+ large_custom_pickle.WriteInt(0);
+ // X & Y
+ static const int kTooBigSize = 4096 + 1;
+ large_custom_pickle.WriteInt(kTooBigSize);
+ large_custom_pickle.WriteInt(1);
+ // Data len including enough data for a 4097x1 image.
+ large_custom_pickle.WriteInt(kTooBigSize * 4);
+ for (int i = 0; i < kTooBigSize; ++i)
+ large_custom_pickle.WriteUInt32(0);
+ // Custom Windows message.
+ ok_custom_pickle.WriteIntPtr(NULL);
+ iter = NULL;
+ EXPECT_FALSE(custom_cursor.Deserialize(&large_custom_pickle, &iter));
+
+ // This custom cursor uses negative lengths.
+ Pickle neg_custom_pickle;
+ // Type and hotspots.
+ neg_custom_pickle.WriteInt(0);
+ neg_custom_pickle.WriteInt(0);
+ neg_custom_pickle.WriteInt(0);
+ // X & Y
+ neg_custom_pickle.WriteInt(-1);
+ neg_custom_pickle.WriteInt(-1);
+ // Data len including enough data for a 1x1 image.
+ neg_custom_pickle.WriteInt(4);
+ neg_custom_pickle.WriteUInt32(0);
+ // Custom Windows message.
+ neg_custom_pickle.WriteIntPtr(NULL);
+ iter = NULL;
+ EXPECT_FALSE(custom_cursor.Deserialize(&neg_custom_pickle, &iter));
+}
+
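Review bot: The trailing platform field in the short and large cases is written to the wrong pickle: both `ok_custom_pickle.WriteIntPtr(NULL);` lines after the "Custom Windows message." comments in those cases should be `short_custom_pickle.WriteIntPtr(NULL);` and `large_custom_pickle.WriteIntPtr(NULL);`. The test still passes only because Deserialize rejects those pickles before reaching that field, which is exactly what hides the copy-paste slip. The large case also uses `4096 + 1` while the limit introduced in webcursor.cc is 1024, so the test does not pin the boundary; `static const int kTooBigSize = 1024 + 1;` (or the exported limit, if one is added) would catch a later loosening of the cap, and a companion case at exactly 1024 would pin the accepting side. Minor wording: "has not been send" should read "has not been sent".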
diff --git a/webkit/tools/test_shell/test_shell.gyp b/webkit/tools/test_shell/test_shell.gyp
index 17bdc34..718a754 100644
--- a/webkit/tools/test_shell/test_shell.gyp
+++ b/webkit/tools/test_shell/test_shell.gyp
@@ -468,6 +468,7 @@
'../../glue/regular_expression_unittest.cc',
'../../glue/resource_fetcher_unittest.cc',
'../../glue/unittest_test_server.h',
+ '../../glue/webcursor_unittest.cc',
'../../glue/webframe_unittest.cc',
'../../glue/webplugin_impl_unittest.cc',
'../webcore_unit_tests/BMPImageDecoder_unittest.cpp',