authorvictorhsieh@chromium.org <victorhsieh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-11-15 07:27:55 +0000
committervictorhsieh@chromium.org <victorhsieh@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2012-11-15 07:27:55 +0000
commitad103a1564365c95f4ee4f10261f9604f91f686a (patch)
treea29e9898a2f4f333308343f258510a711dc88f75 /webkit
parent344e1d32cd935f06463083521a5299cbc5c592e5 (diff)
Security fix: integer overflow on checking image size
Test is left in another CL (codereview.chromium.org/11274036) to avoid conflict there. Hope it's fine. BUG=160926 Review URL: https://chromiumcodereview.appspot.com/11410081 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@167882 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'webkit')
-rw-r--r--webkit/plugins/ppapi/ppb_image_data_impl.cc5
1 files changed, 2 insertions, 3 deletions
diff --git a/webkit/plugins/ppapi/ppb_image_data_impl.cc b/webkit/plugins/ppapi/ppb_image_data_impl.cc
index b318b46..4bdcbef 100644
--- a/webkit/plugins/ppapi/ppb_image_data_impl.cc
+++ b/webkit/plugins/ppapi/ppb_image_data_impl.cc
@@ -54,8 +54,8 @@ bool PPB_ImageData_Impl::Init(PP_ImageDataFormat format,
return false; // Only support this one format for now.
if (width <= 0 || height <= 0)
return false;
- if (static_cast<int64>(width) * static_cast<int64>(height) * 4 >=
- std::numeric_limits<int32>::max())
+ if (static_cast<int64>(width) * static_cast<int64>(height) >=
+ std::numeric_limits<int32>::max() / 4)
return false; // Prevent overflow of signed 32-bit ints.
format_ = format;
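Review bot: The comment on the `return false;` after the new size check still reads only "Prevent overflow of signed 32-bit ints", which does not say why the limit is divided by 4 instead of the product being multiplied, so a later cleanup could restore the multiplication form. Assuming width and height are 32-bit ints (the signature is cut off by the hunk header), their int64 product always fits, while multiplying that product by 4 may not; I would put `// Compare against max/4: width * height fits in int64, but multiplying by 4 could overflow it.` above the check. The bare `4` is presumably the bytes per pixel of the one supported format, and a named constant shared with whatever computes the buffer size would keep the two in step. The description defers the test to another CL, so that CL should cover a case with both dimensions near the int32 maximum. Init's body starts and continues outside the hunk.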
@@ -285,4 +285,3 @@ const SkBitmap* ImageDataNaClBackend::GetMappedBitmap() const {
} // namespace ppapi
} // namespace webkit
-