From 137d237f941001695681ed5628a20dec84cd3b86 Mon Sep 17 00:00:00 2001
From: "glider@chromium.org"
Date: Wed, 26 Jan 2011 13:02:27 +0000
Subject: Check that we've got a complete header before accessing its fields.

This patch was prepared by Evgeniy Stepanov (eugenis@chromium.org) and reviewed at http://codereview.chromium.org/6353010/
BUG=70376
TEST=none
TBR=darin,willchan
Review URL: http://codereview.chromium.org/6347013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@72634 0039d316-1c4b-4281-b951-d872f2087c98
---
 base/pickle.cc          |  3 +++
 base/pickle.h           |  1 +
 base/pickle_unittest.cc | 11 +++++++++++
 3 files changed, 15 insertions(+)

diff --git a/base/pickle.cc b/base/pickle.cc
index a05df28..e7d5768 100644
--- a/base/pickle.cc
+++ b/base/pickle.cc
@@ -406,6 +406,9 @@ const char* Pickle::FindNext(size_t header_size,
   DCHECK(header_size == AlignInt(header_size, sizeof(uint32)));
   DCHECK(header_size <= static_cast(kPayloadUnit));
 
+  if (static_cast(end - start) < sizeof(Header))
+    return NULL;
+
   const Header* hdr = reinterpret_cast(start);
   const char* payload_base = start + header_size;
   const char* payload_end = payload_base + hdr->payload_size;
diff --git a/base/pickle.h b/base/pickle.h
index bbe5d34..498ce95 100644
--- a/base/pickle.h
+++ b/base/pickle.h
@@ -236,6 +236,7 @@ class Pickle {
   FRIEND_TEST_ALL_PREFIXES(PickleTest, Resize);
   FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNext);
+  FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNextWithIncompleteHeader);
   FRIEND_TEST_ALL_PREFIXES(PickleTest, IteratorHasRoom);
 };
diff --git a/base/pickle_unittest.cc b/base/pickle_unittest.cc
index fdc0664..39eaa1b 100644
--- a/base/pickle_unittest.cc
+++ b/base/pickle_unittest.cc
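Review bot: The new guard in FindNext casts `end - start` to an unsigned width before comparing it with `sizeof(Header)`, so a caller that passes `end` before `start` produces a huge value, passes the check, and the following line still reads `hdr->payload_size` from an invalid range. Either document `start <= end` as a precondition or fold it into the guard: `if (end < start || static_cast<size_t>(end - start) < sizeof(Header)) return NULL;`. The guard also checks only `sizeof(Header)` while the lines below treat `header_size` bytes as header before the payload; if `header_size` can exceed `sizeof(Header)`, comparing against `header_size` instead would also avoid forming `payload_base` beyond `end` before any later bounds check runs. FindNext's body continues past the hunk, so whatever check is applied to `payload_end` afterwards is not visible here.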
@@ -171,6 +171,17 @@ TEST(PickleTest, FindNext) {
   EXPECT_TRUE(end == Pickle::FindNext(pickle.header_size_, start, end + 1));
 }
 
+TEST(PickleTest, FindNextWithIncompleteHeader) {
+  size_t header_size = sizeof(Pickle::Header);
+  scoped_array buffer(new char[header_size - 1]);
+  memset(buffer.get(), 0x1, header_size - 1);
+
+  const char* start = buffer.get();
+  const char* end = start + header_size - 1;
+
+  EXPECT_TRUE(NULL == Pickle::FindNext(header_size, start, end));
+}
+
 TEST(PickleTest, IteratorHasRoom) {
   Pickle pickle;
   EXPECT_TRUE(pickle.WriteInt(1));
-- 
cgit v1.1
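Review bot: FindNextWithIncompleteHeader exercises only the `header_size - 1` boundary, so the empty-buffer case that the fix also covers, and the exact `sizeof(Header)` boundary where the header read becomes legal again, are left unpinned. One extra assertion in the same test covers the empty case without a second buffer: `EXPECT_TRUE(NULL == Pickle::FindNext(header_size, start, start));`. A companion case with a buffer of exactly `header_size` bytes would confirm the guard is `<` rather than `<=`, which matters because a too-strict check would reject every valid minimal message. The buffer is filled with `0x1` so `payload_size` would be non-zero if it were read, which is a good choice for catching an out-of-range read under ASan; a short comment saying so, `// Non-zero fill so a premature header read is observable.`, would make the intent clear.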