From 3d6293a1bba2afffdaee2c2733d526547e013217 Mon Sep 17 00:00:00 2001
From: "sanga@chromium.org"
Date: Wed, 17 Aug 2011 16:16:27 +0000
Subject: Adding guards against heap overflow in PPB_FileIO::Read

BUG= http://code.google.com/p/chromium/issues/detail?id=92750
TEST= none at this time. FileIO tests are turned off for ui_tests.
Review URL: http://codereview.chromium.org/7655009
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97141 0039d316-1c4b-4281-b951-d872f2087c98
---
 base/file_util_proxy.cc | 2 ++
 ppapi/tests/test_file_io.cc | 10 +++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)

diff --git a/base/file_util_proxy.cc b/base/file_util_proxy.cc
index a192cbf..2d5125f 100644
--- a/base/file_util_proxy.cc
+++ b/base/file_util_proxy.cc
@@ -854,6 +854,8 @@ bool FileUtilProxy::Read(
 int64 offset,
 int bytes_to_read,
 ReadCallback* callback) {
+ if (bytes_to_read < 0)
+ return false;
 return Start(FROM_HERE, message_loop_proxy,
 new RelayRead(file, offset, bytes_to_read, callback));
 }
diff --git a/ppapi/tests/test_file_io.cc b/ppapi/tests/test_file_io.cc
index 160951e..ed77669 100644
--- a/ppapi/tests/test_file_io.cc
+++ b/ppapi/tests/test_file_io.cc
@@ -4,7 +4,6 @@
 
 #include "ppapi/tests/test_file_io.h"
 
-#include
 #include
 
 #include "base/memory/scoped_ptr.h"
@@ -257,6 +256,15 @@ std::string TestFileIO::TestReadWriteSetLength() {
 if (rv != PP_OK)
 return ReportError("FileIO::Write", rv);
 
+ // Check for failing read operation.
+ char buf[256];
+ rv = file_io.Read(0, buf, -1, // negative number of bytes to read
+ callback);
+ if (rv == PP_OK_COMPLETIONPENDING)
+ rv = callback.WaitForResult();
+ if (rv != PP_ERROR_FAILED)
+ return ReportError("FileIO::Read", rv);
+
 // Read the entire file.
 std::string read_buffer;
 rv = ReadEntireFile(instance_->pp_instance(), &file_io, 0, &read_buffer);
-- 
cgit v1.1
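Review bot: The new early return in `FileUtilProxy::Read` rejects a negative `bytes_to_read` without saying what happens to `callback`, which on that path is neither run nor handed to `RelayRead`. A caller that only learns the outcome through the callback would never be notified, and whether the pointer is still the caller's to release is not visible here. I would add a comment above the check along the lines of `// Negative lengths are rejected before RelayRead is constructed; |callback| is not run on this path.`, with the ownership wording confirmed against how the false return of `Start()` is treated. Any sibling entry point in this file that takes a signed length from the same callers would need the same guard; none is visible in this hunk. The function's signature begins above the hunk.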
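Review bot: The added check in `TestReadWriteSetLength` exercises only `-1` and reports a miss under the same `"FileIO::Read"` label an ordinary read failure would use, so a regression of the length guard would be hard to recognise in test output. A distinct label such as `return ReportError("FileIO::Read with negative length", rv);` would make it unambiguous, and a second call passing the smallest representable `int` length would cover the other end of the rejected range. The commit message notes that FileIO tests are currently turned off for ui_tests, so this coverage does not run until they are re-enabled; a `// TODO` beside the block saying so would keep that visible. The test function begins above the hunk and continues past it.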