From 86440f533f6efca55ff112c93c6bab8839c797e2 Mon Sep 17 00:00:00 2001
From: "cevans@chromium.org"
Date: Thu, 31 Dec 2009 05:17:23 +0000
Subject: Avoid calling vector resize() with excessive size parameter: fix broken integer overflow checks, or remove resize() calls to simplify non-hot-path cases, or add stronger validations as appropriate.
BUG=31364
TEST=NONE
Review URL: http://codereview.chromium.org/519031
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35414 0039d316-1c4b-4281-b951-d872f2087c98
---
 chrome/common/render_messages.h | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'chrome/common')
diff --git a/chrome/common/render_messages.h b/chrome/common/render_messages.h
index 555ebd0..e21c415 100644
--- a/chrome/common/render_messages.h
+++ b/chrome/common/render_messages.h
@@ -861,14 +861,15 @@ struct ParamTraits {
 ReadParam(m, iter, &p->target_url);
 size_t elements_size = 0;
 result = result && ReadParam(m, iter, &elements_size);
- p->elements.resize(elements_size);
 for (size_t i = 0; i < elements_size; i++) {
 string16 label, name, type, value;
 result = result && ReadParam(m, iter, &label);
 result = result && ReadParam(m, iter, &name);
 result = result && ReadParam(m, iter, &type);
 result = result && ReadParam(m, iter, &value);
- p->elements[i] = webkit_glue::FormField(label, name, type, value);
+ if (result)
+ p->elements.push_back(
+ webkit_glue::FormField(label, name, type, value));
 }
 return result;
 }
-- 
cgit v1.1
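Review bot: The loop still runs to elements_size even after result becomes false: `result && ReadParam(...)` short-circuits, so once a read fails the remaining iterations do no I/O but still spin, and elements_size is a size_t taken straight from the message, so a corrupt or hostile value keeps the receiving side busy for up to SIZE_MAX iterations before the failure is reported. Dropping resize() removes the allocation hazard but not this one; bounding the loop on the read status is a one-line change, `for (size_t i = 0; i < elements_size && result; i++) {`. The `if (result)` guard on push_back is then redundant but harmless. The enclosing Read function and its other parameters begin outside the hunk.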