From c3df2b248dabeec03a9a208a703cd5509ce1e40c Mon Sep 17 00:00:00 2001
From: "evan@chromium.org"
Date: Mon, 28 Dec 2009 20:58:53 +0000
Subject: plugins: limit maximum window size
Even if plugins will crash when they are too large, we should try to have the renderer stay up.
BUG=28606
Review URL: http://codereview.chromium.org/515043
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@35309 0039d316-1c4b-4281-b951-d872f2087c98
---
 chrome/renderer/webplugin_delegate_proxy.cc | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'chrome/renderer/webplugin_delegate_proxy.cc')
diff --git a/chrome/renderer/webplugin_delegate_proxy.cc b/chrome/renderer/webplugin_delegate_proxy.cc
index f459b51..869350a 100644
--- a/chrome/renderer/webplugin_delegate_proxy.cc
+++ b/chrome/renderer/webplugin_delegate_proxy.cc
@@ -411,6 +411,16 @@ void WebPluginDelegateProxy::OnChannelError() {
 void WebPluginDelegateProxy::UpdateGeometry(const gfx::Rect& window_rect,
 const gfx::Rect& clip_rect) {
+ // window_rect becomes either a window in native windowing system
+ // coords, or a backing buffer. In either case things will go bad
+ // if the rectangle is very large.
+ if (window_rect.width() < 0 || window_rect.width() > (1<<15) ||
+ window_rect.height() < 0 || window_rect.height() > (1<<15) ||
+ // Clip to 8m pixels; we know this won't overflow due to above checks.
+ window_rect.width() * window_rect.height() > (8<<20)) {
+ return;
+ }
+
 plugin_rect_ = window_rect;
 bool bitmaps_changed = false;
-- cgit v1.1
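Review bot: The new guard at the top of UpdateGeometry drops an out-of-range `window_rect` with a bare `return`, so `plugin_rect_` keeps its previous value and the rest of the function (which continues outside the hunk) is skipped without leaving any trace. A line such as `DLOG(WARNING) << "Ignoring plugin geometry " << window_rect.width() << "x" << window_rect.height();` before the return would make a rejected update diagnosable. `clip_rect` is not checked at all; if it also sizes a buffer or window further down, it presumably needs the same bounds. The limits would read better as named constants (`const int kMaxPluginSideLength = 1 << 15;`, `const int kMaxPluginSize = 8 << 20;`) than as inline shifts. Because this check lives only in the renderer-side proxy, it is worth confirming that the side receiving the geometry validates the rectangle itself rather than relying on the sender.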