From 9d65ad87c64ec57473b42ed290472ddec99e55c6 Mon Sep 17 00:00:00 2001
From: "abarth@chromium.org"
Date: Thu, 18 Jun 2009 04:58:34 +0000
Subject: Improve chunked encoding parsing. R=abarth BUG=14508 TEST=HttpChunkedDecoderTest.ExcessiveChunkLen Patch contributed by Chris Evans. git-svn-id: svn://svn.chromium.org/chrome/trunk/src@18687 0039d316-1c4b-4281-b951-d872f2087c98
---
 net/http/http_chunked_decoder.cc | 3 ++-
 net/http/http_chunked_decoder_unittest.cc | 7 +++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
 (limited to 'net/http')
diff --git a/net/http/http_chunked_decoder.cc b/net/http/http_chunked_decoder.cc
index e030dc0..6ecdcad 100644
--- a/net/http/http_chunked_decoder.cc
+++ b/net/http/http_chunked_decoder.cc
@@ -125,7 +125,8 @@ int HttpChunkedDecoder::ScanForChunkRemaining(const char* buf, int buf_len) {
 if (index_of_semicolon != StringPiece::npos) buf_len = static_cast(index_of_semicolon);
- if (!ParseChunkSize(buf, buf_len, &chunk_remaining_)) {
+ if (!ParseChunkSize(buf, buf_len, &chunk_remaining_) ||
+ chunk_remaining_ < 0) {
 DLOG(ERROR) << "Failed parsing HEX from: " << std::string(buf, buf_len);
 return ERR_INVALID_CHUNKED_ENCODING;
diff --git a/net/http/http_chunked_decoder_unittest.cc b/net/http/http_chunked_decoder_unittest.cc
index 51fbba0..f335f0a 100644
--- a/net/http/http_chunked_decoder_unittest.cc
+++ b/net/http/http_chunked_decoder_unittest.cc
@@ -266,3 +266,10 @@ TEST(HttpChunkedDecoderTest, InvalidConsecutiveCRLFs) {
 };
 RunTestUntilFailure(inputs, arraysize(inputs), 1);
 }
+
+TEST(HttpChunkedDecoderTest, ExcessiveChunkLen) {
+ const char* inputs[] = {
+ "c0000000\r\nhello\r\n"
+ };
+ RunTestUntilFailure(inputs, arraysize(inputs), 0);
+}
-- cgit v1.1
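Review bot: The added `chunk_remaining_ < 0` guard in ScanForChunkRemaining only rejects a chunk size whose parsed value ends up negative. A size with more hex digits than fit in an int could still wrap to a non-negative value, depending on how ParseChunkSize handles overflow, and that helper is not visible in this hunk. That should be confirmed, and the range check would sit better inside ParseChunkSize so every caller gets it. The guard also deserves a why-comment, for example `// A size above INT_MAX can come back negative; never let it reach the remaining-bytes arithmetic.` The DLOG text "Failed parsing HEX from:" now also fires for a well-formed but too-large size, so a wording such as "Invalid chunk size:" would be more accurate. The function body starts and ends outside the hunk.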
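Review bot: ExcessiveChunkLen exercises a single size with the top bit set (`c0000000`), so the edge of the new check is not pinned down. A sibling case for the smallest size that must be rejected (constructed example: `"80000000\r\nhello\r\n"`) would catch an off-by-one if the comparison is later changed. A case with more than eight hex digits would document what the decoder does when the value cannot fit in an int at all; the expected result there depends on ParseChunkSize, which this diff does not show. A one-line comment above the test, such as `// Chunk sizes that do not fit in a positive int must fail decoding.`, would record the intent.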