base/pickle.cc - Issue 146121: Fix a couple of integer issues in Pickle deserialization

Side by Side Diff: base/pickle.cc

Issue 146121: Fix a couple of integer issues in Pickle deserialization (Closed) Base URL: svn://chrome-svn/chrome/trunk/src/

Patch Set: '' Created 11 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch | Annotate | Revision Log

OLD	NEW
1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.	1 // Copyright (c) 2006-2008 The Chromium Authors. All rights reserved.

2 // Use of this source code is governed by a BSD-style license that can be	2 // Use of this source code is governed by a BSD-style license that can be

3 // found in the LICENSE file.	3 // found in the LICENSE file.

4	4

5 #include "base/pickle.h"	5 #include "base/pickle.h"

6	6

7 #include <stdlib.h>	7 #include <stdlib.h>

8	8

9 #include <limits>	9 #include <limits>

10 #include <string>	10 #include <string>

(...skipping 190 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
201 UpdateIter(iter, len);	201 UpdateIter(iter, len);

202 return true;	202 return true;

203 }	203 }

204	204

205 bool Pickle::ReadWString(void** iter, std::wstring* result) const {	205 bool Pickle::ReadWString(void** iter, std::wstring* result) const {

206 DCHECK(iter);	206 DCHECK(iter);

207	207

208 int len;	208 int len;

209 if (!ReadLength(iter, &len))	209 if (!ReadLength(iter, &len))

210 return false;	210 return false;

	211 // Avoid integer overflow.

	212 if (len > INT_MAX / static_cast<int>(sizeof(wchar_t)))

	213 return false;

211 if (!IteratorHasRoomFor(iter, len sizeof(wchar_t)))	214 if (!IteratorHasRoomFor(iter, len sizeof(wchar_t)))

212 return false;	215 return false;

213	216

214 wchar_t* chars = reinterpret_cast<wchar_t>(iter);	217 wchar_t* chars = reinterpret_cast<wchar_t>(iter);

215 result->assign(chars, len);	218 result->assign(chars, len);

216	219

217 UpdateIter(iter, len * sizeof(wchar_t));	220 UpdateIter(iter, len * sizeof(wchar_t));

218 return true;	221 return true;

219 }	222 }

220	223

221 bool Pickle::ReadString16(void** iter, string16* result) const {	224 bool Pickle::ReadString16(void** iter, string16* result) const {

222 DCHECK(iter);	225 DCHECK(iter);

223	226

224 int len;	227 int len;

225 if (!ReadLength(iter, &len))	228 if (!ReadLength(iter, &len))

226 return false;	229 return false;

227 if (!IteratorHasRoomFor(*iter, len))	230 if (!IteratorHasRoomFor(iter, len sizeof(char16)))

228 return false;	231 return false;

229	232

230 char16* chars = reinterpret_cast<char16>(iter);	233 char16* chars = reinterpret_cast<char16>(iter);

231 result->assign(chars, len);	234 result->assign(chars, len);

232	235

233 UpdateIter(iter, len * sizeof(char16));	236 UpdateIter(iter, len * sizeof(char16));

234 return true;	237 return true;

235 }	238 }

236	239

237 bool Pickle::ReadBytes(void iter, const char data, int length) const {	240 bool Pickle::ReadBytes(void iter, const char data, int length) const {

(...skipping 141 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
379 DCHECK(header_size <= static_cast<size_t>(kPayloadUnit));	382 DCHECK(header_size <= static_cast<size_t>(kPayloadUnit));

380	383

381 const Header* hdr = reinterpret_cast<const Header*>(start);	384 const Header* hdr = reinterpret_cast<const Header*>(start);

382 const char* payload_base = start + header_size;	385 const char* payload_base = start + header_size;

383 const char* payload_end = payload_base + hdr->payload_size;	386 const char* payload_end = payload_base + hdr->payload_size;

384 if (payload_end < payload_base)	387 if (payload_end < payload_base)

385 return NULL;	388 return NULL;

386	389

387 return (payload_end > end) ? NULL : payload_end;	390 return (payload_end > end) ? NULL : payload_end;

388 }	391 }

OLD	NEW

« no previous file with comments | « no previous file | base/pickle_unittest.cc » ('j') | no next file with comments »