Index: net/http/http_auth_handler_ntlm.cc |
=================================================================== |
--- net/http/http_auth_handler_ntlm.cc (revision 19403) |
+++ net/http/http_auth_handler_ntlm.cc (working copy) |
@@ -411,10 +411,17 @@ |
cursor += sizeof(NTLM_TYPE2_MARKER); |
// read target name security buffer |
- msg->target_len = ReadUint16(cursor); |
+ uint32 target_len = ReadUint16(cursor); |
ReadUint16(cursor); // discard next 16-bit value |
uint32 offset = ReadUint32(cursor); // get offset from in_buf |
- msg->target = ((const uint8*) in_buf) + offset; |
+ msg->target_len = 0; |
+ msg->target = NULL; |
+ // Check the offset / length combo is in range of the input buffer, including |
+ // integer overflow checking. |
+ if (offset + target_len > offset && offset + target_len <= in_len) { |
wtc
2009/07/13 18:07:30
Should we return ERR_UNEXPECTED or some other erro
|
+ msg->target_len = target_len; |
+ msg->target = ((const uint8*) in_buf) + offset; |
+ } |
// read flags |
msg->flags = ReadUint32(cursor); |
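Review bot: The range check `if (offset + target_len > offset && offset + target_len <= in_len)` depends on uint32 wraparound and on a strict `>`, so a well-formed zero-length target also takes the reject path, and a reader has to reason about overflow to see that the test is sound. A subtraction form states the bound directly and cannot wrap: `if (offset <= in_len && target_len <= in_len - offset) {`. This assumes `in_len` is unsigned or already known to be non-negative, since its declaration is outside the hunk. The comment above the check could also state that an out-of-range security buffer leaves `msg->target` NULL with `msg->target_len` 0, so later code knows it must tolerate a NULL target. The enclosing function starts and ends outside the hunk, so it cannot be confirmed from here whether the preceding `ReadUint16`/`ReadUint32` cursor reads are themselves bounded by `in_len`.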