| Index: chrome/common/common_param_traits.cc
|
| ===================================================================
|
| --- chrome/common/common_param_traits.cc (revision 44106)
|
| +++ chrome/common/common_param_traits.cc (working copy)
|
| @@ -147,6 +147,9 @@
|
| !m->ReadInt(iter, &w) ||
|
| !m->ReadInt(iter, &h))
|
| return false;
|
| + if (x < 0 || y < 0 || x >= (INT_MAX - w) || y >= (INT_MAX - h) ||
|
| + w < 0 || h < 0 || h >= ((INT_MAX / 16) / (w ? w : 1)))
|
| + return false;
|
| r->set_x(x);
|
| r->set_y(y);
|
| r->set_width(w);
|
| @@ -170,6 +173,8 @@
|
| if (!m->ReadInt(iter, &w) ||
|
| !m->ReadInt(iter, &h))
|
| return false;
|
| + if (w < 0 || h < 0 || h >= ((INT_MAX / 16) / (w ? w : 1)))
|
| + return false;
|
| r->set_width(w);
|
| r->set_height(h);
|
| return true;
|
|
|
Chromium Code Reviews
Issue 1582023:
Apply a sanity limit to objects with width & height. (Closed)
Base URL: svn://chrome-svn.corp.google.com/chrome/trunk/src/