| Index: base/clipboard.cc
|
| ===================================================================
|
| --- base/clipboard.cc (revision 12385)
|
| +++ base/clipboard.cc (working copy)
|
| @@ -6,6 +6,17 @@
|
|
|
| #include "base/logging.h"
|
|
|
| +namespace {
|
| +
|
| +// A compromised renderer could send us bad data, so validate it.
|
| +bool IsBitmapSafe(const Clipboard::ObjectMapParams& params) {
|
| + const gfx::Size* size = reinterpret_cast<const gfx::Size*>(params[1].data());
|
| + return params[0].size() ==
|
| + static_cast<size_t>(size->width() * size->height() * 4);
|
| +}
|
| +
|
| +}
|
| +
|
| void Clipboard::DispatchObject(ObjectType type, const ObjectMapParams& params) {
|
| switch (type) {
|
| case CBF_TEXT:
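Review bot: `IsBitmapSafe` reads `params[1]` as a `gfx::Size` before checking that `params` has two entries or that `params[1]` holds `sizeof(gfx::Size)` bytes, so a short or missing size blob from the renderer is read out of bounds by the validator itself. The product `size->width() * size->height() * 4` is also computed in `int`, so large or negative dimensions can overflow and wrap to a value that happens to equal `params[0].size()`. A 0x0 size with an empty pixel buffer passes as well. I would check the element count and blob length first, reject non-positive dimensions, and do the multiplication in 64 bits, as sketched below (this assumes `ObjectMapParams` exposes `size()` like a vector, which the hunk does not show). The helper lies entirely inside this hunk; `DispatchObject` continues past it.

```cpp
bool IsBitmapSafe(const Clipboard::ObjectMapParams& params) {
  // Both the pixel buffer and a complete size blob must be present.
  if (params.size() < 2 || params[1].size() != sizeof(gfx::Size))
    return false;
  const gfx::Size* size = reinterpret_cast<const gfx::Size*>(params[1].data());
  // Reject empty or negative dimensions before doing any arithmetic.
  if (size->width() <= 0 || size->height() <= 0)
    return false;
  // Widen before multiplying so the expected byte count cannot wrap.
  const uint64_t expected = static_cast<uint64_t>(size->width()) *
                            static_cast<uint64_t>(size->height()) * 4;
  return expected == params[0].size();
}
```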
|
| @@ -40,6 +51,8 @@
|
|
|
| #if defined(OS_WIN) || defined(OS_LINUX) // This is just a stub on Linux
|
| case CBF_BITMAP:
|
| + if (!IsBitmapSafe(params))
|
| + return;
|
| WriteBitmap(&(params[0].front()), &(params[1].front()));
|
| break;
|
| #endif // defined(OS_WIN) || defined(OS_LINUX)
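Review bot: The new guard in `case CBF_BITMAP` rejects bad data with a bare `return`, so a malformed bitmap from a renderer leaves no trace for anyone investigating a compromised or buggy process. Since `base/logging.h` is already included, a line such as `DLOG(WARNING) << "Rejected malformed CBF_BITMAP clipboard object";` before the `return` would make the rejection visible. Note also that `&(params[0].front())` is still reached when `params[0]` is empty and the size blob says 0x0, because the check as written accepts that pair; calling `front()` on an empty container is undefined. The rest of the `switch` is outside this hunk, so whether the other cases need similar validation cannot be judged from here.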
|
|
|