Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(23)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 6347013: Check that we've got a complete header before accessing its fields.... (Closed)

Created:
9 years, 11 months ago by Alexander Potapenko
Modified:
9 years, 6 months ago
CC:
chromium-reviews, Paweł Hajdan Jr., brettw-cc_chromium.org, eugenis
Visibility:
Public.

Description

Check that we've got a complete header before accessing its fields. This patch was prepared by Evgeniy Stepanov (eugenis@chromium.org) and reviewed at http://codereview.chromium.org/6353010/ BUG=70376 TEST=none TBR=darin,willchan Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=72634

Patch Set 1 #

Unified diffs Side-by-side diffs Delta from patch set Stats (+15 lines, -0 lines) Patch
M base/pickle.h View 1 chunk +1 line, -0 lines 0 comments Download
M base/pickle.cc View 1 chunk +3 lines, -0 lines 0 comments Download
M base/pickle_unittest.cc View 1 chunk +11 lines, -0 lines 0 comments Download

Messages

Total messages: 2 (0 generated)
Alexander Potapenko
9 years, 11 months ago (2011-01-26 13:03:00 UTC) #1
willchan no longer on Chromium
9 years, 11 months ago (2011-01-26 15:36:54 UTC) #2 
LGTM

On Wed, Jan 26, 2011 at 5:03 AM, <glider@chromium.org> wrote:

> Reviewers: darin, willchan,
>
> Description:
> Check that we've got a complete header before accessing its fields.
>
> This patch was prepared by Evgeniy Stepanov (eugenis@chromium.org) and
> reviewed
> at http://codereview.chromium.org/6353010/
>
> BUG=70376
> TEST=none
> TBR=darin,willchan
>
>
> Committed: http://src.chromium.org/viewvc/chrome?view=rev&revision=72634
>
> Please review this at http://codereview.chromium.org/6347013/
>
> SVN Base: svn://svn.chromium.org/chrome/trunk/src/
>
> Affected files:
>  M     base/pickle.h
>  M     base/pickle.cc
>  M     base/pickle_unittest.cc
>
>
> Index: base/pickle.cc
> ===================================================================
> --- base/pickle.cc      (revision 72619)
> +++ base/pickle.cc      (working copy)
> @@ -406,6 +406,9 @@
>   DCHECK(header_size == AlignInt(header_size, sizeof(uint32)));
>   DCHECK(header_size <= static_cast<size_t>(kPayloadUnit));
>
> +  if (static_cast<size_t>(end - start) < sizeof(Header))
> +    return NULL;
> +
>   const Header* hdr = reinterpret_cast<const Header*>(start);
>   const char* payload_base = start + header_size;
>   const char* payload_end = payload_base + hdr->payload_size;
> Index: base/pickle.h
> ===================================================================
> --- base/pickle.h       (revision 72619)
> +++ base/pickle.h       (working copy)
> @@ -236,6 +236,7 @@
>
>   FRIEND_TEST_ALL_PREFIXES(PickleTest, Resize);
>   FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNext);
> +  FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNextWithIncompleteHeader);
>   FRIEND_TEST_ALL_PREFIXES(PickleTest, IteratorHasRoom);
>  };
>
> Index: base/pickle_unittest.cc
> ===================================================================
> --- base/pickle_unittest.cc     (revision 72619)
> +++ base/pickle_unittest.cc     (working copy)
> @@ -171,6 +171,17 @@
>   EXPECT_TRUE(end == Pickle::FindNext(pickle.header_size_, start, end +
> 1));
>  }
>
> +TEST(PickleTest, FindNextWithIncompleteHeader) {
> +  size_t header_size = sizeof(Pickle::Header);
> +  scoped_array<char> buffer(new char[header_size - 1]);
> +  memset(buffer.get(), 0x1, header_size - 1);
> +
> +  const char* start = buffer.get();
> +  const char* end = start + header_size - 1;
> +
> +  EXPECT_TRUE(NULL == Pickle::FindNext(header_size, start, end));
> +}
> +
>  TEST(PickleTest, IteratorHasRoom) {
>   Pickle pickle;
>   EXPECT_TRUE(pickle.WriteInt(1));
>
>
>

Powered by Google App Engine
This is Rietveld 408576698