Add size checks to extension icons to prevent out of memory conditions

chrome/browser/ui/webui/extensions/extension_icon_source.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/browser/ui/webui/extensions/extension_icon_source.h"
 
 #include "base/bind.h"
 #include "base/bind_helpers.h"
 #include "base/memory/ref_counted_memory.h"
 #include "base/stl_util.h"
@@ skipping 19 matching lines @@
 #include "ui/base/layout.h"
 #include "ui/base/resource/resource_bundle.h"
 #include "ui/gfx/codec/png_codec.h"
 #include "ui/gfx/color_utils.h"
 #include "ui/gfx/favicon_size.h"
 #include "ui/gfx/skbitmap_operations.h"
 #include "webkit/glue/image_decoder.h"
 
 namespace {
 
+// Maximum size for the loaded icon. Actual loaded size can be larger than
+// this because of scaling factor.
+const int kMaxIconSize = 512;
+
 scoped_refptr<base::RefCountedMemory> BitmapToMemory(const SkBitmap* image) {
   base::RefCountedBytes* image_bytes = new base::RefCountedBytes;
   gfx::PNGCodec::EncodeBGRASkBitmap(*image, false, &image_bytes->data());
   return image_bytes;
 }
 
 SkBitmap DesaturateImage(const SkBitmap* image) {
   color_utils::HSL shift = {-1, 0, 0.6};
   return SkBitmapOperations::CreateHSLShiftedBitmap(*image, shift);
 }
@@ skipping 63 matching lines @@
                                            bool is_incognito,
                                            int request_id) {
   // This is where everything gets started. First, parse the request and make
   // the request data available for later.
   if (!ParseData(path, request_id)) {
     SendDefaultResponse(request_id);
     return;
   }
 
   ExtensionIconRequest* request = GetData(request_id);
+  if (request->size>kMaxIconSize) {

[Matt Perry, 2012/12/14 18:57:08]

Move these ifs below.

Also, familiarize yourself with the style guide.
http://google-styleguide.googlecode.com/svn/trunk/cppguide.xml#Horizontal_Whi...
says you should put spaces around operators.

+    request->size = kMaxIconSize;
+  }
   ExtensionResource icon =
       request->extension->GetIconResource(request->size, request->match);
 
   if (icon.relative_path().empty()) {
     LoadIconFailed(request_id);
   } else {
     LoadExtensionImage(icon, request_id);
   }
 }
 
@@ skipping 26 matching lines @@
   else
     bitmap = *image;
 
   ClearData(request_id);
   SendResponse(request_id, BitmapToMemory(&bitmap));
 }
 
 void ExtensionIconSource::LoadDefaultImage(int request_id) {
   ExtensionIconRequest* request = GetData(request_id);
   const SkBitmap* default_image = NULL;
+  if (request->size>kMaxIconSize) {
+    request->size = kMaxIconSize;
+  }
 
   if (request->extension->is_app())
     default_image = GetDefaultAppImage();
   else
     default_image = GetDefaultExtensionImage();
 
   SkBitmap resized_image(skia::ImageOperations::Resize(
       *default_image, skia::ImageOperations::RESIZE_LANCZOS3,
       request->size, request->size));
 
   // There are cases where Resize returns an empty bitmap, for example if you
   // ask for an image too large. In this case it is better to return the default
   // image than returning nothing at all.
   if (resized_image.empty())
     resized_image = *default_image;
 
   FinalizeImage(&resized_image, request_id);
 }
 
 void ExtensionIconSource::LoadExtensionImage(const ExtensionResource& icon,
                                              int request_id) {
   ExtensionIconRequest* request = GetData(request_id);
+  if (request->size>kMaxIconSize) {
+    request->size = kMaxIconSize;
+  }
   extensions::ImageLoader::Get(profile_)->LoadImageAsync(
       request->extension, icon,
       gfx::Size(request->size, request->size),
       base::Bind(&ExtensionIconSource::OnImageLoaded, this, request_id));
 }
 
 void ExtensionIconSource::LoadFaviconImage(int request_id) {
   FaviconService* favicon_service =
       FaviconServiceFactory::GetForProfile(profile_, Profile::EXPLICIT_ACCESS);
   // Fall back to the default icons if the service isn't available.
   if (favicon_service == NULL) {
     LoadDefaultImage(request_id);
     return;
   }
 
   GURL favicon_url = GetData(request_id)->extension->GetFullLaunchURL();
   favicon_service->GetRawFaviconForURL(
       FaviconService::FaviconForURLParams(
           profile_, favicon_url, history::FAVICON, gfx::kFaviconSize),
       ui::SCALE_FACTOR_100P,
       base::Bind(&ExtensionIconSource::OnFaviconDataAvailable,
                  base::Unretained(this), request_id),
       &cancelable_task_tracker_);
 }
 
 void ExtensionIconSource::OnFaviconDataAvailable(
     int request_id,
     const history::FaviconBitmapResult& bitmap_result) {
   ExtensionIconRequest* request = GetData(request_id);
-
+  if (request->size>kMaxIconSize) {
+      request->size = kMaxIconSize;
+  }
   // Fallback to the default icon if there wasn't a favicon.
   if (!bitmap_result.is_valid()) {
     LoadDefaultImage(request_id);
     return;
   }
 
   if (!request->grayscale) {
     // If we don't need a grayscale image, then we can bypass FinalizeImage
     // to avoid unnecessary conversions.
     ClearData(request_id);
     SendResponse(request_id, bitmap_result.bitmap_data);
   } else {
     FinalizeImage(ToBitmap(bitmap_result.bitmap_data->front(),
                            bitmap_result.bitmap_data->size()), request_id);
   }
 }
 
 void ExtensionIconSource::OnImageLoaded(int request_id,
                                         const gfx::Image& image) {
   if (image.IsEmpty())
     LoadIconFailed(request_id);
   else
     FinalizeImage(image.ToSkBitmap(), request_id);
 }
 
 void ExtensionIconSource::LoadIconFailed(int request_id) {
   ExtensionIconRequest* request = GetData(request_id);
+  if (request->size>kMaxIconSize) {
+    request->size = kMaxIconSize;
+  }
   ExtensionResource icon =
       request->extension->GetIconResource(request->size, request->match);
 
   if (request->size == extension_misc::EXTENSION_ICON_BITTY)
     LoadFaviconImage(request_id);
   else
     LoadDefaultImage(request_id);
 }
 
 bool ExtensionIconSource::ParseData(const std::string& path,
                                     int request_id) {
   // Extract the parameters from the path by lower casing and splitting.
   std::string path_lower = StringToLowerASCII(path);
   std::vector<std::string> path_parts;
 
   base::SplitString(path_lower, '/', &path_parts);
   if (path_lower.empty() || path_parts.size() < 3)
     return false;
 
   std::string size_param = path_parts.at(1);
   std::string match_param = path_parts.at(2);
   match_param = match_param.substr(0, match_param.find('?'));
 
   int size;
   if (!base::StringToInt(size_param, &size))
     return false;
   if (size <= 0)
     return false;

[Matt Perry, 2012/12/14 18:57:08]

This is where the size is parsed. Just move all the bounds checking here.

 
   ExtensionIconSet::MatchType match_type;
   int match_num;
   if (!base::StringToInt(match_param, &match_num))
     return false;
   match_type = static_cast<ExtensionIconSet::MatchType>(match_num);
   if (!(match_type == ExtensionIconSet::MATCH_EXACTLY ||
         match_type == ExtensionIconSet::MATCH_SMALLER ||
         match_type == ExtensionIconSet::MATCH_BIGGER))
     match_type = ExtensionIconSet::MATCH_EXACTLY;
@@ skipping 40 matching lines @@
 
 void ExtensionIconSource::ClearData(int request_id) {
   std::map<int, ExtensionIconRequest*>::iterator i =
       request_map_.find(request_id);
   if (i == request_map_.end())
     return;
 
   delete i->second;
   request_map_.erase(i);
 }