
Side by Side Diff: ppapi/proxy/serialized_flash_menu.cc

Issue 11794037: IPC: defend against excessive number of submenu entries in PPAPI message. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 7 years, 11 months ago
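--- a/ppapi/proxy/serialized_flash_menu.cc
+++ b/ppapi/proxy/serialized_flash_menu.cc
@@ -1,27 +1,28 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "ppapi/proxy/serialized_flash_menu.h"
 
 #include "ipc/ipc_message.h"
 #include "ppapi/c/private/ppb_flash_menu.h"
 #include "ppapi/proxy/ppapi_param_traits.h"
 
 namespace ppapi {
 namespace proxy {
 
 namespace {
 // Maximum depth of submenus allowed (e.g., 1 indicates that submenus are
 // allowed, but not sub-submenus).
 const int kMaxMenuDepth = 2;
+const uint32_t kMaxMenuEntries = 1000;
 
 bool CheckMenu(int depth, const PP_Flash_Menu* menu);
 void FreeMenu(const PP_Flash_Menu* menu);
 void WriteMenu(IPC::Message* m, const PP_Flash_Menu* menu);
 PP_Flash_Menu* ReadMenu(int depth, const IPC::Message* m, PickleIterator* iter);
 
 bool CheckMenuItem(int depth, const PP_Flash_MenuItem* item) {
 if (item->type == PP_FLASH_MENUITEM_TYPE_SUBMENU)
 return CheckMenu(depth, item->submenu);
 return true;
@@ -116,20 +117,25 @@
 menu->items = NULL;
 
 if (!m->ReadUInt32(iter, &menu->count)) {
 FreeMenu(menu);
 return NULL;
 }
 
 if (menu->count == 0)
 return menu;
 
+if (menu->count > kMaxMenuEntries) {
+FreeMenu(menu);
+return NULL;
+}
+
 menu->items = new PP_Flash_MenuItem[menu->count];
 memset(menu->items, 0, sizeof(PP_Flash_MenuItem) * menu->count);
 for (uint32_t i = 0; i < menu->count; ++i) {
 if (!ReadMenuItem(depth, m, iter, menu->items + i)) {
 FreeMenu(menu);
 return NULL;
 }
 }
 return menu;
 }
@@ -166,10 +172,10 @@
 pp_menu_ = ReadMenu(0, m, iter);
 if (!pp_menu_)
 return false;
 
 own_menu_ = true;
 return true;
 }
 
 } // namespace proxy
 } // namespace ppapi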
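Review bot: `kMaxMenuEntries` (new line 18) has no comment, unlike `kMaxMenuDepth` directly above it, and the check at new lines 127-130 can be read as a total limit although it is applied to each menu separately. Because `ReadMenu` (whose body starts above the visible hunk) takes `menu->count` straight from the IPC message and uses it to size `new PP_Flash_MenuItem[menu->count]`, the constant deserves a line such as `// Maximum number of items in a single menu; bounds the allocation ReadMenu makes from a count read out of the message.` Submenus appear to be read through `ReadMenuItem`, which is outside the visible hunks, so each nested menu would get its own 1000-entry budget and the aggregate is limited only by `kMaxMenuDepth` and the message size. `CheckMenu` is not visible here either; if it does not apply the same limit, a menu accepted on the sending side would fail to deserialize on the receiving side.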