Chromium Code Reviews

Unified Diff: ppapi/proxy/serialized_flash_menu.cc

Issue 11794037: IPC: defend against excessive number of submenu entries in PPAPI message. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Created 7 years, 11 months ago
Index: ppapi/proxy/serialized_flash_menu.cc
===================================================================
--- ppapi/proxy/serialized_flash_menu.cc (revision 174890)
+++ ppapi/proxy/serialized_flash_menu.cc (working copy)
@@ -15,6 +15,7 @@
// Maximum depth of submenus allowed (e.g., 1 indicates that submenus are
// allowed, but not sub-submenus).
const int kMaxMenuDepth = 2;
+const uint32_t kMaxMenuEntries = 1000;
bool CheckMenu(int depth, const PP_Flash_Menu* menu);
void FreeMenu(const PP_Flash_Menu* menu);
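Review bot: The added kMaxMenuEntries constant has no comment, while kMaxMenuDepth directly above it documents what its value means. Please state that the limit applies to the count of a single menu (that is how the second hunk compares it against menu->count) and not to the total number of entries across nested submenus. CheckMenu is declared just below; if it validates menus on another path, consider enforcing the same bound there so both paths agree on what a valid menu is.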
@@ -123,6 +124,11 @@
if (menu->count == 0)
return menu;
+ if (menu->count > kMaxMenuEntries) {
+ FreeMenu(menu);
+ return NULL;
+ }
+
menu->items = new PP_Flash_MenuItem[menu->count];
memset(menu->items, 0, sizeof(PP_Flash_MenuItem) * menu->count);
for (uint32_t i = 0; i < menu->count; ++i) {
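Review bot: The new early return calls FreeMenu(menu) before menu->items is assigned by the `new PP_Flash_MenuItem[menu->count]` line that follows, so this path depends on FreeMenu tolerating a menu whose items pointer has not been set. Please confirm that the menu is zero-initialized where it is created above this hunk, or set menu->items to NULL before the check. Placing the bound ahead of the allocation and memset is the right order. A test that feeds a message with count just above kMaxMenuEntries and expects NULL would keep the check from regressing.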