| OLD | NEW |
|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "webkit/blob/blob_url_request_job.h" | 5 #include "webkit/blob/blob_url_request_job.h" |
| 6 | 6 |
| 7 #include <limits> |
| 8 |
| 9 #include "base/basictypes.h" |
| 7 #include "base/bind.h" | 10 #include "base/bind.h" |
| 8 #include "base/compiler_specific.h" | 11 #include "base/compiler_specific.h" |
| 9 #include "base/files/file_util_proxy.h" | 12 #include "base/files/file_util_proxy.h" |
| 10 #include "base/message_loop.h" | 13 #include "base/message_loop.h" |
| 11 #include "base/message_loop_proxy.h" | 14 #include "base/message_loop_proxy.h" |
| 12 #include "base/stl_util.h" | 15 #include "base/stl_util.h" |
| 13 #include "base/string_number_conversions.h" | 16 #include "base/string_number_conversions.h" |
| 14 #include "net/base/io_buffer.h" | 17 #include "net/base/io_buffer.h" |
| 15 #include "net/base/net_errors.h" | 18 #include "net/base/net_errors.h" |
| 16 #include "net/http/http_request_headers.h" | 19 #include "net/http/http_request_headers.h" |
| (...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 176 | 179 |
| 177 // If the blob data is not present, bail out. | 180 // If the blob data is not present, bail out. |
| 178 if (!blob_data_) { | 181 if (!blob_data_) { |
| 179 NotifyFailure(net::ERR_FILE_NOT_FOUND); | 182 NotifyFailure(net::ERR_FILE_NOT_FOUND); |
| 180 return; | 183 return; |
| 181 } | 184 } |
| 182 | 185 |
| 183 CountSize(); | 186 CountSize(); |
| 184 } | 187 } |
| 185 | 188 |
| 189 bool BlobURLRequestJob::AddItemLength(size_t index, int64 item_length) { |
| 190 if (item_length > kint64max - total_size_) { |
| 191 NotifyFailure(net::ERR_FAILED); |
| 192 return false; |
| 193 } |
| 194 |
| 195 // Cache the size and add it to the total size. |
| 196 DCHECK_LT(index, item_length_list_.size()); |
| 197 item_length_list_[index] = item_length; |
| 198 total_size_ += item_length; |
| 199 return true; |
| 200 } |
| 201 |
| 186 void BlobURLRequestJob::CountSize() { | 202 void BlobURLRequestJob::CountSize() { |
| 187 error_ = false; | 203 error_ = false; |
| 188 pending_get_file_info_count_ = 0; | 204 pending_get_file_info_count_ = 0; |
| 189 total_size_ = 0; | 205 total_size_ = 0; |
| 190 item_length_list_.resize(blob_data_->items().size()); | 206 item_length_list_.resize(blob_data_->items().size()); |
| 191 | 207 |
| 192 for (size_t i = 0; i < blob_data_->items().size(); ++i) { | 208 for (size_t i = 0; i < blob_data_->items().size(); ++i) { |
| 193 const BlobData::Item& item = blob_data_->items().at(i); | 209 const BlobData::Item& item = blob_data_->items().at(i); |
| 194 if (IsFileType(item.type())) { | 210 if (IsFileType(item.type())) { |
| 195 ++pending_get_file_info_count_; | 211 ++pending_get_file_info_count_; |
| 196 GetFileStreamReader(i)->GetLength( | 212 GetFileStreamReader(i)->GetLength( |
| 197 base::Bind(&BlobURLRequestJob::DidGetFileItemLength, | 213 base::Bind(&BlobURLRequestJob::DidGetFileItemLength, |
| 198 weak_factory_.GetWeakPtr(), i)); | 214 weak_factory_.GetWeakPtr(), i)); |
| 199 continue; | 215 continue; |
| 200 } | 216 } |
| 201 // Cache the size and add it to the total size. | 217 |
| 202 int64 item_length = static_cast<int64>(item.length()); | 218 if (!AddItemLength(i, item.length())) |
| 203 item_length_list_[i] = item_length; | 219 return; |
| 204 total_size_ += item_length; | |
| 205 } | 220 } |
| 206 | 221 |
| 207 if (pending_get_file_info_count_ == 0) | 222 if (pending_get_file_info_count_ == 0) |
| 208 DidCountSize(net::OK); | 223 DidCountSize(net::OK); |
| 209 } | 224 } |
| 210 | 225 |
| 211 void BlobURLRequestJob::DidCountSize(int error) { | 226 void BlobURLRequestJob::DidCountSize(int error) { |
| 212 DCHECK(!error_); | 227 DCHECK(!error_); |
| 213 | 228 |
| 214 // If an error occured, bail out. | 229 // If an error occured, bail out. |
| (...skipping 29 matching lines...) Expand all Loading... |
| 244 return; | 259 return; |
| 245 } else if (result < 0) { | 260 } else if (result < 0) { |
| 246 NotifyFailure(result); | 261 NotifyFailure(result); |
| 247 return; | 262 return; |
| 248 } | 263 } |
| 249 | 264 |
| 250 DCHECK_LT(index, blob_data_->items().size()); | 265 DCHECK_LT(index, blob_data_->items().size()); |
| 251 const BlobData::Item& item = blob_data_->items().at(index); | 266 const BlobData::Item& item = blob_data_->items().at(index); |
| 252 DCHECK(IsFileType(item.type())); | 267 DCHECK(IsFileType(item.type())); |
| 253 | 268 |
| 269 uint64 file_length = result; |
| 270 uint64 item_offset = item.offset(); |
| 271 uint64 item_length = item.length(); |
| 272 |
| 273 if (item_offset > file_length) { |
| 274 NotifyFailure(net::ERR_FILE_NOT_FOUND); |
| 275 return; |
| 276 } |
| 277 |
| 278 uint64 max_length = file_length - item_offset; |
| 279 |
| 254 // If item length is -1, we need to use the file size being resolved | 280 // If item length is -1, we need to use the file size being resolved |
| 255 // in the real time. | 281 // in the real time. |
| 256 int64 item_length = static_cast<int64>(item.length()); | 282 if (item_length == static_cast<uint64>(-1)) { |
| 257 if (item_length == -1) | 283 item_length = max_length; |
| 258 item_length = result - item.offset(); | 284 } else if (item_length > max_length) { |
| 285 NotifyFailure(net::ERR_FILE_NOT_FOUND); |
| 286 return; |
| 287 } |
| 259 | 288 |
| 260 // Cache the size and add it to the total size. | 289 if (!AddItemLength(index, item_length)) |
| 261 DCHECK_LT(index, item_length_list_.size()); | 290 return; |
| 262 item_length_list_[index] = item_length; | |
| 263 total_size_ += item_length; | |
| 264 | 291 |
| 265 if (--pending_get_file_info_count_ == 0) | 292 if (--pending_get_file_info_count_ == 0) |
| 266 DidCountSize(net::OK); | 293 DidCountSize(net::OK); |
| 267 } | 294 } |
| 268 | 295 |
| 269 void BlobURLRequestJob::Seek(int64 offset) { | 296 void BlobURLRequestJob::Seek(int64 offset) { |
| 270 // Skip the initial items that are not in the range. | 297 // Skip the initial items that are not in the range. |
| 271 for (current_item_index_ = 0; | 298 for (current_item_index_ = 0; |
| 272 current_item_index_ < blob_data_->items().size() && | 299 current_item_index_ < blob_data_->items().size() && |
| 273 offset >= item_length_list_[current_item_index_]; | 300 offset >= item_length_list_[current_item_index_]; |
| (...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 413 } | 440 } |
| 414 } | 441 } |
| 415 | 442 |
| 416 int BlobURLRequestJob::BytesReadCompleted() { | 443 int BlobURLRequestJob::BytesReadCompleted() { |
| 417 int bytes_read = read_buf_->BytesConsumed(); | 444 int bytes_read = read_buf_->BytesConsumed(); |
| 418 read_buf_ = NULL; | 445 read_buf_ = NULL; |
| 419 return bytes_read; | 446 return bytes_read; |
| 420 } | 447 } |
| 421 | 448 |
| 422 int BlobURLRequestJob::ComputeBytesToRead() const { | 449 int BlobURLRequestJob::ComputeBytesToRead() const { |
| 423 int64 current_item_remaining_bytes = | 450 int64 current_item_length = item_length_list_[current_item_index_]; |
| 424 item_length_list_[current_item_index_] - current_item_offset_; | |
| 425 int64 remaining_bytes = std::min(current_item_remaining_bytes, | |
| 426 remaining_bytes_); | |
| 427 | 451 |
| 428 return static_cast<int>(std::min( | 452 int64 item_remaining = current_item_length - current_item_offset_; |
| 429 static_cast<int64>(read_buf_->BytesRemaining()), | 453 int64 buf_remaining = read_buf_->BytesRemaining(); |
| 430 remaining_bytes)); | 454 int64 max_remaining = std::numeric_limits<int>::max(); |
| 455 |
| 456 int64 min = std::min(std::min(std::min(item_remaining, |
| 457 buf_remaining), |
| 458 remaining_bytes_), |
| 459 max_remaining); |
| 460 |
| 461 return static_cast<int>(min); |
| 431 } | 462 } |
| 432 | 463 |
| 433 bool BlobURLRequestJob::ReadLoop(int* bytes_read) { | 464 bool BlobURLRequestJob::ReadLoop(int* bytes_read) { |
| 434 // Read until we encounter an error or could not get the data immediately. | 465 // Read until we encounter an error or could not get the data immediately. |
| 435 while (remaining_bytes_ > 0 && read_buf_->BytesRemaining() > 0) { | 466 while (remaining_bytes_ > 0 && read_buf_->BytesRemaining() > 0) { |
| 436 if (!ReadItem()) | 467 if (!ReadItem()) |
| 437 return false; | 468 return false; |
| 438 } | 469 } |
| 439 | 470 |
| 440 *bytes_read = BytesReadCompleted(); | 471 *bytes_read = BytesReadCompleted(); |
| (...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... |
| 567 item.expected_modification_time()); | 598 item.expected_modification_time()); |
| 568 break; | 599 break; |
| 569 default: | 600 default: |
| 570 NOTREACHED(); | 601 NOTREACHED(); |
| 571 } | 602 } |
| 572 DCHECK(reader); | 603 DCHECK(reader); |
| 573 index_to_reader_[index] = reader; | 604 index_to_reader_[index] = reader; |
| 574 } | 605 } |
| 575 | 606 |
| 576 } // namespace webkit_blob | 607 } // namespace webkit_blob |
| OLD | NEW |
|---|
Chromium Code Reviews
Issue 12047012:
Avoid integer overflows in BlobURLRequestJob. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src