Chromium Code Reviews Chromium Code Reviews
Issue 12047012:
Avoid integer overflows in BlobURLRequestJob. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "webkit/blob/blob_url_request_job.h" | 5 #include "webkit/blob/blob_url_request_job.h" |
| 6 | 6 |
| 7 #include <limits> | |
| 8 | |
| 7 #include "base/bind.h" | 9 #include "base/bind.h" |
| 8 #include "base/compiler_specific.h" | 10 #include "base/compiler_specific.h" |
| 9 #include "base/files/file_util_proxy.h" | 11 #include "base/files/file_util_proxy.h" |
| 10 #include "base/message_loop.h" | 12 #include "base/message_loop.h" |
| 11 #include "base/message_loop_proxy.h" | 13 #include "base/message_loop_proxy.h" |
| 12 #include "base/stl_util.h" | 14 #include "base/stl_util.h" |
| 13 #include "base/string_number_conversions.h" | 15 #include "base/string_number_conversions.h" |
| 14 #include "net/base/io_buffer.h" | 16 #include "net/base/io_buffer.h" |
| 15 #include "net/base/net_errors.h" | 17 #include "net/base/net_errors.h" |
| 16 #include "net/http/http_request_headers.h" | 18 #include "net/http/http_request_headers.h" |
| (...skipping 159 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 176 | 178 |
| 177 // If the blob data is not present, bail out. | 179 // If the blob data is not present, bail out. |
| 178 if (!blob_data_) { | 180 if (!blob_data_) { |
| 179 NotifyFailure(net::ERR_FILE_NOT_FOUND); | 181 NotifyFailure(net::ERR_FILE_NOT_FOUND); |
| 180 return; | 182 return; |
| 181 } | 183 } |
| 182 | 184 |
| 183 CountSize(); | 185 CountSize(); |
| 184 } | 186 } |
| 185 | 187 |
| 188 bool BlobURLRequestJob::AddItemLength(size_t index, int64 item_length) { | |
| 189 if (item_length > std::numeric_limits<int64>::max() - total_size_) { | |
|
michaeln
2013/01/29 20:22:43
base/basictypes.h defines some constants like this
| |
| 190 NotifyFailure(net::ERR_FAILED); | |
| 191 return false; | |
| 192 } | |
| 193 | |
| 194 // Cache the size and add it to the total size. | |
| 195 DCHECK_LT(index, item_length_list_.size()); | |
| 196 item_length_list_[index] = item_length; | |
| 197 total_size_ += item_length; | |
| 198 return true; | |
| 199 } | |
| 200 | |
| 186 void BlobURLRequestJob::CountSize() { | 201 void BlobURLRequestJob::CountSize() { |
| 187 error_ = false; | 202 error_ = false; |
| 188 pending_get_file_info_count_ = 0; | 203 pending_get_file_info_count_ = 0; |
| 189 total_size_ = 0; | 204 total_size_ = 0; |
| 190 item_length_list_.resize(blob_data_->items().size()); | 205 item_length_list_.resize(blob_data_->items().size()); |
| 191 | 206 |
| 192 for (size_t i = 0; i < blob_data_->items().size(); ++i) { | 207 for (size_t i = 0; i < blob_data_->items().size(); ++i) { |
| 193 const BlobData::Item& item = blob_data_->items().at(i); | 208 const BlobData::Item& item = blob_data_->items().at(i); |
| 194 if (IsFileType(item.type())) { | 209 if (IsFileType(item.type())) { |
| 195 ++pending_get_file_info_count_; | 210 ++pending_get_file_info_count_; |
| 196 GetFileStreamReader(i)->GetLength( | 211 GetFileStreamReader(i)->GetLength( |
| 197 base::Bind(&BlobURLRequestJob::DidGetFileItemLength, | 212 base::Bind(&BlobURLRequestJob::DidGetFileItemLength, |
| 198 weak_factory_.GetWeakPtr(), i)); | 213 weak_factory_.GetWeakPtr(), i)); |
| 199 continue; | 214 continue; |
| 200 } | 215 } |
| 201 // Cache the size and add it to the total size. | 216 |
| 202 int64 item_length = static_cast<int64>(item.length()); | 217 if (!AddItemLength(i, item.length())) |
| 203 item_length_list_[i] = item_length; | 218 return; |
| 204 total_size_ += item_length; | |
| 205 } | 219 } |
| 206 | 220 |
| 207 if (pending_get_file_info_count_ == 0) | 221 if (pending_get_file_info_count_ == 0) |
| 208 DidCountSize(net::OK); | 222 DidCountSize(net::OK); |
| 209 } | 223 } |
| 210 | 224 |
| 211 void BlobURLRequestJob::DidCountSize(int error) { | 225 void BlobURLRequestJob::DidCountSize(int error) { |
| 212 DCHECK(!error_); | 226 DCHECK(!error_); |
| 213 | 227 |
| 214 // If an error occured, bail out. | 228 // If an error occured, bail out. |
| (...skipping 29 matching lines...) Expand all Loading... | |
| 244 return; | 258 return; |
| 245 } else if (result < 0) { | 259 } else if (result < 0) { |
| 246 NotifyFailure(result); | 260 NotifyFailure(result); |
| 247 return; | 261 return; |
| 248 } | 262 } |
| 249 | 263 |
| 250 DCHECK_LT(index, blob_data_->items().size()); | 264 DCHECK_LT(index, blob_data_->items().size()); |
| 251 const BlobData::Item& item = blob_data_->items().at(index); | 265 const BlobData::Item& item = blob_data_->items().at(index); |
| 252 DCHECK(IsFileType(item.type())); | 266 DCHECK(IsFileType(item.type())); |
| 253 | 267 |
| 268 uint64 file_length = result; | |
| 269 uint64 item_offset = item.offset(); | |
| 270 uint64 item_length = item.length(); | |
| 271 | |
| 272 if (item_offset > file_length) { | |
| 273 NotifyFailure(net::ERR_FILE_NOT_FOUND); | |
| 274 return; | |
| 275 } | |
| 276 | |
| 277 uint64 max_length = file_length - item_offset; | |
| 278 | |
| 254 // If item length is -1, we need to use the file size being resolved | 279 // If item length is -1, we need to use the file size being resolved |
| 255 // in the real time. | 280 // in the real time. |
| 256 int64 item_length = static_cast<int64>(item.length()); | 281 if (item_length == static_cast<uint64>(-1)) { |
| 257 if (item_length == -1) | 282 item_length = max_length; |
| 258 item_length = result - item.offset(); | 283 } else if (item_length > max_length) { |
| 284 NotifyFailure(net::ERR_FILE_NOT_FOUND); | |
| 285 return; | |
| 286 } | |
| 259 | 287 |
| 260 // Cache the size and add it to the total size. | 288 if (!AddItemLength(index, item_length)) |
| 261 DCHECK_LT(index, item_length_list_.size()); | 289 return; |
| 262 item_length_list_[index] = item_length; | |
| 263 total_size_ += item_length; | |
| 264 | 290 |
| 265 if (--pending_get_file_info_count_ == 0) | 291 if (--pending_get_file_info_count_ == 0) |
| 266 DidCountSize(net::OK); | 292 DidCountSize(net::OK); |
| 267 } | 293 } |
| 268 | 294 |
| 269 void BlobURLRequestJob::Seek(int64 offset) { | 295 void BlobURLRequestJob::Seek(int64 offset) { |
| 270 // Skip the initial items that are not in the range. | 296 // Skip the initial items that are not in the range. |
| 271 for (current_item_index_ = 0; | 297 for (current_item_index_ = 0; |
| 272 current_item_index_ < blob_data_->items().size() && | 298 current_item_index_ < blob_data_->items().size() && |
| 273 offset >= item_length_list_[current_item_index_]; | 299 offset >= item_length_list_[current_item_index_]; |
| (...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 413 } | 439 } |
| 414 } | 440 } |
| 415 | 441 |
| 416 int BlobURLRequestJob::BytesReadCompleted() { | 442 int BlobURLRequestJob::BytesReadCompleted() { |
| 417 int bytes_read = read_buf_->BytesConsumed(); | 443 int bytes_read = read_buf_->BytesConsumed(); |
| 418 read_buf_ = NULL; | 444 read_buf_ = NULL; |
| 419 return bytes_read; | 445 return bytes_read; |
| 420 } | 446 } |
| 421 | 447 |
| 422 int BlobURLRequestJob::ComputeBytesToRead() const { | 448 int BlobURLRequestJob::ComputeBytesToRead() const { |
| 423 int64 current_item_remaining_bytes = | 449 int64 current_item_length = item_length_list_[current_item_index_]; |
| 424 item_length_list_[current_item_index_] - current_item_offset_; | |
| 425 int64 remaining_bytes = std::min(current_item_remaining_bytes, | |
| 426 remaining_bytes_); | |
| 427 | 450 |
| 428 return static_cast<int>(std::min( | 451 int64 item_remaining = current_item_length - current_item_offset_; |
| 429 static_cast<int64>(read_buf_->BytesRemaining()), | 452 int64 buf_remaining = read_buf_->BytesRemaining(); |
| 430 remaining_bytes)); | 453 int64 max_remaining = std::numeric_limits<int>::max(); |
| 454 | |
| 455 int64 min = std::min(std::min(std::min(item_remaining, | |
| 456 buf_remaining), | |
| 457 remaining_bytes_), | |
| 458 max_remaining); | |
| 459 | |
| 460 return static_cast<int>(min); | |
| 431 } | 461 } |
| 432 | 462 |
| 433 bool BlobURLRequestJob::ReadLoop(int* bytes_read) { | 463 bool BlobURLRequestJob::ReadLoop(int* bytes_read) { |
| 434 // Read until we encounter an error or could not get the data immediately. | 464 // Read until we encounter an error or could not get the data immediately. |
| 435 while (remaining_bytes_ > 0 && read_buf_->BytesRemaining() > 0) { | 465 while (remaining_bytes_ > 0 && read_buf_->BytesRemaining() > 0) { |
| 436 if (!ReadItem()) | 466 if (!ReadItem()) |
| 437 return false; | 467 return false; |
| 438 } | 468 } |
| 439 | 469 |
| 440 *bytes_read = BytesReadCompleted(); | 470 *bytes_read = BytesReadCompleted(); |
| (...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 567 item.expected_modification_time()); | 597 item.expected_modification_time()); |
| 568 break; | 598 break; |
| 569 default: | 599 default: |
| 570 NOTREACHED(); | 600 NOTREACHED(); |
| 571 } | 601 } |
| 572 DCHECK(reader); | 602 DCHECK(reader); |
| 573 index_to_reader_[index] = reader; | 603 index_to_reader_[index] = reader; |
| 574 } | 604 } |
| 575 | 605 |
| 576 } // namespace webkit_blob | 606 } // namespace webkit_blob |
| OLD | NEW |
