Chromium Code Reviews Chromium Code Reviews
Issue 12047012:
Avoid integer overflows in BlobURLRequestJob. (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 #include "webkit/blob/blob_url_request_job.h" | 5 #include "webkit/blob/blob_url_request_job.h" |
| 6 | 6 |
| 7 #include <limits> | |
| 8 | |
| 7 #include "base/bind.h" | 9 #include "base/bind.h" |
| 8 #include "base/compiler_specific.h" | 10 #include "base/compiler_specific.h" |
| 9 #include "base/file_util_proxy.h" | 11 #include "base/file_util_proxy.h" |
| 10 #include "base/message_loop.h" | 12 #include "base/message_loop.h" |
| 11 #include "base/message_loop_proxy.h" | 13 #include "base/message_loop_proxy.h" |
| 12 #include "base/stl_util.h" | 14 #include "base/stl_util.h" |
| 13 #include "base/string_number_conversions.h" | 15 #include "base/string_number_conversions.h" |
| 14 #include "net/base/io_buffer.h" | 16 #include "net/base/io_buffer.h" |
| 15 #include "net/base/net_errors.h" | 17 #include "net/base/net_errors.h" |
| 16 #include "net/http/http_request_headers.h" | 18 #include "net/http/http_request_headers.h" |
| (...skipping 22 matching lines...) Expand all Loading... | |
| 39 | 41 |
| 40 const char kHTTPOKText[] = "OK"; | 42 const char kHTTPOKText[] = "OK"; |
| 41 const char kHTTPPartialContentText[] = "Partial Content"; | 43 const char kHTTPPartialContentText[] = "Partial Content"; |
| 42 const char kHTTPNotAllowedText[] = "Not Allowed"; | 44 const char kHTTPNotAllowedText[] = "Not Allowed"; |
| 43 const char kHTTPNotFoundText[] = "Not Found"; | 45 const char kHTTPNotFoundText[] = "Not Found"; |
| 44 const char kHTTPMethodNotAllowText[] = "Method Not Allowed"; | 46 const char kHTTPMethodNotAllowText[] = "Method Not Allowed"; |
| 45 const char kHTTPRequestedRangeNotSatisfiableText[] = | 47 const char kHTTPRequestedRangeNotSatisfiableText[] = |
| 46 "Requested Range Not Satisfiable"; | 48 "Requested Range Not Satisfiable"; |
| 47 const char kHTTPInternalErrorText[] = "Internal Server Error"; | 49 const char kHTTPInternalErrorText[] = "Internal Server Error"; |
| 48 | 50 |
| 51 const int64 kMaxTotalSize = std::numeric_limits<int64>::max(); | |
| 52 | |
| 49 bool IsFileType(BlobData::Item::Type type) { | 53 bool IsFileType(BlobData::Item::Type type) { |
| 50 switch (type) { | 54 switch (type) { |
| 51 case BlobData::Item::TYPE_FILE: | 55 case BlobData::Item::TYPE_FILE: |
| 52 case BlobData::Item::TYPE_FILE_FILESYSTEM: | 56 case BlobData::Item::TYPE_FILE_FILESYSTEM: |
| 53 return true; | 57 return true; |
| 54 default: | 58 default: |
| 55 return false; | 59 return false; |
| 56 } | 60 } |
| 57 } | 61 } |
| 58 | 62 |
| (...skipping 117 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 176 | 180 |
| 177 // If the blob data is not present, bail out. | 181 // If the blob data is not present, bail out. |
| 178 if (!blob_data_) { | 182 if (!blob_data_) { |
| 179 NotifyFailure(net::ERR_FILE_NOT_FOUND); | 183 NotifyFailure(net::ERR_FILE_NOT_FOUND); |
| 180 return; | 184 return; |
| 181 } | 185 } |
| 182 | 186 |
| 183 CountSize(); | 187 CountSize(); |
| 184 } | 188 } |
| 185 | 189 |
| 190 bool BlobURLRequestJob::AddItemLength(size_t index, int64 item_length) { | |
| 191 bool enough_space = kMaxTotalSize - total_size_ >= item_length; | |
| 192 | |
| 193 if (enough_space) { | |
|
kinuko
2013/01/25 08:01:03
nit: it'd be simpler to just early return in false
| |
| 194 // Cache the size and add it to the total size. | |
| 195 DCHECK_LT(index, item_length_list_.size()); | |
| 196 item_length_list_[index] = item_length; | |
| 197 total_size_ += item_length; | |
| 198 } | |
| 199 else | |
| 200 NotifyFailure(net::ERR_FAILED); | |
| 201 | |
| 202 return enough_space; | |
| 203 } | |
| 204 | |
| 186 void BlobURLRequestJob::CountSize() { | 205 void BlobURLRequestJob::CountSize() { |
| 187 error_ = false; | 206 error_ = false; |
| 188 pending_get_file_info_count_ = 0; | 207 pending_get_file_info_count_ = 0; |
| 189 total_size_ = 0; | 208 total_size_ = 0; |
| 190 item_length_list_.resize(blob_data_->items().size()); | 209 item_length_list_.resize(blob_data_->items().size()); |
| 191 | 210 |
| 192 for (size_t i = 0; i < blob_data_->items().size(); ++i) { | 211 for (size_t i = 0; i < blob_data_->items().size(); ++i) { |
| 193 const BlobData::Item& item = blob_data_->items().at(i); | 212 const BlobData::Item& item = blob_data_->items().at(i); |
| 194 if (IsFileType(item.type())) { | 213 if (IsFileType(item.type())) { |
| 195 ++pending_get_file_info_count_; | 214 ++pending_get_file_info_count_; |
| 196 GetFileStreamReader(i)->GetLength( | 215 GetFileStreamReader(i)->GetLength( |
| 197 base::Bind(&BlobURLRequestJob::DidGetFileItemLength, | 216 base::Bind(&BlobURLRequestJob::DidGetFileItemLength, |
| 198 weak_factory_.GetWeakPtr(), i)); | 217 weak_factory_.GetWeakPtr(), i)); |
| 199 continue; | 218 continue; |
| 200 } | 219 } |
| 201 // Cache the size and add it to the total size. | 220 |
| 202 int64 item_length = static_cast<int64>(item.length()); | 221 if (!AddItemLength(i, item.length())) |
| 203 item_length_list_[i] = item_length; | 222 return; |
| 204 total_size_ += item_length; | |
| 205 } | 223 } |
| 206 | 224 |
| 207 if (pending_get_file_info_count_ == 0) | 225 if (pending_get_file_info_count_ == 0) |
| 208 DidCountSize(net::OK); | 226 DidCountSize(net::OK); |
| 209 } | 227 } |
| 210 | 228 |
| 211 void BlobURLRequestJob::DidCountSize(int error) { | 229 void BlobURLRequestJob::DidCountSize(int error) { |
| 212 DCHECK(!error_); | 230 DCHECK(!error_); |
| 213 | 231 |
| 214 // If an error occured, bail out. | 232 // If an error occured, bail out. |
| (...skipping 29 matching lines...) Expand all Loading... | |
| 244 return; | 262 return; |
| 245 } else if (result < 0) { | 263 } else if (result < 0) { |
| 246 NotifyFailure(result); | 264 NotifyFailure(result); |
| 247 return; | 265 return; |
| 248 } | 266 } |
| 249 | 267 |
| 250 DCHECK_LT(index, blob_data_->items().size()); | 268 DCHECK_LT(index, blob_data_->items().size()); |
| 251 const BlobData::Item& item = blob_data_->items().at(index); | 269 const BlobData::Item& item = blob_data_->items().at(index); |
| 252 DCHECK(IsFileType(item.type())); | 270 DCHECK(IsFileType(item.type())); |
| 253 | 271 |
| 272 uint64 file_length = result; | |
| 273 uint64 item_offset = item.offset(); | |
| 274 uint64 item_length = item.length(); | |
| 275 | |
| 276 if (item_offset > file_length) { | |
| 277 NotifyFailure(net::ERR_FILE_NOT_FOUND); | |
| 278 return; | |
| 279 } | |
| 280 | |
| 281 uint64 max_length = file_length - item_offset; | |
| 282 | |
| 254 // If item length is -1, we need to use the file size being resolved | 283 // If item length is -1, we need to use the file size being resolved |
| 255 // in the real time. | 284 // in the real time. |
| 256 int64 item_length = static_cast<int64>(item.length()); | 285 if (item_length == static_cast<uint64>(-1)) |
|
kinuko
2013/01/25 08:01:03
nit: to be consistent in all if/else clauses pleas
| |
| 257 if (item_length == -1) | 286 item_length = max_length; |
| 258 item_length = result - item.offset(); | 287 else if (item_length > max_length) { |
| 288 NotifyFailure(net::ERR_FILE_NOT_FOUND); | |
| 289 return; | |
| 290 } | |
| 259 | 291 |
| 260 // Cache the size and add it to the total size. | 292 if (!AddItemLength(index, item_length)) |
| 261 DCHECK_LT(index, item_length_list_.size()); | 293 return; |
| 262 item_length_list_[index] = item_length; | |
| 263 total_size_ += item_length; | |
| 264 | 294 |
| 265 if (--pending_get_file_info_count_ == 0) | 295 if (--pending_get_file_info_count_ == 0) |
| 266 DidCountSize(net::OK); | 296 DidCountSize(net::OK); |
| 267 } | 297 } |
| 268 | 298 |
| 269 void BlobURLRequestJob::Seek(int64 offset) { | 299 void BlobURLRequestJob::Seek(int64 offset) { |
| 270 // Skip the initial items that are not in the range. | 300 // Skip the initial items that are not in the range. |
| 271 for (current_item_index_ = 0; | 301 for (current_item_index_ = 0; |
| 272 current_item_index_ < blob_data_->items().size() && | 302 current_item_index_ < blob_data_->items().size() && |
| 273 offset >= item_length_list_[current_item_index_]; | 303 offset >= item_length_list_[current_item_index_]; |
| (...skipping 139 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 413 } | 443 } |
| 414 } | 444 } |
| 415 | 445 |
| 416 int BlobURLRequestJob::BytesReadCompleted() { | 446 int BlobURLRequestJob::BytesReadCompleted() { |
| 417 int bytes_read = read_buf_->BytesConsumed(); | 447 int bytes_read = read_buf_->BytesConsumed(); |
| 418 read_buf_ = NULL; | 448 read_buf_ = NULL; |
| 419 return bytes_read; | 449 return bytes_read; |
| 420 } | 450 } |
| 421 | 451 |
| 422 int BlobURLRequestJob::ComputeBytesToRead() const { | 452 int BlobURLRequestJob::ComputeBytesToRead() const { |
| 423 int64 current_item_remaining_bytes = | 453 int64 current_item_length = item_length_list_[current_item_index_]; |
| 424 item_length_list_[current_item_index_] - current_item_offset_; | |
| 425 int64 remaining_bytes = std::min(current_item_remaining_bytes, | |
| 426 remaining_bytes_); | |
| 427 | 454 |
| 428 return static_cast<int>(std::min( | 455 int64 item_remaining = current_item_length - current_item_offset_; |
| 429 static_cast<int64>(read_buf_->BytesRemaining()), | 456 int64 buf_remaining = read_buf_->BytesRemaining(); |
| 430 remaining_bytes)); | 457 int64 max_remaining = std::numeric_limits<int>::max(); |
| 458 | |
| 459 int64 min = std::min(std::min(std::min(item_remaining, | |
| 460 buf_remaining), | |
| 461 remaining_bytes_), | |
| 462 max_remaining); | |
| 463 | |
| 464 return static_cast<int>(min); | |
| 431 } | 465 } |
| 432 | 466 |
| 433 bool BlobURLRequestJob::ReadLoop(int* bytes_read) { | 467 bool BlobURLRequestJob::ReadLoop(int* bytes_read) { |
| 434 // Read until we encounter an error or could not get the data immediately. | 468 // Read until we encounter an error or could not get the data immediately. |
| 435 while (remaining_bytes_ > 0 && read_buf_->BytesRemaining() > 0) { | 469 while (remaining_bytes_ > 0 && read_buf_->BytesRemaining() > 0) { |
| 436 if (!ReadItem()) | 470 if (!ReadItem()) |
| 437 return false; | 471 return false; |
| 438 } | 472 } |
| 439 | 473 |
| 440 *bytes_read = BytesReadCompleted(); | 474 *bytes_read = BytesReadCompleted(); |
| (...skipping 126 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 567 item.expected_modification_time()); | 601 item.expected_modification_time()); |
| 568 break; | 602 break; |
| 569 default: | 603 default: |
| 570 NOTREACHED(); | 604 NOTREACHED(); |
| 571 } | 605 } |
| 572 DCHECK(reader); | 606 DCHECK(reader); |
| 573 index_to_reader_[index] = reader; | 607 index_to_reader_[index] = reader; |
| 574 } | 608 } |
| 575 | 609 |
| 576 } // namespace webkit_blob | 610 } // namespace webkit_blob |
| OLD | NEW |
