Side by Side Diff: content/browser/frame_host/navigation_controller_impl.cc

Issue 1272453002: Fix NavController buffer overflow found by IPC fuzzer. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 4 months ago
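--- a/content/browser/frame_host/navigation_controller_impl.cc
+++ b/content/browser/frame_host/navigation_controller_impl.cc
@@ -1,10 +1,10 @@
 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 /*
 * Copyright (C) 2006, 2007, 2008, 2009 Apple Inc. All rights reserved.
 * Copyright (C) 2008 Nokia Corporation and/or its subsidiary(-ies)
 * Copyright (C) 2008, 2009 Torch Mobile Inc. All rights reserved.
 * (http://www.torchmobile.com/)
 *
@@ -1620,35 +1620,37 @@
 // then the renderer navigated on its own, independent of the pending entry,
 // so don't copy anything.
 if (pending_entry_ && pending_entry_index_ == -1)
 entry->set_unique_id(pending_entry_->GetUniqueID());
 
 DiscardNonCommittedEntriesInternal();
 
 int current_size = static_cast<int>(entries_.size());
 
 // When replacing, don't prune the forward history.
-if (replace) {
-DCHECK_GT(current_size, 0);
+if (replace && current_size > 0) {
 int32 page_id = entry->GetPageID();
 
 // ScopedVectors don't automatically delete the replaced value, so make sure
 // the previous value gets deleted.
 scoped_ptr<NavigationEntryImpl> old_entry(
 entries_[last_committed_entry_index_]);
 entries_[last_committed_entry_index_] = entry.release();
 
 // This is a new page ID, so we need everybody to know about it.
 delegate_->UpdateMaxPageID(page_id);
 return;
 }
 
+// We shouldn't see replace == true when there's no committed entries.
+DCHECK(!replace);
+
 if (current_size > 0) {
 // Prune any entries which are in front of the current entry.
 // last_committed_entry_index_ must be updated here since calls to
 // NotifyPrunedEntries() below may re-enter and we must make sure
 // last_committed_entry_index_ is not left in an invalid state.
 int num_pruned = 0;
 while (last_committed_entry_index_ < (current_size - 1)) {
 num_pruned++;
 entries_.pop_back();
 current_size--;
@@ -1982,10 +1984,10 @@
 }
 }
 }
 
 void NavigationControllerImpl::SetGetTimestampCallbackForTest(
 const base::Callback<base::Time()>& get_timestamp_callback) {
 get_timestamp_callback_ = get_timestamp_callback;
 }
 
 } // namespace content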
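Review bot: The new guard on the replace branch (new line 1630) tests entries_.size(), but the value actually indexed a few lines later is last_committed_entry_index_, and a non-empty entries_ does not by itself show that index is within range; guarding what is indexed would make the bound self-evident, e.g. `if (replace && last_committed_entry_index_ >= 0 && last_committed_entry_index_ < current_size) {` (this presumes the index is -1 before anything has committed, as pending_entry_index_ is on line 1622 — please confirm against the header). The trailing `DCHECK(!replace)` is debug-only, so in release builds a replace request arriving with no committed entry now silently falls through to the append path; that is a sensible fail-safe for renderer-supplied data, but it deserves a comment saying so, e.g. `// replace comes from the renderer; with no committed entry there is nothing to replace, so fall through and append.` The enclosing function begins and ends outside the visible lines, so whether the non-replace path below is fully covered cannot be judged from this hunk.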