
Side by Side Diff: content/common/cursors/webcursor.cc

Issue 1498903003: Fix a overflow in WebCursorn (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years ago
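--- a/content/common/cursors/webcursor.cc
+++ b/content/common/cursors/webcursor.cc
@@ -1,10 +1,10 @@
 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/common/cursors/webcursor.h"
 
 #include "base/logging.h"
 #include "base/pickle.h"
 #include "third_party/WebKit/public/platform/WebImage.h"
 
@@ -105,22 +105,26 @@
 size_x / scale > kMaxCursorDimension ||
 size_y / scale > kMaxCursorDimension)
 return false;
 
 type_ = type;
 
 if (type == WebCursorInfo::TypeCustom) {
 if (size_x > 0 && size_y > 0) {
 // The * 4 is because the expected format is an array of RGBA pixel
 // values.
-if (size_x * size_y * 4 > data_len)
+if (size_x * size_y * 4 != data_len) {
+LOG(WARNING) << "WebCursor's data length and image size mismatch: "
+<< size_x << "x" << size_y << "x4 != "
+<< data_len;
 return false;
+}
 
 hotspot_.set_x(hotspot_x);
 hotspot_.set_y(hotspot_y);
 custom_size_.set_width(size_x);
 custom_size_.set_height(size_y);
 custom_scale_ = scale;
 ClampHotspot();
 
 custom_data_.clear();
 if (data_len > 0) {
@@ -258,10 +262,10 @@
 return;
 
 // Clamp the hotspot to the custom image's dimensions.
 hotspot_.set_x(std::max(0,
 std::min(custom_size_.width() - 1, hotspot_.x())));
 hotspot_.set_y(std::max(0,
 std::min(custom_size_.height() - 1, hotspot_.y())));
 }
 
 } // namespace content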
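Review bot: The new equality check at new line 115 still evaluates `size_x * size_y * 4` in the operands' own type, so if these are 32-bit `int`s (their declarations are outside the displayed lines) a large enough pair can overflow and the wrapped product may compare equal to `data_len`. The guard at new lines 105-106 only bounds `size_x / scale` and `size_y / scale`, which leaves the raw dimensions as large as `kMaxCursorDimension * scale`; whether `scale` is itself bounded cannot be seen here. The enclosing function starts above the displayed lines and, judging by the `base/pickle.h` include, presumably parses serialized cursor data, so I would widen before multiplying, e.g. `if (static_cast<int64_t>(size_x) * size_y * 4 != data_len) {`, or use a checked-arithmetic helper so the overflow case is rejected explicitly.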