Properly handle zero-sized fields in the PReg parser.

chrome/browser/policy/preg_parser_win.cc

Index: chrome/browser/policy/preg_parser_win.cc
diff --git a/chrome/browser/policy/preg_parser_win.cc b/chrome/browser/policy/preg_parser_win.cc
index 0351dac5dac51d4c5feba155fad326efd5cd2fd4..cd855d3dda0496551d776e0f22b48038ead4b45d 100644
--- a/chrome/browser/policy/preg_parser_win.cc
+++ b/chrome/browser/policy/preg_parser_win.cc
@@ -64,12 +64,13 @@ int NextChar(const uint8** cursor, const uint8* end) {
 // Reads a fixed-size field from a PReg file.
 bool ReadFieldBinary(const uint8** cursor,
                      const uint8* end,
-                     int size,
+                     uint32 size,
                      uint8* data) {
-  if (!size)
-    return false;
+  if (size == 0)
+    return true;
+
   const uint8* field_end = *cursor + size;
-  if (field_end > end)
+  if (field_end <= *cursor || field_end > end)

[Joao da Silva, 2013/09/13 14:18:07]

if this accepted "field_end == *cursor" then it wouldn't be necessary to special
case "size == 0".

[Mattias Nissler (ping if slow), 2013/09/13 14:40:24]

The size == 0 check is here to handle the case of callers passing size = 0, data
= NULL gracefully. We can't forward data = NULL to std::copy as this triggers
asserts in the standard library.

     return false;
   std::copy(*cursor, field_end, data);
   *cursor = field_end;