Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(116)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 2834893002: Ensure ClipboardWin::ReadHTML does not crash on embedded nulls (Closed)

Created:
3 years, 8 months ago by elawrence
Modified:
3 years, 7 months ago
Reviewers:
dcheng
CC:
chromium-reviews, dcheng
Target Ref:
refs/heads/master
Project:
chromium
Visibility:
Public.

Description

Ensure ClipboardWin::ReadHTML does not crash on embedded nulls If the CF_HTML content on the clipboard contains a null byte, a 64-bit browser process would crash when attempting to perform a checked_cast of 0xFFFFFFFFFFFFFFFF (string::npos) to uint32_t. This change avoids the crash by ensuring that the offset remains within the length of the data. BUG=607181 Review-Url: https://codereview.chromium.org/2834893002 Cr-Commit-Position: refs/heads/master@{#467350} Committed: https://chromium.googlesource.com/chromium/src/+/d2338b606d6536d20975a601c197d3e2ee3cec0e

Patch Set 1 #

Total comments: 4

Patch Set 2 : Ensure start_fragment is appropriate #

Total comments: 2

Patch Set 3 : Fix off-by-one #

Total comments: 2

Patch Set 4 : Simplify #

Patch Set 5 : Be smarter #

Unified diffs Side-by-side diffs Delta from patch set Stats (+4 lines, -2 lines) Patch
M ui/base/clipboard/clipboard_win.cc View 1 2 3 4 1 chunk +4 lines, -2 lines 0 comments Download

Messages

Total messages: 18 (8 generated)
elawrence
PTAL?
3 years, 8 months ago (2017-04-21 20:42:43 UTC) #4
dcheng
https://codereview.chromium.org/2834893002/diff/1/ui/base/clipboard/clipboard_win.cc File ui/base/clipboard/clipboard_win.cc (right): https://codereview.chromium.org/2834893002/diff/1/ui/base/clipboard/clipboard_win.cc#newcode575 ui/base/clipboard/clipboard_win.cc:575: base::checked_cast<uint32_t>(std::min(offsets[1], markup->length())); Should we do this for offsets[0] as ...
3 years, 8 months ago (2017-04-22 08:25:25 UTC) #7
elawrence
https://codereview.chromium.org/2834893002/diff/1/ui/base/clipboard/clipboard_win.cc File ui/base/clipboard/clipboard_win.cc (right): https://codereview.chromium.org/2834893002/diff/1/ui/base/clipboard/clipboard_win.cc#newcode575 ui/base/clipboard/clipboard_win.cc:575: base::checked_cast<uint32_t>(std::min(offsets[1], markup->length())); On 2017/04/22 08:25:25, dcheng (OOO through May ...
3 years, 7 months ago (2017-04-25 16:20:19 UTC) #8
dcheng
https://codereview.chromium.org/2834893002/diff/1/ui/base/clipboard/clipboard_win.cc File ui/base/clipboard/clipboard_win.cc (right): https://codereview.chromium.org/2834893002/diff/1/ui/base/clipboard/clipboard_win.cc#newcode575 ui/base/clipboard/clipboard_win.cc:575: base::checked_cast<uint32_t>(std::min(offsets[1], markup->length())); On 2017/04/25 16:20:19, elawrence wrote: > On ...
3 years, 7 months ago (2017-04-26 00:42:09 UTC) #9
elawrence
https://codereview.chromium.org/2834893002/diff/1/ui/base/clipboard/clipboard_win.cc File ui/base/clipboard/clipboard_win.cc (right): https://codereview.chromium.org/2834893002/diff/1/ui/base/clipboard/clipboard_win.cc#newcode575 ui/base/clipboard/clipboard_win.cc:575: base::checked_cast<uint32_t>(std::min(offsets[1], markup->length())); On 2017/04/26 00:42:08, dcheng (OOO through May ...
3 years, 7 months ago (2017-04-26 15:11:22 UTC) #10
dcheng
lgtm https://codereview.chromium.org/2834893002/diff/40001/ui/base/clipboard/clipboard_win.cc File ui/base/clipboard/clipboard_win.cc (right): https://codereview.chromium.org/2834893002/diff/40001/ui/base/clipboard/clipboard_win.cc#newcode577 ui/base/clipboard/clipboard_win.cc:577: base::checked_cast<uint32_t>(std::min(offsets[0], markup_end))); Nit: I think that if one ...
3 years, 7 months ago (2017-04-26 15:19:10 UTC) #11
elawrence
https://codereview.chromium.org/2834893002/diff/40001/ui/base/clipboard/clipboard_win.cc File ui/base/clipboard/clipboard_win.cc (right): https://codereview.chromium.org/2834893002/diff/40001/ui/base/clipboard/clipboard_win.cc#newcode577 ui/base/clipboard/clipboard_win.cc:577: base::checked_cast<uint32_t>(std::min(offsets[0], markup_end))); On 2017/04/26 15:19:10, dcheng (OOO through May ...
3 years, 7 months ago (2017-04-26 15:33:45 UTC) #12
dcheng
still lgtm
3 years, 7 months ago (2017-04-26 15:44:44 UTC) #13
commit-bot: I haz the power
CQ is trying da patch. Follow status at: https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.org/2834893002/80001
3 years, 7 months ago (2017-04-26 15:47:37 UTC) #15
commit-bot: I haz the power
3 years, 7 months ago (2017-04-26 16:57:53 UTC) #18
Message was sent while issue was closed. 
Committed patchset #5 (id:80001) as
https://chromium.googlesource.com/chromium/src/+/d2338b606d6536d20975a601c197...

Powered by Google App Engine
This is Rietveld 408576698