Index: net/http/http_auth_handler_ntlm_portable.cc |
diff --git a/net/http/http_auth_handler_ntlm_portable.cc b/net/http/http_auth_handler_ntlm_portable.cc |
index bb65b308c05644250a3293be0e46ecd721376442..4f0204c249f72974899632c335719de7e71f74ed 100644 |
--- a/net/http/http_auth_handler_ntlm_portable.cc |
+++ b/net/http/http_auth_handler_ntlm_portable.cc |
@@ -365,11 +365,19 @@ static int ParseType2Msg(const void* in_buf, uint32_t in_len, Type2Msg* msg) { |
uint32_t offset = ReadUint32(cursor); // get offset from in_buf |
msg->target_len = 0; |
msg->target = NULL; |
- // Check the offset / length combo is in range of the input buffer, including |
- // integer overflow checking. |
- if (offset + target_len > offset && offset + target_len <= in_len) { |
- msg->target_len = target_len; |
- msg->target = ((const uint8_t*)in_buf) + offset; |
+ |
+ // Target length 0 is valid and indicates no target information. |
+ if (target_len != 0) { |
+ // Check the offset / length combo is in range of the input buffer, |
+ // including integer overflow checking. |
+ if (offset + target_len > offset && offset + target_len <= in_len) { |
+ msg->target_len = target_len; |
+ msg->target = ((const uint8_t*)in_buf) + offset; |
+ } else { |
+ // Reject a message with a non-zero target length that |
+ // would cause an overflow. |
+ return ERR_UNEXPECTED; |
+ } |
} |
// read flags |