Mojo cpp bindings: More clear checks for array num_bytes and num_elements.

mojo/public/cpp/bindings/lib/array_internal.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef MOJO_PUBLIC_CPP_BINDINGS_LIB_ARRAY_INTERNAL_H_
 #define MOJO_PUBLIC_CPP_BINDINGS_LIB_ARRAY_INTERNAL_H_
 
 #include <new>
 #include <vector>
 
 #include "mojo/public/c/system/macros.h"
 #include "mojo/public/cpp/bindings/lib/bindings_internal.h"
 #include "mojo/public/cpp/bindings/lib/bindings_serialization.h"
 #include "mojo/public/cpp/bindings/lib/bounds_checker.h"
 #include "mojo/public/cpp/bindings/lib/buffer.h"
 #include "mojo/public/cpp/bindings/lib/template_util.h"
 #include "mojo/public/cpp/bindings/lib/validation_errors.h"
 #include "mojo/public/cpp/environment/logging.h"
 
 namespace mojo {
 template <typename T> class Array;
 class String;
 
 namespace internal {
 
+// std::numeric_limits<uint32_t>::max() is not a compile-time constant (until
+// C++11).
+const uint32_t kMaxUint32 = 0xFFFFFFFF;
+
 template <typename T>
 struct ArrayDataTraits {
   typedef T StorageType;
   typedef T& Ref;
   typedef T const& ConstRef;
 
-  static size_t GetStorageSize(size_t num_elements) {
-    return sizeof(StorageType) * num_elements;
+  static const uint32_t kMaxNumElements =
+      (kMaxUint32 - sizeof(ArrayHeader)) / sizeof(StorageType);
+
+  static uint32_t GetStorageSize(uint32_t num_elements) {
+    MOJO_DCHECK(num_elements <= kMaxNumElements);
+    return sizeof(ArrayHeader) + sizeof(StorageType) * num_elements;
   }
   static Ref ToRef(StorageType* storage, size_t offset) {
     return storage[offset];
   }
   static ConstRef ToConstRef(const StorageType* storage, size_t offset) {
     return storage[offset];
   }
 };
 
 template <typename P>
 struct ArrayDataTraits<P*> {
   typedef StructPointer<P> StorageType;
   typedef P*& Ref;
   typedef P* const& ConstRef;
 
-  static size_t GetStorageSize(size_t num_elements) {
-    return sizeof(StorageType) * num_elements;
+  static const uint32_t kMaxNumElements =
+      (kMaxUint32 - sizeof(ArrayHeader)) / sizeof(StorageType);
+
+  static uint32_t GetStorageSize(uint32_t num_elements) {
+    MOJO_DCHECK(num_elements <= kMaxNumElements);
+    return sizeof(ArrayHeader) + sizeof(StorageType) * num_elements;
   }
   static Ref ToRef(StorageType* storage, size_t offset) {
     return storage[offset].ptr;
   }
   static ConstRef ToConstRef(const StorageType* storage, size_t offset) {
     return storage[offset].ptr;
   }
 };
 
 template <typename T>
 struct ArrayDataTraits<Array_Data<T>*> {
   typedef ArrayPointer<T> StorageType;
   typedef Array_Data<T>*& Ref;
   typedef Array_Data<T>* const& ConstRef;
 
-  static size_t GetStorageSize(size_t num_elements) {
-    return sizeof(StorageType) * num_elements;
+  static const uint32_t kMaxNumElements =
+      (kMaxUint32 - sizeof(ArrayHeader)) / sizeof(StorageType);
+
+  static uint32_t GetStorageSize(uint32_t num_elements) {
+    MOJO_DCHECK(num_elements <= kMaxNumElements);
+    return sizeof(ArrayHeader) + sizeof(StorageType) * num_elements;
   }
   static Ref ToRef(StorageType* storage, size_t offset) {
     return storage[offset].ptr;
   }
   static ConstRef ToConstRef(const StorageType* storage, size_t offset) {
     return storage[offset].ptr;
   }
 };
 
 // Specialization of Arrays for bools, optimized for space. It has the
@@ skipping 12 matching lines @@
     BitRef& operator=(const BitRef& value);
     operator bool() const;
    private:
     friend struct ArrayDataTraits<bool>;
     BitRef(uint8_t* storage, uint8_t mask);
     BitRef();
     uint8_t* storage_;
     uint8_t mask_;
   };
 
+  // Because each element consumes only 1/8 byte.
+  static const uint32_t kMaxNumElements = kMaxUint32;
+
   typedef uint8_t StorageType;
   typedef BitRef Ref;
   typedef bool ConstRef;
 
-  static size_t GetStorageSize(size_t num_elements) {
-    return ((num_elements + 7) / 8);
+  static uint32_t GetStorageSize(uint32_t num_elements) {
+    return sizeof(ArrayHeader) + ((num_elements + 7) / 8);
   }
   static BitRef ToRef(StorageType* storage, size_t offset) {
     return BitRef(&storage[offset / 8], 1 << (offset % 8));
   }
   static bool ToConstRef(const StorageType* storage, size_t offset) {
     return (storage[offset / 8] & (1 << (offset % 8))) != 0;
   }
 };
 
 // Array type information needed for valdiation.
@@ skipping 175 matching lines @@
 
 template <typename T>
 class Array_Data {
  public:
   typedef ArrayDataTraits<T> Traits;
   typedef typename Traits::StorageType StorageType;
   typedef typename Traits::Ref Ref;
   typedef typename Traits::ConstRef ConstRef;
   typedef ArraySerializationHelper<T, IsHandle<T>::value> Helper;
 
+  // Returns NULL if |num_elements| or the corresponding storage size cannot be
+  // stored in uint32_t.
   static Array_Data<T>* New(size_t num_elements, Buffer* buf) {
-    size_t num_bytes = sizeof(Array_Data<T>) +
-                       Traits::GetStorageSize(num_elements);
-    return new (buf->Allocate(num_bytes)) Array_Data<T>(num_bytes,
-                                                        num_elements);
+    if (num_elements > Traits::kMaxNumElements)
+      return NULL;
+
+    uint32_t num_bytes =
+        Traits::GetStorageSize(static_cast<uint32_t>(num_elements));
+    return new (buf->Allocate(num_bytes)) Array_Data<T>(
+        num_bytes, static_cast<uint32_t>(num_elements));
   }
 
   template <typename Params>
   static bool Validate(const void* data, BoundsChecker* bounds_checker) {
     if (!data)
       return true;
     if (!IsAligned(data)) {
       ReportValidationError(VALIDATION_ERROR_MISALIGNED_OBJECT);
       return false;
     }
     if (!bounds_checker->IsValidRange(data, sizeof(ArrayHeader))) {
       ReportValidationError(VALIDATION_ERROR_ILLEGAL_MEMORY_RANGE);
       return false;
     }
     const ArrayHeader* header = static_cast<const ArrayHeader*>(data);
-    if (header->num_bytes < (sizeof(Array_Data<T>) +
-                             Traits::GetStorageSize(header->num_elements))) {
+    if (header->num_elements > Traits::kMaxNumElements ||
+        header->num_bytes < Traits::GetStorageSize(header->num_elements)) {
       ReportValidationError(VALIDATION_ERROR_UNEXPECTED_ARRAY_HEADER);
       return false;
     }
     if (Params::expected_num_elements != 0 &&
         header->num_elements != Params::expected_num_elements) {
       ReportValidationError(VALIDATION_ERROR_UNEXPECTED_ARRAY_HEADER);
       return false;
     }
     if (!bounds_checker->ClaimMemory(data, header->num_bytes)) {
       ReportValidationError(VALIDATION_ERROR_ILLEGAL_MEMORY_RANGE);
@@ skipping 30 matching lines @@
 
   void EncodePointersAndHandles(std::vector<Handle>* handles) {
     Helper::EncodePointersAndHandles(&header_, storage(), handles);
   }
 
   void DecodePointersAndHandles(std::vector<Handle>* handles) {
     Helper::DecodePointersAndHandles(&header_, storage(), handles);
   }
 
  private:
-  Array_Data(size_t num_bytes, size_t num_elements) {
-    header_.num_bytes = static_cast<uint32_t>(num_bytes);
-    header_.num_elements = static_cast<uint32_t>(num_elements);
+  Array_Data(uint32_t num_bytes, uint32_t num_elements) {
+    header_.num_bytes = num_bytes;
+    header_.num_elements = num_elements;
   }
   ~Array_Data() {}
 
   internal::ArrayHeader header_;
 
   // Elements of type internal::ArrayDataTraits<T>::StorageType follow.
 };
 MOJO_COMPILE_ASSERT(sizeof(Array_Data<char>) == 8, bad_sizeof_Array_Data);
 
 // UTF-8 encoded
@@ skipping 73 matching lines @@
 };
 
 template <> struct WrapperTraits<String, false> {
   typedef String_Data* DataType;
 };
 
 }  // namespace internal
 }  // namespace mojo
 
 #endif  // MOJO_PUBLIC_CPP_BINDINGS_LIB_ARRAY_INTERNAL_H_