Chromium Code Reviews
|
|
Chromium Code Reviews
Issue
644463002:
Zeroes buffer for DocumentProperti (Closed)
|
Created:
6 years, 2 months ago by Vitaly Buka (NO REVIEWS) Modified:
6 years, 2 months ago Reviewers:
Lei Zhang CC:
chromium-reviews Base URL:
https://chromium.googlesource.com/chromium/src.git@master Project:
chromium Visibility:
Public. |
DescriptionZeroes buffer for DocumentProperties.
Suspecting that driver does not reset dmDriverExtra.
BUG=421402
Committed: https://crrev.com/f16d34bbc32d79d739bd2e151552e5229de5e3c1
Cr-Commit-Position: refs/heads/master@{#298760}
Patch Set 1 #
Total comments: 6
Patch Set 2 : Wed Oct 8 13:17:15 PDT 2014 #Messages
Total messages: 15 (6 generated)
vitalybuka@chromium.org changed reviewers: + thestig@chromium.org
https://codereview.chromium.org/644463002/diff/1/printing/backend/win_helper.cc File printing/backend/win_helper.cc (right): https://codereview.chromium.org/644463002/diff/1/printing/backend/win_helper.... printing/backend/win_helper.cc:481: memset(out.get(), 0, buffer_size); Just calloc() instead? https://codereview.chromium.org/644463002/diff/1/printing/backend/win_helper.... printing/backend/win_helper.cc:490: CHECK_GE(buffer_size, size + extra_size); Do we care if size + extra_size overflows?
https://codereview.chromium.org/644463002/diff/1/printing/backend/win_helper.cc File printing/backend/win_helper.cc (right): https://codereview.chromium.org/644463002/diff/1/printing/backend/win_helper.... printing/backend/win_helper.cc:481: memset(out.get(), 0, buffer_size); On 2014/10/08 20:11:34, Lei Zhang wrote: > Just calloc() instead? Done. https://codereview.chromium.org/644463002/diff/1/printing/backend/win_helper.... printing/backend/win_helper.cc:490: CHECK_GE(buffer_size, size + extra_size); On 2014/10/08 20:11:34, Lei Zhang wrote: > Do we care if size + extra_size overflows? Done.
lgtm https://codereview.chromium.org/644463002/diff/1/printing/backend/win_helper.cc File printing/backend/win_helper.cc (right): https://codereview.chromium.org/644463002/diff/1/printing/backend/win_helper.... printing/backend/win_helper.cc:490: CHECK_GE(buffer_size, size + extra_size); On 2014/10/08 20:18:15, Vitaly Buka wrote: > On 2014/10/08 20:11:34, Lei Zhang wrote: > > Do we care if size + extra_size overflows? > > Done. I just checked and a WORD is only 16-bit. There's no way 2 WORDS added together can overflow a LONG. So why not just: LONG actual_size = out->dmSize + out->dmDriverExtra; ?
The CQ bit was checked by vitalybuka@chromium.org
The CQ bit was unchecked by vitalybuka@chromium.org
https://codereview.chromium.org/644463002/diff/1/printing/backend/win_helper.cc File printing/backend/win_helper.cc (right): https://codereview.chromium.org/644463002/diff/1/printing/backend/win_helper.... printing/backend/win_helper.cc:490: CHECK_GE(buffer_size, size + extra_size); C++ does WORD+WORD->WORD, so old version indeed had overflow problem. However it made no difference because overflow would likely satisfy CHECK_GE LONG would work instead of int, but we don't need LONG for api calls like above, so int should be used, according our style. Also I put two local variable hoping to see them in future crash dumps on stack. On 2014/10/08 20:24:15, Lei Zhang wrote: > On 2014/10/08 20:18:15, Vitaly Buka wrote: > > On 2014/10/08 20:11:34, Lei Zhang wrote: > > > Do we care if size + extra_size overflows? > > > > Done. > > I just checked and a WORD is only 16-bit. There's no way 2 WORDS added together > can overflow a LONG. So why not just: LONG actual_size = out->dmSize + > out->dmDriverExtra; ?
The CQ bit was checked by vitalybuka@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/644463002/20001
The CQ bit was unchecked by vitalybuka@chromium.org
The CQ bit was checked by vitalybuka@chromium.org
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/patch-status/644463002/20001
Message was sent while issue was closed.
Committed patchset #2 (id:20001) as 4372c0acb01d253c3c3b931e87da1e4c20018521
Message was sent while issue was closed.
Patchset 2 (id:??) landed as https://crrev.com/f16d34bbc32d79d739bd2e151552e5229de5e3c1 Cr-Commit-Position: refs/heads/master@{#298760} |
