Fix a couple of integer issues in Pickle deserialization. Neither represents
a significant risk because the code is not directly exposed to user input. In
addition, neither error leads to memory corruption. At worst, there's a C++
exception or abort().
BUG=NONE
TEST=PickleTest.EvilLengths
Review URL: http://codereview.chromium.org/146121
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@19249 0039d316-1c4b-4281-b951-d872f2087c98
CrOS-Libchrome-Original-Commit: 8766556dd35a7295e2aef849a3ba33bedaa1106a
diff --git a/base/pickle.cc b/base/pickle.cc
index 5e249c7..c3df8bc 100644
--- a/base/pickle.cc
+++ b/base/pickle.cc
@@ -208,6 +208,9 @@
int len;
if (!ReadLength(iter, &len))
return false;
+ // Avoid integer overflow.
+ if (len > INT_MAX / static_cast<int>(sizeof(wchar_t)))
+ return false;
if (!IteratorHasRoomFor(*iter, len * sizeof(wchar_t)))
return false;
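Review bot: The new guard on len protects the wchar_t multiplication, but the char16 path changed in the next hunk (`len * sizeof(char16)`) gets no matching check, so the two string readers now treat the same length-times-width pattern differently; whether that product can wrap depends on sizeof(char16) against the platform's size_t and on ReadLength rejecting negative values, neither of which is visible here. For consistency and defense in depth I would mirror the check there: `if (len > INT_MAX / static_cast<int>(sizeof(char16))) return false;`. INT_MAX also requires <climits> (or <limits.h>) in scope, and the include block is outside the hunk, so confirm pickle.cc already pulls it in. The added comment could name what actually overflows rather than the generic phrase: `// Avoid size_t wrap-around in len * sizeof(wchar_t) below.` The enclosing function starts before this hunk and its remainder lies outside it.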
@@ -224,7 +227,7 @@
int len;
if (!ReadLength(iter, &len))
return false;
- if (!IteratorHasRoomFor(*iter, len))
+ if (!IteratorHasRoomFor(*iter, len * sizeof(char16)))
return false;
char16* chars = reinterpret_cast<char16*>(*iter);