| author | Russell Brenner <russellbrenner@google.com> | 2011-11-29 15:34:08 -0800 |
|---|---|---|
| committer | Russell Brenner <russellbrenner@google.com> | 2011-11-29 15:44:29 -0800 |
| commit | 54dddd414a10f9c661f181d016b49b1803373ed3 (patch) | |
| tree | ec462ad80790c8829a9ab57b6a9171339815e82d /Source/WebKit/android/jni/WebHistory.cpp | |
| parent | d3e14d5783061619077851b76bf03cd273defd08 (diff) | |
| download | external_webkit-54dddd414a10f9c661f181d016b49b1803373ed3.zip external_webkit-54dddd414a10f9c661f181d016b49b1803373ed3.tar.gz external_webkit-54dddd414a10f9c661f181d016b49b1803373ed3.tar.bz2 | |
Use unsigned length when reading data
With a signed length, invalid negative sizes can bypass data limit
checks of the type:
if (data + length < end)
With an unsigned length, absurdly large lengths will now trigger an
early exit instead of following through into the decoding routine
with a bad length.
Bug: 5143832
Change-Id: I50c636ccfbc82a297df802572cf85972dddf8213
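The signed-length bypass the commit message describes, as an added example that is not code from the WebKit tree: two small readers take a buffer `[data, end)`, pull a 4-byte little-endian length prefix (the host is assumed little-endian), and report whether their bounds check accepts that length. `accepts_signed_length` models the check `data + length < end` with a signed `int`; `accepts_unsigned_length` uses a `uint32_t` matching the serialized field's width and compares the length against the bytes actually remaining. Function names and sample buffers are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/*
 * Added example, not WebKit code: a minimal model of a length-prefixed
 * string read. Each reader returns 1 if its bounds check accepts the
 * length prefix at `data`, 0 if it rejects it (or no prefix fits).
 */

/* 'Before': signed length and the check `data + length < end`. */
int accepts_signed_length(const unsigned char *data, const unsigned char *end)
{
    int l;
    if ((size_t)(end - data) < sizeof(l))
        return 0;                        /* no complete length prefix present */
    memcpy(&l, data, sizeof(l));
    data += sizeof(l);
    /* Same comparison as the page's check, evaluated on integer addresses so
     * that a negative l does not form an out-of-range pointer (UB in C).
     * A negative l moves the left-hand side *backwards*, so it passes. */
    return (intptr_t)data + l < (intptr_t)end;
}

/* 'After': unsigned length of the serialized field's width, compared against
 * the remaining byte count rather than against a derived pointer. */
int accepts_unsigned_length(const unsigned char *data, const unsigned char *end)
{
    uint32_t l;                          /* 4 bytes: matches the on-wire field */
    if ((size_t)(end - data) < sizeof(l))
        return 0;
    memcpy(&l, data, sizeof(l));
    data += sizeof(l);
    /* `end - data` is the number of bytes left; nothing here can wrap. */
    return l <= (size_t)(end - data);
}

/* Constructed inputs (not from the page). */
static const unsigned char kValid[] = { 5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o', 0 };
/* Prefix 0xFFFFFFFF: -1 as a signed int, ~4 GiB as an unsigned length. */
static const unsigned char kNegative[] = { 0xFF, 0xFF, 0xFF, 0xFF };

int main(void)
{
    printf("valid    : signed=%d unsigned=%d\n",
           accepts_signed_length(kValid, kValid + sizeof kValid),
           accepts_unsigned_length(kValid, kValid + sizeof kValid));
    printf("negative : signed=%d unsigned=%d\n",
           accepts_signed_length(kNegative, kNegative + sizeof kNegative),
           accepts_unsigned_length(kNegative, kNegative + sizeof kNegative));
    return 0;
}
```

Running it shows the valid buffer accepted by both readers, while the `0xFFFFFFFF` prefix with no payload at all is accepted by the signed check (the pointer comparison is satisfied by a negative offset) and rejected by the unsigned one. Comparing against `end - data` rather than forming `data + l` is the part that makes the unsigned version robust even when the length is large on a 32-bit target, where `data + l` itself could wrap.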
Diffstat (limited to 'Source/WebKit/android/jni/WebHistory.cpp')
-rw-r--r-- | Source/WebKit/android/jni/WebHistory.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/Source/WebKit/android/jni/WebHistory.cpp b/Source/WebKit/android/jni/WebHistory.cpp index 8453974..42a7ecf 100644 --- a/Source/WebKit/android/jni/WebHistory.cpp +++ b/Source/WebKit/android/jni/WebHistory.cpp @@ -490,7 +490,7 @@ static bool read_item_recursive(WebCore::HistoryItem* newItem, // Read the original url // Read the expected length of the string. - int l; + size_t l; memcpy(&l, data, sizeofUnsigned); // Increment data pointer by the size of an unsigned int. data += sizeofUnsigned; |
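Review bot: the new `size_t l;` is wider than the `sizeofUnsigned` bytes that `memcpy(&l, data, sizeofUnsigned);` copies into it on any 64-bit target, which leaves the upper half of `l` uninitialized and feeds a partly indeterminate value into the length check that follows; the adjacent comment ("Increment data pointer by the size of an unsigned int") says the serialized field is an unsigned int, so declare `l` at that width (`unsigned l;` or `uint32_t l;`) and copy `sizeof(l)` bytes, or add a static assertion that `sizeof(l) == sizeofUnsigned` so the mismatch is caught at compile time. Separately, if the downstream check keeps the form quoted in the commit message, `data + length < end`, a large unsigned length can still wrap the pointer arithmetic on a 32-bit build; comparing the length against the bytes remaining, `length <= (size_t)(end - data)`, avoids forming an out-of-range pointer at all.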