| field | value | date |
|---|---|---|
| author | Russell Brenner <russellbrenner@google.com> | 2011-11-29 15:34:08 -0800 |
| committer | Russell Brenner <russellbrenner@google.com> | 2011-11-30 12:05:20 -0800 |
| commit | 1adc38d53cef911069a0d08a4049f5be6ea50a93 | |
| tree | efe5ddd631dc88bd5e11f50a340bffb6e92f253f /Source/WebKit/android/jni | |
| parent | 06081e3d5c78c73256b49c85d05e7c41d9e2b6f1 | |
DO NOT MERGE Use unsigned length when reading data
With a signed length, invalid negative sizes can bypass data limit
checks of the type:
        if (data + length < end)
With an unsigned length, absurdly large lengths will now trigger an
early exit instead of following through into the decoding routine
with a bad length.
Bug: 5143832
Change-Id: I8e4a8d357ee04a36e35ab47d538ce57088734ccf
Diffstat (limited to 'Source/WebKit/android/jni')
-rw-r--r-- Source/WebKit/android/jni/WebHistory.cpp | 2
1 files changed, 1 insertions, 1 deletions
| diff --git a/Source/WebKit/android/jni/WebHistory.cpp b/Source/WebKit/android/jni/WebHistory.cpp index 7ec73a3..aa74b81 100644 --- a/Source/WebKit/android/jni/WebHistory.cpp +++ b/Source/WebKit/android/jni/WebHistory.cpp @@ -490,7 +490,7 @@ static bool read_item_recursive(WebCore::HistoryItem* newItem,      // Read the original url      // Read the expected length of the string. -    int l; +    unsigned l;      memcpy(&l, data, sizeofUnsigned);      // Increment data pointer by the size of an unsigned int.      data += sizeofUnsigned; | 
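Review bot: changing `l` to `unsigned` closes the negative-length bypass, but a pointer comparison of the form `data + l < end` is still unreliable for an absurdly large `l`, because `data + l` can wrap; the bounds check that follows this hunk should compare remaining bytes rather than pointers, e.g. `if (l > static_cast<size_t>(end - data)) return false;` (the function is declared `static bool read_item_recursive`), placed before any use of `l`. Also confirm that a check for at least `sizeofUnsigned` remaining bytes precedes `memcpy(&l, data, sizeofUnsigned);`, since none is visible in the hunk, and consider a descriptive name such as `urlLength` in place of `l` now that the comment "Increment data pointer by the size of an unsigned int." and the variable type agree.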
