diff options
author | Russell Brenner <russellbrenner@google.com> | 2011-11-29 15:34:08 -0800 |
---|---|---|
committer | Russell Brenner <russellbrenner@google.com> | 2011-11-30 12:05:20 -0800 |
commit | 1adc38d53cef911069a0d08a4049f5be6ea50a93 (patch) | |
tree | efe5ddd631dc88bd5e11f50a340bffb6e92f253f /Source | |
parent | 06081e3d5c78c73256b49c85d05e7c41d9e2b6f1 (diff) | |
download | external_webkit-1adc38d53cef911069a0d08a4049f5be6ea50a93.zip external_webkit-1adc38d53cef911069a0d08a4049f5be6ea50a93.tar.gz external_webkit-1adc38d53cef911069a0d08a4049f5be6ea50a93.tar.bz2 |
DO NOT MERGE Use unsigned length when reading data
With a signed length, invalid negative sizes can bypass data limit
checks of the type:
if (data + length < end)
With an unsigned length, absurdly large lengths will now trigger an
early exit instead of following through into the decoding routine
with a bad length.
Bug: 5143832
Change-Id: I8e4a8d357ee04a36e35ab47d538ce57088734ccf
Diffstat (limited to 'Source')
-rw-r--r-- | Source/WebKit/android/jni/WebHistory.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/Source/WebKit/android/jni/WebHistory.cpp b/Source/WebKit/android/jni/WebHistory.cpp index 7ec73a3..aa74b81 100644 --- a/Source/WebKit/android/jni/WebHistory.cpp +++ b/Source/WebKit/android/jni/WebHistory.cpp @@ -490,7 +490,7 @@ static bool read_item_recursive(WebCore::HistoryItem* newItem, // Read the original url // Read the expected length of the string. - int l; + unsigned l; memcpy(&l, data, sizeofUnsigned); // Increment data pointer by the size of an unsigned int. data += sizeofUnsigned; |