From 1adc38d53cef911069a0d08a4049f5be6ea50a93 Mon Sep 17 00:00:00 2001
From: Russell Brenner
Date: Tue, 29 Nov 2011 15:34:08 -0800
Subject: DO NOT MERGE Use unsigned length when reading data

With a signed length, invalid negative sizes can bypass data limit checks of the type: if (data + length < end) With an unsigned length, absurdly large lengths will now trigger an early exit instead of following through into the decoding routine with a bad length.

Bug: 5143832
Change-Id: I8e4a8d357ee04a36e35ab47d538ce57088734ccf
---
 Source/WebKit/android/jni/WebHistory.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'Source/WebKit/android/jni')

diff --git a/Source/WebKit/android/jni/WebHistory.cpp b/Source/WebKit/android/jni/WebHistory.cpp
index 7ec73a3..aa74b81 100644
--- a/Source/WebKit/android/jni/WebHistory.cpp
+++ b/Source/WebKit/android/jni/WebHistory.cpp
@@ -490,7 +490,7 @@ static bool read_item_recursive(WebCore::HistoryItem* newItem,
     // Read the original url
     // Read the expected length of the string.
-    int l;
+    unsigned l;
     memcpy(&l, data, sizeofUnsigned);
     // Increment data pointer by the size of an unsigned int.
     data += sizeofUnsigned;
-- 
cgit v1.1
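Review bot: Changing `int l` to `unsigned l` closes the negative-length path, but the limit check the description says this relies on, `data + length < end`, is still a pointer-overflow check: a length near UINT_MAX can make `data + l` wrap below `end` (most readily on a 32-bit build) and pass, so that comparison should be made on the remaining byte count instead, e.g. `if (l > static_cast<size_t>(end - data)) return false;` assuming `data` and `end` are byte pointers with `data <= end`; that comparison sits outside this hunk. The hunk also shows `memcpy(&l, data, sizeofUnsigned)` with no visible guarantee that `sizeofUnsigned` bytes remain before `data` is advanced; if that is not checked earlier in the function, a `if (end - data < sizeofUnsigned) return false;` directly above the memcpy would close the read itself. The same length-vs-remaining-bytes pattern presumably applies to every other length field this function reads, not only the one touched here. read_item_recursive starts and ends outside the hunk.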