Check that we've got a complete header before accessing its fields.
This patch was prepared by Evgeniy Stepanov (eugenis@chromium.org) and reviewed
at http://codereview.chromium.org/6353010/
BUG=70376
TEST=none
TBR=darin,willchan
Review URL: http://codereview.chromium.org/6347013
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@72634 0039d316-1c4b-4281-b951-d872f2087c98
diff --git a/base/pickle.cc b/base/pickle.cc
index a05df287..e7d57688 100644
--- a/base/pickle.cc
+++ b/base/pickle.cc
@@ -406,6 +406,9 @@
DCHECK(header_size == AlignInt(header_size, sizeof(uint32)));
DCHECK(header_size <= static_cast<size_t>(kPayloadUnit));
+ if (static_cast<size_t>(end - start) < sizeof(Header))
+ return NULL;
+
const Header* hdr = reinterpret_cast<const Header*>(start);
const char* payload_base = start + header_size;
const char* payload_end = payload_base + hdr->payload_size;