
Check that we've got a complete header before accessing its fields.

This patch was prepared by Evgeniy Stepanov (eugenis@chromium.org) and reviewed
at http://codereview.chromium.org/6353010/

BUG=70376
TEST=none
TBR=darin,willchan

Review URL: http://codereview.chromium.org/6347013

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@72634 0039d316-1c4b-4281-b951-d872f2087c98
diff --git a/base/pickle.cc b/base/pickle.cc
index a05df287..e7d57688 100644
--- a/base/pickle.cc
+++ b/base/pickle.cc
@@ -406,6 +406,9 @@
   DCHECK(header_size == AlignInt(header_size, sizeof(uint32)));
   DCHECK(header_size <= static_cast<size_t>(kPayloadUnit));
 
+  if (static_cast<size_t>(end - start) < sizeof(Header))
+    return NULL;
+
   const Header* hdr = reinterpret_cast<const Header*>(start);
   const char* payload_base = start + header_size;
   const char* payload_end = payload_base + hdr->payload_size;
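Review bot: The new guard measures the available bytes against `sizeof(Header)`, but two lines later the code advances by `header_size`, which the DCHECKs above only bound by kPayloadUnit and alignment, so a buffer that holds a full `Header` but fewer than `header_size` bytes still passes the check and `payload_base` is computed past `end`. Since `header_size` is presumably at least `sizeof(Header)` for any derived pickle, checking the larger value covers both reads: `if (static_cast<size_t>(end - start) < header_size)` followed by `return NULL;`. The cast also turns a negative `end - start` into a huge unsigned value that passes the test; if callers cannot guarantee `start <= end`, a preceding `if (end < start) return NULL;` would make that explicit. The enclosing function starts and ends outside the hunk.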