Fix a crash when a line with an HTTP chunk length is too long

net/http/http_chunked_decoder.cc

 // Copyright (c) 2011 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 // Derived from:
 //   mozilla/netwerk/protocol/http/src/nsHttpChunkedDecoder.cpp
 // The license block is:
 /* ***** BEGIN LICENSE BLOCK *****
  * Version: MPL 1.1/GPL 2.0/LGPL 2.1
  *
@@ skipping 34 matching lines @@
 #include "net/http/http_chunked_decoder.h"
 
 #include "base/logging.h"
 #include "base/string_number_conversions.h"
 #include "base/string_piece.h"
 #include "base/string_util.h"
 #include "net/base/net_errors.h"
 
 namespace net {
 
+// Absurdly long size to avoid imposing a constraint on chunked encoding
+// extensions.
+const size_t HttpChunkedDecoder::kMaxLineBufLen = 16384;
+
 HttpChunkedDecoder::HttpChunkedDecoder()
     : chunk_remaining_(0),
       chunk_terminator_remaining_(false),
       reached_last_chunk_(false),
       reached_eof_(false),
       bytes_after_eof_(0) {
 }
 
 int HttpChunkedDecoder::FilterBuf(char* buf, int buf_len) {
   int result = 0;
@@ skipping 23 matching lines @@
 
     buf_len -= bytes_consumed;
     if (buf_len)
       memmove(buf, buf + bytes_consumed, buf_len);
   }
 
   return result;
 }
 
 int HttpChunkedDecoder::ScanForChunkRemaining(const char* buf, int buf_len) {
-  DCHECK(chunk_remaining_ == 0);
-  DCHECK(buf_len > 0);
+  DCHECK_EQ(0, chunk_remaining_);
+  DCHECK_GT(buf_len, 0);
 
   int bytes_consumed = 0;
 
   size_t index_of_lf = base::StringPiece(buf, buf_len).find('\n');
   if (index_of_lf != base::StringPiece::npos) {
     buf_len = static_cast<int>(index_of_lf);
     if (buf_len && buf[buf_len - 1] == '\r')  // Eliminate a preceding CR.
       buf_len--;
     bytes_consumed = static_cast<int>(index_of_lf) + 1;
 
@@ skipping 35 matching lines @@
     }
     line_buf_.clear();
   } else {
     // Save the partial line; wait for more data.
     bytes_consumed = buf_len;
 
     // Ignore a trailing CR
     if (buf[buf_len - 1] == '\r')
       buf_len--;
 
+    if (line_buf_.length() + buf_len > kMaxLineBufLen) {
+      DLOG(ERROR) << "Chunked line length too long";
+      return ERR_INVALID_CHUNKED_ENCODING;
+    }
+
     line_buf_.append(buf, buf_len);
   }
   return bytes_consumed;
 }
 
 
 // While the HTTP 1.1 specification defines chunk-size as 1*HEX
 // some sites rely on more lenient parsing.
 // http://www.yahoo.com/, for example, pads chunk-size with trailing spaces
 // (0x20) to be 7 characters long, such as "819b   ".
 //
 // A comparison of browsers running on WindowsXP shows that
 // they will parse the following inputs (egrep syntax):
 //
 // Let \X be the character class for a hex digit: [0-9a-fA-F]
 //
 //   RFC 2616: ^\X+$
 //        IE7: ^\X+[^\X]*$
 // Safari 3.1: ^[\t\r ]*\X+[\t ]*$
 //  Firefox 3: ^[\t\f\v\r ]*[+]?(0x)?\X+[^\X]*$
 // Opera 9.51: ^[\t\f\v ]*[+]?(0x)?\X+[^\X]*$
 //
 // Our strategy is to be as strict as possible, while not breaking
 // known sites.
 //
 //         Us: ^\X+[ ]*$
 bool HttpChunkedDecoder::ParseChunkSize(const char* start, int len, int* out) {
-  DCHECK(len >= 0);
+  DCHECK_GE(len, 0);
 
   // Strip trailing spaces
   while (len && start[len - 1] == ' ')
     len--;
 
   // Be more restrictive than HexStringToInt;
   // don't allow inputs with leading "-", "+", "0x", "0X"
   base::StringPiece chunk_size(start, len);
   if (chunk_size.find_first_not_of("0123456789abcdefABCDEF")
       != base::StringPiece::npos) {
     return false;
   }
 
   int parsed_number;
   bool ok = base::HexStringToInt(chunk_size, &parsed_number);
   if (ok && parsed_number >= 0) {
     *out = parsed_number;
     return true;
   }
   return false;
 }
 
 }  // namespace net