
Unified Diff: net/http/http_chunked_decoder.cc

Issue 11191003: Fix a crash when a line with an HTTP chunk length is too long (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src/
Patch Set: Fix signed / unsigned comparison Created 8 years, 2 months ago
Index: net/http/http_chunked_decoder.cc
===================================================================
--- net/http/http_chunked_decoder.cc (revision 161387)
+++ net/http/http_chunked_decoder.cc (working copy)
@@ -52,6 +52,10 @@
namespace net {
+// Absurdly long size to avoid imposing a constraint on chunked encoding
+// extensions.
+const size_t HttpChunkedDecoder::kMaxLineBufLen = 16384;
+
HttpChunkedDecoder::HttpChunkedDecoder()
: chunk_remaining_(0),
chunk_terminator_remaining_(false),
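Review bot: The comment on the new kMaxLineBufLen definition explains why the value is large but not what the constant protects against, which is the reason the constant exists at all. I would state the bound's purpose where it is defined, e.g. `// Upper bound on the bytes buffered in line_buf_ while waiting for the end of a chunk-size line; without it a peer that never sends the terminating newline grows the buffer without limit.` followed by the existing sentence about not constraining chunked-encoding extensions. The check that enforces it lives in the third hunk of this file (ScanForChunkRemaining), so a reader of the definition alone has no other pointer to it.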
@@ -95,8 +99,8 @@
}
int HttpChunkedDecoder::ScanForChunkRemaining(const char* buf, int buf_len) {
- DCHECK(chunk_remaining_ == 0);
- DCHECK(buf_len > 0);
+ DCHECK_EQ(0, chunk_remaining_);
+ DCHECK_GT(buf_len, 0);
int bytes_consumed = 0;
@@ -152,6 +156,11 @@
if (buf[buf_len - 1] == '\r')
buf_len--;
+ if (line_buf_.length() + buf_len > kMaxLineBufLen) {
+ DLOG(ERROR) << "Chunked line length too long";
+ return ERR_INVALID_CHUNKED_ENCODING;
+ }
+
line_buf_.append(buf, buf_len);
}
return bytes_consumed;
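Review bot: The new comparison on the `if (line_buf_.length() + buf_len > kMaxLineBufLen)` line promotes the signed buf_len to size_t for the addition, so it is only correct because buf_len is non-negative at that point; that appears to hold (the DCHECK_GT in the earlier hunk, and the only decrement is the single '\r' strip two lines above), but the dependency is invisible here and a negative value would wrap and pass the check. A short comment would pin it: `// buf_len >= 0 here (checked at function entry), so its promotion to size_t in the sum is safe.`. The DLOG on the rejection path could also carry the offending size for diagnosis, `DLOG(ERROR) << "Chunked line length too long: " << line_buf_.length() + buf_len;`, since this is the point where a misbehaving peer is cut off. ScanForChunkRemaining begins in an earlier hunk and its else-branch is open at the top of this one, so I have inferred the surrounding control flow rather than read it.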
@@ -179,7 +188,7 @@
//
// Us: ^\X+[ ]*$
bool HttpChunkedDecoder::ParseChunkSize(const char* start, int len, int* out) {
- DCHECK(len >= 0);
+ DCHECK_GE(len, 0);
// Strip trailing spaces
while (len && start[len - 1] == ' ')
