Improve IndexedDB IPC message sanitization

content/browser/in_process_webkit/indexed_db_dispatcher_host.cc

Index: content/browser/in_process_webkit/indexed_db_dispatcher_host.cc
diff --git a/content/browser/in_process_webkit/indexed_db_dispatcher_host.cc b/content/browser/in_process_webkit/indexed_db_dispatcher_host.cc
index 4ecefd51aa869272b6f9cf12988a2534b9a0d25f..b5dd4c40f95659488cb5104634127342b4c04cd6 100644
--- a/content/browser/in_process_webkit/indexed_db_dispatcher_host.cc
+++ b/content/browser/in_process_webkit/indexed_db_dispatcher_host.cc
@@ -475,6 +475,12 @@ void IndexedDBDispatcherHost::DatabaseDispatcherHost::OnPut(
   scoped_ptr<WebIDBCallbacks> callbacks(
       new IndexedDBCallbacks<WebIDBKey>(parent_, params.ipc_thread_id,
                                         params.ipc_response_id));
+  if (params.index_ids.size() != params.index_keys.size()) {
+    callbacks->onError(WebIDBDatabaseError(
+        WebKit::WebIDBDatabaseExceptionUnknownError,
+        "Malformed IPC message: index_ids.size() != index_keys.size()"));
+    return;
+  }
 
   WebVector<unsigned char> value(params.value);
   int64 host_transaction_id = parent_->HostTransactionId(params.transaction_id);
@@ -499,7 +505,15 @@ void IndexedDBDispatcherHost::DatabaseDispatcherHost::OnSetIndexKeys(
   if (!database)
     return;
 
-  database->setIndexKeys(parent_->HostTransactionId(params.transaction_id),
+  int64 host_transaction_id = parent_->HostTransactionId(params.transaction_id);
+  if (params.index_ids.size() != params.index_keys.size()) {
+    database->abort(host_transaction_id, WebIDBDatabaseError(
+        WebKit::WebIDBDatabaseExceptionUnknownError,
+        "Malformed IPC message: index_ids.size() != index_keys.size()"));
+    return;
+  }
+
+  database->setIndexKeys(host_transaction_id,
                          params.object_store_id,
                          params.primary_key, params.index_ids,
                          params.index_keys);