-rw-r--r-- | chromium/mojo/core/node_channel.cc | 13 | ||||
-rw-r--r-- | chromium/mojo/core/node_channel.h | 4 | ||||
-rw-r--r-- | chromium/mojo/core/node_controller.cc | 4 | ||||
-rw-r--r-- | chromium/mojo/core/user_message_impl.cc | 4 |
4 files changed, 17 insertions, 8 deletions
diff --git a/chromium/mojo/core/node_channel.cc b/chromium/mojo/core/node_channel.cc
index ebcb8812e1e..ada2eb5e6f7 100644
--- a/chromium/mojo/core/node_channel.cc
+++ b/chromium/mojo/core/node_channel.cc
@@ -181,13 +181,16 @@ Channel::MessagePtr NodeChannel::CreateEventMessage(size_t capacity,
 }
 
 // static
-void NodeChannel::GetEventMessageData(Channel::Message* message,
+bool NodeChannel::GetEventMessageData(Channel::Message& message,
 void** data,
 size_t* num_data_bytes) {
- // NOTE: OnChannelMessage guarantees that we never accept a Channel::Message
- // with a payload of fewer than |sizeof(Header)| bytes.
- *data = reinterpret_cast<Header*>(message->mutable_payload()) + 1;
- *num_data_bytes = message->payload_size() - sizeof(Header);
+ // NOTE: Callers must guarantee that the payload in `message` must be at least
+ // large enough to hold a Header.
+ if (message.payload_size() < sizeof(Header))
+ return false;
+ *data = reinterpret_cast<Header*>(message.mutable_payload()) + 1;
+ *num_data_bytes = message.payload_size() - sizeof(Header);
+ return true;
 }
 
 void NodeChannel::Start() {
diff --git a/chromium/mojo/core/node_channel.h b/chromium/mojo/core/node_channel.h
index 5573305013f..ce337a214ef 100644
--- a/chromium/mojo/core/node_channel.h
+++ b/chromium/mojo/core/node_channel.h
@@ -87,7 +87,9 @@ class NodeChannel : public base::RefCountedThreadSafe<NodeChannel>,
 void** payload,
 size_t num_handles);
 
- static void GetEventMessageData(Channel::Message* message,
+ // Retrieves address and size of an Event message's underlying message data.
+ // Returns `false` if the message is not a valid Event message.
+ static bool GetEventMessageData(Channel::Message& message,
 void** data,
 size_t* num_data_bytes);
 
diff --git a/chromium/mojo/core/node_controller.cc b/chromium/mojo/core/node_controller.cc
index 4a6e618833a..52082c3c289 100644
--- a/chromium/mojo/core/node_controller.cc
+++ b/chromium/mojo/core/node_controller.cc
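Review bot: On the new `return false;` path in GetEventMessageData (node_channel.cc), `*data` and `*num_data_bytes` are never written, and both visible callers declare them uninitialized (`void* data; size_t size;`). DeserializeEventMessage in node_controller.cc returns early on failure, but FinalizeEventMessage in user_message_impl.cc only has `DCHECK(result);` before `message_event->Serialize(data);`, so in a build where DCHECK is compiled out a failed call would hand an indeterminate pointer to Serialize. Consider adding `*data = nullptr; *num_data_bytes = 0;` before `return false;`, or handling the failure in that caller rather than only asserting. The NOTE comment also still says callers must guarantee the size, which the function now checks itself; `// Rejects payloads too small to hold a Header.` would match the code.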
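Review bot: The new doc comment on GetEventMessageData in node_channel.h says it returns `false` if the message is "not a valid Event message", but the implementation in node_channel.cc only compares `payload_size()` with `sizeof(Header)`. A reader could take a `true` result to mean the header contents or message type were validated, which the visible code does not do. I would word it as `// Returns false if the payload is too small to contain a Header; header fields and data are not otherwise validated.` The class declaration starts and ends outside this hunk.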
@@ -81,7 +81,9 @@ ports::ScopedEvent DeserializeEventMessage(
 Channel::MessagePtr channel_message) {
 void* data;
 size_t size;
- NodeChannel::GetEventMessageData(channel_message.get(), &data, &size);
+ bool valid = NodeChannel::GetEventMessageData(*channel_message, &data, &size);
+ if (!valid)
+ return nullptr;
 auto event = ports::Event::Deserialize(data, size);
 if (!event)
 return nullptr;
diff --git a/chromium/mojo/core/user_message_impl.cc b/chromium/mojo/core/user_message_impl.cc
index d4a4da16a23..661a80c9763 100644
--- a/chromium/mojo/core/user_message_impl.cc
+++ b/chromium/mojo/core/user_message_impl.cc
@@ -408,7 +408,9 @@ Channel::MessagePtr UserMessageImpl::FinalizeEventMessage(
 if (channel_message) {
 void* data;
 size_t size;
- NodeChannel::GetEventMessageData(channel_message.get(), &data, &size);
+ bool result =
+ NodeChannel::GetEventMessageData(*channel_message, &data, &size);
+ DCHECK(result);
 message_event->Serialize(data);
 }
 
|