Google Git
Sign in
chromium / chromium / src / c2de834c1d71955c14e9a13128cfa93675c2fd62
commitc2de834c1d71955c14e9a13128cfa93675c2fd62[log] [tgz]
authorLeonard Grey <lgrey@chromium.org>Wed Apr 24 19:57:43 2019
committerCommit Bot <commit-bot@chromium.org>Wed Apr 24 19:57:43 2019
tree67664017f00256c56068cc9ddfb1685c43bba674
parent950e42b1220cc1a9f64c591843222e0623c0df48 [diff]
UIDevTools: Prevent overflow when setting views properties

When setting a "CSS" property to the empty string in DevTools (easily done by accident),
CSSAgent is called twice:
(assume the property is "Enabled)
First, with "\n Enabled:\n", and then, with "  \n " or similar.

The loop in the parsing code's exit condition is "size of parsed tokens - 1"
The good news is that this means that the first call never enters the loop. The same is true for any odd number of tokens, so I removed the DCHECK.

The bad news is that the size is unsigned, so when no tokens are parsed, it wraps around and we crash trying to read the first token.

Bug: 954675
Change-Id: I31735f0344246458c3f33bf0cac3ed2eb3758ce6
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1582759
Reviewed-by: Wei Li <weili@chromium.org>
Commit-Queue: Leonard Grey <lgrey@chromium.org>
Cr-Commit-Position: refs/heads/master@{#653715}
2 files changed
tree: 67664017f00256c56068cc9ddfb1685c43bba674
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chrome_elf/
  11. chromecast/
  12. chromeos/
  13. cloud_print/
  14. components/
  15. content/
  16. courgette/
  17. crypto/
  18. dbus/
  19. device/
  20. docs/
  21. extensions/
  22. fuchsia/
  23. gin/
  24. google_apis/
  25. google_update/
  26. gpu/
  27. headless/
  28. infra/
  29. ios/
  30. ipc/
  31. jingle/
  32. media/
  33. mojo/
  34. native_client_sdk/
  35. net/
  36. pdf/
  37. ppapi/
  38. printing/
  39. remoting/
  40. rlz/
  41. sandbox/
  42. services/
  43. skia/
  44. sql/
  45. storage/
  46. styleguide/
  47. testing/
  48. third_party/
  49. tools/
  50. ui/
  51. url/
  52. .clang-format
  53. .eslintrc.js
  54. .git-blame-ignore-revs
  55. .gitattributes
  56. .gitignore
  57. .gn
  58. .vpython
  59. AUTHORS
  60. BUILD.gn
  61. CODE_OF_CONDUCT.md
  62. codereview.settings
  63. DEPS
  64. ENG_REVIEW_OWNERS
  65. LICENSE
  66. LICENSE.chromium_os
  67. OWNERS
  68. PRESUBMIT.py
  69. PRESUBMIT_test.py
  70. PRESUBMIT_test_mocks.py
  71. README.md
  72. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure .