    Treat AX mojo attributes as untrusted. · 809f4921
    Peter Kasting authored
    The other ends of these pipes should normally not write negative values, but
    since attackers can control them, treat negatives as 0.
    
    Other alternatives:
    * checked_cast -- rejected since then attackers can trivially crash the browser
      and "force negative to zero" doesn't seem too bad. Also hard to fuzz
    * Adding some kind of SizeTAttribute/GetSizeTAttribute() wrapper -- seems like a
      lot of work, but would provide the ability to pass these across the wire as
      unsigned via Mojo uint32_t values
    
    Let me know if I should pursue that second alternative.
    
    Bug: 966275
    Change-Id: I232359e9e99eb73c862650b092f73e3ea4263249
    Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1627826
    Reviewed-by: Zachary Kuznia <zork@chromium.org>
    Reviewed-by: Aaron Leventhal <aleventhal@chromium.org>
    Commit-Queue: Aaron Leventhal <aleventhal@chromium.org>
    Auto-Submit: Peter Kasting <pkasting@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#664833}
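
The trade-off described in the commit message, as an added example that is not part of the commit or of Chromium's code: a negative count cast straight to `size_t` wraps to a huge value, while clamping it to 0 keeps the receiver running with an empty table. `WireInt`, `WireCell`, `Table`, `BuildTable` and the `kMaxCells` cap are hypothetical names and assumptions made for this sketch.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical stand-ins: an int attribute as it arrives over IPC, and a cell.
using WireInt = int32_t;
struct WireCell { WireInt row, col, id; };
struct Table {
  size_t rows = 0, cols = 0;
  std::vector<WireInt> cell_ids;  // rows * cols entries, 0 means empty
};

// Assumed sanity cap (not from the commit) so a hostile sender cannot force
// a huge allocation with large positive counts.
constexpr size_t kMaxCells = size_t{1} << 20;

// Hazard: a negative wire value wraps to an enormous size_t.
size_t UncheckedCount(WireInt v) { return static_cast<size_t>(v); }

// Approach named in the commit message: treat negatives as 0, never crash.
size_t ClampedCount(WireInt v) {
  return static_cast<size_t>(std::max<WireInt>(v, 0));
}

// Builds a row-major grid from untrusted counts and cell positions.
bool BuildTable(WireInt wire_rows, WireInt wire_cols,
                const std::vector<WireCell>& cells, Table* out) {
  const size_t rows = ClampedCount(wire_rows);
  const size_t cols = ClampedCount(wire_cols);
  if (cols != 0 && rows > kMaxCells / cols) return false;  // rows*cols too big
  out->rows = rows;
  out->cols = cols;
  out->cell_ids.assign(rows * cols, 0);
  for (const WireCell& c : cells) {
    const size_t r = ClampedCount(c.row), k = ClampedCount(c.col);
    if (r >= rows || k >= cols) continue;  // position outside the grid: drop
    out->cell_ids[r * cols + k] = c.id;
  }
  return true;
}

int main() {
  Table t;
  // Constructed input: negative row count, one cell with a negative row.
  const std::vector<WireCell> cells = {{-1, 0, 7}};
  const bool ok = BuildTable(-3, 4, cells, &t);
  std::printf("ok=%d rows=%zu cells=%zu unchecked(-3)=%zu\n", ok, t.rows,
              t.cell_ids.size(), UncheckedCount(-3));
  return 0;
}
```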
ax_table_info.cc 16.5 KB