    IndexedDB: Stricter put size checks · d9207bf9
    Chase Phillips authored
    IndexedDB's Put() call from the renderer runs across a Mojo
    interface.  The args to the interface call are serialized by Mojo
    and then received by the browser process.
    
    Users can submit args to the call that are arbitrary in size.  If the
    args are too large, Mojo will detect the message is too large to
    send to the browser process and will crash the renderer.
    
    To avoid the crash, we first check the size of the args before
    calling the interface method.  Previously, this check only looked
    at the value and key args.  Extend the check to also look at the
    index_keys arg, which could also be arbitrarily large.
    
    Bug: 901269
    Bug: 717812
    Change-Id: Ifb67c8c72f2db37a412c6583d8418454dbc85713
    Reviewed-on: https://chromium-review.googlesource.com/c/1325078
    Reviewed-by: Daniel Murphy <dmurph@chromium.org>
    Commit-Queue: Chase Phillips <cmp@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#606301}
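The defect class the commit message describes, as an added illustration (this is not Chromium's code and does not reproduce `webidbdatabase_impl.cc`): a renderer-side pre-send size check that only counts some of the arguments serialized into the message lets an oversized `index_keys` argument through, and the transport then rejects the message later. The `Key`, `IndexKeys` and `PutArgs` types, the `kMaxMessageSize` limit, and the `PutSizeOkBefore` / `PutSizeOkAfter` names are all constructed for the example; the real Mojo message limit is not stated on the page.

```cpp
// Added example, not Chromium code. Shows why a pre-send size check must
// cover every argument that is serialized into the message, including
// index_keys. All types, sizes and the limit below are constructed.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

namespace example {

// Constructed stand-in for an IndexedDB key: only its serialized length matters here.
struct Key {
  std::vector<uint8_t> bytes;
  size_t SerializedSize() const { return bytes.size(); }
};

// Constructed stand-in for the keys of one index.
struct IndexKeys {
  int64_t index_id = 0;
  std::vector<Key> keys;
  size_t SerializedSize() const {
    size_t total = sizeof(index_id);
    for (const auto& k : keys) total += k.SerializedSize();
    return total;
  }
};

// The three arguments the commit message names: value, key, index_keys.
struct PutArgs {
  std::vector<uint8_t> value;
  Key key;
  std::vector<IndexKeys> index_keys;
};

// Assumed transport limit; the real Mojo limit is not given on the page.
constexpr size_t kMaxMessageSize = 64 * 1024;

// BEFORE: only value and key are counted. An oversized index_keys argument
// passes this check and the message is rejected later by the transport.
bool PutSizeOkBefore(const PutArgs& a) {
  size_t size = a.value.size() + a.key.SerializedSize();
  return size <= kMaxMessageSize;
}

// AFTER: every serialized argument contributes to the total, so the
// oversized request is refused before any message is built.
bool PutSizeOkAfter(const PutArgs& a) {
  size_t size = a.value.size() + a.key.SerializedSize();
  for (const auto& ik : a.index_keys) size += ik.SerializedSize();
  return size <= kMaxMessageSize;
}

// Constructed request: small value and key, but ~100 KB of index keys.
PutArgs MakeOversizedIndexKeysRequest() {
  PutArgs a;
  a.value.assign(1024, 0xAB);
  a.key.bytes.assign(16, 0x01);
  IndexKeys ik;
  ik.index_id = 7;
  for (int i = 0; i < 100; ++i) {
    Key k;
    k.bytes.assign(1024, 0x02);
    ik.keys.push_back(k);
  }
  a.index_keys.push_back(ik);
  return a;
}

// Constructed request that is small in every argument.
PutArgs MakeSmallRequest() {
  PutArgs a;
  a.value.assign(1024, 0xAB);
  a.key.bytes.assign(16, 0x01);
  IndexKeys ik;
  ik.index_id = 7;
  ik.keys.push_back(Key{std::vector<uint8_t>(8, 0x03)});
  ik.keys.push_back(Key{std::vector<uint8_t>(8, 0x04)});
  a.index_keys.push_back(ik);
  return a;
}

}  // namespace example

int main() {
  const auto big = example::MakeOversizedIndexKeysRequest();
  std::cout << "before-check accepts oversized index_keys: "
            << example::PutSizeOkBefore(big) << "\n";
  std::cout << "after-check accepts oversized index_keys:  "
            << example::PutSizeOkAfter(big) << "\n";
  return 0;
}
```

The difference between the two functions is the whole fix: the "before" check is correct for the arguments it inspects and still wrong, because the total that matters is the size of the entire serialized message, so any argument omitted from the sum is a path around the check.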
Changed file: webidbdatabase_impl.cc (15.6 KB)