Fix buffer overrun in Bluetooth LE code.

Review URL: https://codereview.chromium.org/375703009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@281967 0039d316-1c4b-4281-b951-d872f2087c98

Fix buffer overrun in Bluetooth LE code.
Review URL: https://codereview.chromium.org/375703009 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@281967 0039d316-1c4b-4281-b951-d872f2087c98
54f58a9a · rpaquay@chromium.org · d5ef911e · 54f58a9a
Commit 54f58a9a authored Jul 09, 2014 by rpaquay@chromium.org
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

device/bluetooth/bluetooth_low_energy_win.cc device/bluetooth/bluetooth_low_energy_win.cc +4 -2

No files found.
--- a/device/bluetooth/bluetooth_low_energy_win.cc
+++ b/device/bluetooth/bluetooth_low_energy_win.cc
@@ -130,9 +130,11 @@ class DeviceRegistryPropertyValue {
  Create(DWORD property_type, scoped_ptr<UINT8[]> value, size_t value_size) {
    if (property_type == REG_SZ) {
      // Ensure string is zero terminated.
-      CHECK_GE(value_size, 1u);
+      size_t character_size = value_size / sizeof(WCHAR);
+      CHECK_EQ(character_size * sizeof(WCHAR), value_size);
+      CHECK_GE(character_size, 1u);
      WCHAR* value_string = reinterpret_cast<WCHAR*>(value.get());
-      value_string[value_size - 1] = 0;
+      value_string[character_size - 1] = 0;
    }
    return scoped_ptr<DeviceRegistryPropertyValue>(
        new DeviceRegistryPropertyValue(