OSDN Git Service

DO NOT MERGE Use unsigned length when reading data
author Russell Brenner <russellbrenner@google.com>
Tue, 29 Nov 2011 23:34:08 +0000 (15:34 -0800)
committer Russell Brenner <russellbrenner@google.com>
Wed, 30 Nov 2011 20:05:20 +0000 (12:05 -0800)
With a signed length, invalid negative sizes can bypass data limit
checks of the type:

        if (data + length < end)

With an unsigned length, absurdly large lengths will now trigger an
early exit instead of following through into the decoding routine
with a bad length.

Bug: 5143832
Change-Id: I8e4a8d357ee04a36e35ab47d538ce57088734ccf

Source/WebKit/android/jni/WebHistory.cpp

index 7ec73a3..aa74b81 100644
@@ -490,7 +490,7 @@ static bool read_item_recursive(WebCore::HistoryItem* newItem,
 
     // Read the original url
     // Read the expected length of the string.
-    int l;
+    unsigned l;
     memcpy(&l, data, sizeofUnsigned);
     // Increment data pointer by the size of an unsigned int.
     data += sizeofUnsigned;
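Review bot: switching `l` to `unsigned` closes the negative-length bypass, but the check the commit message cites, `if (data + length < end)`, still forms `data + length` before comparing, and for a large enough unsigned `l` that pointer arithmetic can wrap (it is undefined behaviour once it leaves the buffer), so an attacker-controlled length can still land below `end`; comparing the length against the bytes remaining, e.g. `if (l < static_cast<size_t>(end - data))`, avoids the overflow entirely. The `memcpy(&l, data, sizeofUnsigned)` in this hunk also has no visible guard that `sizeofUnsigned` bytes remain before `end`; if that guard lives earlier in `read_item_recursive`, a short comment here pointing to it would make the invariant clear to the next reader.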