With a signed length, invalid negative sizes can bypass data limit
checks of the type:
if (data + length < end)
With an unsigned length, absurdly large lengths will now trigger an
early exit instead of following through into the decoding routine
with a bad length.
Bug:
5143832
Change-Id: I8e4a8d357ee04a36e35ab47d538ce57088734ccf
// Read the original url
// Read the expected length of the string.
- int l;
+ unsigned l;
memcpy(&l, data, sizeofUnsigned);
// Increment data pointer by the size of an unsigned int.
data += sizeofUnsigned;