bug 518914: make sure that Messages are fully deserialized. fix fencepost error in chromium code

ipc/chromium/src/base/pickle.cc

@@ -316,7 +316,11 @@ char* Pickle::BeginWrite(size_t length) {
   // write at a uint32-aligned offset from the beginning of the header
   size_t offset = AlignInt(header_->payload_size, sizeof(uint32));
 
+#ifdef CHROMIUM_MOZILLA_BUILD
+  size_t new_size = offset + AlignInt(length, sizeof(uint32));
+#else
   size_t new_size = offset + length;
+#endif
   size_t needed_size = header_size_ + new_size;
   if (needed_size > capacity_ && !Resize(std::max(capacity_ * 2, needed_size)))
     return NULL;

ipc/chromium/src/base/pickle.h

@@ -146,6 +146,12 @@ class Pickle {
   // not been changed.
   void TrimWriteData(int length);
 
+#if defined(CHROMIUM_MOZILLA_BUILD)
+  void EndRead(void* iter) const {
+    DCHECK(iter == end_of_payload());
+  }
+#endif
+
   // Payload follows after allocation of Header (header size is customizable).
   struct Header {
     uint32 payload_size;  // Specifies the size of the payload.

ipc/glue/IPCMessageUtils.h

@@ -193,30 +193,11 @@ struct ParamTraits<nsTArray<E> >
       return false;
     }
 
-    // sizeof(E) only makes a limited amount of sense here as it may not have
-    // anything to do with the amount of data needed to serialize an object of
-    // type E. Neverheless trying to allocate a huge chunk of memory here if
-    // we receive a bad message must also be avoided and so we check before we
-    // call SetLength. If we don't have enough space in the message then we do
-    // individual allocations to be safe.
-    if (aMsg->IteratorHasRoomFor(*aIter, length * sizeof(E))) {
-      if (!aResult->SetLength(length)) {
+    for (PRUint32 index = 0; index < length; index++) {
+      E* element = aResult->AppendElement();
+      if (!(element && ReadParam(aMsg, aIter, element))) {
         return false;
       }
-      for (PRUint32 index = 0; index < length; index++) {
-        E& element = aResult->ElementAt(index);
-        if (!ReadParam(aMsg, aIter, &element)) {
-          return false;
-        }
-      }
-    }
-    else {
-      for (PRUint32 index = 0; index < length; index++) {
-        E* element = aResult->AppendElement();
-        if (!(element && ReadParam(aMsg, aIter, element))) {
-          return false;
-        }
-      }
     }
 
     return true;

ipc/ipdl/ipdl/lower.py

@@ -1263,6 +1263,7 @@ def _generateMessageClass(clsname, msgid, inparams, outparams, typedefs):
                           args=[ ExprVar.THIS, ExprVar(p.name) ]))
         for p in inparams
     ])
+    
     cls.addstmts([ ctor, Whitespace.NL ])
 
     # make the message deserializer
@@ -1285,6 +1286,11 @@ def _generateMessageClass(clsname, msgid, inparams, outparams, typedefs):
         failif.addifstmt(StmtReturn(ExprLiteral.FALSE))
         reader.addstmts([ failif, Whitespace.NL ])
 
+    if len(outparams):
+        reader.addstmt(StmtExpr(ExprCall(
+            ExprSelect(msgvar, '->', 'EndRead'),
+            args=[ itervar ])))
+
     reader.addstmt(StmtReturn(ExprLiteral.TRUE))
     cls.addstmts([ reader, Whitespace.NL ])