diff --git a/mojo/edk/system/core.cc b/mojo/edk/system/core.cc
index bf289bf66d9576..c40601c8ff3a96 100644
--- a/mojo/edk/system/core.cc
+++ b/mojo/edk/system/core.cc
@@ -799,6 +799,10 @@ MojoResult Core::CreateDataPipe(const MojoCreateDataPipeOptions* options,
 create_options.capacity_num_bytes = options && options->capacity_num_bytes ? options->capacity_num_bytes : 64 * 1024;
+ if (!create_options.element_num_bytes || !create_options.capacity_num_bytes ||
+ create_options.capacity_num_bytes < create_options.element_num_bytes) {
+ return MOJO_RESULT_INVALID_ARGUMENT;
+ }
 scoped_refptr ring_buffer = GetNodeController()->CreateSharedBuffer(
diff --git a/mojo/edk/system/data_pipe_consumer_dispatcher.cc b/mojo/edk/system/data_pipe_consumer_dispatcher.cc
index ad32846c2f007d..9a3762cbc3fa7d 100644
--- a/mojo/edk/system/data_pipe_consumer_dispatcher.cc
+++ b/mojo/edk/system/data_pipe_consumer_dispatcher.cc
@@ -372,6 +372,10 @@ DataPipeConsumerDispatcher::Deserialize(const void* data,
 }
 const SerializedState* state = static_cast(data);
+ if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
+ state->options.capacity_num_bytes < state->options.element_num_bytes) {
+ return nullptr;
+ }
 NodeController* node_controller = internal::g_core->GetNodeController();
 ports::PortRef port;
diff --git a/mojo/edk/system/data_pipe_producer_dispatcher.cc b/mojo/edk/system/data_pipe_producer_dispatcher.cc
index 0edfc586742110..97d25b26ecbe90 100644
--- a/mojo/edk/system/data_pipe_producer_dispatcher.cc
+++ b/mojo/edk/system/data_pipe_producer_dispatcher.cc
@@ -335,6 +335,10 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
 }
 const SerializedState* state = static_cast(data);
+ if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
+ state->options.capacity_num_bytes < state->options.element_num_bytes) {
+ return nullptr;
+ }
 NodeController* node_controller = internal::g_core->GetNodeController();
 ports::PortRef port;
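Review bot: The new guard in Core::CreateDataPipe (core.cc) still accepts a capacity that is not a whole multiple of the element size. If the ring-buffer arithmetic assumes whole elements (that code is outside the hunk, so this is inferred), add `create_options.capacity_num_bytes % create_options.element_num_bytes != 0` as a further condition; it is safe after the zero test because `||` short-circuits. The `!create_options.capacity_num_bytes` term is also subsumed by the `<` comparison once the element size is known to be non-zero. The same omission applies to the copies of this check in the two Deserialize hunks, and the function body continues outside this hunk.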
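Review bot: In DataPipeConsumerDispatcher::Deserialize the added check covers only `state->options`, while `state` is read straight from the caller-supplied `data` blob through a cast. Any other SerializedState fields that index or size the ring buffer (offsets, byte counts; the struct is defined outside the hunk, so this is inferred) should be bounded by `capacity_num_bytes` before use. The size of the shared buffer that arrives with the state should be compared against `capacity_num_bytes` as well. Otherwise a message with valid options but out-of-range state would still be accepted. DataPipeProducerDispatcher::Deserialize has the same gap, and both function bodies start and end outside their hunks.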
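Review bot: The check in DataPipeProducerDispatcher::Deserialize is the third hand-written copy of the same three-term options test (also in core.cc and the consumer Deserialize), so the sites can drift apart when a condition is added later. Consider one shared predicate that takes the options struct and returns bool, called from all three places. A one-line comment at the two Deserialize call sites, such as `// |data| comes from a peer; reject inconsistent options before use.`, would record why the check is there (the peer origin is inferred from the function name; confirm).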
diff --git a/mojo/public/c/system/data_pipe.h b/mojo/public/c/system/data_pipe.h
index aaeafcf21e76df..62adbea1ea62dd 100644
--- a/mojo/public/c/system/data_pipe.h
+++ b/mojo/public/c/system/data_pipe.h
@@ -129,8 +129,9 @@ extern "C" {
 //
 // Returns:
 // |MOJO_RESULT_OK| on success.
-// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid (e.g.,
-// |*options| is invalid).
+// |MOJO_RESULT_INVALID_ARGUMENT| if some argument was invalid, e.g.,
+// |*options| is invalid, specified capacity or element size is zero, or
+// the specified element size exceeds the specified capacity.
 // |MOJO_RESULT_RESOURCE_EXHAUSTED| if a process/system/quota/etc. limit has
 // been reached (e.g., if the requested capacity was too large, or if the
 // maximum number of handles was exceeded).