1 files changed, 13 insertions, 3 deletions

diff --git a/Source/WebCore/Modules/websockets/WebSocketChannel.cpp b/Source/WebCore/Modules/websockets/WebSocketChannel.cpp
index 2ce69dd38..c8ee9a8fd 100644
--- a/Source/WebCore/Modules/websockets/WebSocketChannel.cpp
+++ b/Source/WebCore/Modules/websockets/WebSocketChannel.cpp
@@ -674,12 +674,22 @@ bool WebSocketChannel::processFrame()
         break;
 
     case WebSocketFrame::OpCodeClose:
-        if (frame.payloadLength >= 2) {
+        if (!frame.payloadLength)
+            m_closeEventCode = CloseEventCodeNoStatusRcvd;
+        else if (frame.payloadLength == 1) {
+            m_closeEventCode = CloseEventCodeAbnormalClosure;
+            fail("Received a broken close frame containing an invalid size body.");
+            return false;
+        } else {
             unsigned char highByte = static_cast<unsigned char>(frame.payload[0]);
             unsigned char lowByte = static_cast<unsigned char>(frame.payload[1]);
             m_closeEventCode = highByte << 8 | lowByte;
-        } else
-            m_closeEventCode = CloseEventCodeNoStatusRcvd;
+            if (m_closeEventCode == CloseEventCodeNoStatusRcvd || m_closeEventCode == CloseEventCodeAbnormalClosure || m_closeEventCode == CloseEventCodeTLSHandshake) {
+                m_closeEventCode = CloseEventCodeAbnormalClosure;
+                fail("Received a broken close frame containing a reserved status code.");
+                return false;
+            }
+        }
         if (frame.payloadLength >= 3)
             m_closeEventReason = String::fromUTF8(&frame.payload[2], frame.payloadLength - 2);
         else