| author | Robert Sesek <rsesek@chromium.org> | 2023-02-22 18:37:10 -0500 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2023-03-24 10:06:25 +0000 |
| commit | 6e261dcd44f8bc097c0eac394edf2c29365aa2e2 (patch) | |
| tree | b90a1e33da65903426b2662f5515cfe345ff0274 | |
| parent | 48d580fabbe8658bab6ad6136b95e46a7463386d (diff) | |
| download | qtwebengine-chromium-6e261dcd44f8bc097c0eac394edf2c29365aa2e2.tar.gz | |
[Backport] CVE-2023-1217: Stack buffer overflow in Crash reporting
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4284559:
win: Only process up to EXCEPTION_MAXIMUM_PARAMETERS in an EXCEPTION_RECORD
The EXCEPTION_RECORD contains a NumberParameters field, which could
store a value that exceeds the amount of space allocated for the
ExceptionInformation array.
Bug: chromium:1412658
Change-Id: Ibfed8eb6317e28d3addf9215cda7fffc32e1030d
Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4284559
Reviewed-by: Alex Gough <ajgo@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468218
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc b/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc index 29cf165d19d..f072d41da7e 100644 --- a/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc +++ b/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc @@ -14,6 +14,8 @@ #include "snapshot/win/exception_snapshot_win.h" +#include <algorithm> + #include "base/logging.h" #include "snapshot/capture_memory.h" #include "snapshot/memory_snapshot.h" @@ -250,8 +252,12 @@ bool ExceptionSnapshotWin::InitializeFromExceptionPointers( exception_code_ = first_record.ExceptionCode; exception_flags_ = first_record.ExceptionFlags; exception_address_ = first_record.ExceptionAddress; - for (DWORD i = 0; i < first_record.NumberParameters; ++i) + + const DWORD number_parameters = std::min<DWORD>( + first_record.NumberParameters, EXCEPTION_MAXIMUM_PARAMETERS); + for (DWORD i = 0; i < number_parameters; ++i) { codes_.push_back(first_record.ExceptionInformation[i]); + } if (first_record.ExceptionRecord) { // https://crashpad.chromium.org/bug/43 LOG(WARNING) << "dropping chained ExceptionRecord"; |
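Review bot: In the second hunk, the clamp `std::min<DWORD>(first_record.NumberParameters, EXCEPTION_MAXIMUM_PARAMETERS)` closes the out-of-bounds read of `ExceptionInformation`, but it silently drops the excess when a record carries a NumberParameters above the limit; since the EXCEPTION_RECORD originates in the crashing process and is not trustworthy, consider emitting a `LOG(WARNING)` on that path, in the same spirit as the existing "dropping chained ExceptionRecord" warning a few lines below, so a malformed record is visible in logs rather than being truncated without trace. A one-line comment above `number_parameters` referencing chromium:1412658 would also tell later readers why the field is bounded here rather than trusted.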