authorRobert Sesek <rsesek@chromium.org>2023-02-22 18:37:10 -0500
committerMichael Brüning <michael.bruning@qt.io>2023-03-24 10:06:25 +0000
commit6e261dcd44f8bc097c0eac394edf2c29365aa2e2 (patch)
treeb90a1e33da65903426b2662f5515cfe345ff0274
parent48d580fabbe8658bab6ad6136b95e46a7463386d (diff)
downloadqtwebengine-chromium-6e261dcd44f8bc097c0eac394edf2c29365aa2e2.tar.gz
[Backport] CVE-2023-1217: Stack buffer overflow in Crash reporting
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4284559: win: Only process up to EXCEPTION_MAXIMUM_PARAMETERS in an EXCEPTION_RECORD The EXCEPTION_RECORD contains a NumberParameters field, which could store a value that exceeds the amount of space allocated for the ExceptionInformation array. Bug: chromium:1412658 Change-Id: Ibfed8eb6317e28d3addf9215cda7fffc32e1030d Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4284559 Reviewed-by: Alex Gough <ajgo@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468218 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc8
1 files changed, 7 insertions, 1 deletions
diff --git a/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc b/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc
index 29cf165d19d..f072d41da7e 100644
--- a/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc
+++ b/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc
@@ -14,6 +14,8 @@
#include "snapshot/win/exception_snapshot_win.h"
+#include <algorithm>
+
#include "base/logging.h"
#include "snapshot/capture_memory.h"
#include "snapshot/memory_snapshot.h"
@@ -250,8 +252,12 @@ bool ExceptionSnapshotWin::InitializeFromExceptionPointers(
exception_code_ = first_record.ExceptionCode;
exception_flags_ = first_record.ExceptionFlags;
exception_address_ = first_record.ExceptionAddress;
- for (DWORD i = 0; i < first_record.NumberParameters; ++i)
+
+ const DWORD number_parameters = std::min<DWORD>(
+ first_record.NumberParameters, EXCEPTION_MAXIMUM_PARAMETERS);
+ for (DWORD i = 0; i < number_parameters; ++i) {
codes_.push_back(first_record.ExceptionInformation[i]);
+ }
if (first_record.ExceptionRecord) {
// https://crashpad.chromium.org/bug/43
LOG(WARNING) << "dropping chained ExceptionRecord";
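Review bot: The clamp on L33-L34 silently truncates the parameter list when NumberParameters exceeds EXCEPTION_MAXIMUM_PARAMETERS, but an out-of-range count is itself evidence of a corrupted or hostile EXCEPTION_RECORD (the commit message describes the field as reaching past the ExceptionInformation array, and the record appears to have been read out of the crashing process rather than built locally), so the condition deserves to be surfaced rather than absorbed. I would add, before the loop, `if (first_record.NumberParameters > EXCEPTION_MAXIMUM_PARAMETERS) { LOG(WARNING) << "NumberParameters " << first_record.NumberParameters << " exceeds EXCEPTION_MAXIMUM_PARAMETERS; truncating"; }` so a truncated capture is visible in the log and in triage, consistent with the existing "dropping chained ExceptionRecord" warning a few lines below. A short comment above the clamp, such as `// NumberParameters comes from the target process and is untrusted; never index past the fixed-size ExceptionInformation array.`, would also record why the bound exists so a future cleanup does not remove it. InitializeFromExceptionPointers begins before this hunk and continues past it, so I cannot see whether the clamped count is re-derived anywhere else.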