authorMichael Brüning <michael.bruning@qt.io>2019-11-29 18:07:35 +0100
committerMichael Brüning <michael.bruning@qt.io>2019-12-02 18:25:46 +0000
commitdda18dccd9174d6b5aa065eea8475fddd0e72395 (patch)
tree5fbb90fd3bae86ae636b61d3be600d7015afbbdd
parentf99f4ed74de6b4928c017c7a40029d06ed65ee12 (diff)
downloadqtwebengine-chromium-dda18dccd9174d6b5aa065eea8475fddd0e72395.tar.gz
[Backport] Security bug 916874
Backport of patch by Jan Wilken Dörrie <jdoerrie@chromium.org>: [Sandbox] Fix integer overflow in CreateFromBuffer This change fixes an integer overflow in CrossCallParamsEx::CreateFromBuffer, resulting in a fuzzer failure. Bug: 916874 Change-Id: Ie9f6f0e5ac83b1147926e00a23729209d6d66128 Reviewed-by: Michal Klocek <michal.klocek@qt.io> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/sandbox/win/src/crosscall_server.cc13
1 files changed, 9 insertions, 4 deletions
diff --git a/chromium/sandbox/win/src/crosscall_server.cc b/chromium/sandbox/win/src/crosscall_server.cc
index 9f71f333f02..59c1ad2a692 100644
--- a/chromium/sandbox/win/src/crosscall_server.cc
+++ b/chromium/sandbox/win/src/crosscall_server.cc
@@ -175,19 +175,24 @@ CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base,
return NULL;
}
- const char* last_byte = &backing_mem[declared_size];
- const char* first_byte = &backing_mem[min_declared_size];
+ // Here and below we're making use of uintptr_t to have well-defined integer
+ // overflow when doing pointer arithmetic.
+ auto backing_mem_ptr = reinterpret_cast<uintptr_t>(backing_mem);
+ auto last_byte = reinterpret_cast<uintptr_t>(&backing_mem[declared_size]);
+ auto first_byte =
+ reinterpret_cast<uintptr_t>(&backing_mem[min_declared_size]);
+
// Verify here that all and each parameters make sense. This is done in the
// local copy.
for (uint32_t ix = 0; ix != param_count; ++ix) {
uint32_t size = 0;
ArgType type;
- char* address = reinterpret_cast<char*>(
+ auto address = reinterpret_cast<uintptr_t>(
copied_params->GetRawParameter(ix, &size, &type));
if ((NULL == address) || // No null params.
(INVALID_TYPE >= type) || (LAST_TYPE <= type) || // Unknown type.
- (address < backing_mem) || // Start cannot point before buffer.
+ (address < backing_mem_ptr) || // Start cannot point before buffer.
(address < first_byte) || // Start cannot point too low.
(address > last_byte) || // Start cannot point past buffer.
((address + size) < address) || // Invalid size.