author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2017-12-20 12:31:26 +0100 |
---|---|---|
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-05 09:47:53 +0000 |
commit | ccdc643a9e8a34119fac41129f2998b44e7c03ec (patch) | |
tree | 97fb6b4e9fcbf683c7010ae1871755910a40f2f2 | |
parent | 6e4dc7836378c1ed20df9b8b63ddf3c09435e3d3 (diff) | |
download | qtwebengine-chromium-ccdc643a9e8a34119fac41129f2998b44e7c03ec.tar.gz |
[Backport] [BlobStorage] Fixing potential overflow
Bug: 779314
Reviewed-on: https://chromium-review.googlesource.com/747725
Reviewed-on: https://chromium-review.googlesource.com/754084
(CVE-2017-15416)
Change-Id: I2bac7f52e8650da5b14e91b9a68e7e8a1e83f848
Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r-- | chromium/storage/browser/blob/blob_storage_context.cc | 5 | ||||
-rw-r--r-- | chromium/storage/browser/blob/blob_storage_context_unittest.cc | 18 |
2 files changed, 22 insertions, 1 deletions
diff --git a/chromium/storage/browser/blob/blob_storage_context.cc b/chromium/storage/browser/blob/blob_storage_context.cc
index d84d10f1e35..a83476e90b0 100644
--- a/chromium/storage/browser/blob/blob_storage_context.cc
+++ b/chromium/storage/browser/blob/blob_storage_context.cc
@@ -168,7 +168,10 @@ BlobStorageContext::BlobFlattener::BlobFlattener(
   }
 
   // Validate our reference has good offset & length.
-  if (input_element.offset() + length > ref_entry->total_size()) {
+  uint64_t end_byte;
+  if (!base::CheckAdd(input_element.offset(), length)
+           .AssignIfValid(&end_byte) ||
+      end_byte > ref_entry->total_size()) {
     status = BlobStatus::ERR_INVALID_CONSTRUCTION_ARGUMENTS;
     return;
   }
diff --git a/chromium/storage/browser/blob/blob_storage_context_unittest.cc b/chromium/storage/browser/blob/blob_storage_context_unittest.cc
index 5b2abebb209..e08bac18e19 100644
--- a/chromium/storage/browser/blob/blob_storage_context_unittest.cc
+++ b/chromium/storage/browser/blob/blob_storage_context_unittest.cc
@@ -891,6 +891,24 @@ TEST_F(BlobStorageContextTest, BuildBlobCombinations) {
   EXPECT_EQ(0lu, context_->memory_controller().disk_usage());
 }
 
+TEST_F(BlobStorageContextTest, NegativeSlice) {
+  const std::string kId1("id1");
+  const std::string kId2("id2");
+
+  std::unique_ptr<BlobDataHandle> handle = SetupBasicBlob(kId1);
+
+  EXPECT_EQ(1lu, context_->memory_controller().memory_usage());
+
+  BlobDataBuilder builder(kId2);
+  builder.AppendBlob(kId1, static_cast<uint64_t>(-10), 11);
+  std::unique_ptr<BlobDataHandle> handle2 = context_->BuildBlob(
+      builder, BlobStorageContext::TransportAllowedCallback());
+
+  EXPECT_TRUE(handle2->IsBroken());
+  EXPECT_EQ(BlobStatus::ERR_INVALID_CONSTRUCTION_ARGUMENTS,
+            handle2->GetBlobStatus());
+}
+
 // TODO(michaeln): tests for the deprecated url stuff
 
 } // namespace storage |
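Review bot: `end_byte` is declared uninitialized and is only written when `CheckAdd(...).AssignIfValid(&end_byte)` succeeds, so any later refactor that reads it outside this `||` chain would read an indeterminate value; brace-initialize it, `uint64_t end_byte = 0;`. The intent of the checked add is also worth one comment above the declaration, since the unchecked `offset() + length` it replaces silently wrapped for large offsets: `// offset and length come from the renderer; the sum can wrap uint64_t, so use checked arithmetic.` If the same `offset()`/`length` pair is later used to compute slice boundaries elsewhere in this constructor (not visible here), those computations should reuse the validated `end_byte` rather than re-adding. The BlobFlattener constructor both starts and ends outside the hunk.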
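Review bot: The new NegativeSlice test pins the wrap-around case but does not say why `static_cast<uint64_t>(-10)` and `11` were chosen, which is the whole point of the regression; a comment on the `AppendBlob` line such as `// offset + length wraps to 1 == total_size, which the unchecked comparison accepted.` would make that explicit (the blob size of 1 is inferred from the `memory_usage()` expectation above it). The name `NegativeSlice` is slightly misleading since the offset is an unsigned value near `UINT64_MAX`, not a negative number; `SliceOffsetOverflow` would describe it more precisely. It would also be worth a companion assertion that an in-range slice ending exactly at `total_size()` still builds, so the new `end_byte > ref_entry->total_size()` comparison is covered on its non-rejecting boundary.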