authorAllan Sandfeld Jensen <allan.jensen@qt.io>2017-12-19 13:08:56 +0100
committerAllan Sandfeld Jensen <allan.jensen@qt.io>2017-12-20 10:11:07 +0000
commitecf956cc0aa45a4bb64f32d66e6dac48a0144011 (patch)
tree152ea5532b165f3acfe0b7fac7f6557bf39f5ec1
parent224acc295777ea2cf642842cebbd6df86ad2c888 (diff)
downloadqtwebengine-chromium-ecf956cc0aa45a4bb64f32d66e6dac48a0144011.tar.gz
[Backport] Fix OOB Write in QuicStreamSequencerBuffer::OnStreamData
BUG=778505 TBR=rch@chromium.org Reviewed-on: https://chromium-review.googlesource.com/748282 Reviewed-on: https://chromium-review.googlesource.com/755001 (CVE-2017-15407) Change-Id: Ia563451918e62e5d81d24f1d47c40c5210bb840e Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/net/quic/core/quic_stream_sequencer_buffer.cc8
-rw-r--r--chromium/net/quic/core/quic_stream_sequencer_buffer_test.cc15
2 files changed, 21 insertions, 2 deletions
diff --git a/chromium/net/quic/core/quic_stream_sequencer_buffer.cc b/chromium/net/quic/core/quic_stream_sequencer_buffer.cc
index 3706d38805c..46defd0605f 100644
--- a/chromium/net/quic/core/quic_stream_sequencer_buffer.cc
+++ b/chromium/net/quic/core/quic_stream_sequencer_buffer.cc
@@ -102,7 +102,10 @@ QuicErrorCode QuicStreamSequencerBuffer::OnStreamData(
++current_gap;
}
- DCHECK(current_gap != gaps_.end());
+ if (current_gap == gaps_.end()) {
+ *error_details = "Received stream data outside of maximum range.";
+ return QUIC_INTERNAL_ERROR;
+ }
// "duplication": might duplicate with data alread filled,but also might
// overlap across different QuicStringPiece objects already written.
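Review bot: The new `current_gap == gaps_.end()` check turns a debug-only assumption into a runtime rejection, but nothing at the site says why a DCHECK was insufficient; a why-comment such as `// offset comes from the peer: a value past the final gap must be rejected at runtime, not DCHECKed.` would keep a later maintainer from turning it back into an assertion. The loop that advances current_gap begins outside the hunk, so the exact condition under which it runs off the end cannot be confirmed here; the test in the second file suggests it is an offset at the top of the QuicStreamOffset range. This guard and the one in the second hunk both return QUIC_INTERNAL_ERROR with different messages, so error_details is the only way a caller or test can tell which one fired.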
@@ -138,7 +141,8 @@ QuicErrorCode QuicStreamSequencerBuffer::OnStreamData(
}
// Write beyond the current range this buffer is covering.
- if (offset + size > total_bytes_read_ + max_buffer_capacity_bytes_) {
+ if (offset + size > total_bytes_read_ + max_buffer_capacity_bytes_ ||
+ offset + size < offset) {
*error_details = "Received data beyond available range.";
return QUIC_INTERNAL_ERROR;
}
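Review bot: The added `offset + size < offset` test relies on unsigned wraparound, which is well-defined only if QuicStreamOffset is an unsigned type; a comment should record that, e.g. `// offset is peer-chosen, so offset + size can wrap (unsigned); a wrapped sum is out of range.` This check runs after the gap search in the first hunk and after the duplication handling between the hunks, so if any of that earlier code already computes `offset + size`, the wrap test would be safer placed before it — I cannot confirm the intermediate code from this diff. OnStreamData continues outside this hunk.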
diff --git a/chromium/net/quic/core/quic_stream_sequencer_buffer_test.cc b/chromium/net/quic/core/quic_stream_sequencer_buffer_test.cc
index 88c9a0c391b..344ca583d83 100644
--- a/chromium/net/quic/core/quic_stream_sequencer_buffer_test.cc
+++ b/chromium/net/quic/core/quic_stream_sequencer_buffer_test.cc
@@ -297,6 +297,21 @@ TEST_F(QuicStreamSequencerBufferTest, OnStreamDataBeyondCapacity) {
clock_.ApproximateNow(), &written,
&error_details_));
EXPECT_TRUE(helper_->CheckBufferInvariants());
+
+ // Disallow current_gap != gaps_.end()
+ EXPECT_EQ(QUIC_INTERNAL_ERROR,
+ buffer_->OnStreamData(static_cast<QuicStreamOffset>(-1), source,
+ clock_.ApproximateNow(), &written,
+ &error_details_));
+ EXPECT_TRUE(helper_->CheckBufferInvariants());
+
+ // Disallow offset + size overflow
+ source = "bbb";
+ EXPECT_EQ(QUIC_INTERNAL_ERROR,
+ buffer_->OnStreamData(static_cast<QuicStreamOffset>(-2), source,
+ clock_.ApproximateNow(), &written,
+ &error_details_));
+ EXPECT_TRUE(helper_->CheckBufferInvariants());
EXPECT_EQ(0u, buffer_->BytesBuffered());
}
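Review bot: The comment on the first new assertion, `// Disallow current_gap != gaps_.end()`, states the inverse of what the production code rejects — the new guard returns an error when `current_gap == gaps_.end()`; rewording it as `// Disallow an offset past the final gap (current_gap == gaps_.end())` removes the confusion. Both guards return QUIC_INTERNAL_ERROR, so these EXPECT_EQs cannot tell which one fired; adding `EXPECT_EQ("Received stream data outside of maximum range.", error_details_);` after the first call and `EXPECT_EQ("Received data beyond available range.", error_details_);` after the second would pin each case to its guard. The enclosing TEST_F body starts outside the hunk.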