authorRobert Sesek <rsesek@chromium.org>2023-02-22 18:37:10 -0500
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-04-04 11:25:29 +0000
commitbf140f0d01b873b88c133f13b817ea143366494c (patch)
treebbb3628313e7574c4c67fa8e2b3c168f44e9af92
parentaec0b21eb330283b4c3edd71c3d0b7f8e26e4b61 (diff)
[Backport] CVE-2023-1217: Stack buffer overflow in Crash reporting
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4284559: win: Only process up to EXCEPTION_MAXIMUM_PARAMETERS in an EXCEPTION_RECORD The EXCEPTION_RECORD contains a NumberParameters field, which could store a value that exceeds the amount of space allocated for the ExceptionInformation array. Bug: chromium:1412658 Change-Id: Ibfed8eb6317e28d3addf9215cda7fffc32e1030d Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4284559 Reviewed-by: Alex Gough <ajgo@chromium.org> Commit-Queue: Robert Sesek <rsesek@chromium.org> Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469839 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc8
1 files changed, 7 insertions, 1 deletions
diff --git a/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc b/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc
index 5759652d452..3073829d68f 100644
--- a/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc
+++ b/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc
@@ -14,6 +14,8 @@
#include "snapshot/win/exception_snapshot_win.h"
+#include <algorithm>
+
#include "base/logging.h"
#include "client/crashpad_client.h"
#include "snapshot/capture_memory.h"
@@ -246,8 +248,12 @@ bool ExceptionSnapshotWin::InitializeFromExceptionPointers(
exception_code_ = first_record.ExceptionCode;
exception_flags_ = first_record.ExceptionFlags;
exception_address_ = first_record.ExceptionAddress;
- for (DWORD i = 0; i < first_record.NumberParameters; ++i)
+
+ const DWORD number_parameters = std::min<DWORD>(
+ first_record.NumberParameters, EXCEPTION_MAXIMUM_PARAMETERS);
+ for (DWORD i = 0; i < number_parameters; ++i) {
codes_.push_back(first_record.ExceptionInformation[i]);
+ }
if (first_record.ExceptionRecord) {
// https://crashpad.chromium.org/bug/43
LOG(WARNING) << "dropping chained ExceptionRecord";
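Review bot: The clamp on L33-L34 silently discards the excess when NumberParameters exceeds EXCEPTION_MAXIMUM_PARAMETERS, and nothing in the snapshot records that this happened; since the record presumably comes from the crashed process, an over-large count is itself a sign of a corrupted or untrustworthy EXCEPTION_RECORD that is worth surfacing in the same way the chained-record case on L40 is. I would precede the loop with `if (first_record.NumberParameters > EXCEPTION_MAXIMUM_PARAMETERS) { LOG(WARNING) << "clamping NumberParameters " << first_record.NumberParameters; }` so the truncation is visible in the log, consistent with the file's existing style. A one-line why-comment above the `std::min` would also help the next reader: `// NumberParameters is not trusted; ExceptionInformation has only EXCEPTION_MAXIMUM_PARAMETERS entries.` The enclosing function InitializeFromExceptionPointers starts and ends outside the hunk.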