author | Michael Brüning <michael.bruning@qt.io> | 2019-04-01 15:48:42 +0200 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2019-04-01 17:12:22 +0000 |
commit | be81c3d2eefb9e690690f2f87faec99417f3ca3f (patch) | |
tree | a65df99b6ac6ab392f14c9b6a698dea5d8b86415 /chromium/sandbox | |
parent | bd1c4e1d42c06aad463af62024b81b3773e5b36e (diff) | |
download | qtwebengine-chromium-be81c3d2eefb9e690690f2f87faec99417f3ca3f.tar.gz |
[Backport] Security bug 916874
Backport of patch by Jan Wilken Dörrie <jdoerrie@chromium.org>:
[Sandbox] Fix integer overflow in CreateFromBuffer
This change fixes an integer overflow in
CrossCallParamsEx::CreateFromBuffer, resulting in a fuzzer failure.
Bug: 916874
Change-Id: Ic074f9bfd7038b885edae638b385a5485bb32651
Reviewed-on: https://chromium-review.googlesource.com/c/1393371
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Diffstat (limited to 'chromium/sandbox')
-rw-r--r-- | chromium/sandbox/win/src/crosscall_server.cc | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/chromium/sandbox/win/src/crosscall_server.cc b/chromium/sandbox/win/src/crosscall_server.cc
index 15cfa5f4ea1..d348352e5a5 100644
--- a/chromium/sandbox/win/src/crosscall_server.cc
+++ b/chromium/sandbox/win/src/crosscall_server.cc
@@ -181,19 +181,23 @@ CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base,
     return nullptr;
   }
-  const char* last_byte = &backing_mem[declared_size];
-  const char* first_byte = &backing_mem[min_declared_size];
+  // Here and below we're making use of uintptr_t to have well-defined integer
+  // overflow when doing pointer arithmetic.
+  auto backing_mem_ptr = reinterpret_cast<uintptr_t>(backing_mem);
+  auto last_byte = reinterpret_cast<uintptr_t>(&backing_mem[declared_size]);
+  auto first_byte =
+      reinterpret_cast<uintptr_t>(&backing_mem[min_declared_size]);
   // Verify here that all and each parameters make sense. This is done in the
   // local copy.
   for (uint32_t ix = 0; ix != param_count; ++ix) {
     uint32_t size = 0;
     ArgType type;
-    char* address = reinterpret_cast<char*>(
+    auto address = reinterpret_cast<uintptr_t>(
         copied_params->GetRawParameter(ix, &size, &type));
     if ((!address) ||                               // No null params.
         (INVALID_TYPE >= type) || (LAST_TYPE <= type) ||  // Unknown type.
-        (address < backing_mem) ||  // Start cannot point before buffer.
+        (address < backing_mem_ptr) ||  // Start cannot point before buffer.
         (address < first_byte) ||   // Start cannot point too low.
         (address > last_byte) ||    // Start cannot point past buffer.
         ((address + size) < address) ||  // Invalid size. |