From bf140f0d01b873b88c133f13b817ea143366494c Mon Sep 17 00:00:00 2001
From: Robert Sesek <rsesek@chromium.org>
Date: Wed, 22 Feb 2023 18:37:10 -0500
Subject: [Backport] CVE-2023-1217: Stack buffer overflow in Crash reporting

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4284559:
win: Only process up to EXCEPTION_MAXIMUM_PARAMETERS in an EXCEPTION_RECORD

The EXCEPTION_RECORD contains a NumberParameters field, which could
store a value that exceeds the amount of space allocated for the
ExceptionInformation array.

Bug: chromium:1412658
Change-Id: Ibfed8eb6317e28d3addf9215cda7fffc32e1030d
Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4284559
Reviewed-by: Alex Gough <ajgo@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469839
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
 .../crashpad/crashpad/snapshot/win/exception_snapshot_win.cc      | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc b/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc
index 5759652d452..3073829d68f 100644
--- a/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc
+++ b/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc
@@ -14,6 +14,8 @@
 
 #include "snapshot/win/exception_snapshot_win.h"
 
+#include <algorithm>
+
 #include "base/logging.h"
 #include "client/crashpad_client.h"
 #include "snapshot/capture_memory.h"
@@ -246,8 +248,12 @@ bool ExceptionSnapshotWin::InitializeFromExceptionPointers(
     exception_code_ = first_record.ExceptionCode;
     exception_flags_ = first_record.ExceptionFlags;
     exception_address_ = first_record.ExceptionAddress;
-    for (DWORD i = 0; i < first_record.NumberParameters; ++i)
+
+    const DWORD number_parameters = std::min<DWORD>(
+        first_record.NumberParameters, EXCEPTION_MAXIMUM_PARAMETERS);
+    for (DWORD i = 0; i < number_parameters; ++i) {
       codes_.push_back(first_record.ExceptionInformation[i]);
+    }
     if (first_record.ExceptionRecord) {
       // https://crashpad.chromium.org/bug/43
       LOG(WARNING) << "dropping chained ExceptionRecord";
-- 
cgit v1.2.1