3party/crashpad
0
0
Fork 0
mirror of https://github.com/chromium/crashpad.git synced 2025-03-09 14:06:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

ios: Validate exception code buffer size before read.

Browse Source 
Bug: 1415371
Change-Id: I9e1bd902494a664d4f07829e686803712fa8e7a8
Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4255568
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Justin Cohen <justincohen@chromium.org>
This commit is contained in:
Justin Cohen 2023-02-15 13:02:26 -05:00 committed by Crashpad LUCI CQ
parent c7d9c710f2
commit 0adab59836
4 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
snapshot/BUILD.gn
View File

@ -493,6 +493,7 @@ bundle_data("snapshot_test_ios_data") {
"ios/testdata/crash-1fa088dda0adb41459d063078a0f384a0bb8eefa",
"ios/testdata/crash-5726011582644224",
"ios/testdata/crash-6605504629637120",
"ios/testdata/crash-c44acfcbccd8c7a8",
]
outputs = [ "{{bundle_resources_dir}}/crashpad_test_data/" +

9
snapshot/ios/exception_snapshot_ios_intermediate_dump.cc
View File

@ -175,18 +175,21 @@ bool ExceptionSnapshotIOSIntermediateDump::InitializeFromMachException(
const std::vector<uint8_t>& bytes = code_dump->bytes();
const mach_exception_data_type_t* code =
reinterpret_cast<const mach_exception_data_type_t*>(bytes.data());
if (bytes.size() == 0 || !code) {
if (bytes.size() == 0 ||
bytes.size() % sizeof(mach_exception_data_type_t) != 0 || !code) {
LOG(ERROR) << "Invalid mach exception code.";
} else {
// TODO: rationalize with the macOS implementation.
mach_msg_type_number_t code_count =
bytes.size() / sizeof(mach_exception_data_type_t);
for (mach_msg_type_number_t code_index = 0; code_index < code_count;
++code_index) {
codes_.push_back(code[code_index]);
}
DCHECK_GE(code_count, 1u);
exception_info_ = code[0];
exception_address_ = code[1];
if (code_count >= 2) {
exception_address_ = code[1];
}
}
}

5
snapshot/ios/process_snapshot_ios_intermediate_dump_test.cc
View File

@ -760,6 +760,11 @@ TEST_F(ProcessSnapshotIOSIntermediateDumpTest, FuzzTestCases) {
FILE_PATH_LITERAL("snapshot/ios/testdata/crash-6605504629637120"));
crashpad::internal::ProcessSnapshotIOSIntermediateDump process_snapshot3;
EXPECT_FALSE(process_snapshot3.InitializeWithFilePath(fuzz_path, {}));
fuzz_path = TestPaths::TestDataRoot().Append(
FILE_PATH_LITERAL("snapshot/ios/testdata/crash-c44acfcbccd8c7a8"));
crashpad::internal::ProcessSnapshotIOSIntermediateDump process_snapshot4;
EXPECT_TRUE(process_snapshot4.InitializeWithFilePath(fuzz_path, {}));
}
} // namespace

BIN
snapshot/ios/testdata/crash-c44acfcbccd8c7a8 vendored Normal file
View File

Binary file not shown.