From 385fe6615f1197e0f2e46974e73b9e710f6e5496 Mon Sep 17 00:00:00 2001
From: Mark Mentovai
Date: Fri, 31 Mar 2017 11:48:41 -0400
Subject: [PATCH] posix: DCHECK for (addr + len) overflow in ScopedMmap::ResetAddrLen()

This also enhances ScopedMmapDeathTest.Mprotect to better ensure that ScopedMmap::Mprotect() works properly.

Bug: crashpad:30
Test: crashpad_util_test ScopedMmap*.*
Change-Id: Iff35dba9fa993086f3f4cd8f4a862d802e637bb1
Reviewed-on: https://chromium-review.googlesource.com/464547
Reviewed-by: Joshua Peraza
---
 util/posix/scoped_mmap.cc | 2 ++
 util/posix/scoped_mmap_test.cc | 6 +++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/util/posix/scoped_mmap.cc b/util/posix/scoped_mmap.cc
index f8449b1f..4860cecb 100644
--- a/util/posix/scoped_mmap.cc
+++ b/util/posix/scoped_mmap.cc
@@ -19,6 +19,7 @@
 #include
 #include "base/logging.h"
+#include "base/numerics/safe_math.h"
 namespace {
@@ -56,6 +57,7 @@ bool ScopedMmap::ResetAddrLen(void* addr, size_t len) {
 DCHECK_NE(len, 0u);
 DCHECK_EQ(new_addr % getpagesize(), 0u);
 DCHECK_EQ(len % getpagesize(), 0u);
+ DCHECK((base::CheckedNumeric(new_addr) + (len - 1)).IsValid());
 }
 bool result = true;
diff --git a/util/posix/scoped_mmap_test.cc b/util/posix/scoped_mmap_test.cc
index ea96c65f..0c4787b2 100644
--- a/util/posix/scoped_mmap_test.cc
+++ b/util/posix/scoped_mmap_test.cc
@@ -302,11 +302,15 @@ TEST(ScopedMmapDeathTest, Mprotect) {
 EXPECT_EQ(kPageSize, mapping.len());
 char* addr = mapping.addr_as();
- *addr = 0;
+ *addr = 1;
 ASSERT_TRUE(mapping.Mprotect(PROT_READ));
 EXPECT_DEATH(*addr = 0, "");
+
+ ASSERT_TRUE(mapping.Mprotect(PROT_READ | PROT_WRITE));
+ EXPECT_EQ(1, *addr);
+ *addr = 2;
 }
 } // namespace
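Review bot: The overflow guard added to the else branch of ScopedMmap::ResetAddrLen() is a DCHECK, so in builds where DCHECKs are compiled out a wrapping `new_addr + len` is not caught. Whatever range arithmetic follows `bool result = true;` would then presumably run on a wrapped end address, but that code is outside this hunk. If any caller can pass a length that was not validated earlier, a runtime failure on the existing bool return path would be the safer contract; if the precondition is truly internal, say so in a comment. The `len - 1` also deserves a line such as `// Check the address of the last byte, so a mapping that ends exactly at the top of the address space is accepted; len != 0 is asserted above.`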
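Review bot: The final added statement in ScopedMmapDeathTest.Mprotect, `*addr = 2;`, shows that write access was restored only by not crashing, and nothing reads the value afterwards. Following it with `EXPECT_EQ(2, *addr);`, or adding a comment like `// Must not crash: the page is writable again.`, would make the intent explicit. Separately, nothing in this patch exercises the new overflow DCHECK in ResetAddrLen(). A death test with an address and length pair that wraps, guarded for DCHECK-enabled builds, would keep that check from regressing silently.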