From 4581a355b17e9deae20447cec88c315210f50b7a Mon Sep 17 00:00:00 2001
From: Justin Cohen
Date: Tue, 10 May 2022 12:34:01 -0400
Subject: [PATCH] ios: Limit depth of intermediate dump parser.

Limit the parser stack to 10 to prevent malformed intermediate dumps from causing a stack overflow.

Bug: 1321382
Change-Id: I880e80de585b0fb18f0c383102b9227d6ffbfa76
Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/3637719
Commit-Queue: Justin Cohen
Reviewed-by: Joshua Peraza
---
 snapshot/BUILD.gn | 1 +
 ...ocess_snapshot_ios_intermediate_dump_test.cc | 5 +++++
 snapshot/ios/testdata/crash-6605504629637120 | Bin 0 -> 42751 bytes
 util/ios/ios_intermediate_dump_reader.cc | 6 ++++++
 4 files changed, 12 insertions(+)
 create mode 100644 snapshot/ios/testdata/crash-6605504629637120

diff --git a/snapshot/BUILD.gn b/snapshot/BUILD.gn
index ea2412a0..b3315982 100644
--- a/snapshot/BUILD.gn
+++ b/snapshot/BUILD.gn
@@ -492,6 +492,7 @@ bundle_data("snapshot_test_ios_data") {
   sources = [
     "ios/testdata/crash-1fa088dda0adb41459d063078a0f384a0bb8eefa",
     "ios/testdata/crash-5726011582644224",
+    "ios/testdata/crash-6605504629637120",
   ]
   outputs = [
     "{{bundle_resources_dir}}/crashpad_test_data/" +
diff --git a/snapshot/ios/process_snapshot_ios_intermediate_dump_test.cc b/snapshot/ios/process_snapshot_ios_intermediate_dump_test.cc
index 44a7b775..1a994bdb 100644
--- a/snapshot/ios/process_snapshot_ios_intermediate_dump_test.cc
+++ b/snapshot/ios/process_snapshot_ios_intermediate_dump_test.cc
@@ -679,6 +679,11 @@ TEST_F(ProcessSnapshotIOSIntermediateDumpTest, FuzzTestCases) {
   map = process_snapshot2.AnnotationsSimpleMap();
   ASSERT_TRUE(map.find("crashpad_intermediate_dump_incomplete") != map.end());
   EXPECT_EQ(map["crashpad_intermediate_dump_incomplete"], "yes");
+
+  fuzz_path = TestPaths::TestDataRoot().Append(
+      FILE_PATH_LITERAL("snapshot/ios/testdata/crash-6605504629637120"));
+  crashpad::internal::ProcessSnapshotIOSIntermediateDump process_snapshot3;
+  EXPECT_FALSE(process_snapshot3.InitializeWithFilePath(fuzz_path, {}));
 }
 
 }  // namespace
diff --git a/snapshot/ios/testdata/crash-6605504629637120 b/snapshot/ios/testdata/crash-6605504629637120
new file mode 100644
index 0000000000000000000000000000000000000000..1e041d9021eda5d220ac847f7dbe4a6b8b813e19
GIT binary patch
literal 42751
zcmeI3;c=rd5QR;cNmu!kQqsxIHF6DHbyon#B38&k8*CzEX8AnhAs{5s)7z)jlk?sU zL;ulr{l{(mj>pgUaGb8m^}@B!(zUE!(oQ!wU2H0=_9f@x+S~d?^re!}OMA@DJQ(aeyH(L^uEsz`#8ZP<>QC=B+3misxSO?$%f^9>$xD zSEfXLob7^mZnH-WgyT$vjY)go!++1cn;M`0jy=uK>3J}f49t`{4`CVFc*aCJ^Z47$ zXjy_MgfAu$3J<^l9<)?m_y*tL8>=ee06YK#co2SaKr9do!~(G}x;-2A4N8GhoLDK; z+r%4QAz??ZM7>6S@Ovl!_#1!NiyxfyR`L3#*EuR)P*^eJAq-Zv(wN)9r+QmFI+S{R zs5^lQZih4ujy-JkOE9=G95Ed0#}%xCRj`VMm~a3dfB`(fw$cSWdVn6F2j~HMu-J8I zBAVz-6V=;{zFuNwPkyJ(c~J&chrCw#+>0xE>7J*IFagc-uw46!i_6d9jt zL~+-wSWEA`?yQpH_CsymGi;l6UbPW7V)3d+6V0rFCEtSwVBnAk>5QZEuU^~W{H0ex z0Na^sdm$MJ1B^5>|OZVWojd zA8ia)wbGc|!6*LxTliE71$%H>max%*@hk!Y55NE(v{YXB2H)VDtEKJ6B975!w1ork z01V&(CjV$zF=K#1H078VT+It=SI6=C{FGlyJd!91JWR36fw_}15 zSL#USvoG^WHKMo)XvYcKTGmc`12x>A&#i}0mkpTis+&*}v3Ar_0y^y&Qcs5JwZuLV z8h{40(*Ur366>7_;Z^gUeG8wRAVcOS$sCO*CY{rA2NNK&G+)x&ti}Gwv3l%0w?CSb z&(#mEFY9tJ>qpJ9HR`1$%>!E>SoE=Tak8P=C+w9}C3(%Kx)bW<+ImQmixY$BUfn~h z7X$TLy84)$c6oJ(3NzaF3{J@@W1(&wXnG{aV#a5)U|)u(4=g?`$=f!%x$*E}2>*Yd jJVmm)s_A9*21ShGcY5<-{&eH#t-tmE{`~rT>u>)7l)8-t

literal 0
HcmV?d00001

diff --git a/util/ios/ios_intermediate_dump_reader.cc b/util/ios/ios_intermediate_dump_reader.cc
index 022133bc..d9610f65 100644
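Review bot: The new case only asserts that `InitializeWithFilePath` returns false, and nothing at the call site says why this fixture is expected to be rejected, unlike the preceding cases in the hunk that check the `crashpad_intermediate_dump_incomplete` annotation. A comment above the added block, e.g. `// Nests deeper than the reader's stack limit; must be rejected, not overflow.`, ties the opaque 42751-byte fixture to the limit it exercises so the next person who regenerates test data knows what property to preserve. FuzzTestCases begins outside the hunk.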
--- a/util/ios/ios_intermediate_dump_reader.cc
+++ b/util/ios/ios_intermediate_dump_reader.cc
@@ -70,6 +70,12 @@ bool IOSIntermediateDumpReader::Parse(FileReaderInterface* reader,
   }
 
   while (reader->ReadExactly(&command, sizeof(Command))) {
+    constexpr int kMaxStackDepth = 10;
+    if (stack.size() > kMaxStackDepth) {
+      LOG(ERROR) << "Unexpected depth of intermediate dump data.";
+      return false;
+    }
+
     IOSIntermediateDumpObject* parent = stack.top();
     switch (command) {
       case Command::kMapStart: {
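Review bot: The guard `stack.size() > kMaxStackDepth` only fires on the iteration after the stack has already grown to eleven entries (the push presumably happens in the kMapStart/kArrayStart handling below the hunk), so the effective bound is 11 levels rather than the 10 the commit message states; if a hard limit of 10 nested containers is intended, `if (stack.size() >= kMaxStackDepth) {` matches the message, otherwise the message should say the check is one level lazy. The constant is an `int` compared against a `size_t`; `constexpr size_t kMaxStackDepth = 10;`, placed with the file's other constants rather than inside the loop body, keeps the types aligned and the limit easy to find. Logging the observed depth, `LOG(ERROR) << "Unexpected depth of intermediate dump data: " << stack.size();`, makes a rejected dump easier to triage, and a one-line comment on the constant — e.g. `// Well-formed dumps nest only a few levels; cap the parser stack so a malformed dump cannot grow it without bound.` — records why the number exists. Parse begins and continues outside the hunk, so the push sites and the stack's type are not visible here.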