ios: Properly handle overflows in scoped_vm_read.
Passing -1 (or size_t max) to ScopedVMRead would succeed, because the amount of memory to be read would overflow vm_address_t/vm_size_t and turn into something reasonable. ScopedVMRead would return true having only read a minuscule subset of the requested data length. Bug: 1348341 Change-Id: I061a1d86928f211c541a6378a78ee045d489a838 Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/3791710 Commit-Queue: Justin Cohen <justincohen@chromium.org> Reviewed-by: Mark Mentovai <mark@chromium.org>
This commit is contained in:
parent
4e5cef683a
commit
7b105f83ab
@ -43,6 +43,10 @@ bool ScopedVMReadInternal::Read(const void* data, const size_t data_length) {
|
||||
vm_address_t page_region_address = trunc_page(data_address);
|
||||
vm_size_t page_region_size =
|
||||
round_page(data_address - page_region_address + data_length);
|
||||
if (page_region_size < data_length) {
|
||||
CRASHPAD_RAW_LOG("ScopedVMRead data_length overflow");
|
||||
return false;
|
||||
}
|
||||
kern_return_t kr = vm_read(mach_task_self(),
|
||||
page_region_address,
|
||||
page_region_size,
|
||||
|
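Review bot: The guard `if (page_region_size < data_length)` is correct, but the new lines carry no comment explaining why one comparison is enough: the sum `data_address - page_region_address + data_length` can wrap in the addition, or `round_page()` can wrap to 0 when the sum lands in the last page of the address space, and in both cases the result is smaller than data_length, which is what the comparison detects. I would add above the `if`: `// Both the addition and round_page() can wrap for a huge data_length; either way the result ends up smaller than data_length, so this one comparison catches both.` If the base/numerics checked-arithmetic helpers are already in scope for this file, `base::CheckedNumeric<vm_size_t>` would state the intent directly instead of relying on a post-hoc comparison, but I cannot confirm the include from this hunk. A data_length of 0 passes the guard unchanged and reaches vm_read with a zero- or one-page region; that is pre-existing behavior the commit does not address, but worth a test if callers can hit it. Read() begins before this hunk and continues after it.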
@ -30,6 +30,7 @@ TEST(ScopedVMReadTest, BasicFunctionality) {
|
||||
ASSERT_FALSE(vmread_bad.Read(reinterpret_cast<void*>(0x1000), 100));
|
||||
vm_address_t address = 1;
|
||||
ASSERT_FALSE(vmread_bad.Read(&address, 1000000000));
|
||||
ASSERT_FALSE(vmread_bad.Read(&address, -1));
|
||||
|
||||
// array
|
||||
constexpr char read_me[] = "read me";
|
||||
|
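Review bot: The new assertion `ASSERT_FALSE(vmread_bad.Read(&address, -1));` relies on the implicit conversion of the int literal -1 to the size_t parameter, which hides the value actually under test and trips -Wsign-conversion where that warning is enabled. Spelling it out matches the commit message's "size_t max" and reads as a deliberate boundary: `ASSERT_FALSE(vmread_bad.Read(&address, std::numeric_limits<size_t>::max()));` (needs `<limits>`, which I cannot see from this hunk). Note that a false return from the overflow guard and a false return from a failed vm_read are indistinguishable to ASSERT_FALSE, so as written the test shows the huge length is rejected but not that the new guard is the code path that rejects it; if the logged "ScopedVMRead data_length overflow" message is observable in this test harness, checking for it would pin that down. The TEST body begins before this hunk.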