ios: Properly handle overflows in scoped_vm_read.

Passing -1 (or size_t max) to ScopedVMRead would succeed, because the amount of memory to be read would overflow vm_address_t/vm_size_t and turn into something reasonable. ScopedVMRead would return true having only read a miniscule subset of the requested data length. Bug: 1348341 Change-Id: I061a1d86928f211c541a6378a78ee045d489a838 Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/3791710 Commit-Queue: Justin Cohen <justincohen@chromium.org> Reviewed-by: Mark Mentovai <mark@chromium.org>
2024-12-26 23:01:05 +08:00 · 2022-07-28 21:18:25 -04:00 · 2022-07-28 21:18:25 -04:00 · 7b105f83ab
commit 7b105f83ab
parent 4e5cef683a
2 changed files with 5 additions and 0 deletions
--- a/util/ios/scoped_vm_read.cc
+++ b/util/ios/scoped_vm_read.cc
@ -43,6 +43,10 @@ bool ScopedVMReadInternal::Read(const void* data, const size_t data_length) {
  vm_address_t page_region_address = trunc_page(data_address);
  vm_size_t page_region_size =
      round_page(data_address - page_region_address + data_length);
+  if (page_region_size < data_length) {
+    CRASHPAD_RAW_LOG("ScopedVMRead data_length overflow");
+    return false;
+  }
  kern_return_t kr = vm_read(mach_task_self(),
                             page_region_address,
                             page_region_size,
--- a/util/ios/scoped_vm_read_test.cc
+++ b/util/ios/scoped_vm_read_test.cc
@ -30,6 +30,7 @@ TEST(ScopedVMReadTest, BasicFunctionality) {
  ASSERT_FALSE(vmread_bad.Read(reinterpret_cast<void*>(0x1000), 100));
  vm_address_t address = 1;
  ASSERT_FALSE(vmread_bad.Read(&address, 1000000000));
+  ASSERT_FALSE(vmread_bad.Read(&address, -1));

  // array
  constexpr char read_me[] = "read me";