From eec1e17ab5588680a3e1d4904f5ba497e24f496b Mon Sep 17 00:00:00 2001
From: Scott Graham
Date: Thu, 15 Feb 2018 15:58:08 -0800
Subject: [PATCH] Fix two bugs in memset()ing CrashpadInfo on size mismatch

In trying to clear out the end of info when the alleged size is smaller than the current structure size, we didn't handle the opposite case. We need to continue the rest of Read() to initialize members, but need to make sure not to pass a very large (negative -> size_t) length to memset(). Additionally, I believe it meant to memset from the end of the alleged size, to the end of the local structure, rather than from the beginning of the structure. This repro'd on Fuchsia, but would affect all platforms that use it.

Bug: crashpad:196, crashpad:30
Change-Id: I9c35c834010b5cb26d54156ce8f9bc538dcbf96c
Reviewed-on: https://chromium-review.googlesource.com/923094
Commit-Queue: Scott Graham
Reviewed-by: Joshua Peraza
---
 snapshot/crashpad_types/crashpad_info_reader.cc | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/snapshot/crashpad_types/crashpad_info_reader.cc b/snapshot/crashpad_types/crashpad_info_reader.cc
index ade9931b..dfc438fc 100644
--- a/snapshot/crashpad_types/crashpad_info_reader.cc
+++ b/snapshot/crashpad_types/crashpad_info_reader.cc
@@ -81,7 +81,11 @@ class CrashpadInfoReader::InfoContainerSpecific : public InfoContainer {
 return false;
 }
- memset(reinterpret_cast(&info), 0, sizeof(info) - info.size);
+ if (sizeof(info) > info.size) {
+ memset(reinterpret_cast(&info) + info.size,
+ 0,
+ sizeof(info) - info.size);
+ }
 UnsetIfNotValidTriState(&info.crashpad_handler_behavior);
 UnsetIfNotValidTriState(&info.system_crash_reporter_forwarding);
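Review bot: The new guard `if (sizeof(info) > info.size)` only bounds the upper end of `info.size`, yet both the memset start `reinterpret_cast(&info) + info.size` and the earlier read that populated `info` depend on that value, which is read out of the target process's memory and so must be treated as untrusted; the branch is only safe if the preceding read in Read() copies at most `std::min(sizeof(info), info.size)` bytes into `info` and a lower bound covering the `size` field itself is enforced, and neither check is visible in this hunk. If the earlier read instead copies `info.size` bytes unconditionally, a `size` larger than `sizeof(info)` overflows the local struct before this guard ever runs, so it is worth confirming against the lines above. Whichever way that turns out, the branch should state the invariant it relies on, e.g. `// A size smaller than sizeof(info) means an older CrashpadInfo layout in the target: zero the trailing fields it lacks so they read as defaults. A larger size is a newer layout; this assumes the read above copied at most sizeof(info) bytes, so nothing needs clearing.` The enclosing Read() begins and ends outside the hunk.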