| field | value | date |
|---|---|---|
| author | Robert Sesek <rsesek@chromium.org> | 2023-02-22 18:37:10 -0500 |
| committer | Michael Brüning <michael.bruning@qt.io> | 2023-04-03 15:21:09 +0000 |
| commit | 0bf2239f10b379438b33dd17234d5ff4c1c78aeb (patch) | |
| tree | 99f1d87add27eac625f1f4b37ee04a6147579cc6 | |
| parent | 86258b7611ae643d632f7ca56d4c6dc00faa01d1 (diff) | |
| download | qtwebengine-chromium-0bf2239f10b379438b33dd17234d5ff4c1c78aeb.tar.gz | |
[Backport] CVE-2023-1217: Stack buffer overflow in Crash reporting
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4284559:
win: Only process up to EXCEPTION_MAXIMUM_PARAMETERS in an EXCEPTION_RECORD
The EXCEPTION_RECORD contains a NumberParameters field, which could
store a value that exceeds the amount of space allocated for the
ExceptionInformation array.
Bug: chromium:1412658
Change-Id: Ibfed8eb6317e28d3addf9215cda7fffc32e1030d
Reviewed-on: https://chromium-review.googlesource.com/c/crashpad/crashpad/+/4284559
Reviewed-by: Alex Gough <ajgo@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468172
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc b/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc index 2a70c5c0cea..b8931444ac8 100644 --- a/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc +++ b/chromium/third_party/crashpad/crashpad/snapshot/win/exception_snapshot_win.cc @@ -14,6 +14,8 @@ #include "snapshot/win/exception_snapshot_win.h" +#include <algorithm> + #include "base/logging.h" #include "snapshot/capture_memory.h" #include "snapshot/memory_snapshot.h" @@ -261,8 +263,12 @@ bool ExceptionSnapshotWin::InitializeFromExceptionPointers( exception_code_ = first_record.ExceptionCode; exception_flags_ = first_record.ExceptionFlags; exception_address_ = first_record.ExceptionAddress; - for (DWORD i = 0; i < first_record.NumberParameters; ++i) + + const DWORD number_parameters = std::min<DWORD>( + first_record.NumberParameters, EXCEPTION_MAXIMUM_PARAMETERS); + for (DWORD i = 0; i < number_parameters; ++i) { codes_.push_back(first_record.ExceptionInformation[i]); + } if (first_record.ExceptionRecord) { // https://crashpad.chromium.org/bug/43 LOG(WARNING) << "dropping chained ExceptionRecord"; |
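Review bot: the clamp in the second hunk silently truncates when `first_record.NumberParameters` exceeds `EXCEPTION_MAXIMUM_PARAMETERS`, and an out-of-range count is itself a sign of a corrupted exception record, so consider logging that case before the loop in the same style the hunk already uses for the dropped chained record (`LOG(WARNING) << "dropping chained ExceptionRecord";`), for example `LOG(WARNING) << "NumberParameters " << first_record.NumberParameters << " exceeds EXCEPTION_MAXIMUM_PARAMETERS";`, so a crash snapshot that lost parameters can be told apart from one that never had them. The bound itself is correct: limiting the loop index to the array's declared size keeps `ExceptionInformation[i]` in range, and the explicit `std::min<DWORD>` avoids a signed/unsigned template deduction mismatch between the `DWORD` field and the integer macro. `std::min` requires `<algorithm>`, which the first hunk adds.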