Commit 3749e7b6 authored by Robert Sesek's avatar Robert Sesek Committed by Commit Bot

Fix heap-buffer-overflow in safe_browsing::dmg::HFSBTreeIterator::Next.

The BTree leaf structure contains a length and embedded string. Check
that the length of the embedded string is not larger than node
containing the leaf.

Bug: 776307
Test: Covered by fuzzer.
Change-Id: I2c39c55b42da34bcc8cb26c481e269b66b19811d
Reviewed-on: https://chromium-review.googlesource.com/728084
Reviewed-by: Varun Khaneja <vakh@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#510119}
parent f082fcc5
...@@ -512,6 +512,15 @@ bool HFSBTreeIterator::Next() { ...@@ -512,6 +512,15 @@ bool HFSBTreeIterator::Next() {
GetLeafData<uint16_t>(); // keyLength GetLeafData<uint16_t>(); // keyLength
auto parent_id = OSSwapBigToHostInt32(*GetLeafData<uint32_t>()); auto parent_id = OSSwapBigToHostInt32(*GetLeafData<uint32_t>());
auto key_string_length = OSSwapBigToHostInt16(*GetLeafData<uint16_t>()); auto key_string_length = OSSwapBigToHostInt16(*GetLeafData<uint16_t>());
size_t key_string_end_offset = 0;
if (!base::CheckAdd(current_leaf_offset_, key_string_length)
.AssignIfValid(&key_string_end_offset) ||
key_string_end_offset > leaf_data_.size()) {
DLOG(ERROR) << "Key string length larger than leaf data";
return false;
}
auto* key_string = auto* key_string =
reinterpret_cast<uint16_t*>(&leaf_data_[current_leaf_offset_]); reinterpret_cast<uint16_t*>(&leaf_data_[current_leaf_offset_]);
for (uint16_t i = 0; for (uint16_t i = 0;
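Review bot: The new bound at the `base::CheckAdd` line adds `key_string_length` to `current_leaf_offset_` as if it were a byte count, but the string it guards is read through a `uint16_t*` (the `reinterpret_cast` two lines below), so if the length field counts 16-bit code units the check still admits a string that runs up to `key_string_length` bytes past the end of `leaf_data_`. I am inferring the unit from the cast rather than from anything on the page, so this needs confirming against the key format; if it does count code units, scale before the add, e.g. `size_t key_string_length_bytes = 0;` / `if (!base::CheckMul(key_string_length, sizeof(uint16_t)).AssignIfValid(&key_string_length_bytes) ||` / `!base::CheckAdd(current_leaf_offset_, key_string_length_bytes).AssignIfValid(&key_string_end_offset) ||`, keeping the existing `> leaf_data_.size()` comparison. Either way, a one-line comment on the check stating the unit of `key_string_length` would spare the next reader the same question. HFSBTreeIterator::Next begins and ends outside the hunk, so the loop that consumes the string is not visible here.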