Update Crashpad to ee1d5124a2bfec578a1474b048cf934d92dcf7ba

ee1d5124a2bf Fix incorrect range checks in elf image note reader Bug: 967228, 967257, 967223 Change-Id: I3c6be7ab517b6f4a9c32ad2d607a2587b73d187e TBR: jperaza@chromium.org Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1630230 Commit-Queue: Scott Graham <scottmg@chromium.org> Auto-Submit: Scott Graham <scottmg@chromium.org> Reviewed-by: Scott Graham <scottmg@chromium.org> Cr-Commit-Position: refs/heads/master@{#663924}

Update Crashpad to ee1d5124a2bfec578a1474b048cf934d92dcf7ba
ee1d5124a2bf Fix incorrect range checks in elf image note reader Bug: 967228, 967257, 967223 Change-Id: I3c6be7ab517b6f4a9c32ad2d607a2587b73d187e TBR: jperaza@chromium.org Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1630230 Commit-Queue: Scott Graham <scottmg@chromium.org> Auto-Submit: Scott Graham <scottmg@chromium.org> Reviewed-by: Scott Graham <scottmg@chromium.org> Cr-Commit-Position: refs/heads/master@{#663924}
ffd3a013 · Scott Graham · Commit Bot · a6317a09 · ffd3a013 · ffd3a013
Commit ffd3a013 authored May 28, 2019 by Scott Graham Committed by Commit Bot May 28, 2019
Showing with 33 additions and 8 deletions

third_party/crashpad/README.chromium third_party/crashpad/README.chromium +1 -1

third_party/crashpad/crashpad/snapshot/elf/elf_image_reader.cc ..._party/crashpad/crashpad/snapshot/elf/elf_image_reader.cc +32 -7

No files found.
--- a/third_party/crashpad/README.chromium
+++ b/third_party/crashpad/README.chromium
@@ -2,7 +2,7 @@ Name: Crashpad
 Short Name: crashpad
 URL: https://crashpad.chromium.org/
 Version: unknown
-Revision: daf9f5669eedec1c326dd07f623872c1c4cc01a5
+Revision: ee1d5124a2bfec578a1474b048cf934d92dcf7ba
 License: Apache 2.0
 License File: crashpad/LICENSE
 Security Critical: yes

--- a/third_party/crashpad/crashpad/snapshot/elf/elf_image_reader.cc
+++ b/third_party/crashpad/crashpad/snapshot/elf/elf_image_reader.cc
@@ -22,6 +22,7 @@
 #include <vector>

 #include "base/logging.h"
+#include "base/numerics/safe_math.h"
 #include "build/build_config.h"
 #include "util/numeric/checked_vm_address_range.h"

@@ -277,10 +278,24 @@ ElfImageReader::NoteReader::Result ElfImageReader::NoteReader::ReadNote(
  current_address_ += sizeof(note_info);

  constexpr size_t align = sizeof(note_info.n_namesz);
-#define PAD(x) (((x) + align - 1) & ~(align - 1))
-  size_t padded_namesz = PAD(note_info.n_namesz);
-  size_t padded_descsz = PAD(note_info.n_descsz);
-  size_t note_size = padded_namesz + padded_descsz;
+
+#define CHECKED_PAD(x, into)                                 \
+  base::CheckAnd(base::CheckAdd(x, align - 1), ~(align - 1)) \
+      .AssignIfValid(&into)
+
+  size_t padded_namesz;
+  if (!CHECKED_PAD(note_info.n_namesz, padded_namesz)) {
+    return Result::kError;
+  }
+  size_t padded_descsz;
+  if (!CHECKED_PAD(note_info.n_descsz, padded_descsz)) {
+    return Result::kError;
+  }
+
+  size_t note_size;
+  if (!base::CheckAdd(padded_namesz, padded_descsz).AssignIfValid(&note_size)) {
+    return Result::kError;
+  }

  // Notes typically have 4-byte alignment. However, .note.android.ident may
  // inadvertently use 2-byte alignment.
@@ -289,9 +304,19 @@ ElfImageReader::NoteReader::Result ElfImageReader::NoteReader::ReadNote(
  // but there may be 4-byte aligned notes following it. If this note was
  // aligned at less than 4-bytes, expect that the next note will be aligned at
  // 4-bytes and add extra padding, if necessary.
-  VMAddress end_of_note =
-      std::min(PAD(current_address_ + note_size), segment_end_address_);
-#undef PAD
+
+  VMAddress end_of_note_candidate;
+  if (!base::CheckAdd(current_address_, note_size)
+           .AssignIfValid(&end_of_note_candidate)) {
+    return Result::kError;
+  }
+  VMAddress end_of_note;
+  if (!CHECKED_PAD(end_of_note_candidate, end_of_note)) {
+    return Result::kError;
+  }
+  end_of_note = std::min(end_of_note, segment_end_address_);
+
+#undef CHECKED_PAD

  if (note_size > max_note_size_) {
    current_address_ = end_of_note;