summaryrefslogtreecommitdiffstats
path: root/sandbox/src/crosscall_server.cc
diff options
context:
space:
mode:
authorcpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-20 01:27:20 +0000
committercpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>2010-08-20 01:27:20 +0000
commitaf1e6f59e12fabc8ae8ab1fbb0f0423e42dfadf2 (patch)
treed8e2d84f8b6baeb4bcf7e44cc9f2dcf73bcfbcaf /sandbox/src/crosscall_server.cc
parent0c5970256ba27bbc97d03586646c5931374188ca (diff)
downloadchromium_src-af1e6f59e12fabc8ae8ab1fbb0f0423e42dfadf2.zip
chromium_src-af1e6f59e12fabc8ae8ab1fbb0f0423e42dfadf2.tar.gz
chromium_src-af1e6f59e12fabc8ae8ab1fbb0f0423e42dfadf2.tar.bz2
Revert 56796 - Sbox IPC fix
Tests failing on vista BUG=52682 TEST=included Review URL: http://codereview.chromium.org/3142022 TBR=cpu@chromium.org Review URL: http://codereview.chromium.org/3122031 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@56798 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'sandbox/src/crosscall_server.cc')
-rw-r--r--sandbox/src/crosscall_server.cc43
1 files changed, 19 insertions, 24 deletions
diff --git a/sandbox/src/crosscall_server.cc b/sandbox/src/crosscall_server.cc
index 5063ce6..da43c69 100644
--- a/sandbox/src/crosscall_server.cc
+++ b/sandbox/src/crosscall_server.cc
@@ -85,8 +85,6 @@ void CrossCallParamsEx::operator delete(void* raw_memory) throw() {
CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base,
size_t buffer_size,
size_t* output_size) {
- // IMPORTANT: Everything inside buffer_base and derived from it such
- // as param_count and declared_size is untrusted.
if (NULL == buffer_base) {
return NULL;
}
@@ -96,12 +94,10 @@ CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base,
if (buffer_size > kMaxBufferSize) {
return NULL;
}
-
char* backing_mem = NULL;
size_t param_count = 0;
- size_t declared_size;
- size_t min_declared_size;
CrossCallParamsEx* copied_params = NULL;
+ size_t actual_size;
// Touching the untrusted buffer is done under a SEH try block. This
// will catch memory access violations so we don't crash.
@@ -111,28 +107,30 @@ CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base,
// Check against the minimum size given the number of stated params
// if too small we bail out.
param_count = call_params->GetParamsCount();
-
- min_declared_size =
- sizeof(CrossCallParamsEx) + (param_count * sizeof(ParamInfo));
-
- if (min_declared_size < sizeof(CrossCallParams) ||
- (buffer_size < min_declared_size)) {
- // Integer overflow or computed size bigger than untrusted buffer.
+ if ((buffer_size - sizeof(CrossCallParams)) <
+ (sizeof(ptrdiff_t) * (param_count + 1))) {
+ // This test is subject to integer overflow but the next is not.
return NULL;
}
- declared_size = GetActualBufferSize(param_count, buffer_base);
- if ((declared_size > buffer_size) ||
- (declared_size < min_declared_size)) {
- // declared size is bigger than buffer or smaller than computed size.
+ actual_size = GetActualBufferSize(param_count, buffer_base);
+ if ((actual_size > buffer_size) || (0 == actual_size)) {
+ // It is too big or too many declared parameters.
return NULL;
}
// Now we copy the actual amount of the message.
- *output_size = declared_size;
- backing_mem = new char[declared_size];
- copied_params = reinterpret_cast<CrossCallParamsEx*>(backing_mem);
- memcpy(backing_mem, call_params, declared_size);
+ actual_size += sizeof(ParamInfo); // To get the last offset.
+ *output_size = actual_size;
+ backing_mem = new char[actual_size];
+ memset(backing_mem, 0, actual_size);
+ // Note that this is a placement new.
+#pragma warning(push)
+#pragma warning(disable: 4291) // No matching operator delete.
+ // TODO(cpu): Remove this warning.
+ copied_params = new(backing_mem)CrossCallParamsEx();
+#pragma warning(pop)
+ memcpy(backing_mem, call_params, actual_size);
} __except(EXCEPTION_EXECUTE_HANDLER) {
// In case of a windows exception we know it occurred while touching the
@@ -140,9 +138,7 @@ CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base,
return NULL;
}
- const char* last_byte = &backing_mem[declared_size - 1];
- const char* first_byte = &backing_mem[min_declared_size];
-
+ char* last_byte = &backing_mem[actual_size - 1];
// Verify here that all and each parameters make sense. This is done in the
// local copy.
for (size_t ix =0; ix != param_count; ++ix) {
@@ -153,7 +149,6 @@ CrossCallParamsEx* CrossCallParamsEx::CreateFromBuffer(void* buffer_base,
if ((NULL == address) || // No null params.
(INVALID_TYPE >= type) || (LAST_TYPE <= type) || // Unknown type.
(address < backing_mem) || // Start cannot point before buffer.
- (address < first_byte) || // Start cannot point too low.
(address > last_byte) || // Start cannot point past buffer.
((address + size) < address) || // Invalid size.
((address + size) > last_byte)) { // End cannot point past buffer.
generated by cgit v1.1 at 2025-02-13 10:06:43 +0000