Chromium Code Reviews

Unified Diff: sandbox/win/src/broker_services.cc

Issue 1128903006: Fix a stack overflow in the windows sandbox SpawnTarget function. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 7 months ago
Index: sandbox/win/src/broker_services.cc
diff --git a/sandbox/win/src/broker_services.cc b/sandbox/win/src/broker_services.cc
index 905c5fdde4e809275016f472371f64bb2f48f093..a1c1ed716b96dc30e326c2e4f76d362abe8935eb 100644
--- a/sandbox/win/src/broker_services.cc
+++ b/sandbox/win/src/broker_services.cc
@@ -410,7 +410,14 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
// its |lpValue| parameter persist until |DeleteProcThreadAttributeList| is
// called; StartupInformation's destructor makes such a call.
DWORD64 mitigations;
- HANDLE inherit_handle_list[2];
+
+ HandleList policy_handle_list = policy_base->GetHandlesBeingShared();
+
+ // We allocate space for handles being shared via Policy and 2 additional
+ // handles which are STDOUT and STDERR.
+ scoped_ptr<HANDLE> inherit_handle_list(
+ new HANDLE[policy_handle_list.size() + 2]);
cpu_(ooo_6.6-7.5) 2015/05/11 22:35:45 this is too strange now use std::vector<HANDLE> in
ananta 2015/05/11 22:42:24 Done.
+
base::string16 desktop = policy_base->GetAlternateDesktop();
if (!desktop.empty()) {
startup_info.startup_info()->lpDesktop =
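Review bot: `scoped_ptr<HANDLE> inherit_handle_list(new HANDLE[policy_handle_list.size() + 2])` pairs an array `new[]` with a scalar `scoped_ptr<HANDLE>`, whose destructor will call `delete` rather than `delete[]`, which is undefined behaviour; either use the array form `scoped_ptr<HANDLE[]>` or, as cpu_ already suggests inline, `std::vector<HANDLE>`, which also removes the manual size arithmetic. The replaced fixed-size `HANDLE inherit_handle_list[2]` is the root of the stack overflow named in the CL title, since the later loop appends every handle from `GetHandlesBeingShared()` on top of the two std handles, so the comment above the allocation would read more clearly if it said that the previous array held only the two std handles.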
@@ -436,14 +443,13 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
HANDLE stderr_handle = policy_base->GetStderrHandle();
int inherit_handle_count = 0;
if (stdout_handle != INVALID_HANDLE_VALUE)
- inherit_handle_list[inherit_handle_count++] = stdout_handle;
+ inherit_handle_list.get()[inherit_handle_count++] = stdout_handle;
// Handles in the list must be unique.
if (stderr_handle != stdout_handle && stderr_handle != INVALID_HANDLE_VALUE)
- inherit_handle_list[inherit_handle_count++] = stderr_handle;
+ inherit_handle_list.get()[inherit_handle_count++] = stderr_handle;
- HandleList handle_list = policy_base->GetHandlesBeingShared();
- for (auto handle : handle_list)
- inherit_handle_list[inherit_handle_count++] = handle;
+ for (auto handle : policy_handle_list)
+ inherit_handle_list.get()[inherit_handle_count++] = handle;
if (inherit_handle_count)
++attribute_count;
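Review bot: the `// Handles in the list must be unique.` comment is only enforced between `stderr_handle` and `stdout_handle`; the handles appended from `policy_handle_list` are not checked against either, so a policy handle equal to stdout or stderr would still produce a duplicate entry. Consider either de-duplicating against the std handles in the loop or documenting why `GetHandlesBeingShared()` cannot return them. Once the buffer becomes a `std::vector<HANDLE>`, `inherit_handle_list.get()[inherit_handle_count++] = ...` should become `push_back`, with `size()` replacing the hand-maintained `inherit_handle_count`.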
@@ -468,8 +474,8 @@ ResultCode BrokerServicesBase::SpawnTarget(const wchar_t* exe_path,
if (inherit_handle_count) {
if (!startup_info.UpdateProcThreadAttribute(
PROC_THREAD_ATTRIBUTE_HANDLE_LIST,
- inherit_handle_list,
- sizeof(inherit_handle_list[0]) * inherit_handle_count)) {
+ inherit_handle_list.get(),
+ sizeof(HANDLE) * inherit_handle_count)) {
return SBOX_ERROR_PROC_THREAD_ATTRIBUTES;
}
startup_info.startup_info()->dwFlags |= STARTF_USESTDHANDLES;
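Review bot: `sizeof(HANDLE) * inherit_handle_count` is correct for the current pointer-based buffer, but it is the third place that relies on `inherit_handle_count` matching the number of slots actually written; with a `std::vector<HANDLE>` this would be `inherit_handle_list.data()` and `inherit_handle_list.size() * sizeof(HANDLE)`, so the byte length passed to `UpdateProcThreadAttribute` with `PROC_THREAD_ATTRIBUTE_HANDLE_LIST` can never exceed the allocation.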
