Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(137)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 1130763007: Fix potential UAF in ConcatInPlace. (Closed)

Created:
5 years, 7 months ago by Tom Sepez
Modified:
5 years, 7 months ago
Reviewers:
Lei Zhang
CC:
pdfium-reviews_googlegroups.com
Base URL:
https://pdfium.googlesource.com/pdfium.git@master
Target Ref:
refs/heads/master
Visibility:
Public.

Description

Fix potential UAF in ConcatInPlace. If ConcatCopy somehow gets a zero nNewlen, it returns early, without allocating a new m_Data. ConcatInPlace then frees the old one, leaving m_Data dangling. Also be concerned about the multiplication in the widestring version. So use wmemcpy and let the library cope with it. R=thestig@chromium.org Committed: https://pdfium.googlesource.com/pdfium/+/7f3b99a6a78e524613337f42a99b5634c0ad05f8

Patch Set 1 #

Total comments: 1

Patch Set 2 : Fix merge. #

Patch Set 3 : Fix lastly issue. #

Patch Set 4 : memcpy good enough. #

Patch Set 5 : Restore some code, add Test. #

Patch Set 6 : Add comment before strange looking test. #

Unified diffs Side-by-side diffs Delta from patch set Stats (+68 lines, -10 lines) Patch
M core/include/fxcrt/fx_string.h View 1 2 3 4 2 chunks +2 lines, -0 lines 0 comments Download
M core/src/fxcrt/fx_basic_bstring.cpp View 1 2 3 4 2 chunks +6 lines, -5 lines 0 comments Download
M core/src/fxcrt/fx_basic_bstring_unittest.cpp View 1 2 3 4 5 1 chunk +27 lines, -0 lines 0 comments Download
M core/src/fxcrt/fx_basic_wstring.cpp View 1 2 3 4 2 chunks +6 lines, -5 lines 0 comments Download
M core/src/fxcrt/fx_basic_wstring_unittest.cpp View 1 2 3 4 5 1 chunk +27 lines, -0 lines 0 comments Download

Messages

Total messages: 10 (1 generated)
Tom Sepez
Lei, this looks suspicious.
5 years, 7 months ago (2015-05-14 21:47:42 UTC) #2
Lei Zhang
How do you feel about writing a unit test to trigger this? https://codereview.chromium.org/1130763007/diff/1/core/src/fxcrt/fx_basic_wstring.cpp File core/src/fxcrt/fx_basic_wstring.cpp ...
5 years, 7 months ago (2015-05-14 22:07:55 UTC) #3
Tom Sepez
On 2015/05/14 22:07:55, Lei Zhang wrote: > How do you feel about writing a unit ...
5 years, 7 months ago (2015-05-14 22:19:29 UTC) #4
Lei Zhang
On 2015/05/14 22:19:29, Tom Sepez wrote: > On 2015/05/14 22:07:55, Lei Zhang wrote: > > ...
5 years, 7 months ago (2015-05-14 22:23:55 UTC) #5
Tom Sepez
On 2015/05/14 22:23:55, Lei Zhang wrote: > On 2015/05/14 22:19:29, Tom Sepez wrote: > > ...
5 years, 7 months ago (2015-05-14 23:03:19 UTC) #6
Tom Sepez
OK, I added tests to cover the basic case, plus contrived one to hit the ...
5 years, 7 months ago (2015-05-14 23:14:47 UTC) #7
Lei Zhang
lgtm We don't need to mention wmemmove anymore in the CL description?
5 years, 7 months ago (2015-05-15 09:19:59 UTC) #8
Tom Sepez
On 2015/05/15 09:19:59, Lei Zhang wrote: > lgtm > > We don't need to mention ...
5 years, 7 months ago (2015-05-15 15:39:24 UTC) #9
Tom Sepez
5 years, 7 months ago (2015-05-15 15:44:40 UTC) #10
Message was sent while issue was closed. 
Committed patchset #6 (id:100001) manually as
7f3b99a6a78e524613337f42a99b5634c0ad05f8 (presubmit successful).

Powered by Google App Engine
This is Rietveld 408576698