
Side by Side Diff: chrome/common/safe_browsing/mach_o_image_reader_mac.cc

Issue 1763443002: Protect against recursive processing of the fat header in MachOImageReader. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 4 years, 9 months ago
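--- a/chrome/common/safe_browsing/mach_o_image_reader_mac.cc
+++ b/chrome/common/safe_browsing/mach_o_image_reader_mac.cc
@@ -1,10 +1,10 @@
 // Copyright 2015 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "chrome/common/safe_browsing/mach_o_image_reader_mac.h"
 
 #include <libkern/OSByteOrder.h>
 #include <mach-o/fat.h>
 #include <mach-o/loader.h>
 
@@ -115,20 +115,25 @@
 
 size_t offset = sizeof(*header);
 for (uint32_t i = 0; i < nfat_arch; ++i) {
 const fat_arch* arch = data_->GetPointerAt<fat_arch>(offset);
 if (!arch)
 return false;
 
 uint32_t arch_offset = do_swap ? OSSwapInt32(arch->offset) : arch->offset;
 uint32_t arch_size = do_swap ? OSSwapInt32(arch->size) : arch->size;
 
+// Cannot refer back to headers of previous arches to cause
+// recursive processing.
+if (arch_offset < offset)
+return false;
+
 ByteSlice slice = data_->Slice(arch_offset, arch_size);
 if (!slice.IsValid())
 return false;
 
 fat_images_.push_back(new MachOImageReader());
 if (!fat_images_.back()->Initialize(slice.data(), slice.size()))
 return false;
 
 offset += sizeof(*arch);
 }
@@ -241,10 +246,10 @@
 if (lc_code_signature == nullptr)
 return false;
 
 info->resize(lc_code_signature->datasize);
 return data_->CopyDataAt(lc_code_signature->dataoff,
 lc_code_signature->datasize,
 &(*info)[0]);
 }
 
 } // namespace safe_browsing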
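Review bot: The new guard `if (arch_offset < offset)` compares against the position of the fat_arch entry currently being read, not the end of the whole arch table, so an entry can still hand `Slice()` a range that begins at that entry or inside the later fat_arch records. Comparing against the table end would be tighter, e.g. `if (arch_offset < sizeof(*header) + nfat_arch * sizeof(fat_arch)) return false;` (assuming size_t is 64-bit here so the product cannot wrap). Separately, a slice that itself starts with a fat magic would presumably still be handled as a fat image by the nested `Initialize()` call, so nesting depth appears bounded only by the input size; rejecting fat-in-fat or passing an explicit depth limit would make that bound explicit for untrusted files. The enclosing function starts and ends outside the visible lines, so both points should be checked against the full body.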