| Index: mojo/edk/system/channel.cc
|
| diff --git a/mojo/edk/system/channel.cc b/mojo/edk/system/channel.cc
|
| index a00f0ce0ddc1667278408e305239296e3b9ef512..e802527619f944ff70540c612d2033f84e50867d 100644
|
| --- a/mojo/edk/system/channel.cc
|
| +++ b/mojo/edk/system/channel.cc
|
| @@ -140,7 +140,8 @@ Channel::MessagePtr Channel::Message::Deserialize(const void* data,
|
| return nullptr;
|
| }
|
|
|
| - if (header->num_bytes < header->num_header_bytes) {
|
| + if (header->num_bytes < header->num_header_bytes ||
|
| + header->num_header_bytes < sizeof(Header)) {
|
| DLOG(ERROR) << "Decoding invalid message: " << header->num_bytes << " < "
|
| << header->num_header_bytes;
|
| return nullptr;
|
| @@ -150,10 +151,15 @@ Channel::MessagePtr Channel::Message::Deserialize(const void* data,
|
| #if defined(OS_WIN)
|
| uint32_t max_handles = extra_header_size / sizeof(PlatformHandle);
|
| #elif defined(OS_MACOSX) && !defined(OS_IOS)
|
| + if (extra_header_size < sizeof(MachPortsExtraHeader)) {
|
| + DLOG(ERROR) << "Decoding invalid message: " << extra_header_size << " < "
|
| + << sizeof(MachPortsExtraHeader);
|
| + return nullptr;
|
| + }
|
| uint32_t max_handles = (extra_header_size - sizeof(MachPortsExtraHeader)) /
|
| sizeof(MachPortsEntry);
|
| #endif
|
| - if (header->num_handles > max_handles) {
|
| + if (header->num_handles > max_handles || max_handles > kMaxAttachedHandles) {
|
| DLOG(ERROR) << "Decoding invalid message:" << header->num_handles
|
| << " > " << max_handles;
|
| return nullptr;
|
|
|
Chromium Code Reviews
Issue 2102193002:
[mojo-edk] Fix unchecked header sizes channel messages (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@2743