Chromium Code Reviews

Created: 4 years, 4 months ago by robert.bradford
Modified: 4 years, 4 months ago
Reviewers: oshima
CC: chromium-reviews
Base URL: https://chromium.googlesource.com/chromium/src.git@master
Target Ref: refs/pending/heads/master
Project: chromium
Visibility: Public.
Description:
ui: Fix potential out-of-bounds array access in EDID parser

When checking that the size of the array is sufficient for all
accesses, including the value in the third byte, the header byte was not
taken into consideration.
This bug was found with the fuzzer in: https://crrev.com/2252643003
BUG=638273
TEST=No ASan issues with fuzzer after change; existing unittest passes.
Committed: https://crrev.com/1e7c1a2f73e24fd7cbe6de2dd53bba6ab7b5f05c
Cr-Commit-Position: refs/heads/master@{#412899}
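The class of bug the commit message describes, as an added illustration that is not Chromium's ui/display/util/edid_parser.cc: a CEA-861 data block is one header byte (tag in bits 7..5, payload length in bits 4..0) followed by that many payload bytes, so a size check that adds only the payload length to the block offset is one byte short, and the read of the block's third byte (edid[data_offset + 2], the line the reviewer comment points at) can land one past the end of the buffer. The constant name kPTOverscan is taken from the review comment; the bit positions, the kITOverscan/kCEOverscan names, the helper functions and the sample byte strings are assumptions constructed for this example. A guarded reader reports the out-of-bounds index instead of performing the read, so the pre-fix and fixed checks can be compared on the same truncated input without ASan.

```cpp
// Added example, not Chromium's edid_parser.cc. Constants, helpers and inputs
// are constructed for illustration only.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace edid_example {

// CEA-861 data block layout: byte 0 is the header (bits 7..5 = tag code,
// bits 4..0 = payload length, i.e. the number of bytes AFTER the header).
// For the extended-tag code (7), byte 1 is the extended tag; for the video
// capability block (extended tag 0) byte 2 carries the overscan bits.
constexpr uint8_t kExtendedTag = 0x07;
constexpr uint8_t kVideoCapabilityTag = 0x00;
// Bit positions are assumptions for this example (kPTOverscan is the name
// quoted in the review comment; the values are not taken from the page).
constexpr uint8_t kPTOverscan = 4;
constexpr uint8_t kITOverscan = 2;
constexpr uint8_t kCEOverscan = 0;

enum Result { kNoOverscan, kOverscan, kTruncated, kOutOfBounds };

// Guarded read: instead of touching memory past the end of the buffer (which
// is what ASan reported from the fuzzer), report the out-of-bounds index so a
// test can observe the bug deterministically.
static bool ReadByte(const std::vector<uint8_t>& edid, size_t index,
                     uint8_t* out) {
  if (index >= edid.size())
    return false;
  *out = edid[index];
  return true;
}

// Walks the data block collection in `edid` starting at `data_offset`.
// `header_bytes` is what the size check adds for the block header: 0
// reproduces the pre-fix check, 1 is the fixed check.
static Result ScanForOverscan(const std::vector<uint8_t>& edid,
                              size_t data_offset, size_t header_bytes) {
  while (data_offset < edid.size()) {
    const uint8_t header = edid[data_offset];
    const uint8_t tag = header >> 5;
    const uint8_t payload_length = header & 0x1f;

    // The check under test. The block occupies 1 + payload_length bytes, so
    // the header byte must be counted for edid[data_offset + 2] to be safe.
    if (data_offset + header_bytes + payload_length > edid.size())
      return kTruncated;

    // Byte +2 belongs to this block only if the payload has >= 2 bytes;
    // otherwise skip it rather than read into the next block's header.
    if (tag == kExtendedTag && payload_length >= 2) {
      uint8_t extended_tag = 0;
      uint8_t capability = 0;
      if (!ReadByte(edid, data_offset + 1, &extended_tag))
        return kOutOfBounds;
      if (extended_tag == kVideoCapabilityTag) {
        if (!ReadByte(edid, data_offset + 2, &capability))
          return kOutOfBounds;
        if ((capability & (1 << kPTOverscan)) ||
            (capability & (1 << kITOverscan)) ||
            (capability & (1 << kCEOverscan)))
          return kOverscan;
        return kNoOverscan;
      }
    }
    data_offset += 1 + payload_length;  // header byte plus payload
  }
  return kNoOverscan;
}

Result CheckOverscanBuggy(const std::vector<uint8_t>& edid) {
  return ScanForOverscan(edid, 0, 0);
}

Result CheckOverscanFixed(const std::vector<uint8_t>& edid) {
  return ScanForOverscan(edid, 0, 1);
}

// Constructed inputs (not real EDIDs): just a CEA data block collection.
// A video data block (tag 2, one SVD byte) followed by a video capability
// block whose header promises 2 payload bytes, but the buffer ends after the
// first of them. The pre-fix check accepts it because 2 + 2 <= 4.
const std::vector<uint8_t> kTruncatedBlocks = {0x41, 0x10, 0xE2, 0x00};
// The same collection, complete, with the S_PT overscan bit set.
const std::vector<uint8_t> kCompleteBlocks = {0x41, 0x10, 0xE2, 0x00, 0x10};
// An extended-tag block with a 1-byte payload: too short to hold byte +2,
// so it is skipped rather than read across into the following block.
const std::vector<uint8_t> kShortPayloadBlocks = {0xE1, 0x00, 0x41, 0x10};

}  // namespace edid_example
```

On kTruncatedBlocks the pre-fix check passes and the read of byte +2 goes out of bounds, while the fixed check stops with kTruncated; on a complete block both agree, which is why the existing unit test could not have caught the bug and a fuzzer did. The payload_length >= 2 minimum is a separate check: it keeps a short block from being read as if it were long, which is in bounds but still wrong data.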
Patch Set 1: Add header byte to size check
Messages
Total messages: 18 (11 generated)
The CQ bit was checked by robert.bradford@intel.com to run a CQ dry run
Dry run: CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
robert.bradford@intel.com changed reviewers: + oshima@chromium.org
Hi oshima@ please could you take a look at this?

https://codereview.chromium.org/2249973006/diff/1/ui/display/util/edid_parser.cc
File ui/display/util/edid_parser.cc (right):

https://codereview.chromium.org/2249973006/diff/1/ui/display/util/edid_parser...
ui/display/util/edid_parser.cc:249: if ((edid[data_offset + 2] & (1 << kPTOverscan)) ||
Here is the potential out-of-bounds access.
The CQ bit was unchecked by commit-bot@chromium.org
Dry run: Try jobs failed on following builders: linux_chromium_chromeos_rel_ng on master.tryserver.chromium.linux (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_...)
Description was changed from
==========
ui: Fix potential out-of-bounds array access in EDID parser

The overscan bits are stored in the 3rd byte of the payload block. Therefore it is necessary to check the payload length is at least 3.

This bug was found with the fuzzer in: https://crrev.com/2252643003

BUG=638273
TEST=No ASan issues with fuzzer after change; existing unittest passes.
==========
to
==========
ui: Fix potential out-of-bounds array access in EDID parser

When checking that the size of the array is sufficient for all accesses, including the value in the third byte, the header byte was not taken into consideration.

This bug was found with the fuzzer in: https://crrev.com/2252643003

BUG=638273
TEST=No ASan issues with fuzzer after change; existing unittest passes.
==========
Patchset #1 (id:1) has been deleted
lgtm
The CQ bit was checked by robert.bradford@intel.com
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
The CQ bit was unchecked by commit-bot@chromium.org
Try jobs failed on following builders:
  linux_android_rel_ng on master.tryserver.chromium.android (JOB_FAILED, https://build.chromium.org/p/tryserver.chromium.android/builders/linux_androi...)
  mac_chromium_rel_ng on master.tryserver.chromium.mac (JOB_FAILED, http://build.chromium.org/p/tryserver.chromium.mac/builders/mac_chromium_rel_...)
The CQ bit was checked by robert.bradford@intel.com
CQ is trying da patch. Follow status at https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...
Message was sent while issue was closed.
Committed patchset #1 (id:20001)
Message was sent while issue was closed.
Description was changed from
==========
ui: Fix potential out-of-bounds array access in EDID parser

When checking that the size of the array is sufficient for all accesses, including the value in the third byte, the header byte was not taken into consideration.

This bug was found with the fuzzer in: https://crrev.com/2252643003

BUG=638273
TEST=No ASan issues with fuzzer after change; existing unittest passes.
==========
to
==========
ui: Fix potential out-of-bounds array access in EDID parser

When checking that the size of the array is sufficient for all accesses, including the value in the third byte, the header byte was not taken into consideration.

This bug was found with the fuzzer in: https://crrev.com/2252643003

BUG=638273
TEST=No ASan issues with fuzzer after change; existing unittest passes.

Committed: https://crrev.com/1e7c1a2f73e24fd7cbe6de2dd53bba6ab7b5f05c
Cr-Commit-Position: refs/heads/master@{#412899}
==========
Message was sent while issue was closed.
Patchset 1 (id:??) landed as https://crrev.com/1e7c1a2f73e24fd7cbe6de2dd53bba6ab7b5f05c
Cr-Commit-Position: refs/heads/master@{#412899}
