chrome/utility/safe_browsing/mac/udif.cc - Issue 2314883002: Validate that UDIFBlock data length matches the size and reported number of chunks.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: chrome/utility/safe_browsing/mac/udif.cc

Issue 2314883002: Validate that UDIFBlock data length matches the size and reported number of chunks. (Closed)

Patch Set: Created 4 years, 3 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: chrome/utility/safe_browsing/mac/udif.cc

diff --git a/chrome/utility/safe_browsing/mac/udif.cc b/chrome/utility/safe_browsing/mac/udif.cc

index 9a48efa50023474d0912d0cc2bc151048be8d1e9..22d66c0453dd1ae22a215a9a24ce8c070866bcc8 100644

--- a/chrome/utility/safe_browsing/mac/udif.cc

+++ b/chrome/utility/safe_browsing/mac/udif.cc

@@ -190,7 +190,14 @@ class UDIFBlock {

public:

UDIFBlock() : block_() {}

- bool ParseBlockData(const UDIFBlockData* block_data, uint16_t sector_size) {

+ bool ParseBlockData(const UDIFBlockData* block_data,

+ size_t block_data_size,

+ uint16_t sector_size) {

+ if (block_data_size < sizeof(block_)) {

+ DLOG(ERROR) << "UDIF block data is smaller than expected";

+ return false;

+ }

block_ = *block_data;

ConvertBigEndian(&block_);

@@ -202,6 +209,19 @@ class UDIFBlock {

return false;

}

+ // Make sure the block data contains the reported number of chunks.

+ auto block_and_chunks_size =

+ (base::CheckedNumeric<size_t>(sizeof(UDIFBlockChunk)) *

+ block_.chunk_count) +

+ sizeof(block_);

+ if (!block_and_chunks_size.IsValid() ||

+ block_data_size < block_and_chunks_size.ValueOrDie()) {

+ DLOG(ERROR) << "UDIF block does not contain reported number of chunks, "

+ << block_and_chunks_size.ValueOrDie() << " bytes expected, "

+ << "got " << block_data_size;

+ return false;

+ }

// Make sure that the chunk data isn't larger than the block reports.

base::CheckedNumeric<size_t> chunk_sectors(0);

for (uint32_t i = 0; i < block_.chunk_count; ++i) {

@@ -486,6 +506,7 @@ bool UDIFParser::ParseBlkx() {

std::unique_ptr<UDIFBlock> block(new UDIFBlock());

if (!block->ParseBlockData(

reinterpret_cast<const UDIFBlockData*>(CFDataGetBytePtr(data)),

+ base::checked_cast<size_t>(CFDataGetLength(data)),

block_size_)) {

DLOG(ERROR) << "Failed to parse UDIF block data";

return false;

« no previous file with comments | « chrome/utility/BUILD.gn ('k') | no next file » | no next file with comments »