Support Serializing and Deserializing RepeatedField / RepeatedPtrField in IPC::Message

ipc/ipc_message_utils.h

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef IPC_IPC_MESSAGE_UTILS_H_
 #define IPC_IPC_MESSAGE_UTILS_H_
 
 #include <limits.h>
 #include <stddef.h>
 #include <stdint.h>
@@ skipping 102 matching lines @@
   typedef typename SimilarTypeTraits<P>::Type Type;
   return ParamTraits<Type>::Read(m, iter, reinterpret_cast<Type* >(p));
 }
 
 template <class P>
 static inline void LogParam(const P& p, std::string* l) {
   typedef typename SimilarTypeTraits<P>::Type Type;
   ParamTraits<Type>::Log(static_cast<const Type& >(p), l);
 }
 
+// Checks whether |m| is sufficient to carry |count| elements. This function
+// cannot guarantee the |m| contains valid data to be deserialized. |raw_size|
+// is the size of bytes needed for one element in the memory.
+static inline bool IsPickleSizeSufficient(const base::Pickle* m,

[dcheng, 2017/07/12 08:52:14]

OK, sorry. I think I probably didn't do a good job explaining =/

I think we assume that some code (such as the array operator new[], or things
like calloc()) is written to be overflow safe. So we don't need to change the
serializers for various STL types. This just needs to be implemented for proto
repeated fields which should make things simpler.

[Hzj_jie, 2017/07/13 00:01:03]

This change has been reverted. Instead a bug http://crbug.com/741866 has been
opened to track the issue.

+                                          int count,
+                                          int raw_size) {
+  DCHECK(raw_size > 0);
+  if (count < 0)
+    return false;
+  // Rejects if count * raw_size is overflow. See BUG 1006367 for details.

[dcheng, 2017/07/12 08:52:14]

So we have to spelunk a bit into proto details here. RepeatedPtrField always
contains a void*, so we want to make sure that INT_MAX / sizeof(void*) > count

Similarly, for RepeatedField<Element>, we can check INT_MAX > sizeof(Element).

Does that make sense?

[Hzj_jie, 2017/07/13 00:01:03]

Acknowledged.

+  if (INT_MAX / raw_size < count)
+    return false;
+  // TODO(zijiehe): Find a better way to analyze the minimum bytes needed for
+  // each element in the Pickle. Now we assume the size is 1. Note:
+  // ParamTraits<T> may not implement GetSize() function.
+  if (static_cast<size_t>(count) > m->payload_size())

[dcheng, 2017/07/12 08:52:15]

I think it's OK if we omit this check; the important part is to make sure that
proto's internal buffer size calculation doesn't overflow when it does
sizeof(Element) * new_size in
https://cs.chromium.org/chromium/src/third_party/protobuf/src/google/protobuf...

We don't actually need to check the other bit, as it will naturally fail when we
run out of bytes to read in the pickle.

[Hzj_jie, 2017/07/13 00:01:03]

Acknowledged.

+    return false;
+  return true;
+}
+
+// Checks whether |m| is sufficient to carry |count| * P data.
+template <class P>
+static inline bool IsPickleSizeSufficient(const base::Pickle* m, int count) {
+  return IsPickleSizeSufficient(m, count, sizeof(P));
+}
+
+// Checks whether |m| is sufficient to carry |count| * (A + B) data.
+template <class A, class B>
+static inline bool IsPickleSizeSufficient(const base::Pickle* m, int count) {
+  return IsPickleSizeSufficient(m, count, sizeof(A) + sizeof(B));
+}
+
 // Primitive ParamTraits -------------------------------------------------------
 
 template <>
 struct ParamTraits<bool> {
   typedef bool param_type;
   static void GetSize(base::PickleSizer* sizer, const param_type& p) {
     sizer->AddBool();
   }
   static void Write(base::Pickle* m, const param_type& p) { m->WriteBool(p); }
   static bool Read(const base::Pickle* m,
@@ skipping 287 matching lines @@
     for (size_t i = 0; i < p.size(); i++)
       WriteParam(m, p[i]);
   }
   static bool Read(const base::Pickle* m,
                    base::PickleIterator* iter,
                    param_type* r) {
     int size;
     // ReadLength() checks for < 0 itself.
     if (!iter->ReadLength(&size))
       return false;
-    // Resizing beforehand is not safe, see BUG 1006367 for details.
-    if (INT_MAX / sizeof(P) <= static_cast<size_t>(size))
+    if (!IsPickleSizeSufficient<P>(m, size))
       return false;
     r->resize(size);
     for (int i = 0; i < size; i++) {
       if (!ReadParam(m, iter, &(*r)[i]))
         return false;
     }
     return true;
   }
   static void Log(const param_type& p, std::string* l) {
     for (size_t i = 0; i < p.size(); ++i) {
@@ skipping 18 matching lines @@
     typename param_type::const_iterator iter;
     for (iter = p.begin(); iter != p.end(); ++iter)
       WriteParam(m, *iter);
   }
   static bool Read(const base::Pickle* m,
                    base::PickleIterator* iter,
                    param_type* r) {
     int size;
     if (!iter->ReadLength(&size))
       return false;
+    if (!IsPickleSizeSufficient<P>(m, size))
+      return false;
     for (int i = 0; i < size; ++i) {
       P item;
       if (!ReadParam(m, iter, &item))
         return false;
       r->insert(item);
     }
     return true;
   }
   static void Log(const param_type& p, std::string* l) {
     l->append("<std::set>");
@@ skipping 16 matching lines @@
     typename param_type::const_iterator iter;
     for (iter = p.begin(); iter != p.end(); ++iter) {
       WriteParam(m, iter->first);
       WriteParam(m, iter->second);
     }
   }
   static bool Read(const base::Pickle* m,
                    base::PickleIterator* iter,
                    param_type* r) {
     int size;
-    if (!ReadParam(m, iter, &size) || size < 0)
+    if (!iter->ReadLength(&size))
+      return false;
+    if (!IsPickleSizeSufficient<K, V>(m, size))
       return false;
     for (int i = 0; i < size; ++i) {
       K k;
       if (!ReadParam(m, iter, &k))
         return false;
       V& value = (*r)[k];
       if (!ReadParam(m, iter, &value))
         return false;
     }
     return true;
@@ skipping 370 matching lines @@
       WriteParam(m, iter.second);
     }
   }
   static bool Read(const base::Pickle* m,
                    base::PickleIterator* iter,
                    param_type* r) {
     int size;
     if (!iter->ReadLength(&size))
       return false;
 
+    if (!IsPickleSizeSufficient<Key, Mapped>(m, size))
+      return false;
+
     // Construct by creating in a vector and moving into the flat_map. Properly
     // serialized flat_maps will be in-order so this will be O(n). Incorrectly
     // serialized ones will still be handled properly.
     std::vector<typename param_type::value_type> vect;
     vect.resize(size);
     for (int i = 0; i < size; ++i) {
       if (!ReadParam(m, iter, &vect[i].first))
         return false;
       if (!ReadParam(m, iter, &vect[i].second))
         return false;
@@ skipping 203 matching lines @@
 template <class ReplyParamType>
 inline void LogReplyParamsToMessage(const ReplyParamType& reply_params,
                                     const Message* msg) {}
 
 inline void ConnectMessageAndReply(const Message* msg, Message* reply) {}
 #endif
 
 }  // namespace IPC
 
 #endif  // IPC_IPC_MESSAGE_UTILS_H_