- Make sure to be able to deal with unaligned snapshot buffers

runtime/vm/snapshot.cc

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #include "vm/snapshot.h"
 
 #include "platform/assert.h"
 #include "vm/bigint_operations.h"
 #include "vm/bootstrap.h"
 #include "vm/class_finalizer.h"
@@ skipping 118 matching lines @@
   ASSERT(kHeaderSize == sizeof(Snapshot));
   ASSERT(kLengthIndex == length_offset());
   ASSERT((kSnapshotFlagIndex * sizeof(int64_t)) == kind_offset());
   ASSERT((kHeapObjectTag & kInlined));
   // The kWatchedBit and kMarkBit are only set during GC operations. This
   // allows the two low bits in the header to be used for snapshotting.
   ASSERT(kObjectId ==
          ((1 << RawObject::kWatchedBit) | (1 << RawObject::kMarkBit)));
   ASSERT((kObjectAlignmentMask & kObjectId) == kObjectId);
   const Snapshot* snapshot = reinterpret_cast<const Snapshot*>(raw_memory);
+  // If the raw length is negative or greater than what the local machine can
+  // handle, then signal an error.
+  int64_t snapshot_length = ReadUnaligned(&snapshot->unaligned_length_);
+  if ((snapshot_length < 0) || (snapshot_length > kIntptrMax)) {
+    return NULL;
+  }
   return snapshot;
 }
 
 
 RawSmi* BaseReader::ReadAsSmi() {
   intptr_t value = ReadIntptrValue();
   ASSERT((value & kSmiTagMask) == kSmiTag);
   return reinterpret_cast<RawSmi*>(value);
 }
 
@@ skipping 1486 matching lines @@
     NoGCScope no_gc;
     WriteObject(obj.raw());
     UnmarkAll();
   } else {
     ThrowException(exception_type(), exception_msg());
   }
 }
 
 
 }  // namespace dart