Fix overflow error in breakpad for linux

A computation in the stack unwind algorithm could cause an overflow if a base pointer read from crashed process is sufficiently close to top of address space. This causes a memory read that causes the dump thread to crash, resulting in a failure to generate crash dump. Check fixed to properly detect that this pointer is greater than actual memory range of current stack. Patch by Kyle Joswiak <kjoswiak@chromium.org> Review URL: https://breakpad.appspot.com/3754003/ git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1425 4c0a9323-5329-0410-9bdc-e9ce6186880e
2024-11-24 10:15:39 +01:00 · 2015-02-05 23:01:31 +00:00 · 2015-02-05 23:01:31 +00:00 · 3b7262b0ee
commit 3b7262b0ee
parent c63cf36a13
1 changed files with 4 additions and 4 deletions
--- a/src/client/linux/dump_writer_common/seccomp_unwinder.cc
+++ b/src/client/linux/dump_writer_common/seccomp_unwinder.cc
@ -44,8 +44,8 @@ void SeccompUnwinder::PopSeccompStackFrame(RawContextCPU* cpu,
  uint64_t top = thread.stack.start_of_memory_range;
  for (int i = 4; i--; ) {
    if (bp < top ||
-        bp + sizeof(bp) > thread.stack.start_of_memory_range +
-        thread.stack.memory.data_size ||
+        bp > thread.stack.start_of_memory_range +
+        thread.stack.memory.data_size - sizeof(bp) ||
        bp & 1) {
      break;
    }
@ -107,8 +107,8 @@ void SeccompUnwinder::PopSeccompStackFrame(RawContextCPU* cpu,
  uint32_t top = thread.stack.start_of_memory_range;
  for (int i = 4; i--; ) {
    if (bp < top ||
-        bp + sizeof(bp) > thread.stack.start_of_memory_range +
-        thread.stack.memory.data_size ||
+        bp > thread.stack.start_of_memory_range +
+        thread.stack.memory.data_size - sizeof(bp) ||
        bp & 1) {
      break;
    }