Fix overflow error in breakpad for linux

A computation in the stack unwind algorithm could cause an overflow if a base
pointer read from crashed process is sufficiently close to top of address space.
This causes a memory read that causes the dump thread to crash, resulting in a
failure to generate crash dump. Check fixed to properly detect that this pointer
is greater than actual memory range of current stack.

Patch by Kyle Joswiak <kjoswiak@chromium.org>

Review URL: https://breakpad.appspot.com/3754003/


git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1425 4c0a9323-5329-0410-9bdc-e9ce6186880e
This commit is contained in:
mark@chromium.org 2015-02-05 23:01:31 +00:00
parent c63cf36a13
commit 3b7262b0ee

View file

@ -44,8 +44,8 @@ void SeccompUnwinder::PopSeccompStackFrame(RawContextCPU* cpu,
uint64_t top = thread.stack.start_of_memory_range;
for (int i = 4; i--; ) {
if (bp < top ||
bp + sizeof(bp) > thread.stack.start_of_memory_range +
thread.stack.memory.data_size ||
bp > thread.stack.start_of_memory_range +
thread.stack.memory.data_size - sizeof(bp) ||
bp & 1) {
break;
}
@ -107,8 +107,8 @@ void SeccompUnwinder::PopSeccompStackFrame(RawContextCPU* cpu,
uint32_t top = thread.stack.start_of_memory_range;
for (int i = 4; i--; ) {
if (bp < top ||
bp + sizeof(bp) > thread.stack.start_of_memory_range +
thread.stack.memory.data_size ||
bp > thread.stack.start_of_memory_range +
thread.stack.memory.data_size - sizeof(bp) ||
bp & 1) {
break;
}