author | Jonathan Hao <phao@chromium.org> | 2023-08-03 16:12:56 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-09-14 09:47:42 +0000 |
commit | 3bf928ef51c9ef418de17bc7c4d9ac49ea76a6db (patch) | |
tree | cdd294dd81e4c78d3f70f108271f25fa76258438 | |
parent | 419ccc596a8fe69b071067213efd19be0659e605 (diff) |
[Backport] CVE-2023-4362: Heap buffer overflow in Mojom IDL
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4742429:
Add hardening CHECK in mojojs for large buffers.
Bug: 1316379
Change-Id: I7a3a50cd9c1434cc86b4b2aa45a491c812832a3a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4742429
Auto-Submit: Jonathan Hao <phao@chromium.org>
Reviewed-by: Ken Rockot <rockot@google.com>
Commit-Queue: Ken Rockot <rockot@google.com>
Cr-Commit-Position: refs/heads/main@{#1179071}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/503196
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | chromium/mojo/public/cpp/bindings/lib/message.cc | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/chromium/mojo/public/cpp/bindings/lib/message.cc b/chromium/mojo/public/cpp/bindings/lib/message.cc index 8c489947606..ba0b148adb1 100644 --- a/chromium/mojo/public/cpp/bindings/lib/message.cc +++ b/chromium/mojo/public/cpp/bindings/lib/message.cc @@ -270,7 +270,7 @@ Message::Message(base::span<const uint8_t> payload, void* buffer; uint32_t buffer_size; - DCHECK(base::IsValueInRangeForNumericType<uint32_t>(payload.size())); + CHECK(base::IsValueInRangeForNumericType<uint32_t>(payload.size())); DCHECK(base::IsValueInRangeForNumericType<uint32_t>(handles.size())); MojoAppendMessageDataOptions options; options.struct_size = sizeof(options); |
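Review bot: The range check on `handles.size()` directly below the changed line is still a `DCHECK`, so in builds where DCHECKs are compiled out only the payload size is enforced and the handle count goes unchecked against `uint32_t`. If `handles.size()` is narrowed to `uint32_t` later in this constructor the same way the payload size is, promote that line to `CHECK` as well, or add a short comment explaining why an out-of-range handle count cannot reach this point. A one-line comment above the new `CHECK` noting that it guards the narrowing of `payload.size()` into `buffer_size` would also help keep it from being downgraded back to a `DCHECK` in a later cleanup.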