author | Ken Rockot <rockot@google.com> | 2021-03-31 18:44:06 +0000
committer | Michael Brüning <michael.bruning@qt.io> | 2021-04-01 11:19:10 +0000
commit | 0b6e11fe9681464d5e99082377cae9cd2699a6dd (patch)
tree | 6ff22d10997a9cb3f97ab2e809eab67cc12e6b8c /chromium/ipc/message_view.cc
parent | 1bf155cf60759d4cd2c44655737e3368e086b3f4 (diff)
[Backport] CVE-2021-21198: Out of bounds read in IPC
Partial cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/2779918:
Don't use BigBuffer for IPC::Message transport
M86 merge conflicts and resolution:
* ipc/ipc_message_pipe_reader.cc
Fixed extra include.
(cherry picked from commit 85bd7c88523545ab0e497d5e7b3e929793813358)
(cherry picked from commit fad3b9ffe7c7ff82909d911c573bd185aa3b3b50)
Fixed: 1184399
Change-Id: Iddd91ae8d7ae63022b61c96239f5e39261dfb735
Commit-Queue: Ken Rockot <rockot@google.com>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Original-Original-Commit-Position: refs/heads/master@{#860010}
Auto-Submit: Ken Rockot <rockot@google.com>
Reviewed-by: Adrian Taylor <adetaylor@chromium.org>
Reviewed-by: Alex Gough <ajgo@chromium.org>
Commit-Queue: Alex Gough <ajgo@chromium.org>
Cr-Original-Commit-Position: refs/branch-heads/4389@{#1597}
Cr-Original-Branched-From: 9251c5db2b6d5a59fe4eac7aafa5fed37c139bb7-refs/heads/master@{#843830}
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Reviewed-by: Artem Sumaneev <asumaneev@google.com>
Reviewed-by: Ken Rockot <rockot@google.com>
Auto-Submit: Artem Sumaneev <asumaneev@google.com>
Commit-Queue: Artem Sumaneev <asumaneev@google.com>
Cr-Commit-Position: refs/branch-heads/4240@{#1587}
Cr-Branched-From: f297677702651916bbf65e59c0d4bbd4ce57d1ee-refs/heads/master@{#800218}
Reviewed-by: Jüri Valdmann <juri.valdmann@qt.io>
Diffstat (limited to 'chromium/ipc/message_view.cc')
-rw-r--r-- | chromium/ipc/message_view.cc | 11 |
1 files changed, 2 insertions, 9 deletions
diff --git a/chromium/ipc/message_view.cc b/chromium/ipc/message_view.cc index 49a80878e7a..39c6608dd50 100644 --- a/chromium/ipc/message_view.cc +++ b/chromium/ipc/message_view.cc @@ -11,16 +11,9 @@ namespace IPC { MessageView::MessageView() = default; MessageView::MessageView( - const Message& message, + base::span<const uint8_t> bytes, base::Optional<std::vector<mojo::native::SerializedHandlePtr>> handles) - : buffer_view_(base::make_span(static_cast<const uint8_t*>(message.data()), - message.size())), - handles_(std::move(handles)) {} - -MessageView::MessageView( - mojo_base::BigBufferView buffer_view, - base::Optional<std::vector<mojo::native::SerializedHandlePtr>> handles) - : buffer_view_(std::move(buffer_view)), handles_(std::move(handles)) {} + : bytes_(bytes), handles_(std::move(handles)) {} MessageView::MessageView(MessageView&&) = default; |
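Review bot: the new constructor stores the caller-supplied `base::span<const uint8_t> bytes` directly as `bytes_`, so the lifetime contract that the removed `const Message&` overload satisfied implicitly (the span it built from `message.data()` / `message.size()` was only valid while that `Message` lived) now rests entirely on each call site; a one-line comment on the constructor, or on `bytes_` in message_view.h, stating that the backing storage must outlive the `MessageView` would make that contract visible, since nothing in the hunk enforces it. Two follow-ups worth checking in the rest of the cherry-pick, because this diffstat is limited to message_view.cc: the member rename from `buffer_view_` to `bytes_` and the deletion of the `mojo_base::BigBufferView` overload need matching edits in message_view.h, and every former caller of `MessageView(const Message&, ...)` or `MessageView(BigBufferView, ...)` must now build the span itself, e.g. `base::make_span(static_cast<const uint8_t*>(message.data()), message.size())`, with the `Message` kept alive for as long as the view is used.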