[Pkg-chromium-commit] chromium-browser/chromium-browser.squeeze: 717 [64-bit Linux only] [70376] Medium Out-of-bounds read in pickle
Giuseppe Iuculano
iuculano at debian.org
Thu Mar 3 17:07:18 UTC 2011
Branch name: chromium-browser/chromium-browser.squeeze
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.squeeze
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 717
Revision Id: iuculano at debian.org-20110303170718-8lkil15vkoukw1vv
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : [64-bit Linux only] [70376] Medium Out-of-bounds read in pickle
deserialization. Credit to Evgeniy Stepanov of the Chromium development
community.
--------------------------------------------------------
** Added :
- debian/patches/70376.patch
** Modified :
- debian/changelog
- debian/patches/series
=== modified file 'debian/changelog'
--- a/debian/changelog 2011-03-03 15:37:33 +0000
+++ b/debian/changelog 2011-03-03 17:07:18 +0000
@@ -7,8 +7,11 @@
- [68263] High Stylesheet node stale pointer. Credit to Sergey Glazunov.
- [69640] Medium Out-of-bounds read in text searching. Credit to Kostya
Serebryany of the Chromium development community
+ - [64-bit Linux only] [70376] Medium Out-of-bounds read in pickle
+ deserialization. Credit to Evgeniy Stepanov of the Chromium development
+ community.
- -- Giuseppe Iuculano <iuculano at debian.org> Thu, 03 Mar 2011 16:36:36 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org> Thu, 03 Mar 2011 17:00:14 +0100
chromium-browser (6.0.472.63~r59945-5+squeeze2) stable-security; urgency=high
=== added file 'debian/patches/70376.patch'
--- a/debian/patches/70376.patch 1970-01-01 00:00:00 +0000
+++ b/debian/patches/70376.patch 2011-03-03 17:07:18 +0000
@@ -0,0 +1,42 @@
+--- a/src/base/pickle.cc
++++ b/src/base/pickle.cc
+@@ -406,6 +406,9 @@ const char* Pickle::FindNext(size_t head
+ DCHECK(header_size == AlignInt(header_size, sizeof(uint32)));
+ DCHECK(header_size <= static_cast<size_t>(kPayloadUnit));
+
++ if (static_cast<size_t>(end - start) < sizeof(Header))
++ return NULL;
++
+ const Header* hdr = reinterpret_cast<const Header*>(start);
+ const char* payload_base = start + header_size;
+ const char* payload_end = payload_base + hdr->payload_size;
+--- a/src/base/pickle.h
++++ b/src/base/pickle.h
+@@ -235,6 +235,7 @@ class Pickle {
+
+ FRIEND_TEST_ALL_PREFIXES(PickleTest, Resize);
+ FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNext);
++ FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNextWithIncompleteHeader);
+ FRIEND_TEST_ALL_PREFIXES(PickleTest, IteratorHasRoom);
+ };
+
+--- a/src/base/pickle_unittest.cc
++++ b/src/base/pickle_unittest.cc
+@@ -171,6 +171,17 @@ TEST(PickleTest, FindNext) {
+ EXPECT_TRUE(end == Pickle::FindNext(pickle.header_size_, start, end + 1));
+ }
+
++TEST(PickleTest, FindNextWithIncompleteHeader) {
++ size_t header_size = sizeof(Pickle::Header);
++ scoped_array<char> buffer(new char[header_size - 1]);
++ memset(buffer.get(), 0x1, header_size - 1);
++
++ const char* start = buffer.get();
++ const char* end = start + header_size - 1;
++
++ EXPECT_TRUE(NULL == Pickle::FindNext(header_size, start, end));
++}
++
+ TEST(PickleTest, IteratorHasRoom) {
+ Pickle pickle;
+ EXPECT_TRUE(pickle.WriteInt(1));
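Review bot: The new guard in Pickle::FindNext only ensures that `sizeof(Header)` bytes lie within `[start, end)`, yet the next lines use the caller-supplied `header_size` (bounded only by `kPayloadUnit` in the DCHECK above) to form `payload_base`, so a `header_size` larger than `sizeof(Header)` can still place the header end past `end`. Consider tightening the check to `size_t length = static_cast<size_t>(end - start); if (length < sizeof(Header) || length < header_size) return NULL;` so the whole header is covered. The following line `payload_base + hdr->payload_size` adds an untrusted size read from the buffer to a pointer; unless the remainder of the function compares `hdr->payload_size` against `length - header_size` before forming the pointer, that arithmetic can wrap on a 64-bit target, which is the class of bug this patch is addressing. Since `end - start` is a signed difference cast to `size_t`, a caller passing `end < start` would also pass the check as a huge length; presumably callers guarantee ordering, but a `DCHECK(start <= end)` would make that assumption explicit. The rest of FindNext's body, including how `payload_end` is compared with `end`, is outside this hunk.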
=== modified file 'debian/patches/series'
--- a/debian/patches/series 2011-03-03 15:37:33 +0000
+++ b/debian/patches/series 2011-03-03 17:07:18 +0000
@@ -60,3 +60,4 @@
63732.patch
68263.patch
69640.patch
+70376.patch