[Pkg-chromium-commit] chromium-browser/chromium-browser.squeeze: 717 [64-bit Linux only] [70376] Medium Out-of-bounds read in pickle

Giuseppe Iuculano iuculano at debian.org
Thu Mar 3 17:07:18 UTC 2011


Branch name: chromium-browser/chromium-browser.squeeze
Branch location : bzr+ssh://bzr.debian.org/bzr/pkg-chromium/chromium-browser/chromium-browser.squeeze
Browse location: http://bzr.debian.org/loggerhead/pkg-chromium
Revision No: 717
Revision Id: iuculano at debian.org-20110303170718-8lkil15vkoukw1vv
Committer: Giuseppe Iuculano <iuculano at debian.org>
Message : [64-bit Linux only] [70376] Medium Out-of-bounds read in pickle
deserialization. Credit to Evgeniy Stepanov of the Chromium development
community.


--------------------------------------------------------
  ** Added :
        - debian/patches/70376.patch

  ** Modified :
        - debian/changelog
        - debian/patches/series

=== modified file 'debian/changelog'
--- a/debian/changelog	2011-03-03 15:37:33 +0000
+++ b/debian/changelog	2011-03-03 17:07:18 +0000
@@ -7,8 +7,11 @@
     - [68263] High Stylesheet node stale pointer. Credit to Sergey Glazunov.
     - [69640] Medium Out-of-bounds read in text searching. Credit to Kostya
       Serebryany of the Chromium development community
+    - [64-bit Linux only] [70376] Medium Out-of-bounds read in pickle
+      deserialization. Credit to Evgeniy Stepanov of the Chromium development
+      community.
 
- -- Giuseppe Iuculano <iuculano at debian.org>  Thu, 03 Mar 2011 16:36:36 +0100
+ -- Giuseppe Iuculano <iuculano at debian.org>  Thu, 03 Mar 2011 17:00:14 +0100
 
 chromium-browser (6.0.472.63~r59945-5+squeeze2) stable-security; urgency=high
 

=== added file 'debian/patches/70376.patch'
--- a/debian/patches/70376.patch	1970-01-01 00:00:00 +0000
+++ b/debian/patches/70376.patch	2011-03-03 17:07:18 +0000
@@ -0,0 +1,42 @@
+--- a/src/base/pickle.cc
++++ b/src/base/pickle.cc
+@@ -406,6 +406,9 @@ const char* Pickle::FindNext(size_t head
+   DCHECK(header_size == AlignInt(header_size, sizeof(uint32)));
+   DCHECK(header_size <= static_cast<size_t>(kPayloadUnit));
+ 
++  if (static_cast<size_t>(end - start) < sizeof(Header))
++    return NULL;
++
+   const Header* hdr = reinterpret_cast<const Header*>(start);
+   const char* payload_base = start + header_size;
+   const char* payload_end = payload_base + hdr->payload_size;
+--- a/src/base/pickle.h
++++ b/src/base/pickle.h
+@@ -235,6 +235,7 @@ class Pickle {
+ 
+   FRIEND_TEST_ALL_PREFIXES(PickleTest, Resize);
+   FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNext);
++  FRIEND_TEST_ALL_PREFIXES(PickleTest, FindNextWithIncompleteHeader);
+   FRIEND_TEST_ALL_PREFIXES(PickleTest, IteratorHasRoom);
+ };
+ 
+--- a/src/base/pickle_unittest.cc
++++ b/src/base/pickle_unittest.cc
+@@ -171,6 +171,17 @@ TEST(PickleTest, FindNext) {
+   EXPECT_TRUE(end == Pickle::FindNext(pickle.header_size_, start, end + 1));
+ }
+ 
++TEST(PickleTest, FindNextWithIncompleteHeader) {
++  size_t header_size = sizeof(Pickle::Header);
++  scoped_array<char> buffer(new char[header_size - 1]);
++  memset(buffer.get(), 0x1, header_size - 1);
++
++  const char* start = buffer.get();
++  const char* end = start + header_size - 1;
++
++  EXPECT_TRUE(NULL == Pickle::FindNext(header_size, start, end));
++}
++
+ TEST(PickleTest, IteratorHasRoom) {
+   Pickle pickle;
+   EXPECT_TRUE(pickle.WriteInt(1));
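Review bot: the new guard in pickle.cc casts `end - start` to size_t, so a caller passing end < start yields a huge unsigned value that is not below sizeof(Header) and the `hdr->payload_size` read a few lines later still happens; add a `DCHECK(start <= end)` beside the existing header_size DCHECKs, or compare the ptrdiff_t before casting, so the precondition is explicit. Comparing against sizeof(Header) rather than header_size is correct for what follows, since only hdr->payload_size is dereferenced before payload_base is computed. FindNextWithIncompleteHeader exercises only the header_size - 1 case; a zero-length buffer (start == end) is the other boundary worth a case. The patch file also carries no DEP-3 header (Origin, Bug, Description), which would record where 70376 came from.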

=== modified file 'debian/patches/series'
--- a/debian/patches/series	2011-03-03 15:37:33 +0000
+++ b/debian/patches/series	2011-03-03 17:07:18 +0000
@@ -60,3 +60,4 @@
 63732.patch
 68263.patch
 69640.patch
+70376.patch
