Avoid trusting the length encoded in the Snapshot if there is an

runtime/vm/snapshot.h

 // Copyright (c) 2012, the Dart project authors.  Please see the AUTHORS file
 // for details. All rights reserved. Use of this source code is governed by a
 // BSD-style license that can be found in the LICENSE file.
 
 #ifndef VM_SNAPSHOT_H_
 #define VM_SNAPSHOT_H_
 
 #include "platform/assert.h"
 #include "vm/allocation.h"
 #include "vm/bitfield.h"
@@ skipping 93 matching lines @@
   enum Kind {
     kFull = 0,  // Full snapshot of the current dart heap.
     kScript,    // A partial snapshot of only the application script.
     kMessage,   // A partial snapshot used only for isolate messaging.
   };
 
   static const int kHeaderSize = 2 * sizeof(int32_t);
   static const int kLengthIndex = 0;
   static const int kSnapshotFlagIndex = 1;
 
-  static const Snapshot* SetupFromBuffer(const void* raw_memory);
+  static const int kTrustedLength = -1;
+
+  // Convert a (buffer, buffer_len) to a Snapshot.
+  //
+  // This function will return NULL if buffer_len is less than the
+  // minimum legal size or if buffer_len does not match the length
+  // encoded internally in the buffer.
+  //
+  // If the buffer is coming from a trusted source, you can pass
+  // Snapshot::kTrustedLength to trust the length encoded internally
+  // in the buffer.
+  static const Snapshot* SetupFromBuffer(const void* buffer,
+                                         intptr_t buffer_len);
 
   // Getters.
   const uint8_t* content() const { return content_; }
   int32_t length() const { return length_; }
   Kind kind() const { return static_cast<Kind>(kind_); }
 
   bool IsMessageSnapshot() const { return kind_ == kMessage; }
   bool IsScriptSnapshot() const { return kind_ == kScript; }
   bool IsFullSnapshot() const { return kind_ == kFull; }
   int32_t Size() const { return length_ + sizeof(Snapshot); }
@@ skipping 228 matching lines @@
     WriteIntptrValue(value);
   }
 
   // Write out a buffer of bytes.
   void WriteBytes(const uint8_t* addr, intptr_t len) {
     stream_.WriteBytes(addr, len);
   }
 
   // Finalize the serialized buffer by filling in the header information
   // which comprises of a flag(snaphot kind) and the length of
-  // serialzed bytes.
-  void FinalizeBuffer(Snapshot::Kind kind) {
+  // serialzed bytes.  Returns the total length of the buffer in bytes.
+  intptr_t FinalizeBuffer(Snapshot::Kind kind) {
     int32_t* data = reinterpret_cast<int32_t*>(stream_.buffer());
     data[Snapshot::kLengthIndex] = stream_.bytes_written();
     data[Snapshot::kSnapshotFlagIndex] = kind;
+    return stream_.bytes_written();
   }
 
  protected:
   BaseWriter(uint8_t** buffer, ReAlloc alloc) : stream_(buffer, alloc) {
     ASSERT(buffer != NULL);
     ASSERT(alloc != NULL);
     // Make room for recording snapshot buffer size.
     stream_.set_current(*buffer + Snapshot::kHeaderSize);
   }
   ~BaseWriter() { }
@@ skipping 14 matching lines @@
         class_table_(Isolate::Current()->class_table()),
         forward_list_() {
   }
   ~SnapshotWriter() { }
 
   // Snapshot kind.
   Snapshot::Kind kind() const { return kind_; }
 
   // Finalize the serialized buffer by filling in the header information
   // which comprises of a flag(full/partial snaphot) and the length of
-  // serialzed bytes.
-  void FinalizeBuffer() {
-    BaseWriter::FinalizeBuffer(kind_);
+  // serialzed bytes.  Returns the total bytes written.
+  intptr_t FinalizeBuffer() {
+    intptr_t bytes_written = BaseWriter::FinalizeBuffer(kind_);
     UnmarkAll();
+    return bytes_written;
   }
 
   // Serialize an object into the buffer.
   void WriteObject(RawObject* raw);
 
   // Writes a full snapshot of the Isolate.
-  void WriteFullSnapshot();
+  intptr_t WriteFullSnapshot();
 
   uword GetObjectTags(RawObject* raw);
 
  private:
   class ForwardObjectNode : public ZoneAllocated {
    public:
     ForwardObjectNode(RawObject* raw, uword tags, SerializeState state)
         : raw_(raw), tags_(tags), state_(state) {}
     RawObject* raw() const { return raw_; }
     uword tags() const { return tags_; }
@@ skipping 51 matching lines @@
 class ScriptSnapshotWriter : public SnapshotWriter {
  public:
   ScriptSnapshotWriter(uint8_t** buffer, ReAlloc alloc)
       : SnapshotWriter(Snapshot::kScript, buffer, alloc) {
     ASSERT(buffer != NULL);
     ASSERT(alloc != NULL);
   }
   ~ScriptSnapshotWriter() { }
 
   // Writes a partial snapshot of the script.
-  void WriteScriptSnapshot(const Library& lib);
+  intptr_t WriteScriptSnapshot(const Library& lib);
 
  private:
   DISALLOW_COPY_AND_ASSIGN(ScriptSnapshotWriter);
 };
 
 
 // An object pointer visitor implementation which writes out
 // objects to a snap shot.
 class SnapshotWriterVisitor : public ObjectPointerVisitor {
  public:
@@ skipping 12 matching lines @@
  private:
   SnapshotWriter* writer_;
   bool as_references_;
 
   DISALLOW_COPY_AND_ASSIGN(SnapshotWriterVisitor);
 };
 
 }  // namespace dart
 
 #endif  // VM_SNAPSHOT_H_