
Unified Diff: runtime/vm/snapshot.cc

Issue 10829444: Avoid trusting the length encoded in the Snapshot if there is an (Closed) Base URL: http://dart.googlecode.com/svn/branches/bleeding_edge/dart/
Patch Set: Created 8 years, 4 months ago
Index: runtime/vm/snapshot.cc
===================================================================
--- runtime/vm/snapshot.cc (revision 10993)
+++ runtime/vm/snapshot.cc (working copy)
@@ -107,10 +107,16 @@
// TODO(5411462): Temporary setup of snapshot for testing purposes,
// the actual creation of a snapshot maybe done differently.
-const Snapshot* Snapshot::SetupFromBuffer(const void* raw_memory) {
- ASSERT(raw_memory != NULL);
+const Snapshot* Snapshot::SetupFromBuffer(const void* buffer,
+ intptr_t buffer_len) {
+ ASSERT(buffer != NULL);
ASSERT(kHeaderSize == sizeof(Snapshot));
ASSERT(kLengthIndex == length_offset());
+ if (buffer_len != Snapshot::kTrustedLength &&
+ buffer_len < kHeaderSize) {
+ // The buffer is too short to be a valid message.
+ return NULL;
+ }
ASSERT((kSnapshotFlagIndex * sizeof(int32_t)) == kind_offset());
ASSERT((kHeapObjectTag & kInlined));
// No object can have kFreeBit and kMarkBit set simultaneously. If kFreeBit
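Review bot: The comment above the definition (the TODO at the top of this hunk) still describes SetupFromBuffer as a temporary testing setup and says nothing about the new contract, so a reader cannot tell from here that the function now returns NULL for an implausible length or that passing kTrustedLength skips every length check. I would extend it with `// Validates |buffer| as a snapshot. Unless |buffer_len| is kTrustedLength, returns NULL when the buffer is shorter than the header or its length differs from the snapshot's encoded length.` The header-size guard is placed before the encoded length is read in the next hunk, so a buffer shorter than sizeof(Snapshot) is not dereferenced through the Snapshot pointer. SetupFromBuffer's body continues beyond this hunk.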
@@ -119,7 +125,13 @@
ASSERT(kObjectId ==
((1 << RawObject::kFreeBit) | (1 << RawObject::kMarkBit)));
ASSERT((kObjectAlignmentMask & kObjectId) == kObjectId);
- const Snapshot* snapshot = reinterpret_cast<const Snapshot*>(raw_memory);
+ const Snapshot* snapshot = reinterpret_cast<const Snapshot*>(buffer);
+ if (buffer_len != Snapshot::kTrustedLength &&
+ buffer_len != snapshot->length()) {
+ // There is a mismatch between the buffer length and the
+ // snapshot's internal length.
+ return NULL;
+ }
return snapshot;
}
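Review bot: The predicate `buffer_len != Snapshot::kTrustedLength` is now written twice, here and in the header-size guard of the previous hunk; hoisting it into one named local such as `const bool check_length = (buffer_len != Snapshot::kTrustedLength);` keeps the two guards from drifting apart and makes the bypass visible at a single point. Both checks are only as strong as the length the caller supplies: a call site that passes kTrustedLength gets no validation at all, so any caller handing in a buffer that was not produced in-process should pass the real received length; the call sites are not on this page, so I cannot confirm they do. The value of kTrustedLength is also not shown; if it is a negative sentinel, the `buffer_len < kHeaderSize` guard additionally rejects every other negative length, which deserves a short comment so nobody later "fixes" it to an unsigned comparison.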
@@ -837,7 +849,7 @@
}
-void SnapshotWriter::WriteFullSnapshot() {
+intptr_t SnapshotWriter::WriteFullSnapshot() {
ASSERT(kind_ == Snapshot::kFull);
Isolate* isolate = Isolate::Current();
ASSERT(isolate != NULL);
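Review bot: WriteFullSnapshot now returns an intptr_t, but neither this hunk nor the matching change to WriteScriptSnapshot in the last hunk says what the value means; presumably it is the finalized buffer length from FinalizeBuffer(), whose return type is not visible here. If that is the case, a one-line comment above each definition, such as `// Returns the length of the finalized snapshot buffer.`, would tie the new return value to the length check that Snapshot::SetupFromBuffer now performs and make it clear that callers are expected not to discard it. WriteFullSnapshot's body continues past this hunk into the next one.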
@@ -853,7 +865,7 @@
WriteForwardedObjects();
// Finalize the snapshot buffer.
- FinalizeBuffer();
+ return FinalizeBuffer();
}
@@ -1104,14 +1116,14 @@
}
-void ScriptSnapshotWriter::WriteScriptSnapshot(const Library& lib) {
+intptr_t ScriptSnapshotWriter::WriteScriptSnapshot(const Library& lib) {
ASSERT(kind() == Snapshot::kScript);
// Write out the library object.
WriteObject(lib.raw());
// Finalize the snapshot buffer.
- FinalizeBuffer();
+ return FinalizeBuffer();
}
