commit a7b621f8107a94d8cdcd49d49bca645aa3bae098
author Joshua Peraza <jperaza@chromium.org> Mon Apr 27 14:58:17 2020 -0700
committer Joshua Peraza <jperaza@chromium.org> Mon Apr 27 23:33:35 2020 +0000
tree 3bf2f9606db55f36cd8eae68e2f7d9885942c83f
parent a2d3e8b2d5f8f3de06eefec50566c9a54d7cf0a6

processor: Bound number of exception parameters read

Bug: 1074532
Change-Id: I769074d7cbe0a47c8c8b716275d815e4b7f6dd63
Reviewed-on: https://chromium-review.googlesource.com/c/breakpad/breakpad/+/2168816
Reviewed-by: Ivan Penkov <ivanpe@chromium.org>

src/google_breakpad/common/minidump_format.h

diff --git a/src/google_breakpad/common/minidump_format.h b/src/google_breakpad/common/minidump_format.h
index 6eceddb..7b36d11 100644
--- a/src/google_breakpad/common/minidump_format.h
+++ b/src/google_breakpad/common/minidump_format.h
@@ -529,7 +529,7 @@
                                                        memory_ranges[0]);
 
 
-#define MD_EXCEPTION_MAXIMUM_PARAMETERS 15
+#define MD_EXCEPTION_MAXIMUM_PARAMETERS 15u
 
 typedef struct {
   uint32_t  exception_code;     /* Windows: MDExceptionCodeWin,

src/processor/minidump_processor.cc

diff --git a/src/processor/minidump_processor.cc b/src/processor/minidump_processor.cc
index 4ea4cb7..a90e618 100644
--- a/src/processor/minidump_processor.cc
+++ b/src/processor/minidump_processor.cc
@@ -31,6 +31,7 @@
 
 #include <assert.h>
 
+#include <algorithm>
 #include <string>
 
 #include "common/scoped_ptr.h"
@@ -128,8 +129,10 @@
     process_state->exception_record_.set_nested_exception_record_address(
         exception->exception()->exception_record.exception_record);
     process_state->exception_record_.set_address(process_state->crash_address_);
-    for (uint32_t i = 0;
-         i < exception->exception()->exception_record.number_parameters; i++) {
+    const uint32_t num_parameters =
+        std::min(exception->exception()->exception_record.number_parameters,
+                 MD_EXCEPTION_MAXIMUM_PARAMETERS);
+    for (uint32_t i = 0; i < num_parameters; ++i) {
       process_state->exception_record_.add_parameter(
           exception->exception()->exception_record.exception_information[i],
           // TODO(ivanpe): Populate description.

src/processor/synth_minidump.cc

diff --git a/src/processor/synth_minidump.cc b/src/processor/synth_minidump.cc
index aa86d24..5e72c16 100644
--- a/src/processor/synth_minidump.cc
+++ b/src/processor/synth_minidump.cc
@@ -332,7 +332,7 @@
   D64(exception_address);
   D32(0);  // number_parameters
   D32(0);  // __align
-  for (int i = 0; i < MD_EXCEPTION_MAXIMUM_PARAMETERS; ++i)
+  for (size_t i = 0; i < MD_EXCEPTION_MAXIMUM_PARAMETERS; ++i)
     D64(0);  // exception_information
   context.CiteLocationIn(this);
   assert(Size() == sizeof(MDRawExceptionStream));