authormark@chromium.org <mark@chromium.org>2015-02-05 23:01:31 +0000
committermark@chromium.org <mark@chromium.org>2015-02-05 23:01:31 +0000
commit3b7262b0ee785bef06d3e458cb13c736fc0b8da8 (patch)
tree7f96d812bedeefe736120ae87d6f72f059714bd1
parentAdd unit tests for overlapping functions and externs. (diff)
downloadbreakpad-3b7262b0ee785bef06d3e458cb13c736fc0b8da8.tar.xz
Fix overflow error in breakpad for linux
A computation in the stack unwind algorithm could cause an overflow if a base pointer read from crashed process is sufficiently close to top of address space. This causes a memory read that causes the dump thread to crash, resulting in a failure to generate crash dump. Check fixed to properly detect that this pointer is greater than actual memory range of current stack. Patch by Kyle Joswiak <kjoswiak@chromium.org> Review URL: https://breakpad.appspot.com/3754003/ git-svn-id: http://google-breakpad.googlecode.com/svn/trunk@1425 4c0a9323-5329-0410-9bdc-e9ce6186880e
-rw-r--r--src/client/linux/dump_writer_common/seccomp_unwinder.cc8
1 files changed, 4 insertions, 4 deletions
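diff --git a/src/client/linux/dump_writer_common/seccomp_unwinder.cc b/src/client/linux/dump_writer_common/seccomp_unwinder.cc
index 49971557..241bf1b0 100644
--- a/src/client/linux/dump_writer_common/seccomp_unwinder.cc
+++ b/src/client/linux/dump_writer_common/seccomp_unwinder.cc
@@ -44,8 +44,8 @@ void SeccompUnwinder::PopSeccompStackFrame(RawContextCPU* cpu,
 uint64_t top = thread.stack.start_of_memory_range;
 for (int i = 4; i--; ) {
 if (bp < top ||
- bp + sizeof(bp) > thread.stack.start_of_memory_range +
- thread.stack.memory.data_size ||
+ bp > thread.stack.start_of_memory_range +
+ thread.stack.memory.data_size - sizeof(bp) ||
 bp & 1) {
 break;
 }
@@ -107,8 +107,8 @@ void SeccompUnwinder::PopSeccompStackFrame(RawContextCPU* cpu,
 uint32_t top = thread.stack.start_of_memory_range;
 for (int i = 4; i--; ) {
 if (bp < top ||
- bp + sizeof(bp) > thread.stack.start_of_memory_range +
- thread.stack.memory.data_size ||
+ bp > thread.stack.start_of_memory_range +
+ thread.stack.memory.data_size - sizeof(bp) ||
 bp & 1) {
 break;
 }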
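Review bot: The rewritten bound on the `+` lines of both hunks (the first at @@ -44 and the same lines again at @@ -107) should carry a comment saying why it is written as `end - sizeof(bp)` instead of `bp + sizeof(bp) > end`, because the two forms read as interchangeable and a later "simplification" would silently reintroduce the wrap-around this commit fixes. Suggested comment above the `if`: `// Compare bp against (end - sizeof(bp)) rather than computing bp + sizeof(bp): bp is read from the crashed process and may sit near the top of the address space, where the addition wraps and would pass the check.` The new form is only sound while the subtraction itself cannot underflow; if `thread.stack.memory.data_size` is smaller than `sizeof(bp)` the bound falls below `start_of_memory_range`, which — assuming the expression is evaluated in the width of `start_of_memory_range` (the field types are not visible in the hunk) — still rejects every `bp >= top`, the safe direction, and that is worth stating in the same comment. The check is duplicated verbatim in the two architecture branches, so a small helper taking the stack descriptor and `bp` would keep the 64-bit and 32-bit paths from drifting apart again. PopSeccompStackFrame begins and ends outside both hunks.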