From a7b621f8107a94d8cdcd49d49bca645aa3bae098 Mon Sep 17 00:00:00 2001
From: Joshua Peraza <jperaza@chromium.org>
Date: Mon, 27 Apr 2020 14:58:17 -0700
Subject: processor: Bound number of exception parameters read

Bug: 1074532
Change-Id: I769074d7cbe0a47c8c8b716275d815e4b7f6dd63
Reviewed-on: https://chromium-review.googlesource.com/c/breakpad/breakpad/+/2168816
Reviewed-by: Ivan Penkov <ivanpe@chromium.org>
---
 src/google_breakpad/common/minidump_format.h | 2 +-
 src/processor/minidump_processor.cc          | 7 +++++--
 src/processor/synth_minidump.cc              | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/src/google_breakpad/common/minidump_format.h b/src/google_breakpad/common/minidump_format.h
index 6eceddbb..7b36d112 100644
--- a/src/google_breakpad/common/minidump_format.h
+++ b/src/google_breakpad/common/minidump_format.h
@@ -529,7 +529,7 @@ static const size_t MDRawMemoryList_minsize = offsetof(MDRawMemoryList,
                                                        memory_ranges[0]);
 
 
-#define MD_EXCEPTION_MAXIMUM_PARAMETERS 15
+#define MD_EXCEPTION_MAXIMUM_PARAMETERS 15u
 
 typedef struct {
   uint32_t  exception_code;     /* Windows: MDExceptionCodeWin,
diff --git a/src/processor/minidump_processor.cc b/src/processor/minidump_processor.cc
index 4ea4cb70..a90e6188 100644
--- a/src/processor/minidump_processor.cc
+++ b/src/processor/minidump_processor.cc
@@ -31,6 +31,7 @@
 
 #include <assert.h>
 
+#include <algorithm>
 #include <string>
 
 #include "common/scoped_ptr.h"
@@ -128,8 +129,10 @@ ProcessResult MinidumpProcessor::Process(
     process_state->exception_record_.set_nested_exception_record_address(
         exception->exception()->exception_record.exception_record);
     process_state->exception_record_.set_address(process_state->crash_address_);
-    for (uint32_t i = 0;
-         i < exception->exception()->exception_record.number_parameters; i++) {
+    const uint32_t num_parameters =
+        std::min(exception->exception()->exception_record.number_parameters,
+                 MD_EXCEPTION_MAXIMUM_PARAMETERS);
+    for (uint32_t i = 0; i < num_parameters; ++i) {
       process_state->exception_record_.add_parameter(
           exception->exception()->exception_record.exception_information[i],
           // TODO(ivanpe): Populate description.
diff --git a/src/processor/synth_minidump.cc b/src/processor/synth_minidump.cc
index aa86d248..5e72c161 100644
--- a/src/processor/synth_minidump.cc
+++ b/src/processor/synth_minidump.cc
@@ -332,7 +332,7 @@ Exception::Exception(const Dump &dump,
   D64(exception_address);
   D32(0);  // number_parameters
   D32(0);  // __align
-  for (int i = 0; i < MD_EXCEPTION_MAXIMUM_PARAMETERS; ++i)
+  for (size_t i = 0; i < MD_EXCEPTION_MAXIMUM_PARAMETERS; ++i)
     D64(0);  // exception_information
   context.CiteLocationIn(this);
   assert(Size() == sizeof(MDRawExceptionStream));
-- 
cgit v1.2.1