Kernel: Fix possible buffer overrun when scanning a MappedROM

If the length of the prefix was less than the chunk_size argument
we were potentially reading past the mapped memory region.
Tom 2022-01-02 16:25:08 -07:00 committed by Linus Groh
parent e70aa690d2
commit 190572b714
Notes: sideshowbarker 2024-07-17 21:41:23 +09:00


@ -23,7 +23,10 @@ public:
Optional<PhysicalAddress> find_chunk_starting_with(StringView prefix, size_t chunk_size) const Optional<PhysicalAddress> find_chunk_starting_with(StringView prefix, size_t chunk_size) const
{ {
for (auto* candidate = base(); candidate < end(); candidate += chunk_size) { auto prefix_length = prefix.length();
if (size < prefix_length)
return {};
for (auto* candidate = base(); candidate <= end() - prefix_length; candidate += chunk_size) {
if (!__builtin_memcmp(prefix.characters_without_null_termination(), candidate, prefix.length())) if (!__builtin_memcmp(prefix.characters_without_null_termination(), candidate, prefix.length()))
return paddr_of(candidate); return paddr_of(candidate);
} }