search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
(parent: f1da29a) | patch
Fix memory smashing on the sandbox PolicyRule
commite1d363c023d08ef59f6828e5124fcc957f1143b5
authorcpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Wed, 14 Nov 2012 02:22:36 +0000 (14 02:22 +0000)
committercpu@chromium.org <cpu@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>
Wed, 14 Nov 2012 02:22:36 +0000 (14 02:22 +0000)
tree16001d6d3fa3cb50e0e8f7074885b933a14d9659tree | snapshot (tar.gz zip)
parentf1da29a3f857ace298bed2a5e19a174d58916b75commit | diff
Fix memory smashing on the sandbox PolicyRule

PolicyRule copy ctor was not taking into account that the source policy rule
could be using some 'constants' memory at the bottom, so adding further
opcodes to the new policy rule would overwrite the copied ones.

In other words, this pattern

PolicyRule pr_orig(ASK_BROKER);
pr_orig.AddStringMatch(...);
PolicyRule pr_copy(pr_orig);
pr_copy.AddStringMatch(...);

Was broken. This was not impacting the chrome sbox code because we don't
mutate the new rule after copy construction.

Acknoledgments to Ashutosh Mehra from Adobe Corp for pointing the bug
and providing a test case.

BUG=160890
TEST=new unittest added
Review URL: https://codereview.chromium.org/11275301

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@167571 0039d316-1c4b-4281-b951-d872f2087c98
sandbox/win/src/policy_engine_opcodes.h diff | blob | blame | history
sandbox/win/src/policy_low_level.cc diff | blob | blame | history
sandbox/win/src/policy_low_level_unittest.cc diff | blob | blame | history