This is an automated email from the git hooks/post-receive script. richard pushed a commit to branch tor-browser-91.8.0esr-11.0-1 in repository tor-browser. commit e006c0b0d909f8a5715d3ad55c47ce626e70473e Author: Nika Layzell <nika@thelayzells.com> AuthorDate: Mon Mar 21 14:37:50 2022 +0000 Bug 1757805 - Add additional assertions around shmem size, r=ipc-reviewers,handyman a=RyanVM Differential Revision: https://phabricator.services.mozilla.com/D140097 --- ipc/glue/Shmem.cpp | 10 ++++++++++ ipc/glue/Shmem.h | 7 ------- 2 files changed, 10 insertions(+), 7 deletions(-) diff --git a/ipc/glue/Shmem.cpp b/ipc/glue/Shmem.cpp index 00bec892fabe5..7bcd4c7709134 100644 --- a/ipc/glue/Shmem.cpp +++ b/ipc/glue/Shmem.cpp @@ -241,6 +241,9 @@ Shmem::Shmem(PrivateIPDLCaller, SharedMemory* aSegment, id_t aId) mSize = static_cast<size_t>(header->mSize); size_t pageSize = SharedMemory::SystemPageSize(); + MOZ_ASSERT(mSegment->Size() - (2 * pageSize) >= mSize, + "illegal size in shared memory segment"); + // transition into the "mapped" state by protecting the front and // back sentinels (which guard against buffer under/overflows) mSegment->Protect(frontSentinel, pageSize, RightsNone); @@ -373,6 +376,13 @@ void Shmem::Dealloc(PrivateIPDLCaller, SharedMemory* aSegment) { #else // !defined(DEBUG) +Shmem::Shmem(PrivateIPDLCaller, SharedMemory* aSegment, id_t aId) + : mSegment(aSegment), mData(aSegment->memory()), mSize(0), mId(aId) { + mSize = static_cast<size_t>(*PtrToSize(mSegment)); + MOZ_RELEASE_ASSERT(mSegment->Size() - sizeof(uint32_t) >= mSize, + "illegal size in shared memory segment"); +} + // static already_AddRefed<Shmem::SharedMemory> Shmem::Alloc(PrivateIPDLCaller, size_t aNBytes, diff --git a/ipc/glue/Shmem.h b/ipc/glue/Shmem.h index 48a3779d2c286..cb0bb024f8c3c 100644 --- a/ipc/glue/Shmem.h +++ b/ipc/glue/Shmem.h @@ -84,14 +84,7 @@ class Shmem final { Shmem(const Shmem& aOther) = default; -#if !defined(DEBUG) - Shmem(PrivateIPDLCaller, SharedMemory* aSegment, id_t aId) - : mSegment(aSegment), mData(aSegment->memory()), mSize(0), mId(aId) { - mSize = static_cast<size_t>(*PtrToSize(mSegment)); - } -#else Shmem(PrivateIPDLCaller, SharedMemory* aSegment, id_t aId); -#endif ~Shmem() { // Shmem only holds a "weak ref" to the actual segment, which is -- To stop receiving notification emails like this one, please contact the administrator of this repository.