# HG changeset patch
# User Tom Ritter <tom@mozilla.com>
# Date 1528394907 18000
#      Thu Jun 07 13:08:27 2018 -0500
# Node ID ffb6c5c06905538fb887464e9553e7b47cdf7575
# Parent  1987e062f1e5bf2998bb8e9d96353c5ccb0cc281
Bug 1461421 Use OffsetOf to calculate the location of parameters_ rather than making assumptions about the parent class r?bobowen

MozReview-Commit-ID: D7REZiAIMpN

diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h
--- a/security/sandbox/chromium/sandbox/win/src/crosscall_params.h
+++ b/security/sandbox/chromium/sandbox/win/src/crosscall_params.h
@@ -78,16 +78,17 @@ union MultiType {
   ULONG_PTR ulong_ptr;
 };
 
 // Maximum number of IPC parameters currently supported.
 // To increase this value, we have to:
 //  - Add another Callback typedef to Dispatcher.
 //  - Add another case to the switch on SharedMemIPCServer::InvokeCallback.
 //  - Add another case to the switch in GetActualAndMaxBufferSize
+//  - Add another case to the switch in GetMinDeclaredActualCallParamsSize
 const int kMaxIpcParams = 9;
 
 // Contains the information about a parameter in the ipc buffer.
 struct ParamInfo {
   ArgType type_;
   uint32_t offset_;
   uint32_t size_;
 };
@@ -287,16 +288,18 @@ class ActualCallParams : public CrossCal
  protected:
   ActualCallParams() : CrossCallParams(IpcTag::UNUSED, NUMBER_PARAMS) {}
 
  private:
   ParamInfo param_info_[NUMBER_PARAMS + 1];
   char parameters_[BLOCK_SIZE - sizeof(CrossCallParams) -
                    sizeof(ParamInfo) * (NUMBER_PARAMS + 1)];
   DISALLOW_COPY_AND_ASSIGN(ActualCallParams);
+
+  friend uint32_t GetMinDeclaredActualCallParamsSize(uint32_t param_count);
 };
 
 static_assert(sizeof(ActualCallParams<1, 1024>) == 1024, "bad size buffer");
 static_assert(sizeof(ActualCallParams<2, 1024>) == 1024, "bad size buffer");
 static_assert(sizeof(ActualCallParams<3, 1024>) == 1024, "bad size buffer");
 
 }  // namespace sandbox
 
diff --git a/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc b/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc
--- a/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc
+++ b/security/sandbox/chromium/sandbox/win/src/crosscall_server.cc
@@ -28,30 +28,31 @@ namespace {
 
 // The buffer for a message must match the max channel size.
 const size_t kMaxBufferSize = sandbox::kIPCChannelSize;
 
 }  // namespace
 
 namespace sandbox {
 
+// The template types are used to calculate the maximum expected size.
+typedef ActualCallParams<0, kMaxBufferSize> ActualCP0;
+typedef ActualCallParams<1, kMaxBufferSize> ActualCP1;
+typedef ActualCallParams<2, kMaxBufferSize> ActualCP2;
+typedef ActualCallParams<3, kMaxBufferSize> ActualCP3;
+typedef ActualCallParams<4, kMaxBufferSize> ActualCP4;
+typedef ActualCallParams<5, kMaxBufferSize> ActualCP5;
+typedef ActualCallParams<6, kMaxBufferSize> ActualCP6;
+typedef ActualCallParams<7, kMaxBufferSize> ActualCP7;
+typedef ActualCallParams<8, kMaxBufferSize> ActualCP8;
+typedef ActualCallParams<9, kMaxBufferSize> ActualCP9;
+
 // Returns the actual size for the parameters in an IPC buffer. Returns
 // zero if the |param_count| is zero or too big.
 uint32_t GetActualBufferSize(uint32_t param_count, void* buffer_base) {
-  // The template types are used to calculate the maximum expected size.
-  typedef ActualCallParams<1, kMaxBufferSize> ActualCP1;
-  typedef ActualCallParams<2, kMaxBufferSize> ActualCP2;
-  typedef ActualCallParams<3, kMaxBufferSize> ActualCP3;
-  typedef ActualCallParams<4, kMaxBufferSize> ActualCP4;
-  typedef ActualCallParams<5, kMaxBufferSize> ActualCP5;
-  typedef ActualCallParams<6, kMaxBufferSize> ActualCP6;
-  typedef ActualCallParams<7, kMaxBufferSize> ActualCP7;
-  typedef ActualCallParams<8, kMaxBufferSize> ActualCP8;
-  typedef ActualCallParams<9, kMaxBufferSize> ActualCP9;
-
   // Retrieve the actual size and the maximum size of the params buffer.
   switch (param_count) {
     case 0:
       return 0;
     case 1:
       return reinterpret_cast<ActualCP1*>(buffer_base)->GetSize();
     case 2:
       return reinterpret_cast<ActualCP2*>(buffer_base)->GetSize();
@@ -69,16 +70,45 @@ uint32_t GetActualBufferSize(uint32_t pa
       return reinterpret_cast<ActualCP8*>(buffer_base)->GetSize();
     case 9:
       return reinterpret_cast<ActualCP9*>(buffer_base)->GetSize();
     default:
       return 0;
   }
 }
 
+// Returns the minimum size for the parameters in an IPC buffer. Returns
+// zero if the |param_count| is less than zero or too big.
+uint32_t GetMinDeclaredActualCallParamsSize(uint32_t param_count) {
+  switch (param_count) {
+    case 0:
+      return offsetof(ActualCP0, parameters_);
+    case 1:
+      return offsetof(ActualCP1, parameters_);
+    case 2:
+      return offsetof(ActualCP2, parameters_);
+    case 3:
+      return offsetof(ActualCP3, parameters_);
+    case 4:
+      return offsetof(ActualCP4, parameters_);
+    case 5:
+      return offsetof(ActualCP5, parameters_);
+    case 6:
+      return offsetof(ActualCP6, parameters_);
+    case 7:
+      return offsetof(ActualCP7, parameters_);
+    case 8:
+      return offsetof(ActualCP8, parameters_);
+    case 9:
+      return offsetof(ActualCP9, parameters_);
+    default:
+      return 0;
+  }
+}
+
 // Verifies that the declared sizes of an IPC buffer are within range.
 bool IsSizeWithinRange(uint32_t buffer_size,
                        uint32_t min_declared_size,
                        uint32_t declared_size) {
   if ((buffer_size < min_declared_size) ||
       (sizeof(CrossCallParamsEx) > min_declared_size)) {
     // Minimal computed size bigger than existing buffer or param_count
     // integer overflow.
@@ -133,18 +163,17 @@ CrossCallParamsEx* CrossCallParamsEx::Cr
   // will catch memory access violations so we don't crash.
   __try {
     CrossCallParams* call_params =
         reinterpret_cast<CrossCallParams*>(buffer_base);
 
     // Check against the minimum size given the number of stated params
     // if too small we bail out.
     param_count = call_params->GetParamsCount();
-    min_declared_size =
-        sizeof(CrossCallParams) + ((param_count + 1) * sizeof(ParamInfo));
+    min_declared_size = GetMinDeclaredActualCallParamsSize(param_count);
 
     // Initial check for the buffer being big enough to determine the actual
     // buffer size.
     if (buffer_size < min_declared_size)
       return nullptr;
 
     // Retrieve the declared size which if it fails returns 0.
     declared_size = GetActualBufferSize(param_count, buffer_base);
@@ -158,18 +187,17 @@ CrossCallParamsEx* CrossCallParamsEx::Cr
     copied_params = reinterpret_cast<CrossCallParamsEx*>(backing_mem);
     memcpy(backing_mem, call_params, declared_size);
 
     // Avoid compiler optimizations across this point. Any value stored in
     // memory should be stored for real, and values previously read from memory
     // should be actually read.
     std::atomic_thread_fence(std::memory_order_seq_cst);
 
-    min_declared_size =
-        sizeof(CrossCallParams) + ((param_count + 1) * sizeof(ParamInfo));
+    min_declared_size = GetMinDeclaredActualCallParamsSize(param_count);
 
     // Check that the copied buffer is still valid.
     if (copied_params->GetParamsCount() != param_count ||
         GetActualBufferSize(param_count, backing_mem) != declared_size ||
         !IsSizeWithinRange(buffer_size, min_declared_size, declared_size)) {
       delete[] backing_mem;
       return nullptr;
     }