-
- Downloads
Fix potential integer overflow in hash container create/resize (#1812)
The sized constructors, reserve(), and rehash() methods of
absl::{flat,node}_hash_{set,map} did not impose an upper bound on
their size argument. As a result, it was possible for a caller to pass
a very large size that would cause an integer overflow when computing
the size of the container's backing store. Subsequent accesses to the
container might then access out-of-bounds memory.
The fix is in two parts:
1) Update max_size() to return the maximum number of items that can be
stored in the container
2) Validate the size arguments to the constructors, reserve(), and
rehash() methods, and abort the program when the argument is invalid
We've looked at uses of these containers in Google codebases like
Chrome, and determined this vulnerability is likely to be difficult to
exploit. This is primarily because container sizes are rarely
attacker-controlled.
The bug was discovered by Dmitry Vyukov <dvyukov@google.com>.
Showing
- MODULE.bazel 1 addition, 1 deletionMODULE.bazel
- absl/base/config.h 1 addition, 1 deletionabsl/base/config.h
- absl/container/internal/raw_hash_set.h 14 additions, 1 deletionabsl/container/internal/raw_hash_set.h
- absl/container/internal/raw_hash_set_test.cc 8 additions, 0 deletionsabsl/container/internal/raw_hash_set_test.cc
Loading
Please register or sign in to comment