Check that the read attr struct size is at most equal to the declared…

… size of the event payload. Any remaining bytes are event IDs. But if the declared payload size is smaller, subtracting these unsigned values when computing the number of IDs yields a very large number, which subsequently leads to a memory allocation failure. PiperOrigin-RevId: 688313672
google · Dec 9, 2024 · 3a715e1 · 3a715e1
1 parent 6395752
commit 3a715e1
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/src/quipper/perf_reader.cc b/src/quipper/perf_reader.cc
@@ -2360,6 +2360,12 @@ bool PerfReader::ReadAttrEventBlock(DataReader* data, size_t size) {
 
   // attr.attr.size has been upgraded to the current size of perf_event_attr.
   const size_t actual_attr_size = data->Tell() - initial_offset;
+  if (size < actual_attr_size) {
+    LOG(ERROR) << "Declared payload size " << size << " of "
+               << "PERF_RECORD_HEADER_ATTR event is less than the number of "
+               << "bytes read for the attr_event struct " << actual_attr_size;
+    return false;
+  }
 
   const size_t num_ids =
       (size - actual_attr_size) / sizeof(decltype(attr.ids)::value_type);