Bug 1742864 - Sanitize the input frame pointer given to DoFramePointerStackWalk. r=gerald

Differential Revision: https://phabricator.services.mozilla.com/D144396

mozglue/misc/StackWalk.cpp

@@ -876,6 +876,20 @@ static void DoFramePointerStackWalk(MozWalkStackCallback aCallback,
   FrameSkipper skipper(aFirstFramePC);
   uint32_t numFrames = 0;
 
+  // Sanitize the given aBp. Assume that something reasonably close to
+  // but before the stack end is going be a valid frame pointer. Also
+  // check that it is an aligned address. This increases the chances
+  // that if the pointer is not valid (which might happen if the caller
+  // called __builtin_frame_address(1) and its frame is busted for some
+  // reason), we won't read it, leading to a crash. Because the calling
+  // code is not using frame pointers when returning, it might actually
+  // recover just fine.
+  static const uintptr_t kMaxStackSize = 8 * 1024 * 1024;
+  if (uintptr_t(aBp) < uintptr_t(aStackEnd) - std::min(kMaxStackSize, uintptr_t(aStackEnd)) ||
+      aBp >= aStackEnd || (uintptr_t(aBp) & 3)) {
+    return;
+  }
+
   while (aBp) {
     void** next = (void**)*aBp;
     // aBp may not be a frame pointer on i386 if code was compiled with