Bug 1747514 - Fix some pointer arithmetic issues in RLBox. r=shravanrn

We were double-allocating in TransferBuffer, but that was canceling out
the fact that we were only half-copying.

Differential Revision: https://phabricator.services.mozilla.com/D134669
Bobby Holley 2021-12-25 06:00:25 +00:00
Родитель ddb05ea412
Коммит 7be8e183ab
3 изменённых файлов: 5 добавлений и 5 удалений

2
third_party/rlbox/include/rlbox_sandbox.hpp поставляемый

@ -556,7 +556,7 @@ public:
}
detail::dynamic_check(is_pointer_in_sandbox_memory(ptr),
"Malloc returned pointer outside the sandbox memory");
auto ptr_end = reinterpret_cast<uintptr_t>(ptr + (count - 1));
auto ptr_end = reinterpret_cast<uintptr_t>(ptr + (total_size - 1));
detail::dynamic_check(
is_in_same_sandbox(ptr, reinterpret_cast<void*>(ptr_end)),
"Malloc returned a pointer whose range goes beyond sandbox memory");
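Review bot: The new end-of-range expression `ptr + (total_size - 1)` is only a byte offset if `ptr` is a byte-sized pointer; if `ptr` here is the `T*` that `malloc_in_sandbox<T>` hands back (its declaration is above this hunk), the addition is scaled by `sizeof(T)`, so the computed end overshoots the allocation by a factor of `sizeof(T)` and the range check can fire spuriously, whereas the old `count - 1` form already named the last element. Doing the arithmetic on the integer value makes the check independent of the pointer's element type and avoids forming an out-of-bounds pointer at all: `auto ptr_end = reinterpret_cast<uintptr_t>(ptr) + (total_size - 1);`. Since `total_size` is defined outside the hunk, a one-line comment above the check, `// total_size is in bytes; the last addressable byte must lie in the same sandbox`, would make the unit explicit. The enclosing function starts before this hunk.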

4
third_party/rlbox/include/rlbox_stdlib.hpp поставляемый

@ -212,7 +212,7 @@ inline tainted_int_hint memcmp(rlbox_sandbox<T_Sbx>& sandbox,
* - if the sandbox allows, adds the buffer to the existing sandbox memory
* @param sandbox Target sandbox
* @param src Raw pointer to the buffer
* @param num Number of bytes in the buffer
* @param num Number of T-sized elements in the buffer
* @param free_source_on_copy If the source buffer was copied, this variable
* controls whether copy_memory_or_grant_access should call delete on the src.
* This calls delete[] if num > 1.
@ -246,7 +246,7 @@ tainted<T*, T_Sbx> copy_memory_or_grant_access(rlbox_sandbox<T_Sbx>& sandbox,
using T_nocv = std::remove_cv_t<T>;
tainted<T_nocv*, T_Sbx> copy =
sandbox.template malloc_in_sandbox<T_nocv>(num_trunc);
rlbox::memcpy(sandbox, copy, src, num_trunc);
rlbox::memcpy(sandbox, copy, src, num * sizeof(T));
if (free_source_on_copy) {
free(const_cast<void*>(reinterpret_cast<const void*>(src)));
}
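Review bot: The allocation two lines above the memcpy is sized from `num_trunc` while the copy is now sized from `num * sizeof(T)`; unless `num` is dynamically checked to fit in a `uint32_t` before it is truncated (that code is above the hunk), a `num` past that limit allocates `num_trunc` elements and then copies `num * sizeof(T)` bytes into them, overrunning the sandbox allocation. Deriving both sizes from the same variable removes the dependency on that earlier check: `rlbox::memcpy(sandbox, copy, src, num_trunc * sizeof(T));`, and because the old call passed an element count where a byte count was expected, a comment such as `// rlbox::memcpy takes a byte count; num is in T-sized elements` would prevent a repeat. Separately, the doc comment edited in the first hunk still says free_source_on_copy leads to `delete`/`delete[]`, but the code here calls `free()` on the source, so that sentence should read `This calls free() on src.` The enclosing function starts before these hunks.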


@ -24,8 +24,8 @@ class MOZ_STACK_CLASS RLBoxTransferBufferToSandbox {
const size_t aLen)
: mSandbox(aSandbox), mCopied(false), mBuf(nullptr) {
if (aBuf) {
mBuf = rlbox::copy_memory_or_grant_access(
*mSandbox, aBuf, aLen * sizeof(T), false, mCopied);
mBuf = rlbox::copy_memory_or_grant_access(*mSandbox, aBuf, aLen, false,
mCopied);
}
};
~RLBoxTransferBufferToSandbox() {