Handle possible array size overflow

janvorli · janvorli · commit d056127c9afa · 2024-06-10T21:32:08.000+02:00
In the StackTraceArray::Allocate
diff --git a/src/coreclr/vm/object.cpp b/src/coreclr/vm/object.cpp
@@ -1484,14 +1484,14 @@ void StackTraceArray::Allocate(size_t size)
     }
     CONTRACTL_END;
 
-    size_t raw_size = size * sizeof(StackTraceElement) + sizeof(ArrayHeader);
+    S_SIZE_T raw_size = S_SIZE_T(size) * S_SIZE_T(sizeof(StackTraceElement)) + S_SIZE_T(sizeof(ArrayHeader));
 
-    if (!FitsIn<DWORD>(raw_size))
+    if (raw_size.IsOverflow() || !FitsIn<DWORD>(raw_size.Value())
     {
         EX_THROW(EEMessageException, (kOverflowException, IDS_EE_ARRAY_DIMENSIONS_EXCEEDED));
     }
    
-    SetArray(I1ARRAYREF(AllocatePrimitiveArray(ELEMENT_TYPE_I1, static_cast<DWORD>(raw_size))));
+    SetArray(I1ARRAYREF(AllocatePrimitiveArray(ELEMENT_TYPE_I1, static_cast<DWORD>(raw_size.Value()))));
     SetSize(0);
     SetKeepAliveItemsCount(0);
     SetObjectThread();

Original file line number	Diff line number	Diff line change
`@@ -1484,14 +1484,14 @@ void StackTraceArray::Allocate(size_t size)`
`1484`	`1484`	`}`
`1485`	`1485`	`CONTRACTL_END;`
`1486`	`1486`
`1487`		`- size_t raw_size = size * sizeof(StackTraceElement) + sizeof(ArrayHeader);`
	`1487`	`+ S_SIZE_T raw_size = S_SIZE_T(size) * S_SIZE_T(sizeof(StackTraceElement)) + S_SIZE_T(sizeof(ArrayHeader));`
`1488`	`1488`
`1489`		`- if (!FitsIn<DWORD>(raw_size))`
	`1489`	`+ if (raw_size.IsOverflow() \|\| !FitsIn<DWORD>(raw_size.Value())`
`1490`	`1490`	`{`
`1491`	`1491`	`EX_THROW(EEMessageException, (kOverflowException, IDS_EE_ARRAY_DIMENSIONS_EXCEEDED));`
`1492`	`1492`	`}`
`1493`	`1493`
`1494`		`- SetArray(I1ARRAYREF(AllocatePrimitiveArray(ELEMENT_TYPE_I1, static_cast<DWORD>(raw_size))));`
	`1494`	`+ SetArray(I1ARRAYREF(AllocatePrimitiveArray(ELEMENT_TYPE_I1, static_cast<DWORD>(raw_size.Value()))));`
`1495`	`1495`	`SetSize(0);`
`1496`	`1496`	`SetKeepAliveItemsCount(0);`
`1497`	`1497`	`SetObjectThread();`