fix(runtime): bound all crash-handler formatting (review finding from #86)#87
Merged
Merged
Conversation
…86) The seTranslator regs line formatted 110 chars + NUL into char info[96] -- a guaranteed 15-byte stack OOB write on every exception that reached the diagnostics path. It went unnoticed only because the handler never returns (no /GS check) and MSVC's local layout happened to be benign; the writes could still silently clobber the very state the diagnostics report. Quality-gate review caught it via byte-counting. - info[96] -> info[160] and every format in the handler switched to snprintf(sizeof) -- the crash path can no longer corrupt its own frame. - describeAddress/symbolName formatting bounded the same way (a pathologically long exe basename could overflow buf[160]). - The anonymous-image dump now VirtualQuery's the dump range itself (the allocation base's region can differ from the faulting IP's region; a nested fault inside the handler would truncate the panic). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Quality-gate review of #86 caught a real defect in the new diagnostics: the
seTranslatorregs line formats 110 chars + NUL intochar info[96]— a guaranteed 15-byte stack OOB write on every exception reaching the diagnostics path. It only appeared to work because the handler never returns (no /GS check fires) and the local layout happened to be benign; the write could still silently clobberpanicStr/cx/mbi— the very state being reported.Fixes, all within the crash handler:
info[96]→info[160]; every format in the handler now goes throughsnprintf(…,sizeof…)so the crash path can never corrupt its own frame again.describeAddress/symbolNameformatting bounded the same way (pathologically long exe basename could overflowbuf[160]).VirtualQuerys the dump range itself and clamps to the committed region (the allocation base's region can differ from the faulting IP's; a nested fault inside the handler would truncate the whole panic).Full
test.batgreen (includes the divzero crash-diagnostic contract, which exercises the handler end-to-end).🤖 Generated with Claude Code