From d946efec41a8206e1273f506691b2417c34ce594 Mon Sep 17 00:00:00 2001
From: mdh1418
Date: Fri, 5 Dec 2025 23:29:31 +0000
Subject: [PATCH 1/4] [IPCProtocol] Handle parsing truncated payloads
---
 src/native/eventpipe/ds-protocol.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/native/eventpipe/ds-protocol.c b/src/native/eventpipe/ds-protocol.c
index 8338c8103a9550..496c438461b10b 100644
--- a/src/native/eventpipe/ds-protocol.c
+++ b/src/native/eventpipe/ds-protocol.c
@@ -396,7 +396,10 @@ ds_ipc_message_try_parse_value (
 EP_ASSERT (buffer != NULL);
 EP_ASSERT (buffer_len != NULL);
 EP_ASSERT (value != NULL);
- EP_ASSERT ((buffer_len - value_len) <= buffer_len);
+ EP_ASSERT (*buffer_len >= value_len);
+
+ if (*buffer_len < value_len) return false;
 memcpy (value, *buffer, value_len);
 *buffer = *buffer + value_len;
From 43fbcbd66716e75bbacd9c91749979898ff1450b Mon Sep 17 00:00:00 2001
From: mdh1418
Date: Sat, 6 Dec 2025 00:19:29 +0000
Subject: [PATCH 2/4] [IPCProtocol] Prevent LoadProfiler read past buffer
---
 src/native/eventpipe/ds-profiler-protocol.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/native/eventpipe/ds-profiler-protocol.c b/src/native/eventpipe/ds-profiler-protocol.c
index ea7035eb980c68..e1415e6a92cdb0 100644
--- a/src/native/eventpipe/ds-profiler-protocol.c
+++ b/src/native/eventpipe/ds-profiler-protocol.c
@@ -70,7 +70,7 @@ attach_profiler_command_try_parse_payload (
 !ds_ipc_message_try_parse_value (&buffer_cursor, &buffer_cursor_len, (uint8_t *)&instance->profiler_guid, (uint32_t)ARRAY_SIZE (instance->profiler_guid)) ||
 !ds_ipc_message_try_parse_string_utf16_t (&buffer_cursor, &buffer_cursor_len, &instance->profiler_path) ||
 !ds_ipc_message_try_parse_uint32_t (&buffer_cursor, &buffer_cursor_len, &instance->client_data_len) ||
- !(buffer_cursor_len <= instance->client_data_len))
+ !(buffer_cursor_len >= instance->client_data_len))
 ep_raise_error ();
 instance->client_data = buffer_cursor;
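Review bot: The new `EP_ASSERT (*buffer_len >= value_len);` asserts the very condition that the `if (*buffer_len < value_len) return false;` right below it is meant to handle, so in assert-enabled builds a truncated payload trips the assertion before the graceful failure path is ever reached. `*buffer_len` is the remaining length of a message received over the diagnostics IPC channel, which is external input, and an input-dependent condition belongs in the runtime check rather than in an assertion that encodes an invariant. I would drop the assert line and keep only the `if`, so debug and release builds reject a short payload the same way. The rest of ds_ipc_message_try_parse_value, including whatever presumably adjusts `*buffer_len` after the copy, lies outside the hunk.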
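Review bot: The corrected guard is written as a double negative, `!(buffer_cursor_len >= instance->client_data_len)`, inside a chain where every other operand is a negated parse call; writing it as `buffer_cursor_len < instance->client_data_len` states the truncation case directly and has the same shape as the check added to ds_ipc_message_try_parse_value in PATCH 1/4 of this series. A one-line comment above the assignment that follows, `/* client_data points into the remaining payload; the length check above guarantees client_data_len bytes are present */`, would record why the comparison exists, since the bare, uncommented condition is exactly what let the operator go the wrong way. attach_profiler_command_try_parse_payload starts and ends outside the hunk.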
From 93ea92f64e8db99eb11679fad02ce0cdb071d26b Mon Sep 17 00:00:00 2001
From: mdh1418
Date: Sat, 6 Dec 2025 00:20:35 +0000
Subject: [PATCH 3/4] [IPCProtocol] Enforce aligned wchar deserialization
---
 src/native/eventpipe/ds-protocol.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/native/eventpipe/ds-protocol.c b/src/native/eventpipe/ds-protocol.c
index 496c438461b10b..0dc0872ce54c9f 100644
--- a/src/native/eventpipe/ds-protocol.c
+++ b/src/native/eventpipe/ds-protocol.c
@@ -330,6 +330,8 @@ ipc_message_try_parse_string_utf16_t_byte_array (
 bool result = false;
+ ep_raise_error_if_nok (((uintptr_t)*buffer & 0x1u) == 0);
+
 ep_raise_error_if_nok (ds_ipc_message_try_parse_uint32_t (buffer, buffer_len, string_byte_array_len));
 *string_byte_array_len *= sizeof (ep_char16_t);
From 5ffb2bfdd7837b67b0dfd12fd11cb983196decc7 Mon Sep 17 00:00:00 2001
From: mdh1418
Date: Mon, 8 Dec 2025 01:25:07 +0000
Subject: [PATCH 4/4] Revert "[IPCProtocol] Enforce aligned wchar deserialization"
This reverts commit 93ea92f64e8db99eb11679fad02ce0cdb071d26b.
---
 src/native/eventpipe/ds-protocol.c | 2 --
 1 file changed, 2 deletions(-)
diff --git a/src/native/eventpipe/ds-protocol.c b/src/native/eventpipe/ds-protocol.c
index 0dc0872ce54c9f..496c438461b10b 100644
--- a/src/native/eventpipe/ds-protocol.c
+++ b/src/native/eventpipe/ds-protocol.c
@@ -330,8 +330,6 @@ ipc_message_try_parse_string_utf16_t_byte_array (
 bool result = false;
- ep_raise_error_if_nok (((uintptr_t)*buffer & 0x1u) == 0);
-
 ep_raise_error_if_nok (ds_ipc_message_try_parse_uint32_t (buffer, buffer_len, string_byte_array_len));
 *string_byte_array_len *= sizeof (ep_char16_t);