[base] Do not use va_args twice in asprintf()

(cherry picked from commit 3cff0cb) Bug: 1450536 Change-Id: Ib34d96935278869a63897f9a1c66afc98865d90f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4579347 Reviewed-by: Egor Pasko <pasko@chromium.org> Commit-Queue: Benoit Lize <lizeb@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1151796} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4594398 Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com> Cr-Commit-Position: refs/branch-heads/5790@{#414} Cr-Branched-From: 1d71a33-refs/heads/main@{#1148114}
chromium · Jun 6, 2023 · c00b036 · c00b036
1 parent 76121b5
commit c00b036
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/base/allocator/partition_allocator/shim/allocator_shim_override_linker_wrapped_symbols.h b/base/allocator/partition_allocator/shim/allocator_shim_override_linker_wrapped_symbols.h
@@ -130,12 +130,19 @@ SHIM_ALWAYS_EXPORT char* __wrap_getcwd(char* buffer, size_t size) {
 SHIM_ALWAYS_EXPORT int __wrap_vasprintf(char** strp,
                                         const char* fmt,
                                         va_list va_args) {
+  // There are cases where we need to use the list of arguments twice, namely
+  // when the original buffer is too small. It is not allowed to walk the list
+  // twice, so make a copy for the second invocation of vsnprintf().
+  va_list va_args_copy;
+  va_copy(va_args_copy, va_args);
+
   constexpr int kInitialSize = 128;
   *strp = static_cast<char*>(
       malloc(kInitialSize));  // Our malloc() doesn't return nullptr.
 
   int actual_size = vsnprintf(*strp, kInitialSize, fmt, va_args);
   if (actual_size < 0) {
+    va_end(va_args_copy);
     return actual_size;
   }
   *strp =
@@ -148,9 +155,13 @@ SHIM_ALWAYS_EXPORT int __wrap_vasprintf(char** strp,
   // This is very lightly used in Chromium in practice, see crbug.com/116558 for
   // details.
   if (actual_size >= kInitialSize) {
-    return vsnprintf(*strp, static_cast<size_t>(actual_size + 1), fmt, va_args);
+    int ret = vsnprintf(*strp, static_cast<size_t>(actual_size + 1), fmt,
+                        va_args_copy);
+    va_end(va_args_copy);
+    return ret;
   }
 
+  va_end(va_args_copy);
   return actual_size;
 }
 

diff --git a/base/allocator/partition_allocator/shim/allocator_shim_unittest.cc b/base/allocator/partition_allocator/shim/allocator_shim_unittest.cc
@@ -746,6 +746,28 @@ TEST_F(AllocatorShimTest, InterceptVasprintf) {
   // Should not crash.
 }
 
+TEST_F(AllocatorShimTest, InterceptLongVasprintf) {
+  char* str = nullptr;
+  const char* lorem_ipsum =
+      "Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed non risus. "
+      "Suspendisse lectus tortor, dignissim sit amet, adipiscing nec, "
+      "ultricies sed, dolor. Cras elementum ultrices diam. Maecenas ligula "
+      "massa, varius a, semper congue, euismod non, mi. Proin porttitor, orci "
+      "nec nonummy molestie, enim est eleifend mi, non fermentum diam nisl sit "
+      "amet erat. Duis semper. Duis arcu massa, scelerisque vitae, consequat "
+      "in, pretium a, enim. Pellentesque congue. Ut in risus volutpat libero "
+      "pharetra tempor. Cras vestibulum bibendum augue. Praesent egestas leo "
+      "in pede. Praesent blandit odio eu enim. Pellentesque sed dui ut augue "
+      "blandit sodales. Vestibulum ante ipsum primis in faucibus orci luctus "
+      "et ultrices posuere cubilia Curae; Aliquam nibh. Mauris ac mauris sed "
+      "pede pellentesque fermentum. Maecenas adipiscing ante non diam sodales "
+      "hendrerit.";
+  int err = asprintf(&str, "%s", lorem_ipsum);
+  EXPECT_EQ(err, static_cast<int>(strlen(lorem_ipsum)));
+  EXPECT_TRUE(str);
+  free(str);
+}
+
 #endif  // BUILDFLAG(USE_PARTITION_ALLOC_AS_MALLOC)
 
 #endif  // BUILDFLAG(IS_ANDROID)