[XRay][compiler-rt] Fix oob memory access in FDR BufferQueue iterator (#90940)

rickyz · web-flow · commit 21a39dfb17a4 · 2024-05-27T16:32:57.000-07:00
Before this change, the FDR BufferQueue iterator could access oob memory
due to checks of the form `!Buffers[Offset].Used &amp;&amp; Offset != Max`. This
allows access to `Buffers[Max]`, which is past the end of the `Buffers`
array. This can lead to crashes when that memory is not mapped. Fix this
by testing `Offset != Max` first.
diff --git a/compiler-rt/lib/xray/xray_buffer_queue.h b/compiler-rt/lib/xray/xray_buffer_queue.h
@@ -87,7 +87,7 @@ class BufferQueue {
       DCHECK_NE(Offset, Max);
       do {
         ++Offset;
-      } while (!Buffers[Offset].Used && Offset != Max);
+      } while (Offset != Max && !Buffers[Offset].Used);
       return *this;
     }
 
@@ -107,7 +107,7 @@ class BufferQueue {
           Max(M) {
       // We want to advance to the first Offset where the 'Used' property is
       // true, or to the end of the list/queue.
-      while (!Buffers[Offset].Used && Offset != Max) {
+      while (Offset != Max && !Buffers[Offset].Used) {
         ++Offset;
       }
     }

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ class BufferQueue {`
`87`	`87`	`DCHECK_NE(Offset, Max);`
`88`	`88`	`do {`
`89`	`89`	`++Offset;`
`90`		`- } while (!Buffers[Offset].Used && Offset != Max);`
	`90`	`+ } while (Offset != Max && !Buffers[Offset].Used);`
`91`	`91`	`return *this;`
`92`	`92`	`}`
`93`	`93`
`@@ -107,7 +107,7 @@ class BufferQueue {`
`107`	`107`	`Max(M) {`
`108`	`108`	`// We want to advance to the first Offset where the 'Used' property is`
`109`	`109`	`// true, or to the end of the list/queue.`
`110`		`- while (!Buffers[Offset].Used && Offset != Max) {`
	`110`	`+ while (Offset != Max && !Buffers[Offset].Used) {`
`111`	`111`	`++Offset;`
`112`	`112`	`}`
`113`	`113`	`}`