Use buffer size in LenVal::GetDataSize

If `TransferFromSandboxee` fails, the size saved in struct might not correspond to size of buffer, possibly leading to OOB reads/writes in user code. PiperOrigin-RevId: 623106099 Change-Id: I61b070bba5fc81b13558d0c415a08cd4ee95c685
google · Apr 9, 2024 · 0b1b48c · 0b1b48c
1 parent aa6ed45
commit 0b1b48c
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/sandboxed_api/var_lenval.h b/sandboxed_api/var_lenval.h
@@ -59,7 +59,7 @@ class LenVal : public Var {
   std::string ToString() const final { return "LenVal"; }
 
   absl::Status ResizeData(RPCChannel* rpc_channel, size_t size);
-  size_t GetDataSize() const { return struct_.data().size; }
+  size_t GetDataSize() const { return array_.GetSize(); }
   uint8_t* GetData() const { return array_.GetData(); }
   void* GetRemote() const final { return struct_.GetRemote(); }