From 4de32c788d352fd34bce4ffb0c8650e5501be0f7 Mon Sep 17 00:00:00 2001 From: themiswang Date: Fri, 27 Dec 2024 15:26:30 -0500 Subject: [PATCH] add explanation of how alloc works (#14288) --- .../Models/Record/FIRCLSReportAdapter.m | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/Crashlytics/Crashlytics/Models/Record/FIRCLSReportAdapter.m b/Crashlytics/Crashlytics/Models/Record/FIRCLSReportAdapter.m index 2cbcdb9ef23..900f93c20ee 100644 --- a/Crashlytics/Crashlytics/Models/Record/FIRCLSReportAdapter.m +++ b/Crashlytics/Crashlytics/Models/Record/FIRCLSReportAdapter.m @@ -256,6 +256,21 @@ - (google_crashlytics_Platforms)protoPlatformFromString:(NSString *)str { * @param data The data to copy into the new bytes array. */ pb_bytes_array_t *FIRCLSEncodeData(NSData *data) { + // We have received couple security tickets before for using malloc here. + // Here is a short explaination on how it is calculated so buffer overflow is prevented: + // We will alloc an amount of memeory for struct `pb_bytes_array_t`, this struct contains two + // attributes: + // pb_size_t size + // pb_byte_t bytes[1] + // It contains the size the of the data and the actually data information in byte form (which + // is represented by a pointer), for more information check the declaration in nanopb/pb.h. + + // For size, NSData return size in `unsigned long` type which is the same size as `pb_size_t` and + // it is declared in compile time depending on the arch of system. If overflow happened it should + // happend at NSData level first when user trying to inserting data to NSData. + // For bytes, it is just a strict memeory copy of the data in NSData. + // The whole structure will be freed as a part of process for deallocing report in dealloc() of + // this class pb_bytes_array_t *pbBytes = malloc(PB_BYTES_ARRAY_T_ALLOCSIZE(data.length)); if (pbBytes == NULL) { return NULL;