| author | Will Harris <wfh@chromium.org> | 2023-03-02 16:49:42 +0000 |
|---|---|---|
| committer | Michael Brüning <michael.bruning@qt.io> | 2023-04-03 15:21:33 +0000 |
| commit | 6b578494777c1c699d960595333d23721b3d82a0 (patch) | |
| tree | 538a321159f81d851997643634841b81f31cfb1a | |
| parent | 44cf17806860755efe126c31526dc44c88631878 (diff) | |
| download | qtwebengine-chromium-6b578494777c1c699d960595333d23721b3d82a0.tar.gz | |
[Backport] CVE-2023-1219: Heap buffer overflow in Metrics (1/3)
Cherry-pick of patch originally reviewed on:
https://chromium-review.googlesource.com/c/chromium/src/+/4279513:
Prevent potential integer overflow in PersistentMemoryAllocator
BUG=1415328
(cherry picked from commit 19de280a0c28065acf2a7e001af5c981698a461c)
Change-Id: I66dcae6a1aacc1310ddd715033b3704c932b9800
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4250177
Commit-Queue: Will Harris <wfh@chromium.org>
Commit-Queue: Alexei Svitkine <asvitkine@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1105177}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4279513
Commit-Queue: Zakhar Voit <voit@google.com>
Owners-Override: Victor-Gabriel Savu <vsavu@google.com>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Cr-Commit-Position: refs/branch-heads/5359@{#1400}
Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468174
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/base/metrics/persistent_memory_allocator.cc | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/chromium/base/metrics/persistent_memory_allocator.cc b/chromium/base/metrics/persistent_memory_allocator.cc index 7c04629d846..9d7bf0a9ae6 100644 --- a/chromium/base/metrics/persistent_memory_allocator.cc +++ b/chromium/base/metrics/persistent_memory_allocator.cc @@ -533,7 +533,10 @@ size_t PersistentMemoryAllocator::GetAllocSize(Reference ref) const { uint32_t size = block->size; // Header was verified by GetBlock() but a malicious actor could change // the value between there and here. Check it again. - if (size <= sizeof(BlockHeader) || ref + size > mem_size_) { + uint32_t total_size; + if (size <= sizeof(BlockHeader) || + !base::CheckAdd(ref, size).AssignIfValid(&total_size) || + total_size > mem_size_) { SetCorrupt(); return 0; } |
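Review bot: the comment above the check in `GetAllocSize` still only says the header is "checked again", but the substantive change in this hunk is why the old form was unsafe: with `size` being `uint32_t`, the plain sum `ref + size` can wrap around in unsigned arithmetic to a small value and pass `> mem_size_`, which is exactly what `base::CheckAdd(ref, size).AssignIfValid(&total_size)` now rejects by treating a wrapped sum as corruption. Suggest extending the comment, e.g. `// the value between there and here. Check it again, using a checked add so a wrapped ref + size cannot pass the bounds test.` Leaving `total_size` uninitialized at its declaration is acceptable here because the `||` chain short-circuits into `SetCorrupt()` before `total_size > mem_size_` is evaluated whenever the add is invalid, but a reader skimming the block may not see that, so a one-line note or a `= 0` initializer would make the intent obvious.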