authorLeonard Grey <lgrey@chromium.org>2022-04-12 23:14:06 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2022-06-16 19:52:55 +0000
commit60882e1d01a545f2fe9f99b667fd76677d6b88f5 (patch)
treecaea03d4722102b8bedc250d5f67e317741980d5
parent58ec380b8c395255ea27535c63c2853d657b3125 (diff)
downloadqtwebengine-chromium-60882e1d01a545f2fe9f99b667fd76677d6b88f5.tar.gz
[Backport] CVE-2022-1876: Heap buffer overflow in DevTools
Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3584284: UIDevTools: fix bounds check for websocket connections Bug: 1313600 Change-Id: Ic97da6e5cf5595d530a100bc8bbbee12467cef05 Reviewed-by: Robert Sesek <rsesek@chromium.org> Commit-Queue: Leonard Grey <lgrey@chromium.org> Cr-Commit-Position: refs/heads/main@{#991786} Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/components/ui_devtools/devtools_server.cc3
1 files changed, 2 insertions, 1 deletions
diff --git a/chromium/components/ui_devtools/devtools_server.cc b/chromium/components/ui_devtools/devtools_server.cc
index e4d47751e98..b77494e3d96 100644
--- a/chromium/components/ui_devtools/devtools_server.cc
+++ b/chromium/components/ui_devtools/devtools_server.cc
@@ -212,8 +212,9 @@ void UiDevToolsServer::OnWebSocketRequest(
size_t target_id = 0;
if (info.path.empty() ||
!base::StringToSizeT(info.path.substr(1), &target_id) ||
- target_id > clients_.size())
+ target_id >= clients_.size()) {
return;
+ }
UiDevToolsClient* client = clients_[target_id].get();
// Only one user can inspect the client at a time
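Review bot: The boundary this corrects, `target_id == clients_.size()`, is not pinned by a test or a comment in this commit; the diffstat lists only devtools_server.cc, so nothing guards the comparison against regressing. A comment above the check such as `// target_id is parsed from the request path (untrusted) and indexes clients_; valid range is [0, clients_.size()).` would record why `>=` is required, and a unit test that requests the index equal to `clients_.size()` and expects the request to be rejected would cover it. The rejection path also returns silently, so unless something outside this hunk handles it, an out-of-range request leaves no log entry that monitoring could pick up. OnWebSocketRequest starts before and continues past the hunk.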