-rw-r--r-- | chromium/base/metrics/persistent_memory_allocator.cc | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/chromium/base/metrics/persistent_memory_allocator.cc b/chromium/base/metrics/persistent_memory_allocator.cc
index 1db378acea9..5dc3484abd6 100644
--- a/chromium/base/metrics/persistent_memory_allocator.cc
+++ b/chromium/base/metrics/persistent_memory_allocator.cc
@@ -546,7 +546,10 @@ size_t PersistentMemoryAllocator::GetAllocSize(Reference ref) const {
 uint32_t size = block->size;
 // Header was verified by GetBlock() but a malicious actor could change
 // the value between there and here. Check it again.
- if (size <= sizeof(BlockHeader) || ref + size > mem_size_) {
+ uint32_t total_size;
+ if (size <= sizeof(BlockHeader) ||
+ !base::CheckAdd(ref, size).AssignIfValid(&total_size) ||
+ total_size > mem_size_) {
 SetCorrupt();
 return 0;
 }
|
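Review bot: The comment above the check still explains only the re-read of `block->size`, not why the sum is now computed with `base::CheckAdd`, so a later cleanup could simplify it back to `ref + size`. I would add a line before `uint32_t total_size;` such as `// ref + size can wrap and slip under mem_size_, so the sum must use checked math.` The diffstat shows no include added by this commit, so `base/numerics/checked_math.h` is presumably already reachable in this file; it is worth confirming that it is included directly rather than transitively. GetAllocSize starts and ends outside the hunk, so the subtraction of the header size on the return path is not visible here.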