diff options
author | Will Harris <wfh@chromium.org> | 2023-03-02 16:49:42 +0000 |
---|---|---|
committer | Michael BrĂ¼ning <michael.bruning@qt.io> | 2023-03-24 10:06:39 +0000 |
commit | f0f74eb107199ff36e2b70103e8fe21b659c8866 (patch) | |
tree | 705e198afb8d10558631af0cb0662cd2d93921f2 | |
parent | 17fe88a2d7da7d6150fdcbcb764d4f029da4f3f7 (diff) | |
download | qtwebengine-chromium-f0f74eb107199ff36e2b70103e8fe21b659c8866.tar.gz |
[Backport] CVE-2023-1219: Heap buffer overflow in Metrics (1/3)
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4279513:
Prevent potential integer overflow in PersistentMemoryAllocator
BUG=1415328
(cherry picked from commit 19de280a0c28065acf2a7e001af5c981698a461c)
Change-Id: I66dcae6a1aacc1310ddd715033b3704c932b9800
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4250177
Commit-Queue: Will Harris <wfh@chromium.org>
Commit-Queue: Alexei Svitkine <asvitkine@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1105177}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4279513
Commit-Queue: Zakhar Voit <voit@google.com>
Owners-Override: Victor-Gabriel Savu <vsavu@google.com>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Cr-Commit-Position: refs/branch-heads/5359@{#1400}
Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468220
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/base/metrics/persistent_memory_allocator.cc | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/chromium/base/metrics/persistent_memory_allocator.cc b/chromium/base/metrics/persistent_memory_allocator.cc index 1db378acea9..5dc3484abd6 100644 --- a/chromium/base/metrics/persistent_memory_allocator.cc +++ b/chromium/base/metrics/persistent_memory_allocator.cc @@ -546,7 +546,10 @@ size_t PersistentMemoryAllocator::GetAllocSize(Reference ref) const { uint32_t size = block->size; // Header was verified by GetBlock() but a malicious actor could change // the value between there and here. Check it again. - if (size <= sizeof(BlockHeader) || ref + size > mem_size_) { + uint32_t total_size; + if (size <= sizeof(BlockHeader) || + !base::CheckAdd(ref, size).AssignIfValid(&total_size) || + total_size > mem_size_) { SetCorrupt(); return 0; } |