[Backport] CVE-2023-1219: Heap buffer overflow in Metrics (1/3)

Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4279513:
Prevent potential integer overflow in PersistentMemoryAllocator

BUG=1415328

(cherry picked from commit 19de280a0c28065acf2a7e001af5c981698a461c)

Change-Id: I66dcae6a1aacc1310ddd715033b3704c932b9800
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4250177
Commit-Queue: Will Harris <wfh@chromium.org>
Commit-Queue: Alexei Svitkine <asvitkine@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1105177}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4279513
Commit-Queue: Zakhar Voit <voit@google.com>
Owners-Override: Victor-Gabriel Savu <vsavu@google.com>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Cr-Commit-Position: refs/branch-heads/5359@{#1400}
Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/468220
Reviewed-by: Michal Klocek <michal.klocek@qt.io>

1 files changed, 4 insertions, 1 deletions

diff --git a/chromium/base/metrics/persistent_memory_allocator.cc b/chromium/base/metrics/persistent_memory_allocator.cc
index 1db378acea9..5dc3484abd6 100644
--- a/chromium/base/metrics/persistent_memory_allocator.cc
+++ b/chromium/base/metrics/persistent_memory_allocator.cc
@@ -546,7 +546,10 @@ size_t PersistentMemoryAllocator::GetAllocSize(Reference ref) const {
   uint32_t size = block->size;
   // Header was verified by GetBlock() but a malicious actor could change
   // the value between there and here. Check it again.
-  if (size <= sizeof(BlockHeader) || ref + size > mem_size_) {
+  uint32_t total_size;
+  if (size <= sizeof(BlockHeader) ||
+      !base::CheckAdd(ref, size).AssignIfValid(&total_size) ||
+      total_size > mem_size_) {
     SetCorrupt();
     return 0;
   }