author | Will Harris <wfh@chromium.org> | 2023-03-02 10:23:28 +0000 |
---|---|---|
committer | Michael Brüning <michael.bruning@qt.io> | 2023-04-04 11:25:58 +0000 |
commit | 9dd9b39ef9d0e6db80e598d5ad2a2b98451f5323 (patch) | |
tree | 6b99dcb81db891203e2429c819bc5dd1fbe4a139 | |
parent | ca58730e230cacf8eb0e97ac070f8e3beed8c738 (diff) | |
download | qtwebengine-chromium-9dd9b39ef9d0e6db80e598d5ad2a2b98451f5323.tar.gz |
[Backport] CVE-2023-1220: Heap buffer overflow in UMA
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/4289351:
Fix potential out of bounds write in base::SampleVectorBase
BUG=1417185
(cherry picked from commit 552939b035e724e022fedb90fd80cd008e441fcf)
Change-Id: I70719d0f9afb81dda373f88ab3a1c177397659ec
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4265437
Commit-Queue: Will Harris <wfh@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1106984}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4289351
Commit-Queue: Zakhar Voit <voit@google.com>
Reviewed-by: Victor-Gabriel Savu <vsavu@google.com>
Owners-Override: Victor-Gabriel Savu <vsavu@google.com>
Cr-Commit-Position: refs/branch-heads/5359@{#1397}
Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469843
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/base/metrics/sample_vector.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/chromium/base/metrics/sample_vector.cc b/chromium/base/metrics/sample_vector.cc index ce1ea737abd..87c78096253 100644 --- a/chromium/base/metrics/sample_vector.cc +++ b/chromium/base/metrics/sample_vector.cc @@ -266,6 +266,12 @@ void SampleVectorBase::MoveSingleSampleToCounts() { if (sample.count == 0) return; + // Stop here if the sample bucket would be out of range for the AtomicCount + // array. + if (sample.bucket >= counts_size()) { + return; + } + // Move the value into storage. Sum and redundant-count already account // for this entry so no need to call IncreaseSumAndCount(). subtle::NoBarrier_AtomicIncrement(&counts()[sample.bucket], sample.count); |
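Review bot: The new early return in `SampleVectorBase::MoveSingleSampleToCounts()` drops an out-of-range sample silently, while the comment directly below it says sum and redundant-count already account for the entry, so after this return the totals still include a sample that no bucket holds. The added comment should say that this inconsistency is accepted, or the branch should record the event (a debug check or a counter) so a corrupted single-sample value is visible rather than quietly discarded. The guard `sample.bucket >= counts_size()` is only a complete bounds check if both operands are unsigned or compared in the same type; the hunk does not show their types, so confirm that a negative or wrapped bucket value cannot pass the comparison and reach `counts()[sample.bucket]`. The diffstat lists only sample_vector.cc, so no regression test accompanies the fix; a unit test that feeds an out-of-range bucket and checks that the counts array is untouched would keep this check from being removed later.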