authorWill Harris <wfh@chromium.org>2023-03-02 10:23:28 +0000
committerMichael Brüning <michael.bruning@qt.io>2023-04-04 11:25:58 +0000
commit9dd9b39ef9d0e6db80e598d5ad2a2b98451f5323 (patch)
tree6b99dcb81db891203e2429c819bc5dd1fbe4a139
parentca58730e230cacf8eb0e97ac070f8e3beed8c738 (diff)
downloadqtwebengine-chromium-9dd9b39ef9d0e6db80e598d5ad2a2b98451f5323.tar.gz
[Backport] CVE-2023-1220: Heap buffer overflow in UMA
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4289351: Fix potential out of bounds write in base::SampleVectorBase BUG=1417185 (cherry picked from commit 552939b035e724e022fedb90fd80cd008e441fcf) Change-Id: I70719d0f9afb81dda373f88ab3a1c177397659ec Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4265437 Commit-Queue: Will Harris <wfh@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1106984} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4289351 Commit-Queue: Zakhar Voit <voit@google.com> Reviewed-by: Victor-Gabriel Savu <vsavu@google.com> Owners-Override: Victor-Gabriel Savu <vsavu@google.com> Cr-Commit-Position: refs/branch-heads/5359@{#1397} Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469843 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/base/metrics/sample_vector.cc6
1 files changed, 6 insertions, 0 deletions
diff --git a/chromium/base/metrics/sample_vector.cc b/chromium/base/metrics/sample_vector.cc
index ce1ea737abd..87c78096253 100644
--- a/chromium/base/metrics/sample_vector.cc
+++ b/chromium/base/metrics/sample_vector.cc
@@ -266,6 +266,12 @@ void SampleVectorBase::MoveSingleSampleToCounts() {
if (sample.count == 0)
return;
+ // Stop here if the sample bucket would be out of range for the AtomicCount
+ // array.
+ if (sample.bucket >= counts_size()) {
+ return;
+ }
+
// Move the value into storage. Sum and redundant-count already account
// for this entry so no need to call IncreaseSumAndCount().
subtle::NoBarrier_AtomicIncrement(&counts()[sample.bucket], sample.count);