authorWill Harris <wfh@chromium.org>2023-03-02 17:21:30 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-04-04 11:25:49 +0000
commitca58730e230cacf8eb0e97ac070f8e3beed8c738 (patch)
tree3027f8e164e0d412cdd41ff8ac7e65d070c5de28
parentc1d9b7fd4fa278262704795779b7e9011c102566 (diff)
downloadqtwebengine-chromium-ca58730e230cacf8eb0e97ac070f8e3beed8c738.tar.gz
[Backport] CVE-2023-1219: Heap buffer overflow in Metrics (3/3)
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4280124: Prevent potential integer overflow in PersistentMemoryAllocator https://crrev.com/c/4250177 added an extra check for potential integer overflow in GetAllocSize but forgot to add the same check in GetBlock. This meant that it was possible to get a pointer to a block but calling GetAllocSize on the same block would return zero. This change makes the two functions consistent with each other so calling GetBlock on invalid data will return nullptr. BUG=1417317,1415328 (cherry picked from commit 81be8e8f2e13a9f1fe6d3150205a3c13af1db6e9) Change-Id: I8eb3d91bae4528fc97517d202baf337536a4c81f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4264177 Commit-Queue: Alexei Svitkine <asvitkine@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1107105} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4280124 Owners-Override: Victor-Gabriel Savu <vsavu@google.com> Reviewed-by: Victor-Gabriel Savu <vsavu@google.com> Commit-Queue: Zakhar Voit <voit@google.com> Cr-Commit-Position: refs/branch-heads/5359@{#1402} Cr-Branched-From: 27d3765d341b09369006d030f83f582a29eb57ae-refs/heads/main@{#1058933} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/469842 Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r--chromium/base/metrics/persistent_memory_allocator.cc14
1 files changed, 12 insertions, 2 deletions
diff --git a/chromium/base/metrics/persistent_memory_allocator.cc b/chromium/base/metrics/persistent_memory_allocator.cc
index 015ec5cf288..7143bb7d294 100644
--- a/chromium/base/metrics/persistent_memory_allocator.cc
+++ b/chromium/base/metrics/persistent_memory_allocator.cc
@@ -888,8 +888,13 @@ PersistentMemoryAllocator::GetBlock(Reference ref, uint32_t type_id,
if (ref % kAllocAlignment != 0)
return nullptr;
size += sizeof(BlockHeader);
- if (ref + size > mem_size_)
+ uint32_t total_size;
+ if (!base::CheckAdd(ref, size).AssignIfValid(&total_size)) {
+ return nullptr;
+ }
+ if (total_size > mem_size_) {
return nullptr;
+ }
// Validation of referenced block-header.
if (!free_ok) {
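Review bot: `total_size` in the new `uint32_t total_size;` holds `ref + size`, the offset one past the requested range rather than a size, so `if (total_size > mem_size_)` reads as a size-versus-capacity check when it is really an end-offset bound; naming it `uint32_t end_offset;` with `if (!base::CheckAdd(ref, size).AssignIfValid(&end_offset))` and `if (end_offset > mem_size_)` states what is guarded, and the same applies to `block_size` in the second hunk. The preceding `size += sizeof(BlockHeader);` is still a plain addition that executes before the checked one; the parameter's type is cut off at the hunk header, so whether that add can wrap before reaching the CheckAdd should be confirmed against the declaration. GetBlock begins before this hunk and continues past it.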
@@ -899,8 +904,13 @@ PersistentMemoryAllocator::GetBlock(Reference ref, uint32_t type_id,
return nullptr;
if (block->size < size)
return nullptr;
- if (ref + block->size > mem_size_)
+ uint32_t block_size;
+ if (!base::CheckAdd(ref, block->size).AssignIfValid(&block_size)) {
return nullptr;
+ }
+ if (block_size > mem_size_) {
+ return nullptr;
+ }
if (type_id != 0 &&
block->type_id.load(std::memory_order_relaxed) != type_id) {
return nullptr;
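Review bot: `block->size` is read twice on the new side, once in `if (block->size < size)` and again in `base::CheckAdd(ref, block->size)`, so the value bounded by the first check is not necessarily the value fed to the second; if the backing region can be modified concurrently, as a persistent allocator backed by shared memory may be, the two reads can disagree and a header that passed the `< size` comparison can reach the add with a different value. Reading the field once makes both checks operate on the same value: add `const uint32_t header_size = block->size;` before the first comparison, then use `if (header_size < size)` and `base::CheckAdd(ref, header_size).AssignIfValid(&block_size)`. The declaration of `block` sits above this hunk, and GetBlock continues past its last line.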