authorMarijn Kruisselbrink <mek@chromium.org>2019-01-31 00:15:16 +0000
committerMichal Klocek <michal.klocek@qt.io>2019-03-25 10:01:21 +0000
commite8bb1f1a6b2877c86519749ffab34f94bb6a1028 (patch)
tree0012bf7cb6b84740d84098b79d35132a01342872
parent9d8557937b0b7db7d32b0a820d737acbecc42b2e (diff)
downloadqtwebengine-chromium-e8bb1f1a6b2877c86519749ffab34f94bb6a1028.tar.gz
[Backport] CVE-2019-5788
Harden against overflows of OperationID a bit better. Rather than having a UAF when OperationID overflows instead overwrite the old operation with the new one. Can still cause weirdness, but at least won't result in UAF. Also update OperationID to uint64_t to make sure we don't overflow to begin with. Bug: 925864 Reviewed-on: https://chromium-review.googlesource.com/c/1441498 Change-Id: Ie13274f1966a6d751a0f5e0ceaf7554afc2e2f2f Reviewed-by: Michael Brüning <michael.bruning@qt.io>
-rw-r--r--chromium/storage/browser/fileapi/file_system_operation_runner.cc3
-rw-r--r--chromium/storage/browser/fileapi/file_system_operation_runner.h2
2 files changed, 3 insertions, 2 deletions
diff --git a/chromium/storage/browser/fileapi/file_system_operation_runner.cc b/chromium/storage/browser/fileapi/file_system_operation_runner.cc
index fbda72b3cdf..a8b00657e34 100644
--- a/chromium/storage/browser/fileapi/file_system_operation_runner.cc
+++ b/chromium/storage/browser/fileapi/file_system_operation_runner.cc
@@ -701,7 +701,8 @@ FileSystemOperationRunner::BeginOperation(
base::WeakPtr<BeginOperationScoper> scope) {
OperationHandle handle;
handle.id = next_operation_id_++;
- operations_.emplace(handle.id, std::move(operation));
+ DCHECK(operations_.find(handle.id) == operations_.end());
+ operations_[handle.id] = std::move(operation);
handle.scope = scope;
return handle;
}
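Review bot: The switch from `emplace` to `operator[]` carries the whole safety argument of this change, but nothing at the call site says so; the `DCHECK` above it is compiled out in release builds, so in production an ID collision (only reachable if `next_operation_id_` wraps, which the widening to `uint64_t` makes practically unreachable) silently replaces the in-flight operation rather than failing loudly. A short comment would keep the next maintainer from "restoring" `emplace`: `// Assign rather than emplace(): if an ID is ever reused, the stale entry is replaced instead of the new operation being destroyed while its handle is still handed out.` It may also be worth noting, presumably in the header next to `next_operation_id_`, that the counter is never reset and that the DCHECK is the only collision detection. The signature of BeginOperation begins before this hunk.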
diff --git a/chromium/storage/browser/fileapi/file_system_operation_runner.h b/chromium/storage/browser/fileapi/file_system_operation_runner.h
index a330f4802d5..97f9e0d8116 100644
--- a/chromium/storage/browser/fileapi/file_system_operation_runner.h
+++ b/chromium/storage/browser/fileapi/file_system_operation_runner.h
@@ -53,7 +53,7 @@ class STORAGE_EXPORT FileSystemOperationRunner
using CopyOrMoveOption = FileSystemOperation::CopyOrMoveOption;
using GetMetadataField = FileSystemOperation::GetMetadataField;
- using OperationID = int;
+ using OperationID = uint64_t;
virtual ~FileSystemOperationRunner();