-rw-r--r--chromium/base/metrics/persistent_memory_allocator.cc5
1 files changed, 4 insertions, 1 deletions
diff --git a/chromium/base/metrics/persistent_memory_allocator.cc b/chromium/base/metrics/persistent_memory_allocator.cc
index 1db378acea9..5dc3484abd6 100644
--- a/chromium/base/metrics/persistent_memory_allocator.cc
+++ b/chromium/base/metrics/persistent_memory_allocator.cc
@@ -546,7 +546,10 @@ size_t PersistentMemoryAllocator::GetAllocSize(Reference ref) const {
uint32_t size = block->size;
// Header was verified by GetBlock() but a malicious actor could change
// the value between there and here. Check it again.
- if (size <= sizeof(BlockHeader) || ref + size > mem_size_) {
+ uint32_t total_size;
+ if (size <= sizeof(BlockHeader) ||
+ !base::CheckAdd(ref, size).AssignIfValid(&total_size) ||
+ total_size > mem_size_) {
SetCorrupt();
return 0;
}
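Review bot: The comment above the condition still describes only the re-read race, so nothing at the check explains why `base::CheckAdd` replaced the plain `ref + size`. I would add a line such as `// Use checked arithmetic: a corrupted size could make ref + size wrap and slip under mem_size_.` directly above `uint32_t total_size;`. `size` is a `uint32_t` copied from the shared header; the wrap presumably relies on `Reference` also being 32-bit, which is declared outside this hunk. GetAllocSize starts and ends outside the hunk, so it is worth confirming that the rest of the function uses only the local `size` and never re-reads `block->size`. A regression test feeding a block whose size is near the 32-bit maximum and expecting a 0 return with the allocator marked corrupt would pin this behaviour.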