1 files changed, 8 insertions, 8 deletions

diff --git a/chromium/third_party/blink/renderer/platform/wtf/text/cstring.cc b/chromium/third_party/blink/renderer/platform/wtf/text/cstring.cc
index 63c4c4382cc..33ac70a692a 100644
--- a/chromium/third_party/blink/renderer/platform/wtf/text/cstring.cc
+++ b/chromium/third_party/blink/renderer/platform/wtf/text/cstring.cc
@@ -27,24 +27,24 @@
 #include "third_party/blink/renderer/platform/wtf/text/cstring.h"
 
 #include <string.h>
+#include "base/numerics/checked_math.h"
 #include "third_party/blink/renderer/platform/wtf/allocator/partitions.h"
 #include "third_party/blink/renderer/platform/wtf/ascii_ctype.h"
+#include "third_party/blink/renderer/platform/wtf/std_lib_extras.h"
 
 namespace WTF {
 
 scoped_refptr<CStringImpl> CStringImpl::CreateUninitialized(size_t length,
                                                             char*& data) {
-  // TODO(esprehn): This doesn't account for the NUL.
-  CHECK_LT(length,
-           (std::numeric_limits<unsigned>::max() - sizeof(CStringImpl)));
-
+  unsigned length_in_unsigned = SafeCast<unsigned>(length);
+  base::CheckedNumeric<size_t> size = length;
   // The +1 is for the terminating NUL character.
-  size_t size = sizeof(CStringImpl) + length + 1;
-  CStringImpl* buffer = static_cast<CStringImpl*>(
-      Partitions::BufferMalloc(size, WTF_HEAP_PROFILER_TYPE_NAME(CStringImpl)));
+  size += sizeof(CStringImpl) + 1;
+  CStringImpl* buffer = static_cast<CStringImpl*>(Partitions::BufferMalloc(
+      size.ValueOrDie(), WTF_HEAP_PROFILER_TYPE_NAME(CStringImpl)));
   data = reinterpret_cast<char*>(buffer + 1);
   data[length] = '\0';
-  return base::AdoptRef(new (buffer) CStringImpl(length));
+  return base::AdoptRef(new (buffer) CStringImpl(length_in_unsigned));
 }
 
 void CStringImpl::operator delete(void* ptr) {