authorJonathan Hao <phao@chromium.org>2023-08-03 16:12:56 +0000
committerMichael BrĂ¼ning <michael.bruning@qt.io>2023-09-14 09:47:42 +0000
commit3bf928ef51c9ef418de17bc7c4d9ac49ea76a6db (patch)
treecdd294dd81e4c78d3f70f108271f25fa76258438
parent419ccc596a8fe69b071067213efd19be0659e605 (diff)
[Backport] CVE-2023-4362: Heap buffer overflow in Mojom IDL
Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4742429: Add hardening CHECK in mojojs for large buffers. Bug: 1316379 Change-Id: I7a3a50cd9c1434cc86b4b2aa45a491c812832a3a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4742429 Auto-Submit: Jonathan Hao <phao@chromium.org> Reviewed-by: Ken Rockot <rockot@google.com> Commit-Queue: Ken Rockot <rockot@google.com> Cr-Commit-Position: refs/heads/main@{#1179071} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/503196 Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--chromium/mojo/public/cpp/bindings/lib/message.cc2
1 files changed, 1 insertions, 1 deletions
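diff --git a/chromium/mojo/public/cpp/bindings/lib/message.cc b/chromium/mojo/public/cpp/bindings/lib/message.cc
index 8c489947606..ba0b148adb1 100644
--- a/chromium/mojo/public/cpp/bindings/lib/message.cc
+++ b/chromium/mojo/public/cpp/bindings/lib/message.cc
@@ -270,7 +270,7 @@ Message::Message(base::span<const uint8_t> payload,
 void* buffer;
 uint32_t buffer_size;
-DCHECK(base::IsValueInRangeForNumericType<uint32_t>(payload.size()));
+CHECK(base::IsValueInRangeForNumericType<uint32_t>(payload.size()));
 DCHECK(base::IsValueInRangeForNumericType<uint32_t>(handles.size()));
 MojoAppendMessageDataOptions options;
 options.struct_size = sizeof(options);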
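Review bot: The sibling range check immediately after the promoted line, `DCHECK(base::IsValueInRangeForNumericType<uint32_t>(handles.size()));`, is still a DCHECK, so in release builds it compiles out while the payload check now terminates the process; if handles.size() can be driven by the same caller the commit message names (mojojs), it should be promoted the same way: `CHECK(base::IsValueInRangeForNumericType<uint32_t>(handles.size()));`. A short comment above the new CHECK, such as `// CHECK rather than DCHECK: payload.size() may be caller-controlled, and a size that does not fit uint32_t must fail in release builds too.`, would record why this particular assertion has to survive in production. Message::Message's body begins and ends outside the hunk, so whether either size is later narrowed to uint32_t is presumed from the checks themselves rather than visible here.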