1 files changed, 7 insertions, 1 deletions

diff --git a/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc b/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc
index de0b768b63b..add4c004423 100644
--- a/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc
+++ b/chromium/mojo/edk/system/data_pipe_producer_dispatcher.cc
@@ -333,7 +333,9 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
 
   const SerializedState* state = static_cast<const SerializedState*>(data);
   if (!state->options.capacity_num_bytes || !state->options.element_num_bytes ||
-      state->options.capacity_num_bytes < state->options.element_num_bytes) {
+      state->options.capacity_num_bytes < state->options.element_num_bytes ||
+      state->write_offset >= state->options.capacity_num_bytes ||
+      state->available_capacity > state->options.capacity_num_bytes) {
     return nullptr;
   }
 
@@ -366,6 +368,10 @@ DataPipeProducerDispatcher::Deserialize(const void* data,
     dispatcher->peer_closed_ = state->flags & kFlagPeerClosed;
     if (!dispatcher->InitializeNoLock())
       return nullptr;
+    if (state->options.capacity_num_bytes >
+        dispatcher->ring_buffer_mapping_->GetLength()) {
+      return nullptr;
+    }
     dispatcher->UpdateSignalsStateNoLock();
   }