[Backport] CVE-2023-4362: Heap buffer overflow in Mojom IDL

Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/4742429: Add hardening CHECK in mojojs for large buffers. Bug: 1316379 Change-Id: I7a3a50cd9c1434cc86b4b2aa45a491c812832a3a Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4742429 Auto-Submit: Jonathan Hao <[email protected]> Reviewed-by: Ken Rockot <[email protected]> Commit-Queue: Ken Rockot <[email protected]> Cr-Commit-Position: refs/heads/main@{#1179071} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/499076 Reviewed-by: Allan Sandfeld Jensen <[email protected]>
qt · Aug 25, 2023 · 83284f5 · 83284f5
1 parent 131a16d
commit 83284f5
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/chromium/mojo/public/cpp/bindings/lib/message.cc b/chromium/mojo/public/cpp/bindings/lib/message.cc
@@ -271,7 +271,7 @@ Message::Message(base::span<const uint8_t> payload,
 
   void* buffer;
   uint32_t buffer_size;
-  DCHECK(base::IsValueInRangeForNumericType<uint32_t>(payload.size()));
+  CHECK(base::IsValueInRangeForNumericType<uint32_t>(payload.size()));
   DCHECK(base::IsValueInRangeForNumericType<uint32_t>(handles.size()));
   MojoAppendMessageDataOptions options;
   options.struct_size = sizeof(options);