Fix errors caused by unsafe conversions to/from size_t

Fix errors caused by unsafe conversions to/from size_t

The real world error this CL fixes is in initCSSFontFace where
allocating a buffer with a size between 2G and 4G would cause an
unsigned to int conversion that overflowed into the sign bit. While
investigating this issue, many other unsafe cast were found and are
fixed by this change. SharedBuffer was changed to use size_t
consistently and a new intrumentation pattern was implemented to
prevent call sites of SharedBuffer from performing unsafe casts.

The underlying issue is a rabbit hole, and this CL does not propagate
all the way through (which would be an unmanageably large patch). At
the far reaches of this change some unsafe casts were kept (ex. int to
size_t), but the safety of those casts was mitigated by adding run-time
checks, implemented by using safeCast<size_t>.

The check in safeCast<T> was changed from ASSERT to RELEASE_ASSERT to
better protect against potential security vulnerabilities. The
reasoning is that many of the values that pass through safeCast are
buffer sizes or array indices, so bad casts may lead to memory access
errors. When this situation is encountered we prefer to intentionally
crash the process.

BUG=474899
Committed: https://crrev.com/4b510033b7c3286e244d38351d2a8868c5e6a7b6
Cr-Commit-Position: refs/heads/master@{#368890}

[Justin Novosad, 2016-01-11 18:30:31]

junov@chromium.org changed reviewers:
+ haraken@chromium.org

[Justin Novosad, 2016-01-11 18:30:31]

PTAL

[Justin Novosad, 2016-01-11 18:31:50]

Description was changed from

==========
Fix errors caused by unsafe conversions to/from size_t

The real world error this CL fixes is in initCSSFontFace where
allocating a buffer with a size between 2G and 4G would cause an
unsigned to int conversion that overflowed into the sign bit. While
investigating this issue, many other unsafe cast were found and are
fixed by this change. SharedBuffer was changed to use size_t
consistently and a new intrumentation pattern was implemented to
prevent call sites of SharedBuffer from performing unsafe casts.

The underlying issue is a rabbit hole, and this CL does not propagate
all the way through (which would be an unmanageably large patch). At
the far reaches of this change some unsafe casts were kept (ex. int to
size_t), but the safety of those casts was mitigated by adding run-time
checks, implemented by usingsafeCast<size_t>.

The check in safeCast<T> was changed from ASSERT to RELEASE_ASSERT to
better protect against potential security vulnerabilities. The
reasoning is that many of the values that pass through safeCast are
buffer sizes or array indices, so bad casts may lead to memory access
errors. When this situation is encountered we prefer to intentionally
crash the process.

BUG=474899
==========

to

==========
Fix errors caused by unsafe conversions to/from size_t

The real world error this CL fixes is in initCSSFontFace where
allocating a buffer with a size between 2G and 4G would cause an
unsigned to int conversion that overflowed into the sign bit. While
investigating this issue, many other unsafe cast were found and are
fixed by this change. SharedBuffer was changed to use size_t
consistently and a new intrumentation pattern was implemented to
prevent call sites of SharedBuffer from performing unsafe casts.

The underlying issue is a rabbit hole, and this CL does not propagate
all the way through (which would be an unmanageably large patch). At
the far reaches of this change some unsafe casts were kept (ex. int to
size_t), but the safety of those casts was mitigated by adding run-time
checks, implemented by using safeCast<size_t>.

The check in safeCast<T> was changed from ASSERT to RELEASE_ASSERT to
better protect against potential security vulnerabilities. The
reasoning is that many of the values that pass through safeCast are
buffer sizes or array indices, so bad casts may lead to memory access
errors. When this situation is encountered we prefer to intentionally
crash the process.

BUG=474899
==========

[haraken, 2016-01-11 23:56:12]

LGTM

[Justin Novosad, 2016-01-12 15:37:09]

The CQ bit was checked by junov@chromium.org

[commit-bot: I haz the power, 2016-01-12 15:37:31]

CQ is trying da patch. Follow status at
 https://chromium-cq-status.appspot.com/patch-status/1571233003/40001
View timeline at
 https://chromium-cq-status.appspot.com/patch-timeline/1571233003/40001

[commit-bot: I haz the power, 2016-01-12 16:20:32]

Description was changed from

==========
Fix errors caused by unsafe conversions to/from size_t

The real world error this CL fixes is in initCSSFontFace where
allocating a buffer with a size between 2G and 4G would cause an
unsigned to int conversion that overflowed into the sign bit. While
investigating this issue, many other unsafe cast were found and are
fixed by this change. SharedBuffer was changed to use size_t
consistently and a new intrumentation pattern was implemented to
prevent call sites of SharedBuffer from performing unsafe casts.

The underlying issue is a rabbit hole, and this CL does not propagate
all the way through (which would be an unmanageably large patch). At
the far reaches of this change some unsafe casts were kept (ex. int to
size_t), but the safety of those casts was mitigated by adding run-time
checks, implemented by using safeCast<size_t>.

The check in safeCast<T> was changed from ASSERT to RELEASE_ASSERT to
better protect against potential security vulnerabilities. The
reasoning is that many of the values that pass through safeCast are
buffer sizes or array indices, so bad casts may lead to memory access
errors. When this situation is encountered we prefer to intentionally
crash the process.

BUG=474899
==========

to

==========
Fix errors caused by unsafe conversions to/from size_t

The real world error this CL fixes is in initCSSFontFace where
allocating a buffer with a size between 2G and 4G would cause an
unsigned to int conversion that overflowed into the sign bit. While
investigating this issue, many other unsafe cast were found and are
fixed by this change. SharedBuffer was changed to use size_t
consistently and a new intrumentation pattern was implemented to
prevent call sites of SharedBuffer from performing unsafe casts.

The underlying issue is a rabbit hole, and this CL does not propagate
all the way through (which would be an unmanageably large patch). At
the far reaches of this change some unsafe casts were kept (ex. int to
size_t), but the safety of those casts was mitigated by adding run-time
checks, implemented by using safeCast<size_t>.

The check in safeCast<T> was changed from ASSERT to RELEASE_ASSERT to
better protect against potential security vulnerabilities. The
reasoning is that many of the values that pass through safeCast are
buffer sizes or array indices, so bad casts may lead to memory access
errors. When this situation is encountered we prefer to intentionally
crash the process.

BUG=474899
==========

[commit-bot: I haz the power, 2016-01-12 16:20:33]

Committed patchset #3 (id:40001)

[commit-bot: I haz the power, 2016-01-12 16:21:53]

Description was changed from

==========
Fix errors caused by unsafe conversions to/from size_t

The real world error this CL fixes is in initCSSFontFace where
allocating a buffer with a size between 2G and 4G would cause an
unsigned to int conversion that overflowed into the sign bit. While
investigating this issue, many other unsafe cast were found and are
fixed by this change. SharedBuffer was changed to use size_t
consistently and a new intrumentation pattern was implemented to
prevent call sites of SharedBuffer from performing unsafe casts.

The underlying issue is a rabbit hole, and this CL does not propagate
all the way through (which would be an unmanageably large patch). At
the far reaches of this change some unsafe casts were kept (ex. int to
size_t), but the safety of those casts was mitigated by adding run-time
checks, implemented by using safeCast<size_t>.

The check in safeCast<T> was changed from ASSERT to RELEASE_ASSERT to
better protect against potential security vulnerabilities. The
reasoning is that many of the values that pass through safeCast are
buffer sizes or array indices, so bad casts may lead to memory access
errors. When this situation is encountered we prefer to intentionally
crash the process.

BUG=474899
==========

to

==========
Fix errors caused by unsafe conversions to/from size_t

The real world error this CL fixes is in initCSSFontFace where
allocating a buffer with a size between 2G and 4G would cause an
unsigned to int conversion that overflowed into the sign bit. While
investigating this issue, many other unsafe cast were found and are
fixed by this change. SharedBuffer was changed to use size_t
consistently and a new intrumentation pattern was implemented to
prevent call sites of SharedBuffer from performing unsafe casts.

The underlying issue is a rabbit hole, and this CL does not propagate
all the way through (which would be an unmanageably large patch). At
the far reaches of this change some unsafe casts were kept (ex. int to
size_t), but the safety of those casts was mitigated by adding run-time
checks, implemented by using safeCast<size_t>.

The check in safeCast<T> was changed from ASSERT to RELEASE_ASSERT to
better protect against potential security vulnerabilities. The
reasoning is that many of the values that pass through safeCast are
buffer sizes or array indices, so bad casts may lead to memory access
errors. When this situation is encountered we prefer to intentionally
crash the process.

BUG=474899

Committed: https://crrev.com/4b510033b7c3286e244d38351d2a8868c5e6a7b6
Cr-Commit-Position: refs/heads/master@{#368890}
==========

[commit-bot: I haz the power, 2016-01-12 16:21:54]

Patchset 3 (id:??) landed as
https://crrev.com/4b510033b7c3286e244d38351d2a8868c5e6a7b6
Cr-Commit-Position: refs/heads/master@{#368890}