Fix integer overflow in software compositor

content/browser/renderer_host/software_frame_manager.cc

Index: content/browser/renderer_host/software_frame_manager.cc
diff --git a/content/browser/renderer_host/software_frame_manager.cc b/content/browser/renderer_host/software_frame_manager.cc
index cb4efb6f04e8bd27391033ebfbc2fea2d86a6190..387dc00d5287ed2c9ad0ebd2cf05f811b6cc8237 100644
--- a/content/browser/renderer_host/software_frame_manager.cc
+++ b/content/browser/renderer_host/software_frame_manager.cc
@@ -7,6 +7,7 @@
 #include "base/bind.h"
 #include "base/callback_helpers.h"
 #include "base/debug/alias.h"
+#include "base/numerics/safe_math.h"
 #include "content/browser/renderer_host/dip_util.h"
 #include "content/public/browser/user_metrics.h"
 
@@ -96,7 +97,15 @@ bool SoftwareFrameManager::SwapToNewFrame(
 
   // The NULL handle is used in testing.
   if (base::SharedMemory::IsHandleValid(shared_memory->handle())) {
-    const size_t size_in_bytes = 4 * frame_data->size.GetArea();
+    base::CheckedNumeric<size_t> size_in_bytes_checked =
+        base::CheckedNumeric<size_t>(4) *
+        base::CheckedNumeric<size_t>(frame_data->size.width()) *
+        base::CheckedNumeric<size_t>(frame_data->size.height());

[jschuh, 2014/03/14 06:14:12]

This is fine, but is there a good reason not to have overflow checks in
gfx::SizeBase::GetArea() and gfx::SizeBase::Expand()? We can just have integer
overflow saturate to numeric_limits<Type>::max(), to preserve the current
interface (and it parallels flooring the negative values to zero elsewhere in
the class).

[ccameron, 2014/03/14 19:38:14]

Filed issue 352761 on it.

+    if (!size_in_bytes_checked.IsValid()) {
+      DLOG(ERROR) << "Integer overflow when computing bytes to map.";
+      return false;
+    }
+    size_t size_in_bytes = size_in_bytes_checked.ValueOrDie();
 #ifdef OS_WIN
     if (!shared_memory->Map(0)) {
       DLOG(ERROR) << "Unable to map renderer memory.";