Check for integer overflow in allocations.

Check for integer overflow in allocations.

BUG=669751
Review-Url: https://codereview.chromium.org/2957583004
Cr-Commit-Position: refs/heads/master@{#482392}
Committed: https://chromium.googlesource.com/chromium/src/+/66d7c69f7d8c8d63138066ad74a89524f3a4e250

[palmer, 2017-06-23 23:09:05]

palmer@chromium.org changed reviewers:
+ haraken@chromium.org

[palmer, 2017-06-23 23:09:23]

Should be nice and simple.

We may need to audit for similar call sites.

[palmer, 2017-06-23 23:09:28]

The CQ bit was checked by palmer@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-23 23:09:43]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[palmer, 2017-06-23 23:16:40]

The CQ bit was checked by palmer@chromium.org to run a CQ dry run

[commit-bot: I haz the power, 2017-06-23 23:16:56]

Dry run: CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-24 01:26:22]

The CQ bit was unchecked by commit-bot@chromium.org

[commit-bot: I haz the power, 2017-06-24 01:26:22]

Dry run: This issue passed the CQ dry run.

[haraken, 2017-06-24 09:55:36]

LGTM!

How did you find these call sites?

[sof, 2017-06-25 06:31:31]

https://codereview.chromium.org/2957583004/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/css/CSSSelectorList.cpp (right):

https://codereview.chromium.org/2957583004/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/css/CSSSelectorList.cpp:50:
WTF::Partitions::GetAllocationSize(sizeof(CSSSelector), length),
This is reversing the arguments from the declared (count, size) params, which
suggests the method name isn't as helpful as it could be (why a 'getter'?)
CheckedArraySize(), CheckedAllocationSize(), or you could provide a template
method that's parameterized over T -- CheckedSizeof<T>(count).

[palmer, 2017-06-26 18:43:08]

> How did you find these call sites?

`grep -ri alloc *` usually turns up something of interest to security people. ;)
I suspect there are more such call sites.

[palmer, 2017-06-26 18:55:13]

https://codereview.chromium.org/2957583004/diff/20001/third_party/WebKit/Sour...
File third_party/WebKit/Source/core/css/CSSSelectorList.cpp (right):

https://codereview.chromium.org/2957583004/diff/20001/third_party/WebKit/Sour...
third_party/WebKit/Source/core/css/CSSSelectorList.cpp:50:
WTF::Partitions::GetAllocationSize(sizeof(CSSSelector), length),
Changed the name to |ComputeAllocationSize| and switched the arguments.

[palmer, 2017-06-26 18:55:55]

The CQ bit was checked by palmer@chromium.org

[palmer, 2017-06-26 18:55:55]

The patchset sent to the CQ was uploaded after l-g-t-m from haraken@chromium.org
Link to the patchset: https://codereview.chromium.org/2957583004/#ps40001
(title: "Rename the function to |ComputeAllocationSize|.")

[commit-bot: I haz the power, 2017-06-26 18:56:09]

CQ is trying da patch.

Follow status at:
https://chromium-cq-status.appspot.com/v2/patch-status/codereview.chromium.or...

[commit-bot: I haz the power, 2017-06-26 20:56:28]

CQ is committing da patch.

Bot data: {"patchset_id": 40001, "attempt_start_ts": 1498503355200290,
"parent_rev": "4cae001bbc27f26a91b5242c7fb0ee7d307d990a", "commit_rev":
"66d7c69f7d8c8d63138066ad74a89524f3a4e250"}

[commit-bot: I haz the power, 2017-06-26 20:56:42]

Description was changed from

==========
Check for integer overflow in allocations.

BUG=669751
==========

to

==========
Check for integer overflow in allocations.

BUG=669751

Review-Url: https://codereview.chromium.org/2957583004
Cr-Commit-Position: refs/heads/master@{#482392}
Committed:
https://chromium.googlesource.com/chromium/src/+/66d7c69f7d8c8d63138066ad74a8...
==========

[commit-bot: I haz the power, 2017-06-26 20:56:45]

Committed patchset #3 (id:40001) as
https://chromium.googlesource.com/chromium/src/+/66d7c69f7d8c8d63138066ad74a8...