Fix potential out of bounds write in base::SampleVectorBase BUG=1417185 Change-Id: I70719d0f9afb81dda373f88ab3a1c177397659ec Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4265437 Reviewed-by: Alexei Svitkine <[email protected]> Commit-Queue: Will Harris <[email protected]> Cr-Commit-Position: refs/heads/main@{#1106984}

commit: 552939b035e724e022fedb90fd80cd008e441fcf [log] [tgz]
author: Will Harris <[email protected]> Fri Feb 17 21:09:35 2023
committer: Chromium LUCI CQ <[email protected]> Fri Feb 17 21:09:35 2023
tree: 87c9e730e94432732621f40594a8e64a8a7176d4
parent: 2957ce35574b134906b8c5576627081183743706 [diff] [blame]
diff --git a/base/metrics/sample_vector.cc b/base/metrics/sample_vector.cc
index e3cdc5d..2a46445 100644
--- a/base/metrics/sample_vector.cc
+++ b/base/metrics/sample_vector.cc

@@ -276,6 +276,12 @@
   if (sample.count == 0)
     return;
 
+  // Stop here if the sample bucket would be out of range for the AtomicCount
+  // array.
+  if (sample.bucket >= counts_size()) {
+    return;
+  }
+
   // Move the value into storage. Sum and redundant-count already account
   // for this entry so no need to call IncreaseSumAndCount().
   subtle::NoBarrier_AtomicIncrement(&counts()[sample.bucket], sample.count);
commit	552939b035e724e022fedb90fd80cd008e441fcf	[log] [tgz]
author	Will Harris <[email protected]>	Fri Feb 17 21:09:35 2023
committer	Chromium LUCI CQ <[email protected]>	Fri Feb 17 21:09:35 2023
tree	87c9e730e94432732621f40594a8e64a8a7176d4
parent	2957ce35574b134906b8c5576627081183743706 [diff] [blame]