Sergei Glazunov authored
It's common for C++ code to have pointers right past the end of an allocation, i.e. of the form |allocation_start + allocation_size|. When |PartitionAllocGetSlotStart| receives such a pointer and the size of the allocation equals the size of its bucket, the function returns the address of the next slot (or even the area outside the slot span). Subsequent |PartitionRefCount| operations may then modify the reference count of an unrelated object or corrupt the slot's free list pointer (if it is in the "freed" state).

Instead of adding more fields to the CheckedPtr ignore list, we modify |PartitionAllocGetSlotStart| to support past-the-end pointers.

In addition, remove the workaround for a bug that has been caused by the past-the-end pointer in |base::BigEndianWriter::ptr_|.

Bug: 1073933, 1164636
Change-Id: Ia582680d9d6c83357f45123416a86a52661fa71c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2636354
Commit-Queue: Sergei Glazunov <glazunov@google.com>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Bartek Nowierski <bartekn@chromium.org>
Reviewed-by: Kentaro Hara <haraken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#846076}
0afe22b8
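The slot lookup problem the commit message describes, as an added, simplified model (hypothetical slot layout and function names, not PartitionAlloc's own code). It assumes each slot begins with an in-slot ref-count header, so a valid user pointer is never exactly at slot start; that assumption is what makes the one-byte adjustment in the corrected lookup safe.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdint>

// Assumed layout (hypothetical): [ref-count header][user allocation] per slot,
// with the allocation size equal to the bucket size, i.e. it fills the slot.
constexpr size_t kRefCountSize = 8;
constexpr size_t kSlotSize = 32;   // bucket size == slot size
constexpr size_t kNumSlots = 4;
alignas(kSlotSize) unsigned char g_span[kSlotSize * kNumSlots];

uintptr_t SpanStart() { return reinterpret_cast<uintptr_t>(g_span); }
uintptr_t SlotStart(size_t slot) { return SpanStart() + slot * kSlotSize; }
// Pointer handed to the caller for a given slot (just after the header).
uintptr_t UserPtr(size_t slot) { return SlotStart(slot) + kRefCountSize; }
size_t UserSize() { return kSlotSize - kRefCountSize; }

// Naive lookup: round the address down to a slot boundary. A past-the-end
// pointer of a bucket-sized allocation (slot_start + kSlotSize) lands on the
// NEXT slot, or beyond the span for the last slot, so a ref-count update
// through it touches an unrelated object or a freed slot's free-list pointer.
uintptr_t NaiveGetSlotStart(uintptr_t address) {
  size_t offset = address - SpanStart();
  return SpanStart() + (offset / kSlotSize) * kSlotSize;
}

// Corrected lookup: classify the byte just before the address. The header
// guarantees user pointers sit above slot start, so this never moves a valid
// in-slot pointer into the previous slot, while a past-the-end pointer is
// mapped back to the slot it came from.
uintptr_t FixedGetSlotStart(uintptr_t address) {
  size_t offset = (address - 1) - SpanStart();
  return SpanStart() + (offset / kSlotSize) * kSlotSize;
}

// True when a resolved slot start lies inside the span.
bool InsideSpan(uintptr_t slot_start) {
  return slot_start >= SpanStart() && slot_start < SpanStart() + sizeof(g_span);
}

int main() {
  uintptr_t past_end = UserPtr(1) + UserSize();          // == SlotStart(2)
  assert(NaiveGetSlotStart(past_end) == SlotStart(2));   // wrong object
  assert(FixedGetSlotStart(past_end) == SlotStart(1));   // correct slot
  uintptr_t last_past_end = UserPtr(kNumSlots - 1) + UserSize();
  assert(!InsideSpan(NaiveGetSlotStart(last_past_end))); // escapes the span
  assert(FixedGetSlotStart(last_past_end) == SlotStart(kNumSlots - 1));
  return 0;
}
```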