[BlobStorage] Fixing potential overflow

Bug: 779314
Change-Id: I74612639d20544e4c12230569c7b88fbe669ec03
Reviewed-on: https://chromium-review.googlesource.com/747725Reviewed-by: Victor Costan <pwnall@chromium.org>
Commit-Queue: Daniel Murphy <dmurph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#512977}

storage/browser/blob/blob_storage_context.cc

@@ -169,7 +169,10 @@ BlobStorageContext::BlobFlattener::BlobFlattener(
       }
 
       // Validate our reference has good offset & length.
-      if (input_element.offset() + length > ref_entry->total_size()) {
+      uint64_t end_byte;
+      if (!base::CheckAdd(input_element.offset(), length)
+               .AssignIfValid(&end_byte) ||
+          end_byte > ref_entry->total_size()) {
         status = BlobStatus::ERR_INVALID_CONSTRUCTION_ARGUMENTS;
         return;
       }

storage/browser/blob/blob_storage_context_unittest.cc

@@ -889,6 +889,24 @@ TEST_F(BlobStorageContextTest, BuildBlobCombinations) {
   EXPECT_EQ(0lu, context_->memory_controller().disk_usage());
 }
 
+TEST_F(BlobStorageContextTest, NegativeSlice) {
+  const std::string kId1("id1");
+  const std::string kId2("id2");
+
+  std::unique_ptr<BlobDataHandle> handle = SetupBasicBlob(kId1);
+
+  EXPECT_EQ(1lu, context_->memory_controller().memory_usage());
+
+  BlobDataBuilder builder(kId2);
+  builder.AppendBlob(kId1, static_cast<uint64_t>(-10), 11);
+  std::unique_ptr<BlobDataHandle> handle2 = context_->BuildBlob(
+      builder, BlobStorageContext::TransportAllowedCallback());
+
+  EXPECT_TRUE(handle2->IsBroken());
+  EXPECT_EQ(BlobStatus::ERR_INVALID_CONSTRUCTION_ARGUMENTS,
+            handle2->GetBlobStatus());
+}
+
 // TODO(michaeln): tests for the deprecated url stuff
 
 }  // namespace storage