Fix an integer overflow when creating FileNetLogObserver with a large maximum size.

Bug: 959929
Change-Id: I5f0784568f0d6147fc32de5c54b1f8799f472ef9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1600636Reviewed-by: David Benjamin <davidben@chromium.org>
Commit-Queue: Eric Roman <eroman@chromium.org>
Cr-Commit-Position: refs/heads/master@{#657773}

net/log/file_net_log_observer.cc

@@ -15,6 +15,7 @@
 #include "base/files/file_util.h"
 #include "base/json/json_writer.h"
 #include "base/logging.h"
+#include "base/numerics/clamped_math.h"
 #include "base/sequenced_task_runner.h"
 #include "base/strings/string_number_conversions.h"
 #include "base/synchronization/lock.h"
@@ -460,11 +461,13 @@ std::unique_ptr<FileNetLogObserver> FileNetLogObserver::CreateInternal(
       log_path, inprogress_dir_path, std::move(pre_existing_log_file),
       max_event_file_size, total_num_event_files, file_task_runner));
 
-  scoped_refptr<WriteQueue> write_queue(new WriteQueue(max_total_size * 2));
+  uint64_t write_queue_memory_max =
+      base::MakeClampedNum<uint64_t>(max_total_size) * 2;
 
-  return std::unique_ptr<FileNetLogObserver>(
-      new FileNetLogObserver(file_task_runner, std::move(file_writer),
-                             std::move(write_queue), std::move(constants)));
+  return base::WrapUnique(new FileNetLogObserver(
+      file_task_runner, std::move(file_writer),
+      base::WrapRefCounted(new WriteQueue(write_queue_memory_max)),
+      std::move(constants)));
 }
 
 FileNetLogObserver::FileNetLogObserver(

net/log/file_net_log_observer_unittest.cc

@@ -309,7 +309,7 @@ class FileNetLogObserverBoundedTest : public ::testing::Test,
   }
 
   void CreateAndStartObserving(std::unique_ptr<base::Value> constants,
-                               int total_file_size,
+                               uint64_t total_file_size,
                                int num_files) {
     logger_ = FileNetLogObserver::CreateBoundedForTests(
         log_path_, total_file_size, num_files, std::move(constants));
@@ -939,6 +939,34 @@ TEST_F(FileNetLogObserverBoundedTest, PreExistingUsesSpecifiedDir) {
   EXPECT_FALSE(base::PathExists(GetInprogressDirectory()));
 }
 
+// Creates a bounded log with a very large total size and verifies that events
+// are not dropped. This is a regression test for https://crbug.com/959929 in
+// which the WriteQueue size was calculated by the possibly overflowed
+// expression |total_file_size * 2|.
+TEST_F(FileNetLogObserverBoundedTest, LargeWriteQueueSize) {
+  TestClosure closure;
+
+  // This is a large value such that multiplying it by 2 will overflow to a much
+  // smaller value (5).
+  uint64_t total_file_size = 0x8000000000000005;
+
+  CreateAndStartObserving(nullptr, total_file_size, kTotalNumFiles);
+
+  // Send 3 dummy events. This isn't a lot of data, however if WriteQueue was
+  // initialized using the overflowed value of |total_file_size * 2| (which is
+  // 5), then the effective limit would prevent any events from being written.
+  AddEntries(logger_.get(), 3, kDummyEventSize);
+
+  logger_->StopObserving(nullptr, closure.closure());
+
+  closure.WaitForResult();
+
+  // Verify the written log.
+  std::unique_ptr<ParsedNetLog> log = ReadNetLogFromDisk(log_path_);
+  ASSERT_TRUE(log);
+  ASSERT_EQ(3u, log->events->GetSize());
+}
+
 void AddEntriesViaNetLog(NetLog* net_log, int num_entries) {
   for (int i = 0; i < num_entries; i++) {
     net_log->AddGlobalEntry(NetLogEventType::PAC_JAVASCRIPT_ERROR);