[net] Use ClampedNumeric in BackoffEntry::CalculateReleaseTime

This fixes a fuzzer-discovered integer overflow. The modified line was attempting to compute (1 - -2147483648). Bug: 1133024 Change-Id: I5193e61fe3a144cce760b836d41e6d802eaccd14 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2437483Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Commit-Queue: Dan McArdle <dmcardle@chromium.org> Cr-Commit-Position: refs/heads/master@{#812188}

[net] Use ClampedNumeric in BackoffEntry::CalculateReleaseTime
This fixes a fuzzer-discovered integer overflow. The modified line was attempting to compute (1 - -2147483648). Bug: 1133024 Change-Id: I5193e61fe3a144cce760b836d41e6d802eaccd14 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2437483Reviewed-by: Maksim Orlovich <morlovich@chromium.org> Commit-Queue: Dan McArdle <dmcardle@chromium.org> Cr-Commit-Position: refs/heads/master@{#812188}
5b10d616 · Dan McArdle · Commit Bot · 49bb6911 · 5b10d616
Commit 5b10d616 authored Sep 30, 2020 by Dan McArdle Committed by Commit Bot Sep 30, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

net/base/backoff_entry.cc net/base/backoff_entry.cc +3 -2

No files found.
--- a/net/base/backoff_entry.cc
+++ b/net/base/backoff_entry.cc
@@ -9,6 +9,7 @@
 #include <limits>
 #include "base/check_op.h"
+#include "base/numerics/clamped_math.h"
 #include "base/numerics/safe_math.h"
 #include "base/rand_util.h"
 #include "base/time/tick_clock.h"
@@ -119,8 +120,8 @@ base::TimeTicks BackoffEntry::GetTimeTicksNow() const {
 }
 base::TimeTicks BackoffEntry::CalculateReleaseTime() const {
-  int effective_failure_count =
+  base::ClampedNumeric<int> effective_failure_count =
-      std::max(0, failure_count_ - policy_->num_errors_to_ignore);
+      base::ClampSub(failure_count_, policy_->num_errors_to_ignore).Max(0);
  // If always_use_initial_delay is true, it's equivalent to
  // the effective_failure_count always being one greater than when it's false.