The correct type for the size of a chunk of memory is size_t.

By using uint32, we have bugs on 64-bit platforms: callers passing in a size_t, will have their size truncated, potentially allocating a smaller
chunk than requested. There are a few places this happens, including on the
receiving ends of IPCs(!)

However, coversely, other callers of the API might directly assign the
memory chunk's length to uint32, leading to a different possible truncation
problem. This is guaraded against by limiting operations internally to
std::numeric_limits<uint32_t> in size for now.

There's some minor cascade effects that make the CL look larger than it is.

BUG=164678
Review URL: https://codereview.chromium.org/11446048

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@175987 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 3 insertions, 0 deletions

diff --git a/base/shared_memory_android.cc b/base/shared_memory_android.cc
index a5beceb..e2c683c 100644
--- a/base/shared_memory_android.cc
+++ b/base/shared_memory_android.cc
@@ -19,6 +19,9 @@ namespace base {
 bool SharedMemory::Create(const SharedMemoryCreateOptions& options) {
   DCHECK_EQ(-1, mapped_file_ );
 
+  if (options.size > static_cast<size_t>(std::numeric_limits<int>::max()))
+    return false;
+
   // "name" is just a label in ashmem. It is visible in /proc/pid/maps.
   mapped_file_ = ashmem_create_region(
       options.name == NULL ? "" : options.name->c_str(),