From 7d8ee943ec4d6a93b3e74f8dc0edd5044ebd5831 Mon Sep 17 00:00:00 2001
From: Chirag M Shah <chirag_m_shah@apple.com>
Date: Thu, 26 Jan 2023 13:21:10 -0800
Subject: [PATCH] Cherry-pick 252432.954@safari-7614-branch (114407780ae6).
 rdar://104668013

    Guard against overflow when growing the buffer
    rdar://problem/103000322

    Reviewed by Jonathan Bedard and Chris Dumez.

    * Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp:
    (WebKit::HistoryEntryDataEncoder::grow):
    (WebKit::HistoryEntryDataEncoder::growCapacity):

    Canonical link: https://commits.webkit.org/252432.954@safari-7614-branch

Canonical link: https://commits.webkit.org/259452@main
---
 .../UIProcess/mac/LegacySessionStateCoding.cpp   | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp b/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp
index c15b56826195..80da39b91dc1 100644
--- a/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp
+++ b/Source/WebKit/UIProcess/mac/LegacySessionStateCoding.cpp
@@ -29,6 +29,7 @@
 #include "APIData.h"
 #include "SessionState.h"
 #include <mutex>
+#include <wtf/CheckedArithmetic.h>
 #include <wtf/MallocPtr.h>
 #include <wtf/cf/TypeCastsCF.h>
 #include <wtf/text/StringView.h>
@@ -224,11 +225,14 @@ class HistoryEntryDataEncoder {
     {
         size_t alignedSize = ((m_bufferSize + alignment - 1) / alignment) * alignment;
 
-        growCapacity(alignedSize + size);
+        Checked<size_t> bufferSize = size;
+        bufferSize += alignedSize;
+
+        growCapacity(bufferSize.value());
 
         std::memset(m_buffer.get() + m_bufferSize, 0, alignedSize - m_bufferSize);
 
-        m_bufferSize = alignedSize + size;
+        m_bufferSize = bufferSize.value();
         m_bufferPointer = m_buffer.get() + m_bufferSize;
 
         return m_buffer.get() + alignedSize;
@@ -239,12 +243,12 @@ class HistoryEntryDataEncoder {
         if (newSize <= m_bufferCapacity)
             return;
 
-        size_t newCapacity = m_bufferCapacity * 2;
+        Checked<size_t> newCapacity = m_bufferCapacity;
         while (newCapacity < newSize)
-            newCapacity *= 2;
+            newCapacity *= 2U;
 
-        m_buffer.realloc(newCapacity);
-        m_bufferCapacity = newCapacity;
+        m_buffer.realloc(newCapacity.value());
+        m_bufferCapacity = newCapacity.value();
     }
 
     size_t m_bufferSize;