Fix potential handle reuse in Mojo

Fixed: 1270333 Change-Id: Ife188d519092e4e634355fd53d97c85009771b76 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3414063 Auto-Submit: Ken Rockot <rockot@google.com> Reviewed-by: Daniel Cheng <dcheng@chromium.org> Commit-Queue: Daniel Cheng <dcheng@chromium.org> Cr-Commit-Position: refs/heads/main@{#962946}
chromium · Jan 25, 2022 · 76eca90 · 76eca90
1 parent cbada26
commit 76eca90
Showing 1 changed file with 9 additions and 3 deletions.
diff --git a/mojo/core/handle_table.cc b/mojo/core/handle_table.cc
@@ -65,13 +65,19 @@ bool HandleTable::AddDispatchersFromTransit(
     const std::vector<Dispatcher::DispatcherInTransit>& dispatchers,
     MojoHandle* handles) {
   // Oops, we're out of handles.
-  if (next_available_handle_ == MOJO_HANDLE_INVALID)
+  if (next_available_handle_ == MOJO_HANDLE_INVALID) {
     return false;
+  }
+
+  // MOJO_HANDLE_INVALID is zero.
+  DCHECK_GE(next_available_handle_, 1u);
 
-  DCHECK_LE(dispatchers.size(), std::numeric_limits<uint32_t>::max());
   // If this insertion would cause handle overflow, we're out of handles.
-  if (next_available_handle_ + dispatchers.size() < next_available_handle_)
+  const uint32_t num_handles_available =
+      std::numeric_limits<uint32_t>::max() - next_available_handle_ + 1;
+  if (num_handles_available < dispatchers.size()) {
     return false;
+  }
 
   for (size_t i = 0; i < dispatchers.size(); ++i) {
     MojoHandle handle = MOJO_HANDLE_INVALID;