[M148] WTF: Use base::checked_cast for size casting in Vector constructors [chromium/src : refs/branch-heads/7778]

1 view
Skip to first unread message

Kent Tamura (Gerrit)

unread,
May 21, 2026, 11:06:26 PM (14 days ago) May 21
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Kent Tamura, Chromium LUCI CQ, android-bu...@system.gserviceaccount.com, rubber-...@appspot.gserviceaccount.com, blink-...@chromium.org, kinuko...@chromium.org, blink-re...@chromium.org

Kent Tamura voted Code-Review+1

Code-Review+1
Open in Gerrit

Related details

Attention set is empty
Submit Requirements:
  • requirement satisfiedCode-Owners
  • requirement satisfiedCode-Review
  • requirement satisfiedLint
  • requirement satisfiedReview-Enforcement
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: comment
Gerrit-Project: chromium/src
Gerrit-Branch: refs/branch-heads/7778
Gerrit-Change-Id: Iff0edf2a1ce40da294c77f9c5eeb5898ac56611b
Gerrit-Change-Number: 7868934
Gerrit-PatchSet: 2
Gerrit-Reviewer: Kent Tamura <tk...@chromium.org>
Gerrit-Comment-Date: Fri, 22 May 2026 03:05:58 +0000
Gerrit-HasComments: No
Gerrit-Has-Labels: Yes
satisfied_requirement
open
diffy

Chromium LUCI CQ (Gerrit)

unread,
May 22, 2026, 12:47:28 AM (14 days ago) May 22
to chrome-che...@chops-service-accounts.iam.gserviceaccount.com, Kent Tamura, android-bu...@system.gserviceaccount.com, rubber-...@appspot.gserviceaccount.com, blink-...@chromium.org, kinuko...@chromium.org, blink-re...@chromium.org

Chromium LUCI CQ submitted the change

Change information

Commit message:
[M148] WTF: Use base::checked_cast for size casting in Vector constructors

Original change's description:
> WTF: Use base::checked_cast for size casting in Vector constructors
>
> Initializing a blink::Vector from a base::span or a range uses size_t
> for the input size, but blink::Vector internally uses wtf_size_t
> (32-bit) for its size representation.
>
> This change introduces base::checked_cast<wtf_size_t> during
> construction to ensure that if the input size exceeds the 32-bit limit,
> the process crashes safely. This prevents silent integer truncation,
> which could otherwise lead to memory safety issues such as buffer
> overflows.
>
> No unit tests are added because it is impractical to allocate a 4GB+
> buffer to trigger this condition in a standard test environment.
>
> Bug: 514746176
> Change-Id: Iff0edf2a1ce40da294c77f9c5eeb5898ac56611b
> Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/7861980
> Reviewed-by: Kentaro Hara <har...@chromium.org>
> Commit-Queue: Kent Tamura <tk...@chromium.org>
> Auto-Submit: Kent Tamura <tk...@chromium.org>
> Cr-Commit-Position: refs/heads/main@{#1633311}

(cherry picked from commit ddf427ac6b17eb7fc8ffb41adbac960acbe4d73d)
Bug: 515275045,514746176
Change-Id: Iff0edf2a1ce40da294c77f9c5eeb5898ac56611b
Reviewed-by: Kent Tamura <tk...@chromium.org>
Cr-Commit-Position: refs/branch-heads/7778@{#3462}
Cr-Branched-From: 77f495ee216d4c3cc784d33658bad4778c0680ee-refs/heads/main@{#1610480}
Files:
  • M third_party/blink/renderer/platform/wtf/vector.h
Change size: XS
Delta: 1 file changed, 4 insertions(+), 4 deletions(-)
Branch: refs/branch-heads/7778
Submit Requirements:
Open in Gerrit
Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. DiffyGerrit
Gerrit-MessageType: merged
Gerrit-Project: chromium/src
Gerrit-Branch: refs/branch-heads/7778
Gerrit-Change-Id: Iff0edf2a1ce40da294c77f9c5eeb5898ac56611b
Gerrit-Change-Number: 7868934
open
diffy
satisfied_requirement
Reply all
Reply to author
Forward
0 new messages