Fix errors caused by unsafe conversions to/from size_t

The real-world error this CL fixes is in initCSSFontFace where
allocating a buffer with a size between 2G and 4G would cause an
unsigned to int conversion that overflowed into the sign bit. While
investigating this issue, many other unsafe casts were found and are
fixed by this change. SharedBuffer was changed to use size_t
consistently and a new instrumentation pattern was implemented to
prevent call sites of SharedBuffer from performing unsafe casts.

The underlying issue is a rabbit hole, and this CL does not propagate
all the way through (which would be an unmanageably large patch). At
the far reaches of this change some unsafe casts were kept (ex. int to
size_t), but the safety of those casts was mitigated by adding run-time
checks, implemented by using safeCast<size_t>.

The check in safeCast<T> was changed from ASSERT to RELEASE_ASSERT to
better protect against potential security vulnerabilities. The
reasoning is that many of the values that pass through safeCast are
buffer sizes or array indices, so bad casts may lead to memory access
errors. When this situation is encountered we prefer to intentionally
crash the process.

BUG=474899

Review URL: https://codereview.chromium.org/1571233003

Cr-Commit-Position: refs/heads/master@{#368890}
46 files changed
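
The conversion failure and the always-on range check described in the commit message above, as an added C++ example. It is not Blink's safeCast or any code from this CL; `is_negative`, `fits_in`, `safe_cast` and `unchecked_length` are hypothetical names, and the sizes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Hypothetical helper. Written as (v < 1 && v != 0) so the same template
// also compiles cleanly when T is unsigned.
template <typename T>
constexpr bool is_negative(T v) { return v < T(1) && v != T(0); }

// True when `value` is representable in To: it must survive a round trip
// through To and keep its sign.
template <typename To, typename From>
constexpr bool fits_in(From value) {
    return static_cast<From>(static_cast<To>(value)) == value &&
           is_negative(static_cast<To>(value)) == is_negative(value);
}

// Range-checked cast. The check is a plain `if`, so it is not compiled out
// of release builds the way a debug-only assertion would be.
template <typename To, typename From>
To safe_cast(From value) {
    if (!fits_in<To>(value)) {
        std::fprintf(stderr, "safe_cast: value out of range\n");
        std::abort();  // crash on purpose rather than use a bad size or index
    }
    return static_cast<To>(value);
}

// The unchecked pattern: an unsigned size between 2G and 4G converted to int
// lands in the sign bit and comes out negative on common compilers.
int unchecked_length(uint32_t size) { return static_cast<int>(size); }

int main() {
    const uint32_t three_gib = 3u * 1024 * 1024 * 1024;  // constructed size
    std::printf("unchecked: %d\n", unchecked_length(three_gib));
    std::printf("3 GiB fits in int: %d\n", fits_in<int>(three_gib));
    std::printf("-1 fits in size_t: %d\n", fits_in<size_t>(-1));
    std::printf("checked: %zu\n", safe_cast<size_t>(4096));
    return 0;
}
```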