CVE-2025-0838 - Heap buffer overflow vulnerable in Abseil-cpp

CVE-2025-0838 - Heap buffer overflow vulnerable in Abseil-cpp

Origin: https://github.com/abseil/abseil-cpp/commit/5a0e2cb5e3958dd90bb8569a2766622cb74d90c1
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098903

Backported for bookworm from upstream.
From 5a0e2cb5e3958dd90bb8569a2766622cb74d90c1 Mon Sep 17 00:00:00 2001
From: Derek Mauro <dmauro@google.com>
Date: Thu, 23 Jan 2025 06:33:43 -0800
Subject: [PATCH] Fix potential integer overflow in hash container
 create/resize

The sized constructors, reserve(), and rehash() methods of
absl::{flat,node}_hash_{set,map} did not impose an upper bound on
their size argument. As a result, it was possible for a caller to pass
a very large size that would cause an integer overflow when computing
the size of the container's backing store. Subsequent accesses to the
container might then access out-of-bounds memory.

The fix is in two parts:

1) Update max_size() to return the maximum number of items that can be
stored in the container

2) Validate the size arguments to the constructors, reserve(), and
rehash() methods, and abort the program when the argument is invalid

We've looked at uses of these containers in Google codebases like
Chrome, and determined this vulnerability is likely to be difficult to
exploit. This is primarily because container sizes are rarely
attacker-controlled.

The bug was discovered by Dmitry Vyukov <dvyukov@google.com>.

PiperOrigin-RevId: 718841870
Change-Id: Ic09dc9de140a35dbb45ab9d90f58383cf2de8286

Gbp-Pq: Name CVE-2025-0838.patch