From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001
From: Boris Zbarsky
Date: Mon, 1 Jun 2015 16:59:26 -0700
Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in XHR. r=baku a=lizzard
---
 content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
index 58a9ee0..56d1aa3 100644
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -7,6 +7,7 @@
 #include "nsXMLHttpRequest.h"
 #include "mozilla/ArrayUtils.h"
+#include "mozilla/CheckedInt.h"
 #include "mozilla/dom/XMLHttpRequestUploadBinding.h"
 #include "mozilla/EventDispatcher.h"
 #include "mozilla/EventListenerManager.h"
@@ -3897,26 +3898,30 @@ bool
 ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
                            uint32_t aMaxGrowth)
 {
+  CheckedUint32 neededCapacity = mLength;
+  neededCapacity += aDataLen;
+  if (!neededCapacity.isValid()) {
+    return false;
+  }
   if (mLength + aDataLen > mCapacity) {
-    uint32_t newcap;
+    CheckedUint32 newcap = mCapacity;
     // Double while under aMaxGrowth or if not specified.
     if (!aMaxGrowth || mCapacity < aMaxGrowth) {
-      newcap = mCapacity * 2;
+      newcap *= 2;
     } else {
-      newcap = mCapacity + aMaxGrowth;
+      newcap += aMaxGrowth;
     }
-    // But make sure there's always enough to satisfy our request.
-    if (newcap < mLength + aDataLen) {
-      newcap = mLength + aDataLen;
+    if (!newcap.isValid()) {
+      return false;
     }
-    // Did we overflow?
-    if (newcap < mCapacity) {
-      return false;
+    // But make sure there's always enough to satisfy our request.
+    if (newcap.value() < neededCapacity.value()) {
+      newcap = neededCapacity;
     }
-    if (!setCapacity(newcap)) {
+    if (!setCapacity(newcap.value())) {
       return false;
     }
   }
-- 
2.4.3
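Review bot: Failing the append when the growth step overflows (`if (!newcap.isValid()) { return false; }`) is stricter than the code it replaces: the removed path clamped a wrapped `newcap` down to `mLength + aDataLen` and only refused when that sum was itself out of range, whereas the new code refuses even though `neededCapacity` has already been validated and would fit. Folding the two checks together keeps the overflow detection and preserves the fallback: `if (!newcap.isValid() || newcap.value() < neededCapacity.value()) { newcap = neededCapacity; }`. The outer `if (mLength + aDataLen > mCapacity)` still performs the raw addition, which is only safe because of the `neededCapacity` check a few lines above; `if (neededCapacity.value() > mCapacity)` would make that dependency explicit and keep every arithmetic step on the checked type. The remainder of append's body (the copy into the buffer after the capacity block) lies outside the hunk.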