53 lines
1.7 KiB
Diff
53 lines
1.7 KiB
Diff
From ccbae7ff07c2e72c48e0676adaa3e798990f33a1 Mon Sep 17 00:00:00 2001
|
|
From: Andrea Marchesini <amarchesini@mozilla.com>
|
|
Date: Tue, 23 Jun 2015 10:47:38 -0400
|
|
Subject: [PATCH] Bug 1170809 - Improve the buffer size check in
|
|
nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings
|
|
|
|
---
|
|
content/base/src/nsXMLHttpRequest.cpp | 15 +++++++++++----
|
|
1 file changed, 11 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
|
|
index 56d1aa3..86425d7 100644
|
|
--- a/content/base/src/nsXMLHttpRequest.cpp
|
|
+++ b/content/base/src/nsXMLHttpRequest.cpp
|
|
@@ -655,13 +655,18 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
|
|
&destBufferLen);
|
|
NS_ENSURE_SUCCESS(rv, rv);
|
|
|
|
- if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible_t())) {
|
|
+ uint32_t size = mResponseText.Length() + destBufferLen;
|
|
+ if (size < (uint32_t)destBufferLen) {
|
|
+ return NS_ERROR_OUT_OF_MEMORY;
|
|
+ }
|
|
+
|
|
+ if (!mResponseText.SetCapacity(size, fallible_t())) {
|
|
return NS_ERROR_OUT_OF_MEMORY;
|
|
}
|
|
|
|
char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
|
|
|
|
- int32_t totalChars = mResponseText.Length();
|
|
+ CheckedInt32 totalChars = mResponseText.Length();
|
|
|
|
// This code here is basically a copy of a similar thing in
|
|
// nsScanner::Append(const char* aBuffer, uint32_t aLen).
|
|
@@ -674,9 +679,11 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
|
|
MOZ_ASSERT(NS_SUCCEEDED(rv));
|
|
|
|
totalChars += destlen;
|
|
+ if (!totalChars.isValid()) {
|
|
+ return NS_ERROR_OUT_OF_MEMORY;
|
|
+ }
|
|
|
|
- mResponseText.SetLength(totalChars);
|
|
-
|
|
+ mResponseText.SetLength(totalChars.value());
|
|
return NS_OK;
|
|
}
|
|
|
|
--
|
|
2.4.3
|
|
|