mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2025-01-01 09:02:59 -05:00
67 lines
2 KiB
Diff
67 lines
2 KiB
Diff
|
From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001
|
||
|
From: Boris Zbarsky <bzbarsky@mit.edu>
|
||
|
Date: Mon, 1 Jun 2015 16:59:26 -0700
|
||
|
Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in
|
||
|
XHR. r=baku a=lizzard
|
||
|
|
||
|
---
|
||
|
content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++----------
|
||
|
1 file changed, 15 insertions(+), 10 deletions(-)
|
||
|
|
||
|
diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
|
||
|
index 58a9ee0..56d1aa3 100644
|
||
|
--- a/content/base/src/nsXMLHttpRequest.cpp
|
||
|
+++ b/content/base/src/nsXMLHttpRequest.cpp
|
||
|
@@ -7,6 +7,7 @@
|
||
|
#include "nsXMLHttpRequest.h"
|
||
|
|
||
|
#include "mozilla/ArrayUtils.h"
|
||
|
+#include "mozilla/CheckedInt.h"
|
||
|
#include "mozilla/dom/XMLHttpRequestUploadBinding.h"
|
||
|
#include "mozilla/EventDispatcher.h"
|
||
|
#include "mozilla/EventListenerManager.h"
|
||
|
@@ -3897,26 +3898,30 @@ bool
|
||
|
ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
|
||
|
uint32_t aMaxGrowth)
|
||
|
{
|
||
|
+ CheckedUint32 neededCapacity = mLength;
|
||
|
+ neededCapacity += aDataLen;
|
||
|
+ if (!neededCapacity.isValid()) {
|
||
|
+ return false;
|
||
|
+ }
|
||
|
if (mLength + aDataLen > mCapacity) {
|
||
|
- uint32_t newcap;
|
||
|
+ CheckedUint32 newcap = mCapacity;
|
||
|
// Double while under aMaxGrowth or if not specified.
|
||
|
if (!aMaxGrowth || mCapacity < aMaxGrowth) {
|
||
|
- newcap = mCapacity * 2;
|
||
|
+ newcap *= 2;
|
||
|
} else {
|
||
|
- newcap = mCapacity + aMaxGrowth;
|
||
|
+ newcap += aMaxGrowth;
|
||
|
}
|
||
|
|
||
|
- // But make sure there's always enough to satisfy our request.
|
||
|
- if (newcap < mLength + aDataLen) {
|
||
|
- newcap = mLength + aDataLen;
|
||
|
+ if (!newcap.isValid()) {
|
||
|
+ return false;
|
||
|
}
|
||
|
|
||
|
- // Did we overflow?
|
||
|
- if (newcap < mCapacity) {
|
||
|
- return false;
|
||
|
+ // But make sure there's always enough to satisfy our request.
|
||
|
+ if (newcap.value() < neededCapacity.value()) {
|
||
|
+ newcap = neededCapacity;
|
||
|
}
|
||
|
|
||
|
- if (!setCapacity(newcap)) {
|
||
|
+ if (!setCapacity(newcap.value())) {
|
||
|
return false;
|
||
|
}
|
||
|
}
|
||
|
--
|
||
|
2.4.3
|
||
|
|