path: root/gnu/packages/patches/icecat-CVE-2015-2739.patch
From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001
From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Mon, 1 Jun 2015 16:59:26 -0700
Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in
 XHR. r=baku a=lizzard

---
 content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
index 58a9ee0..56d1aa3 100644
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -7,6 +7,7 @@
 #include "nsXMLHttpRequest.h"
 
 #include "mozilla/ArrayUtils.h"
+#include "mozilla/CheckedInt.h"
 #include "mozilla/dom/XMLHttpRequestUploadBinding.h"
 #include "mozilla/EventDispatcher.h"
 #include "mozilla/EventListenerManager.h"
@@ -3897,26 +3898,30 @@ bool
 ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
                            uint32_t aMaxGrowth)
 {
+  CheckedUint32 neededCapacity = mLength;
+  neededCapacity += aDataLen;
+  if (!neededCapacity.isValid()) {
+    return false;
+  }
   if (mLength + aDataLen > mCapacity) {
-    uint32_t newcap;
+    CheckedUint32 newcap = mCapacity;
     // Double while under aMaxGrowth or if not specified.
     if (!aMaxGrowth || mCapacity < aMaxGrowth) {
-      newcap = mCapacity * 2;
+      newcap *= 2;
     } else {
-      newcap = mCapacity + aMaxGrowth;
+      newcap += aMaxGrowth;
     }
 
-    // But make sure there's always enough to satisfy our request.
-    if (newcap < mLength + aDataLen) {
-      newcap = mLength + aDataLen;
+    if (!newcap.isValid()) {
+      return false;
     }
 
-    // Did we overflow?
-    if (newcap < mCapacity) {
-      return false;
+    // But make sure there's always enough to satisfy our request.
+    if (newcap.value() < neededCapacity.value()) {
+      newcap = neededCapacity;
     }
 
-    if (!setCapacity(newcap)) {
+    if (!setCapacity(newcap.value())) {
       return false;
     }
   }
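Review bot: The `if (!newcap.isValid()) { return false; }` check rejects an append whenever the growth heuristic overflows (`newcap *= 2` on a capacity above 2^31, or `newcap += aMaxGrowth` near the limit), even though `neededCapacity` was already validated a few lines earlier and may still be satisfiable; falling back to the validated size instead, `if (!newcap.isValid()) { newcap = neededCapacity; }`, keeps the overflow protection while honoring requests the allocator could still serve — unless refusing buffers that large is intentional, in which case a one-line comment stating so would save the next reader from "fixing" it. For consistency with the new checked arithmetic, the outer condition could also read `if (neededCapacity.value() > mCapacity)` rather than repeating the raw `mLength + aDataLen` sum, so the growth decision and the overflow guard visibly use the same value. The body of `ArrayBufferBuilder::append` (the copy into the grown buffer) continues past the end of this hunk.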
-- 
2.4.3