[XPCOM:Glue] Crash safely when TArray replacements are OOB.

In the unlikely event of TArray element replacement calls are OOB, crash safely with a debug breakpoint instead of corrupting memory.
author: Matt A. Tobin <email@mattatobin.com> 2022-10-05 17:43:48 -0500
committer: Matt A. Tobin <email@mattatobin.com> 2022-10-05 17:43:48 -0500
commit: 875f8916352cda572a764f39eea533e27241796f (patch)
tree: 4414730ebb6d84feafa21fdbca40474a68f68ff6
parent: 7e0d94a048cb7a73af5638f46bdb65794bcc4292 (diff)
download: aura-central-875f8916352cda572a764f39eea533e27241796f.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/xpcom/glue/nsTArray.h b/xpcom/glue/nsTArray.h
index 22d6ab7b3..03913a376 100644
--- a/xpcom/glue/nsTArray.h
+++ b/xpcom/glue/nsTArray.h
@@ -2018,6 +2018,12 @@ auto
 nsTArray_Impl<E, Alloc>::ReplaceElementsAt(index_type aStart, size_type aCount,
                                            const Item* aArray, size_type aArrayLen) -> elem_type*
 {
+  if (MOZ_UNLIKELY(aStart > Length())) {
+    InvalidArrayIndex_CRASH(aStart, Length());
+  }
+  if (MOZ_UNLIKELY(aCount > Length() - aStart)) {
+    InvalidArrayIndex_CRASH(aStart + aCount, Length());
+  }
   // Adjust memory allocation up-front to catch errors.
   if (!ActualAlloc::Successful(this->template EnsureCapacity<ActualAlloc>(
         Length() + aArrayLen - aCount, sizeof(elem_type)))) {
author	Matt A. Tobin <email@mattatobin.com>	2022-10-05 17:43:48 -0500
committer	Matt A. Tobin <email@mattatobin.com>	2022-10-05 17:43:48 -0500
commit	875f8916352cda572a764f39eea533e27241796f (patch)
tree	4414730ebb6d84feafa21fdbca40474a68f68ff6
parent	7e0d94a048cb7a73af5638f46bdb65794bcc4292 (diff)
download	aura-central-875f8916352cda572a764f39eea533e27241796f.tar.gz