diff options
author | Moonchild <moonchild@palemoon.org> | 2020-07-09 11:22:40 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2020-07-09 11:22:40 +0000 |
commit | baec109aa982df4961538fab254072db96726463 (patch) | |
tree | 87a8020404bea42ef2a95e98c5cbcec81cf53248 /image | |
parent | ec869cd4d1e191ee9dbd6ca6c4bc4d181cb42148 (diff) | |
download | aura-central-baec109aa982df4961538fab254072db96726463.tar.gz |
[image] Add a sanity check to JPEG encoder buffer handling, just in case.
Diffstat (limited to 'image')
-rw-r--r-- | image/encoders/jpeg/nsJPEGEncoder.cpp | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/image/encoders/jpeg/nsJPEGEncoder.cpp b/image/encoders/jpeg/nsJPEGEncoder.cpp index 04cfef07b..e5835c295 100644 --- a/image/encoders/jpeg/nsJPEGEncoder.cpp +++ b/image/encoders/jpeg/nsJPEGEncoder.cpp @@ -8,6 +8,7 @@ #include "nsString.h" #include "nsStreamUtils.h" #include "gfxColor.h" +#include "mozilla/CheckedInt.h" #include <setjmp.h> #include "jerror.h" @@ -430,10 +431,14 @@ nsJPEGEncoder::emptyOutputBuffer(jpeg_compress_struct* cinfo) that->mImageBufferUsed = that->mImageBufferSize; // expand buffer, just double size each time - that->mImageBufferSize *= 2; + uint8_t* newBuf = nullptr; + CheckedInt<uint32_t> bufSize = + CheckedInt<uint32_t>(that->mImageBufferSize) * 2; + if (bufSize.isValid()) { + that->mImageBufferSize = bufSize.value(); + newBuf = (uint8_t*)realloc(that->mImageBuffer, that->mImageBufferSize); + } - uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer, - that->mImageBufferSize); if (!newBuf) { // can't resize, just zero (this will keep us from writing more) free(that->mImageBuffer); |