From 875f8916352cda572a764f39eea533e27241796f Mon Sep 17 00:00:00 2001
From: "Matt A. Tobin" <email@mattatobin.com>
Date: Wed, 5 Oct 2022 17:43:48 -0500
Subject: [XPCOM:Glue] Crash safely when TArray replacements are OOB.

In the unlikely event of TArray element replacement calls are OOB, crash safely
with a debug breakpoint instead of corrupting memory.
---
 xpcom/glue/nsTArray.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/xpcom/glue/nsTArray.h b/xpcom/glue/nsTArray.h
index 22d6ab7b3..03913a376 100644
--- a/xpcom/glue/nsTArray.h
+++ b/xpcom/glue/nsTArray.h
@@ -2018,6 +2018,12 @@ auto
 nsTArray_Impl<E, Alloc>::ReplaceElementsAt(index_type aStart, size_type aCount,
                                            const Item* aArray, size_type aArrayLen) -> elem_type*
 {
+  if (MOZ_UNLIKELY(aStart > Length())) {
+    InvalidArrayIndex_CRASH(aStart, Length());
+  }
+  if (MOZ_UNLIKELY(aCount > Length() - aStart)) {
+    InvalidArrayIndex_CRASH(aStart + aCount, Length());
+  }
   // Adjust memory allocation up-front to catch errors.
   if (!ActualAlloc::Successful(this->template EnsureCapacity<ActualAlloc>(
         Length() + aArrayLen - aCount, sizeof(elem_type)))) {
-- 
cgit v1.2.3