summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorPale Moon <git-repo@palemoon.org>2018-05-15 23:01:38 +0200
committerPale Moon <git-repo@palemoon.org>2018-05-15 23:01:38 +0200
commit62022a2f0728920ef85fffe5149d2a4b64296ad1 (patch)
treeb3352b759c72fe8057a2d0b7913d5c1e6c42912e
parente98258a892cf2320b9bc327d65bae6b8e5bf16f5 (diff)
downloadpalemoon-gre-62022a2f0728920ef85fffe5149d2a4b64296ad1.tar.gz
Add sanity checks in nsScriptableUConv.cpp
-rw-r--r--intl/uconv/nsScriptableUConv.cpp16
1 files changed, 14 insertions, 2 deletions
diff --git a/intl/uconv/nsScriptableUConv.cpp b/intl/uconv/nsScriptableUConv.cpp
index 15764c17e..294f7e324 100644
--- a/intl/uconv/nsScriptableUConv.cpp
+++ b/intl/uconv/nsScriptableUConv.cpp
@@ -11,6 +11,7 @@
#include "nsIUnicodeDecoder.h"
#include "nsIUnicodeEncoder.h"
#include "mozilla/dom/EncodingUtils.h"
+#include "mozilla/CheckedInt.h"
using mozilla::dom::EncodingUtils;
@@ -39,7 +40,12 @@ nsScriptableUnicodeConverter::ConvertFromUnicodeWithLength(const nsAString& aSrc
const nsAFlatString& flatSrc = PromiseFlatString(aSrc);
rv = mEncoder->GetMaxLength(flatSrc.get(), inLength, aOutLen);
if (NS_SUCCEEDED(rv)) {
- *_retval = (char*)moz_malloc(*aOutLen+1);
+ mozilla::CheckedInt<int32_t> needed(*aOutLen);
+ needed += 1;
+ if (!needed.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ *_retval = (char*)moz_malloc(needed.value());
if (!*_retval)
return NS_ERROR_OUT_OF_MEMORY;
@@ -151,7 +157,13 @@ nsScriptableUnicodeConverter::ConvertFromByteArray(const uint8_t* aData,
inLength, &outLength);
if (NS_SUCCEEDED(rv))
{
- char16_t* buf = (char16_t*)moz_malloc((outLength+1)*sizeof(char16_t));
+ mozilla::CheckedInt<nsACString::size_type> needed(outLength);
+ needed += 1;
+ needed *= sizeof(char16_t);
+ if (!needed.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ char16_t* buf = (char16_t*)moz_malloc(needed.value());
if (!buf)
return NS_ERROR_OUT_OF_MEMORY;