diff options
| author | Moonchild <moonchild@palemoon.org> | 2022-07-03 15:38:40 +0000 |
|---|---|---|
| committer | Moonchild <moonchild@palemoon.org> | 2022-07-03 15:38:40 +0000 |
| commit | ac9e93e5e60f54ec58c6b9ad4f09b696bce148e5 (patch) | |
| tree | 18dbff91ba66b4186e28560342861a11dfe3a5d9 | |
| parent | 2485e982f3743822dd249d8f36e3591d8c7d517b (diff) | |
| download | uxp-ac9e93e5e60f54ec58c6b9ad4f09b696bce148e5.tar.gz | |
[XPCOM] Crash safely when TArray replacements are OOB.
In the unlikely event of TArray element replacement calls are OOB, crash safely
with a debug breakpoint instead of corrupting memory.
| -rw-r--r-- | xpcom/glue/nsTArray.h | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/xpcom/glue/nsTArray.h b/xpcom/glue/nsTArray.h index 22d6ab7b39..03913a3765 100644 --- a/xpcom/glue/nsTArray.h +++ b/xpcom/glue/nsTArray.h @@ -2018,6 +2018,12 @@ auto nsTArray_Impl<E, Alloc>::ReplaceElementsAt(index_type aStart, size_type aCount, const Item* aArray, size_type aArrayLen) -> elem_type* { + if (MOZ_UNLIKELY(aStart > Length())) { + InvalidArrayIndex_CRASH(aStart, Length()); + } + if (MOZ_UNLIKELY(aCount > Length() - aStart)) { + InvalidArrayIndex_CRASH(aStart + aCount, Length()); + } // Adjust memory allocation up-front to catch errors. if (!ActualAlloc::Successful(this->template EnsureCapacity<ActualAlloc>( Length() + aArrayLen - aCount, sizeof(elem_type)))) { |