diff options
| author | Moonchild <moonchild@palemoon.org> | 2022-07-03 15:38:40 +0000 |
|---|---|---|
| committer | Moonchild <moonchild@palemoon.org> | 2022-07-03 15:49:44 +0000 |
| commit | dd4d9eb032bd16eb66182d68dac8719eedf3cfaf (patch) | |
| tree | eef86c44d939475d85ff1e93cfea66d95c4d9e05 | |
| parent | 8b94f1e480f2a3ce372264e2de4870cb1c17ec8e (diff) | |
| download | uxp-RB20220707.tar.gz | |
[XPCOM] Crash safely when TArray replacements are OOB.RB20220707
In the unlikely event of TArray element replacement calls are OOB, crash safely
with a debug breakpoint instead of corrupting memory.
| -rw-r--r-- | xpcom/glue/nsTArray.h | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/xpcom/glue/nsTArray.h b/xpcom/glue/nsTArray.h index 22d6ab7b39..03913a3765 100644 --- a/xpcom/glue/nsTArray.h +++ b/xpcom/glue/nsTArray.h @@ -2018,6 +2018,12 @@ auto nsTArray_Impl<E, Alloc>::ReplaceElementsAt(index_type aStart, size_type aCount, const Item* aArray, size_type aArrayLen) -> elem_type* { + if (MOZ_UNLIKELY(aStart > Length())) { + InvalidArrayIndex_CRASH(aStart, Length()); + } + if (MOZ_UNLIKELY(aCount > Length() - aStart)) { + InvalidArrayIndex_CRASH(aStart + aCount, Length()); + } // Adjust memory allocation up-front to catch errors. if (!ActualAlloc::Successful(this->template EnsureCapacity<ActualAlloc>( Length() + aArrayLen - aCount, sizeof(elem_type)))) { |