Check for integer overflow in AesTask::DoCrypto() (DiD)

After calling mResult.SetLength(mData.Length() + 16) we should check that the integer addition didn't overflow. It seems at the moment impossible to create ArrayBuffers of size >= 0x0xfffffff0, however adding a check here doesn't hurt. mResult.Length() is passed to the PK11 API functions as a maxOut parameter and should be checked by the softoken crypto algorithm implementations. AES-ECB and AES-GCM seem to do that correctly.
author: wolfbeast <mcwerewolf@gmail.com> 2018-01-28 10:25:49 +0100
committer: wolfbeast <mcwerewolf@gmail.com> 2018-02-08 12:53:40 +0100
commit: acbd84f5741451d67e0fbaa3b85fdafc85dab5f9 (patch)
tree: 17539cacb7e8dc90f85bf76e9a8c8bf0653b7d6a
parent: b62fce0dc0c77a5788c331db32b3996e4020e2a5 (diff)
download: uxp-acbd84f5741451d67e0fbaa3b85fdafc85dab5f9.tar.gz
1 files changed, 5 insertions, 0 deletions
diff --git a/dom/crypto/WebCryptoTask.cpp b/dom/crypto/WebCryptoTask.cpp
index 57a7da186c..f5fc7b5bc9 100644
--- a/dom/crypto/WebCryptoTask.cpp
+++ b/dom/crypto/WebCryptoTask.cpp
@@ -716,6 +716,11 @@ private:
       return NS_ERROR_DOM_INVALID_ACCESS_ERR;
     }
 
+    // Check whether the integer addition would overflow.
+    if (std::numeric_limits<CryptoBuffer::size_type>::max() - 16 < mData.Length()) {
+      return NS_ERROR_DOM_DATA_ERR;
+    }
+
     // Initialize the output buffer (enough space for padding / a full tag)
     uint32_t dataLen = mData.Length();
     uint32_t maxLen = dataLen + 16;
author	wolfbeast <mcwerewolf@gmail.com>	2018-01-28 10:25:49 +0100
committer	wolfbeast <mcwerewolf@gmail.com>	2018-02-08 12:53:40 +0100
commit	acbd84f5741451d67e0fbaa3b85fdafc85dab5f9 (patch)
tree	17539cacb7e8dc90f85bf76e9a8c8bf0653b7d6a
parent	b62fce0dc0c77a5788c331db32b3996e4020e2a5 (diff)
download	uxp-acbd84f5741451d67e0fbaa3b85fdafc85dab5f9.tar.gz