summaryrefslogtreecommitdiff
path: root/image
diff options
context:
space:
mode:
authorMoonchild <moonchild@palemoon.org>2020-07-09 11:22:40 +0000
committerMoonchild <moonchild@palemoon.org>2020-07-09 11:22:40 +0000
commit64be1dc3291b4335f4496a9f57c856c5c192947d (patch)
tree87a8020404bea42ef2a95e98c5cbcec81cf53248 /image
parent7cebdd7815b3953fbb76e0e38fab5dc856f5fb48 (diff)
downloaduxp-64be1dc3291b4335f4496a9f57c856c5c192947d.tar.gz
[image] Add a sanity check to JPEG encoder buffer handling, just in case.
Diffstat (limited to 'image')
-rw-r--r--image/encoders/jpeg/nsJPEGEncoder.cpp11
1 files changed, 8 insertions, 3 deletions
diff --git a/image/encoders/jpeg/nsJPEGEncoder.cpp b/image/encoders/jpeg/nsJPEGEncoder.cpp
index 04cfef07b2..e5835c295f 100644
--- a/image/encoders/jpeg/nsJPEGEncoder.cpp
+++ b/image/encoders/jpeg/nsJPEGEncoder.cpp
@@ -8,6 +8,7 @@
#include "nsString.h"
#include "nsStreamUtils.h"
#include "gfxColor.h"
+#include "mozilla/CheckedInt.h"
#include <setjmp.h>
#include "jerror.h"
@@ -430,10 +431,14 @@ nsJPEGEncoder::emptyOutputBuffer(jpeg_compress_struct* cinfo)
that->mImageBufferUsed = that->mImageBufferSize;
// expand buffer, just double size each time
- that->mImageBufferSize *= 2;
+ uint8_t* newBuf = nullptr;
+ CheckedInt<uint32_t> bufSize =
+ CheckedInt<uint32_t>(that->mImageBufferSize) * 2;
+ if (bufSize.isValid()) {
+ that->mImageBufferSize = bufSize.value();
+ newBuf = (uint8_t*)realloc(that->mImageBuffer, that->mImageBufferSize);
+ }
- uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer,
- that->mImageBufferSize);
if (!newBuf) {
// can't resize, just zero (this will keep us from writing more)
free(that->mImageBuffer);
generated by cgit v1.2.3 (git 2.26.2) at 2024-11-10 05:27:47 +0000