Bug 1440926 - Use overflow-checking math when computing Big5 max length. r=emk, a=RyanVM

MozReview-Commit-ID: 1Gney5cYyhu

2 files changed, 26 insertions, 7 deletions

diff --git a/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp b/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp
index 8dbf84a147..b07df3d76e 100644
--- a/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp
+++ b/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp
@@ -152,7 +152,17 @@ nsBIG5ToUnicode::GetMaxLength(const char* aSrc,
 {
   // The length of the output in UTF-16 code units never exceeds the length
   // of the input in bytes.
-  *aDestLength = aSrcLength + (mPendingTrail ? 1 : 0) + (mBig5Lead ? 1 : 0);
+  mozilla::CheckedInt32 length = aSrcLength;
+  if (mPendingTrail) {
+    length += 1;
+  }
+  if (mBig5Lead) {
+    length += 1;
+  }
+  if (!length.isValid()) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+  *aDestLength = length.value();
   return NS_OK;
 }
 
diff --git a/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp b/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp
index c3c9658dfb..b30be2f9b9 100644
--- a/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp
+++ b/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp
@@ -211,12 +211,21 @@ nsUnicodeToBIG5::GetMaxLength(const char16_t* aSrc,
                               int32_t aSrcLength,
                               int32_t* aDestLength)
 {
-  *aDestLength = (aSrcLength * 2) +
-                 (mPendingTrail ? 1 : 0) +
-                 // If the lead ends up being paired, the bytes produced
-                 // are already included above.
-                 // If not, it produces a single '?'.
-                 (mUtf16Lead ? 1 : 0);
+  mozilla::CheckedInt32 length = aSrcLength;
+  length *= 2;
+  if (mPendingTrail) {
+    length += 1;
+  }
+  // If the lead ends up being paired, the bytes produced
+  // are already included above.
+  // If not, it produces a single '?'.
+  if (mUtf16Lead) {
+    length += 1;
+  }
+  if (!length.isValid()) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+  *aDestLength = length.value();
   return NS_OK;
 }