authorMoonchild <moonchild@palemoon.org>2021-02-24 09:57:24 +0000
committerMoonchild <moonchild@palemoon.org>2021-02-24 09:57:24 +0000
commit525961c26137ca8a6416b9b2cd6b390593881be1 (patch)
treecbfcdf28587f39f4e7622652d1fb664736cef68f /parser/html/nsHtml5Tokenizer.cpp
parent77d26e8bcd4c9cd94ffbaf4a035342f0d50b3438 (diff)
downloaduxp-525961c26137ca8a6416b9b2cd6b390593881be1.tar.gz
[html parser] Check for integer overflow when computing new buffer sizes.
Diffstat (limited to 'parser/html/nsHtml5Tokenizer.cpp')
-rw-r--r--parser/html/nsHtml5Tokenizer.cpp4
1 files changed, 2 insertions, 2 deletions
diff --git a/parser/html/nsHtml5Tokenizer.cpp b/parser/html/nsHtml5Tokenizer.cpp
index 60285ce8ee..4c6a32f731 100644
--- a/parser/html/nsHtml5Tokenizer.cpp
+++ b/parser/html/nsHtml5Tokenizer.cpp
@@ -1,7 +1,7 @@
/*
* Copyright (c) 2005-2007 Henri Sivonen
* Copyright (c) 2007-2015 Mozilla Foundation
- * Copyright (c) 2018-2020 Moonchild Productions
+ * Copyright (c) 2018-2021 Moonchild Productions
* Copyright (c) 2020 Binary Outcast
* Portions of comments Copyright 2004-2010 Apple Computer, Inc., Mozilla
* Foundation, and Opera Software ASA.
@@ -249,7 +249,7 @@ nsHtml5Tokenizer::emitStrBuf()
void
nsHtml5Tokenizer::appendStrBuf(char16_t* buffer, int32_t offset, int32_t length)
{
- int32_t newLen = strBufLen + length;
+ int32_t newLen = nsHtml5Portability::checkedAdd(strBufLen, length);
MOZ_ASSERT(newLen <= strBuf.length, "Previous buffer length insufficient.");
if (MOZ_UNLIKELY(strBuf.length < newLen)) {
if (MOZ_UNLIKELY(!EnsureBufferSpace(length))) {
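Review bot: The new line `int32_t newLen = nsHtml5Portability::checkedAdd(strBufLen, length);` does not say what happens on overflow, and checkedAdd's definition is not visible in this hunk. The `MOZ_ASSERT` that follows is compiled out of release builds, so there the only guard is `strBuf.length < newLen`, which is sound only if checkedAdd aborts rather than returning a wrapped or sentinel value; once confirmed against the helper, a comment such as `// checkedAdd() aborts on int32_t overflow, so newLen is never a wrapped value.` would record that. An overflow check alone would presumably still accept a negative `length`, so if callers are not guaranteed to pass a non-negative value, `MOZ_ASSERT(length >= 0);` before the addition is worth adding. `EnsureBufferSpace(length)` computes its own size outside this hunk and should be confirmed to use the same checked arithmetic; appendStrBuf's body continues past the hunk.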