From ac9e93e5e60f54ec58c6b9ad4f09b696bce148e5 Mon Sep 17 00:00:00 2001
From: Moonchild <moonchild@palemoon.org>
Date: Sun, 3 Jul 2022 15:38:40 +0000
Subject: [XPCOM] Crash safely when TArray replacements are OOB.

In the unlikely event of TArray element replacement calls are OOB, crash safely
with a debug breakpoint instead of corrupting memory.
---
 xpcom/glue/nsTArray.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/xpcom/glue/nsTArray.h b/xpcom/glue/nsTArray.h
index 22d6ab7b39..03913a3765 100644
--- a/xpcom/glue/nsTArray.h
+++ b/xpcom/glue/nsTArray.h
@@ -2018,6 +2018,12 @@ auto
 nsTArray_Impl<E, Alloc>::ReplaceElementsAt(index_type aStart, size_type aCount,
                                            const Item* aArray, size_type aArrayLen) -> elem_type*
 {
+  if (MOZ_UNLIKELY(aStart > Length())) {
+    InvalidArrayIndex_CRASH(aStart, Length());
+  }
+  if (MOZ_UNLIKELY(aCount > Length() - aStart)) {
+    InvalidArrayIndex_CRASH(aStart + aCount, Length());
+  }
   // Adjust memory allocation up-front to catch errors.
   if (!ActualAlloc::Successful(this->template EnsureCapacity<ActualAlloc>(
         Length() + aArrayLen - aCount, sizeof(elem_type)))) {
-- 
cgit v1.2.3