From 5b108e652d31cf3d800a97dbc8d1df524841a73c Mon Sep 17 00:00:00 2001
From: Valentin Gosu <valentin.gosu@gmail.com>
Date: Tue, 5 Jun 2018 16:37:34 +0200
Subject: Sanity-check in nsStandardURL::Deserialize(). r=mayhemer, a=RyanVM

Also add test for faulty nsStandardURL deserialization.

See Bug 1392739.
---
 netwerk/base/nsStandardURL.cpp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'netwerk/base/nsStandardURL.cpp')

diff --git a/netwerk/base/nsStandardURL.cpp b/netwerk/base/nsStandardURL.cpp
index e2a290e4dc..dff4ecbc03 100644
--- a/netwerk/base/nsStandardURL.cpp
+++ b/netwerk/base/nsStandardURL.cpp
@@ -3455,8 +3455,10 @@ FromIPCSegment(const nsACString& aSpec, const ipc::StandardURLSegment& aSegment,
         return false;
     }
 
+    CheckedInt<uint32_t> segmentLen = aSegment.position();
+    segmentLen += aSegment.length();
     // Make sure the segment does not extend beyond the spec.
-    if (NS_WARN_IF(aSegment.position() + aSegment.length() > aSpec.Length())) {
+    if (NS_WARN_IF(!segmentLen.isValid() || segmentLen.value() > aSpec.Length())) {
         return false;
     }
 
-- 
cgit v1.2.3