Bug 1300140 - Return error when IME attribute array doesn't have valid. r=masayuki
authorMakoto Kato <m_kato@ga2.so-net.ne.jp>
Wed, 14 Sep 2016 11:09:00 +0900
changeset 313847 facf5812faffa05e6037e96c92a5835d12937966
parent 313846 002b4c56b913fcce358c53ee69d70cc777ba5fa4
child 313848 4bdbbae12cb345de1d0dd52759a1824d031c7f91
push id32264
push usercbook@mozilla.com
push dateWed, 14 Sep 2016 10:18:20 +0000
reviewersmasayuki
bugs1300140
milestone51.0a1
Bug 1300140 - Return error when IME attribute array doesn't have valid. r=masayuki MozReview-Commit-ID: 2paKhQNSR11
widget/windows/IMMHandler.cpp
--- a/widget/windows/IMMHandler.cpp
+++ b/widget/windows/IMMHandler.cpp
@@ -1990,16 +1990,22 @@ IMMHandler::DispatchCompositionChangeEve
         MOZ_LOG(gIMMLog, LogLevel::Info,
           ("DispatchCompositionChangeEvent, mClauseArray[%ld]=%lu. "
            "This is larger than mCompositionString.Length()=%lu",
            i + 1, current, mCompositionString.Length()));
         current = int32_t(mCompositionString.Length());
       }
 
       uint32_t length = current - lastOffset;
+      if (NS_WARN_IF(lastOffset >= mAttributeArray.Length())) {
+        MOZ_LOG(gIMMLog, LogLevel::Error,
+          ("DispatchCompositionChangeEvent, FAILED due to invalid data of "
+            "mClauseArray or mAttributeArray"));
+        return;
+      }
       TextRangeType textRangeType =
         PlatformToNSAttr(mAttributeArray[lastOffset]);
       rv = dispatcher->AppendClauseToPendingComposition(length, textRangeType);
       if (NS_WARN_IF(NS_FAILED(rv))) {
         MOZ_LOG(gIMMLog, LogLevel::Error,
           ("DispatchCompositionChangeEvent, FAILED due to"
            "TextEventDispatcher::AppendClauseToPendingComposition() failure"));
         return;
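Review bot: The added guard bounds the index into mAttributeArray, but `uint32_t length = current - lastOffset;` directly above it is still computed unchecked. The visible clamp only covers `current` exceeding `mCompositionString.Length()`, so a clause offset smaller than `lastOffset` would wrap to a very large length that then reaches AppendClauseToPendingComposition(). Since the new log text already treats mClauseArray as possibly invalid, I would widen the condition to `if (NS_WARN_IF(current < lastOffset || lastOffset >= mAttributeArray.Length())) {` and compute `length` only after the guard. The declarations of `current` and `lastOffset` are outside this hunk, so their signedness should be confirmed, and the function and its loop start and end outside the hunk.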