Bug 1287266 - Integer overflow check in WebSocketChannel::ProcessInput, r=mcmanus
authorMichal Novotny <michal.novotny@gmail.com>
Wed, 20 Jul 2016 17:15:32 +0200
changeset 305853 311e127edfff
parent 305852 f90a9f8af37c
child 305854 3158fb3b7e23
push id79682
push usermnovotny@mozilla.com
push dateWed, 20 Jul 2016 15:15:39 +0000
reviewersmcmanus
bugs1287266
milestone50.0a1
Bug 1287266 - Integer overflow check in WebSocketChannel::ProcessInput, r=mcmanus
netwerk/protocol/websocket/WebSocketChannel.cpp
--- a/netwerk/protocol/websocket/WebSocketChannel.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannel.cpp
@@ -1564,19 +1564,23 @@ WebSocketChannel::ProcessInput(uint8_t *
     }
 
     payload = mFramePtr + framingLength;
     avail -= framingLength;
 
     LOG(("WebSocketChannel::ProcessInput: payload %lld avail %lu\n",
          payloadLength64, avail));
 
-    if (payloadLength64 + mFragmentAccumulator > mMaxMessageSize) {
+    CheckedInt<int64_t> payloadLengthChecked(payloadLength64);
+    payloadLengthChecked += mFragmentAccumulator;
+    if (!payloadLengthChecked.isValid() || payloadLengthChecked.value() >
+        mMaxMessageSize) {
       return NS_ERROR_FILE_TOO_BIG;
     }
+
     uint32_t payloadLength = static_cast<uint32_t>(payloadLength64);
 
     if (avail < payloadLength)
       break;
 
     LOG(("WebSocketChannel::ProcessInput: Frame accumulated - opcode %d\n",
          opcode));
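Review bot: The `static_cast<uint32_t>(payloadLength64)` that follows the new check is still only safe under two conditions this hunk does not show: payloadLength64 is non-negative at this point, and mMaxMessageSize fits in 32 bits. CheckedInt catches wrap-around of the addition, but a negative 64-bit length would produce a valid sum below the limit and then be truncated by the cast. If the length parsing earlier in ProcessInput (outside this hunk) already rejects a length with the top bit set, a short comment here would record that, e.g. `// payloadLength64 is known to be >= 0 here; the limit check bounds it to 32 bits`. Otherwise the guard should cover it directly by starting the condition with `payloadLength64 < 0 ||`. As a minor style point, the condition reads more easily if the line breaks after `||` so that `payloadLengthChecked.value() > mMaxMessageSize` stays on one line.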