Bug 1287266 - Integer overflow check in WebSocketChannel::ProcessInput, r=mcmanus
authorMichal Novotny <michal.novotny@gmail.com>
Wed, 20 Jul 2016 17:15:32 +0200
changeset 305853 311e127edfff11350cfa5beb2cee1310cd3d1aa7
parent 305852 f90a9f8af37c202842f5d9c5b2928004124ab5e1
child 305854 3158fb3b7e2327a57547b203b20a57e654ccce77
push id79682
push usermnovotny@mozilla.com
push dateWed, 20 Jul 2016 15:15:39 +0000
reviewersmcmanus
bugs1287266
milestone50.0a1
Bug 1287266 - Integer overflow check in WebSocketChannel::ProcessInput, r=mcmanus
netwerk/protocol/websocket/WebSocketChannel.cpp
--- a/netwerk/protocol/websocket/WebSocketChannel.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannel.cpp
@@ -1564,19 +1564,23 @@ WebSocketChannel::ProcessInput(uint8_t *
     }
 
     payload = mFramePtr + framingLength;
     avail -= framingLength;
 
     LOG(("WebSocketChannel::ProcessInput: payload %lld avail %lu\n",
          payloadLength64, avail));
 
-    if (payloadLength64 + mFragmentAccumulator > mMaxMessageSize) {
+    CheckedInt<int64_t> payloadLengthChecked(payloadLength64);
+    payloadLengthChecked += mFragmentAccumulator;
+    if (!payloadLengthChecked.isValid() || payloadLengthChecked.value() >
+        mMaxMessageSize) {
       return NS_ERROR_FILE_TOO_BIG;
     }
+
     uint32_t payloadLength = static_cast<uint32_t>(payloadLength64);
 
     if (avail < payloadLength)
       break;
 
     LOG(("WebSocketChannel::ProcessInput: Frame accumulated - opcode %d\n",
          opcode));
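Review bot: The narrowing `static_cast<uint32_t>(payloadLength64)` right after the new check is only safe if `payloadLength64` is non-negative and `mMaxMessageSize` fits in 32 bits, and neither is established inside this hunk. The `CheckedInt` test catches a wrapped sum, but a negative peer-supplied length would still give a valid sum below the limit and then be truncated into a large `payloadLength`. If no earlier code in `ProcessInput` already rejects that case (the function begins and ends outside the hunk), add the condition to the guard, for example `if (payloadLength64 < 0 || !payloadLengthChecked.isValid() || payloadLengthChecked.value() > mMaxMessageSize) {`. A short comment would also help, such as `// payloadLength64 is taken from the frame header; checked arithmetic keeps the sum with mFragmentAccumulator from wrapping past mMaxMessageSize`. As a matter of style, the condition would read better if the line broke before `||` rather than in the middle of the `>` comparison.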