Bug 1527277 - Part 3: Validate usage of string iterator. r=peterv
authorEric Rahm <erahm@mozilla.com>
Wed, 06 Mar 2019 18:55:54 +0000
changeset 462705 b4fef176bc8fde4e580823740639f51c6e43c58f
parent 462704 7ce2309548dab8af0285f3224cb344640089f59b
child 462706 60142f1fcb4c417e648e11875b4ada3720d5a2e8
push id112326
push userccoroiu@mozilla.com
push dateThu, 07 Mar 2019 04:41:19 +0000
reviewerspeterv
bugs1527277
milestone67.0a1
Bug 1527277 - Part 3: Validate usage of string iterator. r=peterv Differential Revision: https://phabricator.services.mozilla.com/D20580
dom/xslt/xslt/txFormatNumberFunctionCall.cpp
--- a/dom/xslt/xslt/txFormatNumberFunctionCall.cpp
+++ b/dom/xslt/xslt/txFormatNumberFunctionCall.cpp
@@ -270,17 +270,30 @@ nsresult txFormatNumberFunctionCall::eva
                 1 +                            // decimal separator
                 maxFractionSize +              // fractions
                 (intDigits - 1) / groupSize);  // group separators
 
   int32_t i = bufIntDigits + maxFractionSize - 1;
   bool carry = (0 <= i + 1) && (i + 1 < buflen) && (buf[i + 1] >= '5');
   bool hasFraction = false;
 
-  uint32_t resPos = res.Length() - 1;
+  CheckedUint32 resPos = CheckedUint32(res.Length()) - 1;
+
+#define CHECKED_SET_CHAR(c)                                       \
+  if (!resPos.isValid() || !res.SetCharAt(c, resPos--.value())) { \
+    ReportInvalidArg(aContext);                                   \
+    return NS_ERROR_XPATH_INVALID_ARG;                            \
+  }
+
+#define CHECKED_TRUNCATE()             \
+  if (!resPos.isValid()) {             \
+    ReportInvalidArg(aContext);        \
+    return NS_ERROR_XPATH_INVALID_ARG; \
+  }                                    \
+  res.Truncate(resPos--.value());
 
   // Fractions
   for (; i >= bufIntDigits; --i) {
     int digit;
     if (i >= buflen || i < 0) {
       digit = 0;
     } else {
       digit = buf[i] - '0';
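Review bot: The post-decrement inside `CHECKED_SET_CHAR` and `CHECKED_TRUNCATE` leaves `resPos` invalid after a successful write at index 0, and the later carry branch reads `resPos.value() + 1` without an `isValid()` check. With the old `uint32_t` the wrap made `resPos + 1` equal 0, so the carry digit was inserted at the front; reading `.value()` from an invalid CheckedInt is outside its contract, and what it returns there should not be relied on. This looks reachable on ordinary input whenever rounding carries out of the top integer digit and nothing precedes the number in `res` (the code that fills `res` is not visible here, so please confirm). I would compute the position explicitly before the two `Insert` calls, `uint32_t insertPos = resPos.isValid() ? resPos.value() + 1 : 0;`, and pass `insertPos` to both.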
@@ -288,27 +301,27 @@ nsresult txFormatNumberFunctionCall::eva
 
     if (carry) {
       digit = (digit + 1) % 10;
       carry = digit == 0;
     }
 
     if (hasFraction || digit != 0 || i < bufIntDigits + minFractionSize) {
       hasFraction = true;
-      res.SetCharAt((char16_t)(digit + format->mZeroDigit), resPos--);
+      CHECKED_SET_CHAR((char16_t)(digit + format->mZeroDigit));
     } else {
-      res.Truncate(resPos--);
+      CHECKED_TRUNCATE();
     }
   }
 
   // Decimal separator
   if (hasFraction) {
-    res.SetCharAt(format->mDecimalSeparator, resPos--);
+    CHECKED_SET_CHAR(format->mDecimalSeparator);
   } else {
-    res.Truncate(resPos--);
+    CHECKED_TRUNCATE();
   }
 
   // Integer digits
   for (i = 0; i < intDigits; ++i) {
     int digit;
     if (bufIntDigits - i - 1 >= buflen || bufIntDigits - i - 1 < 0) {
       digit = 0;
     } else {
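Review bot: `CHECKED_TRUNCATE()` expands to an `if` block followed by a separate `res.Truncate(...)` statement, so the two call sites in this hunk are only correct because both `else` branches are braced. An unbraced `else CHECKED_TRUNCATE();` would compile and run the truncate unconditionally, and `CHECKED_SET_CHAR(...)` as a bare `if` can capture a following `else`. Wrapping both macro bodies in `do { ... } while (0)` where they are defined earlier in this patch would make them behave as single statements. The enclosing function starts before and continues after this hunk.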
@@ -316,27 +329,30 @@ nsresult txFormatNumberFunctionCall::eva
     }
 
     if (carry) {
       digit = (digit + 1) % 10;
       carry = digit == 0;
     }
 
     if (i != 0 && i % groupSize == 0) {
-      res.SetCharAt(format->mGroupingSeparator, resPos--);
+      CHECKED_SET_CHAR(format->mGroupingSeparator);
     }
 
-    res.SetCharAt((char16_t)(digit + format->mZeroDigit), resPos--);
+    CHECKED_SET_CHAR((char16_t)(digit + format->mZeroDigit));
   }
 
+#undef CHECKED_SET_CHAR
+#undef CHECKED_TRUNCATE
+
   if (carry) {
     if (i % groupSize == 0) {
-      res.Insert(format->mGroupingSeparator, resPos + 1);
+      res.Insert(format->mGroupingSeparator, resPos.value() + 1);
     }
-    res.Insert((char16_t)(1 + format->mZeroDigit), resPos + 1);
+    res.Insert((char16_t)(1 + format->mZeroDigit), resPos.value() + 1);
   }
 
   if (!hasFraction && !intDigits && !carry) {
     // If we havn't added any characters we add a '0'
     // This can only happen for formats like '##.##'
     res.Append(format->mZeroDigit);
   }