Bug 1373371 - Properly convert index in RemoveElementsAt. r=froydnj
authorEric Rahm <erahm@mozilla.com>
Mon, 19 Jun 2017 17:09:54 -0700
changeset 386016 337103b85c025be555c107c7710ebe25d2feb6ed
parent 386015 a4cba1dec3a6460c90f340a6201cead3e33574b3
child 386017 0d50bf107005b01f497f27dacd2975b85aabc461
push id32673
push userarchaeopteryx@coole-files.de
push dateFri, 13 Oct 2017 09:13:17 +0000
treeherdermozilla-central@196dadb2fe50 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersfroydnj
bugs1373371
milestone58.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1373371 - Properly convert index in RemoveElementsAt. r=froydnj MozReview-Commit-ID: 2CRrUmOxA9B
xpcom/ds/nsTArray.h
--- a/xpcom/ds/nsTArray.h
+++ b/xpcom/ds/nsTArray.h
@@ -8,16 +8,17 @@
 #define nsTArray_h__
 
 #include "nsTArrayForwardDeclare.h"
 #include "mozilla/Alignment.h"
 #include "mozilla/ArrayIterator.h"
 #include "mozilla/Assertions.h"
 #include "mozilla/Attributes.h"
 #include "mozilla/BinarySearch.h"
+#include "mozilla/CheckedInt.h"
 #include "mozilla/fallible.h"
 #include "mozilla/MathAlgorithms.h"
 #include "mozilla/MemoryReporting.h"
 #include "mozilla/Move.h"
 #include "mozilla/ReverseIterator.h"
 #include "mozilla/TypeTraits.h"
 #include "mozilla/Span.h"
 
@@ -2048,19 +2049,24 @@ nsTArray_Impl<E, Alloc>::ReplaceElements
   return Elements() + aStart;
 }
 
 template<typename E, class Alloc>
 void
 nsTArray_Impl<E, Alloc>::RemoveElementsAt(index_type aStart, size_type aCount)
 {
   MOZ_ASSERT(aCount == 0 || aStart < Length(), "Invalid aStart index");
-  MOZ_ASSERT(aStart + aCount <= Length(), "Invalid length");
-  // Check that the previous assert didn't overflow
-  MOZ_ASSERT(aStart <= aStart + aCount, "Start index plus length overflows");
+
+  mozilla::CheckedInt<index_type> rangeEnd = aStart;
+  rangeEnd += aCount;
+
+  if (MOZ_UNLIKELY(!rangeEnd.isValid() || rangeEnd.value() > Length())) {
+    InvalidArrayIndex_CRASH(aStart, Length());
+  }
+
   DestructRange(aStart, aCount);
   this->template ShiftData<InfallibleAlloc>(aStart, aCount, 0,
                                             sizeof(elem_type),
                                             MOZ_ALIGNOF(elem_type));
 }
 
 template<typename E, class Alloc>
 template<typename Predicate>