Bug 1392739 - Use CheckedInt in nsStandardURL::Deserialize(). r=mayhemer
authorValentin Gosu <valentin.gosu@gmail.com>
Mon, 04 Jun 2018 13:57:51 +0200
changeset 421175 5c47f8a1bad20a61a1ec699cc6508e21f39a7a98
parent 421174 9ea974e9f568ec4ef151702c35333d850c38ab5d
child 421176 f72ceb91e620b9b95806132fe9ca3687fab49b68
push id34089
push userdluca@mozilla.com
push dateMon, 04 Jun 2018 18:11:55 +0000
treeherdermozilla-central@d8f180ab7492 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersmayhemer
bugs1392739
milestone62.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1392739 - Use CheckedInt in nsStandardURL::Deserialize(). r=mayhemer
netwerk/base/nsStandardURL.cpp
--- a/netwerk/base/nsStandardURL.cpp
+++ b/netwerk/base/nsStandardURL.cpp
@@ -22,17 +22,16 @@
 #include "mozilla/ipc/URIUtils.h"
 #include "mozilla/TextUtils.h"
 #include <algorithm>
 #include "nsContentUtils.h"
 #include "prprf.h"
 #include "nsReadableUtils.h"
 #include "mozilla/net/MozURL_ffi.h"
 
-
 //
 // setenv MOZ_LOG nsStandardURL:5
 //
 static LazyLogModule gStandardURLLog("nsStandardURL");
 
 // The Chromium code defines its own LOG macro which we don't want
 #undef LOG
 #define LOG(args)     MOZ_LOG(gStandardURLLog, LogLevel::Debug, args)
@@ -3488,18 +3487,20 @@ FromIPCSegment(const nsACString& aSpec, 
         return true;
     }
 
     // A value of -1 means an empty segment, but < -1 is undefined.
     if (NS_WARN_IF(aSegment.length() < -1)) {
         return false;
     }
 
+    CheckedInt<uint32_t> segmentLen = aSegment.position();
+    segmentLen += aSegment.length();
     // Make sure the segment does not extend beyond the spec.
-    if (NS_WARN_IF(aSegment.position() + aSegment.length() > aSpec.Length())) {
+    if (NS_WARN_IF(!segmentLen.isValid() || segmentLen.value() > aSpec.Length())) {
         return false;
     }
 
     aTarget.mPos = aSegment.position();
     aTarget.mLen = aSegment.length();
 
     return true;
 }