Bug 914374 - Fix buffer overflow in BCJ_X86_filter when the given buffer is too small. r=nfroyd
author: Mike Hommey <mh+mozilla@glandium.org>
date: Wed, 11 Sep 2013 08:15:39 +0900
changeset: 146394 5e8290749d6079fd9bff462d9c37fde9704f60af
parent: 146393 ccd82434a1fc51e077910da392a81b4cba2a1cfb
child: 146395 c38b60b9063e0c8d9121e9793ab669f20c260cd8
push id: 25259
push user: mh@glandium.org
push date: Tue, 10 Sep 2013 23:17:07 +0000
reviewers: nfroyd
bugs: 914374
milestone: 26.0a1
mozglue/linker/SeekableZStream.cpp
--- a/mozglue/linker/SeekableZStream.cpp
+++ b/mozglue/linker/SeekableZStream.cpp
@@ -175,17 +175,17 @@ BCJ_X86_filter(off_t offset, SeekableZSt
     { true, true, true, false, true, false, false, false };
 
   static const uint32_t MASK_TO_BIT_NUMBER[8] =
     { 0, 1, 2, 2, 3, 3, 3, 3 };
 
   uint32_t prev_mask = 0;
   uint32_t prev_pos = 0;
 
-  for (size_t i = 0; i <= size - 5;) {
+  for (size_t i = 0; i + 5 <= size;) {
     uint8_t b = buf[i];
     if (b != 0xe8 && b != 0xe9) {
       ++i;
       continue;
     }
 
     const uint32_t off = offset + (uint32_t)(i) - prev_pos;
     prev_pos = offset + (uint32_t)(i);
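Review bot: the rewritten loop condition `i + 5 <= size` is the correct fix, but the hunk would benefit from a one-line comment at the `for` explaining why, since `i <= size - 5` reads as equivalent and is likely to be reintroduced. With `size` being a `size_t`, the old `size - 5` underflows to `SIZE_MAX` whenever the buffer holds fewer than 5 bytes, so the loop entered and `buf[i]` was read past the end of the buffer; the new form cannot wrap because `i` never exceeds `size` (every increment happens only while `i + 5 <= size`), so `i + 5` stays well within range of `size_t`. Suggested comment above the loop: `// i + 5 <= size rather than i <= size - 5: the latter underflows for size < 5.` The visible context (`prev_mask`, `prev_pos`, the `0xe8`/`0xe9` opcode test and the five-byte window) is the standard x86 BCJ call/jump filter, so the new condition also preserves the intended behaviour of leaving the final four bytes of the buffer unfiltered.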