Bug 887420 - Do not read off the end of the transfer map, r=Waldo
authorSteve Fink <sfink@mozilla.com>
Wed, 17 Jul 2013 15:12:19 -0700
changeset 139350 641e812ba1addca43e1862db13239ee99acff647
parent 139349 3b7d3727478a7a2b93224d0f136e630d55ce365a
child 139351 fcd125af48819ee961c512eab9a41c69b4153133
push id24988
push useremorley@mozilla.com
push dateMon, 22 Jul 2013 13:46:20 +0000
reviewersWaldo
bugs887420
milestone25.0a1
Bug 887420 - Do not read off the end of the transfer map, r=Waldo
js/src/jsclone.cpp
--- a/js/src/jsclone.cpp
+++ b/js/src/jsclone.cpp
@@ -129,16 +129,22 @@ js::ClearStructuredClone(const uint64_t 
     if (tag == SCTAG_TRANSFER_MAP_HEADER) {
         if ((TransferableMapHeader)uint32_t(u) == SCTAG_TM_NOT_MARKED) {
             while (point != end) {
                 uint64_t u = LittleEndian::readUint64(point++);
                 uint32_t tag = uint32_t(u >> 32);
                 if (tag == SCTAG_TRANSFER_MAP) {
                     u = LittleEndian::readUint64(point++);
                     js_free(reinterpret_cast<void*>(u));
+                } else {
+                    // The only things in the transfer map should be
+                    // SCTAG_TRANSFER_MAP tags paired with pointers. If we find
+                    // any other tag, we've walked off the end of the transfer
+                    // map.
+                    break;
                 }
             }
         }
     }
 
     js_free((void *)data);
     return true;
 }
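Review bot: The loop can still read one word past `end` when the buffer ends on a SCTAG_TRANSFER_MAP tag: the second `LittleEndian::readUint64(point++)` that fetches the pointer has no bound check of its own, and the added `else { break; }` only stops the walk on a foreign tag. Whether the writer guarantees every tag is followed by its pointer is not visible here, so if it does not, guarding the pointer read, e.g. `if (tag == SCTAG_TRANSFER_MAP && point != end) {`, would close that case; if it does, a comment stating that invariant above the read would make the omission deliberate rather than accidental. As a point of style, the inner `u` and `tag` declared inside the `while` shadow the outer `u` and `tag` tested at the top of the hunk, which makes the flow harder to follow than distinct names would. js::ClearStructuredClone begins before this hunk.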