Bug 1456975 - Check fields in nsMozIconURI deserialization. r=agaynor
authorValentin Gosu <valentin.gosu@gmail.com>
Wed, 02 May 2018 14:53:13 +0200
changeset 420304 6af9d912eef5f79eda192689ca8414664502cf37
parent 420303 f9b9cf74f59808e4649e958554143b26c02c142a
child 420305 d44967058ffac46e41d09530a2439332b01e0f92
push id34069
push usernerli@mozilla.com
push dateTue, 29 May 2018 21:42:06 +0000
treeherdermozilla-central@89d79c2258be [default view] [failures only]
reviewersagaynor
bugs1456975
milestone62.0a1
Bug 1456975 - Check fields in nsMozIconURI deserialization. r=agaynor
image/decoders/icon/nsIconURI.cpp
--- a/image/decoders/icon/nsIconURI.cpp
+++ b/image/decoders/icon/nsIconURI.cpp
@@ -710,17 +710,27 @@ nsMozIconURI::Deserialize(const URIParam
       return false;
     }
   }
 
   mSize = params.size();
   mContentType = params.contentType();
   mFileName = params.fileName();
   mStockIcon = params.stockIcon();
+
+  if (params.iconSize() < -1 ||
+      params.iconSize() >= (int32_t) ArrayLength(kSizeStrings)) {
+    return false;
+  }
   mIconSize = params.iconSize();
+
+  if (params.iconState() < -1 ||
+      params.iconState() >= (int32_t) ArrayLength(kStateStrings)) {
+    return false;
+  }
   mIconState = params.iconState();
 
   return true;
 }
 
 NS_IMETHODIMP
 nsMozIconURI::GetInnerURI(nsIURI** aURI)
 {
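Review bot: The two range checks sit between the member assignments, so a message that fails the `iconState` test returns false only after `mSize`, `mContentType`, `mFileName`, `mStockIcon` and `mIconSize` have already been overwritten. Moving both checks above `mSize = params.size();` would leave the object unchanged when the input is rejected; whether any caller keeps using the URI after a failed Deserialize is not visible here, and the function begins above this hunk. A one-line comment such as `// -1 means "unset"; any other value is used as an index into kSizeStrings / kStateStrings` would record why these bounds exist (the indexing use is inferred from the array names, so confirm it before committing the wording). As a style point, the C-style cast could be written `static_cast<int32_t>(ArrayLength(kSizeStrings))`, and likewise for `kStateStrings`.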