Bug 709483. Fix off-by-one error in the call to memmove that could cause us to copy memory we didn't own. r=bzbarsky
author: Christian Holler <choller@mozilla.com>
date: Wed, 14 Dec 2011 23:42:15 -0500
changeset: 82613 a3f62505cd16c5f4633bb3a0388ba1ac33e6aa06
parent: 82612 a41a3d8816000594e36b2098a9cba316ea51998c
child: 82614 ba1d8b3a53e493de189974d450fb5c543d7fb27d
push id: 21687
push user: bzbarsky@mozilla.com
push date: Thu, 15 Dec 2011 04:44:47 +0000
reviewers: bzbarsky
bugs: 709483
milestone: 11.0a1
dom/base/nsDOMClassInfo.cpp
--- a/dom/base/nsDOMClassInfo.cpp
+++ b/dom/base/nsDOMClassInfo.cpp
@@ -2219,18 +2219,20 @@ nsDOMClassInfo::RegisterExternalClasses(
     };                                                                        \
                                                                               \
     /* Compact the interface list */                                          \
     size_t count = ArrayLength(interface_list);                               \
     /* count is the number of array entries, which is one greater than the */ \
     /* number of interfaces due to the terminating null */                    \
     for (size_t i = 0; i < count - 1; ++i) {                                  \
       if (!interface_list[i]) {                                               \
+        /* We are moving the element at index i+1 and successors, */          \
+        /* so we must move only count - (i+1) elements total. */              \
         memmove(&interface_list[i], &interface_list[i+1],                     \
-                sizeof(nsIID*) * (count - i));                                \
+                sizeof(nsIID*) * (count - (i+1)));                            \
         /* Make sure to examine the new pointer we ended up with at this */   \
         /* slot, since it may be null too */                                  \
         --i;                                                                  \
         --count;                                                              \
       }                                                                       \
     }                                                                         \
                                                                               \
     d.mInterfaces = interface_list;                                           \
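Review bot: the new length `count - (i+1)` is right (the source range is now indices i+1 through count-1, terminator included, so the copy no longer reads one `nsIID*` past the end of `interface_list` as `count - i` did), but the `--i` on a `size_t` two lines below still relies on unsigned wraparound when `i` is 0; that is well defined, yet since the new comment already explains the index arithmetic, state that there too, or rewrite the loop with separate read and write indices that never go backwards. Also worth a line in the comment: after `--count`, the terminating null sits at `interface_list[count - 1]`, which is exactly what the `i < count - 1` bound assumes on the next iteration.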