b=920987 check for ovrflw in addition r=ehsan
authorKarl Tomlinson <karlt+@karlt.net>
Sat, 28 Sep 2013 12:11:26 +1200
changeset 149121 d976524b87747f4935cc47fbaa38b23f8c1b4645
parent 149120 79cba73c77ba2acc2c6fdc955db2d5529c2f43f9
child 149122 840d3d8c39a0a8d4184c2e2cbb7fcfcc7c352f73
push id25374
push usercbook@mozilla.com
push dateSun, 29 Sep 2013 09:37:16 +0000
treeherdermozilla-central@8f805d3ef377 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersehsan
bugs920987
milestone27.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
b=920987 check for ovrflw in addition r=ehsan
content/media/webaudio/AudioBuffer.cpp
--- a/content/media/webaudio/AudioBuffer.cpp
+++ b/content/media/webaudio/AudioBuffer.cpp
@@ -6,16 +6,17 @@
 
 #include "AudioBuffer.h"
 #include "mozilla/dom/AudioBufferBinding.h"
 #include "jsfriendapi.h"
 #include "mozilla/ErrorResult.h"
 #include "AudioSegment.h"
 #include "AudioChannelFormat.h"
 #include "mozilla/PodOperations.h"
+#include "mozilla/CheckedInt.h"
 #include "AudioNodeEngine.h"
 
 namespace mozilla {
 namespace dom {
 
 NS_IMPL_CYCLE_COLLECTION_CLASS(AudioBuffer)
 
 NS_IMPL_CYCLE_COLLECTION_UNLINK_BEGIN(AudioBuffer)
@@ -108,18 +109,20 @@ AudioBuffer::RestoreJSChannelData(JSCont
   return true;
 }
 
 void
 AudioBuffer::CopyFromChannel(const Float32Array& aDestination, uint32_t aChannelNumber,
                              uint32_t aStartInChannel, ErrorResult& aRv)
 {
   uint32_t length = aDestination.Length();
+  CheckedInt<uint32_t> end = aStartInChannel;
+  end += length;
   if (aChannelNumber >= NumberOfChannels() ||
-      aStartInChannel + length >= mLength) {
+      !end.isValid() || end.value() >= mLength) {
     aRv.Throw(NS_ERROR_DOM_INDEX_SIZE_ERR);
     return;
   }
 
   if (!mSharedChannels && JS_GetTypedArrayLength(mJSChannels[aChannelNumber]) != mLength) {
     // The array was probably neutered
     aRv.Throw(NS_ERROR_DOM_INDEX_SIZE_ERR);
     return;
@@ -132,18 +135,20 @@ AudioBuffer::CopyFromChannel(const Float
 }
 
 void
 AudioBuffer::CopyToChannel(JSContext* aJSContext, const Float32Array& aSource,
                            uint32_t aChannelNumber, uint32_t aStartInChannel,
                            ErrorResult& aRv)
 {
   uint32_t length = aSource.Length();
+  CheckedInt<uint32_t> end = aStartInChannel;
+  end += length;
   if (aChannelNumber >= NumberOfChannels() ||
-      aStartInChannel + length >= mLength) {
+      !end.isValid() || end.value() >= mLength) {
     aRv.Throw(NS_ERROR_DOM_INDEX_SIZE_ERR);
     return;
   }
 
   if (!mSharedChannels && JS_GetTypedArrayLength(mJSChannels[aChannelNumber]) != mLength) {
     // The array was probably neutered
     aRv.Throw(NS_ERROR_DOM_INDEX_SIZE_ERR);
     return;