Bug 1424261, r=valentin
authorGijs Kruitbosch <gijskruitbosch@gmail.com>
Tue, 12 Dec 2017 10:53:50 -0600
changeset 396930 dc198f688d39013ec8fb15d831e02f7e9f0f1505
parent 396929 236ad715d7548c2a0ac400aeadc12627885e764b
child 396931 03ef90764d7a475cf103fcdc970ad76e336937c2
push id33117
push userebalazs@mozilla.com
push dateWed, 20 Dec 2017 09:47:43 +0000
treeherdermozilla-central@a235bf4868ab [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersvalentin
bugs1424261
milestone59.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1424261, r=valentin
image/decoders/icon/nsIconURI.cpp
--- a/image/decoders/icon/nsIconURI.cpp
+++ b/image/decoders/icon/nsIconURI.cpp
@@ -213,17 +213,20 @@ nsMozIconURI::SetSpec(const nsACString& 
   mContentType.Truncate();
   mFileName.Truncate();
   mStockIcon.Truncate();
   mIconSize = -1;
   mIconState = -1;
 
   nsAutoCString iconSpec(aSpec);
   if (!Substring(iconSpec, 0,
-                 MOZICON_SCHEME_LEN).EqualsLiteral(MOZICON_SCHEME)) {
+                 MOZICON_SCHEME_LEN).EqualsLiteral(MOZICON_SCHEME) ||
+      (!Substring(iconSpec, MOZICON_SCHEME_LEN, 7).EqualsLiteral("file://") &&
+       // Checking for the leading '//' will match both the '//stock/' and '//.foo' cases:
+       !Substring(iconSpec, MOZICON_SCHEME_LEN, 2).EqualsLiteral("//"))) {
     return NS_ERROR_MALFORMED_URI;
   }
 
   int32_t questionMarkPos = iconSpec.Find("?");
   if (questionMarkPos != -1 &&
       static_cast<int32_t>(iconSpec.Length()) > (questionMarkPos + 1)) {
     extractAttributeValue(iconSpec.get(), "contentType=", mContentType);
 
@@ -293,16 +296,21 @@ nsMozIconURI::SetSpec(const nsACString& 
   nsresult rv;
   nsCOMPtr<nsIIOService> ioService(do_GetService(NS_IOSERVICE_CONTRACTID, &rv));
   NS_ENSURE_SUCCESS(rv, rv);
 
   nsCOMPtr<nsIURI> uri;
   ioService->NewURI(iconPath, nullptr, nullptr, getter_AddRefs(uri));
   mIconURL = do_QueryInterface(uri);
   if (mIconURL) {
+    // The inner URI should be a 'file:' one. If not, bail.
+    bool isFile = false;
+    if (!NS_SUCCEEDED(mIconURL->SchemeIs("file", &isFile)) || !isFile) {
+      return NS_ERROR_MALFORMED_URI;
+    }
     mFileName.Truncate();
   } else if (mFileName.IsEmpty()) {
     return NS_ERROR_MALFORMED_URI;
   }
 
   return NS_OK;
 }