Bug 914374 - Fix buffer overflow in BCJ_X86_filter when the given buffer is too small. r=nfroyd
authorMike Hommey <mh+mozilla@glandium.org>
Wed, 11 Sep 2013 08:15:39 +0900
changeset 146394 5e8290749d6079fd9bff462d9c37fde9704f60af
parent 146393 ccd82434a1fc51e077910da392a81b4cba2a1cfb
child 146395 c38b60b9063e0c8d9121e9793ab669f20c260cd8
push id1
push userroot
push dateMon, 20 Oct 2014 17:29:22 +0000
reviewersnfroyd
bugs914374
milestone26.0a1
Bug 914374 - Fix buffer overflow in BCJ_X86_filter when the given buffer is too small. r=nfroyd
mozglue/linker/SeekableZStream.cpp
--- a/mozglue/linker/SeekableZStream.cpp
+++ b/mozglue/linker/SeekableZStream.cpp
@@ -175,17 +175,17 @@ BCJ_X86_filter(off_t offset, SeekableZSt
     { true, true, true, false, true, false, false, false };
 
   static const uint32_t MASK_TO_BIT_NUMBER[8] =
     { 0, 1, 2, 2, 3, 3, 3, 3 };
 
   uint32_t prev_mask = 0;
   uint32_t prev_pos = 0;
 
-  for (size_t i = 0; i <= size - 5;) {
+  for (size_t i = 0; i + 5 <= size;) {
     uint8_t b = buf[i];
     if (b != 0xe8 && b != 0xe9) {
       ++i;
       continue;
     }
 
     const uint32_t off = offset + (uint32_t)(i) - prev_pos;
     prev_pos = offset + (uint32_t)(i);
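Review bot: The new loop condition at `for (size_t i = 0; i + 5 <= size;)` is correct, but nothing in the code says why it is written that way, and the old form `i <= size - 5` is the "obvious" one a later maintainer might restore, reintroducing the wrap-around for `size < 5`. I would add a comment above the loop: `// Written as i + 5 <= size, not i <= size - 5: size is unsigned, so the subtraction wraps when size < 5 and the loop would then read past the buffer.` The 5 is presumably the opcode byte plus a 4-byte rel32 operand read further down in the body — confirm and name it (e.g. a `const size_t kInsnLen = 5;`) so the bound and the reads stay in sync. BCJ_X86_filter starts before this hunk and its loop body continues past the last line shown.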