Bug 1509685 - Add more bounds checking in nsMsgDBView::UpdateDisplayMessage() to avoid crashes. r=alta88
authorJorg K <jorgk@jorgk.com>
Tue, 27 Nov 2018 21:11:03 +0100
changeset 33788 35f0ac2f08163a9ffeadf5de6bb7c14be5ea6353
parent 33787 fab70cf9e35485946adfc8a507210a6f837c64e0
child 33789 096fefc1934f9102b2b00d9ca75632898e4191b6
push id388
push userclokep@gmail.com
push dateMon, 28 Jan 2019 20:54:56 +0000
reviewersalta88
bugs1509685
Bug 1509685 - Add more bounds checking in nsMsgDBView::UpdateDisplayMessage() to avoid crashes. r=alta88
mailnews/base/src/nsMsgDBView.cpp
--- a/mailnews/base/src/nsMsgDBView.cpp
+++ b/mailnews/base/src/nsMsgDBView.cpp
@@ -1166,28 +1166,32 @@ nsMsgDBView::UpdateDisplayMessage(nsMsgV
   // Get the subject and the folder for the message and inform the front
   // end that we changed the message we are currently displaying.
   nsresult rv;
   nsCOMPtr <nsIMsgDBHdr> msgHdr;
   rv = GetMsgHdrForViewIndex(viewPosition, getter_AddRefs(msgHdr));
   NS_ENSURE_SUCCESS(rv,rv);
 
   nsString subject;
+  if (viewPosition >= (nsMsgViewIndex)m_flags.Length())
+    return NS_MSG_INVALID_DBVIEW_INDEX;
   FetchSubject(msgHdr, m_flags[viewPosition], subject);
 
   nsCString keywords;
   rv = msgHdr->GetStringProperty("keywords", getter_Copies(keywords));
   NS_ENSURE_SUCCESS(rv,rv);
 
   nsCOMPtr<nsIMsgFolder> folder = m_viewFolder ? m_viewFolder : m_folder;
 
   mCommandUpdater->DisplayMessageChanged(folder, subject, keywords);
 
   if (folder)
   {
+    if (viewPosition >= (nsMsgViewIndex)m_keys.Length())
+      return NS_MSG_INVALID_DBVIEW_INDEX;
     rv = folder->SetLastMessageLoaded(m_keys[viewPosition]);
     NS_ENSURE_SUCCESS(rv,rv);
   }
 
   return NS_OK;
 }
 
 // Given a msg key, we will load the message for it.