Fix for
bug 554255 (Limit resource use to something sane). r=sicking, sr=jst.
--- a/content/xslt/src/xslt/txNodeSorter.cpp
+++ b/content/xslt/src/xslt/txNodeSorter.cpp
@@ -173,17 +173,25 @@ txNodeSorter::sortNodeSet(txNodeSet* aNo
txNodeSetContext* evalContext = new txNodeSetContext(aNodes, aEs);
NS_ENSURE_TRUE(evalContext, NS_ERROR_OUT_OF_MEMORY);
rv = aEs->pushEvalContext(evalContext);
NS_ENSURE_SUCCESS(rv, rv);
// Create and set up memoryblock for sort-values and indexarray
PRUint32 len = static_cast<PRUint32>(aNodes->size());
- void* mem = PR_Malloc(len * (sizeof(PRUint32) + mNKeys * sizeof(TxObject*)));
+
+ // Limit resource use to something sane.
+ PRUint32 itemSize = sizeof(PRUint32) + mNKeys * sizeof(TxObject*);
+ if (mNKeys > (PR_UINT32_MAX - sizeof(PRUint32)) / sizeof(TxObject*) ||
+ len >= PR_UINT32_MAX / itemSize) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ void* mem = PR_Malloc(len * itemSize);
NS_ENSURE_TRUE(mem, NS_ERROR_OUT_OF_MEMORY);
PRUint32* indexes = static_cast<PRUint32*>(mem);
TxObject** sortValues = reinterpret_cast<TxObject**>(indexes + len);
PRUint32 i;
for (i = 0; i < len; ++i) {
indexes[i] = i;
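Review bot: `itemSize` is computed at the top of the added block before `mNKeys` has been range-checked, so for a very large `mNKeys` it may already have wrapped or been truncated to 32 bits. The guard is still correct, but only because `||` short-circuits and the `len >= PR_UINT32_MAX / itemSize` operand is never evaluated in that case. I would state this in place of the generic "Limit resource use" comment, e.g. `// Reject key/node counts where len * itemSize would wrap PRUint32; an undersized block would be overrun by the index and sort-value writes below.`, or compute `itemSize` only after the `mNKeys` check has passed. The new `return` also sits after `aEs->pushEvalContext(evalContext)` has succeeded. The existing `NS_ENSURE_TRUE(mem, ...)` exits the same way, so cleanup is presumably left to the execution state, but the function starts and ends outside the hunk and that cannot be confirmed from here.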