Bug 1287266 - Integer overflow check in WebSocketChannel::ProcessInput, r=mcmanus, a=sylvestre
authorMichal Novotny <michal.novotny@gmail.com>
Wed, 20 Jul 2016 17:15:32 +0200
changeset 325498 99b62d79d2e4
parent 325497 b1b12cb06176
child 325499 8fd80dfc8f7d
push id9818
push usercbook@mozilla.com
push dateFri, 22 Jul 2016 10:21:14 +0000
reviewersmcmanus, sylvestre
bugs1287266
milestone49.0a2
Bug 1287266 - Integer overflow check in WebSocketChannel::ProcessInput, r=mcmanus, a=sylvestre
netwerk/protocol/websocket/WebSocketChannel.cpp
--- a/netwerk/protocol/websocket/WebSocketChannel.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannel.cpp
@@ -1560,19 +1560,23 @@ WebSocketChannel::ProcessInput(uint8_t *
     }
 
     payload = mFramePtr + framingLength;
     avail -= framingLength;
 
     LOG(("WebSocketChannel::ProcessInput: payload %lld avail %lu\n",
          payloadLength64, avail));
 
-    if (payloadLength64 + mFragmentAccumulator > mMaxMessageSize) {
+    CheckedInt<int64_t> payloadLengthChecked(payloadLength64);
+    payloadLengthChecked += mFragmentAccumulator;
+    if (!payloadLengthChecked.isValid() || payloadLengthChecked.value() >
+        mMaxMessageSize) {
       return NS_ERROR_FILE_TOO_BIG;
     }
+
     uint32_t payloadLength = static_cast<uint32_t>(payloadLength64);
 
     if (avail < payloadLength)
       break;
 
     LOG(("WebSocketChannel::ProcessInput: Frame accumulated - opcode %d\n",
          opcode));
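Review bot: The narrowing cast `static_cast<uint32_t>(payloadLength64)` just below the new check is only safe if `payloadLength64` is non-negative, and the added guard does not establish that. The value is logged with `%lld`, so it appears to be signed; a negative length would keep the checked sum small, pass the `> mMaxMessageSize` comparison, and then be truncated into an unrelated `payloadLength`. If ProcessInput already rejects negative lengths before this hunk (the function starts and ends outside it), a short comment at the cast saying so would make the invariant visible; otherwise extend the guard to `if (payloadLength64 < 0 || !payloadLengthChecked.isValid() || payloadLengthChecked.value() > mMaxMessageSize) {`. The cast also assumes `mMaxMessageSize` fits in 32 bits, which cannot be confirmed from these lines.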