Bug 1258376: Validate DEVMODE data length from PrintData before deserialization. r=jimm
authorBob Owen <bobowencode@gmail.com>
Wed, 06 Apr 2016 10:27:31 +0100
changeset 315691 b0b19497c80c49c7f3fe259faf052fde16acf80c
parent 315690 9f0609cb275d1a0bb2916886e3f5b4c3644d9837
child 315692 5448e34dc116967151f3f6a0271d8ae4a2304796
push id9480
push userjlund@mozilla.com
push dateMon, 25 Apr 2016 17:12:58 +0000
reviewersjimm
bugs1258376
milestone48.0a1
Bug 1258376: Validate DEVMODE data length from PrintData before deserialization. r=jimm
widget/windows/nsPrintOptionsWin.cpp
--- a/widget/windows/nsPrintOptionsWin.cpp
+++ b/widget/windows/nsPrintOptionsWin.cpp
@@ -121,33 +121,37 @@ nsPrintOptionsWin::DeserializeToPrintSet
     psWin->SetDriverName(data.driverName().get());
 
     psWin->SetPrintableWidthInInches(data.printableWidthInInches());
     psWin->SetPrintableHeightInInches(data.printableHeightInInches());
 
     nsXPIDLString printerName;
     settings->GetPrinterName(getter_Copies(printerName));
 
-    DEVMODEW* devModeRaw = (DEVMODEW*)::HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY,
-                                                  data.devModeData().Length());
-    if (!devModeRaw) {
-      return NS_ERROR_OUT_OF_MEMORY;
-    }
-
-    nsAutoDevMode devMode(devModeRaw);
-    devModeRaw = nullptr;
+    if (data.devModeData().IsEmpty()) {
+      psWin->SetDevMode(nullptr);
+    } else {
+      // Check minimum length of DEVMODE data.
+      auto devModeDataLength = data.devModeData().Length();
+      if (devModeDataLength < sizeof(DEVMODEW)) {
+        NS_WARNING("DEVMODE data is too short.");
+        return NS_ERROR_FAILURE;
+      }
 
-    // Seems a bit silly to copy the buffer out, just so that SetDevMode can
-    // copy it again. However, if I attempt to just pass
-    // data.devModeData.Elements() casted to an DEVMODEW* to SetDevMode, I get
-    // a "Conversion loses qualifiers" build-time error because
-    // data.devModeData.Elements() is of type const char *.
-    memcpy(devMode.get(), data.devModeData().Elements(), data.devModeData().Length());
+      DEVMODEW* devMode = reinterpret_cast<DEVMODEW*>(
+        const_cast<uint8_t*>(data.devModeData().Elements()));
 
-    psWin->SetDevMode(devMode); // Copies
+      // Check actual length of DEVMODE data.
+      if ((devMode->dmSize + devMode->dmDriverExtra) != devModeDataLength) {
+        NS_WARNING("DEVMODE length is incorrect.");
+        return NS_ERROR_FAILURE;
+      }
+
+      psWin->SetDevMode(devMode); // Copies
+    }
   }
 
   return NS_OK;
 }
 
 nsresult nsPrintOptionsWin::_CreatePrintSettings(nsIPrintSettings **_retval)
 {
   *_retval = nullptr;
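Review bot: The length check on the `(devMode->dmSize + devMode->dmDriverExtra) != devModeDataLength` line accepts a buffer whose `dmSize` is smaller than `sizeof(DEVMODEW)`, for example `dmSize == 0` with `dmDriverExtra` equal to the whole length, even though the earlier `devModeDataLength < sizeof(DEVMODEW)` check shows the intent is to require a full fixed-size header. Both fields are 16-bit, so the sum itself cannot overflow, but a DEVMODE that declares its fixed part shorter than the struct the code then reads through is still inconsistent with what was just validated, and anything downstream that trusts `dmSize` to locate the driver-extra region would be working from a header the receiver never checked. The condition would be tighter as `if (devMode->dmSize < sizeof(DEVMODEW) || (devMode->dmSize + devMode->dmDriverExtra) != devModeDataLength) {`, keeping the existing warning and `NS_ERROR_FAILURE` return. It is also worth a one-line comment above the `const_cast` noting that it is only sound because `SetDevMode` copies rather than retaining the pointer into the IPC-owned array, since the removed comment that explained the old copy is gone. `DeserializeToPrintSettings` begins outside the hunk.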