Bug 990794 - Crash on ovrfl in AllocateAudioBlock. r=roc, a=sledru
authorKarl Tomlinson <karlt+@karlt.net>
Thu, 03 Apr 2014 21:12:54 +1300
changeset 183650 004a7c15d761
parent 183649 51a84afe085d
child 183651 26f9d2df24af
child 183652 274a8f367ac7
child 183654 71439d266704
push id3434
push userryanvm@gmail.com
push date2014-04-07 16:57 +0000
reviewersroc, sledru
bugs990794
milestone29.0
Bug 990794 - Crash on ovrfl in AllocateAudioBlock. r=roc, a=sledru
content/media/AudioNodeEngine.cpp
--- a/content/media/AudioNodeEngine.cpp
+++ b/content/media/AudioNodeEngine.cpp
@@ -10,20 +10,25 @@
 #include "AudioNodeEngineNEON.h"
 #endif
 
 namespace mozilla {
 
 void
 AllocateAudioBlock(uint32_t aChannelCount, AudioChunk* aChunk)
 {
+  CheckedInt<size_t> size = WEBAUDIO_BLOCK_SIZE;
+  size *= aChannelCount;
+  size *= sizeof(float);
+  if (!size.isValid()) {
+    MOZ_CRASH();
+  }
   // XXX for SIMD purposes we should do something here to make sure the
   // channel buffers are 16-byte aligned.
-  nsRefPtr<SharedBuffer> buffer =
-    SharedBuffer::Create(WEBAUDIO_BLOCK_SIZE*aChannelCount*sizeof(float));
+  nsRefPtr<SharedBuffer> buffer = SharedBuffer::Create(size.value());
   aChunk->mDuration = WEBAUDIO_BLOCK_SIZE;
   aChunk->mChannelData.SetLength(aChannelCount);
   float* data = static_cast<float*>(buffer->Data());
   for (uint32_t i = 0; i < aChannelCount; ++i) {
     aChunk->mChannelData[i] = data + i*WEBAUDIO_BLOCK_SIZE;
   }
   aChunk->mBuffer = buffer.forget();
   aChunk->mVolume = 1.0f;
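Review bot: The per-channel offset in the loop, `data + i*WEBAUDIO_BLOCK_SIZE`, is still computed from a `uint32_t` index, so it is not covered by the new `CheckedInt<size_t>` guard. Where `size_t` is 64 bits the checked size can be valid while that product wraps (assuming WEBAUDIO_BLOCK_SIZE is a 32-bit constant; its declaration is not in this hunk), which would leave several channel pointers aliasing the same region. Widening the index arithmetic keeps it consistent with the checked size: `aChunk->mChannelData[i] = data + static_cast<size_t>(i) * WEBAUDIO_BLOCK_SIZE;`. The check also only covers the payload size passed to `SharedBuffer::Create`; any header size that function adds, and whether it can return null before `buffer->Data()` is called, cannot be seen from here and is worth confirming. A short comment above `MOZ_CRASH()` such as `// aChannelCount can come from content; abort rather than allocate a truncated buffer` would record why a crash is the intended outcome. The function body continues past the end of the hunk.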