Bug 1188234, part 2 - Add bounds checking in nsXULPrototypeElement::Deserialize(). r=smaug
authorAndrew McCreight <continuation@gmail.com>
Tue, 04 Aug 2015 13:06:14 -0700
changeset 287844 36ee2ada09b9d7fa81610162de3bcbdbf75b435f
parent 287843 d70f26619ecab349024eec4f743d825d37dcb7e2
child 287845 e7f9116e94682165128c28196d8775be0718032c
push id5067
push userraliiev@mozilla.com
push dateMon, 21 Sep 2015 14:04:52 +0000
reviewerssmaug
bugs1188234
milestone42.0a1
Bug 1188234, part 2 - Add bounds checking in nsXULPrototypeElement::Deserialize(). r=smaug Make sure we don't do an out-of-bounds read if we read out a bogus value.
dom/xul/nsXULElement.cpp
--- a/dom/xul/nsXULElement.cpp
+++ b/dom/xul/nsXULElement.cpp
@@ -2302,17 +2302,17 @@ nsXULPrototypeElement::Deserialize(nsIOb
                                    nsIURI* aDocumentURI,
                                    const nsTArray<nsRefPtr<mozilla::dom::NodeInfo>> *aNodeInfos)
 {
     NS_PRECONDITION(aNodeInfos, "missing nodeinfo array");
 
     // Read Node Info
     uint32_t number = 0;
     nsresult rv = aStream->Read32(&number);
-    mNodeInfo = aNodeInfos->ElementAt(number);
+    mNodeInfo = aNodeInfos->SafeElementAt(number, nullptr);
     if (!mNodeInfo)
         return NS_ERROR_UNEXPECTED;
 
     // Read Attributes
     nsresult tmp = aStream->Read32(&number);
     if (NS_FAILED(tmp)) {
       rv = tmp;
     }
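Review bot: The index from `aStream->Read32(&number)` is used before `rv` is checked, so a failed read still indexes `aNodeInfos` with whatever `number` holds. In this hunk that is its initial value 0; in the attribute loop of the second hunk it is the value left over from the previous read. `SafeElementAt(number, nullptr)` keeps the access in bounds, but the element can still be built from an entry the stream never named. Consider failing early with `if (NS_FAILED(rv)) return rv;` before the lookup here and `if (NS_FAILED(tmp)) return tmp;` before the lookup in the loop. The function body starts and ends outside both hunks, so whether the accumulated `rv` is returned later is not visible here.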
@@ -2325,17 +2325,17 @@ nsXULPrototypeElement::Deserialize(nsIOb
             return NS_ERROR_OUT_OF_MEMORY;
 
         nsAutoString attributeValue;
         for (i = 0; i < mNumAttributes; ++i) {
             tmp = aStream->Read32(&number);
             if (NS_FAILED(tmp)) {
               rv = tmp;
             }
-            mozilla::dom::NodeInfo* ni = aNodeInfos->ElementAt(number);
+            mozilla::dom::NodeInfo* ni = aNodeInfos->SafeElementAt(number, nullptr);
             if (!ni)
                 return NS_ERROR_UNEXPECTED;
 
             mAttributes[i].mName.SetTo(ni);
 
             tmp = aStream->ReadString(attributeValue);
             if (NS_FAILED(tmp)) {
               rv = tmp;