Bug 990794 - Crash on ovrfl in SharedBuffer::Create(). r=roc, a=sledru
authorKarl Tomlinson <karlt+@karlt.net>
Thu, 03 Apr 2014 21:12:29 +1300
changeset 183649 51a84afe085d
parent 183648 ea5b3027bb42
child 183650 004a7c15d761
reviewersroc, sledru
bugs990794
milestone29.0
Bug 990794 - Crash on ovrfl in SharedBuffer::Create(). r=roc, a=sledru
content/media/SharedBuffer.h
--- a/content/media/SharedBuffer.h
+++ b/content/media/SharedBuffer.h
@@ -1,16 +1,17 @@
 /* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this file,
  * You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #ifndef MOZILLA_SHAREDBUFFER_H_
 #define MOZILLA_SHAREDBUFFER_H_
 
+#include "mozilla/CheckedInt.h"
 #include "mozilla/mozalloc.h"
 #include "nsCOMPtr.h"
 #include "nsAutoPtr.h"
 
 namespace mozilla {
 
 /**
  * Base class for objects with a thread-safe refcount and a virtual
@@ -31,17 +32,22 @@ public:
  * is divisible by 4.
  */
 class SharedBuffer : public ThreadSharedObject {
 public:
   void* Data() { return this + 1; }
 
   static already_AddRefed<SharedBuffer> Create(size_t aSize)
   {
-    void* m = moz_xmalloc(sizeof(SharedBuffer) + aSize);
+    CheckedInt<size_t> size = sizeof(SharedBuffer);
+    size += aSize;
+    if (!size.isValid()) {
+      MOZ_CRASH();
+    }
+    void* m = moz_xmalloc(size.value());
     nsRefPtr<SharedBuffer> p = new (m) SharedBuffer();
     NS_ASSERTION((reinterpret_cast<char*>(p.get() + 1) - reinterpret_cast<char*>(p.get())) % 4 == 0,
                  "SharedBuffers should be at least 4-byte aligned");
     return p.forget();
   }
 
   size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const {
     return aMallocSizeOf(this);
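Review bot: The new guard at `if (!size.isValid()) { MOZ_CRASH(); }` does not say why a deliberate crash is the right outcome, and that reasoning is exactly what a later maintainer is likely to "fix" by returning null. Without the check, an aSize close to SIZE_MAX makes `sizeof(SharedBuffer) + aSize` wrap to a small allocation, and any caller that then writes aSize bytes through `Data()` (which is `this + 1`, so the payload sits directly after the object) overruns the heap; since moz_xmalloc is infallible and callers do not null-check the result, aborting is the only safe behaviour here. I would add above the check: `// Abort rather than let the size wrap: a wrapped allocation is smaller than aSize, and callers write aSize bytes into Data().` Separately, the alignment check below it is an NS_ASSERTION and so only runs in debug builds; because it reduces to `sizeof(SharedBuffer) % 4 == 0`, it could presumably be a compile-time assertion, though that line predates this change. Create() is complete within this hunk.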