Bug 990794 - Crash on ovrfl in AllocateAudioBlock. r=roc, a=sledru
authorKarl Tomlinson <karlt+@karlt.net>
Thu, 03 Apr 2014 21:12:54 +1300
changeset 191577 56d760bc26ac773cd4a55bba73029d19d932fa72
parent 191576 500c93ec076adc11364cc8730b71f0026e6221c6
child 191578 5cc3fa9d6e68e86f98822e6661e010dab56d7acd
push id3503
push userraliiev@mozilla.com
push dateMon, 28 Apr 2014 18:51:11 +0000
treeherdermozilla-beta@c95ac01e332e [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersroc, sledru
bugs990794
milestone30.0a2
Bug 990794 - Crash on ovrfl in AllocateAudioBlock. r=roc, a=sledru
content/media/AudioNodeEngine.cpp
--- a/content/media/AudioNodeEngine.cpp
+++ b/content/media/AudioNodeEngine.cpp
@@ -10,20 +10,25 @@
 #include "AudioNodeEngineNEON.h"
 #endif
 
 namespace mozilla {
 
 void
 AllocateAudioBlock(uint32_t aChannelCount, AudioChunk* aChunk)
 {
+  CheckedInt<size_t> size = WEBAUDIO_BLOCK_SIZE;
+  size *= aChannelCount;
+  size *= sizeof(float);
+  if (!size.isValid()) {
+    MOZ_CRASH();
+  }
   // XXX for SIMD purposes we should do something here to make sure the
   // channel buffers are 16-byte aligned.
-  nsRefPtr<SharedBuffer> buffer =
-    SharedBuffer::Create(WEBAUDIO_BLOCK_SIZE*aChannelCount*sizeof(float));
+  nsRefPtr<SharedBuffer> buffer = SharedBuffer::Create(size.value());
   aChunk->mDuration = WEBAUDIO_BLOCK_SIZE;
   aChunk->mChannelData.SetLength(aChannelCount);
   float* data = static_cast<float*>(buffer->Data());
   for (uint32_t i = 0; i < aChannelCount; ++i) {
     aChunk->mChannelData[i] = data + i*WEBAUDIO_BLOCK_SIZE;
   }
   aChunk->mBuffer = buffer.forget();
   aChunk->mVolume = 1.0f;