Bug 887420 - Do not read off the end of the transfer map. r=Waldo, a=abillings
authorSteve Fink <sfink@mozilla.com>
Wed, 17 Jul 2013 15:12:19 -0700
changeset 143127 65afba378972
parent 143126 5c46eea500a8
child 143128 ee2a5acd8281
child 143130 8b103274f2d1
child 143132 b154fb80409e
push id2663
push userryanvm@gmail.com
push dateMon, 22 Jul 2013 21:30:20 +0000
reviewersWaldo, abillings
bugs887420
milestone23.0
Bug 887420 - Do not read off the end of the transfer map. r=Waldo, a=abillings
js/src/jsclone.cpp
--- a/js/src/jsclone.cpp
+++ b/js/src/jsclone.cpp
@@ -130,16 +130,22 @@ js::ClearStructuredClone(const uint64_t 
     if (tag == SCTAG_TRANSFER_MAP_HEADER) {
         if ((TransferableMapHeader)uint32_t(u) == SCTAG_TM_NOT_MARKED) {
             while (point != end) {
                 uint64_t u = LittleEndian::readUint64(point++);
                 uint32_t tag = uint32_t(u >> 32);
                 if (tag == SCTAG_TRANSFER_MAP) {
                     u = LittleEndian::readUint64(point++);
                     js_free(reinterpret_cast<void*>(u));
+                } else {
+                    // The only things in the transfer map should be
+                    // SCTAG_TRANSFER_MAP tags paired with pointers. If we find
+                    // any other tag, we've walked off the end of the transfer
+                    // map.
+                    break;
                 }
             }
         }
     }
 
     js_free((void *)data);
     return true;
 }
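Review bot: The pointer read that follows a SCTAG_TRANSFER_MAP tag, `u = LittleEndian::readUint64(point++);`, is still unguarded: the loop condition only checks `point != end` before the tag word, so a map whose last word is a SCTAG_TRANSFER_MAP tag with no pointer after it makes that second read go one word past `end` — the new `else { break; }` branch closes the over-read for a foreign tag but not this truncated-pair case. Adding `if (point == end) break;` immediately before the pointer read would cover it; a buffer that has been corrupted or truncated would then stop cleanly instead of freeing whatever word sits past the map. The inner `uint64_t u` and `uint32_t tag` also appear to shadow the outer `u` and `tag` tested at the top of the hunk, which makes the two levels easy to confuse when reading. The enclosing function `js::ClearStructuredClone` starts outside the hunk.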