Bug 1266578 - OOM crash if malloc fails in ProcessIncomingMessages(). r=billm
authorAndrew McCreight <continuation@gmail.com>
Thu, 21 Apr 2016 15:23:25 -0700
changeset 332263 98b498a402eb0589e394d839ac0bcc59c54a2d60
parent 332262 8b29568cb7e23d313b054d5cfcb02a62d24b504e
child 332264 c550088d726eeaa1b4c0399a8d00f70bfa20e4b9
push id6048
push userkmoir@mozilla.com
push dateMon, 06 Jun 2016 19:02:08 +0000
reviewersbillm
bugs1266578
milestone48.0a1
Bug 1266578 - OOM crash if malloc fails in ProcessIncomingMessages(). r=billm This allocation is for no more than 32kb, so make it infallible rather than try to recover.
ipc/chromium/src/chrome/common/ipc_channel_posix.cc
ipc/chromium/src/chrome/common/ipc_channel_win.cc
--- a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
+++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
@@ -442,17 +442,17 @@ bool Channel::ChannelImpl::ProcessIncomi
 
           // At this point the remaining data is at the front of
           // input_overflow_buf_. p will get fixed up at the end of the
           // loop. Set it to null here to make sure no one uses it.
           p = nullptr;
           overflowp = message_tail = input_overflow_buf_.data();
           end = overflowp + input_overflow_buf_.size();
         } else {
-          buf = (char*)malloc(len);
+          buf = (char*)moz_xmalloc(len);
           memcpy(buf, p, len);
         }
         Message m(buf, len, Message::OWNS);
         if (m.header()->num_fds) {
           // the message has file descriptors
           const char* error = NULL;
           if (m.header()->num_fds > num_fds - fds_i) {
             // the message has been completely received, but we didn't get
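Review bot: The size limit that justifies the infallible allocation at `buf = (char*)moz_xmalloc(len);` is stated only in the commit message; nothing in the hunk documents or enforces it. `len` appears to be derived from incoming message data, so that limit is what keeps a misbehaving peer from turning this line into a deliberate process abort, and a later change that raises it would go unnoticed here. I would add a comment above the call, `// len is at most 32kb here (see bug 1266578), so an infallible allocation is acceptable.`, and consider asserting the bound at the point where `len` is computed, which is outside this hunk. The same applies to the identical line in ipc_channel_win.cc. ProcessIncomingMessages() starts and ends outside both hunks.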
--- a/ipc/chromium/src/chrome/common/ipc_channel_win.cc
+++ b/ipc/chromium/src/chrome/common/ipc_channel_win.cc
@@ -398,17 +398,17 @@ bool Channel::ChannelImpl::ProcessIncomi
 
           // At this point the remaining data is at the front of
           // input_overflow_buf_. p will get fixed up at the end of the
           // loop. Set it to null here to make sure no one uses it.
           p = nullptr;
           message_tail = input_overflow_buf_.data();
           end = message_tail + input_overflow_buf_.size();
         } else {
-          buf = (char*)malloc(len);
+          buf = (char*)moz_xmalloc(len);
           memcpy(buf, p, len);
         }
         Message m(buf, len, Message::OWNS);
 #ifdef IPC_MESSAGE_DEBUG_EXTRA
         DLOG(INFO) << "received message on channel @" << this <<
                       " with type " << m.type();
 #endif
         if (m.routing_id() == MSG_ROUTING_NONE &&