Bug 1499366 - Part 1: Check shift while reading uint32. r=Yoric
author Tooru Fujisawa <arai_a@mac.com>
Tue, 16 Oct 2018 23:11:56 +0900
changeset 497245 bca5f70008c94e9a74c2d8d7272c10edcfa9c404
parent 497217 237c50cb98bca9418e4c2e157371d0bd335b481c
child 497246 c96e54bae30c098a4b10a42721bf58295a1409f7
push id 9996
push user archaeopteryx@coole-files.de
push date Thu, 18 Oct 2018 18:37:15 +0000
treeherder mozilla-beta@8efe26839243
reviewers Yoric
bugs 1499366
milestone 64.0a1
js/src/frontend/BinTokenReaderMultipart.cpp
--- a/js/src/frontend/BinTokenReaderMultipart.cpp
+++ b/js/src/frontend/BinTokenReaderMultipart.cpp
@@ -491,16 +491,20 @@ BinTokenReaderMultipart::readInternalUin
         }
 
         result = newResult;
         shift += 7;
 
         if ((byte & 1) == 0) {
             return result;
         }
+
+        if (shift >= 32) {
+            return raiseError("Overflow during readInternalUint32");
+        }
     }
 }
 
 
 BinTokenReaderMultipart::AutoTaggedTuple::AutoTaggedTuple(BinTokenReaderMultipart& reader)
     : AutoBase(reader)
 { }
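
Review bot: the new shift >= 32 check at the bottom of the loop has no comment explaining the bound, and it is not obvious from the hunk why 32 is compared against a counter that advances by 7. Assuming shift starts at 0, it only takes the values 7, 14, 21, 28, 35 at this point, so the check first fires at 35, that is, when a fifth byte still has its continuation bit ((byte & 1) != 0) set. A one-line comment saying that a uint32 spans at most five 7-bit groups, and that the check stops the next iteration from shifting by 32 or more, would make the intent clear. Placing it after the early return is right, since a value that terminates on its fifth byte must still be accepted, but that ordering deserves a mention in the comment too. A regression test feeding five consecutive bytes with the low bit set would pin the behaviour down if this series does not already include one.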