Bug 1188234, part 3 - Make allocation of nsXULPrototypeAttribute fallible in nsXULPrototypeElement::Deserialize(). r=smaug
authorAndrew McCreight <continuation@gmail.com>
Tue, 04 Aug 2015 13:06:14 -0700
changeset 287845 e7f9116e94682165128c28196d8775be0718032c
parent 287844 36ee2ada09b9d7fa81610162de3bcbdbf75b435f
child 287846 04ae99b066a1b3eea9b89abf56e6cb5965808c31
push id5067
push userraliiev@mozilla.com
push dateMon, 21 Sep 2015 14:04:52 +0000
treeherdermozilla-beta@14221ffe5b2f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewerssmaug
bugs1188234
milestone42.0a1
first release with
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
last release without
nightly linux32
nightly linux64
nightly mac
nightly win32
nightly win64
Bug 1188234, part 3 - Make allocation of nsXULPrototypeAttribute fallible in nsXULPrototypeElement::Deserialize(). r=smaug If we read out a bogus value of |mNumAttributes|, it could be extremely large, causing the allocation of |mAttributes| to fail.
dom/xul/nsXULElement.cpp
--- a/dom/xul/nsXULElement.cpp
+++ b/dom/xul/nsXULElement.cpp
@@ -2315,17 +2315,17 @@ nsXULPrototypeElement::Deserialize(nsIOb
     nsresult tmp = aStream->Read32(&number);
     if (NS_FAILED(tmp)) {
       rv = tmp;
     }
     mNumAttributes = int32_t(number);
 
     uint32_t i;
     if (mNumAttributes > 0) {
-        mAttributes = new nsXULPrototypeAttribute[mNumAttributes];
+        mAttributes = new (fallible) nsXULPrototypeAttribute[mNumAttributes];
         if (! mAttributes)
             return NS_ERROR_OUT_OF_MEMORY;
 
         nsAutoString attributeValue;
         for (i = 0; i < mNumAttributes; ++i) {
             tmp = aStream->Read32(&number);
             if (NS_FAILED(tmp)) {
               rv = tmp;