Bug 1168207. Be a bit more careful with overflow checking in XHR. r=baku a=lizzard
authorBoris Zbarsky <bzbarsky@mit.edu>
Mon, 01 Jun 2015 16:59:26 -0700
changeset 201200 6d8096018db64d32e2117705ee0a516c9f20ef49
parent 201199 c836d179c4ba231a4f2ad8cb5ff71dcf99ab6e50
child 201201 088d28723fcd1b04ce933316c03422b2561bac17
push id276
push userkwierso@gmail.com
push dateTue, 02 Jun 2015 00:00:00 +0000
reviewersbaku, lizzard
bugs1168207
milestone31.7.0
Bug 1168207. Be a bit more careful with overflow checking in XHR. r=baku a=lizzard
content/base/src/nsXMLHttpRequest.cpp
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -2,16 +2,17 @@
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsXMLHttpRequest.h"
 
 #include "mozilla/ArrayUtils.h"
+#include "mozilla/CheckedInt.h"
 #include "mozilla/dom/XMLHttpRequestUploadBinding.h"
 #include "mozilla/EventDispatcher.h"
 #include "mozilla/EventListenerManager.h"
 #include "mozilla/MemoryReporting.h"
 #include "nsDOMBlobBuilder.h"
 #include "nsIDOMDocument.h"
 #include "nsIDOMProgressEvent.h"
 #include "nsIJARChannel.h"
@@ -3892,36 +3893,40 @@ ArrayBufferBuilder::setCapacity(uint32_t
 
   return true;
 }
 
 bool
 ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
                            uint32_t aMaxGrowth)
 {
+  CheckedUint32 neededCapacity = mLength;
+  neededCapacity += aDataLen;
+  if (!neededCapacity.isValid()) {
+    return false;
+  }
   if (mLength + aDataLen > mCapacity) {
-    uint32_t newcap;
+    CheckedUint32 newcap = mCapacity;
     // Double while under aMaxGrowth or if not specified.
     if (!aMaxGrowth || mCapacity < aMaxGrowth) {
-      newcap = mCapacity * 2;
+      newcap *= 2;
     } else {
-      newcap = mCapacity + aMaxGrowth;
+      newcap += aMaxGrowth;
+    }
+
+    if (!newcap.isValid()) {
+      return false;
     }
 
     // But make sure there's always enough to satisfy our request.
-    if (newcap < mLength + aDataLen) {
-      newcap = mLength + aDataLen;
+    if (newcap.value() < neededCapacity.value()) {
+      newcap = neededCapacity;
     }
 
-    // Did we overflow?
-    if (newcap < mCapacity) {
-      return false;
-    }
-
-    if (!setCapacity(newcap)) {
+    if (!setCapacity(newcap.value())) {
       return false;
     }
   }
 
   // Assert that the region isn't overlapping so we can memcpy.
   MOZ_ASSERT(!areOverlappingRegions(aNewData, aDataLen, mDataPtr + mLength,
                                     aDataLen));