Bug 1170809 - Improve the buffer size check in nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings
authorAndrea Marchesini <amarchesini@mozilla.com>
Tue, 23 Jun 2015 10:47:38 -0400
changeset 201238 7707a37fe47782de41e8a3efbd0822f3a17dcee8
parent 201237 e9d051380cfa6e134b029c079f2269430dcd5769
child 201239 c81c5e3eca8c6b049e6e38fcb5ed8c93285391a8
child 201241 036b844a4d01ec7622bcbe2ec5867a745bfe7a7d
push id294
push userryanvm@gmail.com
push dateWed, 24 Jun 2015 05:25:38 +0000
treeherdermozilla-esr31@7707a37fe477 [default view] [failures only]
reviewersehsan, bz, abillings
bugs1170809
milestone31.7.0
Bug 1170809 - Improve the buffer size check in nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings
content/base/src/nsXMLHttpRequest.cpp
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -650,38 +650,45 @@ nsXMLHttpRequest::AppendToResponseText(c
 {
   NS_ENSURE_STATE(mDecoder);
 
   int32_t destBufferLen;
   nsresult rv = mDecoder->GetMaxLength(aSrcBuffer, aSrcBufferLen,
                                        &destBufferLen);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible_t())) {
+  uint32_t size = mResponseText.Length() + destBufferLen;
+  if (size < (uint32_t)destBufferLen) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  if (!mResponseText.SetCapacity(size, fallible_t())) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
 
-  int32_t totalChars = mResponseText.Length();
+  CheckedInt32 totalChars = mResponseText.Length();
 
   // This code here is basically a copy of a similar thing in
   // nsScanner::Append(const char* aBuffer, uint32_t aLen).
   int32_t srclen = (int32_t)aSrcBufferLen;
   int32_t destlen = (int32_t)destBufferLen;
   rv = mDecoder->Convert(aSrcBuffer,
                          &srclen,
                          destBuffer,
                          &destlen);
   MOZ_ASSERT(NS_SUCCEEDED(rv));
 
   totalChars += destlen;
-
-  mResponseText.SetLength(totalChars);
-
+  if (!totalChars.isValid()) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  mResponseText.SetLength(totalChars.value());
   return NS_OK;
 }
 
 /* readonly attribute AString responseText; */
 NS_IMETHODIMP
 nsXMLHttpRequest::GetResponseText(nsAString& aResponseText)
 {
   ErrorResult rv;
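Review bot: The new capacity check `if (size < (uint32_t)destBufferLen)` is a hand-rolled unsigned wrap test on a signed `int32_t`, so a negative `destBufferLen` from `GetMaxLength` is cast to a huge unsigned value and not rejected as such. When `mResponseText.Length()` is 0 it passes the comparison and is caught only by the fallible `SetCapacity`. Since the same hunk already switches `totalChars` to `CheckedInt32`, the first check could use the same helper, which should also flag an out-of-range operand: `CheckedUint32 size = mResponseText.Length(); size += destBufferLen;` followed by `if (!size.isValid()) { return NS_ERROR_OUT_OF_MEMORY; }`. Separately, `MOZ_ASSERT(NS_SUCCEEDED(rv))` is presumably debug-only, so in release builds `destlen` feeds `SetLength` without `rv` being checked; a short comment explaining why `Convert` cannot fail here would help. The function's signature lies outside the hunk.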