Bug 1287266 - Integer overflow check in WebSocketChannel::ProcessInput, r=mcmanus, a=sylvestre
authorMichal Novotny <michal.novotny@gmail.com>
Wed, 20 Jul 2016 17:15:32 +0200
changeset 312199 bc2f5467b33d
parent 312198 6711ccb0184e
child 312200 10c9453407de
push id213
push userkwierso@gmail.com
push dateMon, 29 Aug 2016 17:22:22 +0000
treeherdermozilla-esr45@fd5052e343df [default view] [failures only]
reviewersmcmanus, sylvestre
bugs1287266
milestone45.3.1
Bug 1287266 - Integer overflow check in WebSocketChannel::ProcessInput, r=mcmanus, a=sylvestre
netwerk/protocol/websocket/WebSocketChannel.cpp
--- a/netwerk/protocol/websocket/WebSocketChannel.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannel.cpp
@@ -1558,19 +1558,23 @@ WebSocketChannel::ProcessInput(uint8_t *
     }
 
     payload = mFramePtr + framingLength;
     avail -= framingLength;
 
     LOG(("WebSocketChannel::ProcessInput: payload %lld avail %lu\n",
          payloadLength64, avail));
 
-    if (payloadLength64 + mFragmentAccumulator > mMaxMessageSize) {
+    CheckedInt<int64_t> payloadLengthChecked(payloadLength64);
+    payloadLengthChecked += mFragmentAccumulator;
+    if (!payloadLengthChecked.isValid() || payloadLengthChecked.value() >
+        mMaxMessageSize) {
       return NS_ERROR_FILE_TOO_BIG;
     }
+
     uint32_t payloadLength = static_cast<uint32_t>(payloadLength64);
 
     if (avail < payloadLength)
       break;
 
     LOG(("WebSocketChannel::ProcessInput: Frame accumulated - opcode %d\n",
          opcode));
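Review bot: The narrowing `static_cast<uint32_t>(payloadLength64)` directly after the new check is only safe if `payloadLength64` is non-negative and `mMaxMessageSize` fits in 32 bits, and the lines in this hunk establish neither. The CheckedInt test bounds the sum from above only, so a negative `payloadLength64` would pass it and then wrap to a large `payloadLength`. ProcessInput starts and ends outside this hunk, so this may already be rejected earlier; if it is not, add `payloadLength64 < 0 ||` to the front of the condition. Either way, a comment above the cast such as `// payloadLength64 is in [0, mMaxMessageSize] here, so the narrowing cast cannot truncate` would record the invariant the cast relies on.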