Bug 1170809 - Improve the buffer size check in nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings
authorAndrea Marchesini <amarchesini@mozilla.com>
Tue, 23 Jun 2015 10:47:38 -0400
changeset 253640 281ed9edce03b8f4407c05129510dd612a345738
parent 253639 4ae44083194b260a5af86679a2bff5cfef34ba04
child 253641 470f4457f01d17cec6b558daf862c15d13c1d063
push id4828
push userryanvm@gmail.com
push dateWed, 24 Jun 2015 20:57:41 +0000
treeherdermozilla-esr52@1e9835314fe8 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersehsan, bz, abillings
bugs1170809
milestone39.0
Bug 1170809 - Improve the buffer size check in nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings
dom/base/nsXMLHttpRequest.cpp
--- a/dom/base/nsXMLHttpRequest.cpp
+++ b/dom/base/nsXMLHttpRequest.cpp
@@ -669,38 +669,45 @@ nsXMLHttpRequest::AppendToResponseText(c
 {
   NS_ENSURE_STATE(mDecoder);
 
   int32_t destBufferLen;
   nsresult rv = mDecoder->GetMaxLength(aSrcBuffer, aSrcBufferLen,
                                        &destBufferLen);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible)) {
+  uint32_t size = mResponseText.Length() + destBufferLen;
+  if (size < (uint32_t)destBufferLen) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  if (!mResponseText.SetCapacity(size, fallible)) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
 
-  int32_t totalChars = mResponseText.Length();
+  CheckedInt32 totalChars = mResponseText.Length();
 
   // This code here is basically a copy of a similar thing in
   // nsScanner::Append(const char* aBuffer, uint32_t aLen).
   int32_t srclen = (int32_t)aSrcBufferLen;
   int32_t destlen = (int32_t)destBufferLen;
   rv = mDecoder->Convert(aSrcBuffer,
                          &srclen,
                          destBuffer,
                          &destlen);
   MOZ_ASSERT(NS_SUCCEEDED(rv));
 
   totalChars += destlen;
-
-  mResponseText.SetLength(totalChars);
-
+  if (!totalChars.isValid()) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  mResponseText.SetLength(totalChars.value());
   return NS_OK;
 }
 
 /* readonly attribute AString responseText; */
 NS_IMETHODIMP
 nsXMLHttpRequest::GetResponseText(nsAString& aResponseText)
 {
   ErrorResult rv;