Bug 1362303: Avoid crashes when dragging on macOS due to failed allocations of large shmem segments. r=glandium, a=IanN CLOSED TREE DONTBUILD SEAMONKEY_2_49_ESR_RELBRANCH
authorStephen A Pohl <spohl.mozilla.bugs@gmail.com>
Tue, 06 Mar 2018 13:21:54 -0500
branchSEAMONKEY_2_49_ESR_RELBRANCH
changeset 357523 90c72bd787e34b7adc511e48e523352fda2eedbf
parent 357522 82f1f98a1707f123bbfa4b819608f9bad2d1a77e
child 357524 24913c4cc9684dc88c1418f01c024644c642ebf0
push id7834
push userfrgrahl@gmx.net
push dateSun, 13 Jan 2019 12:17:02 +0000
treeherdermozilla-esr52@6e4ad8a8f2e8 [default view] [failures only]
reviewersglandium, IanN
bugs1362303
milestone52.9.1
Bug 1362303: Avoid crashes when dragging on macOS due to failed allocations of large shmem segments. r=glandium, a=IanN CLOSED TREE DONTBUILD mozilla-esr52 SEAMONKEY_2_49_ESR_RELBRANCH
dom/base/nsContentUtils.cpp
ipc/glue/SharedMemoryBasic_mach.mm
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -7947,16 +7947,17 @@ GetSurfaceDataImpl(mozilla::gfx::DataSou
   if (!aSurface->Map(mozilla::gfx::DataSourceSurface::MapType::READ, &map)) {
     return GetSurfaceDataContext::NullValue();
   }
 
   mozilla::gfx::IntSize size = aSurface->GetSize();
   mozilla::CheckedInt32 requiredBytes =
     mozilla::CheckedInt32(map.mStride) * mozilla::CheckedInt32(size.height);
   if (!requiredBytes.isValid()) {
+    aSurface->Unmap();
     return GetSurfaceDataContext::NullValue();
   }
 
   size_t maxBufLen = requiredBytes.value();
   mozilla::gfx::SurfaceFormat format = aSurface->GetFormat();
 
   // Surface data handling is totally nuts. This is the magic one needs to
   // know to access the data.
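Review bot: Releasing the mapping by hand on each early return is fragile. The added `aSurface->Unmap();` covers the `!requiredBytes.isValid()` branch, but GetSurfaceDataImpl continues outside this hunk and every later exit path has to repeat the same call. A scoped guard, `mozilla::gfx::DataSourceSurface::ScopedMap map(aSurface, mozilla::gfx::DataSourceSurface::MapType::READ);` followed by an `IsMapped()` check, would unmap on every path automatically. Separately, `isValid()` only rules out overflow: if `map.mStride` or `size.height` can ever be negative (not determinable from the lines shown), `requiredBytes.value()` becomes a very large `size_t` in `maxBufLen`. Rejecting `requiredBytes.value() < 0` in the same branch would close that gap.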
--- a/ipc/glue/SharedMemoryBasic_mach.mm
+++ b/ipc/glue/SharedMemoryBasic_mach.mm
@@ -542,19 +542,21 @@ SharedMemoryBasic::Create(size_t size)
   memory_object_size_t memoryObjectSize = round_page(size);
 
   kr = mach_make_memory_entry_64(mach_task_self(),
                                  &memoryObjectSize,
                                  address,
                                  VM_PROT_DEFAULT,
                                  &mPort,
                                  MACH_PORT_NULL);
-  if (kr != KERN_SUCCESS) {
+  if (kr != KERN_SUCCESS || memoryObjectSize < round_page(size)) {
     LOG_ERROR("Failed to make memory entry (%zu bytes). %s (%x)\n",
               size, mach_error_string(kr), kr);
+    CloseHandle();
+    mach_vm_deallocate(mach_task_self(), address, round_page(size));
     return false;
   }
 
   mMemory = toPointer(address);
   Mapped(size);
   return true;
 }
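Review bot: The new `memoryObjectSize < round_page(size)` condition shares the `LOG_ERROR` call with the `kr != KERN_SUCCESS` case, so a short memory entry is logged with the error string for a successful `kr` and without the size that was actually returned. That makes the failure this commit targets hard to recognise in crash or field logs. Including the returned size would help, for example `LOG_ERROR("Failed to make memory entry (%zu bytes, got %llu). %s (%x)\n", size, (unsigned long long)memoryObjectSize, mach_error_string(kr), kr);`. A short comment above the condition, such as `// mach_make_memory_entry_64 may succeed with a smaller entry than requested; treat that as failure.`, would record why the size is re-checked. The result of `mach_vm_deallocate` is also ignored; the allocation of `address` is outside this hunk, so confirm it used the same `round_page(size)` length.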