Bug 1349340 - Don't allocate an unrealistically huge buffer in getting the surface data for DnD. r=nical, a=lizzard
authorCervantes Yu <cyu@mozilla.com>
Fri, 24 Mar 2017 17:40:24 +0800
changeset 379336 6fad55fc79faa030ced318b90bf7b61ef963472c
parent 379335 7b103a5d2f60fcb7839680200c455ff86d6e52aa
child 379337 2894d0fa21c936747c3f2da7a21338411cd3b78b
push id1419
push userjlund@mozilla.com
push dateMon, 10 Apr 2017 20:44:07 +0000
treeherdermozilla-release@5e6801b73ef6 [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersnical, lizzard
bugs1349340
milestone53.0
Bug 1349340 - Don't allocate an unrealistically huge buffer in getting the surface data for DnD. r=nical, a=lizzard
dom/base/nsContentUtils.cpp
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -7977,17 +7977,21 @@ GetSurfaceDataImpl(mozilla::gfx::DataSou
   mozilla::gfx::DataSourceSurface::MappedSurface map;
   if (!aSurface->Map(mozilla::gfx::DataSourceSurface::MapType::READ, &map)) {
     return GetSurfaceDataContext::NullValue();
   }
 
   mozilla::gfx::IntSize size = aSurface->GetSize();
   mozilla::CheckedInt32 requiredBytes =
     mozilla::CheckedInt32(map.mStride) * mozilla::CheckedInt32(size.height);
-  size_t maxBufLen = requiredBytes.isValid() ? requiredBytes.value() : 0;
+  if (!requiredBytes.isValid()) {
+    return GetSurfaceDataContext::NullValue();
+  }
+
+  size_t maxBufLen = requiredBytes.value();
   mozilla::gfx::SurfaceFormat format = aSurface->GetFormat();
 
   // Surface data handling is totally nuts. This is the magic one needs to
   // know to access the data.
   size_t bufLen = maxBufLen - map.mStride + (size.width * BytesPerPixel(format));
 
   // nsDependentCString wants null-terminated string.
   typename GetSurfaceDataContext::ReturnType surfaceData = aContext.Allocate(maxBufLen + 1);