Bug 1473943. Make blob bounds checks safe. r=mstange
authorJeff Muizelaar <jmuizelaar@mozilla.com>
Thu, 23 Aug 2018 19:53:21 +0000
changeset 490916 73ffc23ea21b0b78a5f85fac1f475164a8b2dd8c
parent 490915 2622040931e64baff36decfec3cec21301f02270
child 490917 85cd8690798999c98fde1394b1136af99298132b
push id1815
push userffxbld-merge
push dateMon, 15 Oct 2018 10:40:45 +0000
reviewersmstange
bugs1473943
milestone63.0a1
Bug 1473943. Make blob bounds checks safe. r=mstange Differential Revision: https://phabricator.services.mozilla.com/D4038
gfx/webrender_bindings/Moz2DImageRenderer.cpp
--- a/gfx/webrender_bindings/Moz2DImageRenderer.cpp
+++ b/gfx/webrender_bindings/Moz2DImageRenderer.cpp
@@ -302,18 +302,20 @@ static bool Moz2DRenderCallback(const Ra
       memcpy(&y1, buf + pos + 1 * sizeof(int32_t), sizeof(y1));
       memcpy(&x2, buf + pos + 2 * sizeof(int32_t), sizeof(x2));
       memcpy(&y2, buf + pos + 3 * sizeof(int32_t), sizeof(y2));
       pos += sizeof(int32_t) * 4;
       return IntRectAbsolute(x1, y1, x2, y2);
     }
 
   };
-  //XXX: Make safe
+
+  MOZ_RELEASE_ASSERT(aBlob.length() > sizeof(size_t));
   size_t indexOffset = *(size_t*)(aBlob.end().get()-sizeof(size_t));
+  MOZ_RELEASE_ASSERT(indexOffset + sizeof(size_t) <= aBlob.length());
   Reader reader(aBlob.begin().get()+indexOffset, aBlob.length()-sizeof(size_t)-indexOffset);
 
   bool ret;
   size_t offset = 0;
   auto absBounds = IntRectAbsolute::FromRect(bounds);
   while (reader.pos < reader.len) {
     size_t end = reader.ReadSize();
     size_t extra_end = reader.ReadSize();
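Review bot: The new bounds check on `indexOffset` can still be bypassed by wrap-around: `indexOffset` is read straight out of the blob, and if it is close to `SIZE_MAX` then `indexOffset + sizeof(size_t)` overflows to a small value, the assert passes, and the Reader is constructed from `begin().get()+indexOffset` far outside the buffer. Because the first assert already guarantees `aBlob.length() > sizeof(size_t)`, the subtraction on the other side cannot underflow, so the safe form is `MOZ_RELEASE_ASSERT(indexOffset <= aBlob.length() - sizeof(size_t));`. The `*(size_t*)` dereference on the index-offset line is also an unaligned load of untrusted data, while the rest of this function uses `memcpy` for the same job (the `x1`..`y2` reads at the top of the hunk); `size_t indexOffset; memcpy(&indexOffset, aBlob.end().get() - sizeof(size_t), sizeof(indexOffset));` keeps it consistent and avoids the alignment UB. Whether `Reader::ReadSize` itself verifies `pos + sizeof(size_t) <= len` before each read in the loop is not visible from this hunk and should be confirmed, since the `while (reader.pos < reader.len)` condition alone does not guarantee a full `size_t` remains. `Moz2DRenderCallback` begins before the hunk and the loop body continues after it.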