Bug 1485943 - Avoid writing past the logical length of a string in AlternateServices.cpp. r=dragana
authorHenri Sivonen <hsivonen@hsivonen.fi>
Wed, 29 Aug 2018 08:39:42 +0000
changeset 491515 79ff858fea6bdff2ae0d7d1fa8c7fd98c0895f0f
parent 491514 75b8ac536f30108bcefb6ffa139a1b57bc43f878
child 491516 f10df314fc4df9312555af4cc0c6fd7bb32a3b76
push id1815
push userffxbld-merge
push dateMon, 15 Oct 2018 10:40:45 +0000
reviewersdragana
bugs1485943
milestone63.0a1
Bug 1485943 - Avoid writing past the logical length of a string in AlternateServices.cpp. r=dragana MozReview-Commit-ID: 4xPYaAbGaEI Differential Revision: https://phabricator.services.mozilla.com/D4512
netwerk/protocol/http/AlternateServices.cpp
--- a/netwerk/protocol/http/AlternateServices.cpp
+++ b/netwerk/protocol/http/AlternateServices.cpp
@@ -764,23 +764,28 @@ TransactionObserver::OnStartRequest(nsIR
   return NS_OK;
 }
 
 NS_IMETHODIMP
 TransactionObserver::OnDataAvailable(nsIRequest *aRequest, nsISupports *aContext,
                                      nsIInputStream *aStream, uint64_t aOffset, uint32_t aCount)
 {
   MOZ_ASSERT(NS_IsMainThread());
-  uint64_t newLen = aCount + mWKResponse.Length();
+  uint32_t oldLen = mWKResponse.Length();
+  uint64_t newLen = aCount + oldLen;
   if (newLen < MAX_WK) {
-    char *startByte =  reinterpret_cast<char *>(mWKResponse.BeginWriting()) + mWKResponse.Length();
+    nsresult rv;
+    auto handle = mWKResponse.BulkWrite(newLen, oldLen, false, rv);
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
     uint32_t amtRead;
-    if (NS_SUCCEEDED(aStream->Read(startByte, aCount, &amtRead))) {
-      MOZ_ASSERT(mWKResponse.Length() + amtRead < MAX_WK);
-      mWKResponse.SetLength(mWKResponse.Length() + amtRead);
+    if (NS_SUCCEEDED(aStream->Read(handle.Elements() + oldLen, aCount, &amtRead))) {
+      MOZ_ASSERT(oldLen + amtRead <= newLen);
+      handle.Finish(oldLen + amtRead, false);
       LOG(("TransactionObserver onDataAvailable %p read %d of .wk [%d]\n",
            this, amtRead, mWKResponse.Length()));
     } else {
       LOG(("TransactionObserver onDataAvailable %p read error\n", this));
     }
   }
   return NS_OK;
 }
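Review bot: `uint64_t newLen = aCount + oldLen;` still adds two `uint32_t` values, so the sum is computed in 32 bits and can wrap before it is widened. A wrapped `newLen` would pass the `newLen < MAX_WK` check and size the `BulkWrite` buffer smaller than the `aCount` bytes that `aStream->Read` is then allowed to write. Widening one operand first closes that: `uint64_t newLen = static_cast<uint64_t>(aCount) + oldLen;`. Separately, the read-error branch lets `handle` go out of scope without `Finish`, so the contents of `mWKResponse` afterwards are decided by the handle's destructor and are presumably not the `oldLen` bytes accumulated so far. A short comment stating the intended state, or an explicit `handle.Finish(oldLen, false);` in that branch, would make the outcome deliberate.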