Bug 1170809 - Improve the buffer size check in nsXMLHttpRequest::AppendToResponseText. r=ehsan, a=abillings
☠☠ backed out by 0c9c9cb75c06 ☠ ☠
authorAndrea Marchesini <amarchesini@mozilla.com>
Wed, 10 Jun 2015 09:25:14 -0400
changeset 275000 bae7437861e7e747d0edafe98d7e0f81e0b0ecd0
parent 274999 b71e1e1d26ce4863337a0bfde13c309f5ff9f5dd
child 275001 58d4afb8473a4a56abfc097bff63949fb1f2a2bd
push id863
push userraliiev@mozilla.com
push dateMon, 03 Aug 2015 13:22:43 +0000
treeherdermozilla-release@f6321b14228d [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersehsan, abillings
bugs1170809
milestone40.0a2
Bug 1170809 - Improve the buffer size check in nsXMLHttpRequest::AppendToResponseText. r=ehsan, a=abillings
dom/base/nsXMLHttpRequest.cpp
--- a/dom/base/nsXMLHttpRequest.cpp
+++ b/dom/base/nsXMLHttpRequest.cpp
@@ -669,38 +669,47 @@ nsXMLHttpRequest::AppendToResponseText(c
 {
   NS_ENSURE_STATE(mDecoder);
 
   int32_t destBufferLen;
   nsresult rv = mDecoder->GetMaxLength(aSrcBuffer, aSrcBufferLen,
                                        &destBufferLen);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible)) {
+  CheckedInt32 neededCapacity = destBufferLen;
+  neededCapacity += mResponseText.Length();
+
+  if (neededCapacity.isValid()) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  if (!mResponseText.SetCapacity(neededCapacity.value(), fallible)) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
 
-  int32_t totalChars = mResponseText.Length();
+  CheckedInt32 totalChars = mResponseText.Length();
 
   // This code here is basically a copy of a similar thing in
   // nsScanner::Append(const char* aBuffer, uint32_t aLen).
   int32_t srclen = (int32_t)aSrcBufferLen;
   int32_t destlen = (int32_t)destBufferLen;
   rv = mDecoder->Convert(aSrcBuffer,
                          &srclen,
                          destBuffer,
                          &destlen);
   MOZ_ASSERT(NS_SUCCEEDED(rv));
 
   totalChars += destlen;
-
-  mResponseText.SetLength(totalChars);
-
+  if (!totalChars.isValid()) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  mResponseText.SetLength(totalChars.value());
   return NS_OK;
 }
 
 /* readonly attribute AString responseText; */
 NS_IMETHODIMP
 nsXMLHttpRequest::GetResponseText(nsAString& aResponseText)
 {
   ErrorResult rv;