Bug 1456975 - Check fields in nsMozIconURI deserialization. r=agaynor, a=RyanVM
authorValentin Gosu <valentin.gosu@gmail.com>
Wed, 02 May 2018 14:53:13 +0200
changeset 473500 d31a2ab994fd49bf2641540ee38354c183f5ab9b
parent 473499 5a428c9953abbbac43fb43a9c4e424630a760dee
child 473501 267ac0403602e61866090391cac76bfe89becea1
push id1728
push userjlund@mozilla.com
push dateMon, 18 Jun 2018 21:12:27 +0000
treeherdermozilla-release@c296fde26f5f [default view] [failures only]
perfherder[talos] [build metrics] [platform microbench] (compared to previous push)
reviewersagaynor, RyanVM
bugs1456975
milestone61.0
Bug 1456975 - Check fields in nsMozIconURI deserialization. r=agaynor, a=RyanVM
image/decoders/icon/nsIconURI.cpp
--- a/image/decoders/icon/nsIconURI.cpp
+++ b/image/decoders/icon/nsIconURI.cpp
@@ -710,17 +710,27 @@ nsMozIconURI::Deserialize(const URIParam
       return false;
     }
   }
 
   mSize = params.size();
   mContentType = params.contentType();
   mFileName = params.fileName();
   mStockIcon = params.stockIcon();
+
+  if (params.iconSize() < -1 ||
+      params.iconSize() >= (int32_t) ArrayLength(kSizeStrings)) {
+    return false;
+  }
   mIconSize = params.iconSize();
+
+  if (params.iconState() < -1 ||
+      params.iconState() >= (int32_t) ArrayLength(kStateStrings)) {
+    return false;
+  }
   mIconState = params.iconState();
 
   return true;
 }
 
 NS_IMETHODIMP
 nsMozIconURI::GetInnerURI(nsIURI** aURI)
 {