Bug 1450353. r=tnikkel, a=jcristau
authorAndrew Osmond <aosmond@mozilla.com>
Thu, 11 Jun 2020 23:13:09 +0000
changeset 600867 f1c8364c72de60e268571d01c247fb95abf4ec70
parent 600866 02ebf58165068f69bfd9fafdb9b8b22092e0da7b
child 600868 1e8edd35e3238c07666d070f9ffcd2d2a1450c81
push id2361
push userjcristau@mozilla.com
push dateMon, 22 Jun 2020 18:14:30 +0000
reviewerstnikkel, jcristau
bugs1450353
milestone78.0
Bug 1450353. r=tnikkel, a=jcristau Differential Revision: https://phabricator.services.mozilla.com/D79303
image/encoders/jpeg/nsJPEGEncoder.cpp
--- a/image/encoders/jpeg/nsJPEGEncoder.cpp
+++ b/image/encoders/jpeg/nsJPEGEncoder.cpp
@@ -3,16 +3,17 @@
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 #include "nsJPEGEncoder.h"
 #include "prprf.h"
 #include "nsString.h"
 #include "nsStreamUtils.h"
 #include "gfxColor.h"
+#include "mozilla/CheckedInt.h"
 
 extern "C" {
 #include "jpeglib.h"
 }
 
 #include <setjmp.h>
 #include "jerror.h"
 
@@ -438,20 +439,24 @@ boolean nsJPEGEncoderInternal::emptyOutp
 
   // When we're reallocing the buffer we need to take the lock to ensure
   // that nobody is trying to read from the buffer we are destroying
   ReentrantMonitorAutoEnter autoEnter(that->mReentrantMonitor);
 
   that->mImageBufferUsed = that->mImageBufferSize;
 
   // expand buffer, just double size each time
-  that->mImageBufferSize *= 2;
+  uint8_t* newBuf = nullptr;
+  CheckedInt<uint32_t> bufSize =
+      CheckedInt<uint32_t>(that->mImageBufferSize) * 2;
+  if (bufSize.isValid()) {
+    that->mImageBufferSize = bufSize.value();
+    newBuf = (uint8_t*)realloc(that->mImageBuffer, that->mImageBufferSize);
+  }
 
-  uint8_t* newBuf =
-      (uint8_t*)realloc(that->mImageBuffer, that->mImageBufferSize);
   if (!newBuf) {
     // can't resize, just zero (this will keep us from writing more)
     free(that->mImageBuffer);
     that->mImageBuffer = nullptr;
     that->mImageBufferSize = 0;
     that->mImageBufferUsed = 0;
 
     // This seems to be the only way to do errors through the JPEG library.  We
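Review bot: The comment above the new CheckedInt arithmetic still reads `// expand buffer, just double size each time` and no longer describes the guard that follows, so a reader has to work out why newBuf can be null without realloc ever being called; I would extend it to `// expand buffer, just double size each time; a doubling that would overflow uint32_t leaves newBuf null and is handled below exactly like an allocation failure`. That framing also records that mImageBufferSize is deliberately only updated once bufSize.isValid() holds, so the size field never advertises more than the buffer can be. As a minor style point, since the realloc line is being rewritten anyway, `newBuf = static_cast<uint8_t*>(realloc(that->mImageBuffer, that->mImageBufferSize));` would replace the C-style cast. emptyOutputBuffer begins before this hunk and the !newBuf branch continues past its last line.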
@@ -491,9 +496,9 @@ void nsJPEGEncoderInternal::errorExit(jp
       break;
     default:
       error_code = NS_ERROR_FAILURE;
   }
 
   // Return control to the setjmp point.  We pass an nsresult masquerading as
   // an int, which works because the setjmp() caller casts it back.
   longjmp(err->setjmp_buffer, static_cast<int>(error_code));
-}
\ No newline at end of file
+}