Bug 1485943 - Avoid writing past the logical length of a string in AlternateServices.cpp. r=dragana
authorHenri Sivonen <hsivonen@hsivonen.fi>
Wed, 29 Aug 2018 08:39:42 +0000
changeset 482198 79ff858fea6bdff2ae0d7d1fa8c7fd98c0895f0f
parent 482197 75b8ac536f30108bcefb6ffa139a1b57bc43f878
child 482199 f10df314fc4df9312555af4cc0c6fd7bb32a3b76
push id232
push userfmarier@mozilla.com
push dateWed, 05 Sep 2018 20:45:54 +0000
reviewersdragana
bugs1485943
milestone63.0a1
Bug 1485943 - Avoid writing past the logical length of a string in AlternateServices.cpp. r=dragana MozReview-Commit-ID: 4xPYaAbGaEI Differential Revision: https://phabricator.services.mozilla.com/D4512
netwerk/protocol/http/AlternateServices.cpp
--- a/netwerk/protocol/http/AlternateServices.cpp
+++ b/netwerk/protocol/http/AlternateServices.cpp
@@ -764,23 +764,28 @@ TransactionObserver::OnStartRequest(nsIR
   return NS_OK;
 }
 
 NS_IMETHODIMP
 TransactionObserver::OnDataAvailable(nsIRequest *aRequest, nsISupports *aContext,
                                      nsIInputStream *aStream, uint64_t aOffset, uint32_t aCount)
 {
   MOZ_ASSERT(NS_IsMainThread());
-  uint64_t newLen = aCount + mWKResponse.Length();
+  uint32_t oldLen = mWKResponse.Length();
+  uint64_t newLen = aCount + oldLen;
   if (newLen < MAX_WK) {
-    char *startByte =  reinterpret_cast<char *>(mWKResponse.BeginWriting()) + mWKResponse.Length();
+    nsresult rv;
+    auto handle = mWKResponse.BulkWrite(newLen, oldLen, false, rv);
+    if (NS_FAILED(rv)) {
+      return rv;
+    }
     uint32_t amtRead;
-    if (NS_SUCCEEDED(aStream->Read(startByte, aCount, &amtRead))) {
-      MOZ_ASSERT(mWKResponse.Length() + amtRead < MAX_WK);
-      mWKResponse.SetLength(mWKResponse.Length() + amtRead);
+    if (NS_SUCCEEDED(aStream->Read(handle.Elements() + oldLen, aCount, &amtRead))) {
+      MOZ_ASSERT(oldLen + amtRead <= newLen);
+      handle.Finish(oldLen + amtRead, false);
       LOG(("TransactionObserver onDataAvailable %p read %d of .wk [%d]\n",
            this, amtRead, mWKResponse.Length()));
     } else {
       LOG(("TransactionObserver onDataAvailable %p read error\n", this));
     }
   }
   return NS_OK;
 }
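Review bot: The sum on the `uint64_t newLen = aCount + oldLen;` line is still computed in 32 bits, because `aCount` and `oldLen` are both `uint32_t`, so it can wrap before it is widened and the `newLen < MAX_WK` guard then sees the wrapped value. In that case the capacity requested from `BulkWrite` would be smaller than the `aCount` bytes that `aStream->Read` is asked to store at `handle.Elements() + oldLen`. Whether a caller can deliver an `aCount` that large is not visible here, but widening first closes the gap: `uint64_t newLen = static_cast<uint64_t>(aCount) + oldLen;`. Separately, the read-error branch returns without calling `handle.Finish`, so it is worth confirming what the handle's destructor leaves in `mWKResponse` and adding a comment there, or calling `handle.Finish(oldLen, false);` to keep the bytes already collected.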