Bug 974353 - In OpenExisting, check that the IPC-passed Shmem size matches the size stored in the SharedMemory header. And don't leak the segment on error. - r=bent
authorBenoit Jacob <bjacob@mozilla.com>
Wed, 26 Feb 2014 14:10:55 -0500
changeset 171055 a4c3a2e400b272a3b5d66c502cb37a7b62c76576
parent 171054 36b02f8ee7738ad84a968cafd7fd4e17aa7693f7
child 171056 f13e25bfdfbcc666652a712f56df43187ab13832
push id270
push userpvanderbeken@mozilla.com
push dateThu, 06 Mar 2014 09:24:21 +0000
reviewersbent
bugs974353
milestone30.0a1
Bug 974353 - In OpenExisting, check that the IPC-passed Shmem size matches the size stored in the SharedMemory header. And don't leak the segment on error. - r=bent
ipc/glue/Shmem.cpp
--- a/ipc/glue/Shmem.cpp
+++ b/ipc/glue/Shmem.cpp
@@ -451,19 +451,26 @@ Shmem::OpenExisting(IHadBetterBeIPDLCode
   else {
     NS_ERROR("unknown shmem type");
     return nullptr;
   }
 
   if (!segment)
     return 0;
 
+  Header* header = GetHeader(segment);
+
+  if (size != header->mSize) {
+    NS_ERROR("Wrong size for this Shmem!");
+    delete segment;
+    return nullptr;
+  }
+
   // The caller of this function may not know whether the segment is
   // unsafe or not
-  Header* header = GetHeader(segment);
   if (!header->mUnsafe && aProtect)
     Protect(segment);
 
   return segment;
 }
 
 // static
 void
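Review bot: `header->mSize` appears to be read from the mapped segment itself (via `GetHeader(segment)`), so the new `size != header->mSize` check compares two values that both come from the other side of the IPC channel. It is also only valid at the moment of the comparison. A comment on the check would make that explicit, e.g. `// Consistency check at open time only: the header lives in the shared mapping, so never re-read mSize later as a trusted bound.` The same applies to `*PtrToSize(segment)` in the second OpenExisting hunk. Whether the mapping is guaranteed to be large enough to hold the header before it is dereferenced cannot be seen here, because the function starts outside the hunk.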
@@ -566,18 +573,19 @@ Shmem::OpenExisting(IHadBetterBeIPDLCode
 #endif
   else {
     return nullptr;
   }
 
   if (!segment)
     return 0;
 
-  // this is the only validity check done OPT builds
+  // this is the only validity check done in non-DEBUG builds
   if (size != static_cast<size_t>(*PtrToSize(segment))) {
+    delete segment;
     return nullptr;
   }
 
   return segment;
 }
 
 // static
 void
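Review bot: The `delete segment;` added before `return nullptr;` fixes the leak by hand on this one path, as does the matching delete in the first OpenExisting hunk. Any early return later added between the mapping and `return segment;` would reintroduce the leak. Holding the segment in a scoped owner and releasing it only at the final `return segment;` would make the cleanup automatic on every error path. Whether the failure paths earlier in the function, where the segment is created and mapped, already free it is not visible, since the body starts outside the hunk.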