Bug 1318766 - Validate length in SubstringTuple. r=froydnj
authorEric Rahm <erahm@mozilla.com>
Fri, 02 Dec 2016 10:35:35 -0800
changeset 325161 d35117ca7509b057b8fc57e210f147617a13a493
parent 325160 ccc5ede0fd337923f51a7ebe2bb1f6504d53fe61
child 325162 32dba5242f0f0d1fb75ec533ad507456ff6d3633
push id24
push usermaklebus@msu.edu
push dateTue, 20 Dec 2016 03:11:33 +0000
reviewersfroydnj
bugs1318766
milestone53.0a1
Bug 1318766 - Validate length in SubstringTuple. r=froydnj MozReview-Commit-ID: JuwQS8jpKcX
xpcom/string/nsTSubstringTuple.cpp
--- a/xpcom/string/nsTSubstringTuple.cpp
+++ b/xpcom/string/nsTSubstringTuple.cpp
@@ -1,52 +1,55 @@
 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
 /* vim: set ts=8 sts=2 et sw=2 tw=80: */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
+#include "mozilla/CheckedInt.h"
 
 /**
  * computes the aggregate string length
  */
 
 nsTSubstringTuple_CharT::size_type
 nsTSubstringTuple_CharT::Length() const
 {
-  uint32_t len;
+  mozilla::CheckedInt<size_type> len;
   if (mHead) {
     len = mHead->Length();
   } else {
     len = TO_SUBSTRING(mFragA).Length();
   }
 
-  return len + TO_SUBSTRING(mFragB).Length();
+  len += TO_SUBSTRING(mFragB).Length();
+  MOZ_RELEASE_ASSERT(len.isValid(), "Substring tuple length is invalid");
+  return len.value();
 }
 
 
 /**
  * writes the aggregate string to the given buffer. aBufLen is assumed
  * to be equal to or greater than the value returned by the Length()
  * method.  the string written to |aBuf| is not null-terminated.
  */
 
 void
 nsTSubstringTuple_CharT::WriteTo(char_type* aBuf, uint32_t aBufLen) const
 {
   const substring_type& b = TO_SUBSTRING(mFragB);
 
-  NS_ASSERTION(aBufLen >= b.Length(), "buffer too small");
+  MOZ_RELEASE_ASSERT(aBufLen >= b.Length(), "buffer too small");
   uint32_t headLen = aBufLen - b.Length();
   if (mHead) {
     mHead->WriteTo(aBuf, headLen);
   } else {
     const substring_type& a = TO_SUBSTRING(mFragA);
 
-    NS_ASSERTION(a.Length() == headLen, "buffer incorrectly sized");
+    MOZ_RELEASE_ASSERT(a.Length() == headLen, "buffer incorrectly sized");
     char_traits::copy(aBuf, a.Data(), a.Length());
   }
 
   char_traits::copy(aBuf + headLen, b.Data(), b.Length());
 
 #if 0
   // we need to write out data into |aBuf|, ending at |aBuf + aBufLen|. So our
   // data needs to precede |aBuf + aBufLen| exactly. We trust that the buffer
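Review bot: The doc comment above WriteTo still says aBufLen may be "equal to or greater than" the value returned by Length(), but the new `MOZ_RELEASE_ASSERT(a.Length() == headLen, "buffer incorrectly sized")` in the else branch turns any larger value into a release-build abort. headLen is aBufLen minus b.Length(), so it has to match the head length exactly. I would update the comment to state the contract the asserts now enforce, for example `aBufLen must equal the value returned by Length(); a mismatch is a fatal MOZ_RELEASE_ASSERT rather than a mis-sized copy into |aBuf|.` The comment on Length() could also say that an aggregate length which overflows size_type aborts instead of wrapping, so callers that size buffers from it know the behaviour. WriteTo's body continues past the end of this hunk, so this is based only on the visible lines.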