Bug 665936 - string crash found while fuzzing WebGL shaders - r=jrmuizel, a=drivers
authorBenoit Jacob <bjacob@mozilla.com>
Thu, 07 Jul 2011 20:01:17 -0400
changeset 70542 e05336fe9f4ff5a6f72cd6ec79d17cc84af54f85
parent 70541 78f4d3045e2619fb2b60699479a8939670cfebd4
child 70543 37dc24eeac59702a08d6107135b5a4e96ac8af21
push id1
push usersledru@mozilla.com
push dateThu, 04 Dec 2014 17:57:20 +0000
reviewersjrmuizel, drivers
bugs665936
milestone6.0
Bug 665936 - string crash found while fuzzing WebGL shaders - r=jrmuizel, a=drivers
content/canvas/src/WebGLContextGL.cpp
--- a/content/canvas/src/WebGLContextGL.cpp
+++ b/content/canvas/src/WebGLContextGL.cpp
@@ -4039,21 +4039,29 @@ WebGLContext::GetShaderSource(nsIWebGLSh
 
 NS_IMETHODIMP
 WebGLContext::ShaderSource(nsIWebGLShader *sobj, const nsAString& source)
 {
     WebGLShader *shader;
     WebGLuint shadername;
     if (!GetConcreteObjectAndGLName("shaderSource: shader", sobj, &shader, &shadername))
         return NS_OK;
-
-    if (!NS_IsAscii(nsPromiseFlatString(source).get()))
+    
+    const nsPromiseFlatString& flatSource = PromiseFlatString(source);
+
+    if (!NS_IsAscii(flatSource.get()))
         return ErrorInvalidValue("shaderSource: non-ascii characters found in source");
 
-    shader->SetSource(NS_LossyConvertUTF16toASCII(source));
+    const nsCString& sourceCString = NS_LossyConvertUTF16toASCII(flatSource);
+    
+    const PRUint32 maxSourceLength = (PRUint32(1)<<18) - 1;
+    if (sourceCString.Length() > maxSourceLength)
+        return ErrorInvalidValue("shaderSource: source has more than %d characters", maxSourceLength);
+    
+    shader->SetSource(sourceCString);
 
     shader->SetNeedsTranslation();
 
     return NS_OK;
 }
 
 NS_IMETHODIMP
 WebGLContext::VertexAttribPointer(WebGLuint index, WebGLint size, WebGLenum type,
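Review bot: The new bound at `if (sourceCString.Length() > maxSourceLength)` is only enforced after the caller-supplied source has already been flattened, scanned by NS_IsAscii and copied by NS_LossyConvertUTF16toASCII, so an oversized input still drives all of that work before it is rejected; since the lossy conversion yields one byte per UTF-16 unit, the same limit can be applied to `flatSource.Length()` directly after `PromiseFlatString(source)` and before the ASCII check, e.g. `if (flatSource.Length() > maxSourceLength) return ErrorInvalidValue("shaderSource: source has more than %u characters", maxSourceLength);`, with the later check on `sourceCString` dropped. Separately, the message `"shaderSource: source has more than %d characters"` is paired with a `PRUint32` argument; if ErrorInvalidValue forwards to a printf-style formatter, `%u` is the matching specifier. The literal `(PRUint32(1)<<18) - 1` also deserves a one-line comment stating where that limit comes from, since nothing in the hunk explains why 2^18-1 was chosen. ShaderSource begins and ends within this hunk.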