aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/icecat-CVE-2015-2740.patch
blob: caafa52a23617391719e419f63872358dfda8378 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
From ccbae7ff07c2e72c48e0676adaa3e798990f33a1 Mon Sep 17 00:00:00 2001
From: Andrea Marchesini <amarchesini@mozilla.com>
Date: Tue, 23 Jun 2015 10:47:38 -0400
Subject: [PATCH] Bug 1170809 - Improve the buffer size check in
 nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings

---
 content/base/src/nsXMLHttpRequest.cpp | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
index 56d1aa3..86425d7 100644
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -655,13 +655,18 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
                                        &destBufferLen);
   NS_ENSURE_SUCCESS(rv, rv);
 
-  if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible_t())) {
+  uint32_t size = mResponseText.Length() + destBufferLen;
+  if (size < (uint32_t)destBufferLen) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
+
+  if (!mResponseText.SetCapacity(size, fallible_t())) {
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
   char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
 
-  int32_t totalChars = mResponseText.Length();
+  CheckedInt32 totalChars = mResponseText.Length();
 
   // This code here is basically a copy of a similar thing in
   // nsScanner::Append(const char* aBuffer, uint32_t aLen).
@@ -674,9 +679,11 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
   MOZ_ASSERT(NS_SUCCEEDED(rv));
 
   totalChars += destlen;
+  if (!totalChars.isValid()) {
+    return NS_ERROR_OUT_OF_MEMORY;
+  }
 
-  mResponseText.SetLength(totalChars);
-
+  mResponseText.SetLength(totalChars.value());
   return NS_OK;
 }
 
-- 
2.4.3