diff options
author | Henri Sivonen <hsivonen@hsivonen.fi> | 2018-02-28 14:09:26 -0500 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-03-14 11:21:36 +0100 |
commit | bd819cc43653220abdbfe040ba5c721e9861241c (patch) | |
tree | 3f526b2577a75eac4fec75a8af15876214f72b00 | |
parent | 8c25427afc8d4b9fae10cf188a5966dd69d0548f (diff) | |
download | UXP-bd819cc43653220abdbfe040ba5c721e9861241c.tar UXP-bd819cc43653220abdbfe040ba5c721e9861241c.tar.gz UXP-bd819cc43653220abdbfe040ba5c721e9861241c.tar.lz UXP-bd819cc43653220abdbfe040ba5c721e9861241c.tar.xz UXP-bd819cc43653220abdbfe040ba5c721e9861241c.zip |
Bug 1440926 - Use overflow-checking math when computing Big5 max length. r=emk, a=RyanVM
MozReview-Commit-ID: 1Gney5cYyhu
-rw-r--r-- | intl/uconv/ucvtw/nsBIG5ToUnicode.cpp | 12 | ||||
-rw-r--r-- | intl/uconv/ucvtw/nsUnicodeToBIG5.cpp | 21 |
2 files changed, 26 insertions, 7 deletions
diff --git a/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp b/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp index 8dbf84a14..b07df3d76 100644 --- a/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp +++ b/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp @@ -152,7 +152,17 @@ nsBIG5ToUnicode::GetMaxLength(const char* aSrc, { // The length of the output in UTF-16 code units never exceeds the length // of the input in bytes. - *aDestLength = aSrcLength + (mPendingTrail ? 1 : 0) + (mBig5Lead ? 1 : 0); + mozilla::CheckedInt32 length = aSrcLength; + if (mPendingTrail) { + length += 1; + } + if (mBig5Lead) { + length += 1; + } + if (!length.isValid()) { + return NS_ERROR_OUT_OF_MEMORY; + } + *aDestLength = length.value(); return NS_OK; } diff --git a/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp b/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp index c3c9658df..b30be2f9b 100644 --- a/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp +++ b/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp @@ -211,12 +211,21 @@ nsUnicodeToBIG5::GetMaxLength(const char16_t* aSrc, int32_t aSrcLength, int32_t* aDestLength) { - *aDestLength = (aSrcLength * 2) + - (mPendingTrail ? 1 : 0) + - // If the lead ends up being paired, the bytes produced - // are already included above. - // If not, it produces a single '?'. - (mUtf16Lead ? 1 : 0); + mozilla::CheckedInt32 length = aSrcLength; + length *= 2; + if (mPendingTrail) { + length += 1; + } + // If the lead ends up being paired, the bytes produced + // are already included above. + // If not, it produces a single '?'. + if (mUtf16Lead) { + length += 1; + } + if (!length.isValid()) { + return NS_ERROR_OUT_OF_MEMORY; + } + *aDestLength = length.value(); return NS_OK; } |