diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2017-06-20 17:50:15 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-05 15:52:58 +0100 |
commit | a54e46aeb5497ec0c54ec453e6e0b22b2b54792b (patch) | |
tree | f039dc21944278c3ea4895eab733ac55aab99a89 | |
parent | e021cb5c71464de14aa332ec013501e9a37038f7 (diff) | |
download | UXP-a54e46aeb5497ec0c54ec453e6e0b22b2b54792b.tar UXP-a54e46aeb5497ec0c54ec453e6e0b22b2b54792b.tar.gz UXP-a54e46aeb5497ec0c54ec453e6e0b22b2b54792b.tar.lz UXP-a54e46aeb5497ec0c54ec453e6e0b22b2b54792b.tar.xz UXP-a54e46aeb5497ec0c54ec453e6e0b22b2b54792b.zip |
Check for too large allocation size in BasicPlanarYCbCrImage::CopyData (DiD)
-rw-r--r-- | gfx/layers/basic/BasicImages.cpp | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/gfx/layers/basic/BasicImages.cpp b/gfx/layers/basic/BasicImages.cpp index ed9447207..fc1be6e9a 100644 --- a/gfx/layers/basic/BasicImages.cpp +++ b/gfx/layers/basic/BasicImages.cpp @@ -11,6 +11,7 @@ #include "gfxASurface.h" // for gfxASurface, etc #include "gfxPlatform.h" // for gfxPlatform, gfxImageFormat #include "gfxUtils.h" // for gfxUtils +#include "mozilla/CheckedInt.h" #include "mozilla/mozalloc.h" // for operator delete[], etc #include "mozilla/RefPtr.h" #include "mozilla/UniquePtr.h" @@ -111,7 +112,13 @@ BasicPlanarYCbCrImage::CopyData(const Data& aData) gfxImageFormat iFormat = gfx::SurfaceFormatToImageFormat(format); mStride = gfxASurface::FormatStrideForWidth(iFormat, size.width); - mDecodedBuffer = AllocateBuffer(size.height * mStride); + mozilla::CheckedInt32 requiredBytes = + mozilla::CheckedInt32(size.height) * mozilla::CheckedInt32(mStride); + if (!requiredBytes.isValid()) { + // invalid size + return false; + } + mDecodedBuffer = AllocateBuffer(requiredBytes.value()); if (!mDecodedBuffer) { // out of memory return false; |