diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2017-10-06 13:23:44 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-08 13:36:42 +0100 |
commit | 4099ff7494f2add95d35eb4ae0de12ab1fcf2aa2 (patch) | |
tree | 7bffaa4b17903de58996261ac465d08c601d6d85 | |
parent | b9b545e7ddcbbe5934d905805db1d6a436862737 (diff) | |
download | UXP-4099ff7494f2add95d35eb4ae0de12ab1fcf2aa2.tar UXP-4099ff7494f2add95d35eb4ae0de12ab1fcf2aa2.tar.gz UXP-4099ff7494f2add95d35eb4ae0de12ab1fcf2aa2.tar.lz UXP-4099ff7494f2add95d35eb4ae0de12ab1fcf2aa2.tar.xz UXP-4099ff7494f2add95d35eb4ae0de12ab1fcf2aa2.zip |
Fix ReadCompressedIndexDataValuesFromBlob().
-rw-r--r-- | dom/indexedDB/ActorsParent.cpp | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/dom/indexedDB/ActorsParent.cpp b/dom/indexedDB/ActorsParent.cpp index 702d5c985..c0cb69149 100644 --- a/dom/indexedDB/ActorsParent.cpp +++ b/dom/indexedDB/ActorsParent.cpp @@ -7,6 +7,7 @@ #include "ActorsParent.h" #include <algorithm> +#include <stdint.h> // UINTPTR_MAX, uintptr_t #include "FileInfo.h" #include "FileManager.h" #include "IDBObjectStore.h" @@ -859,6 +860,11 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData, "ReadCompressedIndexDataValuesFromBlob", js::ProfileEntry::Category::STORAGE); + if (uintptr_t(aBlobData) > UINTPTR_MAX - aBlobDataLength) { + IDB_REPORT_INTERNAL_ERR(); + return NS_ERROR_FILE_CORRUPTED; + } + const uint8_t* blobDataIter = aBlobData; const uint8_t* blobDataEnd = aBlobData + aBlobDataLength; @@ -878,7 +884,8 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData, if (NS_WARN_IF(blobDataIter == blobDataEnd) || NS_WARN_IF(keyBufferLength > uint64_t(UINT32_MAX)) || - NS_WARN_IF(blobDataIter + keyBufferLength > blobDataEnd)) { + NS_WARN_IF(keyBufferLength > uintptr_t(blobDataEnd)) || + NS_WARN_IF(blobDataIter > blobDataEnd - keyBufferLength)) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_FILE_CORRUPTED; } @@ -896,7 +903,8 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData, if (sortKeyBufferLength > 0) { if (NS_WARN_IF(blobDataIter == blobDataEnd) || NS_WARN_IF(sortKeyBufferLength > uint64_t(UINT32_MAX)) || - NS_WARN_IF(blobDataIter + sortKeyBufferLength > blobDataEnd)) { + NS_WARN_IF(sortKeyBufferLength > uintptr_t(blobDataEnd)) || + NS_WARN_IF(blobDataIter > blobDataEnd - sortKeyBufferLength)) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_FILE_CORRUPTED; } |