Merge branch 'ported-upstream'

4 files changed, 50 insertions, 23 deletions

diff --git a/dom/crypto/WebCryptoTask.cpp b/dom/crypto/WebCryptoTask.cpp
index 57a7da186..f5fc7b5bc 100644
--- a/dom/crypto/WebCryptoTask.cpp
+++ b/dom/crypto/WebCryptoTask.cpp
@@ -716,6 +716,11 @@ private:
       return NS_ERROR_DOM_INVALID_ACCESS_ERR;
     }
 
+    // Check whether the integer addition would overflow.
+    if (std::numeric_limits<CryptoBuffer::size_type>::max() - 16 < mData.Length()) {
+      return NS_ERROR_DOM_DATA_ERR;
+    }
+
     // Initialize the output buffer (enough space for padding / a full tag)
     uint32_t dataLen = mData.Length();
     uint32_t maxLen = dataLen + 16;
diff --git a/dom/indexedDB/ActorsParent.cpp b/dom/indexedDB/ActorsParent.cpp
index 702d5c985..c0cb69149 100644
--- a/dom/indexedDB/ActorsParent.cpp
+++ b/dom/indexedDB/ActorsParent.cpp
@@ -7,6 +7,7 @@
 #include "ActorsParent.h"
 
 #include <algorithm>
+#include <stdint.h> // UINTPTR_MAX, uintptr_t
 #include "FileInfo.h"
 #include "FileManager.h"
 #include "IDBObjectStore.h"
@@ -859,6 +860,11 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData,
                  "ReadCompressedIndexDataValuesFromBlob",
                  js::ProfileEntry::Category::STORAGE);
 
+  if (uintptr_t(aBlobData) > UINTPTR_MAX - aBlobDataLength) {
+    IDB_REPORT_INTERNAL_ERR();
+    return NS_ERROR_FILE_CORRUPTED;
+  }
+
   const uint8_t* blobDataIter = aBlobData;
   const uint8_t* blobDataEnd = aBlobData + aBlobDataLength;
 
@@ -878,7 +884,8 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData,
 
     if (NS_WARN_IF(blobDataIter == blobDataEnd) ||
         NS_WARN_IF(keyBufferLength > uint64_t(UINT32_MAX)) ||
-        NS_WARN_IF(blobDataIter + keyBufferLength > blobDataEnd)) {
+        NS_WARN_IF(keyBufferLength > uintptr_t(blobDataEnd)) ||
+        NS_WARN_IF(blobDataIter > blobDataEnd - keyBufferLength)) {
       IDB_REPORT_INTERNAL_ERR();
       return NS_ERROR_FILE_CORRUPTED;
     }
@@ -896,7 +903,8 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData,
     if (sortKeyBufferLength > 0) {
       if (NS_WARN_IF(blobDataIter == blobDataEnd) ||
           NS_WARN_IF(sortKeyBufferLength > uint64_t(UINT32_MAX)) ||
-          NS_WARN_IF(blobDataIter + sortKeyBufferLength > blobDataEnd)) {
+          NS_WARN_IF(sortKeyBufferLength > uintptr_t(blobDataEnd)) ||
+          NS_WARN_IF(blobDataIter > blobDataEnd - sortKeyBufferLength)) {
         IDB_REPORT_INTERNAL_ERR();
         return NS_ERROR_FILE_CORRUPTED;
       }
diff --git a/gfx/layers/composite/FPSCounter.cpp b/gfx/layers/composite/FPSCounter.cpp
index 02ffc4b2c..b8e93eb97 100644
--- a/gfx/layers/composite/FPSCounter.cpp
+++ b/gfx/layers/composite/FPSCounter.cpp
@@ -210,7 +210,10 @@ FPSCounter::WriteFrameTimeStamps(PRFileDesc* fd)
   const int bufferSize = 256;
   char buffer[bufferSize];
   int writtenCount = SprintfLiteral(buffer, "FPS Data for: %s\n", mFPSName);
-  MOZ_ASSERT(writtenCount >= 0);
+  MOZ_ASSERT(writtenCount < bufferSize);
+  if (writtenCount >= bufferSize) {
+    return;
+  }
   PR_Write(fd, buffer, writtenCount);
 
   ResetReverseIterator();
@@ -225,8 +228,10 @@ FPSCounter::WriteFrameTimeStamps(PRFileDesc* fd)
   while (HasNext(startTimeStamp)) {
     TimeDuration duration = previousSample - nextTimeStamp;
     writtenCount = SprintfLiteral(buffer, "%f,\n", duration.ToMilliseconds());
-
-    MOZ_ASSERT(writtenCount >= 0);
+    MOZ_ASSERT(writtenCount < bufferSize);
+    if (writtenCount >= bufferSize) {
+      continue;
+    }
     PR_Write(fd, buffer, writtenCount);
 
     previousSample = nextTimeStamp;
@@ -299,8 +304,13 @@ FPSCounter::PrintFPS()
 void
 FPSCounter::PrintHistogram(std::map<int, int>& aHistogram)
 {
+  if (aHistogram.size() == 0) {
+    return;
+  }
+
   int length = 0;
   const int kBufferLength = 512;
+  int availableSpace = kBufferLength;
   char buffer[kBufferLength];
 
   for (std::map<int, int>::iterator iter = aHistogram.begin();
@@ -309,9 +319,14 @@ FPSCounter::PrintHistogram(std::map<int, int>& aHistogram)
     int fps = iter->first;
     int count = iter->second;
 
-    length += snprintf(buffer + length, kBufferLength - length,
-                       "FPS: %d = %d. ", fps, count);
-    NS_ASSERTION(length >= kBufferLength, "Buffer overrun while printing FPS histogram.");
+    int lengthRequired = snprintf(buffer + length, availableSpace,
+                                  "FPS: %d = %d. ", fps, count);
+    // Ran out of buffer space. Oh well - just print what we have.
+    if (lengthRequired > availableSpace) {
+      break;
+    }
+    length += lengthRequired;
+    availableSpace -= lengthRequired;
   }
 
   printf_stderr("%s\n", buffer);
diff --git a/js/xpconnect/src/XPCJSID.cpp b/js/xpconnect/src/XPCJSID.cpp
index b9cbee7be..1e14c1bdf 100644
--- a/js/xpconnect/src/XPCJSID.cpp
+++ b/js/xpconnect/src/XPCJSID.cpp
@@ -456,27 +456,26 @@ nsJSIID::Enumerate(nsIXPConnectWrappedNative* wrapper,
 static nsresult
 FindObjectForHasInstance(JSContext* cx, HandleObject objArg, MutableHandleObject target)
 {
+    using namespace mozilla::jsipc;
     RootedObject obj(cx, objArg), proto(cx);
-
-    while (obj && !IS_WN_REFLECTOR(obj) &&
-           !IsDOMObject(obj) && !mozilla::jsipc::IsCPOW(obj))
-    {
-        if (js::IsWrapper(obj)) {
-            obj = js::CheckedUnwrap(obj, /* stopAtWindowProxy = */ false);
-            continue;
+    while (true) {
+        // Try the object, or the wrappee if allowed.
+        JSObject* o = js::IsWrapper(obj) ? js::CheckedUnwrap(obj, false) : obj;
+        if (o && (IS_WN_REFLECTOR(o) || IsDOMObject(o) || IsCPOW(o))) {
+            target.set(o);
+            return NS_OK;
         }
 
-        {
-            JSAutoCompartment ac(cx, obj);
-            if (!js::GetObjectProto(cx, obj, &proto))
-                return NS_ERROR_FAILURE;
+        // Walk the prototype chain from the perspective of the callee (i.e.
+        // respecting Xrays if they exist).
+        if (!js::GetObjectProto(cx, obj, &proto))
+            return NS_ERROR_FAILURE;
+        if (!proto) {
+            target.set(nullptr);
+            return NS_OK;
         }
-
         obj = proto;
     }
-
-    target.set(obj);
-    return NS_OK;
 }
 
 nsresult