diff options
author | wolfbeast <mcwerewolf@gmail.com> | 2018-02-08 14:04:54 +0100 |
---|---|---|
committer | wolfbeast <mcwerewolf@gmail.com> | 2018-02-08 14:04:54 +0100 |
commit | bb828464e868b7571548f17ec3eaebd26f5078a2 (patch) | |
tree | 7bffaa4b17903de58996261ac465d08c601d6d85 /dom/indexedDB/ActorsParent.cpp | |
parent | 44cd9f2a915a4879371c5e0b059acc3e5a2378b0 (diff) | |
parent | 4099ff7494f2add95d35eb4ae0de12ab1fcf2aa2 (diff) | |
download | UXP-bb828464e868b7571548f17ec3eaebd26f5078a2.tar UXP-bb828464e868b7571548f17ec3eaebd26f5078a2.tar.gz UXP-bb828464e868b7571548f17ec3eaebd26f5078a2.tar.lz UXP-bb828464e868b7571548f17ec3eaebd26f5078a2.tar.xz UXP-bb828464e868b7571548f17ec3eaebd26f5078a2.zip |
Merge branch 'ported-upstream'
Diffstat (limited to 'dom/indexedDB/ActorsParent.cpp')
-rw-r--r-- | dom/indexedDB/ActorsParent.cpp | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/dom/indexedDB/ActorsParent.cpp b/dom/indexedDB/ActorsParent.cpp index 702d5c985..c0cb69149 100644 --- a/dom/indexedDB/ActorsParent.cpp +++ b/dom/indexedDB/ActorsParent.cpp @@ -7,6 +7,7 @@ #include "ActorsParent.h" #include <algorithm> +#include <stdint.h> // UINTPTR_MAX, uintptr_t #include "FileInfo.h" #include "FileManager.h" #include "IDBObjectStore.h" @@ -859,6 +860,11 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData, "ReadCompressedIndexDataValuesFromBlob", js::ProfileEntry::Category::STORAGE); + if (uintptr_t(aBlobData) > UINTPTR_MAX - aBlobDataLength) { + IDB_REPORT_INTERNAL_ERR(); + return NS_ERROR_FILE_CORRUPTED; + } + const uint8_t* blobDataIter = aBlobData; const uint8_t* blobDataEnd = aBlobData + aBlobDataLength; @@ -878,7 +884,8 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData, if (NS_WARN_IF(blobDataIter == blobDataEnd) || NS_WARN_IF(keyBufferLength > uint64_t(UINT32_MAX)) || - NS_WARN_IF(blobDataIter + keyBufferLength > blobDataEnd)) { + NS_WARN_IF(keyBufferLength > uintptr_t(blobDataEnd)) || + NS_WARN_IF(blobDataIter > blobDataEnd - keyBufferLength)) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_FILE_CORRUPTED; } @@ -896,7 +903,8 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData, if (sortKeyBufferLength > 0) { if (NS_WARN_IF(blobDataIter == blobDataEnd) || NS_WARN_IF(sortKeyBufferLength > uint64_t(UINT32_MAX)) || - NS_WARN_IF(blobDataIter + sortKeyBufferLength > blobDataEnd)) { + NS_WARN_IF(sortKeyBufferLength > uintptr_t(blobDataEnd)) || + NS_WARN_IF(blobDataIter > blobDataEnd - sortKeyBufferLength)) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_FILE_CORRUPTED; } |