authorMoonchild <moonchild@palemoon.org>2020-07-09 11:22:40 +0000
committerMoonchild <moonchild@palemoon.org>2020-07-09 11:22:40 +0000
commit64be1dc3291b4335f4496a9f57c856c5c192947d (patch)
tree87a8020404bea42ef2a95e98c5cbcec81cf53248
parent7cebdd7815b3953fbb76e0e38fab5dc856f5fb48 (diff)
[image] Add a sanity check to JPEG encoder buffer handling, just in case.
-rw-r--r--image/encoders/jpeg/nsJPEGEncoder.cpp11
1 files changed, 8 insertions, 3 deletions
diff --git a/image/encoders/jpeg/nsJPEGEncoder.cpp b/image/encoders/jpeg/nsJPEGEncoder.cpp
index 04cfef07b..e5835c295 100644
--- a/image/encoders/jpeg/nsJPEGEncoder.cpp
+++ b/image/encoders/jpeg/nsJPEGEncoder.cpp
@@ -8,6 +8,7 @@
#include "nsString.h"
#include "nsStreamUtils.h"
#include "gfxColor.h"
+#include "mozilla/CheckedInt.h"
#include <setjmp.h>
#include "jerror.h"
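Review bot: The new include brings in mozilla::CheckedInt, but the second hunk of this commit uses it unqualified (`CheckedInt<uint32_t> bufSize = CheckedInt<uint32_t>(that->mImageBufferSize) * 2;`), so it only compiles if something outside these hunks already has `using namespace mozilla;` in scope. Writing the two lines as `mozilla::CheckedInt<uint32_t> bufSize = mozilla::CheckedInt<uint32_t>(that->mImageBufferSize) * 2;` removes that dependency and makes the overflow-checked doubling self-contained. The include is also placed between "gfxColor.h" and <setjmp.h>; grouping it with the other mozilla/ headers would match the usual ordering, though the file's include order is not fully visible here.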
@@ -430,10 +431,14 @@ nsJPEGEncoder::emptyOutputBuffer(jpeg_compress_struct* cinfo)
that->mImageBufferUsed = that->mImageBufferSize;
// expand buffer, just double size each time
- that->mImageBufferSize *= 2;
+ uint8_t* newBuf = nullptr;
+ CheckedInt<uint32_t> bufSize =
+ CheckedInt<uint32_t>(that->mImageBufferSize) * 2;
+ if (bufSize.isValid()) {
+ that->mImageBufferSize = bufSize.value();
+ newBuf = (uint8_t*)realloc(that->mImageBuffer, that->mImageBufferSize);
+ }
- uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer,
- that->mImageBufferSize);
if (!newBuf) {
// can't resize, just zero (this will keep us from writing more)
free(that->mImageBuffer);