authorwolfbeast <mcwerewolf@gmail.com>2018-12-17 14:12:04 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-12-17 14:12:04 +0100
commit51b821b3fdc5a7eab2369cb6a6680598a6264b08 (patch)
treef3608a518bbb9e31b0a42b9a10742fb11ef5b39b /image
parent8e44bbb43789e585fab9fc1ce8becc94b45d566c (diff)
parent680c3eadb6aaec1f3653636db081a519e0f62ef5 (diff)
Merge branch 'master' into Sync-weave
Diffstat (limited to 'image')
-rw-r--r--image/encoders/png/nsPNGEncoder.cpp52
-rw-r--r--image/encoders/png/nsPNGEncoder.h1
2 files changed, 40 insertions, 13 deletions
diff --git a/image/encoders/png/nsPNGEncoder.cpp b/image/encoders/png/nsPNGEncoder.cpp
index 66294146d..abe6f35b4 100644
--- a/image/encoders/png/nsPNGEncoder.cpp
+++ b/image/encoders/png/nsPNGEncoder.cpp
@@ -9,6 +9,7 @@
#include "nsStreamUtils.h"
#include "nsString.h"
#include "prprf.h"
+#include "mozilla/CheckedInt.h"
using namespace mozilla;
@@ -703,30 +704,55 @@ nsPNGEncoder::WriteCallback(png_structp png, png_bytep data,
return;
}
- if (that->mImageBufferUsed + size > that->mImageBufferSize) {
+ CheckedUint32 sizeNeeded = CheckedUint32(that->mImageBufferUsed) + size;
+ if (!sizeNeeded.isValid()) {
+ // Take the lock to ensure that nobody is trying to read from the buffer
+ // we are destroying
+ ReentrantMonitorAutoEnter autoEnter(that->mReentrantMonitor);
+
+ that->NullOutImageBuffer();
+ return;
+ }
+
+ if (sizeNeeded.value() > that->mImageBufferSize) {
// When we're reallocing the buffer we need to take the lock to ensure
// that nobody is trying to read from the buffer we are destroying
ReentrantMonitorAutoEnter autoEnter(that->mReentrantMonitor);
- // expand buffer, just double each time
- that->mImageBufferSize *= 2;
- uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer,
- that->mImageBufferSize);
- if (!newBuf) {
- // can't resize, just zero (this will keep us from writing more)
- free(that->mImageBuffer);
- that->mImageBuffer = nullptr;
- that->mImageBufferSize = 0;
- that->mImageBufferUsed = 0;
- return;
+ while (sizeNeeded.value() > that->mImageBufferSize) {
+ // expand buffer, just double each time
+ CheckedUint32 bufferSize = CheckedUint32(that->mImageBufferSize) * 2;
+ if (!bufferSize.isValid()) {
+ that->NullOutImageBuffer();
+ return;
+ }
+ that->mImageBufferSize *= 2;
+ uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer,
+ that->mImageBufferSize);
+ if (!newBuf) {
+ // can't resize, just zero (this will keep us from writing more)
+ that->NullOutImageBuffer();
+ return;
+ }
+ that->mImageBuffer = newBuf;
}
- that->mImageBuffer = newBuf;
}
+
memcpy(&that->mImageBuffer[that->mImageBufferUsed], data, size);
that->mImageBufferUsed += size;
that->NotifyListener();
}
+void nsPNGEncoder::NullOutImageBuffer()
+{
+ mReentrantMonitor.AssertCurrentThreadIn();
+
+ free(mImageBuffer);
+ mImageBuffer = nullptr;
+ mImageBufferSize = 0;
+ mImageBufferUsed = 0;
+}
+
void
nsPNGEncoder::NotifyListener()
{
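Review bot: The growth loop under `if (sizeNeeded.value() > that->mImageBufferSize)` validates the doubled size in `bufferSize` but then recomputes it with `that->mImageBufferSize *= 2`, and it calls realloc once per doubling. Computing the final size in a CheckedUint32 first and reallocating once makes the validated value and the stored value the same, and avoids the intermediate copies. The loop also only terminates if mImageBufferSize is non-zero on entry. That presumably follows from the null-buffer early return above the hunk, which is not visible here, so an assertion would record the assumption. WriteCallback begins outside this hunk.

```cpp
  if (sizeNeeded.value() > that->mImageBufferSize) {
    // ... unchanged: comment and ReentrantMonitorAutoEnter acquisition ...

    // Doubling never makes progress from zero; a live buffer implies size > 0.
    MOZ_ASSERT(that->mImageBufferSize > 0);

    // Find the final capacity under checked arithmetic, then realloc once.
    CheckedUint32 newSize = that->mImageBufferSize;
    while (newSize.isValid() && sizeNeeded.value() > newSize.value()) {
      newSize *= 2;
    }
    if (!newSize.isValid()) {
      that->NullOutImageBuffer();
      return;
    }

    uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer, newSize.value());
    if (!newBuf) {
      // can't resize, just zero (this will keep us from writing more)
      that->NullOutImageBuffer();
      return;
    }
    that->mImageBuffer = newBuf;
    that->mImageBufferSize = newSize.value();
  }
```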
diff --git a/image/encoders/png/nsPNGEncoder.h b/image/encoders/png/nsPNGEncoder.h
index 95e7d5c19..8c2239c11 100644
--- a/image/encoders/png/nsPNGEncoder.h
+++ b/image/encoders/png/nsPNGEncoder.h
@@ -54,6 +54,7 @@ protected:
static void WarningCallback(png_structp png_ptr, png_const_charp warning_msg);
static void ErrorCallback(png_structp png_ptr, png_const_charp error_msg);
static void WriteCallback(png_structp png, png_bytep data, png_size_t size);
+ void NullOutImageBuffer();
void NotifyListener();
png_struct* mPNG;
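Review bot: The new `NullOutImageBuffer()` declaration carries no comment, yet its definition in nsPNGEncoder.cpp calls `mReentrantMonitor.AssertCurrentThreadIn()`, so it has a locking precondition that a reader of the header cannot see. I would put a comment above the declaration, for example `// Frees mImageBuffer and resets mImageBufferSize/mImageBufferUsed to 0. Caller must hold mReentrantMonitor.`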