summaryrefslogtreecommitdiffstats
path: root/intl/uconv/ucvtw
diff options
context:
space:
mode:
authorHenri Sivonen <hsivonen@hsivonen.fi>2018-02-28 14:09:26 -0500
committerwolfbeast <mcwerewolf@gmail.com>2018-03-14 11:21:36 +0100
commitbd819cc43653220abdbfe040ba5c721e9861241c (patch)
tree3f526b2577a75eac4fec75a8af15876214f72b00 /intl/uconv/ucvtw
parent8c25427afc8d4b9fae10cf188a5966dd69d0548f (diff)
downloadUXP-bd819cc43653220abdbfe040ba5c721e9861241c.tar
UXP-bd819cc43653220abdbfe040ba5c721e9861241c.tar.gz
UXP-bd819cc43653220abdbfe040ba5c721e9861241c.tar.lz
UXP-bd819cc43653220abdbfe040ba5c721e9861241c.tar.xz
UXP-bd819cc43653220abdbfe040ba5c721e9861241c.zip
Bug 1440926 - Use overflow-checking math when computing Big5 max length. r=emk, a=RyanVM
MozReview-Commit-ID: 1Gney5cYyhu
Diffstat (limited to 'intl/uconv/ucvtw')
-rw-r--r--intl/uconv/ucvtw/nsBIG5ToUnicode.cpp12
-rw-r--r--intl/uconv/ucvtw/nsUnicodeToBIG5.cpp21
2 files changed, 26 insertions, 7 deletions
diff --git a/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp b/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp
index 8dbf84a14..b07df3d76 100644
--- a/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp
+++ b/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp
@@ -152,7 +152,17 @@ nsBIG5ToUnicode::GetMaxLength(const char* aSrc,
{
// The length of the output in UTF-16 code units never exceeds the length
// of the input in bytes.
- *aDestLength = aSrcLength + (mPendingTrail ? 1 : 0) + (mBig5Lead ? 1 : 0);
+ mozilla::CheckedInt32 length = aSrcLength;
+ if (mPendingTrail) {
+ length += 1;
+ }
+ if (mBig5Lead) {
+ length += 1;
+ }
+ if (!length.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ *aDestLength = length.value();
return NS_OK;
}
diff --git a/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp b/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp
index c3c9658df..b30be2f9b 100644
--- a/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp
+++ b/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp
@@ -211,12 +211,21 @@ nsUnicodeToBIG5::GetMaxLength(const char16_t* aSrc,
int32_t aSrcLength,
int32_t* aDestLength)
{
- *aDestLength = (aSrcLength * 2) +
- (mPendingTrail ? 1 : 0) +
- // If the lead ends up being paired, the bytes produced
- // are already included above.
- // If not, it produces a single '?'.
- (mUtf16Lead ? 1 : 0);
+ mozilla::CheckedInt32 length = aSrcLength;
+ length *= 2;
+ if (mPendingTrail) {
+ length += 1;
+ }
+ // If the lead ends up being paired, the bytes produced
+ // are already included above.
+ // If not, it produces a single '?'.
+ if (mUtf16Lead) {
+ length += 1;
+ }
+ if (!length.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ *aDestLength = length.value();
return NS_OK;
}