authorwolfbeast <mcwerewolf@wolfbeast.com>2019-05-29 11:05:41 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-05-29 11:54:18 +0200
commitf3b1a919be9c55bdbbde6c9d009e3d8073495ae7 (patch)
tree5e0c536b6edbb1f13e35e93d0c5d685c1aa66796 /widget/windows
parentf5a5fc82d004e50865e23ce1618df290859b4c94 (diff)
Perform a size check when dealing with clipboard data to be sure.
Follow-up to 0b6d9a47051be9ef4d064c6f7c60717da91d0bc2
Diffstat (limited to 'widget/windows')
-rw-r--r--widget/windows/nsClipboard.cpp16
1 files changed, 10 insertions, 6 deletions
diff --git a/widget/windows/nsClipboard.cpp b/widget/windows/nsClipboard.cpp
index c93f351c8..0ca9568d0 100644
--- a/widget/windows/nsClipboard.cpp
+++ b/widget/windows/nsClipboard.cpp
@@ -291,16 +291,20 @@ nsresult nsClipboard::GetGlobalData(HGLOBAL aHGBL, void ** aData, uint32_t * aLe
nsresult result = NS_ERROR_FAILURE;
if (aHGBL != nullptr) {
LPSTR lpStr = (LPSTR) GlobalLock(aHGBL);
- DWORD allocSize = GlobalSize(aHGBL);
- char* data = static_cast<char*>(malloc(allocSize + 3));
+ CheckedInt<uint32_t> allocSize = CheckedInt<uint32_t>(GlobalSize(aHGBL)) + 3;
+ if (!allocSize.isValid()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ char* data = static_cast<char*>(malloc(allocSize.value()));
if ( data ) {
- memcpy ( data, lpStr, allocSize );
- data[allocSize] = data[allocSize + 1] = data[allocSize + 2] =
- '\0'; // null terminate for safety
+ uint32_t size = allocSize.value() - 3;
+ memcpy(data, lpStr, size);
+ // null terminate for safety
+ data[size] = data[size + 1] = data[size + 2] = '\0';
GlobalUnlock(aHGBL);
*aData = data;
- *aLen = allocSize;
+ *aLen = size;
result = NS_OK;
}
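Review bot: The new early return `return NS_ERROR_INVALID_ARG;` leaves `aHGBL` locked, because `GlobalLock` has already been called above it and the matching `GlobalUnlock` is only reached inside the `if ( data )` branch. Either validate `allocSize` before the `GlobalLock` call or unlock first, e.g. `if (!allocSize.isValid()) { GlobalUnlock(aHGBL); return NS_ERROR_INVALID_ARG; }`. The path where `malloc` fails skips the unlock in the same way. `lpStr` is also handed to `memcpy` without a null check, so a failed `GlobalLock` combined with a non-zero `GlobalSize` would copy from a null pointer; `if (!lpStr) return NS_ERROR_FAILURE;` right after the lock would cover that. The body of GetGlobalData starts and ends outside this hunk.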