summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--dom/crypto/WebCryptoTask.cpp5
-rw-r--r--dom/indexedDB/ActorsParent.cpp12
-rw-r--r--gfx/layers/composite/FPSCounter.cpp27
-rw-r--r--js/xpconnect/src/XPCJSID.cpp29
4 files changed, 50 insertions, 23 deletions
diff --git a/dom/crypto/WebCryptoTask.cpp b/dom/crypto/WebCryptoTask.cpp
index 57a7da186..f5fc7b5bc 100644
--- a/dom/crypto/WebCryptoTask.cpp
+++ b/dom/crypto/WebCryptoTask.cpp
@@ -716,6 +716,11 @@ private:
return NS_ERROR_DOM_INVALID_ACCESS_ERR;
}
+ // Check whether the integer addition would overflow.
+ if (std::numeric_limits<CryptoBuffer::size_type>::max() - 16 < mData.Length()) {
+ return NS_ERROR_DOM_DATA_ERR;
+ }
+
// Initialize the output buffer (enough space for padding / a full tag)
uint32_t dataLen = mData.Length();
uint32_t maxLen = dataLen + 16;
diff --git a/dom/indexedDB/ActorsParent.cpp b/dom/indexedDB/ActorsParent.cpp
index 702d5c985..c0cb69149 100644
--- a/dom/indexedDB/ActorsParent.cpp
+++ b/dom/indexedDB/ActorsParent.cpp
@@ -7,6 +7,7 @@
#include "ActorsParent.h"
#include <algorithm>
+#include <stdint.h> // UINTPTR_MAX, uintptr_t
#include "FileInfo.h"
#include "FileManager.h"
#include "IDBObjectStore.h"
@@ -859,6 +860,11 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData,
"ReadCompressedIndexDataValuesFromBlob",
js::ProfileEntry::Category::STORAGE);
+ if (uintptr_t(aBlobData) > UINTPTR_MAX - aBlobDataLength) {
+ IDB_REPORT_INTERNAL_ERR();
+ return NS_ERROR_FILE_CORRUPTED;
+ }
+
const uint8_t* blobDataIter = aBlobData;
const uint8_t* blobDataEnd = aBlobData + aBlobDataLength;
@@ -878,7 +884,8 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData,
if (NS_WARN_IF(blobDataIter == blobDataEnd) ||
NS_WARN_IF(keyBufferLength > uint64_t(UINT32_MAX)) ||
- NS_WARN_IF(blobDataIter + keyBufferLength > blobDataEnd)) {
+ NS_WARN_IF(keyBufferLength > uintptr_t(blobDataEnd)) ||
+ NS_WARN_IF(blobDataIter > blobDataEnd - keyBufferLength)) {
IDB_REPORT_INTERNAL_ERR();
return NS_ERROR_FILE_CORRUPTED;
}
@@ -896,7 +903,8 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData,
if (sortKeyBufferLength > 0) {
if (NS_WARN_IF(blobDataIter == blobDataEnd) ||
NS_WARN_IF(sortKeyBufferLength > uint64_t(UINT32_MAX)) ||
- NS_WARN_IF(blobDataIter + sortKeyBufferLength > blobDataEnd)) {
+ NS_WARN_IF(sortKeyBufferLength > uintptr_t(blobDataEnd)) ||
+ NS_WARN_IF(blobDataIter > blobDataEnd - sortKeyBufferLength)) {
IDB_REPORT_INTERNAL_ERR();
return NS_ERROR_FILE_CORRUPTED;
}
diff --git a/gfx/layers/composite/FPSCounter.cpp b/gfx/layers/composite/FPSCounter.cpp
index 02ffc4b2c..b8e93eb97 100644
--- a/gfx/layers/composite/FPSCounter.cpp
+++ b/gfx/layers/composite/FPSCounter.cpp
@@ -210,7 +210,10 @@ FPSCounter::WriteFrameTimeStamps(PRFileDesc* fd)
const int bufferSize = 256;
char buffer[bufferSize];
int writtenCount = SprintfLiteral(buffer, "FPS Data for: %s\n", mFPSName);
- MOZ_ASSERT(writtenCount >= 0);
+ MOZ_ASSERT(writtenCount < bufferSize);
+ if (writtenCount >= bufferSize) {
+ return;
+ }
PR_Write(fd, buffer, writtenCount);
ResetReverseIterator();
@@ -225,8 +228,10 @@ FPSCounter::WriteFrameTimeStamps(PRFileDesc* fd)
while (HasNext(startTimeStamp)) {
TimeDuration duration = previousSample - nextTimeStamp;
writtenCount = SprintfLiteral(buffer, "%f,\n", duration.ToMilliseconds());
-
- MOZ_ASSERT(writtenCount >= 0);
+ MOZ_ASSERT(writtenCount < bufferSize);
+ if (writtenCount >= bufferSize) {
+ continue;
+ }
PR_Write(fd, buffer, writtenCount);
previousSample = nextTimeStamp;
@@ -299,8 +304,13 @@ FPSCounter::PrintFPS()
void
FPSCounter::PrintHistogram(std::map<int, int>& aHistogram)
{
+ if (aHistogram.size() == 0) {
+ return;
+ }
+
int length = 0;
const int kBufferLength = 512;
+ int availableSpace = kBufferLength;
char buffer[kBufferLength];
for (std::map<int, int>::iterator iter = aHistogram.begin();
@@ -309,9 +319,14 @@ FPSCounter::PrintHistogram(std::map<int, int>& aHistogram)
int fps = iter->first;
int count = iter->second;
- length += snprintf(buffer + length, kBufferLength - length,
- "FPS: %d = %d. ", fps, count);
- NS_ASSERTION(length >= kBufferLength, "Buffer overrun while printing FPS histogram.");
+ int lengthRequired = snprintf(buffer + length, availableSpace,
+ "FPS: %d = %d. ", fps, count);
+ // Ran out of buffer space. Oh well - just print what we have.
+ if (lengthRequired > availableSpace) {
+ break;
+ }
+ length += lengthRequired;
+ availableSpace -= lengthRequired;
}
printf_stderr("%s\n", buffer);
diff --git a/js/xpconnect/src/XPCJSID.cpp b/js/xpconnect/src/XPCJSID.cpp
index b9cbee7be..1e14c1bdf 100644
--- a/js/xpconnect/src/XPCJSID.cpp
+++ b/js/xpconnect/src/XPCJSID.cpp
@@ -456,27 +456,26 @@ nsJSIID::Enumerate(nsIXPConnectWrappedNative* wrapper,
static nsresult
FindObjectForHasInstance(JSContext* cx, HandleObject objArg, MutableHandleObject target)
{
+ using namespace mozilla::jsipc;
RootedObject obj(cx, objArg), proto(cx);
-
- while (obj && !IS_WN_REFLECTOR(obj) &&
- !IsDOMObject(obj) && !mozilla::jsipc::IsCPOW(obj))
- {
- if (js::IsWrapper(obj)) {
- obj = js::CheckedUnwrap(obj, /* stopAtWindowProxy = */ false);
- continue;
+ while (true) {
+ // Try the object, or the wrappee if allowed.
+ JSObject* o = js::IsWrapper(obj) ? js::CheckedUnwrap(obj, false) : obj;
+ if (o && (IS_WN_REFLECTOR(o) || IsDOMObject(o) || IsCPOW(o))) {
+ target.set(o);
+ return NS_OK;
}
- {
- JSAutoCompartment ac(cx, obj);
- if (!js::GetObjectProto(cx, obj, &proto))
- return NS_ERROR_FAILURE;
+ // Walk the prototype chain from the perspective of the callee (i.e.
+ // respecting Xrays if they exist).
+ if (!js::GetObjectProto(cx, obj, &proto))
+ return NS_ERROR_FAILURE;
+ if (!proto) {
+ target.set(nullptr);
+ return NS_OK;
}
-
obj = proto;
}
-
- target.set(obj);
- return NS_OK;
}
nsresult