diff options
-rw-r--r-- | dom/crypto/WebCryptoTask.cpp | 5 | ||||
-rw-r--r-- | dom/indexedDB/ActorsParent.cpp | 12 | ||||
-rw-r--r-- | gfx/layers/composite/FPSCounter.cpp | 27 | ||||
-rw-r--r-- | js/xpconnect/src/XPCJSID.cpp | 29 |
4 files changed, 50 insertions, 23 deletions
diff --git a/dom/crypto/WebCryptoTask.cpp b/dom/crypto/WebCryptoTask.cpp index 57a7da186..f5fc7b5bc 100644 --- a/dom/crypto/WebCryptoTask.cpp +++ b/dom/crypto/WebCryptoTask.cpp @@ -716,6 +716,11 @@ private: return NS_ERROR_DOM_INVALID_ACCESS_ERR; } + // Check whether the integer addition would overflow. + if (std::numeric_limits<CryptoBuffer::size_type>::max() - 16 < mData.Length()) { + return NS_ERROR_DOM_DATA_ERR; + } + // Initialize the output buffer (enough space for padding / a full tag) uint32_t dataLen = mData.Length(); uint32_t maxLen = dataLen + 16; diff --git a/dom/indexedDB/ActorsParent.cpp b/dom/indexedDB/ActorsParent.cpp index 702d5c985..c0cb69149 100644 --- a/dom/indexedDB/ActorsParent.cpp +++ b/dom/indexedDB/ActorsParent.cpp @@ -7,6 +7,7 @@ #include "ActorsParent.h" #include <algorithm> +#include <stdint.h> // UINTPTR_MAX, uintptr_t #include "FileInfo.h" #include "FileManager.h" #include "IDBObjectStore.h" @@ -859,6 +860,11 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData, "ReadCompressedIndexDataValuesFromBlob", js::ProfileEntry::Category::STORAGE); + if (uintptr_t(aBlobData) > UINTPTR_MAX - aBlobDataLength) { + IDB_REPORT_INTERNAL_ERR(); + return NS_ERROR_FILE_CORRUPTED; + } + const uint8_t* blobDataIter = aBlobData; const uint8_t* blobDataEnd = aBlobData + aBlobDataLength; @@ -878,7 +884,8 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData, if (NS_WARN_IF(blobDataIter == blobDataEnd) || NS_WARN_IF(keyBufferLength > uint64_t(UINT32_MAX)) || - NS_WARN_IF(blobDataIter + keyBufferLength > blobDataEnd)) { + NS_WARN_IF(keyBufferLength > uintptr_t(blobDataEnd)) || + NS_WARN_IF(blobDataIter > blobDataEnd - keyBufferLength)) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_FILE_CORRUPTED; } @@ -896,7 +903,8 @@ ReadCompressedIndexDataValuesFromBlob(const uint8_t* aBlobData, if (sortKeyBufferLength > 0) { if (NS_WARN_IF(blobDataIter == blobDataEnd) || NS_WARN_IF(sortKeyBufferLength > uint64_t(UINT32_MAX)) || - NS_WARN_IF(blobDataIter + sortKeyBufferLength > blobDataEnd)) { + NS_WARN_IF(sortKeyBufferLength > uintptr_t(blobDataEnd)) || + NS_WARN_IF(blobDataIter > blobDataEnd - sortKeyBufferLength)) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_FILE_CORRUPTED; } diff --git a/gfx/layers/composite/FPSCounter.cpp b/gfx/layers/composite/FPSCounter.cpp index 02ffc4b2c..b8e93eb97 100644 --- a/gfx/layers/composite/FPSCounter.cpp +++ b/gfx/layers/composite/FPSCounter.cpp @@ -210,7 +210,10 @@ FPSCounter::WriteFrameTimeStamps(PRFileDesc* fd) const int bufferSize = 256; char buffer[bufferSize]; int writtenCount = SprintfLiteral(buffer, "FPS Data for: %s\n", mFPSName); - MOZ_ASSERT(writtenCount >= 0); + MOZ_ASSERT(writtenCount < bufferSize); + if (writtenCount >= bufferSize) { + return; + } PR_Write(fd, buffer, writtenCount); ResetReverseIterator(); @@ -225,8 +228,10 @@ FPSCounter::WriteFrameTimeStamps(PRFileDesc* fd) while (HasNext(startTimeStamp)) { TimeDuration duration = previousSample - nextTimeStamp; writtenCount = SprintfLiteral(buffer, "%f,\n", duration.ToMilliseconds()); - - MOZ_ASSERT(writtenCount >= 0); + MOZ_ASSERT(writtenCount < bufferSize); + if (writtenCount >= bufferSize) { + continue; + } PR_Write(fd, buffer, writtenCount); previousSample = nextTimeStamp; @@ -299,8 +304,13 @@ FPSCounter::PrintFPS() void FPSCounter::PrintHistogram(std::map<int, int>& aHistogram) { + if (aHistogram.size() == 0) { + return; + } + int length = 0; const int kBufferLength = 512; + int availableSpace = kBufferLength; char buffer[kBufferLength]; for (std::map<int, int>::iterator iter = aHistogram.begin(); @@ -309,9 +319,14 @@ FPSCounter::PrintHistogram(std::map<int, int>& aHistogram) int fps = iter->first; int count = iter->second; - length += snprintf(buffer + length, kBufferLength - length, - "FPS: %d = %d. ", fps, count); - NS_ASSERTION(length >= kBufferLength, "Buffer overrun while printing FPS histogram."); + int lengthRequired = snprintf(buffer + length, availableSpace, + "FPS: %d = %d. ", fps, count); + // Ran out of buffer space. Oh well - just print what we have. + if (lengthRequired > availableSpace) { + break; + } + length += lengthRequired; + availableSpace -= lengthRequired; } printf_stderr("%s\n", buffer); diff --git a/js/xpconnect/src/XPCJSID.cpp b/js/xpconnect/src/XPCJSID.cpp index b9cbee7be..1e14c1bdf 100644 --- a/js/xpconnect/src/XPCJSID.cpp +++ b/js/xpconnect/src/XPCJSID.cpp @@ -456,27 +456,26 @@ nsJSIID::Enumerate(nsIXPConnectWrappedNative* wrapper, static nsresult FindObjectForHasInstance(JSContext* cx, HandleObject objArg, MutableHandleObject target) { + using namespace mozilla::jsipc; RootedObject obj(cx, objArg), proto(cx); - - while (obj && !IS_WN_REFLECTOR(obj) && - !IsDOMObject(obj) && !mozilla::jsipc::IsCPOW(obj)) - { - if (js::IsWrapper(obj)) { - obj = js::CheckedUnwrap(obj, /* stopAtWindowProxy = */ false); - continue; + while (true) { + // Try the object, or the wrappee if allowed. + JSObject* o = js::IsWrapper(obj) ? js::CheckedUnwrap(obj, false) : obj; + if (o && (IS_WN_REFLECTOR(o) || IsDOMObject(o) || IsCPOW(o))) { + target.set(o); + return NS_OK; } - { - JSAutoCompartment ac(cx, obj); - if (!js::GetObjectProto(cx, obj, &proto)) - return NS_ERROR_FAILURE; + // Walk the prototype chain from the perspective of the callee (i.e. + // respecting Xrays if they exist). + if (!js::GetObjectProto(cx, obj, &proto)) + return NS_ERROR_FAILURE; + if (!proto) { + target.set(nullptr); + return NS_OK; } - obj = proto; } - - target.set(obj); - return NS_OK; } nsresult |