From bd819cc43653220abdbfe040ba5c721e9861241c Mon Sep 17 00:00:00 2001
From: Henri Sivonen
Date: Wed, 28 Feb 2018 14:09:26 -0500
Subject: Bug 1440926 - Use overflow-checking math when computing Big5 max length. r=emk, a=RyanVM
MozReview-Commit-ID: 1Gney5cYyhu
---
 intl/uconv/ucvtw/nsBIG5ToUnicode.cpp | 12 +++++++++++-
 intl/uconv/ucvtw/nsUnicodeToBIG5.cpp | 21 +++++++++++++++------
 2 files changed, 26 insertions(+), 7 deletions(-)
(limited to 'intl/uconv/ucvtw')
diff --git a/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp b/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp
index 8dbf84a14..b07df3d76 100644
--- a/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp
+++ b/intl/uconv/ucvtw/nsBIG5ToUnicode.cpp
@@ -152,7 +152,17 @@ nsBIG5ToUnicode::GetMaxLength(const char* aSrc,
 {
 // The length of the output in UTF-16 code units never exceeds the length
 // of the input in bytes.
- *aDestLength = aSrcLength + (mPendingTrail ? 1 : 0) + (mBig5Lead ? 1 : 0);
+ mozilla::CheckedInt32 length = aSrcLength;
+ if (mPendingTrail) {
+ length += 1;
+ }
+ if (mBig5Lead) {
+ length += 1;
+ }
+ if (!length.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ *aDestLength = length.value();
 return NS_OK;
 }
diff --git a/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp b/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp
index c3c9658df..b30be2f9b 100644
--- a/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp
+++ b/intl/uconv/ucvtw/nsUnicodeToBIG5.cpp
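Review bot: In nsBIG5ToUnicode::GetMaxLength the overflow branch returns `NS_ERROR_OUT_OF_MEMORY` before anything is stored through `aDestLength`, so a caller that ignores the nsresult would size its buffer from whatever the variable held before the call. The callers are outside this patch, so whether any of them skips the check cannot be confirmed from here. Writing a fail-safe value on the error path removes that dependency: add `*aDestLength = 0;` immediately before `return NS_ERROR_OUT_OF_MEMORY;`. The same applies to the identical branch in nsUnicodeToBIG5::GetMaxLength in the second hunk. The parameter list of this function sits above the hunk and is not shown.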
@@ -211,12 +211,21 @@ nsUnicodeToBIG5::GetMaxLength(const char16_t* aSrc,
 int32_t aSrcLength,
 int32_t* aDestLength)
 {
- *aDestLength = (aSrcLength * 2) +
- (mPendingTrail ? 1 : 0) +
- // If the lead ends up being paired, the bytes produced
- // are already included above.
- // If not, it produces a single '?'.
- (mUtf16Lead ? 1 : 0);
+ mozilla::CheckedInt32 length = aSrcLength;
+ length *= 2;
+ if (mPendingTrail) {
+ length += 1;
+ }
+ // If the lead ends up being paired, the bytes produced
+ // are already included above.
+ // If not, it produces a single '?'.
+ if (mUtf16Lead) {
+ length += 1;
+ }
+ if (!length.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ *aDestLength = length.value();
 return NS_OK;
 }
-- cgit v1.2.3
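Review bot: `CheckedInt32` in nsUnicodeToBIG5::GetMaxLength only detects arithmetic overflow, so a negative `aSrcLength` (declared as signed `int32_t` in the context lines) still passes `isValid()` and is stored in `*aDestLength` as a negative length. Whether any caller can pass a negative count is not visible in this patch. If the contract is non-negative, enforcing it at the top of the body makes the bound explicit: `if (aSrcLength < 0) { return NS_ERROR_INVALID_ARG; }`. The first line of the signature appears only in the hunk header.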