summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-01-28 10:25:49 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-02-08 12:53:40 +0100
commitacbd84f5741451d67e0fbaa3b85fdafc85dab5f9 (patch)
tree17539cacb7e8dc90f85bf76e9a8c8bf0653b7d6a
parentb62fce0dc0c77a5788c331db32b3996e4020e2a5 (diff)
downloadUXP-acbd84f5741451d67e0fbaa3b85fdafc85dab5f9.tar
UXP-acbd84f5741451d67e0fbaa3b85fdafc85dab5f9.tar.gz
UXP-acbd84f5741451d67e0fbaa3b85fdafc85dab5f9.tar.lz
UXP-acbd84f5741451d67e0fbaa3b85fdafc85dab5f9.tar.xz
UXP-acbd84f5741451d67e0fbaa3b85fdafc85dab5f9.zip
Check for integer overflow in AesTask::DoCrypto() (DiD)
After calling mResult.SetLength(mData.Length() + 16) we should check that the integer addition didn't overflow. It seems at the moment impossible to create ArrayBuffers of size >= 0x0xfffffff0, however adding a check here doesn't hurt. mResult.Length() is passed to the PK11 API functions as a maxOut parameter and should be checked by the softoken crypto algorithm implementations. AES-ECB and AES-GCM seem to do that correctly.
-rw-r--r--dom/crypto/WebCryptoTask.cpp5
1 files changed, 5 insertions, 0 deletions
diff --git a/dom/crypto/WebCryptoTask.cpp b/dom/crypto/WebCryptoTask.cpp
index 57a7da186..f5fc7b5bc 100644
--- a/dom/crypto/WebCryptoTask.cpp
+++ b/dom/crypto/WebCryptoTask.cpp
@@ -716,6 +716,11 @@ private:
return NS_ERROR_DOM_INVALID_ACCESS_ERR;
}
+ // Check whether the integer addition would overflow.
+ if (std::numeric_limits<CryptoBuffer::size_type>::max() - 16 < mData.Length()) {
+ return NS_ERROR_DOM_DATA_ERR;
+ }
+
// Initialize the output buffer (enough space for padding / a full tag)
uint32_t dataLen = mData.Length();
uint32_t maxLen = dataLen + 16;