Sanity-check in nsStandardURL::Deserialize(). r=mayhemer, a=RyanVM

Also add test for faulty nsStandardURL deserialization.

See Bug 1392739.

2 files changed, 19 insertions, 1 deletions

diff --git a/netwerk/base/nsStandardURL.cpp b/netwerk/base/nsStandardURL.cpp
index e2a290e4d..dff4ecbc0 100644
--- a/netwerk/base/nsStandardURL.cpp
+++ b/netwerk/base/nsStandardURL.cpp
@@ -3455,8 +3455,10 @@ FromIPCSegment(const nsACString& aSpec, const ipc::StandardURLSegment& aSegment,
         return false;
     }
 
+    CheckedInt<uint32_t> segmentLen = aSegment.position();
+    segmentLen += aSegment.length();
     // Make sure the segment does not extend beyond the spec.
-    if (NS_WARN_IF(aSegment.position() + aSegment.length() > aSpec.Length())) {
+    if (NS_WARN_IF(!segmentLen.isValid() || segmentLen.value() > aSpec.Length())) {
         return false;
     }
 
diff --git a/netwerk/test/gtest/TestStandardURL.cpp b/netwerk/test/gtest/TestStandardURL.cpp
index ccab556a9..a013f351c 100644
--- a/netwerk/test/gtest/TestStandardURL.cpp
+++ b/netwerk/test/gtest/TestStandardURL.cpp
@@ -4,8 +4,11 @@
 #include "nsCOMPtr.h"
 #include "nsNetCID.h"
 #include "nsIURL.h"
+#include "nsIStandardURL.h"
 #include "nsString.h"
 #include "nsComponentManagerUtils.h"
+#include "nsIIPCSerializableURI.h"
+#include "mozilla/ipc/URIUtils.h"
 
 TEST(TestStandardURL, Simple) {
     nsCOMPtr<nsIURL> url( do_CreateInstance(NS_STANDARDURL_CONTRACTID) );
@@ -67,3 +70,16 @@ MOZ_GTEST_BENCH(TestStandardURL, Perf, [] {
         url->GetRef(out);
     }
 });
+
+TEST(TestStandardURL, Deserialize_Bug1392739)
+{
+  mozilla::ipc::StandardURLParams standard_params;
+  standard_params.urlType() = nsIStandardURL::URLTYPE_STANDARD;
+  standard_params.spec() = NS_LITERAL_CSTRING("");
+  standard_params.host() = mozilla::ipc::StandardURLSegment(4294967295, 1);
+
+  mozilla::ipc::URIParams params(standard_params);
+
+  nsCOMPtr<nsIIPCSerializableURI> url = do_CreateInstance(NS_STANDARDURL_CID);
+  ASSERT_EQ(url->Deserialize(params), false);
+}