authorwolfbeast <mcwerewolf@gmail.com>2017-06-20 17:50:15 +0200
committerwolfbeast <mcwerewolf@gmail.com>2018-02-05 15:52:58 +0100
commita54e46aeb5497ec0c54ec453e6e0b22b2b54792b (patch)
treef039dc21944278c3ea4895eab733ac55aab99a89
parente021cb5c71464de14aa332ec013501e9a37038f7 (diff)
Check for too large allocation size in BasicPlanarYCbCrImage::CopyData (DiD)
-rw-r--r--gfx/layers/basic/BasicImages.cpp9
1 files changed, 8 insertions, 1 deletions
diff --git a/gfx/layers/basic/BasicImages.cpp b/gfx/layers/basic/BasicImages.cpp
index ed9447207..fc1be6e9a 100644
--- a/gfx/layers/basic/BasicImages.cpp
+++ b/gfx/layers/basic/BasicImages.cpp
@@ -11,6 +11,7 @@
#include "gfxASurface.h" // for gfxASurface, etc
#include "gfxPlatform.h" // for gfxPlatform, gfxImageFormat
#include "gfxUtils.h" // for gfxUtils
+#include "mozilla/CheckedInt.h"
#include "mozilla/mozalloc.h" // for operator delete[], etc
#include "mozilla/RefPtr.h"
#include "mozilla/UniquePtr.h"
@@ -111,7 +112,13 @@ BasicPlanarYCbCrImage::CopyData(const Data& aData)
gfxImageFormat iFormat = gfx::SurfaceFormatToImageFormat(format);
mStride = gfxASurface::FormatStrideForWidth(iFormat, size.width);
- mDecodedBuffer = AllocateBuffer(size.height * mStride);
+ mozilla::CheckedInt32 requiredBytes =
+ mozilla::CheckedInt32(size.height) * mozilla::CheckedInt32(mStride);
+ if (!requiredBytes.isValid()) {
+ // invalid size
+ return false;
+ }
+ mDecodedBuffer = AllocateBuffer(requiredBytes.value());
if (!mDecodedBuffer) {
// out of memory
return false;
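Review bot: The new `isValid()` guard rejects only int32 overflow, so a product that is representable but zero or negative still reaches `AllocateBuffer(requiredBytes.value())`. `mStride` is taken straight from `FormatStrideForWidth`, and if that helper can report failure with a negative stride (not visible in this hunk), the negative byte count would be converted to whatever size type `AllocateBuffer` accepts. Assuming an empty image is not a valid input here, the check could be `if (!requiredBytes.isValid() || requiredBytes.value() <= 0) {`, with the comment widened to `// height * stride overflowed int32 or is not positive`. The body of `CopyData` starts and ends outside the hunk, so any earlier validation of `size` or `mStride` cannot be seen from here.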