summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@gmail.com>2018-12-01 12:05:45 +0100
committerwolfbeast <mcwerewolf@gmail.com>2018-12-01 12:05:45 +0100
commitf8e83e7e6dacb7fe00ccb52f62af634bc05dbdfc (patch)
tree0d8838f0ffb9c6602029129c28992e0ec6d88a7e
parentd7bb175713020feba859d4a769d632db2946e6ef (diff)
downloadUXP-f8e83e7e6dacb7fe00ccb52f62af634bc05dbdfc.tar
UXP-f8e83e7e6dacb7fe00ccb52f62af634bc05dbdfc.tar.gz
UXP-f8e83e7e6dacb7fe00ccb52f62af634bc05dbdfc.tar.lz
UXP-f8e83e7e6dacb7fe00ccb52f62af634bc05dbdfc.tar.xz
UXP-f8e83e7e6dacb7fe00ccb52f62af634bc05dbdfc.zip
Limit the CSS string length for resolved variables to sane values.
This resolves #891
-rw-r--r--layout/style/nsCSSParser.cpp9
1 files changed, 9 insertions, 0 deletions
diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index b361cf0c2..33e5fe56d 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
@@ -1549,6 +1549,9 @@ protected:
// All data from successfully parsed properties are placed into |mData|.
nsCSSExpandedDataBlock mData;
+
+ // Value to make sure our resolved variable results stay within sane limits.
+ const int32_t MAX_CSS_VAR_LENGTH = 10240;
public:
// Used from nsCSSParser constructors and destructors
@@ -2802,6 +2805,12 @@ CSSParserImpl::ResolveValueWithVariableReferencesRec(
// Invalid variable with no fallback.
return false;
}
+ // Make sure we are still using sane sizes for value and
+ // variableValue, and abort if OOB.
+ if (value.Length() > MAX_CSS_VAR_LENGTH ||
+ variableValue.Length() > MAX_CSS_VAR_LENGTH) {
+ return false;
+ }
// Valid variable with no fallback.
AppendTokens(value, valueFirstToken, valueLastToken,
varFirstToken, varLastToken, variableValue);