summaryrefslogtreecommitdiffstats
path: root/intl/uconv/nsScriptableUConv.cpp
diff options
context:
space:
mode:
authorHenri Sivonen <hsivonen@hsivonen.fi>2018-03-27 15:22:31 -0400
committerwolfbeast <mcwerewolf@gmail.com>2018-04-19 11:32:08 +0200
commit0b5cb08596f57d5c56003734e6b35aca26e71fad (patch)
treeb9b6ce91d742c7c51a6a4d3b466e0a79af5aab59 /intl/uconv/nsScriptableUConv.cpp
parentba71cc45fef6dfaecef8f5edf65ce1f1ff457624 (diff)
downloadUXP-0b5cb08596f57d5c56003734e6b35aca26e71fad.tar
UXP-0b5cb08596f57d5c56003734e6b35aca26e71fad.tar.gz
UXP-0b5cb08596f57d5c56003734e6b35aca26e71fad.tar.lz
UXP-0b5cb08596f57d5c56003734e6b35aca26e71fad.tar.xz
UXP-0b5cb08596f57d5c56003734e6b35aca26e71fad.zip
Bug 1443891. r=emk, a=RyanVM
MozReview-Commit-ID: AkUTNnVslMf
Diffstat (limited to 'intl/uconv/nsScriptableUConv.cpp')
-rw-r--r--intl/uconv/nsScriptableUConv.cpp16
1 files changed, 14 insertions, 2 deletions
diff --git a/intl/uconv/nsScriptableUConv.cpp b/intl/uconv/nsScriptableUConv.cpp
index 7d4e932e2..43889ffa2 100644
--- a/intl/uconv/nsScriptableUConv.cpp
+++ b/intl/uconv/nsScriptableUConv.cpp
@@ -11,6 +11,7 @@
#include "nsIUnicodeDecoder.h"
#include "nsIUnicodeEncoder.h"
#include "mozilla/dom/EncodingUtils.h"
+#include "mozilla/CheckedInt.h"
using mozilla::dom::EncodingUtils;
@@ -39,7 +40,12 @@ nsScriptableUnicodeConverter::ConvertFromUnicodeWithLength(const nsAString& aSrc
const nsAFlatString& flatSrc = PromiseFlatString(aSrc);
rv = mEncoder->GetMaxLength(flatSrc.get(), inLength, aOutLen);
if (NS_SUCCEEDED(rv)) {
- *_retval = (char*)malloc(*aOutLen+1);
+ mozilla::CheckedInt<int32_t> needed(*aOutLen);
+ needed += 1;
+ if (!needed.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ *_retval = (char*)malloc(needed.value());
if (!*_retval)
return NS_ERROR_OUT_OF_MEMORY;
@@ -145,7 +151,13 @@ nsScriptableUnicodeConverter::ConvertFromByteArray(const uint8_t* aData,
inLength, &outLength);
if (NS_SUCCEEDED(rv))
{
- char16_t* buf = (char16_t*)malloc((outLength+1) * sizeof(char16_t));
+ mozilla::CheckedInt<nsACString::size_type> needed(outLength);
+ needed += 1;
+ needed *= sizeof(char16_t);
+ if (!needed.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ char16_t* buf = (char16_t*)malloc(needed.value());
if (!buf)
return NS_ERROR_OUT_OF_MEMORY;