Merge branch 'master' into Pale_Moon-release

# Conflicts:
#	application/palemoon/components/feeds/FeedWriter.js
#	application/palemoon/config/version.txt
#	security/manager/ssl/nsSTSPreloadList.errors
#	security/manager/ssl/nsSTSPreloadList.inc

1 files changed, 9 insertions, 0 deletions

diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index b361cf0c2..736c66f87 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
@@ -1549,6 +1549,9 @@ protected:
 
   // All data from successfully parsed properties are placed into |mData|.
   nsCSSExpandedDataBlock mData;
+  
+  // Value to make sure our resolved variable results stay within sane limits.
+  const uint32_t MAX_CSS_VAR_LENGTH = 10240;
 
 public:
   // Used from nsCSSParser constructors and destructors
@@ -2802,6 +2805,12 @@ CSSParserImpl::ResolveValueWithVariableReferencesRec(
               // Invalid variable with no fallback.
               return false;
             }
+            // Make sure we are still using sane sizes for value and
+            // variableValue, and abort if OOB.
+            if (value.Length() > MAX_CSS_VAR_LENGTH ||
+                variableValue.Length() > MAX_CSS_VAR_LENGTH) {
+              return false;
+            }
             // Valid variable with no fallback.
             AppendTokens(value, valueFirstToken, valueLastToken,
                          varFirstToken, varLastToken, variableValue);