diff options
| -rw-r--r-- | layout/style/nsCSSParser.cpp | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp index b361cf0c2..33e5fe56d 100644 --- a/layout/style/nsCSSParser.cpp +++ b/layout/style/nsCSSParser.cpp @@ -1549,6 +1549,9 @@ protected: // All data from successfully parsed properties are placed into |mData|. nsCSSExpandedDataBlock mData; + + // Value to make sure our resolved variable results stay within sane limits. + const int32_t MAX_CSS_VAR_LENGTH = 10240; public: // Used from nsCSSParser constructors and destructors @@ -2802,6 +2805,12 @@ CSSParserImpl::ResolveValueWithVariableReferencesRec( // Invalid variable with no fallback. return false; } + // Make sure we are still using sane sizes for value and + // variableValue, and abort if OOB. + if (value.Length() > MAX_CSS_VAR_LENGTH || + variableValue.Length() > MAX_CSS_VAR_LENGTH) { + return false; + } // Valid variable with no fallback. AppendTokens(value, valueFirstToken, valueLastToken, varFirstToken, varLastToken, variableValue); |