From 835749ed6d411f006fe9d90ba7479233dcfe8ec7 Mon Sep 17 00:00:00 2001
From: Pale Moon <git-repo@palemoon.org>
Date: Sat, 5 May 2018 12:20:42 +0200
Subject: Perform some sanity checks on nsMozIconURI.

---
 image/decoders/icon/nsIconURI.cpp | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'image/decoders/icon')

diff --git a/image/decoders/icon/nsIconURI.cpp b/image/decoders/icon/nsIconURI.cpp
index 632a733fe..473ded218 100644
--- a/image/decoders/icon/nsIconURI.cpp
+++ b/image/decoders/icon/nsIconURI.cpp
@@ -688,7 +688,17 @@ nsMozIconURI::Deserialize(const URIParams& aParams)
   mContentType = params.contentType();
   mFileName = params.fileName();
   mStockIcon = params.stockIcon();
+
+  if (params.iconSize() < -1 ||
+      params.iconSize() >= (int32_t) ArrayLength(kSizeStrings)) {
+    return false;
+  }
   mIconSize = params.iconSize();
+
+  if (params.iconState() < -1 ||
+      params.iconState() >= (int32_t) ArrayLength(kStateStrings)) {
+    return false;
+  }
   mIconState = params.iconState();
 
   return true;
-- 
cgit v1.2.3