From 0c5a41e89412fb441318327157abc75c670898d5 Mon Sep 17 00:00:00 2001
From: Moonchild <moonchild@palemoon.org>
Date: Thu, 9 Jul 2020 11:22:40 +0000
Subject: [image] Add a sanity check to JPEG encoder buffer handling, just in
 case.

---
 image/encoders/jpeg/nsJPEGEncoder.cpp | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

(limited to 'image')

diff --git a/image/encoders/jpeg/nsJPEGEncoder.cpp b/image/encoders/jpeg/nsJPEGEncoder.cpp
index 04cfef07b..e5835c295 100644
--- a/image/encoders/jpeg/nsJPEGEncoder.cpp
+++ b/image/encoders/jpeg/nsJPEGEncoder.cpp
@@ -8,6 +8,7 @@
 #include "nsString.h"
 #include "nsStreamUtils.h"
 #include "gfxColor.h"
+#include "mozilla/CheckedInt.h"
 
 #include <setjmp.h>
 #include "jerror.h"
@@ -430,10 +431,14 @@ nsJPEGEncoder::emptyOutputBuffer(jpeg_compress_struct* cinfo)
   that->mImageBufferUsed = that->mImageBufferSize;
 
   // expand buffer, just double size each time
-  that->mImageBufferSize *= 2;
+  uint8_t* newBuf = nullptr;
+  CheckedInt<uint32_t> bufSize =
+      CheckedInt<uint32_t>(that->mImageBufferSize) * 2;
+  if (bufSize.isValid()) {
+    that->mImageBufferSize = bufSize.value();
+    newBuf = (uint8_t*)realloc(that->mImageBuffer, that->mImageBufferSize);
+  }
 
-  uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer,
-                                      that->mImageBufferSize);
   if (!newBuf) {
     // can't resize, just zero (this will keep us from writing more)
     free(that->mImageBuffer);
-- 
cgit v1.2.3