From 0b5cb08596f57d5c56003734e6b35aca26e71fad Mon Sep 17 00:00:00 2001
From: Henri Sivonen
Date: Tue, 27 Mar 2018 15:22:31 -0400
Subject: Bug 1443891. r=emk, a=RyanVM
MozReview-Commit-ID: AkUTNnVslMf
---
 intl/uconv/nsScriptableUConv.cpp | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)
(limited to 'intl/uconv')
diff --git a/intl/uconv/nsScriptableUConv.cpp b/intl/uconv/nsScriptableUConv.cpp
index 7d4e932e2..43889ffa2 100644
--- a/intl/uconv/nsScriptableUConv.cpp
+++ b/intl/uconv/nsScriptableUConv.cpp
@@ -11,6 +11,7 @@
 #include "nsIUnicodeDecoder.h"
 #include "nsIUnicodeEncoder.h"
 #include "mozilla/dom/EncodingUtils.h"
+#include "mozilla/CheckedInt.h"
 using mozilla::dom::EncodingUtils;
@@ -39,7 +40,12 @@ nsScriptableUnicodeConverter::ConvertFromUnicodeWithLength(const nsAString& aSrc
 const nsAFlatString& flatSrc = PromiseFlatString(aSrc);
 rv = mEncoder->GetMaxLength(flatSrc.get(), inLength, aOutLen);
 if (NS_SUCCEEDED(rv)) {
- *_retval = (char*)malloc(*aOutLen+1);
+ mozilla::CheckedInt needed(*aOutLen);
+ needed += 1;
+ if (!needed.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ *_retval = (char*)malloc(needed.value());
 if (!*_retval) return NS_ERROR_OUT_OF_MEMORY;
@@ -145,7 +151,13 @@ nsScriptableUnicodeConverter::ConvertFromByteArray(const uint8_t* aData,
 inLength, &outLength);
 if (NS_SUCCEEDED(rv)) {
- char16_t* buf = (char16_t*)malloc((outLength+1) * sizeof(char16_t));
+ mozilla::CheckedInt needed(outLength);
+ needed += 1;
+ needed *= sizeof(char16_t);
+ if (!needed.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+ char16_t* buf = (char16_t*)malloc(needed.value());
 if (!buf) return NS_ERROR_OUT_OF_MEMORY;
--
cgit v1.2.3
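Review bot: In ConvertFromUnicodeWithLength, whether the new guard rejects a negative length depends on the element type given to `mozilla::CheckedInt`, and that template argument is not visible in this rendering of the patch (`mozilla::CheckedInt needed(*aOutLen);`). If the length is a signed type (its declaration is outside the hunk), an unsigned element type makes a negative GetMaxLength() result invalid, whereas a signed one would let -1 pass as a valid zero-byte allocation. The same applies to `needed(outLength)` in ConvertFromByteArray. I would spell the type explicitly as unsigned, e.g. `mozilla::CheckedInt<size_t> needed(*aOutLen);`, or add `if (*aOutLen < 0) return NS_ERROR_FAILURE;` before the computation. Both function bodies continue outside the hunks, so the later uses of the length cannot be checked from here.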
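Review bot: The reason for the checked arithmetic in ConvertFromByteArray is not recorded anywhere a maintainer will see it, since the commit message carries only a bug number and reviewer tags. A short comment above the computation would keep the guard from being simplified back into a plain expression, for example `// Checked: (outLength + 1) * sizeof(char16_t) must not wrap before it reaches malloc().` The same kind of comment fits the `needed += 1` site in ConvertFromUnicodeWithLength.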