From f8e83e7e6dacb7fe00ccb52f62af634bc05dbdfc Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Sat, 1 Dec 2018 12:05:45 +0100
Subject: Limit the CSS string length for resolved variables to sane values. This resolves #891
---
 layout/style/nsCSSParser.cpp | 9 +++++++++
 1 file changed, 9 insertions(+)
(limited to 'layout/style/nsCSSParser.cpp')
diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index b361cf0c2..33e5fe56d 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
@@ -1549,6 +1549,9 @@ protected:
 // All data from successfully parsed properties are placed into |mData|.
 nsCSSExpandedDataBlock mData;
+
+ // Value to make sure our resolved variable results stay within sane limits.
+ const int32_t MAX_CSS_VAR_LENGTH = 10240;
 public: // Used from nsCSSParser constructors and destructors
@@ -2802,6 +2805,12 @@ CSSParserImpl::ResolveValueWithVariableReferencesRec(
 // Invalid variable with no fallback.
 return false;
 }
+ // Make sure we are still using sane sizes for value and
+ // variableValue, and abort if OOB.
+ if (value.Length() > MAX_CSS_VAR_LENGTH ||
+ variableValue.Length() > MAX_CSS_VAR_LENGTH) {
+ return false;
+ }
 // Valid variable with no fallback.
 AppendTokens(value, valueFirstToken, valueLastToken, varFirstToken, varLastToken, variableValue);
-- 
cgit v1.2.3
From dfce7fa7b664815bbce363d252033094a0dfe843 Mon Sep 17 00:00:00 2001
From: wolfbeast
Date: Fri, 4 Jan 2019 16:03:13 +0100
Subject: Make MAX_CSS_VAR_LENGTH unsigned to avoid warnings. Follow-up for #891. Tag #457.
---
 layout/style/nsCSSParser.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'layout/style/nsCSSParser.cpp')
diff --git a/layout/style/nsCSSParser.cpp b/layout/style/nsCSSParser.cpp
index 33e5fe56d..736c66f87 100644
--- a/layout/style/nsCSSParser.cpp
+++ b/layout/style/nsCSSParser.cpp
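Review bot: `MAX_CSS_VAR_LENGTH` in the `@@ -1549,6 +1549,9 @@` hunk of the first commit is declared as a non-static `const` data member, so every parser instance carries its own copy of a value that never varies. Declaring it `static const uint32_t MAX_CSS_VAR_LENGTH = 10240;` keeps a single copy; the follow-up hunk at `@@ -1551,7 +1551,7 @@` changes only the type and leaves the member non-static. The comment could also name the unit and the purpose, for example `// Upper bound, in the units Length() reports, on a value built by variable substitution.` The class body starts and ends outside the hunk.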
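Review bot: The guard added in the `@@ -2802,6 +2805,12 @@` hunk of the first commit tests `value` and `variableValue` separately and runs before `AppendTokens`, so the string produced by this step can reach roughly twice `MAX_CSS_VAR_LENGTH` and is not re-checked here after the append. Bounding the combined length states the limit directly: `if (variableValue.Length() > MAX_CSS_VAR_LENGTH || value.Length() > MAX_CSS_VAR_LENGTH - variableValue.Length())`, where testing `variableValue` first keeps the subtraction from wrapping. The check sits only on the "valid variable with no fallback" path shown, and the function body starts and ends outside the hunk, so any other path that appends a resolved variable (not visible here) presumably needs the same guard. Returning `false` makes an over-long result look like any other invalid value; a short comment saying that this is intentional would help whoever debugs a dropped declaration.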
@@ -1551,7 +1551,7 @@ protected:
 nsCSSExpandedDataBlock mData;
 // Value to make sure our resolved variable results stay within sane limits.
- const int32_t MAX_CSS_VAR_LENGTH = 10240;
+ const uint32_t MAX_CSS_VAR_LENGTH = 10240;
 public: // Used from nsCSSParser constructors and destructors
-- 
cgit v1.2.3