[tbb-commits] [tor-browser/tor-browser-24.7.0esr-3.x-1] Backport two integer overflow patches.
mikeperry at torproject.org
mikeperry at torproject.org
Fri Aug 29 05:57:39 UTC 2014
commit d765da2ed5b5724a1adc4d8e73a552cbc0fe033d
Author: Mike Perry <mikeperry-git at torproject.org>
Date: Thu Aug 28 16:04:57 2014 -0700
Backport two integer overflow patches.
https://hg.mozilla.org/mozilla-central/rev/14ad832ecbcd
https://hg.mozilla.org/mozilla-central/rev/c00387255d25
https://bugzilla.mozilla.org/show_bug.cgi?id=922603
https://bugzilla.mozilla.org/show_bug.cgi?id=811122
---
image/src/imgFrame.cpp | 10 +++-------
js/src/vm/Interpreter-inl.h | 8 ++------
2 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/image/src/imgFrame.cpp b/image/src/imgFrame.cpp
index c1b4022..33d1b3a 100644
--- a/image/src/imgFrame.cpp
+++ b/image/src/imgFrame.cpp
@@ -19,6 +19,7 @@ static bool gDisableOptimize = false;
#include "cairo.h"
#include "GeckoProfiler.h"
#include "mozilla/Likely.h"
+#include "mozilla/CheckedInt.h"
#if defined(XP_WIN)
@@ -54,13 +55,8 @@ static bool AllowedImageSize(int32_t aWidth, int32_t aHeight)
}
// check to make sure we don't overflow a 32-bit
- int32_t tmp = aWidth * aHeight;
- if (MOZ_UNLIKELY(tmp / aHeight != aWidth)) {
- NS_WARNING("width or height too large");
- return false;
- }
- tmp = tmp * 4;
- if (MOZ_UNLIKELY(tmp / 4 != aWidth * aHeight)) {
+ CheckedInt32 requiredBytes = CheckedInt32(aWidth) * CheckedInt32(aHeight) * 4;
+ if (MOZ_UNLIKELY(!requiredBytes.isValid())) {
NS_WARNING("width or height too large");
return false;
}
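Review bot: The comment kept above the new check, `// check to make sure we don't overflow a 32-bit`, is cut off mid-sentence and does not say what quantity is being bounded, and the literal `4` in `CheckedInt32(aWidth) * CheckedInt32(aHeight) * 4` is unexplained (presumably bytes per pixel). I would reword it to `// aWidth * aHeight * 4 must fit in int32_t; CheckedInt is used because a raw signed multiply that overflows is undefined behaviour`. In the visible lines `requiredBytes` is only tested with `isValid()` and then dropped, so it is worth confirming that the code which later sizes the frame buffer cannot exceed this bound by redoing the multiplication unchecked; that code is not in this hunk. AllowedImageSize starts and ends outside the hunk, so the earlier range checks on aWidth and aHeight cannot be seen here.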
diff --git a/js/src/vm/Interpreter-inl.h b/js/src/vm/Interpreter-inl.h
index b5818e4..0a665d1 100644
--- a/js/src/vm/Interpreter-inl.h
+++ b/js/src/vm/Interpreter-inl.h
@@ -368,13 +368,9 @@ AddOperation(JSContext *cx, HandleScript script, jsbytecode *pc,
{
if (lhs.isInt32() && rhs.isInt32()) {
int32_t l = lhs.toInt32(), r = rhs.toInt32();
- int32_t sum = l + r;
- if (JS_UNLIKELY(bool((l ^ sum) & (r ^ sum) & 0x80000000))) {
- res->setDouble(double(l) + double(r));
+ double d = double(l) + double(r);
+ if (!res->setNumber(d))
types::TypeScript::MonitorOverflow(cx, script, pc);
- } else {
- res->setInt32(sum);
- }
return true;
}
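Review bot: The overflow path now hinges entirely on the return value of `res->setNumber(d)`, and nothing at the call site says what `false` means, so the next reader cannot tell why `MonitorOverflow` is called on it. From the way it is used, `setNumber` appears to return false when the value had to be stored as a double rather than an int32; a comment such as `// int32 + int32 is exact in double; setNumber() returns false when the sum does not fit in int32` above the `if` would pin that contract. Since the old braced `if`/`else` became a single unbraced statement, I would also keep the braces: `if (!res->setNumber(d)) { types::TypeScript::MonitorOverflow(cx, script, pc); }`. AddOperation's body continues outside the hunk.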