commit b1f011d993b4a00db2cb50c49dea38ec5188fdb0 Author: Mike Perry mikeperry-git@torproject.org Date: Thu Aug 28 16:04:57 2014 -0700
Backport two integer overflow patches.
https://hg.mozilla.org/mozilla-central/rev/14ad832ecbcd https://hg.mozilla.org/mozilla-central/rev/c00387255d25
https://bugzilla.mozilla.org/show_bug.cgi?id=922603 https://bugzilla.mozilla.org/show_bug.cgi?id=811122 --- image/src/imgFrame.cpp | 10 +++------- js/src/vm/Interpreter-inl.h | 8 ++------ 2 files changed, 5 insertions(+), 13 deletions(-)
diff --git a/image/src/imgFrame.cpp b/image/src/imgFrame.cpp index c1b4022..33d1b3a 100644 --- a/image/src/imgFrame.cpp +++ b/image/src/imgFrame.cpp @@ -19,6 +19,7 @@ static bool gDisableOptimize = false; #include "cairo.h" #include "GeckoProfiler.h" #include "mozilla/Likely.h" +#include "mozilla/CheckedInt.h"
#if defined(XP_WIN)
@@ -54,13 +55,8 @@ static bool AllowedImageSize(int32_t aWidth, int32_t aHeight) }
// check to make sure we don't overflow a 32-bit - int32_t tmp = aWidth * aHeight; - if (MOZ_UNLIKELY(tmp / aHeight != aWidth)) { - NS_WARNING("width or height too large"); - return false; - } - tmp = tmp * 4; - if (MOZ_UNLIKELY(tmp / 4 != aWidth * aHeight)) { + CheckedInt32 requiredBytes = CheckedInt32(aWidth) * CheckedInt32(aHeight) * 4; + if (MOZ_UNLIKELY(!requiredBytes.isValid())) { NS_WARNING("width or height too large"); return false; } diff --git a/js/src/vm/Interpreter-inl.h b/js/src/vm/Interpreter-inl.h index b5818e4..0a665d1 100644 --- a/js/src/vm/Interpreter-inl.h +++ b/js/src/vm/Interpreter-inl.h @@ -368,13 +368,9 @@ AddOperation(JSContext *cx, HandleScript script, jsbytecode *pc, { if (lhs.isInt32() && rhs.isInt32()) { int32_t l = lhs.toInt32(), r = rhs.toInt32(); - int32_t sum = l + r; - if (JS_UNLIKELY(bool((l ^ sum) & (r ^ sum) & 0x80000000))) { - res->setDouble(double(l) + double(r)); + double d = double(l) + double(r); + if (!res->setNumber(d)) types::TypeScript::MonitorOverflow(cx, script, pc); - } else { - res->setInt32(sum); - } return true; }