[tbb-commits] [tor-browser/tor-browser-24.7.0esr-4.x-2] Backport two integer overflow patches.

mikeperry at torproject.org mikeperry at torproject.org
Thu Aug 28 23:11:30 UTC 2014


commit b1f011d993b4a00db2cb50c49dea38ec5188fdb0
Author: Mike Perry <mikeperry-git at torproject.org>
Date:   Thu Aug 28 16:04:57 2014 -0700

    Backport two integer overflow patches.
    
    https://hg.mozilla.org/mozilla-central/rev/14ad832ecbcd
    https://hg.mozilla.org/mozilla-central/rev/c00387255d25
    
    https://bugzilla.mozilla.org/show_bug.cgi?id=922603
    https://bugzilla.mozilla.org/show_bug.cgi?id=811122
---
 image/src/imgFrame.cpp      |   10 +++-------
 js/src/vm/Interpreter-inl.h |    8 ++------
 2 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/image/src/imgFrame.cpp b/image/src/imgFrame.cpp
index c1b4022..33d1b3a 100644
--- a/image/src/imgFrame.cpp
+++ b/image/src/imgFrame.cpp
@@ -19,6 +19,7 @@ static bool gDisableOptimize = false;
 #include "cairo.h"
 #include "GeckoProfiler.h"
 #include "mozilla/Likely.h"
+#include "mozilla/CheckedInt.h"
 
 #if defined(XP_WIN)
 
@@ -54,13 +55,8 @@ static bool AllowedImageSize(int32_t aWidth, int32_t aHeight)
   }
 
   // check to make sure we don't overflow a 32-bit
-  int32_t tmp = aWidth * aHeight;
-  if (MOZ_UNLIKELY(tmp / aHeight != aWidth)) {
-    NS_WARNING("width or height too large");
-    return false;
-  }
-  tmp = tmp * 4;
-  if (MOZ_UNLIKELY(tmp / 4 != aWidth * aHeight)) {
+  CheckedInt32 requiredBytes = CheckedInt32(aWidth) * CheckedInt32(aHeight) * 4;
+  if (MOZ_UNLIKELY(!requiredBytes.isValid())) {
     NS_WARNING("width or height too large");
     return false;
   }
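Review bot: The new `requiredBytes` check on the `CheckedInt32(aWidth) * CheckedInt32(aHeight) * 4` line only rejects arithmetic overflow, so a negative width or height can still pass it (e.g. -1 * 1 * 4 is a valid CheckedInt32) and the function would then report the size as allowed. The lines before this hunk (the `}` at its top closes an earlier test, and the old code divided by `aHeight`, so zero at least must have been excluded) presumably reject non-positive dimensions already — confirm that, otherwise add `if (aWidth <= 0 || aHeight <= 0) return false;` ahead of the multiplication. Since `requiredBytes` is only tested for validity and never used, the comment above it should say what the bound is: `// Frames are presumably allocated at 4 bytes per pixel; reject any size whose byte count would not fit an int32_t (each partial product is overflow-checked).` AllowedImageSize starts before this hunk.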
diff --git a/js/src/vm/Interpreter-inl.h b/js/src/vm/Interpreter-inl.h
index b5818e4..0a665d1 100644
--- a/js/src/vm/Interpreter-inl.h
+++ b/js/src/vm/Interpreter-inl.h
@@ -368,13 +368,9 @@ AddOperation(JSContext *cx, HandleScript script, jsbytecode *pc,
 {
     if (lhs.isInt32() && rhs.isInt32()) {
         int32_t l = lhs.toInt32(), r = rhs.toInt32();
-        int32_t sum = l + r;
-        if (JS_UNLIKELY(bool((l ^ sum) & (r ^ sum) & 0x80000000))) {
-            res->setDouble(double(l) + double(r));
+        double d = double(l) + double(r);
+        if (!res->setNumber(d))
             types::TypeScript::MonitorOverflow(cx, script, pc);
-        } else {
-            res->setInt32(sum);
-        }
         return true;
     }
 
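Review bot: Whether overflow monitoring still fires now rests entirely on `res->setNumber(d)` returning false exactly when the sum did not fit an int32 and was stored as a double; if it can return true after storing a double, `MonitorOverflow` is skipped and type inference would believe this site only produces int32, the kind of type mismatch a JIT then miscompiles. That contract is not visible here, so the new lines deserve a comment: `// int32 + int32 is always exact in a double; setNumber() stores an int32 when the sum fits and returns false (a double was stored) on overflow, which TypeScript must be told about.` The removed `int32_t sum = l + r` overflowed a signed int before the bit test ran, which is undefined behaviour, so computing in double first is the right fix, but the reliance on setNumber's return value should be stated. AddOperation's body continues past the end of this hunk.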


