Bug 623998 - Reduce frameset size limit - r=roc a=blocking2.0:final

2024-09-13 09:24:08 -07:00 · 2011-01-25 14:38:07 +13:00 · 2011-01-25 14:38:07 +13:00 · 4e29108ec5
commit 4e29108ec5
parent f990fed68b
3 changed files with 33 additions and 5 deletions
--- a/content/html/content/public/nsIFrameSetElement.h
+++ b/content/html/content/public/nsIFrameSetElement.h
@ -65,6 +65,12 @@ struct nsFramesetSpec {
  nscoord        mValue;
 };

+/**
+ * The maximum number of entries allowed in the frame set element row
+ * or column spec.
+ */
+#define NS_MAX_FRAMESET_SPEC_COUNT 16000
+
 /**
 * This interface is used by the nsFramesetFrame to access the parsed
 * values of the "rows" and "cols" attributes
--- a/content/html/content/src/nsHTMLFrameSetElement.cpp
+++ b/content/html/content/src/nsHTMLFrameSetElement.cpp
@ -322,12 +322,11 @@ nsHTMLFrameSetElement::ParseRowCol(const nsAString & aValue,
  spec.StripChars(" \n\r\t\"\'");
  spec.Trim(",");
  
-#define MAX_FRAMESET_SPEC_COUNT 100000
  // Count the commas. Don't count more than X commas (bug 576447).
-  PR_STATIC_ASSERT(MAX_FRAMESET_SPEC_COUNT * sizeof(nsFramesetSpec) < (1 << 30));
+  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT * sizeof(nsFramesetSpec) < (1 << 30));
  PRInt32 commaX = spec.FindChar(sComma);
  PRInt32 count = 1;
-  while (commaX != kNotFound && count < MAX_FRAMESET_SPEC_COUNT) {
+  while (commaX != kNotFound && count < NS_MAX_FRAMESET_SPEC_COUNT) {
    count++;
    commaX = spec.FindChar(sComma, commaX + 1);
  }
--- a/layout/generic/nsFrameSetFrame.cpp
+++ b/layout/generic/nsFrameSetFrame.cpp
@ -319,13 +319,19 @@ nsHTMLFramesetFrame::Init(nsIContent*      aContent,
  NS_ENSURE_SUCCESS(result, result);
  result = ourContent->GetColSpec(&mNumCols, &colSpecs);
  NS_ENSURE_SUCCESS(result, result);
+
+  // Maximum value of mNumRows and mNumCols is NS_MAX_FRAMESET_SPEC_COUNT
+  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < UINT_MAX / sizeof(nscoord));
  mRowSizes  = new nscoord[mNumRows];
  mColSizes  = new nscoord[mNumCols];
  if (!mRowSizes || !mColSizes)
    return NS_ERROR_OUT_OF_MEMORY; 

+  // Ensure we can't overflow numCells
+  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < PR_INT32_MAX / NS_MAX_FRAMESET_SPEC_COUNT);
  PRInt32 numCells = mNumRows*mNumCols;

+  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < UINT_MAX / sizeof(nsHTMLFramesetBorderFrame*));
  mVerBorders    = new nsHTMLFramesetBorderFrame*[mNumCols];  // 1 more than number of ver borders
  if (!mVerBorders)
    return NS_ERROR_OUT_OF_MEMORY;
@ -339,9 +345,15 @@ nsHTMLFramesetFrame::Init(nsIContent*      aContent,

  for (int horX = 0; horX < mNumRows; horX++)
    mHorBorders[horX]    = nsnull;
-     
+ 
+  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT
+                   < UINT_MAX / sizeof(PRInt32) / NS_MAX_FRAMESET_SPEC_COUNT); 
+  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT
+                   < UINT_MAX / sizeof(nsFrameborder) / NS_MAX_FRAMESET_SPEC_COUNT); 
+  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT
+                   < UINT_MAX / sizeof(nsBorderColor) / NS_MAX_FRAMESET_SPEC_COUNT); 
  mChildTypes = new PRInt32[numCells]; 
-  mChildFrameborder  = new nsFrameborder[numCells]; 
+  mChildFrameborder  = new nsFrameborder[numCells];
  mChildBorderColors  = new nsBorderColor[numCells]; 
  if (!mChildTypes || !mChildFrameborder || !mChildBorderColors)
    return NS_ERROR_OUT_OF_MEMORY;
@ -528,6 +540,9 @@ void nsHTMLFramesetFrame::CalculateRowCol(nsPresContext*       aPresContext,
                                          const nsFramesetSpec* aSpecs, 
                                          nscoord*              aValues)
 {
+  // aNumSpecs maximum value is NS_MAX_FRAMESET_SPEC_COUNT
+  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < UINT_MAX / sizeof(PRInt32));
+
  PRInt32  fixedTotal = 0;
  PRInt32  numFixed = 0;
  nsAutoArrayPtr<PRInt32> fixed(new PRInt32[aNumSpecs]);
@ -997,6 +1012,11 @@ nsHTMLFramesetFrame::Reflow(nsPresContext*          aPresContext,
  nsFrameborder           frameborder = GetFrameBorder();

  if (firstTime) {
+    // Check for overflow in memory allocations using mNumCols and mNumRows
+    // which have a maxium value of NS_MAX_FRAMESET_SPEC_COUNT.
+    PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < UINT_MAX / sizeof(PRBool));
+    PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < UINT_MAX / sizeof(nscolor));
+
    verBordersVis = new PRBool[mNumCols];
    NS_ENSURE_TRUE(verBordersVis, NS_ERROR_OUT_OF_MEMORY);
    verBorderColors = new nscolor[mNumCols];
@ -1330,7 +1350,10 @@ nsHTMLFramesetFrame::RecalculateBorderResize()
    return;
  }

+  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < PR_INT32_MAX / NS_MAX_FRAMESET_SPEC_COUNT);
  PRInt32 numCells = mNumRows * mNumCols; // max number of cells
+  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT
+                   < UINT_MAX / sizeof(PRInt32) / NS_MAX_FRAMESET_SPEC_COUNT); 
  nsAutoArrayPtr<PRInt32> childTypes(new PRInt32[numCells]);
  if (NS_UNLIKELY(!childTypes)) {
    return;