Bug 1170809 - Improve the buffer size check in nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz

This commit is contained in:
Andrea Marchesini 2015-06-23 10:47:38 -04:00
parent 606d29044e
commit 67cc340ec1

View File

@ -678,13 +678,18 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
&destBufferLen);
NS_ENSURE_SUCCESS(rv, rv);
if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible)) {
uint32_t size = mResponseText.Length() + destBufferLen;
if (size < (uint32_t)destBufferLen) {
return NS_ERROR_OUT_OF_MEMORY;
}
if (!mResponseText.SetCapacity(size, fallible)) {
return NS_ERROR_OUT_OF_MEMORY;
}
char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
int32_t totalChars = mResponseText.Length();
CheckedInt32 totalChars = mResponseText.Length();
// This code here is basically a copy of a similar thing in
// nsScanner::Append(const char* aBuffer, uint32_t aLen).
@ -697,9 +702,11 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
MOZ_ASSERT(NS_SUCCEEDED(rv));
totalChars += destlen;
if (!totalChars.isValid()) {
return NS_ERROR_OUT_OF_MEMORY;
}
mResponseText.SetLength(totalChars);
mResponseText.SetLength(totalChars.value());
return NS_OK;
}