Better handling of overflowing integer values. (Bug 440230) r+sr=roc

2024-09-13 09:24:08 -07:00 · 2008-12-27 20:58:14 -05:00 · 2008-12-27 20:58:14 -05:00 · d67ed87895
commit d67ed87895
parent ce7842afac
5 changed files with 51 additions and 6 deletions
--- a/layout/style/nsCSSDeclaration.h
+++ b/layout/style/nsCSSDeclaration.h
@ -182,9 +182,17 @@ private:
    //
    friend class CSSStyleRuleImpl;
    void AddRef(void) {
+      if (mRefCnt == PR_UINT32_MAX) {
+        NS_WARNING("refcount overflow, leaking object");
+        return;
+      }
      ++mRefCnt;
    }
    void Release(void) {
+      if (mRefCnt == PR_UINT32_MAX) {
+        NS_WARNING("refcount overflow, leaking object");
+        return;
+      }
      NS_ASSERTION(0 < mRefCnt, "bad Release");
      if (0 == --mRefCnt) {
        delete this;
--- a/layout/style/nsCSSValue.h
+++ b/layout/style/nsCSSValue.h
@ -448,8 +448,21 @@ public:
    nsCOMPtr<nsIURI> mReferrer;
    nsCOMPtr<nsIPrincipal> mOriginPrincipal;

-    void AddRef() { ++mRefCnt; }
-    void Release() { if (--mRefCnt == 0) delete this; }
+    void AddRef() {
+      if (mRefCnt == PR_UINT32_MAX) {
+        NS_WARNING("refcount overflow, leaking nsCSSValue::URL");
+        return;
+      }
+      ++mRefCnt;
+    }
+    void Release() {
+      if (mRefCnt == PR_UINT32_MAX) {
+        NS_WARNING("refcount overflow, leaking nsCSSValue::URL");
+        return;
+      }
+      if (--mRefCnt == 0)
+        delete this;
+    }
  protected:
    nsrefcnt mRefCnt;
  };
@ -467,9 +480,15 @@ public:

    nsCOMPtr<imgIRequest> mRequest; // null == image load blocked or somehow failed

-    // Override AddRef/Release so we delete ourselves via the right pointer.
-    void AddRef() { ++mRefCnt; }
-    void Release() { if (--mRefCnt == 0) delete this; }
+    // Override Release so we delete correctly without a virtual destructor
+    void Release() {
+      if (mRefCnt == PR_UINT32_MAX) {
+        NS_WARNING("refcount overflow, leaking nsCSSValue::Image");
+        return;
+      }
+      if (--mRefCnt == 0)
+        delete this;
+    }
  };

 private:
--- a/layout/style/nsStyleContext.h
+++ b/layout/style/nsStyleContext.h
@ -80,12 +80,20 @@ public:
  NS_HIDDEN_(void) Destroy();

  nsrefcnt AddRef() {
+    if (mRefCnt == PR_UINT32_MAX) {
+      NS_WARNING("refcount overflow, leaking object");
+      return mRefCnt;
+    }
    ++mRefCnt;
    NS_LOG_ADDREF(this, mRefCnt, "nsStyleContext", sizeof(nsStyleContext));
    return mRefCnt;
  }

  nsrefcnt Release() {
+    if (mRefCnt == PR_UINT32_MAX) {
+      NS_WARNING("refcount overflow, leaking object");
+      return mRefCnt;
+    }
    --mRefCnt;
    NS_LOG_RELEASE(this, mRefCnt, "nsStyleContext");
    if (mRefCnt == 0) {
--- a/layout/style/nsStyleStruct.cpp
+++ b/layout/style/nsStyleStruct.cpp
@ -1741,6 +1741,10 @@ nsChangeHint nsStyleTextReset::MaxDifference()
 nsrefcnt
 nsCSSShadowArray::Release()
 {
+  if (mRefCnt == PR_UINT32_MAX) {
+    NS_WARNING("refcount overflow, leaking object");
+    return mRefCnt;
+  }
  mRefCnt--;
  if (mRefCnt == 0) {
    delete this;
--- a/layout/style/nsStyleStruct.h
+++ b/layout/style/nsStyleStruct.h
@ -358,7 +358,13 @@ class nsCSSShadowArray {
      }
    }

-    nsrefcnt AddRef() { return ++mRefCnt; }
+    nsrefcnt AddRef() {
+      if (mRefCnt == PR_UINT32_MAX) {
+        NS_WARNING("refcount overflow, leaking object");
+        return mRefCnt;
+      }
+      return ++mRefCnt;
+    }
    nsrefcnt Release();

    PRUint32 Length() const { return mLength; }