Bug 1287266 - Integer overflow check in WebSocketChannel::ProcessInput, r=mcmanus

2016-07-20 17:15:32 +02:00
parent e84f04bd6e
commit 9c831c7e14
1 changed files with 5 additions and 1 deletions
--- a/netwerk/protocol/websocket/WebSocketChannel.cpp
+++ b/netwerk/protocol/websocket/WebSocketChannel.cpp
@@ -1569,9 +1569,13 @@ WebSocketChannel::ProcessInput(uint8_t *buffer, uint32_t count)
    LOG(("WebSocketChannel::ProcessInput: payload %lld avail %lu\n",
         payloadLength64, avail));

-    if (payloadLength64 + mFragmentAccumulator > mMaxMessageSize) {
+    CheckedInt<int64_t> payloadLengthChecked(payloadLength64);
+    payloadLengthChecked += mFragmentAccumulator;
+    if (!payloadLengthChecked.isValid() || payloadLengthChecked.value() >
+        mMaxMessageSize) {
      return NS_ERROR_FILE_TOO_BIG;
    }
+
    uint32_t payloadLength = static_cast<uint32_t>(payloadLength64);

    if (avail < payloadLength)