
[tor-commits] [tor-browser/tor-browser-24.7.0esr-3.x-1] Backport two integer overflow patches.



commit d765da2ed5b5724a1adc4d8e73a552cbc0fe033d
Author: Mike Perry <mikeperry-git@xxxxxxxxxxxxxx>
Date:   Thu Aug 28 16:04:57 2014 -0700

    Backport two integer overflow patches.
    
    https://hg.mozilla.org/mozilla-central/rev/14ad832ecbcd
    https://hg.mozilla.org/mozilla-central/rev/c00387255d25
    
    https://bugzilla.mozilla.org/show_bug.cgi?id=922603
    https://bugzilla.mozilla.org/show_bug.cgi?id=811122
---
 image/src/imgFrame.cpp      |   10 +++-------
 js/src/vm/Interpreter-inl.h |    8 ++------
 2 files changed, 5 insertions(+), 13 deletions(-)

diff --git a/image/src/imgFrame.cpp b/image/src/imgFrame.cpp
index c1b4022..33d1b3a 100644
--- a/image/src/imgFrame.cpp
+++ b/image/src/imgFrame.cpp
@@ -19,6 +19,7 @@ static bool gDisableOptimize = false;
 #include "cairo.h"
 #include "GeckoProfiler.h"
 #include "mozilla/Likely.h"
+#include "mozilla/CheckedInt.h"
 
 #if defined(XP_WIN)
 
@@ -54,13 +55,8 @@ static bool AllowedImageSize(int32_t aWidth, int32_t aHeight)
   }
 
   // check to make sure we don't overflow a 32-bit
-  int32_t tmp = aWidth * aHeight;
-  if (MOZ_UNLIKELY(tmp / aHeight != aWidth)) {
-    NS_WARNING("width or height too large");
-    return false;
-  }
-  tmp = tmp * 4;
-  if (MOZ_UNLIKELY(tmp / 4 != aWidth * aHeight)) {
+  CheckedInt32 requiredBytes = CheckedInt32(aWidth) * CheckedInt32(aHeight) * 4;
+  if (MOZ_UNLIKELY(!requiredBytes.isValid())) {
     NS_WARNING("width or height too large");
     return false;
   }
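Review bot: The comment kept above the new check, `// check to make sure we don't overflow a 32-bit`, is cut off and does not say which quantity is bounded. With the CheckedInt32 form it would read better as `// Reject dimensions whose width * height * 4 byte count does not fit in int32_t.` The comment could also record why the old multiply-then-divide-back test was dropped: it formed the product in a plain int32_t first, and signed overflow is undefined in C++, so a compiler may remove such a check. `isValid()` only shows that the product fits in 32 bits and is not a cap on allocation size. Whether zero or negative dimensions are rejected depends on the earlier checks in AllowedImageSize, which begin outside this hunk.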
diff --git a/js/src/vm/Interpreter-inl.h b/js/src/vm/Interpreter-inl.h
index b5818e4..0a665d1 100644
--- a/js/src/vm/Interpreter-inl.h
+++ b/js/src/vm/Interpreter-inl.h
@@ -368,13 +368,9 @@ AddOperation(JSContext *cx, HandleScript script, jsbytecode *pc,
 {
     if (lhs.isInt32() && rhs.isInt32()) {
         int32_t l = lhs.toInt32(), r = rhs.toInt32();
-        int32_t sum = l + r;
-        if (JS_UNLIKELY(bool((l ^ sum) & (r ^ sum) & 0x80000000))) {
-            res->setDouble(double(l) + double(r));
+        double d = double(l) + double(r);
+        if (!res->setNumber(d))
             types::TypeScript::MonitorOverflow(cx, script, pc);
-        } else {
-            res->setInt32(sum);
-        }
         return true;
     }
 
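Review bot: The new `if (!res->setNumber(d))` branch depends on the return-value convention of setNumber(), which is not visible in this hunk; the code reads as if it returns false when the value was stored as a double rather than as an int32. A one-line comment such as `// setNumber() returns false when the sum is not representable as int32; record the overflow` would make that explicit. Computing the sum in double is exact for any two int32 operands, so the undefined signed `l + r` is gone. Any sibling fast paths in this file that still compute `l - r` or `l * r` in int32_t before testing for overflow would need the same treatment; none are visible here. AddOperation's body continues outside the hunk.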


