diff options
author | Moonchild <moonchild@palemoon.org> | 2020-07-09 11:22:40 +0000 |
---|---|---|
committer | Moonchild <moonchild@palemoon.org> | 2020-07-09 11:22:40 +0000 |
commit | 64be1dc3291b4335f4496a9f57c856c5c192947d (patch) | |
tree | 87a8020404bea42ef2a95e98c5cbcec81cf53248 | |
parent | 7cebdd7815b3953fbb76e0e38fab5dc856f5fb48 (diff) | |
download | uxp-64be1dc3291b4335f4496a9f57c856c5c192947d.tar.gz |
[image] Add a sanity check to JPEG encoder buffer handling, just in case.
-rw-r--r-- | image/encoders/jpeg/nsJPEGEncoder.cpp | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/image/encoders/jpeg/nsJPEGEncoder.cpp b/image/encoders/jpeg/nsJPEGEncoder.cpp index 04cfef07b2..e5835c295f 100644 --- a/image/encoders/jpeg/nsJPEGEncoder.cpp +++ b/image/encoders/jpeg/nsJPEGEncoder.cpp @@ -8,6 +8,7 @@ #include "nsString.h" #include "nsStreamUtils.h" #include "gfxColor.h" +#include "mozilla/CheckedInt.h" #include <setjmp.h> #include "jerror.h" @@ -430,10 +431,14 @@ nsJPEGEncoder::emptyOutputBuffer(jpeg_compress_struct* cinfo) that->mImageBufferUsed = that->mImageBufferSize; // expand buffer, just double size each time - that->mImageBufferSize *= 2; + uint8_t* newBuf = nullptr; + CheckedInt<uint32_t> bufSize = + CheckedInt<uint32_t>(that->mImageBufferSize) * 2; + if (bufSize.isValid()) { + that->mImageBufferSize = bufSize.value(); + newBuf = (uint8_t*)realloc(that->mImageBuffer, that->mImageBufferSize); + } - uint8_t* newBuf = (uint8_t*)realloc(that->mImageBuffer, - that->mImageBufferSize); if (!newBuf) { // can't resize, just zero (this will keep us from writing more) free(that->mImageBuffer); |