diff options
author | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-05-29 11:05:41 +0200 |
---|---|---|
committer | wolfbeast <mcwerewolf@wolfbeast.com> | 2019-05-29 11:05:41 +0200 |
commit | 1fe365eba2d8c91f0afd8ea042fc7478488f9471 (patch) | |
tree | 9e2d75b9226dc4fbdd4843a9a6f2aff0ff9cdd1d | |
parent | 678a41b2957437320a1790bb0ce6ce8ebab0a0a9 (diff) | |
download | uxp-1fe365eba2d8c91f0afd8ea042fc7478488f9471.tar.gz |
Perform a size check when dealing with clipboard data to be sure.
Follow-up to 0b6d9a47051be9ef4d064c6f7c60717da91d0bc2
-rw-r--r-- | widget/windows/nsClipboard.cpp | 16 |
1 files changed, 10 insertions, 6 deletions
diff --git a/widget/windows/nsClipboard.cpp b/widget/windows/nsClipboard.cpp index c93f351c87..0ca9568d0c 100644 --- a/widget/windows/nsClipboard.cpp +++ b/widget/windows/nsClipboard.cpp @@ -291,16 +291,20 @@ nsresult nsClipboard::GetGlobalData(HGLOBAL aHGBL, void ** aData, uint32_t * aLe nsresult result = NS_ERROR_FAILURE; if (aHGBL != nullptr) { LPSTR lpStr = (LPSTR) GlobalLock(aHGBL); - DWORD allocSize = GlobalSize(aHGBL); - char* data = static_cast<char*>(malloc(allocSize + 3)); + CheckedInt<uint32_t> allocSize = CheckedInt<uint32_t>(GlobalSize(aHGBL)) + 3; + if (!allocSize.isValid()) { + return NS_ERROR_INVALID_ARG; + } + char* data = static_cast<char*>(malloc(allocSize.value())); if ( data ) { - memcpy ( data, lpStr, allocSize ); - data[allocSize] = data[allocSize + 1] = data[allocSize + 2] = - '\0'; // null terminate for safety + uint32_t size = allocSize.value() - 3; + memcpy(data, lpStr, size); + // null terminate for safety + data[size] = data[size + 1] = data[size + 2] = '\0'; GlobalUnlock(aHGBL); *aData = data; - *aLen = allocSize; + *aLen = size; result = NS_OK; } |