summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorwolfbeast <mcwerewolf@wolfbeast.com>2019-05-29 11:05:41 +0200
committerwolfbeast <mcwerewolf@wolfbeast.com>2019-05-29 11:05:41 +0200
commit1fe365eba2d8c91f0afd8ea042fc7478488f9471 (patch)
tree9e2d75b9226dc4fbdd4843a9a6f2aff0ff9cdd1d
parent678a41b2957437320a1790bb0ce6ce8ebab0a0a9 (diff)
downloaduxp-1fe365eba2d8c91f0afd8ea042fc7478488f9471.tar.gz
Perform a size check when dealing with clipboard data to be sure.
Follow-up to 0b6d9a47051be9ef4d064c6f7c60717da91d0bc2
-rw-r--r--widget/windows/nsClipboard.cpp16
1 files changed, 10 insertions, 6 deletions
diff --git a/widget/windows/nsClipboard.cpp b/widget/windows/nsClipboard.cpp
index c93f351c87..0ca9568d0c 100644
--- a/widget/windows/nsClipboard.cpp
+++ b/widget/windows/nsClipboard.cpp
@@ -291,16 +291,20 @@ nsresult nsClipboard::GetGlobalData(HGLOBAL aHGBL, void ** aData, uint32_t * aLe
nsresult result = NS_ERROR_FAILURE;
if (aHGBL != nullptr) {
LPSTR lpStr = (LPSTR) GlobalLock(aHGBL);
- DWORD allocSize = GlobalSize(aHGBL);
- char* data = static_cast<char*>(malloc(allocSize + 3));
+ CheckedInt<uint32_t> allocSize = CheckedInt<uint32_t>(GlobalSize(aHGBL)) + 3;
+ if (!allocSize.isValid()) {
+ return NS_ERROR_INVALID_ARG;
+ }
+ char* data = static_cast<char*>(malloc(allocSize.value()));
if ( data ) {
- memcpy ( data, lpStr, allocSize );
- data[allocSize] = data[allocSize + 1] = data[allocSize + 2] =
- '\0'; // null terminate for safety
+ uint32_t size = allocSize.value() - 3;
+ memcpy(data, lpStr, size);
+ // null terminate for safety
+ data[size] = data[size + 1] = data[size + 2] = '\0';
GlobalUnlock(aHGBL);
*aData = data;
- *aLen = allocSize;
+ *aLen = size;
result = NS_OK;
}