[html parser] Check for integer overflow when computing new buffer sizes.

author: Moonchild <moonchild@palemoon.org> 2021-02-24 09:57:24 +0000
committer: Moonchild <moonchild@palemoon.org> 2021-02-24 09:57:24 +0000
commit: 525961c26137ca8a6416b9b2cd6b390593881be1 (patch)
tree: cbfcdf28587f39f4e7622652d1fb664736cef68f /parser/html/nsHtml5MetaScanner.cpp
parent: 77d26e8bcd4c9cd94ffbaf4a035342f0d50b3438 (diff)
download: uxp-525961c26137ca8a6416b9b2cd6b390593881be1.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/parser/html/nsHtml5MetaScanner.cpp b/parser/html/nsHtml5MetaScanner.cpp
index 9fa3d3a705..f7beddafd5 100644
--- a/parser/html/nsHtml5MetaScanner.cpp
+++ b/parser/html/nsHtml5MetaScanner.cpp
@@ -743,7 +743,7 @@ void
 nsHtml5MetaScanner::addToBuffer(int32_t c)
 {
   if (strBufLen == strBuf.length) {
-    jArray<char16_t,int32_t> newBuf = jArray<char16_t,int32_t>::newJArray(strBuf.length + (strBuf.length << 1));
+    jArray<char16_t,int32_t> newBuf = jArray<char16_t,int32_t>::newJArray(nsHtml5Portability::checkedAdd(strBuf.length, (strBuf.length << 1)));
     nsHtml5ArrayCopy::arraycopy(strBuf, newBuf, strBuf.length);
     strBuf = newBuf;
   }
author	Moonchild <moonchild@palemoon.org>	2021-02-24 09:57:24 +0000
committer	Moonchild <moonchild@palemoon.org>	2021-02-24 09:57:24 +0000
commit	525961c26137ca8a6416b9b2cd6b390593881be1 (patch)
tree	cbfcdf28587f39f4e7622652d1fb664736cef68f /parser/html/nsHtml5MetaScanner.cpp
parent	77d26e8bcd4c9cd94ffbaf4a035342f0d50b3438 (diff)
download	uxp-525961c26137ca8a6416b9b2cd6b390593881be1.tar.gz