Protect against an overly-large length. Patch from brendan, bug 335535, r=mrbkap

2025-03-04 15:51:37 +00:00 · 2006-04-26 21:46:53 +00:00 · 2006-04-26 21:46:53 +00:00 · 0cf9f4ba99
commit 0cf9f4ba99
parent 05a259f259
1 changed files with 5 additions and 0 deletions
--- a/js/src/jsstr.c
+++ b/js/src/jsstr.c
@ -2066,6 +2066,11 @@ tagify(JSContext *cx, JSObject *obj, jsval *argv,
    endlen = strlen(end);
    taglen += JSSTRING_LENGTH(str) + 2 + endlen + 1;    /* 'str</end>' */

+    if (taglen >= ~(size_t)0 / sizeof(jschar)) {
+        JS_ReportOutOfMemory(cx);
+        return JS_FALSE;
+    }
+
    tagbuf = (jschar *) JS_malloc(cx, (taglen + 1) * sizeof(jschar));
    if (!tagbuf)
        return JS_FALSE;