Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-20 08:45:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Bug 1490702 - Verify values read from the input, even when we decide we don't need to draw the current command. r=jrmuizel

Browse Source 
extra_end gets copied to offset, which can be used in the following command (and needs to be sanitized).

Differential Revision: https://phabricator.services.mozilla.com/D14345

--HG--
extra : moz-landing-system : lando
This commit is contained in:
Matt Woodrow 2018-12-14 01:30:40 +00:00
parent ecedddea82
commit 4f4be35fa3
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
gfx/webrender_bindings/Moz2DImageRenderer.cpp
View File

@ -408,6 +408,9 @@ static bool Moz2DRenderCallback(const Range<const uint8_t> aBlob,
while (reader.pos < reader.len) {
size_t end = reader.ReadSize();
size_t extra_end = reader.ReadSize();
MOZ_RELEASE_ASSERT(extra_end >= end);
MOZ_RELEASE_ASSERT(extra_end < aBlob.length());
auto combinedBounds = absBounds.Intersect(reader.ReadBounds());
if (combinedBounds.IsEmpty()) {
offset = extra_end;
@ -415,9 +418,6 @@ static bool Moz2DRenderCallback(const Range<const uint8_t> aBlob,
}
layers::WebRenderTranslator translator(dt);
MOZ_RELEASE_ASSERT(extra_end >= end);
MOZ_RELEASE_ASSERT(extra_end < aBlob.length());
Reader fontReader(aBlob.begin().get() + end, extra_end - end);
size_t count = fontReader.ReadSize();
for (size_t i = 0; i < count; i++) {