mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-09 11:25:00 +00:00
Bug 1754724 - Clear up some more computations in expat code. r=farre, a=tritter
Depends on D140165 Differential Revision: https://phabricator.services.mozilla.com/D140166
This commit is contained in:
parent
5876a3de0f
commit
6431af8019
@ -5037,11 +5037,26 @@ doProlog(XML_Parser parser,
|
||||
case XML_ROLE_GROUP_OPEN:
|
||||
if (prologState.level >= groupSize) {
|
||||
if (groupSize) {
|
||||
/* Detect and prevent integer overflow */
|
||||
if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
|
||||
return XML_ERROR_NO_MEMORY;
|
||||
}
|
||||
|
||||
char *temp = (char *)REALLOC(groupConnector, groupSize *= 2);
|
||||
if (temp == NULL)
|
||||
return XML_ERROR_NO_MEMORY;
|
||||
groupConnector = temp;
|
||||
if (dtd->scaffIndex) {
|
||||
/* Detect and prevent integer overflow.
|
||||
* The preprocessor guard addresses the "always false" warning
|
||||
* from -Wtype-limits on platforms where
|
||||
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
|
||||
#if UINT_MAX >= SIZE_MAX
|
||||
if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
|
||||
return XML_ERROR_NO_MEMORY;
|
||||
}
|
||||
#endif
|
||||
|
||||
int *temp = (int *)REALLOC(dtd->scaffIndex,
|
||||
groupSize * sizeof(int));
|
||||
if (temp == NULL)
|
||||
|
Loading…
Reference in New Issue
Block a user