Bug 1439770, part 1 - Fix integer overflow in InterfaceDescriptorAddTypes. r=njn

num_additional_types is a uint8_t, so its max value is 255. 1 + 255 is
not greater than 256, so the check will pass, but then
num_additional_types += 1 will overflow in the next line.

What I think happened is that bug 1249174 part 6 introduced a bounds
check on an index (which is ok), but then part 8 repurposed this as a
bounds check on the length.

I noticed this because while writing the next patch I ended up with
  if (id->num_additional_types > 255)
and then the compiler warned that the check would never fail.

MozReview-Commit-ID: KqiaOyBjj7v

--HG--
extra : rebase_source : 47b20ad2f5e39b05f467cc5b10041070db7fa774
Andrew McCreight 2018-02-20 14:44:47 -08:00
parent 43020d2ca4
commit 70a2273632

@ -9,6 +9,7 @@
#include "xpt_xdr.h"
#include "xpt_struct.h"
#include <string.h>
#include <stdint.h>
#include <stdio.h>
using mozilla::WrapNotNull;
@ -187,7 +188,7 @@ InterfaceDescriptorAddTypes(XPTArena *arena, XPTInterfaceDescriptor *id,
}
id->additional_types = new_;
if (num + uint16_t(id->num_additional_types) > 256)
if (num + uint16_t(id->num_additional_types) > UINT8_MAX)
return false;
id->num_additional_types += num;
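Review bot: The length check runs after `id->additional_types = new_;`, so when it returns false the descriptor already points at `new_` while `num_additional_types` keeps its old value. Consider doing the `num + uint16_t(id->num_additional_types) > UINT8_MAX` test before `id->additional_types` is reassigned, so the failure path leaves `id` untouched. Since the bound now depends on the field being a `uint8_t`, a `static_assert` on the type of `num_additional_types` next to the check would keep the two from drifting apart if the field is ever widened.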