Perform a size check when dealing with clipboard data to be sure.

2019-06-12 13:44:53 +03:00 · 2019-06-12 13:44:53 +03:00 · f3e18922ba
parent 40f4bab5ae
commit f3e18922ba
1 changed files with 10 additions and 6 deletions
--- a/widget/windows/nsClipboard.cpp
+++ b/widget/windows/nsClipboard.cpp
@ -291,16 +291,20 @@ nsresult nsClipboard::GetGlobalData(HGLOBAL aHGBL, void ** aData, uint32_t * aLe
  nsresult  result = NS_ERROR_FAILURE;
  if (aHGBL != nullptr) {
    LPSTR lpStr = (LPSTR) GlobalLock(aHGBL);
-    DWORD allocSize = GlobalSize(aHGBL);
-    char* data = static_cast<char*>(malloc(allocSize + 3));
+    CheckedInt<uint32_t> allocSize = CheckedInt<uint32_t>(GlobalSize(aHGBL)) + 3;
+    if (!allocSize.isValid()) {
+      return NS_ERROR_INVALID_ARG;
+    }
+    char* data = static_cast<char*>(malloc(allocSize.value()));
    if ( data ) {    
-      memcpy ( data, lpStr, allocSize );
-      data[allocSize] = data[allocSize + 1] = data[allocSize + 2] =
-          '\0'; // null terminate for safety
+      uint32_t size = allocSize.value() - 3;
+      memcpy(data, lpStr, size);
+      // null terminate for safety
+      data[size] = data[size + 1] = data[size + 2] = '\0';

      GlobalUnlock(aHGBL);
      *aData = data;
-      *aLen = allocSize;
+      *aLen = size;

      result = NS_OK;
    }