1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
commit 94b1df91cc7f
Author: Eric Rahm <erahm@mozilla.com>
Date: Mon Jun 19 17:09:54 2017 -0700
Bug 1373371 - Properly convert index in RemoveElementsAt. r=froydnj, a=ritu
MozReview-Commit-ID: 2CRrUmOxA9B
--HG--
extra : source : 337103b85c025be555c107c7710ebe25d2feb6ed
---
xpcom/ds/nsTArray.h | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git xpcom/ds/nsTArray.h xpcom/ds/nsTArray.h
index 4e9b57126bfb..e0244846aca3 100644
--- xpcom/ds/nsTArray.h
+++ xpcom/ds/nsTArray.h
@@ -13,6 +13,7 @@
#include "mozilla/Assertions.h"
#include "mozilla/Attributes.h"
#include "mozilla/BinarySearch.h"
+#include "mozilla/CheckedInt.h"
#include "mozilla/fallible.h"
#include "mozilla/MathAlgorithms.h"
#include "mozilla/MemoryReporting.h"
@@ -2053,9 +2054,14 @@ void
nsTArray_Impl<E, Alloc>::RemoveElementsAt(index_type aStart, size_type aCount)
{
MOZ_ASSERT(aCount == 0 || aStart < Length(), "Invalid aStart index");
- MOZ_ASSERT(aStart + aCount <= Length(), "Invalid length");
- // Check that the previous assert didn't overflow
- MOZ_ASSERT(aStart <= aStart + aCount, "Start index plus length overflows");
+
+ mozilla::CheckedInt<index_type> rangeEnd = aStart;
+ rangeEnd += aCount;
+
+ if (MOZ_UNLIKELY(!rangeEnd.isValid() || rangeEnd.value() > Length())) {
+ InvalidArrayIndex_CRASH(aStart, Length());
+ }
+
DestructRange(aStart, aCount);
this->template ShiftData<InfallibleAlloc>(aStart, aCount, 0,
sizeof(elem_type),
|
