Bug 1332218 - Add boundary checks for array access in nsUrlClassifierPrefixSet::GetPrefixesNative. r=francois.
MozReview-Commit-ID: CpQYdTaEI3c
--- a/toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp
+++ b/toolkit/components/url-classifier/nsUrlClassifierPrefixSet.cpp
@@ -151,19 +151,26 @@ nsUrlClassifierPrefixSet::GetPrefixesNat
}
uint32_t prefixIdxLength = mIndexPrefixes.Length();
uint32_t prefixCnt = 0;
for (uint32_t i = 0; i < prefixIdxLength; i++) {
uint32_t prefix = mIndexPrefixes[i];
+ if (prefixCnt >= mTotalPrefixes) {
+ return NS_ERROR_FAILURE;
+ }
outArray[prefixCnt++] = prefix;
+
for (uint32_t j = 0; j < mIndexDeltas[i].Length(); j++) {
prefix += mIndexDeltas[i][j];
+ if (prefixCnt >= mTotalPrefixes) {
+ return NS_ERROR_FAILURE;
+ }
outArray[prefixCnt++] = prefix;
}
}
NS_ASSERTION(mTotalPrefixes == prefixCnt, "Lengths are inconsistent");
return NS_OK;
}