void-packages/srcpkgs/firefox/patches/fix-stack-overflow.patch

44 lines
1.9 KiB
Diff
Raw Normal View History

https://bugs.alpinelinux.org/issues/5559
https://bugzilla.mozilla.org/show_bug.cgi?id=1274732
--- netwerk/streamconv/converters/nsHTTPCompressConv.cpp
+++ netwerk/streamconv/converters/nsHTTPCompressConv.cpp
@@ -165,9 +165,8 @@ nsHTTPCompressConv::BrotliHandler(nsIInputStream *stream, void *closure, const c
nsHTTPCompressConv *self = static_cast<nsHTTPCompressConv *>(closure);
*countRead = 0;
- const uint32_t kOutSize = 128 * 1024; // just a chunk size, we call in a loop
- unsigned char outBuffer[kOutSize];
- unsigned char *outPtr;
+ const size_t kOutSize = 128 * 1024; // just a chunk size, we call in a loop
+ uint8_t *outPtr;
size_t outSize;
size_t avail = aAvail;
BrotliResult res;
@@ -177,9 +176,15 @@ nsHTTPCompressConv::BrotliHandler(nsIInputStream *stream, void *closure, const c
return NS_OK;
}
+ auto outBuffer = MakeUniqueFallible<uint8_t[]>(kOutSize);
+ if (outBuffer == nullptr) {
+ self->mBrotli->mStatus = NS_ERROR_OUT_OF_MEMORY;
+ return self->mBrotli->mStatus;
+ }
+
do {
outSize = kOutSize;
- outPtr = outBuffer;
+ outPtr = outBuffer.get();
// brotli api is documented in brotli/dec/decode.h and brotli/dec/decode.c
LOG(("nsHttpCompresssConv %p brotlihandler decompress %d\n", self, avail));
@@ -210,7 +215,7 @@ nsHTTPCompressConv::BrotliHandler(nsIInputStream *stream, void *closure, const c
nsresult rv = self->do_OnDataAvailable(self->mBrotli->mRequest,
self->mBrotli->mContext,
self->mBrotli->mSourceOffset,
- reinterpret_cast<const char *>(outBuffer),
+ reinterpret_cast<const char *>(outBuffer.get()),
outSize);
LOG(("nsHttpCompressConv %p BrotliHandler ODA rv=%x", self, rv));
if (NS_FAILED(rv)) {