Bug 927687: Avoid unsigned integer wrapping in PL_ArenaAllocate. r=rrelyea.NSPR_4_10_2_BETA2

author: Wan-Teh Chang <wtc@google.com> 2013-10-30 12:15:55 -0700
committer: Wan-Teh Chang <wtc@google.com> 2013-10-30 12:15:55 -0700
commit: e6aedcd436b50c68db7129ac2bb04cc95a855c16 (patch)
tree: d898313a84115418bb1aae2631cca797529b9eb8
parent: 7d919144e9b6b84aee6314805369af8d040c3cdd (diff)
download: nspr-hg-e6aedcd436b50c68db7129ac2bb04cc95a855c16.tar.gz
1 files changed, 6 insertions, 2 deletions
diff --git a/lib/ds/plarena.c b/lib/ds/plarena.c
index 352c8a3d..95e1931e 100644
--- a/lib/ds/plarena.c
+++ b/lib/ds/plarena.c
@@ -196,8 +196,12 @@ PR_IMPLEMENT(void *) PL_ArenaAllocate(PLArenaPool *pool, PRUint32 nb)
     /* attempt to allocate from the heap */ 
     {  
         PRUint32 sz = PR_MAX(pool->arenasize, nb);
-        sz += sizeof *a + pool->mask;  /* header and alignment slop */
-        a = (PLArena*)PR_MALLOC(sz);
+        if (PR_UINT32_MAX - sz < sizeof *a + pool->mask) {
+            a = NULL;
+        } else {
+            sz += sizeof *a + pool->mask;  /* header and alignment slop */
+            a = (PLArena*)PR_MALLOC(sz);
+        }
         if ( NULL != a )  {
             a->limit = (PRUword)a + sz;
             a->base = a->avail = (PRUword)PL_ARENA_ALIGN(pool, a + 1);
author	Wan-Teh Chang <wtc@google.com>	2013-10-30 12:15:55 -0700
committer	Wan-Teh Chang <wtc@google.com>	2013-10-30 12:15:55 -0700
commit	e6aedcd436b50c68db7129ac2bb04cc95a855c16 (patch)
tree	d898313a84115418bb1aae2631cca797529b9eb8
parent	7d919144e9b6b84aee6314805369af8d040c3cdd (diff)
download	nspr-hg-e6aedcd436b50c68db7129ac2bb04cc95a855c16.tar.gz