From 976cf67e561616ea0db03fef681848acdcb887ab Mon Sep 17 00:00:00 2001
From: Jed Davis
Date: Tue, 2 Aug 2022 16:44:38 +0200
Subject: Bug 1760611 - Add file descriptor sanity checks in NSPR poll. r=glandium
Thanks to Jesse Schwartzentruber for the suggestion.
---
 pr/src/md/unix/unix.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/pr/src/md/unix/unix.c b/pr/src/md/unix/unix.c
index d9e35925..f71d1f66 100644
--- a/pr/src/md/unix/unix.c
+++ b/pr/src/md/unix/unix.c
@@ -3641,7 +3641,8 @@ int poll(struct pollfd *filedes, unsigned long nfds, int timeout)
 int events = filedes[i].events;
 PRBool fdHasEvent = PR_FALSE;
- if (osfd < 0) {
+ PR_ASSERT(osfd < FD_SETSIZE);
+ if (osfd < 0 || osfd >= FD_SETSIZE) {
 continue; /* Skip this osfd. */
 }
@@ -3686,6 +3687,10 @@ int poll(struct pollfd *filedes, unsigned long nfds, int timeout)
 if (filedes[i].fd < 0) {
 continue;
 }
+ if (filedes[i].fd >= FD_SETSIZE) {
+ filedes[i].revents |= POLLNVAL;
+ continue;
+ }
 if (FD_ISSET(filedes[i].fd, &rd)) {
 if (filedes[i].events & POLLIN) {
 filedes[i].revents |= POLLIN;
-- cgit v1.2.1
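Review bot: The `PR_ASSERT(osfd < FD_SETSIZE);` placed ahead of the range check makes debug builds abort on exactly the input that the next line handles gracefully, so the skip path is only ever exercised in release builds. The reason for the bound is also not recorded at the check; a short comment would carry it, e.g. `/* FD_SET() on an fd >= FD_SETSIZE is undefined and typically writes outside the fd_set. */`. A descriptor skipped here is no longer waited on, so a caller passing only out-of-range descriptors presumably waits out the full timeout. The rest of poll() lies outside the hunk, so that last point needs confirming against the surrounding code.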
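Review bot: The `continue` after `filedes[i].revents |= POLLNVAL;` leaves the iteration before anything further down the loop body can count this entry, so whether poll()'s return value includes it depends on lines outside the hunk. If the ready count is taken later in the body, or if this loop only runs once select() has reported activity, an out-of-range descriptor is either left out of the count or not reported until some other descriptor becomes ready; a native poll() would return at once with POLLNVAL. It is worth confirming this against the enclosing code and recording the intent next to the check, e.g. `/* Not representable in an fd_set: report as invalid and never FD_ISSET() it. */`.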