From ed2352bfe7e95f95bf52e2b5e1db56d0ffba787b Mon Sep 17 00:00:00 2001
From: "benjamin%smedbergs.us"
 <benjamin%smedbergs.us@18797224-902f-48f8-a5cc-f745e15eee43>
Date: Mon, 26 Jan 2009 17:07:45 +0000
Subject: [PATCH] Bug 473587 - nsTString::ToInteger can overflow. Detect and
 prevent this condition, r+sr=dbaron

git-svn-id: svn://10.0.0.236/trunk@255922 18797224-902f-48f8-a5cc-f745e15eee43
---
 .../xpcom/string/src/nsTStringObsolete.cpp    |  9 +++++++
 mozilla/xpcom/tests/TestStrings.cpp           | 27 +++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/mozilla/xpcom/string/src/nsTStringObsolete.cpp b/mozilla/xpcom/string/src/nsTStringObsolete.cpp
index c1425a6ba07..6ee42d31140 100644
--- a/mozilla/xpcom/string/src/nsTStringObsolete.cpp
+++ b/mozilla/xpcom/string/src/nsTStringObsolete.cpp
@@ -193,6 +193,8 @@ nsTString_CharT::ToInteger( PRInt32* aErrorCode, PRUint32 aRadix ) const
       PRBool haveValue = PR_FALSE;
 
       while(cp<endcp){
+        PRInt32 oldresult = result;
+
         theChar=*cp++;
         if(('0'<=theChar) && (theChar<='9')){
           result = (theRadix * result) + (theChar-'0');
@@ -246,6 +248,13 @@ nsTString_CharT::ToInteger( PRInt32* aErrorCode, PRUint32 aRadix ) const
           //we've encountered a char that's not a legal number or sign
           break;
         }
+
+        if (result < oldresult) {
+          // overflow!
+          *aErrorCode = NS_ERROR_ILLEGAL_VALUE;
+          result = 0;
+          break;
+        }
       } //while
       if(negate)
         result=-result;
diff --git a/mozilla/xpcom/tests/TestStrings.cpp b/mozilla/xpcom/tests/TestStrings.cpp
index 1a8b293f3ca..87aed47e629 100644
--- a/mozilla/xpcom/tests/TestStrings.cpp
+++ b/mozilla/xpcom/tests/TestStrings.cpp
@@ -893,6 +893,32 @@ PRBool test_voided_autostr()
     return PR_TRUE;
   }
 
+struct ToIntegerTest
+{
+  const char *str;
+  PRUint32 radix;
+  PRInt32 result;
+  nsresult rv;
+};
+
+static const ToIntegerTest kToIntegerTests[] = {
+  { "123", 10, 123, NS_OK },
+  { "7b", 16, 123, NS_OK },
+  { "90194313659", 10, 0, NS_ERROR_ILLEGAL_VALUE },
+  { nsnull, 0, 0, 0 }
+};
+
+PRBool test_string_tointeger()
+{
+  PRInt32 rv;
+  for (const ToIntegerTest* t = kToIntegerTests; t->str; ++t) {
+    PRInt32 result = nsCAutoString(t->str).ToInteger(&rv, t->radix);
+    if (rv != t->rv || result != t->result)
+      return PR_FALSE;
+  }
+  return PR_TRUE;
+}
+
 //----
 
 typedef PRBool (*TestFunc)();
@@ -936,6 +962,7 @@ tests[] =
     { "test_stringbuffer", test_stringbuffer },
     { "test_voided", test_voided },
     { "test_voided_autostr", test_voided_autostr },
+    { "test_string_tointeger", test_string_tointeger },
     { nsnull, nsnull }
   };