Bug 473587 - nsTString::ToInteger can overflow. Detect and prevent this condition, r+sr=dbaron

git-svn-id: svn://10.0.0.236/trunk@255922 18797224-902f-48f8-a5cc-f745e15eee43
2009-01-26 17:07:45 +00:00
parent 32ee9dc1eb
commit ed2352bfe7
2 changed files with 36 additions and 0 deletions
--- a/mozilla/xpcom/string/src/nsTStringObsolete.cpp
+++ b/mozilla/xpcom/string/src/nsTStringObsolete.cpp
@@ -193,6 +193,8 @@ nsTString_CharT::ToInteger( PRInt32* aErrorCode, PRUint32 aRadix ) const
      PRBool haveValue = PR_FALSE;

      while(cp<endcp){
+        PRInt32 oldresult = result;
+
        theChar=*cp++;
        if(('0'<=theChar) && (theChar<='9')){
          result = (theRadix * result) + (theChar-'0');
@@ -246,6 +248,13 @@ nsTString_CharT::ToInteger( PRInt32* aErrorCode, PRUint32 aRadix ) const
          //we've encountered a char that's not a legal number or sign
          break;
        }
+
+        if (result < oldresult) {
+          // overflow!
+          *aErrorCode = NS_ERROR_ILLEGAL_VALUE;
+          result = 0;
+          break;
+        }
      } //while
      if(negate)
        result=-result;