Bug 1258376: Validate DEVMODE data length from PrintData before deserialization. r=jimm

widget/windows/nsPrintOptionsWin.cpp

@@ -126,23 +126,27 @@ nsPrintOptionsWin::DeserializeToPrintSettings(const PrintData& data,
     nsXPIDLString printerName;
     settings->GetPrinterName(getter_Copies(printerName));
 
-    DEVMODEW* devModeRaw = (DEVMODEW*)::HeapAlloc(::GetProcessHeap(), HEAP_ZERO_MEMORY,
-                                                  data.devModeData().Length());
-    if (!devModeRaw) {
-      return NS_ERROR_OUT_OF_MEMORY;
+    if (data.devModeData().IsEmpty()) {
+      psWin->SetDevMode(nullptr);
+    } else {
+      // Check minimum length of DEVMODE data.
+      auto devModeDataLength = data.devModeData().Length();
+      if (devModeDataLength < sizeof(DEVMODEW)) {
+        NS_WARNING("DEVMODE data is too short.");
+        return NS_ERROR_FAILURE;
+      }
+
+      DEVMODEW* devMode = reinterpret_cast<DEVMODEW*>(
+        const_cast<uint8_t*>(data.devModeData().Elements()));
+
+      // Check actual length of DEVMODE data.
+      if ((devMode->dmSize + devMode->dmDriverExtra) != devModeDataLength) {
+        NS_WARNING("DEVMODE length is incorrect.");
+        return NS_ERROR_FAILURE;
+      }
+
+      psWin->SetDevMode(devMode); // Copies
     }
-
-    nsAutoDevMode devMode(devModeRaw);
-    devModeRaw = nullptr;
-
-    // Seems a bit silly to copy the buffer out, just so that SetDevMode can
-    // copy it again. However, if I attempt to just pass
-    // data.devModeData.Elements() casted to an DEVMODEW* to SetDevMode, I get
-    // a "Conversion loses qualifiers" build-time error because
-    // data.devModeData.Elements() is of type const char *.
-    memcpy(devMode.get(), data.devModeData().Elements(), data.devModeData().Length());
-
-    psWin->SetDevMode(devMode); // Copies
   }
 
   return NS_OK;