Bug 1499105 - P1 - IDBFileHandle::Read() now throws error and returns nullptr if read size larger than 4GB r=janv,sg

IDBFileHandle::Read() calls CheckStateAndArgumentsForRead(), where the size of data to be read is also checked. If the size is larger than [[ https://www.qnx.com/developers/docs/6.4.1/dinkum_en/c99/stdint.html#INT32_MAX | INT32_MAX ]], JavaScript exception is thrown and Read() returns **nullptr**.

Since a compromised sender could send data of a larger size, size is checked again in FileHandle::VerifyRequestParams().

Please also check: [[ https://phabricator.services.mozilla.com/D59326 | D59326 ]] and [[ https://phabricator.services.mozilla.com/D59515 | D59515 ]].

Differential Revision: https://phabricator.services.mozilla.com/D58961

--HG--
extra : moz-landing-system : lando
This commit is contained in:
ssengupta 2020-01-14 13:01:18 +00:00
Родитель 6f5212c2c2
Коммит ce59756fd9
2 изменённых файлов: 10 добавлений и 0 удалений

Просмотреть файл

@ -1415,6 +1415,11 @@ bool FileHandle::VerifyRequestParams(const FileRequestParams& aParams) const {
return false;
}
if (NS_WARN_IF(params.size() > UINT32_MAX)) {
ASSERT_UNLESS_FUZZING();
return false;
}
break;
}

Просмотреть файл

@ -387,6 +387,11 @@ bool IDBFileHandle::CheckStateAndArgumentsForRead(uint64_t aSize,
return false;
}
if (aSize > UINT32_MAX) {
aRv.ThrowTypeError(u"Data size for read is too large.");
return false;
}
return true;
}