Bug 1499105 - P1 - IDBFileHandle::Read() now throws error and returns nullptr if read size larger than 4GB r=janv,sg

IDBFileHandle::Read() calls CheckStateAndArgumentsForRead(), where the size of data to be read is also checked. If the size is larger than [[ https://www.qnx.com/developers/docs/6.4.1/dinkum_en/c99/stdint.html#INT32_MAX | INT32_MAX ]], JavaScript exception is thrown and Read() returns **nullptr**.

Since a compromised sender could send data of a larger size, size is checked again in FileHandle::VerifyRequestParams().

Please also check: [[ https://phabricator.services.mozilla.com/D59326 | D59326 ]] and [[ https://phabricator.services.mozilla.com/D59515 | D59515 ]].

Differential Revision: https://phabricator.services.mozilla.com/D58961

--HG--
extra : moz-landing-system : lando

dom/filehandle/ActorsParent.cpp

@@ -1415,6 +1415,11 @@ bool FileHandle::VerifyRequestParams(const FileRequestParams& aParams) const {
         return false;
       }
 
+      if (NS_WARN_IF(params.size() > UINT32_MAX)) {
+        ASSERT_UNLESS_FUZZING();
+        return false;
+      }
+
       break;
     }
 

dom/indexedDB/IDBFileHandle.cpp

@@ -387,6 +387,11 @@ bool IDBFileHandle::CheckStateAndArgumentsForRead(uint64_t aSize,
     return false;
   }
 
+  if (aSize > UINT32_MAX) {
+    aRv.ThrowTypeError(u"Data size for read is too large.");
+    return false;
+  }
+
   return true;
 }