From 0623ead32d08199fbe7e1b69590c03a43b00c16f Mon Sep 17 00:00:00 2001
From: Steve Workman
Date: Wed, 21 Sep 2011 15:21:42 -0400
Subject: [PATCH] Bug 373899: Add checks to nsStandardURL. r=honzab
---
 netwerk/base/src/nsStandardURL.cpp | 20 ++++++++++++++++----
 netwerk/base/src/nsStandardURL.h | 2 +-
 2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/netwerk/base/src/nsStandardURL.cpp b/netwerk/base/src/nsStandardURL.cpp
index 775782acd39..404352cdabd 100644
--- a/netwerk/base/src/nsStandardURL.cpp
+++ b/netwerk/base/src/nsStandardURL.cpp
@@ -855,11 +855,23 @@ nsStandardURL::ParsePath(const char *spec, PRUint32 pathPos, PRInt32 pathLen)
 char *
 nsStandardURL::AppendToSubstring(PRUint32 pos,
 PRInt32 len,
- const char *tail,
- PRInt32 tailLen)
+ const char *tail)
 {
- if (tailLen < 0)
- tailLen = strlen(tail);
+ // Verify pos and length are within boundaries
+ if (pos > mSpec.Length())
+ return NULL;
+ if (len < 0)
+ return NULL;
+ if ((PRUint32)len > (mSpec.Length() - pos))
+ return NULL;
+ if (!tail)
+ return NULL;
+
+ PRUint32 tailLen = strlen(tail);
+
+ // Check for int overflow for proposed length of combined string
+ if (PR_UINT32_MAX - ((PRUint32)len + 1) < tailLen)
+ return NULL;
 char *result = (char *) NS_Alloc(len + tailLen + 1);
 if (result) {
diff --git a/netwerk/base/src/nsStandardURL.h b/netwerk/base/src/nsStandardURL.h
index d9b526853fc..a5689393211 100644
--- a/netwerk/base/src/nsStandardURL.h
+++ b/netwerk/base/src/nsStandardURL.h
@@ -214,7 +214,7 @@ private:
 nsresult ParseURL(const char *spec, PRInt32 specLen);
 nsresult ParsePath(const char *spec, PRUint32 pathPos, PRInt32 pathLen = -1);
- char *AppendToSubstring(PRUint32 pos, PRInt32 len, const char *tail, PRInt32 tailLen = -1);
+ char *AppendToSubstring(PRUint32 pos, PRInt32 len, const char *tail);
 // dependent substring helpers
 const nsDependentCSubstring Segment(PRUint32 pos, PRInt32 len); // see below
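Review bot: The new early returns in `AppendToSubstring` make a NULL result mean either a rejected argument or a failed `NS_Alloc`, and nothing in the hunk records which one happened. An out-of-range `pos` or `len` would point at inconsistent segment offsets elsewhere in the class, so it is worth surfacing in debug builds, for example `NS_ASSERTION(pos <= mSpec.Length(), "pos past end of mSpec");` ahead of the first return, plus a comment above the function stating that NULL covers both bad arguments and allocation failure. Separately, `PRUint32 tailLen = strlen(tail);` narrows a `size_t` on 64-bit builds; the same truncated value feeds the overflow check and the allocation size, so this looks like a shortened copy rather than an overrun, but a comment or explicit range check would document the intent. The function body continues past the hunk and its callers are not shown, so whether every caller handles NULL cannot be confirmed from here.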