From 50b3b5c24b2f9d57e71d73e27796508fa9e39cb9 Mon Sep 17 00:00:00 2001
From: "timeless%mozdev.org"
Date: Thu, 4 Aug 2005 01:52:01 +0000
Subject: [PATCH] Bug 303213 integer overflow in js patch by mrbkap r=brendan a=brendan

---
 js/src/jsstr.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/js/src/jsstr.c b/js/src/jsstr.c
index d1145535835..3e4753710e1 100644
--- a/js/src/jsstr.c
+++ b/js/src/jsstr.c
@@ -361,6 +361,12 @@ js_str_escape(JSContext *cx, JSObject *obj, uintN argc, jsval *argv, jsval *rval
         } else {
             newlength += 5; /* The character will be encoded as %uXXXX */
         }
+
+        /* NB: this works because newlength can be incremented by at most 5. */
+        if (newlength < length) {
+            JS_ReportOutOfMemory(cx);
+            return JS_FALSE;
+        }
     }
     if (newlength >= ~(size_t)0 / sizeof(jschar)) {