From 5327b587c9e588697f1616095ad507e11073226c Mon Sep 17 00:00:00 2001
From: "timeless%mozdev.org"
Date: Thu, 11 May 2006 13:24:42 +0000
Subject: [PATCH] Bug 336983 OOM crash [@ ConvertHTMLtoUCS2] unicodeData Pointer allocated by nsMemory::Alloc dereferenced without NULL check r=bz sr=bz
---
 widget/src/gtk2/nsClipboard.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/widget/src/gtk2/nsClipboard.cpp b/widget/src/gtk2/nsClipboard.cpp
index 7a845c9bccf..98acd0145c7 100644
--- a/widget/src/gtk2/nsClipboard.cpp
+++ b/widget/src/gtk2/nsClipboard.cpp
@@ -625,7 +625,7 @@ void ConvertHTMLtoUCS2(guchar * data, PRInt32 dataLength,
 *unicodeData = NS_REINTERPRET_CAST(PRUnichar*, nsMemory::Alloc((outUnicodeLen + sizeof('\0')) * sizeof(PRUnichar)));
- if (unicodeData) {
+ if (*unicodeData) {
 memcpy(*unicodeData, data + sizeof(PRUnichar), outUnicodeLen * sizeof(PRUnichar));
 (*unicodeData)[outUnicodeLen] = '\0';
@@ -662,7 +662,7 @@ void ConvertHTMLtoUCS2(guchar * data, PRInt32 dataLength,
 *unicodeData = NS_REINTERPRET_CAST(PRUnichar*, nsMemory::Alloc((outUnicodeLen + sizeof('\0')) * sizeof(PRUnichar)));
- if (unicodeData) {
+ if (*unicodeData) {
 PRInt32 numberTmp = dataLength;
 decoder->Convert((const char *)data, &numberTmp, *unicodeData, &outUnicodeLen);
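Review bot: The allocation size `(outUnicodeLen + sizeof('\0')) * sizeof(PRUnichar)` is computed with no range check on outUnicodeLen, and in this first hunk the same value then sizes the `memcpy` from `data + sizeof(PRUnichar)`; the second hunk allocates with the identical expression. outUnicodeLen is assigned outside the hunk, presumably from dataLength, which describes clipboard data handed over by another application, so if it is a signed PRInt32 a negative or oversized value would leave the buffer smaller than the copy and let the read run past `data`. Before allocating I would reject such values, for example `if (outUnicodeLen < 0) { *unicodeData = nsnull; outUnicodeLen = 0; return; }`, and also confirm that the copied range fits inside dataLength. On the failure path the corrected test now skips the copy, but outUnicodeLen keeps its nonzero value, so setting `outUnicodeLen = 0;` in an else branch would stop callers from pairing a length with a null buffer. The function begins and ends outside the hunk, so some of this may already be handled there.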
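Review bot: The result of `decoder->Convert(...)` at the end of the second hunk is discarded, so a failed or partial conversion still leaves the caller with the freshly allocated, uninitialised buffer and whatever value outUnicodeLen ends up with. Assuming Convert returns an nsresult as XPCOM decoder interfaces do, I would capture it with `nsresult rv = decoder->Convert((const char *)data, &numberTmp, *unicodeData, &outUnicodeLen);` and on `NS_FAILED(rv)` release the buffer, set `*unicodeData = nsnull;` and `outUnicodeLen = 0;`. The `if (*unicodeData)` block continues past the end of the hunk, so the termination and any existing error handling are not visible here.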