From cb2f1c60539427508f084bcfb96c004ce8fe675d Mon Sep 17 00:00:00 2001
From: Daniel Veditz
Date: Fri, 24 Oct 2008 16:47:41 -0700
Subject: [PATCH] bug 443299: prevent potential OOM dos and null-deref crash. Patch by Justin Schuh, r=cbiesinger, sr=dveditz
---
 netwerk/streamconv/converters/nsDirIndexParser.cpp | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/netwerk/streamconv/converters/nsDirIndexParser.cpp b/netwerk/streamconv/converters/nsDirIndexParser.cpp
index 41b50fe2833..0927ee65948 100644
--- a/netwerk/streamconv/converters/nsDirIndexParser.cpp
+++ b/netwerk/streamconv/converters/nsDirIndexParser.cpp
@@ -190,6 +190,10 @@ nsDirIndexParser::ParseFormat(const char* aFormatStr) {
 ++pos;
 ++num;
+ // There are a maximum of six allowed header fields (doubled plus
+ // terminator, just in case) -- Bug 443299
+ if (num > (2 * NS_ARRAY_LENGTH(gFieldTable)))
+ return NS_ERROR_UNEXPECTED;
 if (! *pos) break;
@@ -200,6 +204,9 @@ nsDirIndexParser::ParseFormat(const char* aFormatStr) {
 } while (*pos);
 mFormat = new int[num+1];
+ // Prevent NULL Deref - Bug 443299
+ if (mFormat == nsnull)
+ return NS_ERROR_OUT_OF_MEMORY;
 mFormat[num] = -1;
 int formatNum=0;
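Review bot: The early `return NS_ERROR_UNEXPECTED;` added inside the counting loop leaves ParseFormat before `mFormat` is reassigned. If the previous array has already been released earlier in the function (that part is outside the hunk), the member would keep pointing at freed memory for any later use or cleanup. If so, clear it before bailing out with `mFormat = nsnull;` just ahead of the return, or release the old array only after the count has been validated. Separately, the limit `2 * NS_ARRAY_LENGTH(gFieldTable)` would read better as a named constant whose comment states the intended maximum, instead of "doubled plus terminator, just in case".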
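Review bot: The added `if (mFormat == nsnull)` check after `new int[num+1]` only takes effect if this build's `operator new` returns null on failure; with the standard throwing form the branch is never reached. The allocator configuration is not visible in the hunk, so either state that assumption in the comment or request the non-throwing form explicitly with `mFormat = new (std::nothrow) int[num+1];` (this needs `<new>`). With the field-count cap from the first hunk in place, `num+1` stays small, so the size expression itself is not a concern. ParseFormat's body continues past the end of the hunk.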