Macintosh-SW
/
tenfourfox
mirror of https://github.com/classilla/tenfourfox.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

limit maximum CSS value/variable lengths

This commit is contained in:
Cameron Kaiser 2019-01-07 20:18:45 -08:00
parent 99bece105f
commit 69249a563c
1 changed files with 9 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
layout/style/nsCSSParser.cpp
View File

@ -1436,6 +1436,9 @@ protected:
// All data from successfully parsed properties are placed into |mData|.
nsCSSExpandedDataBlock mData;
// Value to make sure our resolved variable results stay within sane limits.
const uint32_t MAX_CSS_VAR_LENGTH = 10240;
public:
// Used from nsCSSParser constructors and destructors
CSSParserImpl* mNextFree;
@ -2612,6 +2615,12 @@ CSSParserImpl::ResolveValueWithVariableReferencesRec(
// Invalid variable with no fallback.
return false;
}
// Make sure we are still using sane sizes for value and
// variableValue, and abort if OOB.
if (MOZ_UNLIKELY((value.Length() > MAX_CSS_VAR_LENGTH) ||
(variableValue.Length() > MAX_CSS_VAR_LENGTH))) {
return false;
}
// Valid variable with no fallback.
AppendTokens(value, valueFirstToken, valueLastToken,
varFirstToken, varLastToken, variableValue);