CVE-2020-26960-1.patch 1.55 KB
wangxiao65 committed on 2021-01-07 15:15 . fix cves
# HG changeset patch
# User Jon Coppeard <jcoppeard@mozilla.com>
# Date 1603288236 0
# Wed Oct 21 13:50:36 2020 +0000
# Node ID 7e223284a9225c66b590aaad671c7448d1ff0b57
# Parent dfcb025567da9e33bf724520e0146fef3d776d5f
Bug 1670358 - Don't use realloc for shrinking nsTArrays and similar when RelocationStrategy::allowRealloc is false r=sg
My original patch handled the grow case but not the shrink case. When the
current and new allocation sizes are in different size classes jemalloc's
realloc will move the allocation when shrinking, not just truncate the existing
one.
Differential Revision: https://phabricator.services.mozilla.com/D93654
diff -r dfcb025567da -r 7e223284a922 xpcom/ds/nsTArray-inl.h
--- a/xpcom/ds/nsTArray-inl.h Thu Oct 22 07:36:15 2020 +0000
+++ b/xpcom/ds/nsTArray-inl.h Wed Oct 21 13:50:36 2020 +0000
@@ -259,10 +259,27 @@
}
size_type size = sizeof(Header) + length * aElemSize;
- void* ptr = nsTArrayFallibleAllocator::Realloc(mHdr, size);
- if (!ptr) {
- return;
+ void* ptr;
+
+ if (!RelocationStrategy::allowRealloc) {
+ // Malloc() and copy.
+ ptr = static_cast<Header*>(nsTArrayFallibleAllocator::Malloc(size));
+ if (!ptr) {
+ return;
+ }
+
+ RelocationStrategy::RelocateNonOverlappingRegionWithHeader(
+ ptr, mHdr, Length(), aElemSize);
+
+ nsTArrayFallibleAllocator::Free(mHdr);
+ } else {
+ // Realloc() existing data.
+ ptr = nsTArrayFallibleAllocator::Realloc(mHdr, size);
+ if (!ptr) {
+ return;
+ }
}
+
mHdr = static_cast<Header*>(ptr);
mHdr->mCapacity = length;
}
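Review bot: in the new Malloc() branch the buffer is sized from the local `length` (`size = sizeof(Header) + length * aElemSize`) while the relocation call copies `Length()` elements, and the hunk does not show where `length` is assigned. Pass the same `length` to `RelocateNonOverlappingRegionWithHeader`, or assert that it equals `Length()`, so the copy can never run past the freshly allocated block. The `static_cast<Header*>` on the Malloc() result is also redundant, since `ptr` is declared `void*` and is cast again at `mHdr = static_cast<Header*>(ptr);`. The `// Malloc() and copy.` comment would be more useful if it said why realloc is avoided here even when shrinking, which is the commit message's point that jemalloc can move the allocation when the old and new sizes fall in different size classes.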