From 2e44e0589f111f3e2f3ff3f181f5ccdff82123a0 Mon Sep 17 00:00:00 2001
From: Pale Moon
Date: Thu, 22 Sep 2016 22:08:16 +0200
Subject: [PATCH] Add size check for large images.
---
 dom/base/ImageEncoder.cpp | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/dom/base/ImageEncoder.cpp b/dom/base/ImageEncoder.cpp
index 2fd5ecc568..3f84e41eb3 100644
--- a/dom/base/ImageEncoder.cpp
+++ b/dom/base/ImageEncoder.cpp
@@ -411,6 +411,11 @@ ImageEncoder::ExtractDataInternal(const nsAString& aType,
 imgStream = do_QueryInterface(aEncoder);
 }
 } else {
+ CheckedInt32 requiredBytes = CheckedInt32(aSize.width) * CheckedInt32(aSize.height) * 4;
+ if (MOZ_UNLIKELY(!requiredBytes.isValid())) {
+ return NS_ERROR_INVALID_ARG;
+ }
+
 // no context, so we have to encode an empty image
 // note that if we didn't have a current context, the spec says we're
 // supposed to just return transparent black pixels of the canvas
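Review bot: The new guard in the `else` branch rejects only int32 overflow of `width * height * 4`, so a negative `aSize.width` or `aSize.height` still produces a valid `CheckedInt32` and passes. If nothing upstream guarantees non-negative dimensions (not visible here), extend it to `if (MOZ_UNLIKELY(aSize.width < 0 || aSize.height < 0 || !requiredBytes.isValid())) {`. `requiredBytes` is also never read again inside the hunk, and the code that builds the empty image lies below it, so it is worth confirming that the buffer there is sized from `requiredBytes.value()` rather than from a second, unchecked multiplication. A short comment such as `// 4 bytes per pixel; reject sizes whose buffer length overflows int32` would explain the literal `4`. The body of ExtractDataInternal starts and ends outside the hunk.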