tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE
commit 18849893142db455caa555938315694e8fd77065
parent 5d8a3be70865190b7b4e39e0721d7a86cbf6d190
Author: Andrew McCreight <continuation@gmail.com>
Date:   Mon, 13 Oct 2025 13:47:15 +0000

Bug 1445260 - Add release-mode checks to Vector's operator[], back() and popBack(). r=nika

Also, while I am touching this file, change some typedefs to using.

Differential Revision: https://phabricator.services.mozilla.com/D266670

Diffstat:

Mmfbt/Vector.h | 26++++++++++++++++++--------


1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/mfbt/Vector.h b/mfbt/Vector.h
@@ -344,8 +344,8 @@ class MOZ_NON_PARAM MOZ_GSL_OWNER Vector final : private AllocPolicy {
   /* utilities */
   static constexpr bool kElemIsPod =
       std::is_trivial_v<T> && std::is_standard_layout_v<T>;
-  typedef detail::VectorImpl<T, MinInlineCapacity, AllocPolicy, kElemIsPod>
-      Impl;
+  using Impl =
+      detail::VectorImpl<T, MinInlineCapacity, AllocPolicy, kElemIsPod>;
   friend struct detail::VectorImpl<T, MinInlineCapacity, AllocPolicy,
                                    kElemIsPod>;
 
@@ -538,7 +538,7 @@ class MOZ_NON_PARAM MOZ_GSL_OWNER Vector final : private AllocPolicy {
  public:
   static const size_t sMaxInlineStorage = MinInlineCapacity;
 
-  typedef T ElementType;
+  using ElementType = T;
 
   explicit Vector(AllocPolicy);
   Vector() : Vector(AllocPolicy()) {}
@@ -583,25 +583,33 @@ class MOZ_NON_PARAM MOZ_GSL_OWNER Vector final : private AllocPolicy {
 
   T& operator[](size_t aIndex) {
     MOZ_ASSERT(!mEntered);
-    MOZ_ASSERT(aIndex < mLength);
+    if (MOZ_UNLIKELY(aIndex >= mLength)) {
+      mozilla::detail::InvalidArrayIndex_CRASH(aIndex, mLength);
+    }
     return begin()[aIndex];
   }
 
   const T& operator[](size_t aIndex) const {
     MOZ_ASSERT(!mEntered);
-    MOZ_ASSERT(aIndex < mLength);
+    if (MOZ_UNLIKELY(aIndex >= mLength)) {
+      mozilla::detail::InvalidArrayIndex_CRASH(aIndex, mLength);
+    }
     return begin()[aIndex];
   }
 
   T& back() {
     MOZ_ASSERT(!mEntered);
-    MOZ_ASSERT(!empty());
+    if (MOZ_UNLIKELY(empty())) {
+      mozilla::detail::InvalidArrayIndex_CRASH(0, 0);
+    }
     return *(end() - 1);
   }
 
   const T& back() const {
     MOZ_ASSERT(!mEntered);
-    MOZ_ASSERT(!empty());
+    if (MOZ_UNLIKELY(empty())) {
+      mozilla::detail::InvalidArrayIndex_CRASH(0, 0);
+    }
     return *(end() - 1);
   }
 
@@ -1519,7 +1527,9 @@ MOZ_ALWAYS_INLINE bool Vector<T, N, AP>::append(const U* aInsBegin,
 template <typename T, size_t N, class AP>
 MOZ_ALWAYS_INLINE void Vector<T, N, AP>::popBack() {
   MOZ_REENTRANCY_GUARD_ET_AL;
-  MOZ_ASSERT(!empty());
+  if (MOZ_UNLIKELY(empty())) {
+    mozilla::detail::InvalidArrayIndex_CRASH(0, 0);
+  }
   --mLength;
   endNoCheck()->~T();
 }