dev-libs/nss/files/nss-3.73-CVE-2024-0743.patch

# HG changeset patch
# User John Schanck <jschanck@mozilla.com>
# Date 1702322654 0
# Node ID 1bda168c0da97e19e5f14bc4227c15c0a9f493bf
# Parent  e934c6d1d4366d152e3307cb76af4c02667c9147
Bug 1867408 - add a defensive check for large ssl_DefSend return values. r=nkulatova

Differential Revision: https://phabricator.services.mozilla.com/D195054

diff --git a/lib/ssl/sslsecur.c b/lib/ssl/sslsecur.c
--- a/lib/ssl/sslsecur.c
+++ b/lib/ssl/sslsecur.c
@@ -483,17 +483,22 @@ ssl_SendSavedWriteData(sslSocket *ss)
     PORT_Assert(ss->opt.noLocks || ssl_HaveXmitBufLock(ss));
     if (ss->pendingBuf.len != 0) {
         SSL_TRC(5, ("%d: SSL[%d]: sending %d bytes of saved data",
                     SSL_GETPID(), ss->fd, ss->pendingBuf.len));
         rv = ssl_DefSend(ss, ss->pendingBuf.buf, ss->pendingBuf.len, 0);
         if (rv < 0) {
             return rv;
         }
-        ss->pendingBuf.len -= rv;
+        if (rv > ss->pendingBuf.len) {
+            PORT_Assert(0); /* This shouldn't happen */
+            ss->pendingBuf.len = 0;
+        } else {
+            ss->pendingBuf.len -= rv;
+        }
         if (ss->pendingBuf.len > 0 && rv > 0) {
             /* UGH !! This shifts the whole buffer down by copying it */
             PORT_Memmove(ss->pendingBuf.buf, ss->pendingBuf.buf + rv,
                          ss->pendingBuf.len);
         }
     }
     return rv;
 }