Bug 847347 Comment 13 Edit History
Running the crash in the debugger confirms the assumption from [comment 11](https://bugzilla.mozilla.org/show_bug.cgi?id=847347#c11). Though `Substring` just wraps the already allocated memory here, it still checks the length against its [`kMaxCapacity`](https://searchfox.org/mozilla-central/rev/62494de24f8d4aa003b6ff911e025e07a6d7a117/xpcom/string/nsTSubstring.h#1357) member, which is significantly lower (approx. 1GB), and issues a `MOZ_RELEASE_ASSERT(CheckCapacity(aLength), "String is too large.");`. Though I can understand the rationale behind assuming string allocations to not require explicit OOM error handling, in this case it would be advisable to have it. A naive approach could be to hand-check the allowed capacity like

```cpp
// CheckCapacity checks if the data can fit into a nsTSubstring
if (!nsTSubstring<char>::CheckCapacity(aDataLen)) {
  return NS_ERROR_OUT_OF_MEMORY;
}
auto tmp = Substring(aFileData, aDataLen);
nsCString encodedData;
nsresult rv = Base64Encode(tmp, encodedData);
NS_ENSURE_SUCCESS(rv, rv);
```

but `nsTSubstring<char>::CheckCapacity(aDataLen)` is a protected member of `nsTSubstring`. Probably a cleaner approach would be to add a public static function that checks capacity before constructing the substring object?
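The failure mode and the proposed fix, as an added stand-alone example that is not Mozilla's code: `MockSubstring`, `FitsCapacity`, `WrapFileData` and the `nsresult` values are constructed stand-ins for `nsTSubstring`, the proposed public static check, the calling code and the real error codes, and `kMaxCapacity` is scaled down from ~1GB so the oversized case can be exercised. The constructor reproduces the release-assert behaviour; the caller's pre-check turns an attacker-sized input into an error return instead of a process abort.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstdlib>

// Constructed stand-in for Mozilla's nsresult codes (values are placeholders).
using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_OUT_OF_MEMORY = 0x8007000E;

// Minimal mock of nsTSubstring: a non-owning view whose constructor enforces
// kMaxCapacity with a release assert, as the comment describes. The limit is
// scaled down here (hypothetical value) so the failing path can be tested.
class MockSubstring {
 public:
  static constexpr size_t kMaxCapacity = 1024;  // ~1GB in the real class

  // Proposed public static helper: callers can check the limit before
  // constructing, instead of tripping the assert inside the constructor.
  static bool FitsCapacity(size_t aLength) { return aLength <= kMaxCapacity; }

  MockSubstring(const char* aData, size_t aLength)
      : mData(aData), mLength(aLength) {
    if (!CheckCapacity(aLength)) {
      // Equivalent of MOZ_RELEASE_ASSERT: aborts the process in release builds.
      std::fputs("String is too large.\n", stderr);
      std::abort();
    }
  }
  const char* Data() const { return mData; }
  size_t Length() const { return mLength; }

 protected:
  // Protected, as on the real class, so callers cannot use it directly.
  static bool CheckCapacity(size_t aLength) { return aLength <= kMaxCapacity; }

 private:
  const char* mData;
  size_t mLength;
};

// Caller wrapping file data of untrusted size. With the pre-check, an
// oversized buffer yields NS_ERROR_OUT_OF_MEMORY rather than a crash.
nsresult WrapFileData(const char* aFileData, size_t aDataLen, size_t* aOutLen) {
  if (!MockSubstring::FitsCapacity(aDataLen)) {
    return NS_ERROR_OUT_OF_MEMORY;
  }
  MockSubstring tmp(aFileData, aDataLen);
  *aOutLen = tmp.Length();
  return NS_OK;
}
```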