Bug 1741210 Comment 4 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Local storage can use 5M of quota per origin, and the IPC messages are limited to 512M. The data field sizes in the underlying database are limited to the maximum signed 32-bit integer. The compression header stores the uncompressed size as a 32-bit unsigned integer which is cast to size_t only on return. It's not easy to see how this could be exploitable.
Local storage can use 5M of quota per origin, and the IPC messages are limited to 512M. The data field sizes in the underlying database are limited to the maximum signed 32-bit integer.

The compression header stores the uncompressed size as a 32-bit unsigned integer which is cast to size_t only on return, see https://searchfox.org/mozilla-central/rev/fb8d77331582639ea6848a61dd8ee812fac31b77/dom/localstorage/SnappyUtils.cpp#23 and https://searchfox.org/mozilla-central/source/other-licenses/snappy/src/snappy-stubs-internal.h#535 and one more implementation https://searchfox.org/mozilla-central/source/other-licenses/snappy/src/snappy.cc#779

For me, it's not easy to see how to exploit this.
Local storage can use 5M of quota per origin, and the IPC messages are limited to 512M. The data field sizes in the underlying database are limited to the maximum signed 32-bit integer.

The compression header stores the uncompressed size as a 32-bit unsigned integer which is cast to size_t only on return, see https://searchfox.org/mozilla-central/source/other-licenses/snappy/src/snappy.cc#431, https://searchfox.org/mozilla-central/source/other-licenses/snappy/src/snappy-stubs-internal.h#535 and one more implementation https://searchfox.org/mozilla-central/source/other-licenses/snappy/src/snappy.cc#779

For me, it's not easy to see how to exploit this.
Local storage can use 5M of quota per origin, and the IPC messages are limited to 512M. The data field sizes in the underlying database are limited to the maximum signed 32-bit integer.

The compression header stores the uncompressed size as a 32-bit unsigned integer which is cast to size_t only on return, see https://searchfox.org/mozilla-central/source/other-licenses/snappy/src/snappy.cc#431, https://searchfox.org/mozilla-central/source/other-licenses/snappy/src/snappy-stubs-internal.h#535 and another implementation https://searchfox.org/mozilla-central/source/other-licenses/snappy/src/snappy.cc#779

For me, it's not easy to see how to exploit this.
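Added illustration of the bound the comment relies on, not code from the bug, from Firefox, or from the Snappy project: a C routine that decodes the Snappy stream preamble (the uncompressed length, which Snappy encodes as a little-endian base-128 varint of at most five bytes that must fit in 32 bits) and refuses the request before any allocation if the header is malformed or the declared length exceeds a storage quota. The quota constant, the function names and the sample headers are hypothetical and constructed for this example; the uint32_t to size_t cast is a widening conversion, so the check against the quota is what keeps an attacker-controlled header from requesting more memory than an origin may store.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical ceiling for this example, modelled on the 5M per-origin
   quota mentioned in the comment; not a constant taken from Firefox. */
#define EXAMPLE_QUOTA_BYTES (5u * 1024u * 1024u)

enum preamble_status {
    PREAMBLE_OK = 0,
    PREAMBLE_MALFORMED = -1,   /* truncated varint, or value does not fit in 32 bits */
    PREAMBLE_OVER_QUOTA = -2   /* declared length exceeds the allowed ceiling */
};

/* Decode the Snappy preamble: a little-endian base-128 varint of at most
   5 bytes holding the uncompressed length, which must fit in 32 bits.
   Returns false rather than silently wrapping when it does not. */
static bool decode_uncompressed_length(const uint8_t *buf, size_t n,
                                       uint32_t *len, size_t *consumed)
{
    uint32_t value = 0;
    for (size_t i = 0; i < n && i < 5; i++) {
        uint32_t payload = buf[i] & 0x7fu;
        if (i == 4 && payload > 0x0fu)
            return false;                  /* 5th byte may carry only 4 bits */
        value |= payload << (7 * i);
        if ((buf[i] & 0x80u) == 0) {       /* continuation bit clear: done */
            *len = value;
            *consumed = i + 1;
            return true;
        }
    }
    return false;                          /* ran out of input, or > 5 bytes */
}

/* Gate the declared length before it is widened and used for allocation.
   The uint32_t -> size_t cast is widening and cannot wrap, so the only
   thing left to enforce is the quota. */
int validate_decompress_request(const uint8_t *buf, size_t n, size_t quota,
                                uint32_t *declared_len)
{
    size_t consumed = 0;
    uint32_t len = 0;
    if (!decode_uncompressed_length(buf, n, &len, &consumed))
        return PREAMBLE_MALFORMED;
    if ((size_t)len > quota)
        return PREAMBLE_OVER_QUOTA;
    if (declared_len)
        *declared_len = len;
    return PREAMBLE_OK;
}

int main(void)
{
    /* Constructed sample preambles (varint only, no compressed payload). */
    const uint8_t small[]     = {0xE8, 0x07};                    /* 1000 */
    const uint8_t at_quota[]  = {0x80, 0x80, 0xC0, 0x02};        /* 5242880 */
    const uint8_t max_u32[]   = {0xFF, 0xFF, 0xFF, 0xFF, 0x0F};  /* 4294967295 */
    const uint8_t overflow[]  = {0xFF, 0xFF, 0xFF, 0xFF, 0x1F};  /* > 32 bits */
    const uint8_t truncated[] = {0xE8};                          /* cut off */
    uint32_t len = 0;

    printf("small:     %d (len %u)\n",
           validate_decompress_request(small, sizeof small, EXAMPLE_QUOTA_BYTES, &len), len);
    printf("at_quota:  %d (len %u)\n",
           validate_decompress_request(at_quota, sizeof at_quota, EXAMPLE_QUOTA_BYTES, &len), len);
    printf("max_u32:   %d\n",
           validate_decompress_request(max_u32, sizeof max_u32, EXAMPLE_QUOTA_BYTES, NULL));
    printf("overflow:  %d\n",
           validate_decompress_request(overflow, sizeof overflow, EXAMPLE_QUOTA_BYTES, NULL));
    printf("truncated: %d\n",
           validate_decompress_request(truncated, sizeof truncated, EXAMPLE_QUOTA_BYTES, NULL));
    return 0;
}
```

The useful property is that the quota check happens on the declared length, before decompression or allocation, so a header claiming close to 2^32 bytes is rejected rather than honoured, and a header that does not decode as a valid 32-bit varint is rejected without ever producing a length.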
