Update NSPR to 4.12 and NSS to 3.23 on iOS

nspr/pr/src/io/prprf.c

 /* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
 /* This Source Code Form is subject to the terms of the Mozilla Public
  * License, v. 2.0. If a copy of the MPL was not distributed with this
  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
 
 /*
 ** Portable safe sprintf code.
 **
 ** Author: Kipp E.B. Hickman
 */
@@ skipping 19 matching lines @@
 ** XXX This needs to be internationalized!
 */
 
 typedef struct SprintfStateStr SprintfState;
 
 struct SprintfStateStr {
     int (*stuff)(SprintfState *ss, const char *sp, PRUint32 len);
 
     char *base;
     char *cur;
-    PRUint32 maxlen;
+    PRUint32 maxlen;  /* Must not exceed PR_INT32_MAX. */
 
     int (*func)(void *arg, const char *sp, PRUint32 len);
     void *arg;
 };
 
 /*
 ** Numbered Argument
 */
 struct NumArg {
     int type;           /* type of the numbered argument    */
@@ skipping 639 matching lines @@
 #ifdef WIN32
         const WCHAR *ws;
 #endif
     } u;
     const char *fmt0;
     static char *hex = "0123456789abcdef";
     static char *HEX = "0123456789ABCDEF";
     char *hexp;
     int rv, i;
     struct NumArg* nas = NULL;
-    struct NumArg* nap;
+    struct NumArg* nap = NULL;
     struct NumArg  nasArray[ NAS_DEFAULT_NUM ];
     char  pattern[20];
     const char* dolPt = NULL;  /* in "%4$.2f", dolPt will point to . */
 #ifdef WIN32
     char *pBuf = NULL;
 #endif
 
     /*
     ** build an argument array, IF the fmt is numbered argument
     ** list style, to contain the Numbered Argument list pointers
@@ skipping 342 matching lines @@
 
     return rv;
 }
 
 /************************************************************************/
 
 static int FuncStuff(SprintfState *ss, const char *sp, PRUint32 len)
 {
     int rv;
 
+    /*
+    ** We will add len to ss->maxlen at the end of the function. First check
+    ** if ss->maxlen + len would overflow or be greater than PR_INT32_MAX.
+    */
+    if (PR_UINT32_MAX - ss->maxlen < len || ss->maxlen + len > PR_INT32_MAX) {
+        return -1;
+    }
     rv = (*ss->func)(ss->arg, sp, len);
     if (rv < 0) {
         return rv;
     }
     ss->maxlen += len;
     return 0;
 }
 
 PR_IMPLEMENT(PRUint32) PR_sxprintf(PRStuffFunc func, void *arg, 
                                  const char *fmt, ...)
@@ skipping 25 matching lines @@
 ** Stuff routine that automatically grows the malloc'd output buffer
 ** before it overflows.
 */
 static int GrowStuff(SprintfState *ss, const char *sp, PRUint32 len)
 {
     ptrdiff_t off;
     char *newbase;
     PRUint32 newlen;
 
     off = ss->cur - ss->base;
+    if (PR_UINT32_MAX - len < off) {
+        /* off + len would be too big. */
+        return -1;
+    }
     if (off + len >= ss->maxlen) {
         /* Grow the buffer */
-        newlen = ss->maxlen + ((len > 32) ? len : 32);
+        PRUint32 increment = (len > 32) ? len : 32;
+        if (PR_UINT32_MAX - ss->maxlen < increment) {
+            /* ss->maxlen + increment would overflow. */
+            return -1;
+        }
+        newlen = ss->maxlen + increment;
+        if (newlen > PR_INT32_MAX) {
+            return -1;
+        }
         if (ss->base) {
             newbase = (char*) PR_REALLOC(ss->base, newlen);
         } else {
             newbase = (char*) PR_MALLOC(newlen);
         }
         if (!newbase) {
             /* Ran out of memory */
             return -1;
         }
         ss->base = newbase;
@@ skipping 82 matching lines @@
     va_end(ap);
     return rv;
 }
 
 PR_IMPLEMENT(PRUint32) PR_vsnprintf(char *out, PRUint32 outlen,const char *fmt,
                                   va_list ap)
 {
     SprintfState ss;
     PRUint32 n;
 
-    PR_ASSERT((PRInt32)outlen > 0);
-    if ((PRInt32)outlen <= 0) {
+    PR_ASSERT(outlen != 0 && outlen <= PR_INT32_MAX);
+    if (outlen == 0 || outlen > PR_INT32_MAX) {
         return 0;
     }
 
     ss.stuff = LimitStuff;
     ss.base = out;
     ss.cur = out;
     ss.maxlen = outlen;
     (void) dosprintf(&ss, fmt, ap);
 
     /* If we added chars, and we didn't append a null, do it now. */
@@ skipping 15 matching lines @@
     return rv;
 }
 
 PR_IMPLEMENT(char *) PR_vsprintf_append(char *last, const char *fmt, va_list ap)
 {
     SprintfState ss;
     int rv;
 
     ss.stuff = GrowStuff;
     if (last) {
-        int lastlen = strlen(last);
+        size_t lastlen = strlen(last);
+        if (lastlen > PR_INT32_MAX) {
+            return 0;
+        }
         ss.base = last;
         ss.cur = last + lastlen;
         ss.maxlen = lastlen;
     } else {
         ss.base = 0;
         ss.cur = 0;
         ss.maxlen = 0;
     }
     rv = dosprintf(&ss, fmt, ap);
     if (rv < 0) {
         if (ss.base) {
             PR_DELETE(ss.base);
         }
         return 0;
     }
     return ss.base;
 }