From 7d74f15a31450d27d3664ec7224c00d38d5c9f48 Mon Sep 17 00:00:00 2001
From: Jeff Walden <jwalden@mit.edu>
Date: Tue, 29 Oct 2019 16:42:15 +0000
Subject: [PATCH] Bug 1592325 - Fix an unsigned-integer underflow in
 HashTable.h that's super-easy to trigger using affirmatively wrapping
 operations.  r=froydnj

Differential Revision: https://phabricator.services.mozilla.com/D50960

--HG--
extra : moz-landing-system : lando
---
 mfbt/HashTable.h | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/mfbt/HashTable.h b/mfbt/HashTable.h
index 8e2467230676..abc352c57a15 100644
--- a/mfbt/HashTable.h
+++ b/mfbt/HashTable.h
@@ -90,6 +90,7 @@
 #include "mozilla/ReentrancyGuard.h"
 #include "mozilla/TypeTraits.h"
 #include "mozilla/UniquePtr.h"
+#include "mozilla/WrappingOperations.h"
 
 namespace mozilla {
 
@@ -1700,7 +1701,7 @@ class HashTable : private AllocPolicy {
 
   static HashNumber applyDoubleHash(HashNumber aHash1,
                                     const DoubleHash& aDoubleHash) {
-    return (aHash1 - aDoubleHash.mHash2) & aDoubleHash.mSizeMask;
+    return WrappingSubtract(aHash1, aDoubleHash.mHash2) & aDoubleHash.mSizeMask;
   }
 
   static MOZ_ALWAYS_INLINE bool match(T& aEntry, const Lookup& aLookup) {