Index: /trunk/src/libs/xpcom18a4/nsprpub/lib/ds/plarena.c
===================================================================
--- /trunk/src/libs/xpcom18a4/nsprpub/lib/ds/plarena.c	(revision 58733)
+++ /trunk/src/libs/xpcom18a4/nsprpub/lib/ds/plarena.c	(revision 58734)
@@ -116,4 +116,7 @@
     pool->mask = PR_BITMASK(PR_CeilingLog2(align));
     pool->first.next = NULL;
+    /* Set all three addresses in pool->first to the same dummy value.
+     * These addresses are only compared with each other, but never
+     * dereferenced. */
     pool->first.base = pool->first.avail = pool->first.limit =
         (PRUword)PL_ARENA_ALIGN(pool, &pool->first + 1);
@@ -159,8 +162,12 @@
     PLArena *a;   
     char *rp;     /* returned pointer */
+    PRUint32 nbOld;
 
     PR_ASSERT((nb & pool->mask) == 0);
     
+    nbOld = nb;
     nb = (PRUword)PL_ARENA_ALIGN(pool, nb); /* force alignment */
+    if (nb < nbOld)
+        return NULL;
 
     /* attempt to allocate from arenas at pool->current */
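Review bot: The new early return at `if (nb < nbOld)` carries no comment explaining why a smaller aligned value means failure. I would add `/* rounding nb up to the pool alignment wrapped past PR_UINT32_MAX; refuse rather than hand back a block shorter than requested */` above the test, and initialise at the declaration (`PRUint32 nbOld = nb;` placed after the assertion) rather than in a separate statement. The function body continues outside this hunk. The later computation of a fresh arena's size is not visible here, and it presumably adds the header size and mask to `nb`, so it is worth confirming that sum is guarded against wrap as well.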
@@ -218,4 +225,5 @@
             rp = (char *)a->avail;
             a->avail += nb;
+            PR_ASSERT(a->avail <= a->limit);
             /* the newly allocated arena is linked after pool->current 
             *  and becomes pool->current */
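Review bot: The added `PR_ASSERT(a->avail <= a->limit)` runs after `a->avail += nb`, so if that addition wraps the assertion can pass on a corrupted pointer. PR_ASSERT is also normally compiled out of non-debug builds, which leaves release builds with no check at this point. If an oversized `nb` can reach this branch, test before advancing, e.g. `if (nb > a->limit - a->avail)` followed by the failure path, and keep the assertion only as a debug aid. The enclosing branch starts and ends outside the hunk, so how to release the freshly allocated arena on failure needs to be confirmed there.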
@@ -240,4 +248,6 @@
     void *newp;
 
+    if (PR_UINT32_MAX - size < incr)
+        return NULL;
     PL_ARENA_ALLOCATE(newp, pool, size + incr);
     if (newp)
Index: /trunk/src/libs/xpcom18a4/nsprpub/lib/ds/plarena.h
===================================================================
--- /trunk/src/libs/xpcom18a4/nsprpub/lib/ds/plarena.h	(revision 58733)
+++ /trunk/src/libs/xpcom18a4/nsprpub/lib/ds/plarena.h	(revision 58734)
@@ -109,13 +109,17 @@
     PR_BEGIN_MACRO \
         PLArena *_a = (pool)->current; \
-        PRUint32 _nb = PL_ARENA_ALIGN(pool, nb); \
+        PRUint32 _nb = PL_ARENA_ALIGN(pool, (PRUint32)nb); \
         PRUword _p = _a->avail; \
-        PRUword _q = _p + _nb; \
-        if (_q > _a->limit) \
+        if (_nb < (PRUint32)nb) { \
+            _p = 0; \
+        } else if (_nb > (_a->limit - _a->avail)) { \
             _p = (PRUword)PL_ArenaAllocate(pool, _nb); \
-        else \
-            _a->avail = _q; \
+        } else { \
+            _a->avail += _nb; \
+        } \
         p = (void *)_p; \
-        PL_ArenaCountAllocation(pool, nb); \
+        if (p) { \
+            PL_ArenaCountAllocation(pool, nb); \
+        } \
     PR_END_MACRO
 
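Review bot: The new casts are written `(PRUint32)nb` on an unparenthesized macro argument, so for an expression argument the cast binds only to the first operand. The call `PL_ARENA_ALLOCATE(newp, pool, size + incr)` in plarena.c in this same change expands to `(PRUint32)size + incr`. That is harmless there only if both operands are already PRUint32 (their declarations are not visible here); with a wider argument the wrap test `_nb < (PRUint32)nb` would compare against the wrong value. Write `(PRUint32)(nb)` in both places, and likewise `(PRUint32)(incr)` in the PL_ARENA_GROW hunk that follows. `nb` is also evaluated several times, so a comment on the macro should warn against arguments with side effects.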
@@ -123,15 +127,17 @@
     PR_BEGIN_MACRO \
         PLArena *_a = (pool)->current; \
-        PRUint32 _incr = PL_ARENA_ALIGN(pool, incr); \
-        PRUword _p = _a->avail; \
-        PRUword _q = _p + _incr; \
-        if (_p == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \
-            _q <= _a->limit) { \
-            _a->avail = _q; \
-            PL_ArenaCountInplaceGrowth(pool, size, incr); \
+        PRUint32 _incr = PL_ARENA_ALIGN(pool, (PRUint32)incr); \
+        if (_incr < (PRUint32)incr) { \
+            p = NULL; \
+        } else if (_a->avail == (PRUword)(p) + PL_ARENA_ALIGN(pool, size) && \
+            _incr <= (_a->limit - _a->avail)) { \
+            _a->avail = _incr; \
+            PL_ArenaCountInplaceGrowth(pool, size, (RTUint32)incr); \
         } else { \
-            p = PL_ArenaGrow(pool, p, size, incr); \
-        } \
-        PL_ArenaCountGrowth(pool, size, incr); \
+            p = PL_ArenaGrow(pool, p, size, (PRUint32)incr); \
+        } \
+        if (p) { \
+            PL_ArenaCountGrowth(pool, size, (PRUint32)incr); \
+        } \
     PR_END_MACRO
 
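Review bot: The in-place branch now does `_a->avail = _incr;`, which stores the aligned increment itself as the arena's next-free address instead of advancing it. The removed code set `avail` to `_p + _incr`, so this line should read `_a->avail += _incr;`. As written, the first successful in-place grow leaves `avail` holding a small integer rather than an address inside the arena, so later allocations from this arena would return invalid memory. The same branch casts with `(RTUint32)incr`, a type name that appears nowhere else in this diff and looks like a typo for `(PRUint32)incr`. It presumably compiles only in builds where `PL_ArenaCountInplaceGrowth` expands to nothing.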
