gnu: icecat: Fix CVE-2015-{2722,2724,2728,2733,2735,2736,2738,2739,2740,2743}.
* gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch, gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2735.patch, gnu/packages/patches/icecat-CVE-2015-2736.patch, gnu/packages/patches/icecat-CVE-2015-2738.patch, gnu/packages/patches/icecat-CVE-2015-2739.patch, gnu/packages/patches/icecat-CVE-2015-2740.patch, gnu/packages/patches/icecat-CVE-2015-2743.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
parent
4cd86f5d52
commit
4463c0d216
18 changed files with 1430 additions and 1 deletions
|
@ -466,6 +466,22 @@ dist_patch_DATA = \
|
||||||
gnu/packages/patches/hwloc-gather-topology-lstopo.patch \
|
gnu/packages/patches/hwloc-gather-topology-lstopo.patch \
|
||||||
gnu/packages/patches/hydra-automake-1.15.patch \
|
gnu/packages/patches/hydra-automake-1.15.patch \
|
||||||
gnu/packages/patches/hydra-disable-darcs-test.patch \
|
gnu/packages/patches/hydra-disable-darcs-test.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2735.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2736.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2738.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2739.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2740.patch \
|
||||||
|
gnu/packages/patches/icecat-CVE-2015-2743.patch \
|
||||||
gnu/packages/patches/irrlicht-mesa-10.patch \
|
gnu/packages/patches/irrlicht-mesa-10.patch \
|
||||||
gnu/packages/patches/jbig2dec-ignore-testtest.patch \
|
gnu/packages/patches/jbig2dec-ignore-testtest.patch \
|
||||||
gnu/packages/patches/kmod-module-directory.patch \
|
gnu/packages/patches/kmod-module-directory.patch \
|
||||||
|
|
|
@ -234,7 +234,23 @@ (define-public icecat
|
||||||
name "-" version ".tar.bz2"))
|
name "-" version ".tar.bz2"))
|
||||||
(sha256
|
(sha256
|
||||||
(base32
|
(base32
|
||||||
"0a25jp5afla2dxzj7i4cyvqpa5smsn7ns3xvpzqw6pc7naixkpap"))))
|
"0a25jp5afla2dxzj7i4cyvqpa5smsn7ns3xvpzqw6pc7naixkpap"))
|
||||||
|
(patches (map search-patch '("icecat-CVE-2015-2724-pt1.patch"
|
||||||
|
"icecat-CVE-2015-2743.patch"
|
||||||
|
"icecat-CVE-2015-2722-pt1.patch"
|
||||||
|
"icecat-CVE-2015-2722-pt2.patch"
|
||||||
|
"icecat-CVE-2015-2724-pt2.patch"
|
||||||
|
"icecat-CVE-2015-2739.patch"
|
||||||
|
"icecat-CVE-2015-2724-pt3.patch"
|
||||||
|
"icecat-CVE-2015-2735.patch"
|
||||||
|
"icecat-CVE-2015-2736.patch"
|
||||||
|
"icecat-CVE-2015-2733-pt1.patch"
|
||||||
|
"icecat-CVE-2015-2728-pt1.patch"
|
||||||
|
"icecat-CVE-2015-2728-pt2.patch"
|
||||||
|
"icecat-CVE-2015-2724-pt4.patch"
|
||||||
|
"icecat-CVE-2015-2733-pt2.patch"
|
||||||
|
"icecat-CVE-2015-2738.patch"
|
||||||
|
"icecat-CVE-2015-2740.patch")))))
|
||||||
(build-system gnu-build-system)
|
(build-system gnu-build-system)
|
||||||
(inputs
|
(inputs
|
||||||
`(("alsa-lib" ,alsa-lib)
|
`(("alsa-lib" ,alsa-lib)
|
||||||
|
|
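Review bot: The `patches` list added to the icecat `source` is in neither alphabetical nor CVE order (`icecat-CVE-2015-2724-pt1.patch` comes first, `icecat-CVE-2015-2724-pt4.patch` near the end), and nothing says whether that order matters. If it is the order in which the patches have to apply, which the pt1-before-pt2 sequencing suggests, a comment above the list such as `;; Keep in application order; later patches depend on earlier ones.` would stop a later cleanup from sorting it and breaking the build. The enclosing `define-public icecat` form starts and ends outside this hunk.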
77
gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch
Normal file
77
gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch
Normal file
|
@ -0,0 +1,77 @@
|
||||||
|
From 7805485b75d06915bcb018b8fe5cb7de4ddebddb Mon Sep 17 00:00:00 2001
|
||||||
|
From: Andrea Marchesini <amarchesini@mozilla.com>
|
||||||
|
Date: Wed, 27 May 2015 14:21:44 -0700
|
||||||
|
Subject: [PATCH] Bug 1166924 part 0 r=bent a=lizzard
|
||||||
|
|
||||||
|
--HG--
|
||||||
|
extra : source : 36bf5bcceb272fc9e303996f8dfe7350984a5e96
|
||||||
|
---
|
||||||
|
dom/workers/XMLHttpRequest.cpp | 18 ++++++++++++++++--
|
||||||
|
1 file changed, 16 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
|
||||||
|
index 748fd39..8e4200a 100644
|
||||||
|
--- a/dom/workers/XMLHttpRequest.cpp
|
||||||
|
+++ b/dom/workers/XMLHttpRequest.cpp
|
||||||
|
@@ -113,6 +113,7 @@ public:
|
||||||
|
bool mLastUploadLengthComputable;
|
||||||
|
bool mSeenLoadStart;
|
||||||
|
bool mSeenUploadLoadStart;
|
||||||
|
+ bool mOpening;
|
||||||
|
|
||||||
|
// Only touched on the main thread.
|
||||||
|
bool mUploadEventListenersAttached;
|
||||||
|
@@ -127,7 +128,7 @@ public:
|
||||||
|
mOuterEventStreamId(0), mOuterChannelId(0), mLastLoaded(0), mLastTotal(0),
|
||||||
|
mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
|
||||||
|
mLastLengthComputable(false), mLastUploadLengthComputable(false),
|
||||||
|
- mSeenLoadStart(false), mSeenUploadLoadStart(false),
|
||||||
|
+ mSeenLoadStart(false), mSeenUploadLoadStart(false), mOpening(false),
|
||||||
|
mUploadEventListenersAttached(false), mMainThreadSeenLoadStart(false),
|
||||||
|
mInOpen(false)
|
||||||
|
{ }
|
||||||
|
@@ -1498,7 +1499,11 @@ SendRunnable::MainThreadRun()
|
||||||
|
variant = wvariant;
|
||||||
|
}
|
||||||
|
|
||||||
|
- MOZ_ASSERT(!mProxy->mWorkerPrivate);
|
||||||
|
+ // Send() has been already called.
|
||||||
|
+ if (mProxy->mWorkerPrivate) {
|
||||||
|
+ return NS_ERROR_FAILURE;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
mProxy->mWorkerPrivate = mWorkerPrivate;
|
||||||
|
|
||||||
|
MOZ_ASSERT(!mProxy->mSyncLoopTarget);
|
||||||
|
@@ -1789,6 +1794,12 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody,
|
||||||
|
{
|
||||||
|
mWorkerPrivate->AssertIsOnWorkerThread();
|
||||||
|
|
||||||
|
+ // No send() calls when open is running.
|
||||||
|
+ if (mProxy->mOpening) {
|
||||||
|
+ aRv.Throw(NS_ERROR_FAILURE);
|
||||||
|
+ return;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
bool hasUploadListeners = mUpload ? mUpload->HasListeners() : false;
|
||||||
|
|
||||||
|
MaybePin(aRv);
|
||||||
|
@@ -1874,12 +1885,15 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
|
||||||
|
mBackgroundRequest, mWithCredentials,
|
||||||
|
mTimeout);
|
||||||
|
|
||||||
|
+ mProxy->mOpening = true;
|
||||||
|
if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
|
||||||
|
ReleaseProxy();
|
||||||
|
+ mProxy->mOpening = false;
|
||||||
|
aRv.Throw(NS_ERROR_FAILURE);
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
+ mProxy->mOpening = false;
|
||||||
|
mProxy->mIsSyncXHR = !aAsync;
|
||||||
|
}
|
||||||
|
|
||||||
|
--
|
||||||
|
2.4.3
|
||||||
|
|
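Review bot: In the `XMLHttpRequest::Open` hunk of the embedded patch, the failure branch writes `mProxy->mOpening = false;` on the line after `ReleaseProxy();`. `ReleaseProxy()` is defined outside the hunk, but if it drops or nulls `mProxy`, as its name suggests, that store goes through a released or null pointer on exactly the error path this fix adds. Clearing the flag first avoids the question: `mProxy->mOpening = false;` and only then `ReleaseProxy();`. The unconditional `mProxy->mOpening = false;` after a successful `Dispatch` deserves the same look, for example `if (mProxy) { mProxy->mOpening = false; }`, if the proxy can be released while the dispatch is running; the rest of `Open` is outside the hunk.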
73
gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch
Normal file
73
gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch
Normal file
|
@ -0,0 +1,73 @@
|
||||||
|
From 6eb772aa6a0c1b21aafcfa606cc3bf07659b53b9 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Wes Kocher <wkocher@mozilla.com>
|
||||||
|
Date: Wed, 27 May 2015 14:33:22 -0700
|
||||||
|
Subject: [PATCH] Bug 1166924 part 1 r=baku a=lizzard
|
||||||
|
|
||||||
|
--HG--
|
||||||
|
extra : source : 528d47773256bfee72e7adedc78b89c9fa573b7b
|
||||||
|
---
|
||||||
|
dom/workers/XMLHttpRequest.cpp | 20 ++++++++++++--------
|
||||||
|
1 file changed, 12 insertions(+), 8 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
|
||||||
|
index 8e4200a..bf0cd3f 100644
|
||||||
|
--- a/dom/workers/XMLHttpRequest.cpp
|
||||||
|
+++ b/dom/workers/XMLHttpRequest.cpp
|
||||||
|
@@ -140,7 +140,7 @@ public:
|
||||||
|
Init();
|
||||||
|
|
||||||
|
void
|
||||||
|
- Teardown();
|
||||||
|
+ Teardown(bool aSendUnpin);
|
||||||
|
|
||||||
|
bool
|
||||||
|
AddRemoveEventListeners(bool aUpload, bool aAdd);
|
||||||
|
@@ -308,7 +308,9 @@ private:
|
||||||
|
{
|
||||||
|
AssertIsOnMainThread();
|
||||||
|
|
||||||
|
- mProxy->Teardown();
|
||||||
|
+ // This means the XHR was GC'd, so we can't be pinned, and we don't need to
|
||||||
|
+ // try to unpin.
|
||||||
|
+ mProxy->Teardown(/* aSendUnpin */ false);
|
||||||
|
mProxy = nullptr;
|
||||||
|
|
||||||
|
return NS_OK;
|
||||||
|
@@ -563,7 +565,7 @@ private:
|
||||||
|
virtual nsresult
|
||||||
|
MainThreadRun() MOZ_OVERRIDE
|
||||||
|
{
|
||||||
|
- mProxy->Teardown();
|
||||||
|
+ mProxy->Teardown(/* aSendUnpin */ true);
|
||||||
|
MOZ_ASSERT(!mProxy->mSyncLoopTarget);
|
||||||
|
return NS_OK;
|
||||||
|
}
|
||||||
|
@@ -935,7 +937,7 @@ Proxy::Init()
|
||||||
|
}
|
||||||
|
|
||||||
|
void
|
||||||
|
-Proxy::Teardown()
|
||||||
|
+Proxy::Teardown(bool aSendUnpin)
|
||||||
|
{
|
||||||
|
AssertIsOnMainThread();
|
||||||
|
|
||||||
|
@@ -948,10 +950,12 @@ Proxy::Teardown()
|
||||||
|
mXHR->Abort();
|
||||||
|
|
||||||
|
if (mOutstandingSendCount) {
|
||||||
|
- nsRefPtr<XHRUnpinRunnable> runnable =
|
||||||
|
- new XHRUnpinRunnable(mWorkerPrivate, mXMLHttpRequestPrivate);
|
||||||
|
- if (!runnable->Dispatch(nullptr)) {
|
||||||
|
- NS_RUNTIMEABORT("We're going to hang at shutdown anyways.");
|
||||||
|
+ if (aSendUnpin) {
|
||||||
|
+ nsRefPtr<XHRUnpinRunnable> runnable =
|
||||||
|
+ new XHRUnpinRunnable(mWorkerPrivate, mXMLHttpRequestPrivate);
|
||||||
|
+ if (!runnable->Dispatch(nullptr)) {
|
||||||
|
+ NS_RUNTIMEABORT("We're going to hang at shutdown anyways.");
|
||||||
|
+ }
|
||||||
|
}
|
||||||
|
|
||||||
|
if (mSyncLoopTarget) {
|
||||||
|
--
|
||||||
|
2.4.3
|
||||||
|
|
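Review bot: `Proxy::Teardown(bool aSendUnpin)` gains a flag with no comment at its declaration; the only explanation is at one call site ("the XHR was GC'd, so we can't be pinned"). A comment on the declaration, e.g. `// aSendUnpin: also dispatch XHRUnpinRunnable to the worker; pass false when the worker-side XHR is already gone.`, would tell the next caller which value is the safe one. With `aSendUnpin` false the `if (mOutstandingSendCount)` branch is still entered and the `if (mSyncLoopTarget)` code after the unpin dispatch still runs; the rest of that branch is outside the hunk, so it is worth confirming against the full function that this is intended.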
57
gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch
Normal file
57
gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
From 6465a9f57b13fdf3d21016a41973f13d1e7f447c Mon Sep 17 00:00:00 2001
|
||||||
|
From: Bobby Holley <bobbyholley@gmail.com>
|
||||||
|
Date: Wed, 13 May 2015 11:08:30 -0700
|
||||||
|
Subject: [PATCH] Bug 1164567 - Grab the principal when we need it in
|
||||||
|
MediaDecodeTask. r=jww, a=sledru
|
||||||
|
|
||||||
|
---
|
||||||
|
content/media/webaudio/MediaBufferDecoder.cpp | 17 ++++++++---------
|
||||||
|
1 file changed, 8 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/content/media/webaudio/MediaBufferDecoder.cpp b/content/media/webaudio/MediaBufferDecoder.cpp
|
||||||
|
index b9409ad..ee6538c 100644
|
||||||
|
--- a/content/media/webaudio/MediaBufferDecoder.cpp
|
||||||
|
+++ b/content/media/webaudio/MediaBufferDecoder.cpp
|
||||||
|
@@ -101,13 +101,6 @@ public:
|
||||||
|
{
|
||||||
|
MOZ_ASSERT(aBuffer);
|
||||||
|
MOZ_ASSERT(NS_IsMainThread());
|
||||||
|
-
|
||||||
|
- nsCOMPtr<nsPIDOMWindow> pWindow = do_QueryInterface(mDecodeJob.mContext->GetParentObject());
|
||||||
|
- nsCOMPtr<nsIScriptObjectPrincipal> scriptPrincipal =
|
||||||
|
- do_QueryInterface(pWindow);
|
||||||
|
- if (scriptPrincipal) {
|
||||||
|
- mPrincipal = scriptPrincipal->GetPrincipal();
|
||||||
|
- }
|
||||||
|
}
|
||||||
|
|
||||||
|
NS_IMETHOD Run();
|
||||||
|
@@ -150,7 +143,6 @@ private:
|
||||||
|
WebAudioDecodeJob& mDecodeJob;
|
||||||
|
PhaseEnum mPhase;
|
||||||
|
nsCOMPtr<nsIThreadPool> mThreadPool;
|
||||||
|
- nsCOMPtr<nsIPrincipal> mPrincipal;
|
||||||
|
nsRefPtr<BufferDecoder> mBufferDecoder;
|
||||||
|
nsAutoPtr<MediaDecoderReader> mDecoderReader;
|
||||||
|
};
|
||||||
|
@@ -179,9 +171,16 @@ MediaDecodeTask::CreateReader()
|
||||||
|
{
|
||||||
|
MOZ_ASSERT(NS_IsMainThread());
|
||||||
|
|
||||||
|
+
|
||||||
|
+ nsCOMPtr<nsIPrincipal> principal;
|
||||||
|
+ nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(mDecodeJob.mContext->GetParentObject());
|
||||||
|
+ if (sop) {
|
||||||
|
+ principal = sop->GetPrincipal();
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
nsRefPtr<BufferMediaResource> resource =
|
||||||
|
new BufferMediaResource(static_cast<uint8_t*> (mBuffer),
|
||||||
|
- mLength, mPrincipal, mContentType);
|
||||||
|
+ mLength, principal, mContentType);
|
||||||
|
|
||||||
|
MOZ_ASSERT(!mBufferDecoder);
|
||||||
|
mBufferDecoder = new BufferDecoder(resource);
|
||||||
|
--
|
||||||
|
2.4.3
|
||||||
|
|
391
gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch
Normal file
391
gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch
Normal file
|
@ -0,0 +1,391 @@
|
||||||
|
From 99641aa4446dc9df04dcfeede8b49ff03abcac42 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jan de Mooij <jdemooij@mozilla.com>
|
||||||
|
Date: Thu, 28 May 2015 10:16:24 +0200
|
||||||
|
Subject: [PATCH] Bug 1160884 - Add KeepAlive instructions after elements/slots
|
||||||
|
uses. r=nbp, a=abillings
|
||||||
|
|
||||||
|
---
|
||||||
|
js/src/jit/CodeGenerator.cpp | 7 ++
|
||||||
|
js/src/jit/CodeGenerator.h | 1 +
|
||||||
|
js/src/jit/Ion.cpp | 7 ++
|
||||||
|
js/src/jit/IonAnalysis.cpp | 112 ++++++++++++++++++++++++++++++++
|
||||||
|
js/src/jit/IonAnalysis.h | 3 +
|
||||||
|
js/src/jit/LIR-Common.h | 14 ++++
|
||||||
|
js/src/jit/LOpcodes.h | 1 +
|
||||||
|
js/src/jit/Lowering.cpp | 9 +++
|
||||||
|
js/src/jit/Lowering.h | 1 +
|
||||||
|
js/src/jit/MIR.h | 26 ++++++++
|
||||||
|
js/src/jit/MOpcodes.h | 1 +
|
||||||
|
js/src/jit/ParallelSafetyAnalysis.cpp | 1 +
|
||||||
|
js/src/jit/shared/Lowering-shared-inl.h | 8 ++-
|
||||||
|
js/src/jit/shared/Lowering-shared.h | 1 +
|
||||||
|
js/src/vm/TraceLogging.h | 3 +-
|
||||||
|
15 files changed, 193 insertions(+), 2 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
|
||||||
|
index 5dff9df..7364178 100644
|
||||||
|
--- a/js/src/jit/CodeGenerator.cpp
|
||||||
|
+++ b/js/src/jit/CodeGenerator.cpp
|
||||||
|
@@ -1476,6 +1476,13 @@ CodeGenerator::visitPointer(LPointer* lir)
|
||||||
|
}
|
||||||
|
|
||||||
|
bool
|
||||||
|
+CodeGenerator::visitKeepAliveObject(LKeepAliveObject* lir)
|
||||||
|
+{
|
||||||
|
+ // No-op.
|
||||||
|
+ return true;
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+bool
|
||||||
|
CodeGenerator::visitSlots(LSlots* lir)
|
||||||
|
{
|
||||||
|
Address slots(ToRegister(lir->object()), JSObject::offsetOfSlots());
|
||||||
|
diff --git a/js/src/jit/CodeGenerator.h b/js/src/jit/CodeGenerator.h
|
||||||
|
index 95fb33b..e3b4fd7 100644
|
||||||
|
--- a/js/src/jit/CodeGenerator.h
|
||||||
|
+++ b/js/src/jit/CodeGenerator.h
|
||||||
|
@@ -106,6 +106,7 @@ class CodeGenerator : public CodeGeneratorSpecific
|
||||||
|
bool visitLambdaForSingleton(LLambdaForSingleton* lir);
|
||||||
|
bool visitLambdaPar(LLambdaPar* lir);
|
||||||
|
bool visitPointer(LPointer* lir);
|
||||||
|
+ bool visitKeepAliveObject(LKeepAliveObject* lir);
|
||||||
|
bool visitSlots(LSlots* lir);
|
||||||
|
bool visitStoreSlotV(LStoreSlotV* store);
|
||||||
|
bool visitElements(LElements* lir);
|
||||||
|
diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
|
||||||
|
index 015d387..1551a80 100644
|
||||||
|
--- a/js/src/jit/Ion.cpp
|
||||||
|
+++ b/js/src/jit/Ion.cpp
|
||||||
|
@@ -1536,6 +1536,13 @@ OptimizeMIR(MIRGenerator* mir)
|
||||||
|
AssertGraphCoherency(graph);
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if (!mir->compilingAsmJS()) {
|
||||||
|
+ AutoTraceLog log(logger, TraceLogger::AddKeepAliveInstructions);
|
||||||
|
+ AddKeepAliveInstructions(graph);
|
||||||
|
+ IonSpewPass("Add KeepAlive Instructions");
|
||||||
|
+ AssertGraphCoherency(graph);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
|
||||||
|
index 8965724..af58aae 100644
|
||||||
|
--- a/js/src/jit/IonAnalysis.cpp
|
||||||
|
+++ b/js/src/jit/IonAnalysis.cpp
|
||||||
|
@@ -1971,6 +1971,118 @@ jit::UnsplitEdges(LIRGraph* lir)
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
+static bool
|
||||||
|
+NeedsKeepAlive(MInstruction* slotsOrElements, MInstruction* use)
|
||||||
|
+{
|
||||||
|
+ MOZ_ASSERT(slotsOrElements->type() == MIRType_Elements ||
|
||||||
|
+ slotsOrElements->type() == MIRType_Slots);
|
||||||
|
+
|
||||||
|
+ if (slotsOrElements->block() != use->block())
|
||||||
|
+ return true;
|
||||||
|
+
|
||||||
|
+ MBasicBlock* block = use->block();
|
||||||
|
+ MInstructionIterator iter(block->begin(slotsOrElements));
|
||||||
|
+ MOZ_ASSERT(*iter == slotsOrElements);
|
||||||
|
+ ++iter;
|
||||||
|
+
|
||||||
|
+ while (true) {
|
||||||
|
+ if (*iter == use)
|
||||||
|
+ return false;
|
||||||
|
+
|
||||||
|
+ switch (iter->op()) {
|
||||||
|
+ case MDefinition::Op_Nop:
|
||||||
|
+ case MDefinition::Op_Constant:
|
||||||
|
+ case MDefinition::Op_KeepAliveObject:
|
||||||
|
+ case MDefinition::Op_Unbox:
|
||||||
|
+ case MDefinition::Op_LoadSlot:
|
||||||
|
+ case MDefinition::Op_StoreSlot:
|
||||||
|
+ case MDefinition::Op_LoadFixedSlot:
|
||||||
|
+ case MDefinition::Op_StoreFixedSlot:
|
||||||
|
+ case MDefinition::Op_LoadElement:
|
||||||
|
+ case MDefinition::Op_StoreElement:
|
||||||
|
+ case MDefinition::Op_InitializedLength:
|
||||||
|
+ case MDefinition::Op_ArrayLength:
|
||||||
|
+ case MDefinition::Op_BoundsCheck:
|
||||||
|
+ iter++;
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ return true;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ MOZ_CRASH("Unreachable");
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+void
|
||||||
|
+jit::AddKeepAliveInstructions(MIRGraph& graph)
|
||||||
|
+{
|
||||||
|
+ for (MBasicBlockIterator i(graph.begin()); i != graph.end(); i++) {
|
||||||
|
+ MBasicBlock* block = *i;
|
||||||
|
+
|
||||||
|
+ for (MInstructionIterator insIter(block->begin()); insIter != block->end(); insIter++) {
|
||||||
|
+ MInstruction* ins = *insIter;
|
||||||
|
+ if (ins->type() != MIRType_Elements && ins->type() != MIRType_Slots)
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ MDefinition* ownerObject;
|
||||||
|
+ switch (ins->op()) {
|
||||||
|
+ case MDefinition::Op_ConstantElements:
|
||||||
|
+ case MDefinition::Op_NewSlots:
|
||||||
|
+ continue;
|
||||||
|
+ case MDefinition::Op_ConvertElementsToDoubles:
|
||||||
|
+ // EliminateRedundantChecks should have replaced all uses.
|
||||||
|
+ MOZ_ASSERT(!ins->hasUses());
|
||||||
|
+ continue;
|
||||||
|
+ case MDefinition::Op_Elements:
|
||||||
|
+ case MDefinition::Op_TypedArrayElements:
|
||||||
|
+ case MDefinition::Op_TypedObjectElements:
|
||||||
|
+ MOZ_ASSERT(ins->numOperands() == 1);
|
||||||
|
+ ownerObject = ins->getOperand(0);
|
||||||
|
+ break;
|
||||||
|
+ case MDefinition::Op_Slots:
|
||||||
|
+ ownerObject = ins->toSlots()->object();
|
||||||
|
+ break;
|
||||||
|
+ default:
|
||||||
|
+ MOZ_CRASH("Unexpected op");
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ MOZ_ASSERT(ownerObject->type() == MIRType_Object);
|
||||||
|
+
|
||||||
|
+ if (ownerObject->isConstant()) {
|
||||||
|
+ // Constants are kept alive by other pointers, for instance
|
||||||
|
+ // ImmGCPtr in JIT code.
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ for (MUseDefIterator uses(ins); uses; uses++) {
|
||||||
|
+ MInstruction* use = uses.def()->toInstruction();
|
||||||
|
+
|
||||||
|
+ if (use->isStoreElementHole()) {
|
||||||
|
+ // StoreElementHole has an explicit object operand. If GVN
|
||||||
|
+ // is disabled, we can get different unbox instructions with
|
||||||
|
+ // the same object as input, so we check for that case.
|
||||||
|
+ MOZ_ASSERT_IF(!use->toStoreElementHole()->object()->isUnbox() && !ownerObject->isUnbox(),
|
||||||
|
+ use->toStoreElementHole()->object() == ownerObject);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (use->isInArray()) {
|
||||||
|
+ // See StoreElementHole case above.
|
||||||
|
+ MOZ_ASSERT_IF(!use->toInArray()->object()->isUnbox() && !ownerObject->isUnbox(),
|
||||||
|
+ use->toInArray()->object() == ownerObject);
|
||||||
|
+ continue;
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ if (!NeedsKeepAlive(ins, use))
|
||||||
|
+ continue;
|
||||||
|
+
|
||||||
|
+ MKeepAliveObject* keepAlive = MKeepAliveObject::New(graph.alloc(), ownerObject);
|
||||||
|
+ use->block()->insertAfter(use, keepAlive);
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
bool
|
||||||
|
LinearSum::multiply(int32_t scale)
|
||||||
|
{
|
||||||
|
diff --git a/js/src/jit/IonAnalysis.h b/js/src/jit/IonAnalysis.h
|
||||||
|
index aabf835..a320418 100644
|
||||||
|
--- a/js/src/jit/IonAnalysis.h
|
||||||
|
+++ b/js/src/jit/IonAnalysis.h
|
||||||
|
@@ -64,6 +64,9 @@ AssertExtendedGraphCoherency(MIRGraph& graph);
|
||||||
|
bool
|
||||||
|
EliminateRedundantChecks(MIRGraph& graph);
|
||||||
|
|
||||||
|
+void
|
||||||
|
+AddKeepAliveInstructions(MIRGraph& graph);
|
||||||
|
+
|
||||||
|
bool
|
||||||
|
UnsplitEdges(LIRGraph* lir);
|
||||||
|
|
||||||
|
diff --git a/js/src/jit/LIR-Common.h b/js/src/jit/LIR-Common.h
|
||||||
|
index 5fe0ee9..6b03a42 100644
|
||||||
|
--- a/js/src/jit/LIR-Common.h
|
||||||
|
+++ b/js/src/jit/LIR-Common.h
|
||||||
|
@@ -3591,6 +3591,20 @@ class LImplicitThis : public LInstructionHelper<BOX_PIECES, 1, 0>
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
+class LKeepAliveObject : public LInstructionHelper<0, 1, 0>
|
||||||
|
+{
|
||||||
|
+ public:
|
||||||
|
+ LIR_HEADER(KeepAliveObject)
|
||||||
|
+
|
||||||
|
+ explicit LKeepAliveObject(const LAllocation& object) {
|
||||||
|
+ setOperand(0, object);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ const LAllocation* object() {
|
||||||
|
+ return getOperand(0);
|
||||||
|
+ }
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
// Load the "slots" member out of a JSObject.
|
||||||
|
// Input: JSObject pointer
|
||||||
|
// Output: slots pointer
|
||||||
|
diff --git a/js/src/jit/LOpcodes.h b/js/src/jit/LOpcodes.h
|
||||||
|
index cd7eef8..424b22c 100644
|
||||||
|
--- a/js/src/jit/LOpcodes.h
|
||||||
|
+++ b/js/src/jit/LOpcodes.h
|
||||||
|
@@ -166,6 +166,7 @@
|
||||||
|
_(LambdaForSingleton) \
|
||||||
|
_(LambdaPar) \
|
||||||
|
_(ImplicitThis) \
|
||||||
|
+ _(KeepAliveObject) \
|
||||||
|
_(Slots) \
|
||||||
|
_(Elements) \
|
||||||
|
_(ConvertElementsToDoubles) \
|
||||||
|
diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
|
||||||
|
index d671fd4..c0d434e 100644
|
||||||
|
--- a/js/src/jit/Lowering.cpp
|
||||||
|
+++ b/js/src/jit/Lowering.cpp
|
||||||
|
@@ -2110,6 +2110,15 @@ LIRGenerator::visitImplicitThis(MImplicitThis* ins)
|
||||||
|
}
|
||||||
|
|
||||||
|
bool
|
||||||
|
+LIRGenerator::visitKeepAliveObject(MKeepAliveObject* ins)
|
||||||
|
+{
|
||||||
|
+ MDefinition* obj = ins->object();
|
||||||
|
+ MOZ_ASSERT(obj->type() == MIRType_Object);
|
||||||
|
+
|
||||||
|
+ return add(new(alloc()) LKeepAliveObject(useKeepalive(obj)), ins);
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+bool
|
||||||
|
LIRGenerator::visitSlots(MSlots* ins)
|
||||||
|
{
|
||||||
|
return define(new(alloc()) LSlots(useRegisterAtStart(ins->object())), ins);
|
||||||
|
diff --git a/js/src/jit/Lowering.h b/js/src/jit/Lowering.h
|
||||||
|
index ea50cab..a60dc30 100644
|
||||||
|
--- a/js/src/jit/Lowering.h
|
||||||
|
+++ b/js/src/jit/Lowering.h
|
||||||
|
@@ -160,6 +160,7 @@ class LIRGenerator : public LIRGeneratorSpecific
|
||||||
|
bool visitLambdaArrow(MLambdaArrow* ins);
|
||||||
|
bool visitLambdaPar(MLambdaPar* ins);
|
||||||
|
bool visitImplicitThis(MImplicitThis* ins);
|
||||||
|
+ bool visitKeepAliveObject(MKeepAliveObject* ins);
|
||||||
|
bool visitSlots(MSlots* ins);
|
||||||
|
bool visitElements(MElements* ins);
|
||||||
|
bool visitConstantElements(MConstantElements* ins);
|
||||||
|
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
|
||||||
|
index 48e1dfb..a6060a2 100644
|
||||||
|
--- a/js/src/jit/MIR.h
|
||||||
|
+++ b/js/src/jit/MIR.h
|
||||||
|
@@ -5790,6 +5790,32 @@ class MSetTypedObjectOffset
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
|
+class MKeepAliveObject
|
||||||
|
+ : public MUnaryInstruction,
|
||||||
|
+ public SingleObjectPolicy
|
||||||
|
+{
|
||||||
|
+ explicit MKeepAliveObject(MDefinition* object)
|
||||||
|
+ : MUnaryInstruction(object)
|
||||||
|
+ {
|
||||||
|
+ setResultType(MIRType_None);
|
||||||
|
+ setGuard();
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ public:
|
||||||
|
+ INSTRUCTION_HEADER(KeepAliveObject)
|
||||||
|
+
|
||||||
|
+ static MKeepAliveObject* New(TempAllocator& alloc, MDefinition* object) {
|
||||||
|
+ return new(alloc) MKeepAliveObject(object);
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
+ MDefinition* object() const {
|
||||||
|
+ return getOperand(0);
|
||||||
|
+ }
|
||||||
|
+ TypePolicy* typePolicy() {
|
||||||
|
+ return this;
|
||||||
|
+ }
|
||||||
|
+};
|
||||||
|
+
|
||||||
|
// Perform !-operation
|
||||||
|
class MNot
|
||||||
|
: public MUnaryInstruction,
|
||||||
|
diff --git a/js/src/jit/MOpcodes.h b/js/src/jit/MOpcodes.h
|
||||||
|
index 83b9e63..cfc3895 100644
|
||||||
|
--- a/js/src/jit/MOpcodes.h
|
||||||
|
+++ b/js/src/jit/MOpcodes.h
|
||||||
|
@@ -110,6 +110,7 @@ namespace jit {
|
||||||
|
_(Lambda) \
|
||||||
|
_(LambdaArrow) \
|
||||||
|
_(ImplicitThis) \
|
||||||
|
+ _(KeepAliveObject) \
|
||||||
|
_(Slots) \
|
||||||
|
_(Elements) \
|
||||||
|
_(ConstantElements) \
|
||||||
|
diff --git a/js/src/jit/ParallelSafetyAnalysis.cpp b/js/src/jit/ParallelSafetyAnalysis.cpp
|
||||||
|
index a6a1202..13c577b 100644
|
||||||
|
--- a/js/src/jit/ParallelSafetyAnalysis.cpp
|
||||||
|
+++ b/js/src/jit/ParallelSafetyAnalysis.cpp
|
||||||
|
@@ -199,6 +199,7 @@ class ParallelSafetyVisitor : public MInstructionVisitor
|
||||||
|
CUSTOM_OP(Lambda)
|
||||||
|
UNSAFE_OP(LambdaArrow)
|
||||||
|
UNSAFE_OP(ImplicitThis)
|
||||||
|
+ SAFE_OP(KeepAliveObject)
|
||||||
|
SAFE_OP(Slots)
|
||||||
|
SAFE_OP(Elements)
|
||||||
|
SAFE_OP(ConstantElements)
|
||||||
|
diff --git a/js/src/jit/shared/Lowering-shared-inl.h b/js/src/jit/shared/Lowering-shared-inl.h
|
||||||
|
index 17bb74a..832cc61 100644
|
||||||
|
--- a/js/src/jit/shared/Lowering-shared-inl.h
|
||||||
|
+++ b/js/src/jit/shared/Lowering-shared-inl.h
|
||||||
|
@@ -372,11 +372,17 @@ LIRGeneratorShared::useStorableAtStart(MDefinition* mir)
|
||||||
|
#endif
|
||||||
|
|
||||||
|
LAllocation
|
||||||
|
+LIRGeneratorShared::useKeepalive(MDefinition* mir)
|
||||||
|
+{
|
||||||
|
+ return use(mir, LUse(LUse::KEEPALIVE));
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+LAllocation
|
||||||
|
LIRGeneratorShared::useKeepaliveOrConstant(MDefinition* mir)
|
||||||
|
{
|
||||||
|
if (mir->isConstant())
|
||||||
|
return LAllocation(mir->toConstant()->vp());
|
||||||
|
- return use(mir, LUse(LUse::KEEPALIVE));
|
||||||
|
+ return useKeepalive(mir);
|
||||||
|
}
|
||||||
|
|
||||||
|
LUse
|
||||||
|
diff --git a/js/src/jit/shared/Lowering-shared.h b/js/src/jit/shared/Lowering-shared.h
|
||||||
|
index 4bd13b0..b23d20e 100644
|
||||||
|
--- a/js/src/jit/shared/Lowering-shared.h
|
||||||
|
+++ b/js/src/jit/shared/Lowering-shared.h
|
||||||
|
@@ -85,6 +85,7 @@ class LIRGeneratorShared : public MInstructionVisitorWithDefaults
|
||||||
|
// this is a generic "things we can expect to write into memory in 1 instruction"
|
||||||
|
inline LAllocation useStorable(MDefinition* mir);
|
||||||
|
inline LAllocation useStorableAtStart(MDefinition* mir);
|
||||||
|
+ inline LAllocation useKeepalive(MDefinition* mir);
|
||||||
|
inline LAllocation useKeepaliveOrConstant(MDefinition* mir);
|
||||||
|
inline LAllocation useRegisterOrConstant(MDefinition* mir);
|
||||||
|
inline LAllocation useRegisterOrConstantAtStart(MDefinition* mir);
|
||||||
|
diff --git a/js/src/vm/TraceLogging.h b/js/src/vm/TraceLogging.h
|
||||||
|
index 4c2ebfe..8447679 100644
|
||||||
|
--- a/js/src/vm/TraceLogging.h
|
||||||
|
+++ b/js/src/vm/TraceLogging.h
|
||||||
|
@@ -145,7 +145,8 @@ namespace jit {
|
||||||
|
_(EffectiveAddressAnalysis) \
|
||||||
|
_(EliminateDeadCode) \
|
||||||
|
_(EdgeCaseAnalysis) \
|
||||||
|
- _(EliminateRedundantChecks)
|
||||||
|
+ _(EliminateRedundantChecks) \
|
||||||
|
+ _(AddKeepAliveInstructions)
|
||||||
|
|
||||||
|
class AutoTraceLog;
|
||||||
|
|
||||||
|
--
|
||||||
|
2.4.3
|
||||||
|
|
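Review bot: The `switch` in `NeedsKeepAlive` (js/src/jit/IonAnalysis.cpp) is an allow-list of opcodes that may sit between the slots/elements load and its use without a keep-alive, but nothing states what qualifies an opcode for it. Since the fix exists to keep the owner object alive across such gaps, a wrong addition here would quietly bring the bug back; a comment above the first `case`, e.g. `// Only ops that cannot trigger a GC or otherwise free the owner object belong here; everything else takes the default.`, would record the rule (the GC criterion is my reading of the bug title, so confirm the wording). The `while (true)` loop also has no end-of-block check and appears to rely on a later instruction in the block reaching `default`; a one-line comment saying why it terminates would make that dependency explicit.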
90
gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch
Normal file
90
gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch
Normal file
|
@ -0,0 +1,90 @@
|
||||||
|
From 5da8e2ffd63deac27c0faca7dabee3623867dd6e Mon Sep 17 00:00:00 2001
|
||||||
|
From: Steven Michaud <smichaud@pobox.com>
|
||||||
|
Date: Wed, 3 Jun 2015 11:18:25 -0500
|
||||||
|
Subject: [PATCH] Bug 1154876 - Block calls to hooked methods off the plugin
|
||||||
|
thread. r=spohl a=abillings
|
||||||
|
|
||||||
|
---
|
||||||
|
dom/plugins/ipc/PluginInterposeOSX.mm | 17 ++++++++---------
|
||||||
|
1 file changed, 8 insertions(+), 9 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/dom/plugins/ipc/PluginInterposeOSX.mm b/dom/plugins/ipc/PluginInterposeOSX.mm
|
||||||
|
index f43192b..cfd8e57 100644
|
||||||
|
--- a/dom/plugins/ipc/PluginInterposeOSX.mm
|
||||||
|
+++ b/dom/plugins/ipc/PluginInterposeOSX.mm
|
||||||
|
@@ -38,8 +38,7 @@
|
||||||
|
#import <objc/runtime.h>
|
||||||
|
#import <Carbon/Carbon.h>
|
||||||
|
|
||||||
|
-using mozilla::plugins::PluginModuleChild;
|
||||||
|
-using mozilla::plugins::AssertPluginThread;
|
||||||
|
+using namespace mozilla::plugins;
|
||||||
|
|
||||||
|
namespace mac_plugin_interposing {
|
||||||
|
|
||||||
|
@@ -544,7 +543,7 @@ void NSCursorInfo::SetCustomImageData(uint8_t* aData, uint32_t aDataLength)
|
||||||
|
bool NSCursorInfo::GetNativeCursorsSupported()
|
||||||
|
{
|
||||||
|
if (mNativeCursorsSupported == -1) {
|
||||||
|
- AssertPluginThread();
|
||||||
|
+ ENSURE_PLUGIN_THREAD(false);
|
||||||
|
PluginModuleChild *pmc = PluginModuleChild::current();
|
||||||
|
if (pmc) {
|
||||||
|
bool result = pmc->GetNativeCursorsSupported();
|
||||||
|
@@ -689,7 +688,7 @@ void FocusPluginProcess() {
|
||||||
|
|
||||||
|
void NotifyBrowserOfPluginShowWindow(uint32_t window_id, CGRect bounds,
|
||||||
|
bool modal) {
|
||||||
|
- AssertPluginThread();
|
||||||
|
+ ENSURE_PLUGIN_THREAD_VOID();
|
||||||
|
|
||||||
|
PluginModuleChild *pmc = PluginModuleChild::current();
|
||||||
|
if (pmc)
|
||||||
|
@@ -697,7 +696,7 @@ void NotifyBrowserOfPluginShowWindow(uint32_t window_id, CGRect bounds,
|
||||||
|
}
|
||||||
|
|
||||||
|
void NotifyBrowserOfPluginHideWindow(uint32_t window_id, CGRect bounds) {
|
||||||
|
- AssertPluginThread();
|
||||||
|
+ ENSURE_PLUGIN_THREAD_VOID();
|
||||||
|
|
||||||
|
PluginModuleChild *pmc = PluginModuleChild::current();
|
||||||
|
if (pmc)
|
||||||
|
@@ -706,7 +705,7 @@ void NotifyBrowserOfPluginHideWindow(uint32_t window_id, CGRect bounds) {
|
||||||
|
|
||||||
|
void NotifyBrowserOfSetCursor(NSCursorInfo& aCursorInfo)
|
||||||
|
{
|
||||||
|
- AssertPluginThread();
|
||||||
|
+ ENSURE_PLUGIN_THREAD_VOID();
|
||||||
|
PluginModuleChild *pmc = PluginModuleChild::current();
|
||||||
|
if (pmc) {
|
||||||
|
pmc->SetCursor(aCursorInfo);
|
||||||
|
@@ -715,7 +714,7 @@ void NotifyBrowserOfSetCursor(NSCursorInfo& aCursorInfo)
|
||||||
|
|
||||||
|
void NotifyBrowserOfShowCursor(bool show)
|
||||||
|
{
|
||||||
|
- AssertPluginThread();
|
||||||
|
+ ENSURE_PLUGIN_THREAD_VOID();
|
||||||
|
PluginModuleChild *pmc = PluginModuleChild::current();
|
||||||
|
if (pmc) {
|
||||||
|
pmc->ShowCursor(show);
|
||||||
|
@@ -724,7 +723,7 @@ void NotifyBrowserOfShowCursor(bool show)
|
||||||
|
|
||||||
|
void NotifyBrowserOfPushCursor(NSCursorInfo& aCursorInfo)
|
||||||
|
{
|
||||||
|
- AssertPluginThread();
|
||||||
|
+ ENSURE_PLUGIN_THREAD_VOID();
|
||||||
|
PluginModuleChild *pmc = PluginModuleChild::current();
|
||||||
|
if (pmc) {
|
||||||
|
pmc->PushCursor(aCursorInfo);
|
||||||
|
@@ -733,7 +732,7 @@ void NotifyBrowserOfPushCursor(NSCursorInfo& aCursorInfo)
|
||||||
|
|
||||||
|
void NotifyBrowserOfPopCursor()
|
||||||
|
{
|
||||||
|
- AssertPluginThread();
|
||||||
|
+ ENSURE_PLUGIN_THREAD_VOID();
|
||||||
|
PluginModuleChild *pmc = PluginModuleChild::current();
|
||||||
|
if (pmc) {
|
||||||
|
pmc->PopCursor();
|
||||||
|
--
|
||||||
|
2.4.3
|
||||||
|
|
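--- a/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch
@@ -0,0 +1,65 @@
+From 96dc9518fab0929293a8fc388f6a4a64d05b0f6f Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij@mozilla.com>
+Date: Wed, 10 Jun 2015 18:01:09 +0200
+Subject: [PATCH] Bug 1143679 - Make TryNoteIterIon behave more like
+Baseline/interpreter iterators. r=shu, a=lizzard
+
+--HG--
+extra : transplant_source : W%D0%1FGe%29%2A%E2%BC%0C%09%3BH%92%2A%A0%5CO%FD%89
+---
+js/src/jit/IonFrames.cpp | 20 +++++++++++++++++---
+1 file changed, 17 insertions(+), 3 deletions(-)
+
+diff --git a/js/src/jit/IonFrames.cpp b/js/src/jit/IonFrames.cpp
+index 51f4301..3e41c0a 100644
+--- a/js/src/jit/IonFrames.cpp
++++ b/js/src/jit/IonFrames.cpp
+@@ -356,14 +356,20 @@ JitFrameIterator::machineState() const
+return machine;
+}
+
++static uint32_t
++NumArgAndLocalSlots(const InlineFrameIterator& frame)
++{
++ JSScript* script = frame.script();
++ return CountArgSlots(script, frame.maybeCallee()) + script->nfixed();
++}
+++
+static void
+-CloseLiveIterator(JSContext* cx, const InlineFrameIterator& frame, uint32_t localSlot)
++CloseLiveIterator(JSContext* cx, const InlineFrameIterator& frame, uint32_t stackSlot)
+{
+SnapshotIterator si = frame.snapshotIterator();
+
+// Skip stack slots until we reach the iterator object.
+- uint32_t base = CountArgSlots(frame.script(), frame.maybeCallee()) + frame.script()->nfixed();
+- uint32_t skipSlots = base + localSlot - 1;
++ uint32_t skipSlots = NumArgAndLocalSlots(frame) + stackSlot - 1;
+
+for (unsigned i = 0; i < skipSlots; i++)
+si.skip();
+@@ -407,6 +413,11 @@ HandleExceptionIon(JSContext* cx, const InlineFrameIterator& frame, ResumeFromEx
+if (!script->hasTrynotes())
+return;
+
++ uint32_t base = NumArgAndLocalSlots(frame);
++ SnapshotIterator si = frame.snapshotIterator();
++ JS_ASSERT(si.numAllocations() >= base);
++ const uint32_t stackDepth = si.numAllocations() - base;
+++
+JSTryNote* tn = script->trynotes()->vector;
+JSTryNote* tnEnd = tn + script->trynotes()->length;
+
+@@ -417,6 +428,9 @@ HandleExceptionIon(JSContext* cx, const InlineFrameIterator& frame, ResumeFromEx
+if (pcOffset >= tn->start + tn->length)
+continue;
+
++ if (tn->stackDepth > stackDepth)
++ continue;
+++
+switch (tn->kind) {
+case JSTRY_ITER: {
+JS_ASSERT(JSOp(*(script->main() + tn->start + tn->length)) == JSOP_ENDITER);
+--
+2.4.3
+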
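Review bot: In HandleExceptionIon, `stackDepth` is computed as `si.numAllocations() - base` with only `JS_ASSERT(si.numAllocations() >= base)` in front of it, and that assertion is normally compiled out of release builds. If a release build ever reaches this point with fewer allocations than `base`, the unsigned subtraction wraps to a very large value and the new `tn->stackDepth > stackDepth` filter no longer skips any try note. An explicit guard before the subtraction, for example `if (si.numAllocations() < base) return;`, would keep the filter effective outside debug builds; whether returning is the right recovery depends on code outside the hunk. The function body starts and ends outside the hunks shown.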
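--- a/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch
@@ -0,0 +1,95 @@
+From 81ce99255a0ef65c98eaac300d90c1dc161efc54 Mon Sep 17 00:00:00 2001
+From: Ben Turner <bent.mozilla@gmail.com>
+Date: Tue, 9 Jun 2015 09:46:58 -0400
+Subject: [PATCH] Bug 1142210. r=khuey, a=dveditz CLOSED TREE
+
+--HG--
+extra : amend_source : 5626188ba4b79f7c25286d4f29c63dc387e63c75
+extra : transplant_source : %F0%A1%D6F%E6%1B%1FJO%BFH%29%FFo%97%2A%89%03%ECm
+---
+dom/indexedDB/IDBRequest.cpp | 5 +++++
+dom/indexedDB/IDBRequest.h | 3 +++
+dom/indexedDB/IndexedDatabaseManager.cpp | 22 +++++++++++++++++-----
+3 files changed, 25 insertions(+), 5 deletions(-)
+
+diff --git a/dom/indexedDB/IDBRequest.cpp b/dom/indexedDB/IDBRequest.cpp
+index 36e8a96..695f2ee 100644
+--- a/dom/indexedDB/IDBRequest.cpp
++++ b/dom/indexedDB/IDBRequest.cpp
+@@ -35,6 +35,8 @@
+
+namespace {
+
++NS_DEFINE_IID(kIDBRequestIID, PRIVATE_IDBREQUEST_IID);
+++
+#ifdef MOZ_ENABLE_PROFILER_SPS
+uint64_t gNextRequestSerialNumber = 1;
+#endif
+@@ -382,6 +384,9 @@ NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(IDBRequest, IDBWrapperCache)
+NS_IMPL_CYCLE_COLLECTION_TRACE_END
+
+NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(IDBRequest)
++ if (aIID.Equals(kIDBRequestIID)) {
++ foundInterface = this;
++ } else
+NS_INTERFACE_MAP_END_INHERITING(IDBWrapperCache)
+
+NS_IMPL_ADDREF_INHERITED(IDBRequest, IDBWrapperCache)
+diff --git a/dom/indexedDB/IDBRequest.h b/dom/indexedDB/IDBRequest.h
+index c835ae8..c8d1081 100644
+--- a/dom/indexedDB/IDBRequest.h
++++ b/dom/indexedDB/IDBRequest.h
+@@ -19,6 +19,9 @@
+
+#include "mozilla/dom/indexedDB/IDBWrapperCache.h"
+
++#define PRIVATE_IDBREQUEST_IID \
++ {0xe68901e5, 0x1d50, 0x4ee9, {0xaf, 0x49, 0x90, 0x99, 0x4a, 0xff, 0xc8, 0x39}}
+++
+class nsIScriptContext;
+class nsPIDOMWindow;
+
+diff --git a/dom/indexedDB/IndexedDatabaseManager.cpp b/dom/indexedDB/IndexedDatabaseManager.cpp
+index 466d0ff..820dfa6 100644
+--- a/dom/indexedDB/IndexedDatabaseManager.cpp
++++ b/dom/indexedDB/IndexedDatabaseManager.cpp
+@@ -318,19 +318,31 @@ IndexedDatabaseManager::FireWindowOnError(nsPIDOMWindow* aOwner,
+return NS_OK;
+}
+
++ Event* internalEvent = aVisitor.mDOMEvent->InternalDOMEvent();
++ MOZ_ASSERT(internalEvent);
+++
++ if (!internalEvent->IsTrusted()) {
++ return NS_OK;
++ }
+++
+nsString type;
+- nsresult rv = aVisitor.mDOMEvent->GetType(type);
++ nsresult rv = internalEvent->GetType(type);
+NS_ENSURE_SUCCESS(rv, rv);
+
+if (!type.EqualsLiteral(ERROR_EVT_STR)) {
+return NS_OK;
+}
+
+- nsCOMPtr<EventTarget> eventTarget =
+- aVisitor.mDOMEvent->InternalDOMEvent()->GetTarget();
++ nsCOMPtr<EventTarget> eventTarget = internalEvent->GetTarget();
++ MOZ_ASSERT(eventTarget);
+
+- IDBRequest* request = static_cast<IDBRequest*>(eventTarget.get());
+- NS_ENSURE_TRUE(request, NS_ERROR_UNEXPECTED);
++ // Only mess with events that were originally targeted to an IDBRequest.
++ nsRefPtr<IDBRequest> request;
++ if (NS_FAILED(eventTarget->QueryInterface(kIDBRequestIID,
++ getter_AddRefs(request))) ||
++ !request) {
++ return NS_OK;
++ }
+
+ErrorResult ret;
+nsRefPtr<DOMError> error = request->GetError(ret);
+--
+2.4.3
+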
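Review bot: In FireWindowOnError, `internalEvent` and `eventTarget` are each checked only with `MOZ_ASSERT` and then dereferenced (`internalEvent->IsTrusted()`, `eventTarget->QueryInterface(...)`), and MOZ_ASSERT does nothing in non-debug builds. The removed code tolerated a null target through `NS_ENSURE_TRUE(request, NS_ERROR_UNEXPECTED)`, so the new path is stricter about the target's type but looser about null. If `GetTarget()` can return null for an event that reaches this listener (not visible here), add `if (!eventTarget) { return NS_OK; }` before the QueryInterface call. The function continues outside the hunk.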
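--- a/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch
@@ -0,0 +1,27 @@
+From ecb3805b4425165d35b82874d4f9c55b75fb5390 Mon Sep 17 00:00:00 2001
+From: Ryan VanderMeulen <ryanvm@gmail.com>
+Date: Tue, 9 Jun 2015 12:12:13 -0400
+Subject: [PATCH] Bug 1142210 - Bustage follow-up on a CLOSED TREE.
+
+--HG--
+extra : transplant_source : %06B%8EGN%40%985%DC%D5%0E%DD%13%29%8AC%BF%1A%BA%B6
+---
+dom/indexedDB/IndexedDatabaseManager.cpp | 2 ++
+1 file changed, 2 insertions(+)
+
+diff --git a/dom/indexedDB/IndexedDatabaseManager.cpp b/dom/indexedDB/IndexedDatabaseManager.cpp
+index 820dfa6..eabfe09 100644
+--- a/dom/indexedDB/IndexedDatabaseManager.cpp
++++ b/dom/indexedDB/IndexedDatabaseManager.cpp
+@@ -108,6 +108,8 @@ END_INDEXEDDB_NAMESPACE
+
+namespace {
+
++NS_DEFINE_IID(kIDBRequestIID, PRIVATE_IDBREQUEST_IID);
+++
+mozilla::StaticRefPtr<IndexedDatabaseManager> gDBManager;
+
+mozilla::Atomic<bool> gInitialized(false);
+--
+2.4.3
+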
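--- a/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch
@@ -0,0 +1,29 @@
+From bfad3fb6fc3ab05819be144567ad99921c0c87be Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Thu, 4 Jun 2015 15:04:09 +0100
+Subject: [PATCH] Bug 1169867 - nsXMLHttpRequest should use and free mProxy
+correctly. r=ehsan, a=abillings
+
+--HG--
+extra : transplant_source : 7%D0%8A%F8G%3E%E3%D5%07%5B%7F%D4%2Ct%A6v%CCk%A1%F5
+---
+dom/workers/XMLHttpRequest.cpp | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
+index bf0cd3f..5690af5 100644
+--- a/dom/workers/XMLHttpRequest.cpp
++++ b/dom/workers/XMLHttpRequest.cpp
+@@ -1891,8 +1891,8 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
+
+mProxy->mOpening = true;
+if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
+- ReleaseProxy();
+mProxy->mOpening = false;
++ ReleaseProxy();
+aRv.Throw(NS_ERROR_FAILURE);
+return;
+}
+--
+2.4.3
+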
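Review bot: `mProxy->mOpening = false;` still dereferences `mProxy` unconditionally on the failed-`Dispatch()` path in XMLHttpRequest::Open; the reorder only guarantees that it runs before `ReleaseProxy()`. The part 2 patch for the same bug notes that Dispatch() may spin the event loop, so if the proxy can go away during that window (not visible from this hunk) the write would land on a proxy that is no longer held. A guard such as `if (mProxy) { mProxy->mOpening = false; }` would cover that case. A one-line comment, e.g. `// Clear mOpening before ReleaseProxy(); mProxy must not be touched afterwards.`, would also make the ordering requirement explicit. Open's body starts and ends outside the hunk.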
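--- a/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch
@@ -0,0 +1,31 @@
+From 72cd6e97ae12b89659cd59788bad08cd2f514eff Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Fri, 12 Jun 2015 10:06:19 -0400
+Subject: [PATCH] Bug 1169867 - XMLHttpRequest::SendInternal should not unpin
+itself when the worker goes away. r=bent, a=abillings
+
+--HG--
+extra : transplant_source : %28%B3%BD%9D%E2p%F3%BE%94S%CCD%08%8B%07%8A%CC%17%B0%7B
+---
+dom/workers/XMLHttpRequest.cpp | 5 +++++
+1 file changed, 5 insertions(+)
+
+diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
+index 5690af5..d425eac 100644
+--- a/dom/workers/XMLHttpRequest.cpp
++++ b/dom/workers/XMLHttpRequest.cpp
+@@ -1829,6 +1829,11 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody,
+new SendRunnable(mWorkerPrivate, mProxy, aStringBody, Move(aBody),
+aClonedObjects, syncLoopTarget, hasUploadListeners);
+if (!runnable->Dispatch(cx)) {
++ // Dispatch() may have spun the event loop and we may have already unrooted.
++ // If so we don't want autoUnpin to try again.
++ if (!mRooted) {
++ autoUnpin.Clear();
++ }
+aRv.Throw(NS_ERROR_FAILURE);
+return;
+}
+--
+2.4.3
+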
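--- a/gnu/packages/patches/icecat-CVE-2015-2735.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2735.patch
@@ -0,0 +1,86 @@
+From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Thu, 4 Jun 2015 15:04:10 +0100
+Subject: [PATCH] Bug 1166900 - Better string length check in
+nsZipArchive::GetDataOffset. r+a=dveditz
+
+---
+dom/file/ArchiveZipFile.cpp | 6 ++++--
+modules/libjar/nsZipArchive.cpp | 15 +++++++++------
+2 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp
+index c206b64..d28b5ba 100644
+--- a/dom/file/ArchiveZipFile.cpp
++++ b/dom/file/ArchiveZipFile.cpp
+@@ -102,7 +102,8 @@ ArchiveInputStream::Init()
+uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset);
+
+// The file is corrupt
+- if (offset + ZIPLOCAL_SIZE > mData.parentSize) {
++ if (mData.parentSize < ZIPLOCAL_SIZE ||
++ offset > mData.parentSize - ZIPLOCAL_SIZE) {
+return NS_ERROR_UNEXPECTED;
+}
+
+@@ -137,7 +138,8 @@ ArchiveInputStream::Init()
+ArchiveZipItem::StrToInt16(local.extrafield_len);
+
+// The file is corrupt if there is not enough data
+- if (offset + mData.sizeToBeRead > mData.parentSize) {
++ if (mData.parentSize < mData.sizeToBeRead ||
++ offset > mData.parentSize - mData.sizeToBeRead) {
+return NS_ERROR_UNEXPECTED;
+}
+
+diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
+index f8af715..5ec8225 100644
+--- a/modules/libjar/nsZipArchive.cpp
++++ b/modules/libjar/nsZipArchive.cpp
+@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN
+uint16_t namelen = xtoint(central->filename_len);
+uint16_t extralen = xtoint(central->extrafield_len);
+uint16_t commentlen = xtoint(central->commentfield_len);
+-
+- // Point to the next item at the top of loop
+- buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
++ uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
+
+// Sanity check variable sizes and refuse to deal with
+// anything too big: it's likely a corrupt archive.
+if (namelen < 1 ||
+namelen > kMaxNameLength ||
+- buf >= endp) {
++ buf >= buf + diff || // No overflow
++ buf >= endp - diff) {
+return NS_ERROR_FILE_CORRUPTED;
+}
+
++ // Point to the next item at the top of loop
++ buf += diff;
+++
+nsZipItem* item = CreateZipItem();
+if (!item)
+return NS_ERROR_OUT_OF_MEMORY;
+@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN
+uint32_t len = mFd->mLen;
+const uint8_t* data = mFd->mFileData;
+uint32_t offset = aItem->LocalOffset();
+- if (offset + ZIPLOCAL_SIZE > len)
++ if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
+return nullptr;
+
+// -- check signature before using the structure, in case the zip file is corrupt
+@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN
+xtoint(Local->extrafield_len);
+
+// -- check if there is enough source data in the file
+- if (offset + aItem->Size() > len)
++ if (len < aItem->Size() ||
++ offset > len - aItem->Size())
+return nullptr;
+
+return data + offset;
+--
+2.4.3
+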
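Review bot: The new bounds test in the nsZipArchive.cpp hunk at -637 (`buf >= buf + diff || buf >= endp - diff`) is written in pointer arithmetic, and forming `buf + diff` or `endp - diff` outside the mapped buffer is undefined behaviour, so an optimizing compiler may treat `buf >= buf + diff` as always false and drop it. Comparing lengths avoids that: `diff >= size_t(endp - buf)` expresses the same rejection, assuming `buf <= endp` holds at this point in the loop (the loop header is outside the hunk). The ArchiveZipFile.cpp and GetDataOffset changes in this same patch already use the subtract-on-sizes form. The same pattern appears in icecat-CVE-2015-2736.patch, where `buf = startp + centralOffset` is formed first and only then tested with `if (buf < startp)`; there the offset should be compared with `endp - startp` before the pointer is computed.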
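--- a/gnu/packages/patches/icecat-CVE-2015-2736.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2736.patch
@@ -0,0 +1,34 @@
+From 6daa986c7fdf27835a0f5d897c88f6b8dc42b8db Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Thu, 4 Jun 2015 15:04:10 +0100
+Subject: [PATCH] Bug 1167888 - Better string length check in
+nsZipArchive::BuildFileList. r=smaug, a=dveditz
+
+--HG--
+extra : transplant_source : %5E6%3E%84%B6a%7F%1F%D21zGc%BD%E1%80%EF%0C%B5%F0
+---
+modules/libjar/nsZipArchive.cpp | 7 ++++++-
+1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
+index cb3e5d0..f8af715 100644
+--- a/modules/libjar/nsZipArchive.cpp
++++ b/modules/libjar/nsZipArchive.cpp
+@@ -617,8 +617,13 @@ MOZ_WIN_MEM_TRY_BEGIN
+if (!centralOffset)
+return NS_ERROR_FILE_CORRUPTED;
+
+- //-- Read the central directory headers
+buf = startp + centralOffset;
++
++ // avoid overflow of startp + centralOffset.
++ if (buf < startp)
++ return NS_ERROR_FILE_CORRUPTED;
++
++ //-- Read the central directory headers
+uint32_t sig = 0;
+while (buf + int32_t(sizeof(uint32_t)) <= endp &&
+(sig = xtolong(buf)) == CENTRALSIG) {
+--
+2.4.3
+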
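--- a/gnu/packages/patches/icecat-CVE-2015-2738.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2738.patch
@@ -0,0 +1,151 @@
+From cda807c21650d0678761d6af8fd324ce622962d6 Mon Sep 17 00:00:00 2001
+From: Andrew Comminos <acomminos@mozilla.com>
+Date: Fri, 19 Jun 2015 11:32:17 -0400
+Subject: [PATCH] Bug 1167356 - Handle return value of DataSourceSurface::Map
+wherever possible. r=Bas, a=abillings CLOSED TREE
+
+---
+gfx/2d/SourceSurfaceD2D1.cpp | 11 +++++++++--
+gfx/gl/GLScreenBuffer.cpp | 5 ++++-
+gfx/gl/SharedSurfaceGL.cpp | 5 ++++-
+gfx/layers/YCbCrImageDataSerializer.cpp | 4 +++-
+gfx/layers/opengl/CompositorOGL.cpp | 6 +++++-
+gfx/thebes/gfxPlatform.cpp | 6 ++++--
+widget/gtk/nsImageToPixbuf.cpp | 4 +++-
+7 files changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/gfx/2d/SourceSurfaceD2D1.cpp b/gfx/2d/SourceSurfaceD2D1.cpp
+index fc64327..01f3a67 100644
+--- a/gfx/2d/SourceSurfaceD2D1.cpp
++++ b/gfx/2d/SourceSurfaceD2D1.cpp
+@@ -5,6 +5,7 @@
+
+#include "SourceSurfaceD2D1.h"
+#include "DrawTargetD2D1.h"
++#include "Logging.h"
+#include "Tools.h"
+
+namespace mozilla {
+@@ -156,7 +157,10 @@ DataSourceSurfaceD2D1::Map(MapType aMapType, MappedSurface *aMappedSurface)
+}
+
+D2D1_MAPPED_RECT map;
+- mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map);
++ if (FAILED(mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map))) {
++ gfxCriticalError() << "Failed to map bitmap.";
++ return false;
++ }
+aMappedSurface->mData = map.bits;
+aMappedSurface->mStride = map.pitch;
+
+@@ -189,7 +193,10 @@ DataSourceSurfaceD2D1::EnsureMapped()
+if (mMapped) {
+return;
+}
+- mBitmap->Map(D2D1_MAP_OPTIONS_READ, &mMap);
++ if (FAILED(mBitmap->Map(D2D1_MAP_OPTIONS_READ, &mMap))) {
++ gfxCriticalError() << "Failed to map bitmap.";
++ return;
++ }
+mMapped = true;
+}
+
+diff --git a/gfx/gl/GLScreenBuffer.cpp b/gfx/gl/GLScreenBuffer.cpp
+index 432bdbc..d31e848 100755
+--- a/gfx/gl/GLScreenBuffer.cpp
++++ b/gfx/gl/GLScreenBuffer.cpp
+@@ -483,7 +483,10 @@ GLScreenBuffer::Readback(SharedSurface_GL* src, DataSourceSurface* dest)
+{
+MOZ_ASSERT(src && dest);
+DataSourceSurface::MappedSurface ms;
+- dest->Map(DataSourceSurface::MapType::READ, &ms);
++ if (!dest->Map(DataSourceSurface::MapType::READ, &ms)) {
++ NS_ERROR("Failed to map surface for reading.");
++ return;
++ }
+nsRefPtr<gfxImageSurface> wrappedDest =
+new gfxImageSurface(ms.mData,
+ThebesIntSize(dest->GetSize()),
+diff --git a/gfx/gl/SharedSurfaceGL.cpp b/gfx/gl/SharedSurfaceGL.cpp
+index 1aab56f..1f80c28 100644
+--- a/gfx/gl/SharedSurfaceGL.cpp
++++ b/gfx/gl/SharedSurfaceGL.cpp
+@@ -326,7 +326,10 @@ SharedSurface_Basic::Fence()
+ScopedBindFramebuffer autoFB(mGL, mFB);
+
+DataSourceSurface::MappedSurface map;
+- mData->Map(DataSourceSurface::MapType::WRITE, &map);
++ if (!mData->Map(DataSourceSurface::MapType::WRITE, &map)) {
++ NS_ERROR("Failed to map surface for writing.");
++ return;
++ }
+nsRefPtr<gfxImageSurface> wrappedData =
+new gfxImageSurface(map.mData,
+ThebesIntSize(mData->GetSize()),
+diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp
+index e16db18..6e7a908 100644
+--- a/gfx/layers/YCbCrImageDataSerializer.cpp
++++ b/gfx/layers/YCbCrImageDataSerializer.cpp
+@@ -278,7 +278,9 @@ YCbCrImageDataDeserializer::ToDataSourceSurface()
+Factory::CreateDataSourceSurface(GetYSize(), gfx::SurfaceFormat::B8G8R8X8);
+
+DataSourceSurface::MappedSurface map;
+- result->Map(DataSourceSurface::MapType::WRITE, &map);
++ if (NS_WARN_IF(!result->Map(DataSourceSurface::MapType::WRITE, &map))) {
++ return nullptr;
++ }
+
+gfx::ConvertYCbCrToRGB32(GetYData(), GetCbData(), GetCrData(),
+map.mData,
+diff --git a/gfx/layers/opengl/CompositorOGL.cpp b/gfx/layers/opengl/CompositorOGL.cpp
+index 92432c3..2e0b51e 100644
+--- a/gfx/layers/opengl/CompositorOGL.cpp
++++ b/gfx/layers/opengl/CompositorOGL.cpp
+@@ -1346,7 +1346,11 @@ CompositorOGL::CopyToTarget(DrawTarget *aTarget, const gfx::Matrix& aTransform)
+Factory::CreateDataSourceSurface(rect.Size(), gfx::SurfaceFormat::B8G8R8A8);
+
+DataSourceSurface::MappedSurface map;
+- source->Map(DataSourceSurface::MapType::WRITE, &map);
++ if (!source->Map(DataSourceSurface::MapType::WRITE, &map)) {
++ NS_ERROR("Failed to map surface for writing!");
++ return;
++ }
+++
+// XXX we should do this properly one day without using the gfxImageSurface
+nsRefPtr<gfxImageSurface> surf =
+new gfxImageSurface(map.mData,
+diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp
+index c869e53..8a2122c 100644
+--- a/gfx/thebes/gfxPlatform.cpp
++++ b/gfx/thebes/gfxPlatform.cpp
+@@ -662,8 +662,10 @@ CopySurface(gfxASurface* aSurface)
+}
+
+DataSourceSurface::MappedSurface map;
+- DebugOnly<bool> result = data->Map(DataSourceSurface::WRITE, &map);
+- MOZ_ASSERT(result, "Should always succeed mapping raw data surfaces!");
++ if (!data->Map(DataSourceSurface::WRITE, &map)) {
++ NS_ERROR("Failed to map surface for reading!");
++ return nullptr;
++ }
+
+nsRefPtr<gfxImageSurface> image = new gfxImageSurface(map.mData, size, map.mStride, format);
+nsRefPtr<gfxContext> ctx = new gfxContext(image);
+diff --git a/widget/gtk/nsImageToPixbuf.cpp b/widget/gtk/nsImageToPixbuf.cpp
+index ca05b3b..a83a570 100644
+--- a/widget/gtk/nsImageToPixbuf.cpp
++++ b/widget/gtk/nsImageToPixbuf.cpp
+@@ -75,7 +75,9 @@ nsImageToPixbuf::SourceSurfaceToPixbuf(SourceSurface* aSurface,
+
+RefPtr<DataSourceSurface> dataSurface = aSurface->GetDataSurface();
+DataSourceSurface::MappedSurface map;
+- dataSurface->Map(DataSourceSurface::MapType::READ, &map);
++ if (!dataSurface->Map(DataSourceSurface::MapType::READ, &map))
++ return nullptr;
+++
+uint8_t* srcData = map.mData;
+int32_t srcStride = map.mStride;
+
+--
+2.4.3
+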
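Review bot: DataSourceSurfaceD2D1::EnsureMapped() now returns early when `mBitmap->Map()` fails, but it is `void` and simply leaves `mMapped` false, so its callers have no signal that the mapping failed. If those callers go on to read `mMap` (they are outside this hunk), they would be using an unfilled `D2D1_MAPPED_RECT`; returning `bool` from EnsureMapped, or checking `mMapped` at each call site, would close that gap. Separately, in gfxPlatform.cpp's CopySurface the surface is mapped with `DataSourceSurface::WRITE` while the message reads `"Failed to map surface for reading!"`; it should be `"Failed to map surface for writing!"` to match the other write-mapping call sites.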
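--- a/gnu/packages/patches/icecat-CVE-2015-2739.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2739.patch
@@ -0,0 +1,66 @@
+From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001
+From: Boris Zbarsky <bzbarsky@mit.edu>
+Date: Mon, 1 Jun 2015 16:59:26 -0700
+Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in
+XHR. r=baku a=lizzard
+
+---
+content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++----------
+1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
+index 58a9ee0..56d1aa3 100644
+--- a/content/base/src/nsXMLHttpRequest.cpp
++++ b/content/base/src/nsXMLHttpRequest.cpp
+@@ -7,6 +7,7 @@
+#include "nsXMLHttpRequest.h"
+
+#include "mozilla/ArrayUtils.h"
++#include "mozilla/CheckedInt.h"
+#include "mozilla/dom/XMLHttpRequestUploadBinding.h"
+#include "mozilla/EventDispatcher.h"
+#include "mozilla/EventListenerManager.h"
+@@ -3897,26 +3898,30 @@ bool
+ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
+uint32_t aMaxGrowth)
+{
++ CheckedUint32 neededCapacity = mLength;
++ neededCapacity += aDataLen;
++ if (!neededCapacity.isValid()) {
++ return false;
++ }
+if (mLength + aDataLen > mCapacity) {
+- uint32_t newcap;
++ CheckedUint32 newcap = mCapacity;
+// Double while under aMaxGrowth or if not specified.
+if (!aMaxGrowth || mCapacity < aMaxGrowth) {
+- newcap = mCapacity * 2;
++ newcap *= 2;
+} else {
+- newcap = mCapacity + aMaxGrowth;
++ newcap += aMaxGrowth;
+}
+
+- // But make sure there's always enough to satisfy our request.
+- if (newcap < mLength + aDataLen) {
+- newcap = mLength + aDataLen;
++ if (!newcap.isValid()) {
++ return false;
+}
+
+- // Did we overflow?
+- if (newcap < mCapacity) {
+- return false;
++ // But make sure there's always enough to satisfy our request.
++ if (newcap.value() < neededCapacity.value()) {
++ newcap = neededCapacity;
+}
+
+- if (!setCapacity(newcap)) {
++ if (!setCapacity(newcap.value())) {
+return false;
+}
+}
+--
+2.4.3
+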
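Review bot: After `neededCapacity` has been validated, ArrayBufferBuilder::append still recomputes the sum by hand in `if (mLength + aDataLen > mCapacity) {`. That is safe because the overflowing case has already returned, but it leaves two spellings of the same quantity in one function; `if (neededCapacity.value() > mCapacity) {` keeps every use of the sum on the checked value. The function body continues past the end of the hunk, so any later `mLength + aDataLen` there would deserve the same treatment.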
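--- a/gnu/packages/patches/icecat-CVE-2015-2740.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2740.patch
@@ -0,0 +1,52 @@
+From ccbae7ff07c2e72c48e0676adaa3e798990f33a1 Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Tue, 23 Jun 2015 10:47:38 -0400
+Subject: [PATCH] Bug 1170809 - Improve the buffer size check in
+nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings
+
+---
+content/base/src/nsXMLHttpRequest.cpp | 15 +++++++++++----
+1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
+index 56d1aa3..86425d7 100644
+--- a/content/base/src/nsXMLHttpRequest.cpp
++++ b/content/base/src/nsXMLHttpRequest.cpp
+@@ -655,13 +655,18 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
+&destBufferLen);
+NS_ENSURE_SUCCESS(rv, rv);
+
+- if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible_t())) {
++ uint32_t size = mResponseText.Length() + destBufferLen;
++ if (size < (uint32_t)destBufferLen) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+++
++ if (!mResponseText.SetCapacity(size, fallible_t())) {
+return NS_ERROR_OUT_OF_MEMORY;
+}
+
+char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
+
+- int32_t totalChars = mResponseText.Length();
++ CheckedInt32 totalChars = mResponseText.Length();
+
+// This code here is basically a copy of a similar thing in
+// nsScanner::Append(const char* aBuffer, uint32_t aLen).
+@@ -674,9 +679,11 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
+MOZ_ASSERT(NS_SUCCEEDED(rv));
+
+totalChars += destlen;
++ if (!totalChars.isValid()) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+
+- mResponseText.SetLength(totalChars);
+-
++ mResponseText.SetLength(totalChars.value());
+return NS_OK;
+}
+
+--
+2.4.3
+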
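Review bot: The capacity computation in AppendToResponseText uses a hand-rolled wrap test, `uint32_t size = mResponseText.Length() + destBufferLen;` followed by `if (size < (uint32_t)destBufferLen)`, while `totalChars` a few lines below uses `CheckedInt32`. The manual test is only sound when `destBufferLen` is non-negative. `destBufferLen` appears to be a signed length filled in by the decoder (its declaration is outside the hunk), and the C-style cast would turn a negative value into a large unsigned one. Using the checked type for both, e.g. `CheckedUint32 size = mResponseText.Length(); size += destBufferLen;` followed by an `isValid()` test, rejects wrap-around and out-of-range lengths with one idiom. The function starts outside the hunk.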
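--- a/gnu/packages/patches/icecat-CVE-2015-2743.patch
+++ b/gnu/packages/patches/icecat-CVE-2015-2743.patch
@@ -0,0 +1,73 @@
+From 9ed97d606aaaf79776b0e19a73ba30d8ad0685b5 Mon Sep 17 00:00:00 2001
+From: Ben Turner <bent.mozilla@gmail.com>
+Date: Tue, 26 May 2015 17:27:01 -0400
+Subject: [PATCH] Bug 1163109 - Restrict the resource:// weirdness in workers
+to loads from a system principal. r=bzbarsky, a=lizzard
+
+--HG--
+extra : transplant_source : sQUdu%7C%ED%84%CA%5B%91%89/%1B2%25%CFY%B0%C3
+---
+dom/workers/ScriptLoader.cpp | 37 ++++++++++++++++---------------------
+1 file changed, 16 insertions(+), 21 deletions(-)
+
+diff --git a/dom/workers/ScriptLoader.cpp b/dom/workers/ScriptLoader.cpp
+index 0dfe625..3335c3e 100644
+--- a/dom/workers/ScriptLoader.cpp
++++ b/dom/workers/ScriptLoader.cpp
+@@ -509,22 +509,6 @@ private:
+rv = ssm->GetChannelPrincipal(channel, getter_AddRefs(channelPrincipal));
+NS_ENSURE_SUCCESS(rv, rv);
+
+- // See if this is a resource URI. Since JSMs usually come from resource://
+- // URIs we're currently considering all URIs with the URI_IS_UI_RESOURCE
+- // flag as valid for creating privileged workers.
+- if (!nsContentUtils::IsSystemPrincipal(channelPrincipal)) {
+- bool isResource;
+- rv = NS_URIChainHasFlags(finalURI,
+- nsIProtocolHandler::URI_IS_UI_RESOURCE,
+- &isResource);
+- NS_ENSURE_SUCCESS(rv, rv);
+-
+- if (isResource) {
+- rv = ssm->GetSystemPrincipal(getter_AddRefs(channelPrincipal));
+- NS_ENSURE_SUCCESS(rv, rv);
+- }
+- }
+-
+// If the load principal is the system principal then the channel
+// principal must also be the system principal (we do not allow chrome
+// code to create workers with non-chrome scripts). Otherwise this channel
+@@ -532,14 +516,25 @@ private:
+// here in case redirects changed the location of the script).
+if (nsContentUtils::IsSystemPrincipal(loadPrincipal)) {
+if (!nsContentUtils::IsSystemPrincipal(channelPrincipal)) {
+- return NS_ERROR_DOM_BAD_URI;
++ // See if this is a resource URI. Since JSMs usually come from
++ // resource:// URIs we're currently considering all URIs with the
++ // URI_IS_UI_RESOURCE flag as valid for creating privileged workers.
++ bool isResource;
++ rv = NS_URIChainHasFlags(finalURI,
++ nsIProtocolHandler::URI_IS_UI_RESOURCE,
++ &isResource);
++ NS_ENSURE_SUCCESS(rv, rv);
+++
++ if (isResource) {
++ // Assign the system principal to the resource:// worker only if it
++ // was loaded from code using the system principal.
++ channelPrincipal = loadPrincipal;
++ } else {
++ return NS_ERROR_DOM_BAD_URI;
++ }
+}
+}
+else {
+- nsCString scheme;
+- rv = finalURI->GetScheme(scheme);
+- NS_ENSURE_SUCCESS(rv, rv);
+-
+// We exempt data urls and other URI's that inherit their
+// principal again.
+if (NS_FAILED(loadPrincipal->CheckMayLoad(finalURI, false, true))) {
+--
+2.4.3
+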