mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2025-01-12 14:16:55 -05:00
gnu: icecat: Add fixes for CVE-2016-{2805,2807,2808,2814} etc.
* gnu/packages/patches/icecat-CVE-2016-2805.patch, gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch, gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch, gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch, gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch, gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch, gnu/packages/patches/icecat-CVE-2016-2808.patch, gnu/packages/patches/icecat-CVE-2016-2814.patch, gnu/packages/patches/icecat-update-bundled-graphite2: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches. icecat fixup
This commit is contained in:
parent
3161f6a4ec
commit
dde2a94c09
11 changed files with 3215 additions and 1 deletions
|
@ -530,6 +530,15 @@ dist_patch_DATA = \
|
|||
gnu/packages/patches/hydra-disable-darcs-test.patch \
|
||||
gnu/packages/patches/icecat-avoid-bundled-includes.patch \
|
||||
gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch \
|
||||
gnu/packages/patches/icecat-update-bundled-graphite2.patch \
|
||||
gnu/packages/patches/icecat-CVE-2016-2805.patch \
|
||||
gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch \
|
||||
gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch \
|
||||
gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch \
|
||||
gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch \
|
||||
gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch \
|
||||
gnu/packages/patches/icecat-CVE-2016-2808.patch \
|
||||
gnu/packages/patches/icecat-CVE-2016-2814.patch \
|
||||
gnu/packages/patches/icu4c-CVE-2014-6585.patch \
|
||||
gnu/packages/patches/icu4c-CVE-2015-1270.patch \
|
||||
gnu/packages/patches/icu4c-CVE-2015-4760.patch \
|
||||
|
|
|
@ -299,7 +299,16 @@ (define-public icecat
|
|||
"1wdmd6hasra36g86ha1dw8sl7a5mvr7c4jbjx4zyg9629y5gqr8g"))
|
||||
(patches (search-patches
|
||||
"icecat-avoid-bundled-includes.patch"
|
||||
"icecat-re-enable-DHE-cipher-suites.patch"))
|
||||
"icecat-re-enable-DHE-cipher-suites.patch"
|
||||
"icecat-update-bundled-graphite2.patch"
|
||||
"icecat-CVE-2016-2805.patch"
|
||||
"icecat-CVE-2016-2807-pt1.patch"
|
||||
"icecat-CVE-2016-2807-pt2.patch"
|
||||
"icecat-CVE-2016-2807-pt3.patch"
|
||||
"icecat-CVE-2016-2807-pt4.patch"
|
||||
"icecat-CVE-2016-2807-pt5.patch"
|
||||
"icecat-CVE-2016-2808.patch"
|
||||
"icecat-CVE-2016-2814.patch"))
|
||||
(modules '((guix build utils)))
|
||||
(snippet
|
||||
'(begin
|
||||
|
|
75
gnu/packages/patches/icecat-CVE-2016-2805.patch
Normal file
75
gnu/packages/patches/icecat-CVE-2016-2805.patch
Normal file
|
@ -0,0 +1,75 @@
|
|||
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/bf34b97757b3
|
||||
|
||||
# HG changeset patch
|
||||
# User Jon Coppeard <jcoppeard@mozilla.com>
|
||||
# Date 1453890675 0
|
||||
# Node ID bf34b97757b334af1f9f53b9b59e0b6902e7ed6f
|
||||
# Parent 228ca3f46cabaf3f388f6c6640690772aa13c1a5
|
||||
Bug 1241731 - Handle incomplete buffer in DiscardTransferables r=sfink a=abillings a=sylvestre
|
||||
|
||||
diff --git a/js/src/jit-test/tests/gc/bug-1241731.js b/js/src/jit-test/tests/gc/bug-1241731.js
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/js/src/jit-test/tests/gc/bug-1241731.js
|
||||
@@ -0,0 +1,4 @@
|
||||
+if (!('oomTest' in this))
|
||||
+ quit();
|
||||
+
|
||||
+oomTest(() => serialize(0, [{}]));
|
||||
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
|
||||
--- a/js/src/vm/StructuredClone.cpp
|
||||
+++ b/js/src/vm/StructuredClone.cpp
|
||||
@@ -379,39 +379,50 @@ ReadStructuredClone(JSContext* cx, uint6
|
||||
|
||||
// If the given buffer contains Transferables, free them. Note that custom
|
||||
// Transferables will use the JSStructuredCloneCallbacks::freeTransfer() to
|
||||
// delete their transferables.
|
||||
static void
|
||||
Discard(uint64_t* buffer, size_t nbytes, const JSStructuredCloneCallbacks* cb, void* cbClosure)
|
||||
{
|
||||
MOZ_ASSERT(nbytes % sizeof(uint64_t) == 0);
|
||||
- if (nbytes < sizeof(uint64_t))
|
||||
+ uint64_t* end = buffer + nbytes / sizeof(uint64_t);
|
||||
+ uint64_t* point = buffer;
|
||||
+ if (point == end)
|
||||
return; // Empty buffer
|
||||
|
||||
- uint64_t* point = buffer;
|
||||
uint32_t tag, data;
|
||||
SCInput::getPair(point++, &tag, &data);
|
||||
if (tag != SCTAG_TRANSFER_MAP_HEADER)
|
||||
return;
|
||||
|
||||
if (TransferableMapHeader(data) == SCTAG_TM_TRANSFERRED)
|
||||
return;
|
||||
|
||||
// freeTransfer should not GC
|
||||
JS::AutoSuppressGCAnalysis nogc;
|
||||
|
||||
+ if (point == end)
|
||||
+ return;
|
||||
+
|
||||
uint64_t numTransferables = LittleEndian::readUint64(point++);
|
||||
while (numTransferables--) {
|
||||
+ if (point == end)
|
||||
+ return;
|
||||
+
|
||||
uint32_t ownership;
|
||||
SCInput::getPair(point++, &tag, &ownership);
|
||||
MOZ_ASSERT(tag >= SCTAG_TRANSFER_MAP_PENDING_ENTRY);
|
||||
+ if (point == end)
|
||||
+ return;
|
||||
|
||||
void* content;
|
||||
SCInput::getPtr(point++, &content);
|
||||
+ if (point == end)
|
||||
+ return;
|
||||
|
||||
uint64_t extraData = LittleEndian::readUint64(point++);
|
||||
|
||||
if (ownership < JS::SCTAG_TMO_FIRST_OWNED)
|
||||
continue;
|
||||
|
||||
if (ownership == JS::SCTAG_TMO_ALLOC_DATA) {
|
||||
js_free(content);
|
||||
|
35
gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch
Normal file
35
gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch
Normal file
|
@ -0,0 +1,35 @@
|
|||
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/e7c23c08bf84
|
||||
|
||||
# HG changeset patch
|
||||
# User Randell Jesup <rjesup@jesup.org>
|
||||
# Date 1458543433 14400
|
||||
# Node ID e7c23c08bf84a02d9154f31e0c5d121a45884a69
|
||||
# Parent a6de1f453712edabff597879398606708c191098
|
||||
Bug 1254876: assert windows recording is shut down r=pkerr a=ritu
|
||||
|
||||
MozReview-Commit-ID: JRqxBb5TgrE
|
||||
|
||||
diff --git a/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc b/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc
|
||||
--- a/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc
|
||||
+++ b/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc
|
||||
@@ -567,16 +567,19 @@ AudioDeviceWindowsCore::AudioDeviceWindo
|
||||
// ----------------------------------------------------------------------------
|
||||
|
||||
AudioDeviceWindowsCore::~AudioDeviceWindowsCore()
|
||||
{
|
||||
WEBRTC_TRACE(kTraceMemory, kTraceAudioDevice, _id, "%s destroyed", __FUNCTION__);
|
||||
|
||||
Terminate();
|
||||
|
||||
+ // Recording thread should be shut down before this!
|
||||
+ assert(_hRecThread == NULL);
|
||||
+
|
||||
// The IMMDeviceEnumerator is created during construction. Must release
|
||||
// it here and not in Terminate() since we don't recreate it in Init().
|
||||
SAFE_RELEASE(_ptrEnumerator);
|
||||
|
||||
_ptrAudioBuffer = NULL;
|
||||
|
||||
if (NULL != _hRenderSamplesReadyEvent)
|
||||
{
|
||||
|
69
gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch
Normal file
69
gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch
Normal file
|
@ -0,0 +1,69 @@
|
|||
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3d2b62083a6a
|
||||
|
||||
# HG changeset patch
|
||||
# User Shu-yu Guo <shu@rfrn.org>
|
||||
# Date 1459741387 -7200
|
||||
# Node ID 3d2b62083a6a4fb43cb330d77142f9dce0959a23
|
||||
# Parent 9d4364f6b55c6ee65c13c491292c3abe1ee2c993
|
||||
Bug 1254164 - Make aliasedBodyLevelLexicalBegin a uint32. r=Waldo, a=ritu
|
||||
|
||||
diff --git a/js/src/jit-test/tests/parser/bug-1254164.js b/js/src/jit-test/tests/parser/bug-1254164.js
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/js/src/jit-test/tests/parser/bug-1254164.js
|
||||
@@ -0,0 +1,6 @@
|
||||
+// |jit-test| slow;
|
||||
+
|
||||
+var s = '';
|
||||
+for (var i = 0; i < 70000; i++)
|
||||
+ s += 'function x' + i + '() { x' + i + '(); }\n';
|
||||
+eval("(function() { " + s + " })();");
|
||||
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
|
||||
--- a/js/src/jsscript.cpp
|
||||
+++ b/js/src/jsscript.cpp
|
||||
@@ -111,17 +111,20 @@ Bindings::initWithTemporaryStorage(Exclu
|
||||
// JITs when interpreting/compiling aliasedvar ops.)
|
||||
|
||||
// Since unaliased variables are, by definition, only accessed by local
|
||||
// operations and never through the scope chain, only give shapes to
|
||||
// aliased variables. While the debugger may observe any scope object at
|
||||
// any time, such accesses are mediated by DebugScopeProxy (see
|
||||
// DebugScopeProxy::handleUnaliasedAccess).
|
||||
uint32_t nslots = CallObject::RESERVED_SLOTS;
|
||||
- uint32_t aliasedBodyLevelLexicalBegin = UINT16_MAX;
|
||||
+
|
||||
+ // Unless there are aliased body-level lexical bindings at all, set the
|
||||
+ // begin index to an impossible slot number.
|
||||
+ uint32_t aliasedBodyLevelLexicalBegin = LOCALNO_LIMIT;
|
||||
for (BindingIter bi(self); bi; bi++) {
|
||||
if (bi->aliased()) {
|
||||
// Per ES6, lexical bindings cannot be accessed until
|
||||
// initialized. Remember the first aliased slot that is a
|
||||
// body-level lexical, so that they may be initialized to sentinel
|
||||
// magic values.
|
||||
if (numBodyLevelLexicals > 0 &&
|
||||
nslots < aliasedBodyLevelLexicalBegin &&
|
||||
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
|
||||
--- a/js/src/jsscript.h
|
||||
+++ b/js/src/jsscript.h
|
||||
@@ -201,18 +201,18 @@ class Bindings
|
||||
friend class BindingIter;
|
||||
friend class AliasedFormalIter;
|
||||
|
||||
RelocatablePtrShape callObjShape_;
|
||||
uintptr_t bindingArrayAndFlag_;
|
||||
uint16_t numArgs_;
|
||||
uint16_t numBlockScoped_;
|
||||
uint16_t numBodyLevelLexicals_;
|
||||
- uint16_t aliasedBodyLevelLexicalBegin_;
|
||||
uint16_t numUnaliasedBodyLevelLexicals_;
|
||||
+ uint32_t aliasedBodyLevelLexicalBegin_;
|
||||
uint32_t numVars_;
|
||||
uint32_t numUnaliasedVars_;
|
||||
|
||||
#if JS_BITS_PER_WORD == 32
|
||||
// Bindings is allocated inline inside JSScript, which needs to be
|
||||
// gc::Cell aligned.
|
||||
uint32_t padding_;
|
||||
#endif
|
||||
|
33
gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch
Normal file
33
gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch
Normal file
|
@ -0,0 +1,33 @@
|
|||
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/88f1eb2c3f4b
|
||||
|
||||
# HG changeset patch
|
||||
# User Timothy Nikkel <tnikkel@gmail.com>
|
||||
# Date 1457637807 21600
|
||||
# Node ID 88f1eb2c3f4b4b57365ed88223cf8adc2bec4610
|
||||
# Parent bf34b97757b334af1f9f53b9b59e0b6902e7ed6f
|
||||
Bug 1187420. r=drc r=jmuizelaar a=sylvestre
|
||||
|
||||
MozReview-Commit-ID: Hh0Khqfj8Bf
|
||||
|
||||
diff --git a/media/libjpeg/jstdhuff.c b/media/libjpeg/jstdhuff.c
|
||||
--- a/media/libjpeg/jstdhuff.c
|
||||
+++ b/media/libjpeg/jstdhuff.c
|
||||
@@ -36,16 +36,17 @@ add_huff_table (j_common_ptr cinfo,
|
||||
*/
|
||||
nsymbols = 0;
|
||||
for (len = 1; len <= 16; len++)
|
||||
nsymbols += bits[len];
|
||||
if (nsymbols < 1 || nsymbols > 256)
|
||||
ERREXIT(cinfo, JERR_BAD_HUFF_TABLE);
|
||||
|
||||
MEMCOPY((*htblptr)->huffval, val, nsymbols * sizeof(UINT8));
|
||||
+ MEMZERO(&((*htblptr)->huffval[nsymbols]), (256 - nsymbols) * sizeof(UINT8));
|
||||
|
||||
/* Initialize sent_table FALSE so table will be written to JPEG file. */
|
||||
(*htblptr)->sent_table = FALSE;
|
||||
}
|
||||
|
||||
|
||||
LOCAL(void)
|
||||
std_huff_tables (j_common_ptr cinfo)
|
||||
|
37
gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch
Normal file
37
gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch
Normal file
|
@ -0,0 +1,37 @@
|
|||
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/5c312182da90
|
||||
|
||||
# HG changeset patch
|
||||
# User Jan de Mooij <jdemooij@mozilla.com>
|
||||
# Date 1458828581 -3600
|
||||
# Node ID 5c312182da9020504103aa329360abaffa7e232d
|
||||
# Parent fa4efccde9b7efde8763a178a6cf422b6d37a0e9
|
||||
Bug 1254622 - Relookup group->newScript in CreateThisForFunctionWithGroup. r=bhackett a=sylvestre
|
||||
|
||||
MozReview-Commit-ID: KXd7kB70f1Z
|
||||
|
||||
diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
|
||||
--- a/js/src/jsobj.cpp
|
||||
+++ b/js/src/jsobj.cpp
|
||||
@@ -1574,18 +1574,19 @@ CreateThisForFunctionWithGroup(JSContext
|
||||
// Not enough objects with this group have been created yet, so make a
|
||||
// plain object and register it with the group. Use the maximum number
|
||||
// of fixed slots, as is also required by the TypeNewScript.
|
||||
gc::AllocKind allocKind = GuessObjectGCKind(NativeObject::MAX_FIXED_SLOTS);
|
||||
PlainObject* res = NewObjectWithGroup<PlainObject>(cx, group, parent, allocKind, newKind);
|
||||
if (!res)
|
||||
return nullptr;
|
||||
|
||||
- if (newKind != SingletonObject)
|
||||
- newScript->registerNewObject(res);
|
||||
+ // Make sure group->newScript is still there.
|
||||
+ if (newKind != SingletonObject && group->newScript())
|
||||
+ group->newScript()->registerNewObject(res);
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
gc::AllocKind allocKind = NewObjectGCKind(&PlainObject::class_);
|
||||
|
||||
if (newKind == SingletonObject) {
|
||||
Rooted<TaggedProto> protoRoot(cx, group->proto());
|
||||
|
35
gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch
Normal file
35
gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch
Normal file
|
@ -0,0 +1,35 @@
|
|||
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3fdd280fa099
|
||||
|
||||
# HG changeset patch
|
||||
# User Carsten "Tomcat" Book <cbook@mozilla.com>
|
||||
# Date 1461123938 -7200
|
||||
# Node ID 3fdd280fa099b6453ce9fd9905af883bc2ebce24
|
||||
# Parent 52dfdd37150d62f708dc5bf61dd28f3967596788
|
||||
Bug 1252707 - a=sylvestre
|
||||
|
||||
diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp
|
||||
--- a/js/src/vm/Shape.cpp
|
||||
+++ b/js/src/vm/Shape.cpp
|
||||
@@ -382,18 +382,20 @@ NativeObject::getChildPropertyOnDictiona
|
||||
|
||||
if (obj->inDictionaryMode()) {
|
||||
MOZ_ASSERT(parent == obj->lastProperty());
|
||||
RootedGeneric<StackShape*> childRoot(cx, &child);
|
||||
shape = childRoot->isAccessorShape() ? NewGCAccessorShape(cx) : NewGCShape(cx);
|
||||
if (!shape)
|
||||
return nullptr;
|
||||
if (childRoot->hasSlot() && childRoot->slot() >= obj->lastProperty()->base()->slotSpan()) {
|
||||
- if (!obj->setSlotSpan(cx, childRoot->slot() + 1))
|
||||
+ if (!obj->setSlotSpan(cx, childRoot->slot() + 1)) {
|
||||
+ new (shape) Shape(obj->lastProperty()->base()->unowned(), 0);
|
||||
return nullptr;
|
||||
+ }
|
||||
}
|
||||
shape->initDictionaryShape(*childRoot, obj->numFixedSlots(), &obj->shape_);
|
||||
}
|
||||
|
||||
return shape;
|
||||
}
|
||||
|
||||
/* static */ Shape*
|
||||
|
389
gnu/packages/patches/icecat-CVE-2016-2808.patch
Normal file
389
gnu/packages/patches/icecat-CVE-2016-2808.patch
Normal file
|
@ -0,0 +1,389 @@
|
|||
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/71f611fd27c7
|
||||
|
||||
# HG changeset patch
|
||||
# User Jeff Walden <jwalden@mit.edu>
|
||||
# Date 1458941573 25200
|
||||
# Node ID 71f611fd27c7d6cb7d6dab9895c2922948042543
|
||||
# Parent 861f6b83ce1deade2a976cabe059776ad51ce370
|
||||
Bug 1246061. r=luke, r=froydnj, a=sylvestre
|
||||
|
||||
diff --git a/js/public/HashTable.h b/js/public/HashTable.h
|
||||
--- a/js/public/HashTable.h
|
||||
+++ b/js/public/HashTable.h
|
||||
@@ -8,16 +8,17 @@
|
||||
#define js_HashTable_h
|
||||
|
||||
#include "mozilla/Alignment.h"
|
||||
#include "mozilla/Assertions.h"
|
||||
#include "mozilla/Attributes.h"
|
||||
#include "mozilla/Casting.h"
|
||||
#include "mozilla/MemoryReporting.h"
|
||||
#include "mozilla/Move.h"
|
||||
+#include "mozilla/Opaque.h"
|
||||
#include "mozilla/PodOperations.h"
|
||||
#include "mozilla/ReentrancyGuard.h"
|
||||
#include "mozilla/TemplateLib.h"
|
||||
#include "mozilla/TypeTraits.h"
|
||||
|
||||
#include "js/Utility.h"
|
||||
|
||||
namespace js {
|
||||
@@ -27,16 +28,18 @@ template <class> struct DefaultHasher;
|
||||
template <class, class> class HashMapEntry;
|
||||
namespace detail {
|
||||
template <class T> class HashTableEntry;
|
||||
template <class T, class HashPolicy, class AllocPolicy> class HashTable;
|
||||
}
|
||||
|
||||
/*****************************************************************************/
|
||||
|
||||
+using Generation = mozilla::Opaque<uint64_t>;
|
||||
+
|
||||
// A JS-friendly, STL-like container providing a hash-based map from keys to
|
||||
// values. In particular, HashMap calls constructors and destructors of all
|
||||
// objects added so non-PODs may be used safely.
|
||||
//
|
||||
// Key/Value requirements:
|
||||
// - movable, destructible, assignable
|
||||
// HashPolicy requirements:
|
||||
// - see Hash Policy section below
|
||||
@@ -200,17 +203,19 @@ class HashMap
|
||||
return impl.sizeOfExcludingThis(mallocSizeOf);
|
||||
}
|
||||
size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
|
||||
return mallocSizeOf(this) + impl.sizeOfExcludingThis(mallocSizeOf);
|
||||
}
|
||||
|
||||
// If |generation()| is the same before and after a HashMap operation,
|
||||
// pointers into the table remain valid.
|
||||
- uint32_t generation() const { return impl.generation(); }
|
||||
+ Generation generation() const {
|
||||
+ return impl.generation();
|
||||
+ }
|
||||
|
||||
/************************************************** Shorthand operations */
|
||||
|
||||
bool has(const Lookup& l) const {
|
||||
return impl.lookup(l).found();
|
||||
}
|
||||
|
||||
// Overwrite existing value with v. Return false on oom.
|
||||
@@ -431,17 +436,19 @@ class HashSet
|
||||
return impl.sizeOfExcludingThis(mallocSizeOf);
|
||||
}
|
||||
size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
|
||||
return mallocSizeOf(this) + impl.sizeOfExcludingThis(mallocSizeOf);
|
||||
}
|
||||
|
||||
// If |generation()| is the same before and after a HashSet operation,
|
||||
// pointers into the table remain valid.
|
||||
- uint32_t generation() const { return impl.generation(); }
|
||||
+ Generation generation() const {
|
||||
+ return impl.generation();
|
||||
+ }
|
||||
|
||||
/************************************************** Shorthand operations */
|
||||
|
||||
bool has(const Lookup& l) const {
|
||||
return impl.lookup(l).found();
|
||||
}
|
||||
|
||||
// Add |u| if it is not present already. Return false on oom.
|
||||
@@ -766,17 +773,17 @@ class HashTable : private AllocPolicy
|
||||
// table operations unless |generation()| is tested.
|
||||
class Ptr
|
||||
{
|
||||
friend class HashTable;
|
||||
|
||||
Entry* entry_;
|
||||
#ifdef JS_DEBUG
|
||||
const HashTable* table_;
|
||||
- uint32_t generation;
|
||||
+ Generation generation;
|
||||
#endif
|
||||
|
||||
protected:
|
||||
Ptr(Entry& entry, const HashTable& tableArg)
|
||||
: entry_(&entry)
|
||||
#ifdef JS_DEBUG
|
||||
, table_(&tableArg)
|
||||
, generation(tableArg.generation())
|
||||
@@ -873,17 +880,17 @@ class HashTable : private AllocPolicy
|
||||
while (cur < end && !cur->isLive())
|
||||
++cur;
|
||||
}
|
||||
|
||||
Entry* cur, *end;
|
||||
#ifdef JS_DEBUG
|
||||
const HashTable* table_;
|
||||
uint64_t mutationCount;
|
||||
- uint32_t generation;
|
||||
+ Generation generation;
|
||||
bool validEntry;
|
||||
#endif
|
||||
|
||||
public:
|
||||
Range()
|
||||
: cur(nullptr)
|
||||
, end(nullptr)
|
||||
#ifdef JS_DEBUG
|
||||
@@ -1012,18 +1019,18 @@ class HashTable : private AllocPolicy
|
||||
// HashTable is not copyable or assignable
|
||||
HashTable(const HashTable&) = delete;
|
||||
void operator=(const HashTable&) = delete;
|
||||
|
||||
private:
|
||||
static const size_t CAP_BITS = 24;
|
||||
|
||||
public:
|
||||
- Entry* table; // entry storage
|
||||
- uint32_t gen; // entry storage generation number
|
||||
+ uint64_t gen; // entry storage generation number
|
||||
+ Entry* table; // entry storage
|
||||
uint32_t entryCount; // number of entries in table
|
||||
uint32_t removedCount:CAP_BITS; // removed entry sentinels in table
|
||||
uint32_t hashShift:8; // multiplicative hash shift
|
||||
|
||||
#ifdef JS_DEBUG
|
||||
uint64_t mutationCount;
|
||||
mutable bool mEntered;
|
||||
mutable struct Stats
|
||||
@@ -1097,18 +1104,18 @@ class HashTable : private AllocPolicy
|
||||
for (Entry* e = oldTable, *end = e + capacity; e < end; ++e)
|
||||
e->destroyIfLive();
|
||||
alloc.free_(oldTable);
|
||||
}
|
||||
|
||||
public:
|
||||
explicit HashTable(AllocPolicy ap)
|
||||
: AllocPolicy(ap)
|
||||
+ , gen(0)
|
||||
, table(nullptr)
|
||||
- , gen(0)
|
||||
, entryCount(0)
|
||||
, removedCount(0)
|
||||
, hashShift(sHashBits)
|
||||
#ifdef JS_DEBUG
|
||||
, mutationCount(0)
|
||||
, mEntered(false)
|
||||
#endif
|
||||
{}
|
||||
@@ -1524,20 +1531,20 @@ class HashTable : private AllocPolicy
|
||||
}
|
||||
|
||||
uint32_t capacity() const
|
||||
{
|
||||
MOZ_ASSERT(table);
|
||||
return JS_BIT(sHashBits - hashShift);
|
||||
}
|
||||
|
||||
- uint32_t generation() const
|
||||
+ Generation generation() const
|
||||
{
|
||||
MOZ_ASSERT(table);
|
||||
- return gen;
|
||||
+ return Generation(gen);
|
||||
}
|
||||
|
||||
size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const
|
||||
{
|
||||
return mallocSizeOf(table);
|
||||
}
|
||||
|
||||
size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const
|
||||
diff --git a/js/src/jsapi.h b/js/src/jsapi.h
|
||||
--- a/js/src/jsapi.h
|
||||
+++ b/js/src/jsapi.h
|
||||
@@ -270,20 +270,16 @@ class AutoHashMapRooter : protected Auto
|
||||
|
||||
size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
|
||||
return map.sizeOfExcludingThis(mallocSizeOf);
|
||||
}
|
||||
size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
|
||||
return map.sizeOfIncludingThis(mallocSizeOf);
|
||||
}
|
||||
|
||||
- uint32_t generation() const {
|
||||
- return map.generation();
|
||||
- }
|
||||
-
|
||||
/************************************************** Shorthand operations */
|
||||
|
||||
bool has(const Lookup& l) const {
|
||||
return map.has(l);
|
||||
}
|
||||
|
||||
template<typename KeyInput, typename ValueInput>
|
||||
bool put(const KeyInput& k, const ValueInput& v) {
|
||||
@@ -385,20 +381,16 @@ class AutoHashSetRooter : protected Auto
|
||||
|
||||
size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
|
||||
return set.sizeOfExcludingThis(mallocSizeOf);
|
||||
}
|
||||
size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
|
||||
return set.sizeOfIncludingThis(mallocSizeOf);
|
||||
}
|
||||
|
||||
- uint32_t generation() const {
|
||||
- return set.generation();
|
||||
- }
|
||||
-
|
||||
/************************************************** Shorthand operations */
|
||||
|
||||
bool has(const Lookup& l) const {
|
||||
return set.has(l);
|
||||
}
|
||||
|
||||
bool put(const T& t) {
|
||||
return set.put(t);
|
||||
diff --git a/js/src/jscntxt.h b/js/src/jscntxt.h
|
||||
--- a/js/src/jscntxt.h
|
||||
+++ b/js/src/jscntxt.h
|
||||
@@ -30,21 +30,21 @@ class DebugModeOSRVolatileJitFrameIterat
|
||||
}
|
||||
|
||||
typedef HashSet<JSObject*> ObjectSet;
|
||||
typedef HashSet<Shape*> ShapeSet;
|
||||
|
||||
/* Detects cycles when traversing an object graph. */
|
||||
class AutoCycleDetector
|
||||
{
|
||||
+ Generation hashsetGenerationAtInit;
|
||||
JSContext* cx;
|
||||
RootedObject obj;
|
||||
+ ObjectSet::AddPtr hashsetAddPointer;
|
||||
bool cyclic;
|
||||
- uint32_t hashsetGenerationAtInit;
|
||||
- ObjectSet::AddPtr hashsetAddPointer;
|
||||
MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
|
||||
|
||||
public:
|
||||
AutoCycleDetector(JSContext* cx, HandleObject objArg
|
||||
MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
|
||||
: cx(cx), obj(cx, objArg), cyclic(true)
|
||||
{
|
||||
MOZ_GUARD_OBJECT_NOTIFIER_INIT;
|
||||
diff --git a/js/src/jswatchpoint.cpp b/js/src/jswatchpoint.cpp
|
||||
--- a/js/src/jswatchpoint.cpp
|
||||
+++ b/js/src/jswatchpoint.cpp
|
||||
@@ -22,25 +22,25 @@ DefaultHasher<WatchKey>::hash(const Look
|
||||
{
|
||||
return DefaultHasher<JSObject*>::hash(key.object.get()) ^ HashId(key.id.get());
|
||||
}
|
||||
|
||||
namespace {
|
||||
|
||||
class AutoEntryHolder {
|
||||
typedef WatchpointMap::Map Map;
|
||||
+ Generation gen;
|
||||
Map& map;
|
||||
Map::Ptr p;
|
||||
- uint32_t gen;
|
||||
RootedObject obj;
|
||||
RootedId id;
|
||||
|
||||
public:
|
||||
AutoEntryHolder(JSContext* cx, Map& map, Map::Ptr p)
|
||||
- : map(map), p(p), gen(map.generation()), obj(cx, p->key().object), id(cx, p->key().id)
|
||||
+ : gen(map.generation()), map(map), p(p), obj(cx, p->key().object), id(cx, p->key().id)
|
||||
{
|
||||
MOZ_ASSERT(!p->value().held);
|
||||
p->value().held = true;
|
||||
}
|
||||
|
||||
~AutoEntryHolder() {
|
||||
if (gen != map.generation())
|
||||
p = map.lookup(WatchKey(obj, id));
|
||||
diff --git a/js/src/shell/jsheaptools.cpp b/js/src/shell/jsheaptools.cpp
|
||||
--- a/js/src/shell/jsheaptools.cpp
|
||||
+++ b/js/src/shell/jsheaptools.cpp
|
||||
@@ -267,17 +267,17 @@ HeapReverser::traverseEdge(void* cell, J
|
||||
Map::AddPtr a = map.lookupForAdd(cell);
|
||||
if (!a) {
|
||||
/*
|
||||
* We've never visited this cell before. Add it to the map (thus
|
||||
* marking it as visited), and put it on the work stack, to be
|
||||
* visited from the main loop.
|
||||
*/
|
||||
Node n(kind);
|
||||
- uint32_t generation = map.generation();
|
||||
+ Generation generation = map.generation();
|
||||
if (!map.add(a, cell, Move(n)) ||
|
||||
!work.append(Child(cell, kind)))
|
||||
return false;
|
||||
/* If the map has been resized, re-check the pointer. */
|
||||
if (map.generation() != generation)
|
||||
a = map.lookupForAdd(cell);
|
||||
}
|
||||
|
||||
diff --git a/mfbt/Opaque.h b/mfbt/Opaque.h
|
||||
new file mode 100644
|
||||
--- /dev/null
|
||||
+++ b/mfbt/Opaque.h
|
||||
@@ -0,0 +1,44 @@
|
||||
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
|
||||
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
|
||||
+/* This Source Code Form is subject to the terms of the Mozilla Public
|
||||
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
|
||||
+
|
||||
+/* An opaque integral type supporting only comparison operators. */
|
||||
+
|
||||
+#ifndef mozilla_Opaque_h
|
||||
+#define mozilla_Opaque_h
|
||||
+
|
||||
+#include "mozilla/TypeTraits.h"
|
||||
+
|
||||
+namespace mozilla {
|
||||
+
|
||||
+/**
|
||||
+ * Opaque<T> is a replacement for integral T in cases where only comparisons
|
||||
+ * must be supported, and it's desirable to prevent accidental dependency on
|
||||
+ * exact values.
|
||||
+ */
|
||||
+template<typename T>
|
||||
+class Opaque final
|
||||
+{
|
||||
+ static_assert(mozilla::IsIntegral<T>::value,
|
||||
+ "mozilla::Opaque only supports integral types");
|
||||
+
|
||||
+ T mValue;
|
||||
+
|
||||
+public:
|
||||
+ Opaque() {}
|
||||
+ explicit Opaque(T aValue) : mValue(aValue) {}
|
||||
+
|
||||
+ bool operator==(const Opaque& aOther) const {
|
||||
+ return mValue == aOther.mValue;
|
||||
+ }
|
||||
+
|
||||
+ bool operator!=(const Opaque& aOther) const {
|
||||
+ return !(*this == aOther);
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+} // namespace mozilla
|
||||
+
|
||||
+#endif /* mozilla_Opaque_h */
|
||||
diff --git a/mfbt/moz.build b/mfbt/moz.build
|
||||
--- a/mfbt/moz.build
|
||||
+++ b/mfbt/moz.build
|
||||
@@ -48,16 +48,17 @@ EXPORTS.mozilla = [
|
||||
'MathAlgorithms.h',
|
||||
'Maybe.h',
|
||||
'MaybeOneOf.h',
|
||||
'MemoryChecking.h',
|
||||
'MemoryReporting.h',
|
||||
'Move.h',
|
||||
'NullPtr.h',
|
||||
'NumericLimits.h',
|
||||
+ 'Opaque.h',
|
||||
'Pair.h',
|
||||
'PodOperations.h',
|
||||
'Poison.h',
|
||||
'Range.h',
|
||||
'RangedPtr.h',
|
||||
'RefCountType.h',
|
||||
'ReentrancyGuard.h',
|
||||
'RefPtr.h',
|
||||
|
35
gnu/packages/patches/icecat-CVE-2016-2814.patch
Normal file
35
gnu/packages/patches/icecat-CVE-2016-2814.patch
Normal file
|
@ -0,0 +1,35 @@
|
|||
|
||||
# HG changeset patch
|
||||
# User Jean-Yves Avenard <jyavenard@mozilla.com>
|
||||
# Date 1460655260 25200
|
||||
# Node ID a13c0bc84d6eb132f4199f563fbe228d2d3b3a51
|
||||
# Parent 88f1eb2c3f4b4b57365ed88223cf8adc2bec4610
|
||||
Bug 1254721: Ensure consistency between Cenc offsets and sizes table. r=gerald a=sylvestre
|
||||
|
||||
MozReview-Commit-ID: E1KbKIIBR87
|
||||
|
||||
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp b/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
|
||||
--- a/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
|
||||
+++ b/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
|
||||
@@ -612,18 +612,18 @@ status_t
|
||||
SampleTable::parseSampleCencInfo() {
|
||||
if ((!mCencDefaultSize && !mCencInfoCount) || mCencOffsets.isEmpty()) {
|
||||
// We don't have all the cenc information we need yet. Quietly fail and
|
||||
// hope we get the data we need later in the track header.
|
||||
ALOGV("Got half of cenc saio/saiz pair. Deferring parse until we get the other half.");
|
||||
return OK;
|
||||
}
|
||||
|
||||
- if (!mCencSizes.isEmpty() && mCencOffsets.size() > 1 &&
|
||||
- mCencSizes.size() != mCencOffsets.size()) {
|
||||
+ if ((mCencOffsets.size() > 1 && mCencOffsets.size() < mCencInfoCount) ||
|
||||
+ (!mCencDefaultSize && mCencSizes.size() < mCencInfoCount)) {
|
||||
return ERROR_MALFORMED;
|
||||
}
|
||||
|
||||
if (mCencInfoCount > kMAX_ALLOCATION / sizeof(SampleCencInfo)) {
|
||||
// Avoid future OOM.
|
||||
return ERROR_MALFORMED;
|
||||
}
|
||||
|
||||
|
2488
gnu/packages/patches/icecat-update-bundled-graphite2.patch
Normal file
2488
gnu/packages/patches/icecat-update-bundled-graphite2.patch
Normal file
File diff suppressed because it is too large
Load diff
Loading…
Reference in a new issue