guix/gnu/packages/patches/icecat-CVE-2015-2739.patch
Mark H Weaver 4463c0d216 gnu: icecat: Fix CVE-2015-{2722,2724,2728,2733,2735,2736,2738,2739,2740,2743}.
* gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch,
  gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2735.patch,
  gnu/packages/patches/icecat-CVE-2015-2736.patch,
  gnu/packages/patches/icecat-CVE-2015-2738.patch,
  gnu/packages/patches/icecat-CVE-2015-2739.patch,
  gnu/packages/patches/icecat-CVE-2015-2740.patch,
  gnu/packages/patches/icecat-CVE-2015-2743.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
2015-07-04 05:44:10 -04:00


From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001
From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Mon, 1 Jun 2015 16:59:26 -0700
Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in
XHR. r=baku a=lizzard
---
content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++----------
1 file changed, 15 insertions(+), 10 deletions(-)
diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
index 58a9ee0..56d1aa3 100644
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -7,6 +7,7 @@
#include "nsXMLHttpRequest.h"
#include "mozilla/ArrayUtils.h"
+#include "mozilla/CheckedInt.h"
#include "mozilla/dom/XMLHttpRequestUploadBinding.h"
#include "mozilla/EventDispatcher.h"
#include "mozilla/EventListenerManager.h"
@@ -3897,26 +3898,30 @@ bool
ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
uint32_t aMaxGrowth)
{
+ CheckedUint32 neededCapacity = mLength;
+ neededCapacity += aDataLen;
+ if (!neededCapacity.isValid()) {
+ return false;
+ }
if (mLength + aDataLen > mCapacity) {
- uint32_t newcap;
+ CheckedUint32 newcap = mCapacity;
// Double while under aMaxGrowth or if not specified.
if (!aMaxGrowth || mCapacity < aMaxGrowth) {
- newcap = mCapacity * 2;
+ newcap *= 2;
} else {
- newcap = mCapacity + aMaxGrowth;
+ newcap += aMaxGrowth;
}
- // But make sure there's always enough to satisfy our request.
- if (newcap < mLength + aDataLen) {
- newcap = mLength + aDataLen;
+ if (!newcap.isValid()) {
+ return false;
}
- // Did we overflow?
- if (newcap < mCapacity) {
- return false;
+ // But make sure there's always enough to satisfy our request.
+ if (newcap.value() < neededCapacity.value()) {
+ newcap = neededCapacity;
}
- if (!setCapacity(newcap)) {
+ if (!setCapacity(newcap.value())) {
return false;
}
}
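Review bot: The capacity test `if (mLength + aDataLen > mCapacity)` still recomputes the sum in plain uint32_t arithmetic instead of using the checked value built just above it. It is safe as written only because the `isValid()` early return comes first; writing it as `if (neededCapacity.value() > mCapacity) {` keeps every comparison on the validated value, so a later reordering cannot reintroduce the wraparound that let an undersized buffer pass this test. Separately, when `newcap *= 2` overflows, the function now returns false even if `neededCapacity` itself fits in 32 bits; if that is intended, a comment such as `// Refuse to grow once doubling overflows, even if the request itself would fit.` would record the decision. The body of append() continues past the end of the hunk, so the copy that depends on this capacity is not visible here.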
--
2.4.3