guix/gnu/packages/patches/icecat-CVE-2015-2740.patch
Mark H Weaver 4463c0d216 gnu: icecat: Fix CVE-2015-{2722,2724,2728,2733,2735,2736,2738,2739,2740,2743}.
* gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch,
  gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2735.patch,
  gnu/packages/patches/icecat-CVE-2015-2736.patch,
  gnu/packages/patches/icecat-CVE-2015-2738.patch,
  gnu/packages/patches/icecat-CVE-2015-2739.patch,
  gnu/packages/patches/icecat-CVE-2015-2740.patch,
  gnu/packages/patches/icecat-CVE-2015-2743.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
2015-07-04 05:44:10 -04:00

52 lines
1.7 KiB
Diff

From ccbae7ff07c2e72c48e0676adaa3e798990f33a1 Mon Sep 17 00:00:00 2001
From: Andrea Marchesini <amarchesini@mozilla.com>
Date: Tue, 23 Jun 2015 10:47:38 -0400
Subject: [PATCH] Bug 1170809 - Improve the buffer size check in
nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings
---
content/base/src/nsXMLHttpRequest.cpp | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
index 56d1aa3..86425d7 100644
--- a/content/base/src/nsXMLHttpRequest.cpp
+++ b/content/base/src/nsXMLHttpRequest.cpp
@@ -655,13 +655,18 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
&destBufferLen);
NS_ENSURE_SUCCESS(rv, rv);
- if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible_t())) {
+ uint32_t size = mResponseText.Length() + destBufferLen;
+ if (size < (uint32_t)destBufferLen) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ if (!mResponseText.SetCapacity(size, fallible_t())) {
return NS_ERROR_OUT_OF_MEMORY;
}
char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
- int32_t totalChars = mResponseText.Length();
+ CheckedInt32 totalChars = mResponseText.Length();
// This code here is basically a copy of a similar thing in
// nsScanner::Append(const char* aBuffer, uint32_t aLen).
@@ -674,9 +679,11 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
MOZ_ASSERT(NS_SUCCEEDED(rv));
totalChars += destlen;
+ if (!totalChars.isValid()) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
- mResponseText.SetLength(totalChars);
-
+ mResponseText.SetLength(totalChars.value());
return NS_OK;
}
--
2.4.3