mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-31 16:42:38 -05:00
29a780147d
* gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch, gnu/packages/patches/icecat-CVE-2016-1935.patch, gnu/packages/patches/icecat-bug-1146335-pt1.patch, gnu/packages/patches/icecat-bug-1146335-pt2.patch, gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
73 lines
2.6 KiB
Diff
73 lines
2.6 KiB
Diff
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9632375c6aac
|
|
|
|
# HG changeset patch
|
|
# User Jeff Gilbert <jdashg@gmail.com>
|
|
# Date 1453320785 28800
|
|
# Node ID 9632375c6aacbf673b996b53231d70b91e480fb5
|
|
# Parent ee68c3dae5f639fdd439f69ef2f724067fce0ea6
|
|
Limit max buffers size for ANGLE. r=jrmuizel a=lizzard
|
|
|
|
diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
|
|
--- a/dom/canvas/WebGLContextBuffers.cpp
|
|
+++ b/dom/canvas/WebGLContextBuffers.cpp
|
|
@@ -164,16 +164,19 @@ WebGLContext::BufferData(GLenum target,
|
|
|
|
if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
|
|
return;
|
|
|
|
// careful: WebGLsizeiptr is always 64-bit, but GLsizeiptr is like intptr_t.
|
|
if (!CheckedInt<GLsizeiptr>(size).isValid())
|
|
return ErrorOutOfMemory("bufferData: bad size");
|
|
|
|
+ if (gl->IsANGLE() && size > UINT32_MAX)
|
|
+ return ErrorOutOfMemory("bufferData: size too large");
|
|
+
|
|
WebGLBuffer* boundBuffer = bufferSlot.get();
|
|
|
|
if (!boundBuffer)
|
|
return ErrorInvalidOperation("bufferData: no buffer bound!");
|
|
|
|
UniquePtr<uint8_t> zeroBuffer((uint8_t*)moz_calloc(size, 1));
|
|
if (!zeroBuffer)
|
|
return ErrorOutOfMemory("bufferData: out of memory");
|
|
@@ -216,16 +219,19 @@ WebGLContext::BufferData(GLenum target,
|
|
const dom::ArrayBuffer& data = maybeData.Value();
|
|
data.ComputeLengthAndData();
|
|
|
|
// Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr
|
|
// is like intptr_t.
|
|
if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
|
|
return ErrorOutOfMemory("bufferData: bad size");
|
|
|
|
+ if (gl->IsANGLE() && data.Length() > UINT32_MAX)
|
|
+ return ErrorOutOfMemory("bufferData: size too large");
|
|
+
|
|
if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
|
|
return;
|
|
|
|
WebGLBuffer* boundBuffer = bufferSlot.get();
|
|
|
|
if (!boundBuffer)
|
|
return ErrorInvalidOperation("bufferData: no buffer bound!");
|
|
|
|
@@ -267,16 +273,19 @@ WebGLContext::BufferData(GLenum target,
|
|
|
|
data.ComputeLengthAndData();
|
|
|
|
// Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr
|
|
// is like intptr_t.
|
|
if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
|
|
return ErrorOutOfMemory("bufferData: bad size");
|
|
|
|
+ if (gl->IsANGLE() && data.Length() > UINT32_MAX)
|
|
+ return ErrorOutOfMemory("bufferData: size too large");
|
|
+
|
|
InvalidateBufferFetching();
|
|
MakeContextCurrent();
|
|
|
|
GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
|
|
if (error) {
|
|
GenerateWarning("bufferData generated error %s", ErrorName(error));
|
|
return;
|
|
}
|
|
|