author | Mark H Weaver <mhw@netris.org> | 2015-07-04 05:22:49 -0400 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2015-07-04 05:44:10 -0400 |
commit | 4463c0d2161f66c4ff0d52c50ff0a3a030686f1b (patch) | |
tree | 3f1aba42fd040420a2ee6964d6a5ec134adeb8be | |
parent | 4cd86f5d52d6faac6668dc9853a5e5ecc9236ba9 (diff) |
gnu: icecat: Fix CVE-2015-{2722,2724,2728,2733,2735,2736,2738,2739,2740,2743}.
* gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch,
gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch,
gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch,
gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch,
gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch,
gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch,
gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch,
gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch,
gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch,
gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch,
gnu/packages/patches/icecat-CVE-2015-2735.patch,
gnu/packages/patches/icecat-CVE-2015-2736.patch,
gnu/packages/patches/icecat-CVE-2015-2738.patch,
gnu/packages/patches/icecat-CVE-2015-2739.patch,
gnu/packages/patches/icecat-CVE-2015-2740.patch,
gnu/packages/patches/icecat-CVE-2015-2743.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
18 files changed, 1430 insertions, 1 deletions
diff --git a/gnu-system.am b/gnu-system.am
index 35e94b7dea..e6256fdd3f 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -466,6 +466,22 @@ dist_patch_DATA = \
 gnu/packages/patches/hwloc-gather-topology-lstopo.patch \
 gnu/packages/patches/hydra-automake-1.15.patch \
 gnu/packages/patches/hydra-disable-darcs-test.patch \
+ gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch \
+ gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch \
+ gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch \
+ gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch \
+ gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch \
+ gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch \
+ gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch \
+ gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch \
+ gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch \
+ gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch \
+ gnu/packages/patches/icecat-CVE-2015-2735.patch \
+ gnu/packages/patches/icecat-CVE-2015-2736.patch \
+ gnu/packages/patches/icecat-CVE-2015-2738.patch \
+ gnu/packages/patches/icecat-CVE-2015-2739.patch \
+ gnu/packages/patches/icecat-CVE-2015-2740.patch \
+ gnu/packages/patches/icecat-CVE-2015-2743.patch \
 gnu/packages/patches/irrlicht-mesa-10.patch \
 gnu/packages/patches/jbig2dec-ignore-testtest.patch \
 gnu/packages/patches/kmod-module-directory.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 7caa7314a9..12e8a5fb05 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -234,7 +234,23 @@ standards.")
 name "-" version ".tar.bz2"))
 (sha256
 (base32
- "0a25jp5afla2dxzj7i4cyvqpa5smsn7ns3xvpzqw6pc7naixkpap"))))
+ "0a25jp5afla2dxzj7i4cyvqpa5smsn7ns3xvpzqw6pc7naixkpap"))
+ (patches (map search-patch '("icecat-CVE-2015-2724-pt1.patch"
+ "icecat-CVE-2015-2743.patch"
+ "icecat-CVE-2015-2722-pt1.patch"
+ "icecat-CVE-2015-2722-pt2.patch"
+ "icecat-CVE-2015-2724-pt2.patch"
+ "icecat-CVE-2015-2739.patch"
+ "icecat-CVE-2015-2724-pt3.patch"
+ "icecat-CVE-2015-2735.patch"
+ "icecat-CVE-2015-2736.patch"
+ "icecat-CVE-2015-2733-pt1.patch"
+ "icecat-CVE-2015-2728-pt1.patch"
+ "icecat-CVE-2015-2728-pt2.patch"
+ "icecat-CVE-2015-2724-pt4.patch"
+ "icecat-CVE-2015-2733-pt2.patch"
+ "icecat-CVE-2015-2738.patch"
+ "icecat-CVE-2015-2740.patch")))))
 (build-system gnu-build-system)
 (inputs
 `(("alsa-lib" ,alsa-lib)
diff --git a/gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch
new file mode 100644
index 0000000000..e2c44ccaf8
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch
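Review bot: The `patches` list is in a deliberate but undocumented order, and nothing stops a later contributor from re-sorting it alphabetically and breaking the build. The four dom/workers/XMLHttpRequest.cpp patches chain on each other's blob ids (2722-pt1 produces 8e4200a, 2722-pt2 expects it and produces bf0cd3f, 2733-pt1 expects bf0cd3f, 2733-pt2 expects 5690af5), and 2728-pt2 likewise builds on 2728-pt1, so those must apply in this sequence. A comment above the list would protect it, e.g. `;; Order matters: the XMLHttpRequest.cpp patches (2722-pt1/pt2, 2733-pt1/pt2) and 2728-pt1/pt2 depend on each other and must apply in this sequence.` Whether the interleaving of the remaining entries (2743, 2739, 2735, ...) is also required is not evident from the hunk and could be stated in the same comment.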
@@ -0,0 +1,77 @@ +From 7805485b75d06915bcb018b8fe5cb7de4ddebddb Mon Sep 17 00:00:00 2001 +From: Andrea Marchesini <amarchesini@mozilla.com> +Date: Wed, 27 May 2015 14:21:44 -0700 +Subject: [PATCH] Bug 1166924 part 0 r=bent a=lizzard + +--HG-- +extra : source : 36bf5bcceb272fc9e303996f8dfe7350984a5e96 +--- + dom/workers/XMLHttpRequest.cpp | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp +index 748fd39..8e4200a 100644 +--- a/dom/workers/XMLHttpRequest.cpp ++++ b/dom/workers/XMLHttpRequest.cpp +@@ -113,6 +113,7 @@ public: + bool mLastUploadLengthComputable; + bool mSeenLoadStart; + bool mSeenUploadLoadStart; ++ bool mOpening; + + // Only touched on the main thread. + bool mUploadEventListenersAttached; +@@ -127,7 +128,7 @@ public: + mOuterEventStreamId(0), mOuterChannelId(0), mLastLoaded(0), mLastTotal(0), + mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false), + mLastLengthComputable(false), mLastUploadLengthComputable(false), +- mSeenLoadStart(false), mSeenUploadLoadStart(false), ++ mSeenLoadStart(false), mSeenUploadLoadStart(false), mOpening(false), + mUploadEventListenersAttached(false), mMainThreadSeenLoadStart(false), + mInOpen(false) + { } +@@ -1498,7 +1499,11 @@ SendRunnable::MainThreadRun() + variant = wvariant; + } + +- MOZ_ASSERT(!mProxy->mWorkerPrivate); ++ // Send() has been already called. ++ if (mProxy->mWorkerPrivate) { ++ return NS_ERROR_FAILURE; ++ } ++ + mProxy->mWorkerPrivate = mWorkerPrivate; + + MOZ_ASSERT(!mProxy->mSyncLoopTarget); +@@ -1789,6 +1794,12 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody, + { + mWorkerPrivate->AssertIsOnWorkerThread(); + ++ // No send() calls when open is running. ++ if (mProxy->mOpening) { ++ aRv.Throw(NS_ERROR_FAILURE); ++ return; ++ } ++ + bool hasUploadListeners = mUpload ? 
mUpload->HasListeners() : false; + + MaybePin(aRv); +@@ -1874,12 +1885,15 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl, + mBackgroundRequest, mWithCredentials, + mTimeout); + ++ mProxy->mOpening = true; + if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) { + ReleaseProxy(); ++ mProxy->mOpening = false; + aRv.Throw(NS_ERROR_FAILURE); + return; + } + ++ mProxy->mOpening = false; + mProxy->mIsSyncXHR = !aAsync; + } + +-- +2.4.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch new file mode 100644 index 0000000000..c82d0f7e6f --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch 
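Review bot: The new patch file records nothing about its provenance or which CVE it addresses beyond the file name; the `From 7805485b...` line and `extra : source : 36bf5bcc...` identify the upstream changeset (presumably on a Mozilla ESR branch, which the file does not say), but a reader of the Guix tree has to guess the mapping. A leading comment line such as `Fix CVE-2015-2722 (Mozilla bug 1166924, part 0); upstream changeset 36bf5bcceb27.` would make the file self-describing, as is usual for patches in gnu/packages/patches. It is also worth noting in that header that this patch is not self-contained: the failure path it adds to `XMLHttpRequest::Open` writes `mProxy->mOpening = false` only after `ReleaseProxy()`, and it is the later icecat-CVE-2015-2733-pt1.patch in this same commit that reorders those two lines, so the two files must stay paired.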
@@ -0,0 +1,73 @@ +From 6eb772aa6a0c1b21aafcfa606cc3bf07659b53b9 Mon Sep 17 00:00:00 2001 +From: Wes Kocher <wkocher@mozilla.com> +Date: Wed, 27 May 2015 14:33:22 -0700 +Subject: [PATCH] Bug 1166924 part 1 r=baku a=lizzard + +--HG-- +extra : source : 528d47773256bfee72e7adedc78b89c9fa573b7b +--- + dom/workers/XMLHttpRequest.cpp | 20 ++++++++++++-------- + 1 file changed, 12 insertions(+), 8 deletions(-) + +diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp +index 8e4200a..bf0cd3f 100644 +--- a/dom/workers/XMLHttpRequest.cpp ++++ b/dom/workers/XMLHttpRequest.cpp +@@ -140,7 +140,7 @@ public: + Init(); + + void +- Teardown(); ++ Teardown(bool aSendUnpin); + + bool + AddRemoveEventListeners(bool aUpload, bool aAdd); +@@ -308,7 +308,9 @@ private: + { + AssertIsOnMainThread(); + +- mProxy->Teardown(); ++ // This means the XHR was GC'd, so we can't be pinned, and we don't need to ++ // try to unpin. ++ mProxy->Teardown(/* aSendUnpin */ false); + mProxy = nullptr; + + return NS_OK; +@@ -563,7 +565,7 @@ private: + virtual nsresult + MainThreadRun() MOZ_OVERRIDE + { +- mProxy->Teardown(); ++ mProxy->Teardown(/* aSendUnpin */ true); + MOZ_ASSERT(!mProxy->mSyncLoopTarget); + return NS_OK; + } +@@ -935,7 +937,7 @@ Proxy::Init() + } + + void +-Proxy::Teardown() ++Proxy::Teardown(bool aSendUnpin) + { + AssertIsOnMainThread(); + +@@ -948,10 +950,12 @@ Proxy::Teardown() + mXHR->Abort(); + + if (mOutstandingSendCount) { +- nsRefPtr<XHRUnpinRunnable> runnable = +- new XHRUnpinRunnable(mWorkerPrivate, mXMLHttpRequestPrivate); +- if (!runnable->Dispatch(nullptr)) { +- NS_RUNTIMEABORT("We're going to hang at shutdown anyways."); ++ if (aSendUnpin) { ++ nsRefPtr<XHRUnpinRunnable> runnable = ++ new XHRUnpinRunnable(mWorkerPrivate, mXMLHttpRequestPrivate); ++ if (!runnable->Dispatch(nullptr)) { ++ NS_RUNTIMEABORT("We're going to hang at shutdown anyways."); ++ } + } + + if (mSyncLoopTarget) { +-- +2.4.3 + 
diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch
new file mode 100644
index 0000000000..0b91b1ec86
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch
@@ -0,0 +1,57 @@ +From 6465a9f57b13fdf3d21016a41973f13d1e7f447c Mon Sep 17 00:00:00 2001 +From: Bobby Holley <bobbyholley@gmail.com> +Date: Wed, 13 May 2015 11:08:30 -0700 +Subject: [PATCH] Bug 1164567 - Grab the principal when we need it in + MediaDecodeTask. r=jww, a=sledru + +--- + content/media/webaudio/MediaBufferDecoder.cpp | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/content/media/webaudio/MediaBufferDecoder.cpp b/content/media/webaudio/MediaBufferDecoder.cpp +index b9409ad..ee6538c 100644 +--- a/content/media/webaudio/MediaBufferDecoder.cpp ++++ b/content/media/webaudio/MediaBufferDecoder.cpp +@@ -101,13 +101,6 @@ public: + { + MOZ_ASSERT(aBuffer); + MOZ_ASSERT(NS_IsMainThread()); +- +- nsCOMPtr<nsPIDOMWindow> pWindow = do_QueryInterface(mDecodeJob.mContext->GetParentObject()); +- nsCOMPtr<nsIScriptObjectPrincipal> scriptPrincipal = +- do_QueryInterface(pWindow); +- if (scriptPrincipal) { +- mPrincipal = scriptPrincipal->GetPrincipal(); +- } + } + + NS_IMETHOD Run(); +@@ -150,7 +143,6 @@ private: + WebAudioDecodeJob& mDecodeJob; + PhaseEnum mPhase; + nsCOMPtr<nsIThreadPool> mThreadPool; +- nsCOMPtr<nsIPrincipal> mPrincipal; + nsRefPtr<BufferDecoder> mBufferDecoder; + nsAutoPtr<MediaDecoderReader> mDecoderReader; + }; +@@ -179,9 +171,16 @@ MediaDecodeTask::CreateReader() + { + MOZ_ASSERT(NS_IsMainThread()); + ++ ++ nsCOMPtr<nsIPrincipal> principal; ++ nsCOMPtr<nsIScriptObjectPrincipal> sop = do_QueryInterface(mDecodeJob.mContext->GetParentObject()); ++ if (sop) { ++ principal = sop->GetPrincipal(); ++ } ++ + nsRefPtr<BufferMediaResource> resource = + new BufferMediaResource(static_cast<uint8_t*> (mBuffer), +- mLength, mPrincipal, mContentType); ++ mLength, principal, mContentType); + + MOZ_ASSERT(!mBufferDecoder); + mBufferDecoder = new BufferDecoder(resource); +-- +2.4.3 + 
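Review bot: The added block in `MediaDecodeTask::CreateReader` begins with an added empty line directly after the existing empty context line, so the patched function ends up with two consecutive blank lines after `MOZ_ASSERT(NS_IsMainThread());`; the first `+` blank line should be dropped. The move of the principal lookup out of the constructor (the `mPrincipal` member is removed) is also left without any explanation in the code, so a future refactor could hoist it back. A one-line comment above the lookup would anchor it, e.g. `// Bug 1164567: look the principal up here, on the main thread, when the reader is created, instead of caching it in the constructor.`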
diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch
new file mode 100644
index 0000000000..486e92c66d
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch
@@ -0,0 +1,391 @@ +From 99641aa4446dc9df04dcfeede8b49ff03abcac42 Mon Sep 17 00:00:00 2001 +From: Jan de Mooij <jdemooij@mozilla.com> +Date: Thu, 28 May 2015 10:16:24 +0200 +Subject: [PATCH] Bug 1160884 - Add KeepAlive instructions after elements/slots + uses. r=nbp, a=abillings + +--- + js/src/jit/CodeGenerator.cpp | 7 ++ + js/src/jit/CodeGenerator.h | 1 + + js/src/jit/Ion.cpp | 7 ++ + js/src/jit/IonAnalysis.cpp | 112 ++++++++++++++++++++++++++++++++ + js/src/jit/IonAnalysis.h | 3 + + js/src/jit/LIR-Common.h | 14 ++++ + js/src/jit/LOpcodes.h | 1 + + js/src/jit/Lowering.cpp | 9 +++ + js/src/jit/Lowering.h | 1 + + js/src/jit/MIR.h | 26 ++++++++ + js/src/jit/MOpcodes.h | 1 + + js/src/jit/ParallelSafetyAnalysis.cpp | 1 + + js/src/jit/shared/Lowering-shared-inl.h | 8 ++- + js/src/jit/shared/Lowering-shared.h | 1 + + js/src/vm/TraceLogging.h | 3 +- + 15 files changed, 193 insertions(+), 2 deletions(-) + +diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp +index 5dff9df..7364178 100644 +--- a/js/src/jit/CodeGenerator.cpp ++++ b/js/src/jit/CodeGenerator.cpp +@@ -1476,6 +1476,13 @@ CodeGenerator::visitPointer(LPointer* lir) + } + + bool ++CodeGenerator::visitKeepAliveObject(LKeepAliveObject* lir) ++{ ++ // No-op. 
++ return true; ++} ++ ++bool + CodeGenerator::visitSlots(LSlots* lir) + { + Address slots(ToRegister(lir->object()), JSObject::offsetOfSlots()); +diff --git a/js/src/jit/CodeGenerator.h b/js/src/jit/CodeGenerator.h +index 95fb33b..e3b4fd7 100644 +--- a/js/src/jit/CodeGenerator.h ++++ b/js/src/jit/CodeGenerator.h +@@ -106,6 +106,7 @@ class CodeGenerator : public CodeGeneratorSpecific + bool visitLambdaForSingleton(LLambdaForSingleton* lir); + bool visitLambdaPar(LLambdaPar* lir); + bool visitPointer(LPointer* lir); ++ bool visitKeepAliveObject(LKeepAliveObject* lir); + bool visitSlots(LSlots* lir); + bool visitStoreSlotV(LStoreSlotV* store); + bool visitElements(LElements* lir); +diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp +index 015d387..1551a80 100644 +--- a/js/src/jit/Ion.cpp ++++ b/js/src/jit/Ion.cpp +@@ -1536,6 +1536,13 @@ OptimizeMIR(MIRGenerator* mir) + AssertGraphCoherency(graph); + } + ++ if (!mir->compilingAsmJS()) { ++ AutoTraceLog log(logger, TraceLogger::AddKeepAliveInstructions); ++ AddKeepAliveInstructions(graph); ++ IonSpewPass("Add KeepAlive Instructions"); ++ AssertGraphCoherency(graph); ++ } ++ + return true; + } + +diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp +index 8965724..af58aae 100644 +--- a/js/src/jit/IonAnalysis.cpp ++++ b/js/src/jit/IonAnalysis.cpp +@@ -1971,6 +1971,118 @@ jit::UnsplitEdges(LIRGraph* lir) + return true; + } + ++static bool ++NeedsKeepAlive(MInstruction* slotsOrElements, MInstruction* use) ++{ ++ MOZ_ASSERT(slotsOrElements->type() == MIRType_Elements || ++ slotsOrElements->type() == MIRType_Slots); ++ ++ if (slotsOrElements->block() != use->block()) ++ return true; ++ ++ MBasicBlock* block = use->block(); ++ MInstructionIterator iter(block->begin(slotsOrElements)); ++ MOZ_ASSERT(*iter == slotsOrElements); ++ ++iter; ++ ++ while (true) { ++ if (*iter == use) ++ return false; ++ ++ switch (iter->op()) { ++ case MDefinition::Op_Nop: ++ case MDefinition::Op_Constant: ++ case 
MDefinition::Op_KeepAliveObject: ++ case MDefinition::Op_Unbox: ++ case MDefinition::Op_LoadSlot: ++ case MDefinition::Op_StoreSlot: ++ case MDefinition::Op_LoadFixedSlot: ++ case MDefinition::Op_StoreFixedSlot: ++ case MDefinition::Op_LoadElement: ++ case MDefinition::Op_StoreElement: ++ case MDefinition::Op_InitializedLength: ++ case MDefinition::Op_ArrayLength: ++ case MDefinition::Op_BoundsCheck: ++ iter++; ++ break; ++ default: ++ return true; ++ } ++ } ++ ++ MOZ_CRASH("Unreachable"); ++} ++ ++void ++jit::AddKeepAliveInstructions(MIRGraph& graph) ++{ ++ for (MBasicBlockIterator i(graph.begin()); i != graph.end(); i++) { ++ MBasicBlock* block = *i; ++ ++ for (MInstructionIterator insIter(block->begin()); insIter != block->end(); insIter++) { ++ MInstruction* ins = *insIter; ++ if (ins->type() != MIRType_Elements && ins->type() != MIRType_Slots) ++ continue; ++ ++ MDefinition* ownerObject; ++ switch (ins->op()) { ++ case MDefinition::Op_ConstantElements: ++ case MDefinition::Op_NewSlots: ++ continue; ++ case MDefinition::Op_ConvertElementsToDoubles: ++ // EliminateRedundantChecks should have replaced all uses. ++ MOZ_ASSERT(!ins->hasUses()); ++ continue; ++ case MDefinition::Op_Elements: ++ case MDefinition::Op_TypedArrayElements: ++ case MDefinition::Op_TypedObjectElements: ++ MOZ_ASSERT(ins->numOperands() == 1); ++ ownerObject = ins->getOperand(0); ++ break; ++ case MDefinition::Op_Slots: ++ ownerObject = ins->toSlots()->object(); ++ break; ++ default: ++ MOZ_CRASH("Unexpected op"); ++ } ++ ++ MOZ_ASSERT(ownerObject->type() == MIRType_Object); ++ ++ if (ownerObject->isConstant()) { ++ // Constants are kept alive by other pointers, for instance ++ // ImmGCPtr in JIT code. ++ continue; ++ } ++ ++ for (MUseDefIterator uses(ins); uses; uses++) { ++ MInstruction* use = uses.def()->toInstruction(); ++ ++ if (use->isStoreElementHole()) { ++ // StoreElementHole has an explicit object operand. 
If GVN ++ // is disabled, we can get different unbox instructions with ++ // the same object as input, so we check for that case. ++ MOZ_ASSERT_IF(!use->toStoreElementHole()->object()->isUnbox() && !ownerObject->isUnbox(), ++ use->toStoreElementHole()->object() == ownerObject); ++ continue; ++ } ++ ++ if (use->isInArray()) { ++ // See StoreElementHole case above. ++ MOZ_ASSERT_IF(!use->toInArray()->object()->isUnbox() && !ownerObject->isUnbox(), ++ use->toInArray()->object() == ownerObject); ++ continue; ++ } ++ ++ if (!NeedsKeepAlive(ins, use)) ++ continue; ++ ++ MKeepAliveObject* keepAlive = MKeepAliveObject::New(graph.alloc(), ownerObject); ++ use->block()->insertAfter(use, keepAlive); ++ } ++ } ++ } ++} ++ + bool + LinearSum::multiply(int32_t scale) + { +diff --git a/js/src/jit/IonAnalysis.h b/js/src/jit/IonAnalysis.h +index aabf835..a320418 100644 +--- a/js/src/jit/IonAnalysis.h ++++ b/js/src/jit/IonAnalysis.h +@@ -64,6 +64,9 @@ AssertExtendedGraphCoherency(MIRGraph& graph); + bool + EliminateRedundantChecks(MIRGraph& graph); + ++void ++AddKeepAliveInstructions(MIRGraph& graph); ++ + bool + UnsplitEdges(LIRGraph* lir); + +diff --git a/js/src/jit/LIR-Common.h b/js/src/jit/LIR-Common.h +index 5fe0ee9..6b03a42 100644 +--- a/js/src/jit/LIR-Common.h ++++ b/js/src/jit/LIR-Common.h +@@ -3591,6 +3591,20 @@ class LImplicitThis : public LInstructionHelper<BOX_PIECES, 1, 0> + } + }; + ++class LKeepAliveObject : public LInstructionHelper<0, 1, 0> ++{ ++ public: ++ LIR_HEADER(KeepAliveObject) ++ ++ explicit LKeepAliveObject(const LAllocation& object) { ++ setOperand(0, object); ++ } ++ ++ const LAllocation* object() { ++ return getOperand(0); ++ } ++}; ++ + // Load the "slots" member out of a JSObject. 
+ // Input: JSObject pointer + // Output: slots pointer +diff --git a/js/src/jit/LOpcodes.h b/js/src/jit/LOpcodes.h +index cd7eef8..424b22c 100644 +--- a/js/src/jit/LOpcodes.h ++++ b/js/src/jit/LOpcodes.h +@@ -166,6 +166,7 @@ + _(LambdaForSingleton) \ + _(LambdaPar) \ + _(ImplicitThis) \ ++ _(KeepAliveObject) \ + _(Slots) \ + _(Elements) \ + _(ConvertElementsToDoubles) \ +diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp +index d671fd4..c0d434e 100644 +--- a/js/src/jit/Lowering.cpp ++++ b/js/src/jit/Lowering.cpp +@@ -2110,6 +2110,15 @@ LIRGenerator::visitImplicitThis(MImplicitThis* ins) + } + + bool ++LIRGenerator::visitKeepAliveObject(MKeepAliveObject* ins) ++{ ++ MDefinition* obj = ins->object(); ++ MOZ_ASSERT(obj->type() == MIRType_Object); ++ ++ return add(new(alloc()) LKeepAliveObject(useKeepalive(obj)), ins); ++} ++ ++bool + LIRGenerator::visitSlots(MSlots* ins) + { + return define(new(alloc()) LSlots(useRegisterAtStart(ins->object())), ins); +diff --git a/js/src/jit/Lowering.h b/js/src/jit/Lowering.h +index ea50cab..a60dc30 100644 +--- a/js/src/jit/Lowering.h ++++ b/js/src/jit/Lowering.h +@@ -160,6 +160,7 @@ class LIRGenerator : public LIRGeneratorSpecific + bool visitLambdaArrow(MLambdaArrow* ins); + bool visitLambdaPar(MLambdaPar* ins); + bool visitImplicitThis(MImplicitThis* ins); ++ bool visitKeepAliveObject(MKeepAliveObject* ins); + bool visitSlots(MSlots* ins); + bool visitElements(MElements* ins); + bool visitConstantElements(MConstantElements* ins); +diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h +index 48e1dfb..a6060a2 100644 +--- a/js/src/jit/MIR.h ++++ b/js/src/jit/MIR.h +@@ -5790,6 +5790,32 @@ class MSetTypedObjectOffset + } + }; + ++class MKeepAliveObject ++ : public MUnaryInstruction, ++ public SingleObjectPolicy ++{ ++ explicit MKeepAliveObject(MDefinition* object) ++ : MUnaryInstruction(object) ++ { ++ setResultType(MIRType_None); ++ setGuard(); ++ } ++ ++ public: ++ INSTRUCTION_HEADER(KeepAliveObject) ++ ++ static 
MKeepAliveObject* New(TempAllocator& alloc, MDefinition* object) { ++ return new(alloc) MKeepAliveObject(object); ++ } ++ ++ MDefinition* object() const { ++ return getOperand(0); ++ } ++ TypePolicy* typePolicy() { ++ return this; ++ } ++}; ++ + // Perform !-operation + class MNot + : public MUnaryInstruction, +diff --git a/js/src/jit/MOpcodes.h b/js/src/jit/MOpcodes.h +index 83b9e63..cfc3895 100644 +--- a/js/src/jit/MOpcodes.h ++++ b/js/src/jit/MOpcodes.h +@@ -110,6 +110,7 @@ namespace jit { + _(Lambda) \ + _(LambdaArrow) \ + _(ImplicitThis) \ ++ _(KeepAliveObject) \ + _(Slots) \ + _(Elements) \ + _(ConstantElements) \ +diff --git a/js/src/jit/ParallelSafetyAnalysis.cpp b/js/src/jit/ParallelSafetyAnalysis.cpp +index a6a1202..13c577b 100644 +--- a/js/src/jit/ParallelSafetyAnalysis.cpp ++++ b/js/src/jit/ParallelSafetyAnalysis.cpp +@@ -199,6 +199,7 @@ class ParallelSafetyVisitor : public MInstructionVisitor + CUSTOM_OP(Lambda) + UNSAFE_OP(LambdaArrow) + UNSAFE_OP(ImplicitThis) ++ SAFE_OP(KeepAliveObject) + SAFE_OP(Slots) + SAFE_OP(Elements) + SAFE_OP(ConstantElements) +diff --git a/js/src/jit/shared/Lowering-shared-inl.h b/js/src/jit/shared/Lowering-shared-inl.h +index 17bb74a..832cc61 100644 +--- a/js/src/jit/shared/Lowering-shared-inl.h ++++ b/js/src/jit/shared/Lowering-shared-inl.h +@@ -372,11 +372,17 @@ LIRGeneratorShared::useStorableAtStart(MDefinition* mir) + #endif + + LAllocation ++LIRGeneratorShared::useKeepalive(MDefinition* mir) ++{ ++ return use(mir, LUse(LUse::KEEPALIVE)); ++} ++ ++LAllocation + LIRGeneratorShared::useKeepaliveOrConstant(MDefinition* mir) + { + if (mir->isConstant()) + return LAllocation(mir->toConstant()->vp()); +- return use(mir, LUse(LUse::KEEPALIVE)); ++ return useKeepalive(mir); + } + + LUse +diff --git a/js/src/jit/shared/Lowering-shared.h b/js/src/jit/shared/Lowering-shared.h +index 4bd13b0..b23d20e 100644 +--- a/js/src/jit/shared/Lowering-shared.h ++++ b/js/src/jit/shared/Lowering-shared.h +@@ -85,6 +85,7 @@ class 
LIRGeneratorShared : public MInstructionVisitorWithDefaults + // this is a generic "things we can expect to write into memory in 1 instruction" + inline LAllocation useStorable(MDefinition* mir); + inline LAllocation useStorableAtStart(MDefinition* mir); ++ inline LAllocation useKeepalive(MDefinition* mir); + inline LAllocation useKeepaliveOrConstant(MDefinition* mir); + inline LAllocation useRegisterOrConstant(MDefinition* mir); + inline LAllocation useRegisterOrConstantAtStart(MDefinition* mir); +diff --git a/js/src/vm/TraceLogging.h b/js/src/vm/TraceLogging.h +index 4c2ebfe..8447679 100644 +--- a/js/src/vm/TraceLogging.h ++++ b/js/src/vm/TraceLogging.h +@@ -145,7 +145,8 @@ namespace jit { + _(EffectiveAddressAnalysis) \ + _(EliminateDeadCode) \ + _(EdgeCaseAnalysis) \ +- _(EliminateRedundantChecks) ++ _(EliminateRedundantChecks) \ ++ _(AddKeepAliveInstructions) + + class AutoTraceLog; + +-- +2.4.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch new file mode 100644 index 0000000000..4b31bf1c6e --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch 
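Review bot: In `jit::AddKeepAliveInstructions` the `Op_ConvertElementsToDoubles` arm relies on a debug-only `MOZ_ASSERT(!ins->hasUses());` and then `continue`s, so in a release build a ConvertElementsToDoubles result that still has uses silently gets no KeepAlive at all, which is precisely the hazard this pass is introduced to close. The `default` arm of the same switch already uses `MOZ_CRASH`, so the invariant should be enforced the same way in release builds: `MOZ_RELEASE_ASSERT(!ins->hasUses());`. The pass and `NeedsKeepAlive` also have no header comment; a short one stating what they do (insert `MKeepAliveObject` after each use of a slots/elements pointer whose owner object is not a constant, unless only ops from the whitelist in `NeedsKeepAlive` intervene in the same block, presumably so the owner cannot be collected while the raw pointer is live) would help the next person who extends the whitelist.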
@@ -0,0 +1,90 @@ +From 5da8e2ffd63deac27c0faca7dabee3623867dd6e Mon Sep 17 00:00:00 2001 +From: Steven Michaud <smichaud@pobox.com> +Date: Wed, 3 Jun 2015 11:18:25 -0500 +Subject: [PATCH] Bug 1154876 - Block calls to hooked methods off the plugin + thread. r=spohl a=abillings + +--- + dom/plugins/ipc/PluginInterposeOSX.mm | 17 ++++++++--------- + 1 file changed, 8 insertions(+), 9 deletions(-) + +diff --git a/dom/plugins/ipc/PluginInterposeOSX.mm b/dom/plugins/ipc/PluginInterposeOSX.mm +index f43192b..cfd8e57 100644 +--- a/dom/plugins/ipc/PluginInterposeOSX.mm ++++ b/dom/plugins/ipc/PluginInterposeOSX.mm +@@ -38,8 +38,7 @@ + #import <objc/runtime.h> + #import <Carbon/Carbon.h> + +-using mozilla::plugins::PluginModuleChild; +-using mozilla::plugins::AssertPluginThread; ++using namespace mozilla::plugins; + + namespace mac_plugin_interposing { + +@@ -544,7 +543,7 @@ void NSCursorInfo::SetCustomImageData(uint8_t* aData, uint32_t aDataLength) + bool NSCursorInfo::GetNativeCursorsSupported() + { + if (mNativeCursorsSupported == -1) { +- AssertPluginThread(); ++ ENSURE_PLUGIN_THREAD(false); + PluginModuleChild *pmc = PluginModuleChild::current(); + if (pmc) { + bool result = pmc->GetNativeCursorsSupported(); +@@ -689,7 +688,7 @@ void FocusPluginProcess() { + + void NotifyBrowserOfPluginShowWindow(uint32_t window_id, CGRect bounds, + bool modal) { +- AssertPluginThread(); ++ ENSURE_PLUGIN_THREAD_VOID(); + + PluginModuleChild *pmc = PluginModuleChild::current(); + if (pmc) +@@ -697,7 +696,7 @@ void NotifyBrowserOfPluginShowWindow(uint32_t window_id, CGRect bounds, + } + + void NotifyBrowserOfPluginHideWindow(uint32_t window_id, CGRect bounds) { +- AssertPluginThread(); ++ ENSURE_PLUGIN_THREAD_VOID(); + + PluginModuleChild *pmc = PluginModuleChild::current(); + if (pmc) +@@ -706,7 +705,7 @@ void NotifyBrowserOfPluginHideWindow(uint32_t window_id, CGRect bounds) { + + void NotifyBrowserOfSetCursor(NSCursorInfo& aCursorInfo) + { +- AssertPluginThread(); ++ 
ENSURE_PLUGIN_THREAD_VOID(); + PluginModuleChild *pmc = PluginModuleChild::current(); + if (pmc) { + pmc->SetCursor(aCursorInfo); +@@ -715,7 +714,7 @@ void NotifyBrowserOfSetCursor(NSCursorInfo& aCursorInfo) + + void NotifyBrowserOfShowCursor(bool show) + { +- AssertPluginThread(); ++ ENSURE_PLUGIN_THREAD_VOID(); + PluginModuleChild *pmc = PluginModuleChild::current(); + if (pmc) { + pmc->ShowCursor(show); +@@ -724,7 +723,7 @@ void NotifyBrowserOfShowCursor(bool show) + + void NotifyBrowserOfPushCursor(NSCursorInfo& aCursorInfo) + { +- AssertPluginThread(); ++ ENSURE_PLUGIN_THREAD_VOID(); + PluginModuleChild *pmc = PluginModuleChild::current(); + if (pmc) { + pmc->PushCursor(aCursorInfo); +@@ -733,7 +732,7 @@ void NotifyBrowserOfPushCursor(NSCursorInfo& aCursorInfo) + + void NotifyBrowserOfPopCursor() + { +- AssertPluginThread(); ++ ENSURE_PLUGIN_THREAD_VOID(); + PluginModuleChild *pmc = PluginModuleChild::current(); + if (pmc) { + pmc->PopCursor(); +-- +2.4.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch new file mode 100644 index 0000000000..90c15e663e --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch 
@@ -0,0 +1,65 @@ +From 96dc9518fab0929293a8fc388f6a4a64d05b0f6f Mon Sep 17 00:00:00 2001 +From: Jan de Mooij <jdemooij@mozilla.com> +Date: Wed, 10 Jun 2015 18:01:09 +0200 +Subject: [PATCH] Bug 1143679 - Make TryNoteIterIon behave more like + Baseline/interpreter iterators. r=shu, a=lizzard + +--HG-- +extra : transplant_source : W%D0%1FGe%29%2A%E2%BC%0C%09%3BH%92%2A%A0%5CO%FD%89 +--- + js/src/jit/IonFrames.cpp | 20 +++++++++++++++++--- + 1 file changed, 17 insertions(+), 3 deletions(-) + +diff --git a/js/src/jit/IonFrames.cpp b/js/src/jit/IonFrames.cpp +index 51f4301..3e41c0a 100644 +--- a/js/src/jit/IonFrames.cpp ++++ b/js/src/jit/IonFrames.cpp +@@ -356,14 +356,20 @@ JitFrameIterator::machineState() const + return machine; + } + ++static uint32_t ++NumArgAndLocalSlots(const InlineFrameIterator& frame) ++{ ++ JSScript* script = frame.script(); ++ return CountArgSlots(script, frame.maybeCallee()) + script->nfixed(); ++} ++ + static void +-CloseLiveIterator(JSContext* cx, const InlineFrameIterator& frame, uint32_t localSlot) ++CloseLiveIterator(JSContext* cx, const InlineFrameIterator& frame, uint32_t stackSlot) + { + SnapshotIterator si = frame.snapshotIterator(); + + // Skip stack slots until we reach the iterator object. 
+- uint32_t base = CountArgSlots(frame.script(), frame.maybeCallee()) + frame.script()->nfixed(); +- uint32_t skipSlots = base + localSlot - 1; ++ uint32_t skipSlots = NumArgAndLocalSlots(frame) + stackSlot - 1; + + for (unsigned i = 0; i < skipSlots; i++) + si.skip(); +@@ -407,6 +413,11 @@ HandleExceptionIon(JSContext* cx, const InlineFrameIterator& frame, ResumeFromEx + if (!script->hasTrynotes()) + return; + ++ uint32_t base = NumArgAndLocalSlots(frame); ++ SnapshotIterator si = frame.snapshotIterator(); ++ JS_ASSERT(si.numAllocations() >= base); ++ const uint32_t stackDepth = si.numAllocations() - base; ++ + JSTryNote* tn = script->trynotes()->vector; + JSTryNote* tnEnd = tn + script->trynotes()->length; + +@@ -417,6 +428,9 @@ HandleExceptionIon(JSContext* cx, const InlineFrameIterator& frame, ResumeFromEx + if (pcOffset >= tn->start + tn->length) + continue; + ++ if (tn->stackDepth > stackDepth) ++ continue; ++ + switch (tn->kind) { + case JSTRY_ITER: { + JS_ASSERT(JSOp(*(script->main() + tn->start + tn->length)) == JSOP_ENDITER); +-- +2.4.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch new file mode 100644 index 0000000000..8bcae6177a --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch 
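Review bot: In `HandleExceptionIon` the new `stackDepth` is computed as `si.numAllocations() - base` guarded only by a debug `JS_ASSERT(si.numAllocations() >= base)`, so in a release build a violated precondition wraps the unsigned subtraction to a huge value and the new `if (tn->stackDepth > stackDepth) continue;` filter never skips anything, quietly reverting to the pre-patch behaviour. Since the point of the change is to stop processing try notes whose stack depth the snapshot does not cover, the check should survive release builds: `MOZ_RELEASE_ASSERT(si.numAllocations() >= base);` in place of the JS_ASSERT. The body of `HandleExceptionIon` continues outside the hunk, so whether an early `return` would be a safer release fallback cannot be judged from here.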
@@ -0,0 +1,95 @@ +From 81ce99255a0ef65c98eaac300d90c1dc161efc54 Mon Sep 17 00:00:00 2001 +From: Ben Turner <bent.mozilla@gmail.com> +Date: Tue, 9 Jun 2015 09:46:58 -0400 +Subject: [PATCH] Bug 1142210. r=khuey, a=dveditz CLOSED TREE + +--HG-- +extra : amend_source : 5626188ba4b79f7c25286d4f29c63dc387e63c75 +extra : transplant_source : %F0%A1%D6F%E6%1B%1FJO%BFH%29%FFo%97%2A%89%03%ECm +--- + dom/indexedDB/IDBRequest.cpp | 5 +++++ + dom/indexedDB/IDBRequest.h | 3 +++ + dom/indexedDB/IndexedDatabaseManager.cpp | 22 +++++++++++++++++----- + 3 files changed, 25 insertions(+), 5 deletions(-) + +diff --git a/dom/indexedDB/IDBRequest.cpp b/dom/indexedDB/IDBRequest.cpp +index 36e8a96..695f2ee 100644 +--- a/dom/indexedDB/IDBRequest.cpp ++++ b/dom/indexedDB/IDBRequest.cpp +@@ -35,6 +35,8 @@ + + namespace { + ++NS_DEFINE_IID(kIDBRequestIID, PRIVATE_IDBREQUEST_IID); ++ + #ifdef MOZ_ENABLE_PROFILER_SPS + uint64_t gNextRequestSerialNumber = 1; + #endif +@@ -382,6 +384,9 @@ NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(IDBRequest, IDBWrapperCache) + NS_IMPL_CYCLE_COLLECTION_TRACE_END + + NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(IDBRequest) ++ if (aIID.Equals(kIDBRequestIID)) { ++ foundInterface = this; ++ } else + NS_INTERFACE_MAP_END_INHERITING(IDBWrapperCache) + + NS_IMPL_ADDREF_INHERITED(IDBRequest, IDBWrapperCache) +diff --git a/dom/indexedDB/IDBRequest.h b/dom/indexedDB/IDBRequest.h +index c835ae8..c8d1081 100644 +--- a/dom/indexedDB/IDBRequest.h ++++ b/dom/indexedDB/IDBRequest.h +@@ -19,6 +19,9 @@ + + #include "mozilla/dom/indexedDB/IDBWrapperCache.h" + ++#define PRIVATE_IDBREQUEST_IID \ ++ {0xe68901e5, 0x1d50, 0x4ee9, {0xaf, 0x49, 0x90, 0x99, 0x4a, 0xff, 0xc8, 0x39}} ++ + class nsIScriptContext; + class nsPIDOMWindow; + +diff --git a/dom/indexedDB/IndexedDatabaseManager.cpp b/dom/indexedDB/IndexedDatabaseManager.cpp +index 466d0ff..820dfa6 100644 +--- a/dom/indexedDB/IndexedDatabaseManager.cpp ++++ b/dom/indexedDB/IndexedDatabaseManager.cpp +@@ -318,19 +318,31 @@ 
IndexedDatabaseManager::FireWindowOnError(nsPIDOMWindow* aOwner, + return NS_OK; + } + ++ Event* internalEvent = aVisitor.mDOMEvent->InternalDOMEvent(); ++ MOZ_ASSERT(internalEvent); ++ ++ if (!internalEvent->IsTrusted()) { ++ return NS_OK; ++ } ++ + nsString type; +- nsresult rv = aVisitor.mDOMEvent->GetType(type); ++ nsresult rv = internalEvent->GetType(type); + NS_ENSURE_SUCCESS(rv, rv); + + if (!type.EqualsLiteral(ERROR_EVT_STR)) { + return NS_OK; + } + +- nsCOMPtr<EventTarget> eventTarget = +- aVisitor.mDOMEvent->InternalDOMEvent()->GetTarget(); ++ nsCOMPtr<EventTarget> eventTarget = internalEvent->GetTarget(); ++ MOZ_ASSERT(eventTarget); + +- IDBRequest* request = static_cast<IDBRequest*>(eventTarget.get()); +- NS_ENSURE_TRUE(request, NS_ERROR_UNEXPECTED); ++ // Only mess with events that were originally targeted to an IDBRequest. ++ nsRefPtr<IDBRequest> request; ++ if (NS_FAILED(eventTarget->QueryInterface(kIDBRequestIID, ++ getter_AddRefs(request))) || ++ !request) { ++ return NS_OK; ++ } + + ErrorResult ret; + nsRefPtr<DOMError> error = request->GetError(ret); +-- +2.4.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch new file mode 100644 index 0000000000..5097cd0aef --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch 
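Review bot: `PRIVATE_IDBREQUEST_IID` is introduced into the public IDBRequest.h with no comment, so a reader can mistake it for a scriptable interface id or reuse it elsewhere. A comment above the define would fix that, e.g. `// Private IID used only to recognise a genuine IDBRequest through QueryInterface (see IndexedDatabaseManager::FireWindowOnError); never exposed to script.` The hand-written entry `if (aIID.Equals(kIDBRequestIID)) { foundInterface = this; } else` in the interface map also deserves a one-line note that it relies on the closing map macro to AddRef `foundInterface`, since that macro is not visible in the hunk and the entry looks unbalanced on its own.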
@@ -0,0 +1,27 @@
+From ecb3805b4425165d35b82874d4f9c55b75fb5390 Mon Sep 17 00:00:00 2001
+From: Ryan VanderMeulen <ryanvm@gmail.com>
+Date: Tue, 9 Jun 2015 12:12:13 -0400
+Subject: [PATCH] Bug 1142210 - Bustage follow-up on a CLOSED TREE.
+
+--HG--
+extra : transplant_source : %06B%8EGN%40%985%DC%D5%0E%DD%13%29%8AC%BF%1A%BA%B6
+---
+ dom/indexedDB/IndexedDatabaseManager.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/dom/indexedDB/IndexedDatabaseManager.cpp b/dom/indexedDB/IndexedDatabaseManager.cpp
+index 820dfa6..eabfe09 100644
+--- a/dom/indexedDB/IndexedDatabaseManager.cpp
++++ b/dom/indexedDB/IndexedDatabaseManager.cpp
+@@ -108,6 +108,8 @@ END_INDEXEDDB_NAMESPACE
+ 
+ namespace {
+ 
++NS_DEFINE_IID(kIDBRequestIID, PRIVATE_IDBREQUEST_IID);
++
+ mozilla::StaticRefPtr<IndexedDatabaseManager> gDBManager;
+ 
+ mozilla::Atomic<bool> gInitialized(false);
+-- 
+2.4.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch
new file mode 100644
index 0000000000..261d3e0e2c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch
@@ -0,0 +1,29 @@
+From bfad3fb6fc3ab05819be144567ad99921c0c87be Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Thu, 4 Jun 2015 15:04:09 +0100
+Subject: [PATCH] Bug 1169867 - nsXMLHttpRequest should use and free mProxy
+ correctly. r=ehsan, a=abillings
+
+--HG--
+extra : transplant_source : 7%D0%8A%F8G%3E%E3%D5%07%5B%7F%D4%2Ct%A6v%CCk%A1%F5
+---
+ dom/workers/XMLHttpRequest.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
+index bf0cd3f..5690af5 100644
+--- a/dom/workers/XMLHttpRequest.cpp
++++ b/dom/workers/XMLHttpRequest.cpp
+@@ -1891,8 +1891,8 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
+
+ mProxy->mOpening = true;
+ if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
+- ReleaseProxy();
+ mProxy->mOpening = false;
++ ReleaseProxy();
+ aRv.Throw(NS_ERROR_FAILURE);
+ return;
+ }
+--
+2.4.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch
new file mode 100644
index 0000000000..cc74a33871
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch
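Review bot: The reordering of `mProxy->mOpening = false;` ahead of `ReleaseProxy();` in the XMLHttpRequest.cpp hunk is the whole fix, but nothing in the code records why the order matters, so the next refactor can silently swap it back. From the patch subject, ReleaseProxy() appears to be able to drop the last reference to mProxy, which would make the old order a write through a freed object; a one-line comment would pin that down, e.g. `// ReleaseProxy() may free mProxy; clear mOpening before releasing it.` placed above the `mProxy->mOpening = false;` line. The enclosing XMLHttpRequest::Open continues outside the hunk.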
@@ -0,0 +1,31 @@
+From 72cd6e97ae12b89659cd59788bad08cd2f514eff Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Fri, 12 Jun 2015 10:06:19 -0400
+Subject: [PATCH] Bug 1169867 - XMLHttpRequest::SendInternal should not unpin
+ itself when the worker goes away. r=bent, a=abillings
+
+--HG--
+extra : transplant_source : %28%B3%BD%9D%E2p%F3%BE%94S%CCD%08%8B%07%8A%CC%17%B0%7B
+---
+ dom/workers/XMLHttpRequest.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
+index 5690af5..d425eac 100644
+--- a/dom/workers/XMLHttpRequest.cpp
++++ b/dom/workers/XMLHttpRequest.cpp
+@@ -1829,6 +1829,11 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody,
+ new SendRunnable(mWorkerPrivate, mProxy, aStringBody, Move(aBody),
+ aClonedObjects, syncLoopTarget, hasUploadListeners);
+ if (!runnable->Dispatch(cx)) {
++ // Dispatch() may have spun the event loop and we may have already unrooted.
++ // If so we don't want autoUnpin to try again.
++ if (!mRooted) {
++ autoUnpin.Clear();
++ }
+ aRv.Throw(NS_ERROR_FAILURE);
+ return;
+ }
+--
+2.4.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-2735.patch b/gnu/packages/patches/icecat-CVE-2015-2735.patch
new file mode 100644
index 0000000000..fd39bde113
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2735.patch
@@ -0,0 +1,86 @@
+From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Thu, 4 Jun 2015 15:04:10 +0100
+Subject: [PATCH] Bug 1166900 - Better string length check in
+ nsZipArchive::GetDataOffset. r+a=dveditz
+
+---
+ dom/file/ArchiveZipFile.cpp | 6 ++++--
+ modules/libjar/nsZipArchive.cpp | 15 +++++++++------
+ 2 files changed, 13 insertions(+), 8 deletions(-)
+
+diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp
+index c206b64..d28b5ba 100644
+--- a/dom/file/ArchiveZipFile.cpp
++++ b/dom/file/ArchiveZipFile.cpp
+@@ -102,7 +102,8 @@ ArchiveInputStream::Init()
+ uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset);
+
+ // The file is corrupt
+- if (offset + ZIPLOCAL_SIZE > mData.parentSize) {
++ if (mData.parentSize < ZIPLOCAL_SIZE ||
++ offset > mData.parentSize - ZIPLOCAL_SIZE) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+@@ -137,7 +138,8 @@ ArchiveInputStream::Init()
+ ArchiveZipItem::StrToInt16(local.extrafield_len);
+
+ // The file is corrupt if there is not enough data
+- if (offset + mData.sizeToBeRead > mData.parentSize) {
++ if (mData.parentSize < mData.sizeToBeRead ||
++ offset > mData.parentSize - mData.sizeToBeRead) {
+ return NS_ERROR_UNEXPECTED;
+ }
+
+diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
+index f8af715..5ec8225 100644
+--- a/modules/libjar/nsZipArchive.cpp
++++ b/modules/libjar/nsZipArchive.cpp
+@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN
+ uint16_t namelen = xtoint(central->filename_len);
+ uint16_t extralen = xtoint(central->extrafield_len);
+ uint16_t commentlen = xtoint(central->commentfield_len);
+-
+- // Point to the next item at the top of loop
+- buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
++ uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
+
+ // Sanity check variable sizes and refuse to deal with
+ // anything too big: it's likely a corrupt archive.
+ if (namelen < 1 ||
+ namelen > kMaxNameLength ||
+- buf >= endp) {
++ buf >= buf + diff || // No overflow
++ buf >= endp - diff) {
+ return NS_ERROR_FILE_CORRUPTED;
+ }
+
++ // Point to the next item at the top of loop
++ buf += diff;
++
+ nsZipItem* item = CreateZipItem();
+ if (!item)
+ return NS_ERROR_OUT_OF_MEMORY;
+@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN
+ uint32_t len = mFd->mLen;
+ const uint8_t* data = mFd->mFileData;
+ uint32_t offset = aItem->LocalOffset();
+- if (offset + ZIPLOCAL_SIZE > len)
++ if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
+ return nullptr;
+
+ // -- check signature before using the structure, in case the zip file is corrupt
+@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN
+ xtoint(Local->extrafield_len);
+
+ // -- check if there is enough source data in the file
+- if (offset + aItem->Size() > len)
++ if (len < aItem->Size() ||
++ offset > len - aItem->Size())
+ return nullptr;
+
+ return data + offset;
+--
+2.4.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-2736.patch b/gnu/packages/patches/icecat-CVE-2015-2736.patch
new file mode 100644
index 0000000000..a59cc64d10
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2736.patch
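Review bot: The overflow guard `buf >= buf + diff || // No overflow` in the nsZipArchive.cpp hunk compares a pointer with itself plus an attacker-controlled offset, and forming a pointer past the end of the mapped object is undefined behaviour, so an optimizing compiler is entitled to fold that condition to false; `buf >= endp - diff` has the same problem once diff exceeds the remaining range, and so does the `if (buf < startp)` guard added by the icecat-CVE-2015-2736.patch hunk that follows. The sound form keeps the arithmetic in integers: the surrounding loop condition (visible in the 2736 hunk) appears to keep buf below endp, so the last two conditions can become `diff >= static_cast<size_t>(endp - buf)`, and the 2736 hunk should check `centralOffset` against the mapped length before computing `buf = startp + centralOffset;`. The declared types of buf and endp are not visible here, so the cast may need adjusting. The BuildFileList loop and the GetData function both extend beyond the hunk.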
@@ -0,0 +1,34 @@
+From 6daa986c7fdf27835a0f5d897c88f6b8dc42b8db Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Thu, 4 Jun 2015 15:04:10 +0100
+Subject: [PATCH] Bug 1167888 - Better string length check in
+ nsZipArchive::BuildFileList. r=smaug, a=dveditz
+
+--HG--
+extra : transplant_source : %5E6%3E%84%B6a%7F%1F%D21zGc%BD%E1%80%EF%0C%B5%F0
+---
+ modules/libjar/nsZipArchive.cpp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
+index cb3e5d0..f8af715 100644
+--- a/modules/libjar/nsZipArchive.cpp
++++ b/modules/libjar/nsZipArchive.cpp
+@@ -617,8 +617,13 @@ MOZ_WIN_MEM_TRY_BEGIN
+ if (!centralOffset)
+ return NS_ERROR_FILE_CORRUPTED;
+
+- //-- Read the central directory headers
+ buf = startp + centralOffset;
++
++ // avoid overflow of startp + centralOffset.
++ if (buf < startp)
++ return NS_ERROR_FILE_CORRUPTED;
++
++ //-- Read the central directory headers
+ uint32_t sig = 0;
+ while (buf + int32_t(sizeof(uint32_t)) <= endp &&
+ (sig = xtolong(buf)) == CENTRALSIG) {
+--
+2.4.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-2738.patch b/gnu/packages/patches/icecat-CVE-2015-2738.patch
new file mode 100644
index 0000000000..beb784c615
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2738.patch
@@ -0,0 +1,151 @@
+From cda807c21650d0678761d6af8fd324ce622962d6 Mon Sep 17 00:00:00 2001
+From: Andrew Comminos <acomminos@mozilla.com>
+Date: Fri, 19 Jun 2015 11:32:17 -0400
+Subject: [PATCH] Bug 1167356 - Handle return value of DataSourceSurface::Map
+ wherever possible. r=Bas, a=abillings CLOSED TREE
+
+---
+ gfx/2d/SourceSurfaceD2D1.cpp | 11 +++++++++--
+ gfx/gl/GLScreenBuffer.cpp | 5 ++++-
+ gfx/gl/SharedSurfaceGL.cpp | 5 ++++-
+ gfx/layers/YCbCrImageDataSerializer.cpp | 4 +++-
+ gfx/layers/opengl/CompositorOGL.cpp | 6 +++++-
+ gfx/thebes/gfxPlatform.cpp | 6 ++++--
+ widget/gtk/nsImageToPixbuf.cpp | 4 +++-
+ 7 files changed, 32 insertions(+), 9 deletions(-)
+
+diff --git a/gfx/2d/SourceSurfaceD2D1.cpp b/gfx/2d/SourceSurfaceD2D1.cpp
+index fc64327..01f3a67 100644
+--- a/gfx/2d/SourceSurfaceD2D1.cpp
++++ b/gfx/2d/SourceSurfaceD2D1.cpp
+@@ -5,6 +5,7 @@
+
+ #include "SourceSurfaceD2D1.h"
+ #include "DrawTargetD2D1.h"
++#include "Logging.h"
+ #include "Tools.h"
+
+ namespace mozilla {
+@@ -156,7 +157,10 @@ DataSourceSurfaceD2D1::Map(MapType aMapType, MappedSurface *aMappedSurface)
+ }
+
+ D2D1_MAPPED_RECT map;
+- mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map);
++ if (FAILED(mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map))) {
++ gfxCriticalError() << "Failed to map bitmap.";
++ return false;
++ }
+ aMappedSurface->mData = map.bits;
+ aMappedSurface->mStride = map.pitch;
+
+@@ -189,7 +193,10 @@ DataSourceSurfaceD2D1::EnsureMapped()
+ if (mMapped) {
+ return;
+ }
+- mBitmap->Map(D2D1_MAP_OPTIONS_READ, &mMap);
++ if (FAILED(mBitmap->Map(D2D1_MAP_OPTIONS_READ, &mMap))) {
++ gfxCriticalError() << "Failed to map bitmap.";
++ return;
++ }
+ mMapped = true;
+ }
+
+diff --git a/gfx/gl/GLScreenBuffer.cpp b/gfx/gl/GLScreenBuffer.cpp
+index 432bdbc..d31e848 100755
+--- a/gfx/gl/GLScreenBuffer.cpp
++++ b/gfx/gl/GLScreenBuffer.cpp
+@@ -483,7 +483,10 @@ GLScreenBuffer::Readback(SharedSurface_GL* src, DataSourceSurface* dest)
+ {
+ MOZ_ASSERT(src && dest);
+ DataSourceSurface::MappedSurface ms;
+- dest->Map(DataSourceSurface::MapType::READ, &ms);
++ if (!dest->Map(DataSourceSurface::MapType::READ, &ms)) {
++ NS_ERROR("Failed to map surface for reading.");
++ return;
++ }
+ nsRefPtr<gfxImageSurface> wrappedDest =
+ new gfxImageSurface(ms.mData,
+ ThebesIntSize(dest->GetSize()),
+diff --git a/gfx/gl/SharedSurfaceGL.cpp b/gfx/gl/SharedSurfaceGL.cpp
+index 1aab56f..1f80c28 100644
+--- a/gfx/gl/SharedSurfaceGL.cpp
++++ b/gfx/gl/SharedSurfaceGL.cpp
+@@ -326,7 +326,10 @@ SharedSurface_Basic::Fence()
+ ScopedBindFramebuffer autoFB(mGL, mFB);
+
+ DataSourceSurface::MappedSurface map;
+- mData->Map(DataSourceSurface::MapType::WRITE, &map);
++ if (!mData->Map(DataSourceSurface::MapType::WRITE, &map)) {
++ NS_ERROR("Failed to map surface for writing.");
++ return;
++ }
+ nsRefPtr<gfxImageSurface> wrappedData =
+ new gfxImageSurface(map.mData,
+ ThebesIntSize(mData->GetSize()),
+diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp
+index e16db18..6e7a908 100644
+--- a/gfx/layers/YCbCrImageDataSerializer.cpp
++++ b/gfx/layers/YCbCrImageDataSerializer.cpp
+@@ -278,7 +278,9 @@ YCbCrImageDataDeserializer::ToDataSourceSurface()
+ Factory::CreateDataSourceSurface(GetYSize(), gfx::SurfaceFormat::B8G8R8X8);
+
+ DataSourceSurface::MappedSurface map;
+- result->Map(DataSourceSurface::MapType::WRITE, &map);
++ if (NS_WARN_IF(!result->Map(DataSourceSurface::MapType::WRITE, &map))) {
++ return nullptr;
++ }
+
+ gfx::ConvertYCbCrToRGB32(GetYData(), GetCbData(), GetCrData(),
+ map.mData,
+diff --git a/gfx/layers/opengl/CompositorOGL.cpp b/gfx/layers/opengl/CompositorOGL.cpp
+index 92432c3..2e0b51e 100644
+--- a/gfx/layers/opengl/CompositorOGL.cpp
++++ b/gfx/layers/opengl/CompositorOGL.cpp
+@@ -1346,7 +1346,11 @@ CompositorOGL::CopyToTarget(DrawTarget *aTarget, const gfx::Matrix& aTransform)
+ Factory::CreateDataSourceSurface(rect.Size(), gfx::SurfaceFormat::B8G8R8A8);
+
+ DataSourceSurface::MappedSurface map;
+- source->Map(DataSourceSurface::MapType::WRITE, &map);
++ if (!source->Map(DataSourceSurface::MapType::WRITE, &map)) {
++ NS_ERROR("Failed to map surface for writing!");
++ return;
++ }
++
+ // XXX we should do this properly one day without using the gfxImageSurface
+ nsRefPtr<gfxImageSurface> surf =
+ new gfxImageSurface(map.mData,
+diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp
+index c869e53..8a2122c 100644
+--- a/gfx/thebes/gfxPlatform.cpp
++++ b/gfx/thebes/gfxPlatform.cpp
+@@ -662,8 +662,10 @@ CopySurface(gfxASurface* aSurface)
+ }
+
+ DataSourceSurface::MappedSurface map;
+- DebugOnly<bool> result = data->Map(DataSourceSurface::WRITE, &map);
+- MOZ_ASSERT(result, "Should always succeed mapping raw data surfaces!");
++ if (!data->Map(DataSourceSurface::WRITE, &map)) {
++ NS_ERROR("Failed to map surface for reading!");
++ return nullptr;
++ }
+
+ nsRefPtr<gfxImageSurface> image = new gfxImageSurface(map.mData, size, map.mStride, format);
+ nsRefPtr<gfxContext> ctx = new gfxContext(image);
+diff --git a/widget/gtk/nsImageToPixbuf.cpp b/widget/gtk/nsImageToPixbuf.cpp
+index ca05b3b..a83a570 100644
+--- a/widget/gtk/nsImageToPixbuf.cpp
++++ b/widget/gtk/nsImageToPixbuf.cpp
+@@ -75,7 +75,9 @@ nsImageToPixbuf::SourceSurfaceToPixbuf(SourceSurface* aSurface,
+
+ RefPtr<DataSourceSurface> dataSurface = aSurface->GetDataSurface();
+ DataSourceSurface::MappedSurface map;
+- dataSurface->Map(DataSourceSurface::MapType::READ, &map);
++ if (!dataSurface->Map(DataSourceSurface::MapType::READ, &map))
++ return nullptr;
++
+ uint8_t* srcData = map.mData;
+ int32_t srcStride = map.mStride;
+
+--
+2.4.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-2739.patch b/gnu/packages/patches/icecat-CVE-2015-2739.patch
new file mode 100644
index 0000000000..9f70db8cf9
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2739.patch
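Review bot: The gfxPlatform.cpp hunk maps with `DataSourceSurface::WRITE` but reports `NS_ERROR("Failed to map surface for reading!");`, so the diagnostic a maintainer would grep for points at the wrong operation; it should read `NS_ERROR("Failed to map surface for writing!");`. As a point of style, the YCbCrImageDataSerializer.cpp and nsImageToPixbuf.cpp hunks return nullptr without any diagnostic while every other site in this patch logs, so a failed map in those two paths will be invisible in debug builds; `NS_WARN_IF` as used in the YCbCr hunk, or an `NS_ERROR` in the pixbuf hunk, would make the seven sites consistent. The enclosing functions in every file section continue outside the hunks.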
@@ -0,0 +1,66 @@
+From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001
+From: Boris Zbarsky <bzbarsky@mit.edu>
+Date: Mon, 1 Jun 2015 16:59:26 -0700
+Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in
+ XHR. r=baku a=lizzard
+
+---
+ content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
+index 58a9ee0..56d1aa3 100644
+--- a/content/base/src/nsXMLHttpRequest.cpp
++++ b/content/base/src/nsXMLHttpRequest.cpp
+@@ -7,6 +7,7 @@
+ #include "nsXMLHttpRequest.h"
+
+ #include "mozilla/ArrayUtils.h"
++#include "mozilla/CheckedInt.h"
+ #include "mozilla/dom/XMLHttpRequestUploadBinding.h"
+ #include "mozilla/EventDispatcher.h"
+ #include "mozilla/EventListenerManager.h"
+@@ -3897,26 +3898,30 @@ bool
+ ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
+ uint32_t aMaxGrowth)
+ {
++ CheckedUint32 neededCapacity = mLength;
++ neededCapacity += aDataLen;
++ if (!neededCapacity.isValid()) {
++ return false;
++ }
+ if (mLength + aDataLen > mCapacity) {
+- uint32_t newcap;
++ CheckedUint32 newcap = mCapacity;
+ // Double while under aMaxGrowth or if not specified.
+ if (!aMaxGrowth || mCapacity < aMaxGrowth) {
+- newcap = mCapacity * 2;
++ newcap *= 2;
+ } else {
+- newcap = mCapacity + aMaxGrowth;
++ newcap += aMaxGrowth;
+ }
+
+- // But make sure there's always enough to satisfy our request.
+- if (newcap < mLength + aDataLen) {
+- newcap = mLength + aDataLen;
++ if (!newcap.isValid()) {
++ return false;
+ }
+
+- // Did we overflow?
+- if (newcap < mCapacity) {
+- return false;
++ // But make sure there's always enough to satisfy our request.
++ if (newcap.value() < neededCapacity.value()) {
++ newcap = neededCapacity;
+ }
+
+- if (!setCapacity(newcap)) {
++ if (!setCapacity(newcap.value())) {
+ return false;
+ }
+ }
+--
+2.4.3
+
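Review bot: The ArrayBufferBuilder::append hunk computes `neededCapacity` with checked arithmetic and then immediately repeats the raw sum in `if (mLength + aDataLen > mCapacity) {`; the raw sum is safe only because of the isValid() check a few lines above, and a later edit that moves or relaxes that check would reintroduce the wraparound the patch fixes. As a point of style the comparison should use the value already validated, `if (neededCapacity.value() > mCapacity) {`, so the function has a single source of truth for the required size. Also note that a newcap that doubles past UINT32_MAX now fails the whole append even when neededCapacity itself would fit; clamping to neededCapacity in that case may be preferable, but that is a behavioural choice for the upstream authors. The function's tail (the memcpy into the buffer, presumably) lies outside the hunk.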
diff --git a/gnu/packages/patches/icecat-CVE-2015-2740.patch b/gnu/packages/patches/icecat-CVE-2015-2740.patch
new file mode 100644
index 0000000000..caafa52a23
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2740.patch
@@ -0,0 +1,52 @@
+From ccbae7ff07c2e72c48e0676adaa3e798990f33a1 Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Tue, 23 Jun 2015 10:47:38 -0400
+Subject: [PATCH] Bug 1170809 - Improve the buffer size check in
+ nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings
+
+---
+ content/base/src/nsXMLHttpRequest.cpp | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
+index 56d1aa3..86425d7 100644
+--- a/content/base/src/nsXMLHttpRequest.cpp
++++ b/content/base/src/nsXMLHttpRequest.cpp
+@@ -655,13 +655,18 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
+ &destBufferLen);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+- if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible_t())) {
++ uint32_t size = mResponseText.Length() + destBufferLen;
++ if (size < (uint32_t)destBufferLen) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
++
++ if (!mResponseText.SetCapacity(size, fallible_t())) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
+
+- int32_t totalChars = mResponseText.Length();
++ CheckedInt32 totalChars = mResponseText.Length();
+
+ // This code here is basically a copy of a similar thing in
+ // nsScanner::Append(const char* aBuffer, uint32_t aLen).
+@@ -674,9 +679,11 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
+ MOZ_ASSERT(NS_SUCCEEDED(rv));
+
+ totalChars += destlen;
++ if (!totalChars.isValid()) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+
+- mResponseText.SetLength(totalChars);
+-
++ mResponseText.SetLength(totalChars.value());
+ return NS_OK;
+ }
+
+--
+2.4.3
+
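Review bot: The hand-rolled wraparound test `if (size < (uint32_t)destBufferLen) {` in the AppendToResponseText hunk sits a few lines above code that switches `totalChars` to CheckedInt32 for exactly the same purpose, so the function now mixes two overflow idioms. The C-style cast suggests destBufferLen is a signed type (its declaration is outside the hunk); if it can ever be negative the cast turns it into a huge unsigned value and the test misfires, whereas checked arithmetic handles both cases uniformly: `CheckedUint32 size = mResponseText.Length(); size += destBufferLen;` followed by `if (!size.isValid()) return NS_ERROR_OUT_OF_MEMORY;` and `SetCapacity(size.value(), fallible_t())`. The middle of the function (the decoder loop that produces destlen) is not in the hunk.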
diff --git a/gnu/packages/patches/icecat-CVE-2015-2743.patch b/gnu/packages/patches/icecat-CVE-2015-2743.patch
new file mode 100644
index 0000000000..a74fe7b270
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2743.patch
@@ -0,0 +1,73 @@
+From 9ed97d606aaaf79776b0e19a73ba30d8ad0685b5 Mon Sep 17 00:00:00 2001
+From: Ben Turner <bent.mozilla@gmail.com>
+Date: Tue, 26 May 2015 17:27:01 -0400
+Subject: [PATCH] Bug 1163109 - Restrict the resource:// weirdness in workers
+ to loads from a system principal. r=bzbarsky, a=lizzard
+
+--HG--
+extra : transplant_source : sQUdu%7C%ED%84%CA%5B%91%89/%1B2%25%CFY%B0%C3
+---
+ dom/workers/ScriptLoader.cpp | 37 ++++++++++++++++--------------------
+ 1 file changed, 16 insertions(+), 21 deletions(-)
+
+diff --git a/dom/workers/ScriptLoader.cpp b/dom/workers/ScriptLoader.cpp
+index 0dfe625..3335c3e 100644
+--- a/dom/workers/ScriptLoader.cpp
++++ b/dom/workers/ScriptLoader.cpp
+@@ -509,22 +509,6 @@ private:
+ rv = ssm->GetChannelPrincipal(channel, getter_AddRefs(channelPrincipal));
+ NS_ENSURE_SUCCESS(rv, rv);
+
+- // See if this is a resource URI. Since JSMs usually come from resource://
+- // URIs we're currently considering all URIs with the URI_IS_UI_RESOURCE
+- // flag as valid for creating privileged workers.
+- if (!nsContentUtils::IsSystemPrincipal(channelPrincipal)) {
+- bool isResource;
+- rv = NS_URIChainHasFlags(finalURI,
+- nsIProtocolHandler::URI_IS_UI_RESOURCE,
+- &isResource);
+- NS_ENSURE_SUCCESS(rv, rv);
+-
+- if (isResource) {
+- rv = ssm->GetSystemPrincipal(getter_AddRefs(channelPrincipal));
+- NS_ENSURE_SUCCESS(rv, rv);
+- }
+- }
+-
+ // If the load principal is the system principal then the channel
+ // principal must also be the system principal (we do not allow chrome
+ // code to create workers with non-chrome scripts). Otherwise this channel
+@@ -532,14 +516,25 @@ private:
+ // here in case redirects changed the location of the script).
+ if (nsContentUtils::IsSystemPrincipal(loadPrincipal)) {
+ if (!nsContentUtils::IsSystemPrincipal(channelPrincipal)) {
+- return NS_ERROR_DOM_BAD_URI;
++ // See if this is a resource URI. Since JSMs usually come from
++ // resource:// URIs we're currently considering all URIs with the
++ // URI_IS_UI_RESOURCE flag as valid for creating privileged workers.
++ bool isResource;
++ rv = NS_URIChainHasFlags(finalURI,
++ nsIProtocolHandler::URI_IS_UI_RESOURCE,
++ &isResource);
++ NS_ENSURE_SUCCESS(rv, rv);
++
++ if (isResource) {
++ // Assign the system principal to the resource:// worker only if it
++ // was loaded from code using the system principal.
++ channelPrincipal = loadPrincipal;
++ } else {
++ return NS_ERROR_DOM_BAD_URI;
++ }
+ }
+ }
+ else {
+- nsCString scheme;
+- rv = finalURI->GetScheme(scheme);
+- NS_ENSURE_SUCCESS(rv, rv);
+-
+ // We exempt data urls and other URI's that inherit their
+ // principal again.
+ if (NS_FAILED(loadPrincipal->CheckMayLoad(finalURI, false, true))) {
+--
+2.4.3
+
|