authorMark H Weaver <mhw@netris.org>2016-03-10 02:57:05 -0500
committerMark H Weaver <mhw@netris.org>2016-03-10 10:52:41 -0500
commitc3499ad6b8cfdf1c6b09aa51f9f681a5be6c8962 (patch)
tree5013ce433bb697afc6086c4c4b1532cf57ea8bd5 /gnu/packages/patches/icecat-CVE-2016-1974.patch
parentec278439f3ff5dcd3d02c05099ba1724cc2459f1 (diff)
gnu: icecat: Add several security fixes.
* gnu/packages/patches/icecat-CVE-2015-4477.patch, gnu/packages/patches/icecat-CVE-2015-7207.patch, gnu/packages/patches/icecat-CVE-2016-1952-pt01.patch, gnu/packages/patches/icecat-CVE-2016-1952-pt02.patch, gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch, gnu/packages/patches/icecat-CVE-2016-1952-pt04.patch, gnu/packages/patches/icecat-CVE-2016-1952-pt05.patch, gnu/packages/patches/icecat-CVE-2016-1952-pt06.patch, gnu/packages/patches/icecat-CVE-2016-1954.patch, gnu/packages/patches/icecat-CVE-2016-1960.patch, gnu/packages/patches/icecat-CVE-2016-1961.patch, gnu/packages/patches/icecat-CVE-2016-1962.patch, gnu/packages/patches/icecat-CVE-2016-1964.patch, gnu/packages/patches/icecat-CVE-2016-1965.patch, gnu/packages/patches/icecat-CVE-2016-1966.patch, gnu/packages/patches/icecat-CVE-2016-1974.patch, gnu/packages/patches/icecat-bug-1248851.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-1974.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1974.patch530
1 files changed, 530 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-1974.patch b/gnu/packages/patches/icecat-CVE-2016-1974.patch
new file mode 100644
index 0000000000..70fc23b8f3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1974.patch
@@ -0,0 +1,530 @@
+Copied from upstream:
+https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/271e3a5a53d9
+
+# HG changeset patch
+# User Henri Sivonen <hsivonen@hsivonen.fi>
+# Date 1455014759 -7200
+# Node ID 271e3a5a53d96871141e89271f611033b512e3e4
+# Parent 9719b71d72dd2a3c5ee12ace156af2a63d9595ac
+Bug 1228103. r=smaug. a=sylvestre
+
+diff --git a/parser/htmlparser/nsExpatDriver.cpp b/parser/htmlparser/nsExpatDriver.cpp
+--- a/parser/htmlparser/nsExpatDriver.cpp
++++ b/parser/htmlparser/nsExpatDriver.cpp
+@@ -1127,22 +1127,28 @@ nsExpatDriver::ConsumeToken(nsScanner& a
+ XML_Size lastLineLength = XML_GetCurrentColumnNumber(mExpatParser);
+
+ if (lastLineLength <= consumed) {
+ // The length of the last line was less than what expat consumed, so
+ // there was at least one line break in the consumed data. Store the
+ // last line until the point where we stopped parsing.
+ nsScannerIterator startLastLine = currentExpatPosition;
+ startLastLine.advance(-((ptrdiff_t)lastLineLength));
+- CopyUnicodeTo(startLastLine, currentExpatPosition, mLastLine);
++ if (!CopyUnicodeTo(startLastLine, currentExpatPosition, mLastLine)) {
++ return (mInternalState = NS_ERROR_OUT_OF_MEMORY);
++ }
+ }
+ else {
+ // There was no line break in the consumed data, append the consumed
+ // data.
+- AppendUnicodeTo(oldExpatPosition, currentExpatPosition, mLastLine);
++ if (!AppendUnicodeTo(oldExpatPosition,
++ currentExpatPosition,
++ mLastLine)) {
++ return (mInternalState = NS_ERROR_OUT_OF_MEMORY);
++ }
+ }
+ }
+
+ mExpatBuffered += length - consumed;
+
+ if (BlockedOrInterrupted()) {
+ PR_LOG(GetExpatDriverLog(), PR_LOG_DEBUG,
+ ("Blocked or interrupted parser (probably for loading linked "
+diff --git a/parser/htmlparser/nsParser.cpp b/parser/htmlparser/nsParser.cpp
+--- a/parser/htmlparser/nsParser.cpp
++++ b/parser/htmlparser/nsParser.cpp
+@@ -1508,17 +1508,19 @@ nsParser::ResumeParse(bool allowIteratio
+ DidBuildModel(mStreamStatus);
+ return NS_OK;
+ }
+ } else {
+ CParserContext* theContext = PopContext();
+ if (theContext) {
+ theIterationIsOk = allowIteration && theContextIsStringBased;
+ if (theContext->mCopyUnused) {
+- theContext->mScanner->CopyUnusedData(mUnusedInput);
++ if (!theContext->mScanner->CopyUnusedData(mUnusedInput)) {
++ mInternalState = NS_ERROR_OUT_OF_MEMORY;
++ }
+ }
+
+ delete theContext;
+ }
+
+ result = mInternalState;
+ aIsFinalChunk = mParserContext &&
+ mParserContext->mStreamListenerState == eOnStop;
+diff --git a/parser/htmlparser/nsScanner.cpp b/parser/htmlparser/nsScanner.cpp
+--- a/parser/htmlparser/nsScanner.cpp
++++ b/parser/htmlparser/nsScanner.cpp
+@@ -379,17 +379,19 @@ nsresult nsScanner::Peek(nsAString& aStr
+ if (mCountRemaining < uint32_t(aNumChars + aOffset)) {
+ end = mEndPosition;
+ }
+ else {
+ end = start;
+ end.advance(aNumChars);
+ }
+
+- CopyUnicodeTo(start, end, aStr);
++ if (!CopyUnicodeTo(start, end, aStr)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+
+ return NS_OK;
+ }
+
+
+ /**
+ * Skip whitespace on scanner input stream
+ *
+@@ -542,17 +544,19 @@ nsresult nsScanner::ReadTagIdentifier(ns
+
+ if (!found) {
+ ++current;
+ }
+ }
+
+ // Don't bother appending nothing.
+ if (current != mCurrentPosition) {
+- AppendUnicodeTo(mCurrentPosition, current, aString);
++ if (!AppendUnicodeTo(mCurrentPosition, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ }
+
+ SetPosition(current);
+ if (current == end) {
+ result = kEOF;
+ }
+
+ //DoErrTest(aString);
+@@ -597,26 +601,30 @@ nsresult nsScanner::ReadEntityIdentifier
+ default:
+ found = ('a'<=theChar && theChar<='z') ||
+ ('A'<=theChar && theChar<='Z') ||
+ ('0'<=theChar && theChar<='9');
+ break;
+ }
+
+ if(!found) {
+- AppendUnicodeTo(mCurrentPosition, current, aString);
++ if (!AppendUnicodeTo(mCurrentPosition, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ break;
+ }
+ }
+ ++current;
+ }
+
+ SetPosition(current);
+ if (current == end) {
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ return kEOF;
+ }
+
+ //DoErrTest(aString);
+
+ return result;
+ }
+
+@@ -646,26 +654,30 @@ nsresult nsScanner::ReadNumber(nsString&
+ while(current != end) {
+ theChar=*current;
+ if(theChar) {
+ done = (theChar < '0' || theChar > '9') &&
+ ((aBase == 16)? (theChar < 'A' || theChar > 'F') &&
+ (theChar < 'a' || theChar > 'f')
+ :true);
+ if(done) {
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ break;
+ }
+ }
+ ++current;
+ }
+
+ SetPosition(current);
+ if (current == end) {
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ return kEOF;
+ }
+
+ //DoErrTest(aString);
+
+ return result;
+ }
+
+@@ -712,37 +724,43 @@ nsresult nsScanner::ReadWhitespace(nsSca
+ char16_t thePrevChar = theChar;
+ theChar = (++current != end) ? *current : '\0';
+ if ((thePrevChar == '\r' && theChar == '\n') ||
+ (thePrevChar == '\n' && theChar == '\r')) {
+ theChar = (++current != end) ? *current : '\0'; // CRLF == LFCR => LF
+ haveCR = true;
+ } else if (thePrevChar == '\r') {
+ // Lone CR becomes CRLF; callers should know to remove extra CRs
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ aString.writable().Append(char16_t('\n'));
+ origin = current;
+ haveCR = true;
+ }
+ }
+ break;
+ case ' ' :
+ case '\t':
+ theChar = (++current != end) ? *current : '\0';
+ break;
+ default:
+ done = true;
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ break;
+ }
+ }
+
+ SetPosition(current);
+ if (current == end) {
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ result = kEOF;
+ }
+
+ aHaveCR = haveCR;
+ return result;
+ }
+
+ //XXXbz callers of this have to manage their lone '\r' themselves if they want
+@@ -846,34 +864,38 @@ nsresult nsScanner::ReadUntil(nsAString&
+ if(!(theChar & aEndCondition.mFilter)) {
+ // They were. Do a thorough check.
+
+ setcurrent = setstart;
+ while (*setcurrent) {
+ if (*setcurrent == theChar) {
+ if(addTerminal)
+ ++current;
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ SetPosition(current);
+
+ //DoErrTest(aString);
+
+ return NS_OK;
+ }
+ ++setcurrent;
+ }
+ }
+
+ ++current;
+ }
+
+ // If we are here, we didn't find any terminator in the string and
+ // current = mEndPosition
+ SetPosition(current);
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ return kEOF;
+ }
+
+ nsresult nsScanner::ReadUntil(nsScannerSharedSubstring& aString,
+ const nsReadEndCondition& aEndCondition,
+ bool addTerminal)
+ {
+ if (!mSlidingBuffer) {
+@@ -906,34 +928,38 @@ nsresult nsScanner::ReadUntil(nsScannerS
+ if(!(theChar & aEndCondition.mFilter)) {
+ // They were. Do a thorough check.
+
+ setcurrent = setstart;
+ while (*setcurrent) {
+ if (*setcurrent == theChar) {
+ if(addTerminal)
+ ++current;
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ SetPosition(current);
+
+ //DoErrTest(aString);
+
+ return NS_OK;
+ }
+ ++setcurrent;
+ }
+ }
+
+ ++current;
+ }
+
+ // If we are here, we didn't find any terminator in the string and
+ // current = mEndPosition
+ SetPosition(current);
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ return kEOF;
+ }
+
+ nsresult nsScanner::ReadUntil(nsScannerIterator& aStart,
+ nsScannerIterator& aEnd,
+ const nsReadEndCondition &aEndCondition,
+ bool addTerminal)
+ {
+@@ -1025,26 +1051,30 @@ nsresult nsScanner::ReadUntil(nsAString&
+ if (theChar == '\0') {
+ ReplaceCharacter(current, sInvalid);
+ theChar = sInvalid;
+ }
+
+ if (aTerminalChar == theChar) {
+ if(addTerminal)
+ ++current;
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ SetPosition(current);
+ return NS_OK;
+ }
+ ++current;
+ }
+
+ // If we are here, we didn't find any terminator in the string and
+ // current = mEndPosition
+- AppendUnicodeTo(origin, current, aString);
++ if (!AppendUnicodeTo(origin, current, aString)) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+ SetPosition(current);
+ return kEOF;
+
+ }
+
+ void nsScanner::BindSubstring(nsScannerSubstring& aSubstring, const nsScannerIterator& aStart, const nsScannerIterator& aEnd)
+ {
+ aSubstring.Rebind(*mSlidingBuffer, aStart, aEnd);
+@@ -1142,29 +1172,29 @@ bool nsScanner::AppendToBuffer(nsScanner
+ }
+
+ /**
+ * call this to copy bytes out of the scanner that have not yet been consumed
+ * by the tokenization process.
+ *
+ * @update gess 5/12/98
+ * @param aCopyBuffer is where the scanner buffer will be copied to
+- * @return nada
++ * @return true if OK or false on OOM
+ */
+-void nsScanner::CopyUnusedData(nsString& aCopyBuffer) {
++bool nsScanner::CopyUnusedData(nsString& aCopyBuffer) {
+ if (!mSlidingBuffer) {
+ aCopyBuffer.Truncate();
+- return;
++ return true;
+ }
+
+ nsScannerIterator start, end;
+ start = mCurrentPosition;
+ end = mEndPosition;
+
+- CopyUnicodeTo(start, end, aCopyBuffer);
++ return CopyUnicodeTo(start, end, aCopyBuffer);
+ }
+
+ /**
+ * Retrieve the name of the file that the scanner is reading from.
+ * In some cases, it's just a given name, because the scanner isn't
+ * really reading from a file.
+ *
+ * @update gess 5/12/98
+diff --git a/parser/htmlparser/nsScanner.h b/parser/htmlparser/nsScanner.h
+--- a/parser/htmlparser/nsScanner.h
++++ b/parser/htmlparser/nsScanner.h
+@@ -204,19 +204,19 @@ class nsScanner {
+ nsIRequest *aRequest);
+
+ /**
+ * Call this to copy bytes out of the scanner that have not yet been consumed
+ * by the tokenization process.
+ *
+ * @update gess 5/12/98
+ * @param aCopyBuffer is where the scanner buffer will be copied to
+- * @return nada
++ * @return true if OK or false on OOM
+ */
+- void CopyUnusedData(nsString& aCopyBuffer);
++ bool CopyUnusedData(nsString& aCopyBuffer);
+
+ /**
+ * Retrieve the name of the file that the scanner is reading from.
+ * In some cases, it's just a given name, because the scanner isn't
+ * really reading from a file.
+ *
+ * @update gess 5/12/98
+ * @return
+diff --git a/parser/htmlparser/nsScannerString.cpp b/parser/htmlparser/nsScannerString.cpp
+--- a/parser/htmlparser/nsScannerString.cpp
++++ b/parser/htmlparser/nsScannerString.cpp
+@@ -461,61 +461,63 @@ copy_multifragment_string( nsScannerIter
+ sink_traits::write(result, source_traits::read(first), distance);
+ NS_ASSERTION(distance > 0, "|copy_multifragment_string| will never terminate");
+ source_traits::advance(first, distance);
+ }
+
+ return result;
+ }
+
+-void
++bool
+ CopyUnicodeTo( const nsScannerIterator& aSrcStart,
+ const nsScannerIterator& aSrcEnd,
+ nsAString& aDest )
+ {
+ nsAString::iterator writer;
+ if (!aDest.SetLength(Distance(aSrcStart, aSrcEnd), mozilla::fallible)) {
+ aDest.Truncate();
+- return; // out of memory
++ return false; // out of memory
+ }
+ aDest.BeginWriting(writer);
+ nsScannerIterator fromBegin(aSrcStart);
+
+ copy_multifragment_string(fromBegin, aSrcEnd, writer);
++ return true;
+ }
+
+-void
++bool
+ AppendUnicodeTo( const nsScannerIterator& aSrcStart,
+ const nsScannerIterator& aSrcEnd,
+ nsScannerSharedSubstring& aDest )
+ {
+ // Check whether we can just create a dependent string.
+ if (aDest.str().IsEmpty()) {
+ // We can just make |aDest| point to the buffer.
+ // This will take care of copying if the buffer spans fragments.
+ aDest.Rebind(aSrcStart, aSrcEnd);
+- } else {
+- // The dest string is not empty, so it can't be a dependent substring.
+- AppendUnicodeTo(aSrcStart, aSrcEnd, aDest.writable());
++ return true;
+ }
++ // The dest string is not empty, so it can't be a dependent substring.
++ return AppendUnicodeTo(aSrcStart, aSrcEnd, aDest.writable());
+ }
+
+-void
++bool
+ AppendUnicodeTo( const nsScannerIterator& aSrcStart,
+ const nsScannerIterator& aSrcEnd,
+ nsAString& aDest )
+ {
+ nsAString::iterator writer;
+ uint32_t oldLength = aDest.Length();
+ if (!aDest.SetLength(oldLength + Distance(aSrcStart, aSrcEnd), mozilla::fallible))
+- return; // out of memory
++ return false; // out of memory
+ aDest.BeginWriting(writer).advance(oldLength);
+ nsScannerIterator fromBegin(aSrcStart);
+
+ copy_multifragment_string(fromBegin, aSrcEnd, writer);
++ return true;
+ }
+
+ bool
+ FindCharInReadable( char16_t aChar,
+ nsScannerIterator& aSearchStart,
+ const nsScannerIterator& aSearchEnd )
+ {
+ while ( aSearchStart != aSearchEnd )
+diff --git a/parser/htmlparser/nsScannerString.h b/parser/htmlparser/nsScannerString.h
+--- a/parser/htmlparser/nsScannerString.h
++++ b/parser/htmlparser/nsScannerString.h
+@@ -539,43 +539,43 @@ nsScannerBufferList::Position::operator=
+ inline
+ size_t
+ Distance( const nsScannerIterator& aStart, const nsScannerIterator& aEnd )
+ {
+ typedef nsScannerBufferList::Position Position;
+ return Position::Distance(Position(aStart), Position(aEnd));
+ }
+
+-void
++bool
+ CopyUnicodeTo( const nsScannerIterator& aSrcStart,
+ const nsScannerIterator& aSrcEnd,
+ nsAString& aDest );
+
+ inline
+-void
++bool
+ CopyUnicodeTo( const nsScannerSubstring& aSrc, nsAString& aDest )
+ {
+ nsScannerIterator begin, end;
+- CopyUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
++ return CopyUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
+ }
+
+-void
++bool
+ AppendUnicodeTo( const nsScannerIterator& aSrcStart,
+ const nsScannerIterator& aSrcEnd,
+ nsAString& aDest );
+
+ inline
+-void
++bool
+ AppendUnicodeTo( const nsScannerSubstring& aSrc, nsAString& aDest )
+ {
+ nsScannerIterator begin, end;
+- AppendUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
++ return AppendUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
+ }
+
+-void
++bool
+ AppendUnicodeTo( const nsScannerIterator& aSrcStart,
+ const nsScannerIterator& aSrcEnd,
+ nsScannerSharedSubstring& aDest );
+
+ bool
+ FindCharInReadable( char16_t aChar,
+ nsScannerIterator& aStart,
+ const nsScannerIterator& aEnd );
+
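Review bot: The functions this embedded upstream patch changes from `void` to `bool` (`CopyUnicodeTo` and `AppendUnicodeTo` in nsScannerString.h, `nsScanner::CopyUnusedData` in nsScanner.h) are declared without a must-check annotation, so a caller the patch does not touch would still compile while dropping the out-of-memory result the fix relies on. Every call site visible in the patch is either tested or returned, but callers of the inline `nsScannerSubstring` overloads lie outside it, so full coverage cannot be confirmed from this page. Annotating the declarations, for example `MOZ_WARN_UNUSED_RESULT bool CopyUnicodeTo(...)`, would turn a missed call site into a compiler warning, assuming the tree's mfbt attribute macro is usable in these headers. Separately, the new early returns in `nsScanner::ReadWhitespace` (whose start is outside its nested hunk) exit before `aHaveCR = haveCR;`, so what appears to be an out-parameter is left unset on failure. A comment such as `// aHaveCR is not written on OOM; callers must check the result first` would document that.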