diff options
author | Mark H Weaver <mhw@netris.org> | 2016-03-10 02:57:05 -0500 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2016-03-10 10:52:41 -0500 |
commit | c3499ad6b8cfdf1c6b09aa51f9f681a5be6c8962 (patch) | |
tree | 5013ce433bb697afc6086c4c4b1532cf57ea8bd5 /gnu/packages/patches/icecat-CVE-2016-1974.patch | |
parent | ec278439f3ff5dcd3d02c05099ba1724cc2459f1 (diff) |
gnu: icecat: Add several security fixes.
* gnu/packages/patches/icecat-CVE-2015-4477.patch,
gnu/packages/patches/icecat-CVE-2015-7207.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt01.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt02.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt04.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt05.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt06.patch,
gnu/packages/patches/icecat-CVE-2016-1954.patch,
gnu/packages/patches/icecat-CVE-2016-1960.patch,
gnu/packages/patches/icecat-CVE-2016-1961.patch,
gnu/packages/patches/icecat-CVE-2016-1962.patch,
gnu/packages/patches/icecat-CVE-2016-1964.patch,
gnu/packages/patches/icecat-CVE-2016-1965.patch,
gnu/packages/patches/icecat-CVE-2016-1966.patch,
gnu/packages/patches/icecat-CVE-2016-1974.patch,
gnu/packages/patches/icecat-bug-1248851.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-1974.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2016-1974.patch | 530 |
1 files changed, 530 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-1974.patch b/gnu/packages/patches/icecat-CVE-2016-1974.patch new file mode 100644 index 0000000000..70fc23b8f3 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1974.patch @@ -0,0 +1,530 @@ +Copied from upstream: +https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/271e3a5a53d9 + +# HG changeset patch +# User Henri Sivonen <hsivonen@hsivonen.fi> +# Date 1455014759 -7200 +# Node ID 271e3a5a53d96871141e89271f611033b512e3e4 +# Parent 9719b71d72dd2a3c5ee12ace156af2a63d9595ac +Bug 1228103. r=smaug. a=sylvestre + +diff --git a/parser/htmlparser/nsExpatDriver.cpp b/parser/htmlparser/nsExpatDriver.cpp +--- a/parser/htmlparser/nsExpatDriver.cpp ++++ b/parser/htmlparser/nsExpatDriver.cpp +@@ -1127,22 +1127,28 @@ nsExpatDriver::ConsumeToken(nsScanner& a + XML_Size lastLineLength = XML_GetCurrentColumnNumber(mExpatParser); + + if (lastLineLength <= consumed) { + // The length of the last line was less than what expat consumed, so + // there was at least one line break in the consumed data. Store the + // last line until the point where we stopped parsing. + nsScannerIterator startLastLine = currentExpatPosition; + startLastLine.advance(-((ptrdiff_t)lastLineLength)); +- CopyUnicodeTo(startLastLine, currentExpatPosition, mLastLine); ++ if (!CopyUnicodeTo(startLastLine, currentExpatPosition, mLastLine)) { ++ return (mInternalState = NS_ERROR_OUT_OF_MEMORY); ++ } + } + else { + // There was no line break in the consumed data, append the consumed + // data. +- AppendUnicodeTo(oldExpatPosition, currentExpatPosition, mLastLine); ++ if (!AppendUnicodeTo(oldExpatPosition, ++ currentExpatPosition, ++ mLastLine)) { ++ return (mInternalState = NS_ERROR_OUT_OF_MEMORY); ++ } + } + } + + mExpatBuffered += length - consumed; + + if (BlockedOrInterrupted()) { + PR_LOG(GetExpatDriverLog(), PR_LOG_DEBUG, + ("Blocked or interrupted parser (probably for loading linked " +diff --git a/parser/htmlparser/nsParser.cpp b/parser/htmlparser/nsParser.cpp +--- a/parser/htmlparser/nsParser.cpp ++++ b/parser/htmlparser/nsParser.cpp +@@ -1508,17 +1508,19 @@ nsParser::ResumeParse(bool allowIteratio + DidBuildModel(mStreamStatus); + return NS_OK; + } + } else { + CParserContext* theContext = PopContext(); + if (theContext) { + theIterationIsOk = allowIteration && theContextIsStringBased; + if (theContext->mCopyUnused) { +- theContext->mScanner->CopyUnusedData(mUnusedInput); ++ if (!theContext->mScanner->CopyUnusedData(mUnusedInput)) { ++ mInternalState = NS_ERROR_OUT_OF_MEMORY; ++ } + } + + delete theContext; + } + + result = mInternalState; + aIsFinalChunk = mParserContext && + mParserContext->mStreamListenerState == eOnStop; +diff --git a/parser/htmlparser/nsScanner.cpp b/parser/htmlparser/nsScanner.cpp +--- a/parser/htmlparser/nsScanner.cpp ++++ b/parser/htmlparser/nsScanner.cpp +@@ -379,17 +379,19 @@ nsresult nsScanner::Peek(nsAString& aStr + if (mCountRemaining < uint32_t(aNumChars + aOffset)) { + end = mEndPosition; + } + else { + end = start; + end.advance(aNumChars); + } + +- CopyUnicodeTo(start, end, aStr); ++ if (!CopyUnicodeTo(start, end, aStr)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + + return NS_OK; + } + + + /** + * Skip whitespace on scanner input stream + * +@@ -542,17 +544,19 @@ nsresult nsScanner::ReadTagIdentifier(ns + + if (!found) { + ++current; + } + } + + // Don't bother appending nothing. + if (current != mCurrentPosition) { +- AppendUnicodeTo(mCurrentPosition, current, aString); ++ if (!AppendUnicodeTo(mCurrentPosition, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + } + + SetPosition(current); + if (current == end) { + result = kEOF; + } + + //DoErrTest(aString); +@@ -597,26 +601,30 @@ nsresult nsScanner::ReadEntityIdentifier + default: + found = ('a'<=theChar && theChar<='z') || + ('A'<=theChar && theChar<='Z') || + ('0'<=theChar && theChar<='9'); + break; + } + + if(!found) { +- AppendUnicodeTo(mCurrentPosition, current, aString); ++ if (!AppendUnicodeTo(mCurrentPosition, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + break; + } + } + ++current; + } + + SetPosition(current); + if (current == end) { +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + return kEOF; + } + + //DoErrTest(aString); + + return result; + } + +@@ -646,26 +654,30 @@ nsresult nsScanner::ReadNumber(nsString& + while(current != end) { + theChar=*current; + if(theChar) { + done = (theChar < '0' || theChar > '9') && + ((aBase == 16)? (theChar < 'A' || theChar > 'F') && + (theChar < 'a' || theChar > 'f') + :true); + if(done) { +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + break; + } + } + ++current; + } + + SetPosition(current); + if (current == end) { +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + return kEOF; + } + + //DoErrTest(aString); + + return result; + } + +@@ -712,37 +724,43 @@ nsresult nsScanner::ReadWhitespace(nsSca + char16_t thePrevChar = theChar; + theChar = (++current != end) ? *current : '\0'; + if ((thePrevChar == '\r' && theChar == '\n') || + (thePrevChar == '\n' && theChar == '\r')) { + theChar = (++current != end) ? *current : '\0'; // CRLF == LFCR => LF + haveCR = true; + } else if (thePrevChar == '\r') { + // Lone CR becomes CRLF; callers should know to remove extra CRs +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + aString.writable().Append(char16_t('\n')); + origin = current; + haveCR = true; + } + } + break; + case ' ' : + case '\t': + theChar = (++current != end) ? *current : '\0'; + break; + default: + done = true; +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + break; + } + } + + SetPosition(current); + if (current == end) { +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + result = kEOF; + } + + aHaveCR = haveCR; + return result; + } + + //XXXbz callers of this have to manage their lone '\r' themselves if they want +@@ -846,34 +864,38 @@ nsresult nsScanner::ReadUntil(nsAString& + if(!(theChar & aEndCondition.mFilter)) { + // They were. Do a thorough check. + + setcurrent = setstart; + while (*setcurrent) { + if (*setcurrent == theChar) { + if(addTerminal) + ++current; +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + SetPosition(current); + + //DoErrTest(aString); + + return NS_OK; + } + ++setcurrent; + } + } + + ++current; + } + + // If we are here, we didn't find any terminator in the string and + // current = mEndPosition + SetPosition(current); +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + return kEOF; + } + + nsresult nsScanner::ReadUntil(nsScannerSharedSubstring& aString, + const nsReadEndCondition& aEndCondition, + bool addTerminal) + { + if (!mSlidingBuffer) { +@@ -906,34 +928,38 @@ nsresult nsScanner::ReadUntil(nsScannerS + if(!(theChar & aEndCondition.mFilter)) { + // They were. Do a thorough check. + + setcurrent = setstart; + while (*setcurrent) { + if (*setcurrent == theChar) { + if(addTerminal) + ++current; +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + SetPosition(current); + + //DoErrTest(aString); + + return NS_OK; + } + ++setcurrent; + } + } + + ++current; + } + + // If we are here, we didn't find any terminator in the string and + // current = mEndPosition + SetPosition(current); +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + return kEOF; + } + + nsresult nsScanner::ReadUntil(nsScannerIterator& aStart, + nsScannerIterator& aEnd, + const nsReadEndCondition &aEndCondition, + bool addTerminal) + { +@@ -1025,26 +1051,30 @@ nsresult nsScanner::ReadUntil(nsAString& + if (theChar == '\0') { + ReplaceCharacter(current, sInvalid); + theChar = sInvalid; + } + + if (aTerminalChar == theChar) { + if(addTerminal) + ++current; +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + SetPosition(current); + return NS_OK; + } + ++current; + } + + // If we are here, we didn't find any terminator in the string and + // current = mEndPosition +- AppendUnicodeTo(origin, current, aString); ++ if (!AppendUnicodeTo(origin, current, aString)) { ++ return NS_ERROR_OUT_OF_MEMORY; ++ } + SetPosition(current); + return kEOF; + + } + + void nsScanner::BindSubstring(nsScannerSubstring& aSubstring, const nsScannerIterator& aStart, const nsScannerIterator& aEnd) + { + aSubstring.Rebind(*mSlidingBuffer, aStart, aEnd); +@@ -1142,29 +1172,29 @@ bool nsScanner::AppendToBuffer(nsScanner + } + + /** + * call this to copy bytes out of the scanner that have not yet been consumed + * by the tokenization process. + * + * @update gess 5/12/98 + * @param aCopyBuffer is where the scanner buffer will be copied to +- * @return nada ++ * @return true if OK or false on OOM + */ +-void nsScanner::CopyUnusedData(nsString& aCopyBuffer) { ++bool nsScanner::CopyUnusedData(nsString& aCopyBuffer) { + if (!mSlidingBuffer) { + aCopyBuffer.Truncate(); +- return; ++ return true; + } + + nsScannerIterator start, end; + start = mCurrentPosition; + end = mEndPosition; + +- CopyUnicodeTo(start, end, aCopyBuffer); ++ return CopyUnicodeTo(start, end, aCopyBuffer); + } + + /** + * Retrieve the name of the file that the scanner is reading from. + * In some cases, it's just a given name, because the scanner isn't + * really reading from a file. + * + * @update gess 5/12/98 +diff --git a/parser/htmlparser/nsScanner.h b/parser/htmlparser/nsScanner.h +--- a/parser/htmlparser/nsScanner.h ++++ b/parser/htmlparser/nsScanner.h +@@ -204,19 +204,19 @@ class nsScanner { + nsIRequest *aRequest); + + /** + * Call this to copy bytes out of the scanner that have not yet been consumed + * by the tokenization process. + * + * @update gess 5/12/98 + * @param aCopyBuffer is where the scanner buffer will be copied to +- * @return nada ++ * @return true if OK or false on OOM + */ +- void CopyUnusedData(nsString& aCopyBuffer); ++ bool CopyUnusedData(nsString& aCopyBuffer); + + /** + * Retrieve the name of the file that the scanner is reading from. + * In some cases, it's just a given name, because the scanner isn't + * really reading from a file. + * + * @update gess 5/12/98 + * @return +diff --git a/parser/htmlparser/nsScannerString.cpp b/parser/htmlparser/nsScannerString.cpp +--- a/parser/htmlparser/nsScannerString.cpp ++++ b/parser/htmlparser/nsScannerString.cpp +@@ -461,61 +461,63 @@ copy_multifragment_string( nsScannerIter + sink_traits::write(result, source_traits::read(first), distance); + NS_ASSERTION(distance > 0, "|copy_multifragment_string| will never terminate"); + source_traits::advance(first, distance); + } + + return result; + } + +-void ++bool + CopyUnicodeTo( const nsScannerIterator& aSrcStart, + const nsScannerIterator& aSrcEnd, + nsAString& aDest ) + { + nsAString::iterator writer; + if (!aDest.SetLength(Distance(aSrcStart, aSrcEnd), mozilla::fallible)) { + aDest.Truncate(); +- return; // out of memory ++ return false; // out of memory + } + aDest.BeginWriting(writer); + nsScannerIterator fromBegin(aSrcStart); + + copy_multifragment_string(fromBegin, aSrcEnd, writer); ++ return true; + } + +-void ++bool + AppendUnicodeTo( const nsScannerIterator& aSrcStart, + const nsScannerIterator& aSrcEnd, + nsScannerSharedSubstring& aDest ) + { + // Check whether we can just create a dependent string. + if (aDest.str().IsEmpty()) { + // We can just make |aDest| point to the buffer. + // This will take care of copying if the buffer spans fragments. + aDest.Rebind(aSrcStart, aSrcEnd); +- } else { +- // The dest string is not empty, so it can't be a dependent substring. +- AppendUnicodeTo(aSrcStart, aSrcEnd, aDest.writable()); ++ return true; + } ++ // The dest string is not empty, so it can't be a dependent substring. ++ return AppendUnicodeTo(aSrcStart, aSrcEnd, aDest.writable()); + } + +-void ++bool + AppendUnicodeTo( const nsScannerIterator& aSrcStart, + const nsScannerIterator& aSrcEnd, + nsAString& aDest ) + { + nsAString::iterator writer; + uint32_t oldLength = aDest.Length(); + if (!aDest.SetLength(oldLength + Distance(aSrcStart, aSrcEnd), mozilla::fallible)) +- return; // out of memory ++ return false; // out of memory + aDest.BeginWriting(writer).advance(oldLength); + nsScannerIterator fromBegin(aSrcStart); + + copy_multifragment_string(fromBegin, aSrcEnd, writer); ++ return true; + } + + bool + FindCharInReadable( char16_t aChar, + nsScannerIterator& aSearchStart, + const nsScannerIterator& aSearchEnd ) + { + while ( aSearchStart != aSearchEnd ) +diff --git a/parser/htmlparser/nsScannerString.h b/parser/htmlparser/nsScannerString.h +--- a/parser/htmlparser/nsScannerString.h ++++ b/parser/htmlparser/nsScannerString.h +@@ -539,43 +539,43 @@ nsScannerBufferList::Position::operator= + inline + size_t + Distance( const nsScannerIterator& aStart, const nsScannerIterator& aEnd ) + { + typedef nsScannerBufferList::Position Position; + return Position::Distance(Position(aStart), Position(aEnd)); + } + +-void ++bool + CopyUnicodeTo( const nsScannerIterator& aSrcStart, + const nsScannerIterator& aSrcEnd, + nsAString& aDest ); + + inline +-void ++bool + CopyUnicodeTo( const nsScannerSubstring& aSrc, nsAString& aDest ) + { + nsScannerIterator begin, end; +- CopyUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest); ++ return CopyUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest); + } + +-void ++bool + AppendUnicodeTo( const nsScannerIterator& aSrcStart, + const nsScannerIterator& aSrcEnd, + nsAString& aDest ); + + inline +-void ++bool + AppendUnicodeTo( const nsScannerSubstring& aSrc, nsAString& aDest ) + { + nsScannerIterator begin, end; +- AppendUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest); ++ return AppendUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest); + } + +-void ++bool + AppendUnicodeTo( const nsScannerIterator& aSrcStart, + const nsScannerIterator& aSrcEnd, + nsScannerSharedSubstring& aDest ); + + bool + FindCharInReadable( char16_t aChar, + nsScannerIterator& aStart, + const nsScannerIterator& aEnd ); + |