summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/icecat-CVE-2016-1935.patch
blob: a6db4b9b6a14f8dec0eeb5dbbdb418e1886218ad (about) (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f9aad6c0253a
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1220450

# HG changeset patch
# User Jeff Gilbert <jgilbert@mozilla.com>
# Date 1452570660 28800
# Node ID f9aad6c0253a3b81699a3d7a05e78615dd814ea3
# Parent  c47640f24251b48c0bba9d2f0f6ee059eca58362
Bug 1220450 - Clear length on cache OOM. r=kamidphish, a=ritu

diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
--- a/dom/canvas/WebGLContextBuffers.cpp
+++ b/dom/canvas/WebGLContextBuffers.cpp
@@ -185,16 +185,17 @@ WebGLContext::BufferData(GLenum target, 
 
     if (error) {
         GenerateWarning("bufferData generated error %s", ErrorName(error));
         return;
     }
 
     boundBuffer->SetByteLength(size);
     if (!boundBuffer->ElementArrayCacheBufferData(nullptr, size)) {
+        boundBuffer->SetByteLength(0);
         return ErrorOutOfMemory("bufferData: out of memory");
     }
 }
 
 void
 WebGLContext::BufferData(GLenum target,
                          const dom::Nullable<dom::ArrayBuffer>& maybeData,
                          GLenum usage)
@@ -234,18 +235,20 @@ WebGLContext::BufferData(GLenum target,
     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
 
     if (error) {
         GenerateWarning("bufferData generated error %s", ErrorName(error));
         return;
     }
 
     boundBuffer->SetByteLength(data.Length());
-    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
+    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
+        boundBuffer->SetByteLength(0);
         return ErrorOutOfMemory("bufferData: out of memory");
+    }
 }
 
 void
 WebGLContext::BufferData(GLenum target, const dom::ArrayBufferView& data,
                          GLenum usage)
 {
     if (IsContextLost())
         return;
@@ -274,18 +277,20 @@ WebGLContext::BufferData(GLenum target, 
 
     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
     if (error) {
         GenerateWarning("bufferData generated error %s", ErrorName(error));
         return;
     }
 
     boundBuffer->SetByteLength(data.Length());
-    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
+    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
+        boundBuffer->SetByteLength(0);
         return ErrorOutOfMemory("bufferData: out of memory");
+    }
 }
 
 void
 WebGLContext::BufferSubData(GLenum target, WebGLsizeiptr byteOffset,
                             const dom::Nullable<dom::ArrayBuffer>& maybeData)
 {
     if (IsContextLost())
         return;