diff options
author | Mark H Weaver <mhw@netris.org> | 2015-07-15 15:28:36 -0400 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2015-07-15 15:43:23 -0400 |
commit | b76c4152530b81d7ecc1c958202a3f06d407587d (patch) | |
tree | 842d7c190d0b21b4f8ca0d5594151a2efbf18a8a /gnu/packages/patches/icecat-CVE-2015-2735.patch | |
parent | e03f6d5e956b348c142d0ffd9f89af845f05eb86 (diff) | |
download | guix-b76c4152530b81d7ecc1c958202a3f06d407587d.tar.gz |
gnu: icecat: Update to 31.8.0-gnu1.
* gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch: New file. * gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch, gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2735.patch, gnu/packages/patches/icecat-CVE-2015-2736.patch, gnu/packages/patches/icecat-CVE-2015-2738.patch, gnu/packages/patches/icecat-CVE-2015-2739.patch, gnu/packages/patches/icecat-CVE-2015-2740.patch, gnu/packages/patches/icecat-CVE-2015-2743.patch: Remove files. * gnu-system.am (dist_patch_DATA): Remove them, and add the new file. * gnu/packages/gnuzilla.scm (icecat): Update to 31.8.0-gnu1. Remove the outdated patches and add the new one.
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2735.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-2735.patch | 86 |
1 files changed, 0 insertions, 86 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2735.patch b/gnu/packages/patches/icecat-CVE-2015-2735.patch deleted file mode 100644 index fd39bde113..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-2735.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001 -From: Andrea Marchesini <amarchesini@mozilla.com> -Date: Thu, 4 Jun 2015 15:04:10 +0100 -Subject: [PATCH] Bug 1166900 - Better string length check in - nsZipArchive::GetDataOffset. r+a=dveditz - ---- - dom/file/ArchiveZipFile.cpp | 6 ++++-- - modules/libjar/nsZipArchive.cpp | 15 +++++++++------ - 2 files changed, 13 insertions(+), 8 deletions(-) - -diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp -index c206b64..d28b5ba 100644 ---- a/dom/file/ArchiveZipFile.cpp -+++ b/dom/file/ArchiveZipFile.cpp -@@ -102,7 +102,8 @@ ArchiveInputStream::Init() - uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset); - - // The file is corrupt -- if (offset + ZIPLOCAL_SIZE > mData.parentSize) { -+ if (mData.parentSize < ZIPLOCAL_SIZE || -+ offset > mData.parentSize - ZIPLOCAL_SIZE) { - return NS_ERROR_UNEXPECTED; - } - -@@ -137,7 +138,8 @@ ArchiveInputStream::Init() - ArchiveZipItem::StrToInt16(local.extrafield_len); - - // The file is corrupt if there is not enough data -- if (offset + mData.sizeToBeRead > mData.parentSize) { -+ if (mData.parentSize < mData.sizeToBeRead || -+ offset > mData.parentSize - mData.sizeToBeRead) { - return NS_ERROR_UNEXPECTED; - } - -diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp -index f8af715..5ec8225 100644 ---- a/modules/libjar/nsZipArchive.cpp -+++ b/modules/libjar/nsZipArchive.cpp -@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN - uint16_t namelen = xtoint(central->filename_len); - uint16_t extralen = xtoint(central->extrafield_len); - uint16_t commentlen = xtoint(central->commentfield_len); -- -- // Point to the next item at the top of loop -- buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen; -+ uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen; - - // Sanity check variable sizes and refuse to deal with - // anything too big: it's likely a corrupt archive. - if (namelen < 1 || - namelen > kMaxNameLength || -- buf >= endp) { -+ buf >= buf + diff || // No overflow -+ buf >= endp - diff) { - return NS_ERROR_FILE_CORRUPTED; - } - -+ // Point to the next item at the top of loop -+ buf += diff; -+ - nsZipItem* item = CreateZipItem(); - if (!item) - return NS_ERROR_OUT_OF_MEMORY; -@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN - uint32_t len = mFd->mLen; - const uint8_t* data = mFd->mFileData; - uint32_t offset = aItem->LocalOffset(); -- if (offset + ZIPLOCAL_SIZE > len) -+ if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE) - return nullptr; - - // -- check signature before using the structure, in case the zip file is corrupt -@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN - xtoint(Local->extrafield_len); - - // -- check if there is enough source data in the file -- if (offset + aItem->Size() > len) -+ if (len < aItem->Size() || -+ offset > len - aItem->Size()) - return nullptr; - - return data + offset; --- -2.4.3 - |