summary refs log tree commit diff
path: root/gnu/packages/patches/icecat-CVE-2015-2735.patch
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-07-15 15:28:36 -0400
committerMark H Weaver <mhw@netris.org>2015-07-15 15:43:23 -0400
commitb76c4152530b81d7ecc1c958202a3f06d407587d (patch)
tree842d7c190d0b21b4f8ca0d5594151a2efbf18a8a /gnu/packages/patches/icecat-CVE-2015-2735.patch
parente03f6d5e956b348c142d0ffd9f89af845f05eb86 (diff)
downloadguix-b76c4152530b81d7ecc1c958202a3f06d407587d.tar.gz
gnu: icecat: Update to 31.8.0-gnu1.
* gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch: New file.
* gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch,
  gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch,
  gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-2735.patch,
  gnu/packages/patches/icecat-CVE-2015-2736.patch,
  gnu/packages/patches/icecat-CVE-2015-2738.patch,
  gnu/packages/patches/icecat-CVE-2015-2739.patch,
  gnu/packages/patches/icecat-CVE-2015-2740.patch,
  gnu/packages/patches/icecat-CVE-2015-2743.patch: Remove files.
* gnu-system.am (dist_patch_DATA): Remove them, and add the new file.
* gnu/packages/gnuzilla.scm (icecat): Update to 31.8.0-gnu1.  Remove the
  outdated patches and add the new one.
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2735.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2735.patch86
1 files changed, 0 insertions, 86 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2735.patch b/gnu/packages/patches/icecat-CVE-2015-2735.patch
deleted file mode 100644
index fd39bde113..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2735.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001
-From: Andrea Marchesini <amarchesini@mozilla.com>
-Date: Thu, 4 Jun 2015 15:04:10 +0100
-Subject: [PATCH] Bug 1166900 - Better string length check in
- nsZipArchive::GetDataOffset. r+a=dveditz
-
----
- dom/file/ArchiveZipFile.cpp     |  6 ++++--
- modules/libjar/nsZipArchive.cpp | 15 +++++++++------
- 2 files changed, 13 insertions(+), 8 deletions(-)
-
-diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp
-index c206b64..d28b5ba 100644
---- a/dom/file/ArchiveZipFile.cpp
-+++ b/dom/file/ArchiveZipFile.cpp
-@@ -102,7 +102,8 @@ ArchiveInputStream::Init()
-   uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset);
- 
-   // The file is corrupt
--  if (offset + ZIPLOCAL_SIZE > mData.parentSize) {
-+  if (mData.parentSize < ZIPLOCAL_SIZE ||
-+      offset > mData.parentSize - ZIPLOCAL_SIZE) {
-     return NS_ERROR_UNEXPECTED;
-   }
- 
-@@ -137,7 +138,8 @@ ArchiveInputStream::Init()
-             ArchiveZipItem::StrToInt16(local.extrafield_len);
- 
-   // The file is corrupt if there is not enough data
--  if (offset + mData.sizeToBeRead > mData.parentSize) {
-+  if (mData.parentSize < mData.sizeToBeRead ||
-+      offset > mData.parentSize - mData.sizeToBeRead) {
-     return NS_ERROR_UNEXPECTED;
-   }
- 
-diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
-index f8af715..5ec8225 100644
---- a/modules/libjar/nsZipArchive.cpp
-+++ b/modules/libjar/nsZipArchive.cpp
-@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN
-     uint16_t namelen = xtoint(central->filename_len);
-     uint16_t extralen = xtoint(central->extrafield_len);
-     uint16_t commentlen = xtoint(central->commentfield_len);
--
--    // Point to the next item at the top of loop
--    buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
-+    uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen;
- 
-     // Sanity check variable sizes and refuse to deal with
-     // anything too big: it's likely a corrupt archive.
-     if (namelen < 1 ||
-         namelen > kMaxNameLength ||
--        buf >= endp) {
-+        buf >= buf + diff || // No overflow
-+        buf >= endp - diff) {
-       return NS_ERROR_FILE_CORRUPTED;
-     }
- 
-+    // Point to the next item at the top of loop
-+    buf += diff;
-+
-     nsZipItem* item = CreateZipItem();
-     if (!item)
-       return NS_ERROR_OUT_OF_MEMORY;
-@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN
-   uint32_t len = mFd->mLen;
-   const uint8_t* data = mFd->mFileData;
-   uint32_t offset = aItem->LocalOffset();
--  if (offset + ZIPLOCAL_SIZE > len)
-+  if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
-     return nullptr;
- 
-   // -- check signature before using the structure, in case the zip file is corrupt
-@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN
-             xtoint(Local->extrafield_len);
- 
-   // -- check if there is enough source data in the file
--  if (offset + aItem->Size() > len)
-+  if (len < aItem->Size() ||
-+      offset > len - aItem->Size())
-     return nullptr;
- 
-   return data + offset;
--- 
-2.4.3
-