diff options
| author | Mark H Weaver <mhw@netris.org> | 2015-07-04 05:22:49 -0400 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2015-07-04 05:44:10 -0400 |
| commit | 4463c0d2161f66c4ff0d52c50ff0a3a030686f1b (patch) | |
| tree | 3f1aba42fd040420a2ee6964d6a5ec134adeb8be /gnu/packages/patches/icecat-CVE-2015-2739.patch | |
| parent | 4cd86f5d52d6faac6668dc9853a5e5ecc9236ba9 (diff) | |
| download | guix-4463c0d2161f66c4ff0d52c50ff0a3a030686f1b.tar.gz | |
gnu: icecat: Fix CVE-2015-{2722,2724,2728,2733,2735,2736,2738,2739,2740,2743}.
* gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch, gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch, gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch, gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch, gnu/packages/patches/icecat-CVE-2015-2735.patch, gnu/packages/patches/icecat-CVE-2015-2736.patch, gnu/packages/patches/icecat-CVE-2015-2738.patch, gnu/packages/patches/icecat-CVE-2015-2739.patch, gnu/packages/patches/icecat-CVE-2015-2740.patch, gnu/packages/patches/icecat-CVE-2015-2743.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2739.patch')
| -rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-2739.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2739.patch b/gnu/packages/patches/icecat-CVE-2015-2739.patch new file mode 100644 index 0000000000..9f70db8cf9 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-2739.patch @@ -0,0 +1,66 @@ +From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001 +From: Boris Zbarsky <bzbarsky@mit.edu> +Date: Mon, 1 Jun 2015 16:59:26 -0700 +Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in + XHR. r=baku a=lizzard + +--- + content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp +index 58a9ee0..56d1aa3 100644 +--- a/content/base/src/nsXMLHttpRequest.cpp ++++ b/content/base/src/nsXMLHttpRequest.cpp +@@ -7,6 +7,7 @@ + #include "nsXMLHttpRequest.h" + + #include "mozilla/ArrayUtils.h" ++#include "mozilla/CheckedInt.h" + #include "mozilla/dom/XMLHttpRequestUploadBinding.h" + #include "mozilla/EventDispatcher.h" + #include "mozilla/EventListenerManager.h" +@@ -3897,26 +3898,30 @@ bool + ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen, + uint32_t aMaxGrowth) + { ++ CheckedUint32 neededCapacity = mLength; ++ neededCapacity += aDataLen; ++ if (!neededCapacity.isValid()) { ++ return false; ++ } + if (mLength + aDataLen > mCapacity) { +- uint32_t newcap; ++ CheckedUint32 newcap = mCapacity; + // Double while under aMaxGrowth or if not specified. + if (!aMaxGrowth || mCapacity < aMaxGrowth) { +- newcap = mCapacity * 2; ++ newcap *= 2; + } else { +- newcap = mCapacity + aMaxGrowth; ++ newcap += aMaxGrowth; + } + +- // But make sure there's always enough to satisfy our request. +- if (newcap < mLength + aDataLen) { +- newcap = mLength + aDataLen; ++ if (!newcap.isValid()) { ++ return false; + } + +- // Did we overflow? +- if (newcap < mCapacity) { +- return false; ++ // But make sure there's always enough to satisfy our request. ++ if (newcap.value() < neededCapacity.value()) { ++ newcap = neededCapacity; + } + +- if (!setCapacity(newcap)) { ++ if (!setCapacity(newcap.value())) { + return false; + } + } +-- +2.4.3 + |