authorMark H Weaver <mhw@netris.org>2016-04-27 22:33:02 -0400
committerMark H Weaver <mhw@netris.org>2016-04-28 10:25:19 -0400
commitdde2a94c095f840578c307ebf23cd7c3ba5ec858 (patch)
tree214642e8d3e7ece66e548072144193d1ed17efe1 /gnu/packages/patches/icecat-CVE-2016-2805.patch
parent3161f6a4eca3225778a76eb5c21cfc150e6dce0a (diff)
gnu: icecat: Add fixes for CVE-2016-{2805,2807,2808,2814} etc.
* gnu/packages/patches/icecat-CVE-2016-2805.patch,
gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch,
gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch,
gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch,
gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch,
gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch,
gnu/packages/patches/icecat-CVE-2016-2808.patch,
gnu/packages/patches/icecat-CVE-2016-2814.patch,
gnu/packages/patches/icecat-update-bundled-graphite2: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.

icecat fixup
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2805.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2805.patch75
1 files changed, 75 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2805.patch b/gnu/packages/patches/icecat-CVE-2016-2805.patch
new file mode 100644
index 0000000000..5e4150f00c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2805.patch
@@ -0,0 +1,75 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/bf34b97757b3
+
+# HG changeset patch
+# User Jon Coppeard <jcoppeard@mozilla.com>
+# Date 1453890675 0
+# Node ID bf34b97757b334af1f9f53b9b59e0b6902e7ed6f
+# Parent  228ca3f46cabaf3f388f6c6640690772aa13c1a5
+Bug 1241731 - Handle incomplete buffer in DiscardTransferables r=sfink a=abillings a=sylvestre
+
+diff --git a/js/src/jit-test/tests/gc/bug-1241731.js b/js/src/jit-test/tests/gc/bug-1241731.js
+new file mode 100644
+--- /dev/null
++++ b/js/src/jit-test/tests/gc/bug-1241731.js
+@@ -0,0 +1,4 @@
++if (!('oomTest' in this))
++    quit();
++
++oomTest(() => serialize(0, [{}]));
+diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
+--- a/js/src/vm/StructuredClone.cpp
++++ b/js/src/vm/StructuredClone.cpp
+@@ -379,39 +379,50 @@ ReadStructuredClone(JSContext* cx, uint6
+ 
+ // If the given buffer contains Transferables, free them. Note that custom
+ // Transferables will use the JSStructuredCloneCallbacks::freeTransfer() to
+ // delete their transferables.
+ static void
+ Discard(uint64_t* buffer, size_t nbytes, const JSStructuredCloneCallbacks* cb, void* cbClosure)
+ {
+     MOZ_ASSERT(nbytes % sizeof(uint64_t) == 0);
+-    if (nbytes < sizeof(uint64_t))
++    uint64_t* end = buffer + nbytes / sizeof(uint64_t);
++    uint64_t* point = buffer;
++    if (point == end)
+         return; // Empty buffer
+ 
+-    uint64_t* point = buffer;
+     uint32_t tag, data;
+     SCInput::getPair(point++, &tag, &data);
+     if (tag != SCTAG_TRANSFER_MAP_HEADER)
+         return;
+ 
+     if (TransferableMapHeader(data) == SCTAG_TM_TRANSFERRED)
+         return;
+ 
+     // freeTransfer should not GC
+     JS::AutoSuppressGCAnalysis nogc;
+ 
++    if (point == end)
++        return;
++
+     uint64_t numTransferables = LittleEndian::readUint64(point++);
+     while (numTransferables--) {
++        if (point == end)
++            return;
++
+         uint32_t ownership;
+         SCInput::getPair(point++, &tag, &ownership);
+         MOZ_ASSERT(tag >= SCTAG_TRANSFER_MAP_PENDING_ENTRY);
++        if (point == end)
++            return;
+ 
+         void* content;
+         SCInput::getPtr(point++, &content);
++        if (point == end)
++            return;
+ 
+         uint64_t extraData = LittleEndian::readUint64(point++);
+ 
+         if (ownership < JS::SCTAG_TMO_FIRST_OWNED)
+             continue;
+ 
+         if (ownership == JS::SCTAG_TMO_ALLOC_DATA) {
+             js_free(content);
+
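Review bot: The `if (point == end) return;` added right after `SCInput::getPtr(point++, &content);` exits without releasing `content` when `ownership` is `JS::SCTAG_TMO_ALLOC_DATA`, because the `js_free(content)` call only runs after `extraData` has been read on the following lines; if the writer can fail between emitting the pointer and the extra-data word this is a small leak on the already-out-of-memory path, and if that state is unreachable a one-line comment saying so would spare the next reader the same question. The header comment above `Discard` should also state why every read is now bounds-checked, e.g. `// The buffer may be incomplete if writing it failed part-way (e.g. OOM), so every read is checked against end.` The enclosing `Discard` function continues past the end of this hunk, so the remaining ownership branches are not visible here.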