author | Mark H Weaver <mhw@netris.org> | 2016-06-08 09:54:54 -0400 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2016-06-08 14:26:54 -0400 |
commit | 98d9182205e6655a0a55f1eadc84a0c9a1cdd9fa (patch) | |
tree | d834031fb13adc817f0b4227cb3e54d3ce5493b0 /gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch | |
parent | c7c49446ebcc48c2b2136f4475ab66aecb63d18e (diff) | |
download | guix-98d9182205e6655a0a55f1eadc84a0c9a1cdd9fa.tar.gz |
gnu: icecat: Add fixes for CVE-2016-{2818,2819,2821,2824,2828,2831}.
* gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch, gnu/packages/patches/icecat-CVE-2016-2819.patch, gnu/packages/patches/icecat-CVE-2016-2821.patch, gnu/packages/patches/icecat-CVE-2016-2824.patch, gnu/packages/patches/icecat-CVE-2016-2828.patch, gnu/packages/patches/icecat-CVE-2016-2831.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch | 188 |
1 files changed, 188 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch
new file mode 100644
index 0000000000..a72698cc0b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch
@@ -0,0 +1,188 @@
+ changeset: 312075:ee870911fabb
+ user: Timothy Nikkel <tnikkel@gmail.com>
+ Date: Wed May 04 16:12:48 2016 -0500
+ summary: Bug 1265577. r=mats, a=lizzard
+
+diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.cpp
+--- a/dom/base/nsFrameLoader.cpp Thu May 26 17:07:49 2016 -0400
++++ b/dom/base/nsFrameLoader.cpp Wed May 04 16:12:48 2016 -0500
+@@ -155,7 +155,7 @@
+ nsFrameLoader::nsFrameLoader(Element* aOwner, bool aNetworkCreated)
+ : mOwnerContent(aOwner)
+ , mAppIdSentToPermissionManager(nsIScriptSecurityManager::NO_APP_ID)
+- , mDetachedSubdocViews(nullptr)
++ , mDetachedSubdocFrame(nullptr)
+ , mIsPrerendered(false)
+ , mDepthTooGreat(false)
+ , mIsTopLevelContent(false)
+@@ -2507,18 +2507,18 @@
+ }
+
+ void
+-nsFrameLoader::SetDetachedSubdocView(nsView* aDetachedViews,
+- nsIDocument* aContainerDoc)
++nsFrameLoader::SetDetachedSubdocFrame(nsIFrame* aDetachedFrame,
++ nsIDocument* aContainerDoc)
+ {
+- mDetachedSubdocViews = aDetachedViews;
++ mDetachedSubdocFrame = aDetachedFrame;
+ mContainerDocWhileDetached = aContainerDoc;
+ }
+
+-nsView*
+-nsFrameLoader::GetDetachedSubdocView(nsIDocument** aContainerDoc) const
++nsIFrame*
++nsFrameLoader::GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const
+ {
+ NS_IF_ADDREF(*aContainerDoc = mContainerDocWhileDetached);
+- return mDetachedSubdocViews;
++ return mDetachedSubdocFrame.GetFrame();
+ }
+
+ void
+diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.h
+--- a/dom/base/nsFrameLoader.h Thu May 26 17:07:49 2016 -0400
++++ b/dom/base/nsFrameLoader.h Wed May 04 16:12:48 2016 -0500
+@@ -23,6 +23,7 @@
+ #include "mozilla/Attributes.h"
+ #include "FrameMetrics.h"
+ #include "nsStubMutationObserver.h"
++#include "nsIFrame.h"
+
+ class nsIURI;
+ class nsSubDocumentFrame;
+@@ -197,23 +198,23 @@
+ void SetRemoteBrowser(nsITabParent* aTabParent);
+
+ /**
+- * Stashes a detached view on the frame loader. We do this when we're
++ * Stashes a detached nsIFrame on the frame loader. We do this when we're
+ * destroying the nsSubDocumentFrame. If the nsSubdocumentFrame is
+- * being reframed we'll restore the detached view when it's recreated,
++ * being reframed we'll restore the detached nsIFrame when it's recreated,
+ * otherwise we'll discard the old presentation and set the detached
+- * subdoc view to null. aContainerDoc is the document containing the
++ * subdoc nsIFrame to null. aContainerDoc is the document containing the
+ * the subdoc frame. This enables us to detect when the containing
+ * document has changed during reframe, so we can discard the presentation
+ * in that case.
+ */
+- void SetDetachedSubdocView(nsView* aDetachedView,
+- nsIDocument* aContainerDoc);
++ void SetDetachedSubdocFrame(nsIFrame* aDetachedFrame,
++ nsIDocument* aContainerDoc);
+
+ /**
+- * Retrieves the detached view and the document containing the view,
+- * as set by SetDetachedSubdocView().
++ * Retrieves the detached nsIFrame and the document containing the nsIFrame,
++ * as set by SetDetachedSubdocFrame().
+ */
+- nsView* GetDetachedSubdocView(nsIDocument** aContainerDoc) const;
++ nsIFrame* GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const;
+
+ /**
+ * Applies a new set of sandbox flags. These are merged with the sandbox
+@@ -326,12 +327,12 @@
+ nsRefPtr<nsFrameMessageManager> mMessageManager;
+ nsCOMPtr<nsIInProcessContentFrameMessageManager> mChildMessageManager;
+ private:
+- // Stores the root view of the subdocument while the subdocument is being
++ // Stores the root frame of the subdocument while the subdocument is being
+ // reframed. Used to restore the presentation after reframing.
+- nsView* mDetachedSubdocViews;
++ nsWeakFrame mDetachedSubdocFrame;
+ // Stores the containing document of the frame corresponding to this
+ // frame loader. This is reference is kept valid while the subframe's
+- // presentation is detached and stored in mDetachedSubdocViews. This
++ // presentation is detached and stored in mDetachedSubdocFrame. This
+ // enables us to detect whether the frame has moved documents during
+ // a reframe, so that we know not to restore the presentation.
+ nsCOMPtr<nsIDocument> mContainerDocWhileDetached;
+diff -r 751208d22b91 -r ee870911fabb layout/generic/nsSubDocumentFrame.cpp
+--- a/layout/generic/nsSubDocumentFrame.cpp Thu May 26 17:07:49 2016 -0400
++++ b/layout/generic/nsSubDocumentFrame.cpp Wed May 04 16:12:48 2016 -0500
+@@ -130,13 +130,16 @@
+ nsRefPtr<nsFrameLoader> frameloader = FrameLoader();
+ if (frameloader) {
+ nsCOMPtr<nsIDocument> oldContainerDoc;
+- nsView* detachedViews =
+- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
+- frameloader->SetDetachedSubdocView(nullptr, nullptr);
+- if (detachedViews) {
+- if (oldContainerDoc == aContent->OwnerDoc()) {
++ nsIFrame* detachedFrame =
++ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc));
++ frameloader->SetDetachedSubdocFrame(nullptr, nullptr);
++ MOZ_ASSERT(oldContainerDoc || !detachedFrame);
++ if (oldContainerDoc) {
++ nsView* detachedView =
++ detachedFrame ? detachedFrame->GetView() : nullptr;
++ if (detachedView && oldContainerDoc == aContent->OwnerDoc()) {
+ // Restore stashed presentation.
+- ::InsertViewsInReverseOrder(detachedViews, mInnerView);
++ ::InsertViewsInReverseOrder(detachedView, mInnerView);
+ ::EndSwapDocShellsForViews(mInnerView->GetFirstChild());
+ } else {
+ // Presentation is for a different document, don't restore it.
+@@ -252,11 +255,12 @@
+ nsRefPtr<nsFrameLoader> frameloader = FrameLoader();
+ if (frameloader) {
+ nsCOMPtr<nsIDocument> oldContainerDoc;
+- nsView* detachedViews =
+- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
+- if (detachedViews) {
+- nsSize size = detachedViews->GetBounds().Size();
+- nsPresContext* presContext = detachedViews->GetFrame()->PresContext();
++ nsIFrame* detachedFrame =
++ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc));
++ nsView* view = detachedFrame ? detachedFrame->GetView() : nullptr;
++ if (view) {
++ nsSize size = view->GetBounds().Size();
++ nsPresContext* presContext = detachedFrame->PresContext();
+ return nsIntSize(presContext->AppUnitsToDevPixels(size.width),
+ presContext->AppUnitsToDevPixels(size.height));
+ }
+@@ -939,7 +943,7 @@
+
+ // Either the frame has been constructed by now, or it never will be,
+ // either way we want to clear the stashed views.
+- mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
++ mFrameLoader->SetDetachedSubdocFrame(nullptr, nullptr);
+
+ nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame());
+ if ((!frame && mHideViewerIfFrameless) ||
+@@ -974,15 +978,25 @@
+ RefPtr<nsFrameLoader> frameloader = FrameLoader();
+ if (frameloader) {
+ nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild());
+- frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc());
+
+- // We call nsFrameLoader::HideViewer() in a script runner so that we can
+- // safely determine whether the frame is being reframed or destroyed.
+- nsContentUtils::AddScriptRunner(
+- new nsHideViewer(mContent,
+- frameloader,
+- PresContext()->PresShell(),
+- (mDidCreateDoc || mCallingShow)));
++ if (detachedViews && detachedViews->GetFrame()) {
++ MOZ_ASSERT(mContent->OwnerDoc());
++ frameloader->SetDetachedSubdocFrame(
++ detachedViews->GetFrame(), mContent->OwnerDoc());
++
++ // We call nsFrameLoader::HideViewer() in a script runner so that we can
++ // safely determine whether the frame is being reframed or destroyed.
++ nsContentUtils::AddScriptRunner(
++ new nsHideViewer(mContent,
++ frameloader,
++ PresContext()->PresShell(),
++ (mDidCreateDoc || mCallingShow)));
++ } else {
++ frameloader->SetDetachedSubdocFrame(nullptr, nullptr);
++ if (mDidCreateDoc || mCallingShow) {
++ frameloader->Hide();
++ }
++ }
+ }
+
+ nsLeafFrame::DestroyFrom(aDestructRoot); |
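Review bot: The context line `RefPtr<nsFrameLoader> frameloader = FrameLoader();` in the `@@ -974,15 +978,25 @@` section of layout/generic/nsSubDocumentFrame.cpp does not match the spelling the rest of this patch assumes: the `@@ -130,13 +130,16 @@` and `@@ -252,11 +255,12 @@` sections of the same file, and the nsFrameLoader.h context, all use `nsRefPtr<...>`. If the IceCat source being packaged spells it `nsRefPtr` at that spot as well, the section can only apply with fuzz, so it is worth confirming that it lands in the intended function, or refreshing the context to `nsRefPtr<nsFrameLoader> frameloader = FrameLoader();` so it applies exactly. Separately, the else branch in the `@@ -130,13 +130,16 @@` section is now also reached when the detached frame is null or has no view, so its comment could read `// Frame is gone or presentation is for a different document, don't restore it.`; the body of that branch lies outside the section.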