Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2713-pt1.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2713-pt1.patch102
1 files changed, 102 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2713-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2713-pt1.patch
new file mode 100644
index 0000000000..9e52759ae8
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2713-pt1.patch
@@ -0,0 +1,102 @@
+From 2b1c90da3e849e1c9d7457658290aa8eb01d0fa9 Mon Sep 17 00:00:00 2001
+From: Mats Palmgren <mats@mozilla.com>
+Date: Thu, 16 Apr 2015 09:04:19 +0000
+Subject: [PATCH] Bug 1153478 - Part 1: Add nsInlineFrame::StealFrame and make
+ it deal with being called on the wrong parent for aChild (due to lazy
+ reparenting). r=roc, a=sledru
+
+---
+ layout/generic/nsContainerFrame.cpp |  7 +++----
+ layout/generic/nsInlineFrame.cpp    | 39 +++++++++++++++++++++++++++++++++++++
+ layout/generic/nsInlineFrame.h      |  4 +++-
+ 3 files changed, 45 insertions(+), 5 deletions(-)
+
+diff --git a/layout/generic/nsContainerFrame.cpp b/layout/generic/nsContainerFrame.cpp
+index 3ffcba7..34878af 100644
+--- a/layout/generic/nsContainerFrame.cpp
++++ b/layout/generic/nsContainerFrame.cpp
+@@ -172,13 +172,12 @@ nsContainerFrame::RemoveFrame(ChildListID aListID,
+   nsIPresShell* shell = PresContext()->PresShell();
+   nsContainerFrame* lastParent = nullptr;
+   while (aOldFrame) {
+-    //XXXfr probably should use StealFrame here. I'm not sure if we need to
+-    //      check the overflow lists atm, but we'll need a prescontext lookup
+-    //      for overflow containers once we can split abspos elements with
+-    //      inline containing blocks.
+     nsIFrame* oldFrameNextContinuation = aOldFrame->GetNextContinuation();
+     nsContainerFrame* parent =
+       static_cast<nsContainerFrame*>(aOldFrame->GetParent());
++    // Please note that 'parent' may not actually be where 'aOldFrame' lives.
++    // We really MUST use StealFrame() and nothing else here.
++    // @see nsInlineFrame::StealFrame for details.
+     parent->StealFrame(aOldFrame, true);
+     aOldFrame->Destroy();
+     aOldFrame = oldFrameNextContinuation;
+diff --git a/layout/generic/nsInlineFrame.cpp b/layout/generic/nsInlineFrame.cpp
+index 526041e..a392a15 100644
+--- a/layout/generic/nsInlineFrame.cpp
++++ b/layout/generic/nsInlineFrame.cpp
+@@ -172,6 +172,45 @@ nsInlineFrame::PeekOffsetCharacter(bool aForward, int32_t* aOffset,
+   return CONTINUE;
+ }
+ 
++nsresult
++nsInlineFrame::StealFrame(nsIFrame* aChild,
++                          bool      aForceNormal)
++{
++  if (aChild->HasAnyStateBits(NS_FRAME_IS_OVERFLOW_CONTAINER) &&
++      !aForceNormal) {
++    return nsContainerFrame::StealFrame(aChild, aForceNormal);
++  }
++
++  nsInlineFrame* parent = this;
++  bool removed = false;
++  do {
++    removed = parent->mFrames.StartRemoveFrame(aChild);
++    if (removed) {
++      break;
++    }
++
++    // We didn't find the child in our principal child list.
++    // Maybe it's on the overflow list?
++    nsFrameList* frameList = parent->GetOverflowFrames();
++    if (frameList) {
++      removed = frameList->ContinueRemoveFrame(aChild);
++      if (frameList->IsEmpty()) {
++        parent->DestroyOverflowList();
++      }
++      if (removed) {
++        break;
++      }
++    }
++
++    // Due to our "lazy reparenting" optimization 'aChild' might not actually
++    // be on any of our child lists, but instead in one of our next-in-flows.
++    parent = static_cast<nsInlineFrame*>(parent->GetNextInFlow());
++  } while (parent);
++
++  MOZ_ASSERT(removed, "nsInlineFrame::StealFrame: can't find aChild");
++  return removed ? NS_OK : NS_ERROR_UNEXPECTED;
++}
++
+ void
+ nsInlineFrame::BuildDisplayList(nsDisplayListBuilder*   aBuilder,
+                                 const nsRect&           aDirtyRect,
+diff --git a/layout/generic/nsInlineFrame.h b/layout/generic/nsInlineFrame.h
+index 1a9899e..3e49241 100644
+--- a/layout/generic/nsInlineFrame.h
++++ b/layout/generic/nsInlineFrame.h
+@@ -61,7 +61,9 @@ public:
+ 
+   virtual FrameSearchResult PeekOffsetCharacter(bool aForward, int32_t* aOffset,
+                                      bool aRespectClusters = true) MOZ_OVERRIDE;
+-  
++
++  virtual nsresult StealFrame(nsIFrame* aChild, bool aForceNormal) MOZ_OVERRIDE;
++
+   // nsIHTMLReflow overrides
+   virtual void AddInlineMinWidth(nsRenderingContext *aRenderingContext,
+                                  InlineMinWidthData *aData) MOZ_OVERRIDE;
+-- 
+2.2.1
+
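Review bot: In the embedded nsContainerFrame.cpp hunk, `parent->StealFrame(aOldFrame, true);` still discards the result and `aOldFrame->Destroy()` runs unconditionally, even though the new nsInlineFrame::StealFrame returns `NS_ERROR_UNEXPECTED` when the child is found on no list. `MOZ_ASSERT(removed, ...)` is compiled out of release builds, so on that path a frame would be destroyed while still linked into a child list, leaving a dangling pointer of the kind this fix presumably exists to prevent. I would check the result before destroying, for example `if (NS_FAILED(parent->StealFrame(aOldFrame, true))) { break; }`, which trades a leaked frame for a freed-but-linked one. Whether breaking out of the loop is safe cannot be judged here, because the body of RemoveFrame continues outside the hunk. Separately, `static_cast<nsInlineFrame*>(parent->GetNextInFlow())` assumes every next-in-flow is an nsInlineFrame; a one-line comment such as `// next-in-flows of an inline frame are always nsInlineFrame (or a subclass)` would record that invariant if it holds.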