Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2739.patch')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-2739.patch | 66 |
1 files changed, 66 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2739.patch b/gnu/packages/patches/icecat-CVE-2015-2739.patch
new file mode 100644
index 0000000000..9f70db8cf9
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2739.patch
@@ -0,0 +1,66 @@
+From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001
+From: Boris Zbarsky <bzbarsky@mit.edu>
+Date: Mon, 1 Jun 2015 16:59:26 -0700
+Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in
+ XHR. r=baku a=lizzard
+
+---
+ content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
+index 58a9ee0..56d1aa3 100644
+--- a/content/base/src/nsXMLHttpRequest.cpp
++++ b/content/base/src/nsXMLHttpRequest.cpp
+@@ -7,6 +7,7 @@
+ #include "nsXMLHttpRequest.h"
+
+ #include "mozilla/ArrayUtils.h"
++#include "mozilla/CheckedInt.h"
+ #include "mozilla/dom/XMLHttpRequestUploadBinding.h"
+ #include "mozilla/EventDispatcher.h"
+ #include "mozilla/EventListenerManager.h"
+@@ -3897,26 +3898,30 @@ bool
+ ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
+ uint32_t aMaxGrowth)
+ {
++ CheckedUint32 neededCapacity = mLength;
++ neededCapacity += aDataLen;
++ if (!neededCapacity.isValid()) {
++ return false;
++ }
+ if (mLength + aDataLen > mCapacity) {
+- uint32_t newcap;
++ CheckedUint32 newcap = mCapacity;
+ // Double while under aMaxGrowth or if not specified.
+ if (!aMaxGrowth || mCapacity < aMaxGrowth) {
+- newcap = mCapacity * 2;
++ newcap *= 2;
+ } else {
+- newcap = mCapacity + aMaxGrowth;
++ newcap += aMaxGrowth;
+ }
+
+- // But make sure there's always enough to satisfy our request.
+- if (newcap < mLength + aDataLen) {
+- newcap = mLength + aDataLen;
++ if (!newcap.isValid()) {
++ return false;
+ }
+
+- // Did we overflow?
+- if (newcap < mCapacity) {
+- return false;
++ // But make sure there's always enough to satisfy our request.
++ if (newcap.value() < neededCapacity.value()) {
++ newcap = neededCapacity;
+ }
+
+- if (!setCapacity(newcap)) {
++ if (!setCapacity(newcap.value())) {
+ return false;
+ }
+ }
+--
+2.4.3
+ |
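Review bot: The capacity test `if (mLength + aDataLen > mCapacity) {` in ArrayBufferBuilder::append still adds the two lengths with plain arithmetic, so it is only wrap-free because the `neededCapacity.isValid()` guard added directly above it returns first. Writing it as `if (neededCapacity.value() > mCapacity) {` would keep the comparison correct even if that guard is later moved, and it matches the checked style used in the rest of the new code. The function now also returns false whenever the doubled or grown `newcap` is invalid, even if `neededCapacity` itself fits; that looks like a deliberate fail-closed choice and deserves a one-line comment such as `// Refuse to grow rather than fall back when the growth step overflows.` The remainder of append (the copy into the buffer) lies outside this hunk, and the diffstat is limited to the patch file, so whether the package definition lists it cannot be confirmed from this page.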