summary refs log tree commit diff
path: root/gnu/packages/patches/icecat-CVE-2015-2739.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2739.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2739.patch66
1 files changed, 66 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2739.patch b/gnu/packages/patches/icecat-CVE-2015-2739.patch
new file mode 100644
index 0000000000..9f70db8cf9
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2739.patch
@@ -0,0 +1,66 @@
+From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001
+From: Boris Zbarsky <bzbarsky@mit.edu>
+Date: Mon, 1 Jun 2015 16:59:26 -0700
+Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in
+ XHR. r=baku a=lizzard
+
+---
+ content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
+index 58a9ee0..56d1aa3 100644
+--- a/content/base/src/nsXMLHttpRequest.cpp
++++ b/content/base/src/nsXMLHttpRequest.cpp
+@@ -7,6 +7,7 @@
+ #include "nsXMLHttpRequest.h"
+ 
+ #include "mozilla/ArrayUtils.h"
++#include "mozilla/CheckedInt.h"
+ #include "mozilla/dom/XMLHttpRequestUploadBinding.h"
+ #include "mozilla/EventDispatcher.h"
+ #include "mozilla/EventListenerManager.h"
+@@ -3897,26 +3898,30 @@ bool
+ ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
+                            uint32_t aMaxGrowth)
+ {
++  CheckedUint32 neededCapacity = mLength;
++  neededCapacity += aDataLen;
++  if (!neededCapacity.isValid()) {
++    return false;
++  }
+   if (mLength + aDataLen > mCapacity) {
+-    uint32_t newcap;
++    CheckedUint32 newcap = mCapacity;
+     // Double while under aMaxGrowth or if not specified.
+     if (!aMaxGrowth || mCapacity < aMaxGrowth) {
+-      newcap = mCapacity * 2;
++      newcap *= 2;
+     } else {
+-      newcap = mCapacity + aMaxGrowth;
++      newcap += aMaxGrowth;
+     }
+ 
+-    // But make sure there's always enough to satisfy our request.
+-    if (newcap < mLength + aDataLen) {
+-      newcap = mLength + aDataLen;
++    if (!newcap.isValid()) {
++      return false;
+     }
+ 
+-    // Did we overflow?
+-    if (newcap < mCapacity) {
+-      return false;
++    // But make sure there's always enough to satisfy our request.
++    if (newcap.value() < neededCapacity.value()) {
++      newcap = neededCapacity;
+     }
+ 
+-    if (!setCapacity(newcap)) {
++    if (!setCapacity(newcap.value())) {
+       return false;
+     }
+   }
+-- 
+2.4.3
+