Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2808.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2808.patch389
1 files changed, 389 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2808.patch b/gnu/packages/patches/icecat-CVE-2016-2808.patch
new file mode 100644
index 0000000000..ae190b8b4c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2808.patch
@@ -0,0 +1,389 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/71f611fd27c7
+
+# HG changeset patch
+# User Jeff Walden <jwalden@mit.edu>
+# Date 1458941573 25200
+# Node ID 71f611fd27c7d6cb7d6dab9895c2922948042543
+# Parent  861f6b83ce1deade2a976cabe059776ad51ce370
+Bug 1246061.  r=luke, r=froydnj, a=sylvestre
+
+diff --git a/js/public/HashTable.h b/js/public/HashTable.h
+--- a/js/public/HashTable.h
++++ b/js/public/HashTable.h
+@@ -8,16 +8,17 @@
+ #define js_HashTable_h
+ 
+ #include "mozilla/Alignment.h"
+ #include "mozilla/Assertions.h"
+ #include "mozilla/Attributes.h"
+ #include "mozilla/Casting.h"
+ #include "mozilla/MemoryReporting.h"
+ #include "mozilla/Move.h"
++#include "mozilla/Opaque.h"
+ #include "mozilla/PodOperations.h"
+ #include "mozilla/ReentrancyGuard.h"
+ #include "mozilla/TemplateLib.h"
+ #include "mozilla/TypeTraits.h"
+ 
+ #include "js/Utility.h"
+ 
+ namespace js {
+@@ -27,16 +28,18 @@ template <class> struct DefaultHasher;
+ template <class, class> class HashMapEntry;
+ namespace detail {
+     template <class T> class HashTableEntry;
+     template <class T, class HashPolicy, class AllocPolicy> class HashTable;
+ }
+ 
+ /*****************************************************************************/
+ 
++using Generation = mozilla::Opaque<uint64_t>;
++
+ // A JS-friendly, STL-like container providing a hash-based map from keys to
+ // values. In particular, HashMap calls constructors and destructors of all
+ // objects added so non-PODs may be used safely.
+ //
+ // Key/Value requirements:
+ //  - movable, destructible, assignable
+ // HashPolicy requirements:
+ //  - see Hash Policy section below
+@@ -200,17 +203,19 @@ class HashMap
+         return impl.sizeOfExcludingThis(mallocSizeOf);
+     }
+     size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+         return mallocSizeOf(this) + impl.sizeOfExcludingThis(mallocSizeOf);
+     }
+ 
+     // If |generation()| is the same before and after a HashMap operation,
+     // pointers into the table remain valid.
+-    uint32_t generation() const                       { return impl.generation(); }
++    Generation generation() const {
++        return impl.generation();
++    }
+ 
+     /************************************************** Shorthand operations */
+ 
+     bool has(const Lookup& l) const {
+         return impl.lookup(l).found();
+     }
+ 
+     // Overwrite existing value with v. Return false on oom.
+@@ -431,17 +436,19 @@ class HashSet
+         return impl.sizeOfExcludingThis(mallocSizeOf);
+     }
+     size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+         return mallocSizeOf(this) + impl.sizeOfExcludingThis(mallocSizeOf);
+     }
+ 
+     // If |generation()| is the same before and after a HashSet operation,
+     // pointers into the table remain valid.
+-    uint32_t generation() const                       { return impl.generation(); }
++    Generation generation() const {
++        return impl.generation();
++    }
+ 
+     /************************************************** Shorthand operations */
+ 
+     bool has(const Lookup& l) const {
+         return impl.lookup(l).found();
+     }
+ 
+     // Add |u| if it is not present already. Return false on oom.
+@@ -766,17 +773,17 @@ class HashTable : private AllocPolicy
+     // table operations unless |generation()| is tested.
+     class Ptr
+     {
+         friend class HashTable;
+ 
+         Entry* entry_;
+ #ifdef JS_DEBUG
+         const HashTable* table_;
+-        uint32_t generation;
++        Generation generation;
+ #endif
+ 
+       protected:
+         Ptr(Entry& entry, const HashTable& tableArg)
+           : entry_(&entry)
+ #ifdef JS_DEBUG
+           , table_(&tableArg)
+           , generation(tableArg.generation())
+@@ -873,17 +880,17 @@ class HashTable : private AllocPolicy
+             while (cur < end && !cur->isLive())
+                 ++cur;
+         }
+ 
+         Entry* cur, *end;
+ #ifdef JS_DEBUG
+         const HashTable* table_;
+         uint64_t mutationCount;
+-        uint32_t generation;
++        Generation generation;
+         bool validEntry;
+ #endif
+ 
+       public:
+         Range()
+           : cur(nullptr)
+           , end(nullptr)
+ #ifdef JS_DEBUG
+@@ -1012,18 +1019,18 @@ class HashTable : private AllocPolicy
+     // HashTable is not copyable or assignable
+     HashTable(const HashTable&) = delete;
+     void operator=(const HashTable&) = delete;
+ 
+   private:
+     static const size_t CAP_BITS = 24;
+ 
+   public:
+-    Entry*      table;                 // entry storage
+-    uint32_t    gen;                    // entry storage generation number
++    uint64_t    gen;                    // entry storage generation number
++    Entry*      table;                  // entry storage
+     uint32_t    entryCount;             // number of entries in table
+     uint32_t    removedCount:CAP_BITS;  // removed entry sentinels in table
+     uint32_t    hashShift:8;            // multiplicative hash shift
+ 
+ #ifdef JS_DEBUG
+     uint64_t     mutationCount;
+     mutable bool mEntered;
+     mutable struct Stats
+@@ -1097,18 +1104,18 @@ class HashTable : private AllocPolicy
+         for (Entry* e = oldTable, *end = e + capacity; e < end; ++e)
+             e->destroyIfLive();
+         alloc.free_(oldTable);
+     }
+ 
+   public:
+     explicit HashTable(AllocPolicy ap)
+       : AllocPolicy(ap)
++      , gen(0)
+       , table(nullptr)
+-      , gen(0)
+       , entryCount(0)
+       , removedCount(0)
+       , hashShift(sHashBits)
+ #ifdef JS_DEBUG
+       , mutationCount(0)
+       , mEntered(false)
+ #endif
+     {}
+@@ -1524,20 +1531,20 @@ class HashTable : private AllocPolicy
+     }
+ 
+     uint32_t capacity() const
+     {
+         MOZ_ASSERT(table);
+         return JS_BIT(sHashBits - hashShift);
+     }
+ 
+-    uint32_t generation() const
++    Generation generation() const
+     {
+         MOZ_ASSERT(table);
+-        return gen;
++        return Generation(gen);
+     }
+ 
+     size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const
+     {
+         return mallocSizeOf(table);
+     }
+ 
+     size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const
+diff --git a/js/src/jsapi.h b/js/src/jsapi.h
+--- a/js/src/jsapi.h
++++ b/js/src/jsapi.h
+@@ -270,20 +270,16 @@ class AutoHashMapRooter : protected Auto
+ 
+     size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+         return map.sizeOfExcludingThis(mallocSizeOf);
+     }
+     size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+         return map.sizeOfIncludingThis(mallocSizeOf);
+     }
+ 
+-    uint32_t generation() const {
+-        return map.generation();
+-    }
+-
+     /************************************************** Shorthand operations */
+ 
+     bool has(const Lookup& l) const {
+         return map.has(l);
+     }
+ 
+     template<typename KeyInput, typename ValueInput>
+     bool put(const KeyInput& k, const ValueInput& v) {
+@@ -385,20 +381,16 @@ class AutoHashSetRooter : protected Auto
+ 
+     size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+         return set.sizeOfExcludingThis(mallocSizeOf);
+     }
+     size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
+         return set.sizeOfIncludingThis(mallocSizeOf);
+     }
+ 
+-    uint32_t generation() const {
+-        return set.generation();
+-    }
+-
+     /************************************************** Shorthand operations */
+ 
+     bool has(const Lookup& l) const {
+         return set.has(l);
+     }
+ 
+     bool put(const T& t) {
+         return set.put(t);
+diff --git a/js/src/jscntxt.h b/js/src/jscntxt.h
+--- a/js/src/jscntxt.h
++++ b/js/src/jscntxt.h
+@@ -30,21 +30,21 @@ class DebugModeOSRVolatileJitFrameIterat
+ }
+ 
+ typedef HashSet<JSObject*> ObjectSet;
+ typedef HashSet<Shape*> ShapeSet;
+ 
+ /* Detects cycles when traversing an object graph. */
+ class AutoCycleDetector
+ {
++    Generation hashsetGenerationAtInit;
+     JSContext* cx;
+     RootedObject obj;
++    ObjectSet::AddPtr hashsetAddPointer;
+     bool cyclic;
+-    uint32_t hashsetGenerationAtInit;
+-    ObjectSet::AddPtr hashsetAddPointer;
+     MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
+ 
+   public:
+     AutoCycleDetector(JSContext* cx, HandleObject objArg
+                       MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
+       : cx(cx), obj(cx, objArg), cyclic(true)
+     {
+         MOZ_GUARD_OBJECT_NOTIFIER_INIT;
+diff --git a/js/src/jswatchpoint.cpp b/js/src/jswatchpoint.cpp
+--- a/js/src/jswatchpoint.cpp
++++ b/js/src/jswatchpoint.cpp
+@@ -22,25 +22,25 @@ DefaultHasher<WatchKey>::hash(const Look
+ {
+     return DefaultHasher<JSObject*>::hash(key.object.get()) ^ HashId(key.id.get());
+ }
+ 
+ namespace {
+ 
+ class AutoEntryHolder {
+     typedef WatchpointMap::Map Map;
++    Generation gen;
+     Map& map;
+     Map::Ptr p;
+-    uint32_t gen;
+     RootedObject obj;
+     RootedId id;
+ 
+   public:
+     AutoEntryHolder(JSContext* cx, Map& map, Map::Ptr p)
+-      : map(map), p(p), gen(map.generation()), obj(cx, p->key().object), id(cx, p->key().id)
++      : gen(map.generation()), map(map), p(p), obj(cx, p->key().object), id(cx, p->key().id)
+     {
+         MOZ_ASSERT(!p->value().held);
+         p->value().held = true;
+     }
+ 
+     ~AutoEntryHolder() {
+         if (gen != map.generation())
+             p = map.lookup(WatchKey(obj, id));
+diff --git a/js/src/shell/jsheaptools.cpp b/js/src/shell/jsheaptools.cpp
+--- a/js/src/shell/jsheaptools.cpp
++++ b/js/src/shell/jsheaptools.cpp
+@@ -267,17 +267,17 @@ HeapReverser::traverseEdge(void* cell, J
+     Map::AddPtr a = map.lookupForAdd(cell);
+     if (!a) {
+         /*
+          * We've never visited this cell before. Add it to the map (thus
+          * marking it as visited), and put it on the work stack, to be
+          * visited from the main loop.
+          */
+         Node n(kind);
+-        uint32_t generation = map.generation();
++        Generation generation = map.generation();
+         if (!map.add(a, cell, Move(n)) ||
+             !work.append(Child(cell, kind)))
+             return false;
+         /* If the map has been resized, re-check the pointer. */
+         if (map.generation() != generation)
+             a = map.lookupForAdd(cell);
+     }
+ 
+diff --git a/mfbt/Opaque.h b/mfbt/Opaque.h
+new file mode 100644
+--- /dev/null
++++ b/mfbt/Opaque.h
+@@ -0,0 +1,44 @@
++/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
++/* vim: set ts=8 sts=2 et sw=2 tw=80: */
++/* This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
++
++/* An opaque integral type supporting only comparison operators. */
++
++#ifndef mozilla_Opaque_h
++#define mozilla_Opaque_h
++
++#include "mozilla/TypeTraits.h"
++
++namespace mozilla {
++
++/**
++ * Opaque<T> is a replacement for integral T in cases where only comparisons
++ * must be supported, and it's desirable to prevent accidental dependency on
++ * exact values.
++ */
++template<typename T>
++class Opaque final
++{
++  static_assert(mozilla::IsIntegral<T>::value,
++                "mozilla::Opaque only supports integral types");
++
++  T mValue;
++
++public:
++  Opaque() {}
++  explicit Opaque(T aValue) : mValue(aValue) {}
++
++  bool operator==(const Opaque& aOther) const {
++    return mValue == aOther.mValue;
++  }
++
++  bool operator!=(const Opaque& aOther) const {
++    return !(*this == aOther);
++  }
++};
++
++} // namespace mozilla
++
++#endif /* mozilla_Opaque_h */
+diff --git a/mfbt/moz.build b/mfbt/moz.build
+--- a/mfbt/moz.build
++++ b/mfbt/moz.build
+@@ -48,16 +48,17 @@ EXPORTS.mozilla = [
+     'MathAlgorithms.h',
+     'Maybe.h',
+     'MaybeOneOf.h',
+     'MemoryChecking.h',
+     'MemoryReporting.h',
+     'Move.h',
+     'NullPtr.h',
+     'NumericLimits.h',
++    'Opaque.h',
+     'Pair.h',
+     'PodOperations.h',
+     'Poison.h',
+     'Range.h',
+     'RangedPtr.h',
+     'RefCountType.h',
+     'ReentrancyGuard.h',
+     'RefPtr.h',
+
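Review bot: The patch file's header, from the `Copied from` line through `Bug 1246061.  r=luke, r=froydnj, a=sylvestre`, never says what the change does, so anyone auditing the package must read all the file sections to learn that it widens `HashTable::gen` from `uint32_t` to `uint64_t` and exposes it only as the comparison-only `mozilla::Opaque<uint64_t>`. I would add one line under the `Copied from` URL, for example `Fix CVE-2016-2808: make the js::HashTable generation counter 64-bit so staleness checks such as "gen != map.generation()" cannot be defeated by counter wrap-around.`; the wrap-around rationale is inferred from the type change and should be confirmed against the upstream bug. Separately, `Opaque() {}` in mfbt/Opaque.h leaves `mValue` uninitialized, and the visible `AutoCycleDetector` initializer list (`cx(cx), obj(cx, objArg), cyclic(true)`) does not set `hashsetGenerationAtInit`, so a comparison made before it is assigned would read an indeterminate value. Since this file is a verbatim upstream copy, that is better reported upstream than edited locally.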