Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch62
1 files changed, 62 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
new file mode 100644
index 0000000000..57bc45f3c2
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
@@ -0,0 +1,62 @@
+  changeset:   312039:4290826b078c
+  user:        Timothy Nikkel <tnikkel@gmail.com>
+  Date:        Fri May 13 06:09:38 2016 +0200
+  summary:     Bug 1261230. r=mats, a=ritu
+
+diff -r 45a59425b498 -r 4290826b078c layout/generic/nsSubDocumentFrame.cpp
+--- a/layout/generic/nsSubDocumentFrame.cpp	Tue May 10 14:12:20 2016 +0200
++++ b/layout/generic/nsSubDocumentFrame.cpp	Fri May 13 06:09:38 2016 +0200
+@@ -132,6 +132,7 @@
+     nsCOMPtr<nsIDocument> oldContainerDoc;
+     nsView* detachedViews =
+       frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
++    frameloader->SetDetachedSubdocView(nullptr, nullptr);
+     if (detachedViews) {
+       if (oldContainerDoc == aContent->OwnerDoc()) {
+         // Restore stashed presentation.
+@@ -142,7 +143,6 @@
+         frameloader->Hide();
+       }
+     }
+-    frameloader->SetDetachedSubdocView(nullptr, nullptr);
+   }
+ 
+   nsContentUtils::AddScriptRunner(new AsyncFrameInit(this));
+@@ -936,13 +936,16 @@
+     if (!mPresShell->IsDestroying()) {
+       mPresShell->FlushPendingNotifications(Flush_Frames);
+     }
++
++    // Either the frame has been constructed by now, or it never will be,
++    // either way we want to clear the stashed views.
++    mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
++
+     nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame());
+     if ((!frame && mHideViewerIfFrameless) ||
+         mPresShell->IsDestroying()) {
+       // Either the frame element has no nsIFrame or the presshell is being
+-      // destroyed. Hide the nsFrameLoader, which destroys the presentation,
+-      // and clear our references to the stashed presentation.
+-      mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
++      // destroyed. Hide the nsFrameLoader, which destroys the presentation.
+       mFrameLoader->Hide();
+     }
+     return NS_OK;
+@@ -968,7 +971,7 @@
+   // Detach the subdocument's views and stash them in the frame loader.
+   // We can then reattach them if we're being reframed (for example if
+   // the frame has been made position:fixed).
+-  nsFrameLoader* frameloader = FrameLoader();
++  RefPtr<nsFrameLoader> frameloader = FrameLoader();
+   if (frameloader) {
+     nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild());
+     frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc());
+@@ -977,7 +980,7 @@
+     // safely determine whether the frame is being reframed or destroyed.
+     nsContentUtils::AddScriptRunner(
+       new nsHideViewer(mContent,
+-                       mFrameLoader,
++                       frameloader,
+                        PresContext()->PresShell(),
+                        (mDidCreateDoc || mCallingShow)));
+   }
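Review bot: The header of the new patch file (the `changeset:` / `summary:` lines) identifies the fix only as "Bug 1261230", so nothing inside the file says which CVE it covers or that it is one part of a series. A leading line such as `Fix CVE-2016-2818 (part 1), Mozilla bug 1261230; copied from upstream changeset 4290826b078c.` would make the provenance auditable without relying on the filename. In the inner hunk at -968, the switch from `nsFrameLoader*` to `RefPtr<nsFrameLoader>`, together with passing `frameloader` rather than `mFrameLoader` to `nsHideViewer`, looks like the lifetime-relevant part of the change; that is inferred, because the enclosing function starts and ends outside the quoted context, and the upstream code should stay byte-identical to the changeset. The diffstat is limited to this one path, so it is worth confirming that the same commit also lists the patch in the icecat package definition, since otherwise it is never applied.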