diff options
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch')
| -rw-r--r-- | gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch | 188 |
1 files changed, 188 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch new file mode 100644 index 0000000000..a72698cc0b --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch @@ -0,0 +1,188 @@ + changeset: 312075:ee870911fabb + user: Timothy Nikkel <tnikkel@gmail.com> + Date: Wed May 04 16:12:48 2016 -0500 + summary: Bug 1265577. r=mats, a=lizzard + +diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.cpp +--- a/dom/base/nsFrameLoader.cpp Thu May 26 17:07:49 2016 -0400 ++++ b/dom/base/nsFrameLoader.cpp Wed May 04 16:12:48 2016 -0500 +@@ -155,7 +155,7 @@ + nsFrameLoader::nsFrameLoader(Element* aOwner, bool aNetworkCreated) + : mOwnerContent(aOwner) + , mAppIdSentToPermissionManager(nsIScriptSecurityManager::NO_APP_ID) +- , mDetachedSubdocViews(nullptr) ++ , mDetachedSubdocFrame(nullptr) + , mIsPrerendered(false) + , mDepthTooGreat(false) + , mIsTopLevelContent(false) +@@ -2507,18 +2507,18 @@ + } + + void +-nsFrameLoader::SetDetachedSubdocView(nsView* aDetachedViews, +- nsIDocument* aContainerDoc) ++nsFrameLoader::SetDetachedSubdocFrame(nsIFrame* aDetachedFrame, ++ nsIDocument* aContainerDoc) + { +- mDetachedSubdocViews = aDetachedViews; ++ mDetachedSubdocFrame = aDetachedFrame; + mContainerDocWhileDetached = aContainerDoc; + } + +-nsView* +-nsFrameLoader::GetDetachedSubdocView(nsIDocument** aContainerDoc) const ++nsIFrame* ++nsFrameLoader::GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const + { + NS_IF_ADDREF(*aContainerDoc = mContainerDocWhileDetached); +- return mDetachedSubdocViews; ++ return mDetachedSubdocFrame.GetFrame(); + } + + void +diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.h +--- a/dom/base/nsFrameLoader.h Thu May 26 17:07:49 2016 -0400 ++++ b/dom/base/nsFrameLoader.h Wed May 04 16:12:48 2016 -0500 +@@ -23,6 +23,7 @@ + #include "mozilla/Attributes.h" + #include "FrameMetrics.h" + #include "nsStubMutationObserver.h" ++#include "nsIFrame.h" + + class nsIURI; + class nsSubDocumentFrame; +@@ -197,23 +198,23 @@ + void SetRemoteBrowser(nsITabParent* aTabParent); + + /** +- * Stashes a detached view on the frame loader. We do this when we're ++ * Stashes a detached nsIFrame on the frame loader. We do this when we're + * destroying the nsSubDocumentFrame. If the nsSubdocumentFrame is +- * being reframed we'll restore the detached view when it's recreated, ++ * being reframed we'll restore the detached nsIFrame when it's recreated, + * otherwise we'll discard the old presentation and set the detached +- * subdoc view to null. aContainerDoc is the document containing the ++ * subdoc nsIFrame to null. aContainerDoc is the document containing the + * the subdoc frame. This enables us to detect when the containing + * document has changed during reframe, so we can discard the presentation + * in that case. + */ +- void SetDetachedSubdocView(nsView* aDetachedView, +- nsIDocument* aContainerDoc); ++ void SetDetachedSubdocFrame(nsIFrame* aDetachedFrame, ++ nsIDocument* aContainerDoc); + + /** +- * Retrieves the detached view and the document containing the view, +- * as set by SetDetachedSubdocView(). ++ * Retrieves the detached nsIFrame and the document containing the nsIFrame, ++ * as set by SetDetachedSubdocFrame(). + */ +- nsView* GetDetachedSubdocView(nsIDocument** aContainerDoc) const; ++ nsIFrame* GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const; + + /** + * Applies a new set of sandbox flags. These are merged with the sandbox +@@ -326,12 +327,12 @@ + nsRefPtr<nsFrameMessageManager> mMessageManager; + nsCOMPtr<nsIInProcessContentFrameMessageManager> mChildMessageManager; + private: +- // Stores the root view of the subdocument while the subdocument is being ++ // Stores the root frame of the subdocument while the subdocument is being + // reframed. Used to restore the presentation after reframing. +- nsView* mDetachedSubdocViews; ++ nsWeakFrame mDetachedSubdocFrame; + // Stores the containing document of the frame corresponding to this + // frame loader. This is reference is kept valid while the subframe's +- // presentation is detached and stored in mDetachedSubdocViews. This ++ // presentation is detached and stored in mDetachedSubdocFrame. This + // enables us to detect whether the frame has moved documents during + // a reframe, so that we know not to restore the presentation. + nsCOMPtr<nsIDocument> mContainerDocWhileDetached; +diff -r 751208d22b91 -r ee870911fabb layout/generic/nsSubDocumentFrame.cpp +--- a/layout/generic/nsSubDocumentFrame.cpp Thu May 26 17:07:49 2016 -0400 ++++ b/layout/generic/nsSubDocumentFrame.cpp Wed May 04 16:12:48 2016 -0500 +@@ -130,13 +130,16 @@ + nsRefPtr<nsFrameLoader> frameloader = FrameLoader(); + if (frameloader) { + nsCOMPtr<nsIDocument> oldContainerDoc; +- nsView* detachedViews = +- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc)); +- frameloader->SetDetachedSubdocView(nullptr, nullptr); +- if (detachedViews) { +- if (oldContainerDoc == aContent->OwnerDoc()) { ++ nsIFrame* detachedFrame = ++ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc)); ++ frameloader->SetDetachedSubdocFrame(nullptr, nullptr); ++ MOZ_ASSERT(oldContainerDoc || !detachedFrame); ++ if (oldContainerDoc) { ++ nsView* detachedView = ++ detachedFrame ? detachedFrame->GetView() : nullptr; ++ if (detachedView && oldContainerDoc == aContent->OwnerDoc()) { + // Restore stashed presentation. +- ::InsertViewsInReverseOrder(detachedViews, mInnerView); ++ ::InsertViewsInReverseOrder(detachedView, mInnerView); + ::EndSwapDocShellsForViews(mInnerView->GetFirstChild()); + } else { + // Presentation is for a different document, don't restore it. +@@ -252,11 +255,12 @@ + nsRefPtr<nsFrameLoader> frameloader = FrameLoader(); + if (frameloader) { + nsCOMPtr<nsIDocument> oldContainerDoc; +- nsView* detachedViews = +- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc)); +- if (detachedViews) { +- nsSize size = detachedViews->GetBounds().Size(); +- nsPresContext* presContext = detachedViews->GetFrame()->PresContext(); ++ nsIFrame* detachedFrame = ++ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc)); ++ nsView* view = detachedFrame ? detachedFrame->GetView() : nullptr; ++ if (view) { ++ nsSize size = view->GetBounds().Size(); ++ nsPresContext* presContext = detachedFrame->PresContext(); + return nsIntSize(presContext->AppUnitsToDevPixels(size.width), + presContext->AppUnitsToDevPixels(size.height)); + } +@@ -939,7 +943,7 @@ + + // Either the frame has been constructed by now, or it never will be, + // either way we want to clear the stashed views. +- mFrameLoader->SetDetachedSubdocView(nullptr, nullptr); ++ mFrameLoader->SetDetachedSubdocFrame(nullptr, nullptr); + + nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame()); + if ((!frame && mHideViewerIfFrameless) || +@@ -974,15 +978,25 @@ + RefPtr<nsFrameLoader> frameloader = FrameLoader(); + if (frameloader) { + nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild()); +- frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc()); + +- // We call nsFrameLoader::HideViewer() in a script runner so that we can +- // safely determine whether the frame is being reframed or destroyed. +- nsContentUtils::AddScriptRunner( +- new nsHideViewer(mContent, +- frameloader, +- PresContext()->PresShell(), +- (mDidCreateDoc || mCallingShow))); ++ if (detachedViews && detachedViews->GetFrame()) { ++ MOZ_ASSERT(mContent->OwnerDoc()); ++ frameloader->SetDetachedSubdocFrame( ++ detachedViews->GetFrame(), mContent->OwnerDoc()); ++ ++ // We call nsFrameLoader::HideViewer() in a script runner so that we can ++ // safely determine whether the frame is being reframed or destroyed. ++ nsContentUtils::AddScriptRunner( ++ new nsHideViewer(mContent, ++ frameloader, ++ PresContext()->PresShell(), ++ (mDidCreateDoc || mCallingShow))); ++ } else { ++ frameloader->SetDetachedSubdocFrame(nullptr, nullptr); ++ if (mDidCreateDoc || mCallingShow) { ++ frameloader->Hide(); ++ } ++ } + } + + nsLeafFrame::DestroyFrom(aDestructRoot); |