From 9c1c2a7f8d11fd90df6c7176bc38684e7ebe0e4f Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Mon, 14 Dec 2015 10:50:55 +0200 Subject: gnu: bluez: Update to 5.36. * gnu/packages/linux.scm (bluez): Update to 5.36. [source]: Remove patch. * gnu/packages/patches/bluez-tests.patch: Remove file. * gnu-system.am (dist_patch_DATA): Remove it. --- gnu/packages/patches/bluez-tests.patch | 25 ------------------------- 1 file changed, 25 deletions(-) delete mode 100644 gnu/packages/patches/bluez-tests.patch (limited to 'gnu/packages/patches') diff --git a/gnu/packages/patches/bluez-tests.patch b/gnu/packages/patches/bluez-tests.patch deleted file mode 100644 index 608ded9be2..0000000000 --- a/gnu/packages/patches/bluez-tests.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 484ad8c9263bb524051a999ce19a994960e69572 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?=E5=AE=8B=E6=96=87=E6=AD=A6?= -Date: Fri, 23 Oct 2015 20:48:57 +0800 -Subject: [PATCH] unit/test-gobex-header: Fix duplicate test names - ---- - unit/test-gobex-header.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/unit/test-gobex-header.c b/unit/test-gobex-header.c -index 6f49312..8705892 100644 ---- a/unit/test-gobex-header.c -+++ b/unit/test-gobex-header.c -@@ -554,7 +554,7 @@ int main(int argc, char *argv[]) - test_header_encode_name_umlaut); - g_test_add_func("/gobex/test_header_encode_body", - test_header_encode_body); -- g_test_add_func("/gobex/test_header_encode_connid", -+ g_test_add_func("/gobex/test_header_encode_actionid", - test_header_encode_actionid); - g_test_add_func("/gobex/test_header_encode_apparam", - test_header_encode_apparam); --- -2.5.0 - -- cgit 1.4.1 From fceac8803966dd7988b56e1e26b909c7fede0e05 Mon Sep 17 00:00:00 2001 
From: Federico Beffa Date: Tue, 15 Dec 2015 17:59:15 +0100 Subject: gnu: python-ipython: Patch 'ctypes' bug. * gnu/packages/patches/python-ipython-inputhook-ctype.patch: New patch. * gnu/packages/python.scm (python-ipython): Use it. * gnu-system.am (dist_patch_DATA): Add it. --- gnu-system.am | 1 + .../patches/python-ipython-inputhook-ctype.patch | 41 ++++++++++++++++++++++ gnu/packages/python.scm | 11 +++--- 3 files changed, 48 insertions(+), 5 deletions(-) create mode 100644 gnu/packages/patches/python-ipython-inputhook-ctype.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 77a8b2e1c5..0039246e4d 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -640,6 +640,7 @@ dist_patch_DATA = \ gnu/packages/patches/python-3-search-paths.patch \ gnu/packages/patches/python-disable-ssl-test.patch \ gnu/packages/patches/python-fix-tests.patch \ + gnu/packages/patches/python-ipython-inputhook-ctype.patch \ gnu/packages/patches/python2-rdflib-drop-sparqlwrapper.patch \ gnu/packages/patches/python-configobj-setuptools.patch \ gnu/packages/patches/python2-pygobject-2-gi-info-type-error-domain.patch \ diff --git a/gnu/packages/patches/python-ipython-inputhook-ctype.patch b/gnu/packages/patches/python-ipython-inputhook-ctype.patch new file mode 100644 index 0000000000..c77e310542 --- /dev/null +++ b/gnu/packages/patches/python-ipython-inputhook-ctype.patch 
@@ -0,0 +1,41 @@ +From 04c5d358c7ab74d3ddab4f7662e539393d8604c6 Mon Sep 17 00:00:00 2001 +From: Lucretiel +Date: Wed, 13 May 2015 13:12:43 -0400 +Subject: [PATCH] register now checks for missing ctypes + +If ctypes is None, then no input hooks may be registered; `InputHookManager.register` skips registration of input hook classes. Also updated `__init__` to no longer skip creating the instance attributes, to prevent AttributeError exceptions at load time. +--- + IPython/lib/inputhook.py | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +diff --git a/IPython/lib/inputhook.py b/IPython/lib/inputhook.py +index 4ae2cb3..6578365 100644 +--- a/IPython/lib/inputhook.py ++++ b/IPython/lib/inputhook.py +@@ -107,8 +107,8 @@ class InputHookManager(object): + def __init__(self): + if ctypes is None: + warn("IPython GUI event loop requires ctypes, %gui will not be available") +- return +- self.PYFUNC = ctypes.PYFUNCTYPE(ctypes.c_int) ++ else: ++ self.PYFUNC = ctypes.PYFUNCTYPE(ctypes.c_int) + self.guihooks = {} + self.aliases = {} + self.apps = {} +@@ -197,10 +197,11 @@ def enable(self, app=None): + ... + """ + def decorator(cls): +- inst = cls(self) +- self.guihooks[toolkitname] = inst +- for a in aliases: +- self.aliases[a] = toolkitname ++ if ctypes is not None: ++ inst = cls(self) ++ self.guihooks[toolkitname] = inst ++ for a in aliases: ++ self.aliases[a] = toolkitname + return cls + return decorator + diff --git a/gnu/packages/python.scm b/gnu/packages/python.scm index 6a051014f9..95c24a6a43 100644 --- a/gnu/packages/python.scm +++ b/gnu/packages/python.scm 
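Review bot: In `InputHookManager.__init__`, the `ctypes is None` branch now falls through without ever assigning `self.PYFUNC`, so the instance gets every attribute except that one. Any method that reads `self.PYFUNC` (none is visible in this hunk) would presumably still raise AttributeError when ctypes is missing, which is the failure the patch description says it prevents. Assigning it explicitly, `self.PYFUNC = None` right after the `warn(...)` call, keeps the object fully initialised. The `decorator` in the second inner hunk also skips registration without a trace; a comment such as `# no ctypes: input hooks cannot be installed, guihooks stays empty` would explain the empty registry. `__init__` continues past the lines shown.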
@@ -4194,11 +4194,12 @@ without using the configuration machinery.") (version "3.2.1") (source (origin - (method url-fetch) - (uri (string-append "https://pypi.python.org/packages/source/i/" - "ipython/ipython-" version ".tar.gz")) - (sha256 - (base32 "0xwin0sa9n0cabx4cq1ibf5ldsiw5dyimibla82kicz5gbpas4y9")))) + (method url-fetch) + (patches (list (search-patch "python-ipython-inputhook-ctype.patch"))) + (uri (string-append "https://pypi.python.org/packages/source/i/" + "ipython/ipython-" version ".tar.gz")) + (sha256 + (base32 "0xwin0sa9n0cabx4cq1ibf5ldsiw5dyimibla82kicz5gbpas4y9")))) (build-system python-build-system) (outputs '("out" "doc")) (propagated-inputs -- cgit 1.4.1 From 3faf214a0b58c10e9838fcbf59f139172fe4a871 Mon Sep 17 00:00:00 2001 
From: Mark H Weaver Date: Thu, 17 Dec 2015 12:07:13 -0500 Subject: gnu: icecat: Add fixes for several security flaws. * gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch, gnu/packages/patches/icecat-CVE-2015-7205.patch, gnu/packages/patches/icecat-CVE-2015-7210.patch, gnu/packages/patches/icecat-CVE-2015-7212.patch, gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7214.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches. --- gnu-system.am | 12 + gnu/packages/gnuzilla.scm | 14 +- .../patches/icecat-CVE-2015-7201-pt1.patch | 123 +++++++ .../patches/icecat-CVE-2015-7201-pt2.patch | 29 ++ .../patches/icecat-CVE-2015-7201-pt3.patch | 35 ++ gnu/packages/patches/icecat-CVE-2015-7205.patch | 84 +++++ gnu/packages/patches/icecat-CVE-2015-7210.patch | 47 +++ gnu/packages/patches/icecat-CVE-2015-7212.patch | 364 +++++++++++++++++++++ .../patches/icecat-CVE-2015-7213-pt1.patch | 32 ++ .../patches/icecat-CVE-2015-7213-pt2.patch | 27 ++ gnu/packages/patches/icecat-CVE-2015-7214.patch | 47 +++ .../patches/icecat-CVE-2015-7222-pt1.patch | 112 +++++++ .../patches/icecat-CVE-2015-7222-pt2.patch | 34 ++ .../patches/icecat-CVE-2015-7222-pt3.patch | 37 +++ 14 files changed, 996 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7205.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7210.patch create mode 
100644 gnu/packages/patches/icecat-CVE-2015-7212.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7214.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch create mode 100644 gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 0039246e4d..09525da28f 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -510,6 +510,18 @@ dist_patch_DATA = \ gnu/packages/patches/hop-linker-flags.patch \ gnu/packages/patches/hydra-automake-1.15.patch \ gnu/packages/patches/hydra-disable-darcs-test.patch \ + gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch \ + gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch \ + gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch \ + gnu/packages/patches/icecat-CVE-2015-7205.patch \ + gnu/packages/patches/icecat-CVE-2015-7210.patch \ + gnu/packages/patches/icecat-CVE-2015-7212.patch \ + gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch \ + gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch \ + gnu/packages/patches/icecat-CVE-2015-7214.patch \ + gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch \ + gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch \ + gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch \ gnu/packages/patches/icecat-avoid-bundled-includes.patch \ gnu/packages/patches/icecat-freetype-2.6.patch \ gnu/packages/patches/icu4c-CVE-2014-6585.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 6d134a89c7..8125a262aa 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm 
@@ -276,7 +276,19 @@ standards.") (sha256 (base32 "0rcaa19rfgclwd2qvcz8798m57jjzra6kaxg5dniysajvx7qndfp")) - (patches (map search-patch '("icecat-avoid-bundled-includes.patch" + (patches (map search-patch '("icecat-CVE-2015-7210.patch" + "icecat-CVE-2015-7205.patch" + "icecat-CVE-2015-7201-pt1.patch" + "icecat-CVE-2015-7201-pt2.patch" + "icecat-CVE-2015-7212.patch" + "icecat-CVE-2015-7213-pt1.patch" + "icecat-CVE-2015-7213-pt2.patch" + "icecat-CVE-2015-7222-pt1.patch" + "icecat-CVE-2015-7222-pt2.patch" + "icecat-CVE-2015-7222-pt3.patch" + "icecat-CVE-2015-7214.patch" + "icecat-CVE-2015-7201-pt3.patch" + "icecat-avoid-bundled-includes.patch" "icecat-freetype-2.6.patch"))) (modules '((guix build utils))) (snippet diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch new file mode 100644 index 0000000000..0fcfe9b409 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch 
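Review bot: The new entries in the `patches` list are not in CVE order (`icecat-CVE-2015-7210.patch` comes first and `icecat-CVE-2015-7201-pt3.patch` follows 7214), and nothing records whether that order is required. At least part of it is: the index lines of `icecat-CVE-2015-7213-pt2.patch` show that it applies on top of pt1. If the order is deliberate, a comment above the list, e.g. `;; Security fixes in the order they must be applied; keep the -ptN parts of one CVE in sequence.`, would stop a later tidy-up from sorting it. The `origin` form starts and ends outside the hunk.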
@@ -0,0 +1,123 @@ +From e2bbd632e220be7626efd34acb9a517430d36004 Mon Sep 17 00:00:00 2001 +From: Andrew Comminos +Date: Fri, 23 Oct 2015 21:35:16 -0700 +Subject: [PATCH] Bug 1203135 - Terminate linking if maximum vertex attribute + count is exceeded on Mesa. r=jgilbert, a=ritu + +--HG-- +extra : source : 8021382da9722db0ad97ebd93698b69a74f0d9b0 +extra : intermediate-source : 90eff805d2810e9d9ea88f6869335b0500b1a536 +--- + dom/canvas/WebGLProgram.cpp | 28 ++++++++++++++++++---------- + dom/canvas/WebGLShader.cpp | 10 ++++++++++ + dom/canvas/WebGLShader.h | 1 + + dom/canvas/WebGLShaderValidator.cpp | 6 ++++++ + dom/canvas/WebGLShaderValidator.h | 1 + + 5 files changed, 36 insertions(+), 10 deletions(-) + +diff --git a/dom/canvas/WebGLProgram.cpp b/dom/canvas/WebGLProgram.cpp +index 78f7413..0e056e8 100644 +--- a/dom/canvas/WebGLProgram.cpp ++++ b/dom/canvas/WebGLProgram.cpp +@@ -569,18 +569,26 @@ WebGLProgram::LinkProgram() + gl::GLContext* gl = mContext->gl; + gl->MakeCurrent(); + +- // Bug 777028: Mesa can't handle more than 16 samplers per program, +- // counting each array entry. +- size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() + +- mFragShader->CalcNumSamplerUniforms(); + if (gl->WorkAroundDriverBugs() && +- mContext->mIsMesa && +- numSamplerUniforms_upperBound > 16) ++ mContext->mIsMesa) + { +- mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on" +- " Mesa drivers to avoid crashing."); +- mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading()); +- return false; ++ // Bug 777028: Mesa can't handle more than 16 samplers per program, ++ // counting each array entry. 
++ size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() + ++ mFragShader->CalcNumSamplerUniforms(); ++ if (numSamplerUniforms_upperBound > 16) { ++ mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on" ++ " Mesa drivers to avoid crashing."); ++ mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading()); ++ return false; ++ } ++ ++ // Bug 1203135: Mesa crashes internally if we exceed the reported maximum attribute count. ++ if (mVertShader->NumAttributes() > mContext->MaxVertexAttribs()) { ++ mLinkLog.AssignLiteral("Number of attributes exceeds Mesa's reported max attribute count."); ++ mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading()); ++ return false; ++ } + } + + // Bind the attrib locations. +diff --git a/dom/canvas/WebGLShader.cpp b/dom/canvas/WebGLShader.cpp +index 85a3809..bab4157 100644 +--- a/dom/canvas/WebGLShader.cpp ++++ b/dom/canvas/WebGLShader.cpp +@@ -299,6 +299,16 @@ WebGLShader::CalcNumSamplerUniforms() const + return 0; + } + ++size_t ++WebGLShader::NumAttributes() const ++{ ++ if (mValidator) ++ return mValidator->NumAttributes(); ++ ++ // TODO ++ return 0; ++} ++ + void + WebGLShader::BindAttribLocation(GLuint prog, const nsCString& userName, + GLuint index) const +diff --git a/dom/canvas/WebGLShader.h b/dom/canvas/WebGLShader.h +index 698e30c..2c80b16a 100644 +--- a/dom/canvas/WebGLShader.h ++++ b/dom/canvas/WebGLShader.h +@@ -45,6 +45,7 @@ public: + // Util funcs + bool CanLinkTo(const WebGLShader* prev, nsCString* const out_log) const; + size_t CalcNumSamplerUniforms() const; ++ size_t NumAttributes() const; + void BindAttribLocation(GLuint prog, const nsCString& userName, GLuint index) const; + bool FindAttribUserNameByMappedName(const nsACString& mappedName, + nsDependentCString* const out_userName) const; +diff --git a/dom/canvas/WebGLShaderValidator.cpp b/dom/canvas/WebGLShaderValidator.cpp +index 80005e2..8bedf88 100644 +--- 
a/dom/canvas/WebGLShaderValidator.cpp ++++ b/dom/canvas/WebGLShaderValidator.cpp +@@ -274,6 +274,12 @@ ShaderValidator::CalcNumSamplerUniforms() const + return accum; + } + ++size_t ++ShaderValidator::NumAttributes() const ++{ ++ return ShGetAttributes(mHandle)->size(); ++} ++ + // Attribs cannot be structs or arrays, and neither can vertex inputs in ES3. + // Therefore, attrib names are always simple. + bool +diff --git a/dom/canvas/WebGLShaderValidator.h b/dom/canvas/WebGLShaderValidator.h +index 35db2f1..1f794bf0 100644 +--- a/dom/canvas/WebGLShaderValidator.h ++++ b/dom/canvas/WebGLShaderValidator.h +@@ -41,6 +41,7 @@ public: + void GetOutput(nsACString* out) const; + bool CanLinkTo(const ShaderValidator* prev, nsCString* const out_log) const; + size_t CalcNumSamplerUniforms() const; ++ size_t NumAttributes() const; + + bool FindAttribUserNameByMappedName(const std::string& mappedName, + const std::string** const out_userName) const; +-- +2.6.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch new file mode 100644 index 0000000000..3764371a11 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch 
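Review bot: `WebGLShader::NumAttributes()` returns 0 when `mValidator` is null (the branch marked `// TODO`), so the new test in `WebGLProgram::LinkProgram()`, `mVertShader->NumAttributes() > mContext->MaxVertexAttribs()`, can never fail for such a shader and the Mesa guard passes by default. Whether a shader can reach linking without a validator is not visible here, but if it can, the limit this patch adds is not enforced on that path. The fallback should either count the attributes another way or be documented as deliberate, e.g. `// No validator: attribute count unknown, so the Mesa limit is not enforced here.` `LinkProgram()` continues beyond the lines shown.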
@@ -0,0 +1,29 @@ +From f02e3252391f5fa79916e4c8f30b3d8340d06cc7 Mon Sep 17 00:00:00 2001 +From: "Carsten \"Tomcat\" Book" +Date: Tue, 8 Dec 2015 12:38:15 +0100 +Subject: [PATCH] Bug 1225250 - fix stride on SourceSurfaceSkia when + initialized from GPU texture. r=jmuizelaar, a=lizzard + +--- + gfx/2d/SourceSurfaceSkia.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/gfx/2d/SourceSurfaceSkia.cpp b/gfx/2d/SourceSurfaceSkia.cpp +index 4b95bc2..d7e0714 100644 +--- a/gfx/2d/SourceSurfaceSkia.cpp ++++ b/gfx/2d/SourceSurfaceSkia.cpp +@@ -110,8 +110,10 @@ SourceSurfaceSkia::InitFromTexture(DrawTargetSkia* aOwner, + GrTexture *skiaTexture = aOwner->mGrContext->wrapBackendTexture(skiaTexGlue); + SkImageInfo imgInfo = SkImageInfo::Make(aSize.width, aSize.height, GfxFormatToSkiaColorType(aFormat), kOpaque_SkAlphaType); + SkGrPixelRef *texRef = new SkGrPixelRef(imgInfo, skiaTexture, false); +- mBitmap.setInfo(imgInfo, aSize.width*aSize.height*4); ++ mBitmap.setInfo(imgInfo); + mBitmap.setPixelRef(texRef); ++ mFormat = aFormat; ++ mStride = mBitmap.rowBytes(); + + mDrawTarget = aOwner; + return true; +-- +2.6.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch new file mode 100644 index 0000000000..022ab5cc16 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch 
@@ -0,0 +1,35 @@ +From 567a97b6347ac8c2b93ec788c437b7e9bb23ef75 Mon Sep 17 00:00:00 2001 +From: Edwin Flores +Date: Wed, 2 Dec 2015 16:15:29 +0100 +Subject: [PATCH] Bug 1224100 - Initialize padding to 0 in Downscaler. r=seth, + a=sledru + +--- + image/src/Downscaler.cpp | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp +index 24ecfda..2a7acfd 100644 +--- a/image/src/Downscaler.cpp ++++ b/image/src/Downscaler.cpp +@@ -86,11 +86,16 @@ Downscaler::BeginFrame(const nsIntSize& aOriginalSize, + mTargetSize.height, mYFilter.get()); + + // Allocate the buffer, which contains scanlines of the original image. +- mRowBuffer = MakeUnique(mOriginalSize.width * sizeof(uint32_t)); ++ size_t bufferLen = mOriginalSize.width * sizeof(uint32_t); ++ mRowBuffer = MakeUnique(bufferLen); + if (MOZ_UNLIKELY(!mRowBuffer)) { + return NS_ERROR_OUT_OF_MEMORY; + } + ++ // Zero buffer to keep valgrind happy. ++ memset(mRowBuffer.get(), 0, bufferLen); ++ ++ + // Allocate the window, which contains horizontally downscaled scanlines. (We + // can store scanlines which are already downscale because our downscaling + // filter is separable.) +-- +2.6.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-7205.patch b/gnu/packages/patches/icecat-CVE-2015-7205.patch new file mode 100644 index 0000000000..620fa0d6bd --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7205.patch 
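Review bot: The added comment in `Downscaler::BeginFrame`, `// Zero buffer to keep valgrind happy.`, undersells the change: the patch subject says the purpose is to initialise the padding, and the file is carried as a CVE-2015-7201 fix. A comment that states the invariant, e.g. `// Zero the row buffer so its padding bytes are never read uninitialized.`, would keep someone from removing the `memset` as a debugging leftover. The hunk also leaves two consecutive blank lines after the `memset`. `BeginFrame` starts and ends outside the hunk.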
@@ -0,0 +1,84 @@ +From 20df7b0b3f3e7dd201c9811bbb1e6515da8da359 Mon Sep 17 00:00:00 2001 +From: Randell Jesup +Date: Thu, 5 Nov 2015 10:17:29 -0500 +Subject: [PATCH] Bug 1220493 - validate RTP packets against underflows. + r=pkerr a=sylvestre + +--HG-- +extra : source : 575d3aa376b1c8e7507d94833f7b74bf963127cb +extra : intermediate-source : 2c1b396ef5c3e2424fb9af56d86ebf6f6551a997 +--- + .../webrtc/modules/rtp_rtcp/source/rtp_utility.cc | 26 ++++++++++++---------- + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc +index 9334b23..80cf55a 100644 +--- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc ++++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc +@@ -338,12 +338,6 @@ bool RtpHeaderParser::Parse(RTPHeader& header, + return false; + } + +- const uint8_t CSRCocts = CC * 4; +- +- if ((ptr + CSRCocts) > _ptrRTPDataEnd) { +- return false; +- } +- + header.markerBit = M; + header.payloadType = PT; + header.sequenceNumber = sequenceNumber; +@@ -352,6 +346,14 @@ bool RtpHeaderParser::Parse(RTPHeader& header, + header.numCSRCs = CC; + header.paddingLength = P ? *(_ptrRTPDataEnd - 1) : 0; + ++ // 12 == sizeof(RFC rtp header) == kRtpMinParseLength, each CSRC=4 bytes ++ header.headerLength = 12 + (CC * 4); ++ // not a full validation, just safety against underflow. Padding must ++ // start after the header. We can have 0 payload bytes left, note. 
++ if (header.paddingLength + header.headerLength > length) { ++ return false; ++ } ++ + for (unsigned int i = 0; i < CC; ++i) { + uint32_t CSRC = *ptr++ << 24; + CSRC += *ptr++ << 16; +@@ -359,8 +361,7 @@ bool RtpHeaderParser::Parse(RTPHeader& header, + CSRC += *ptr++; + header.arrOfCSRCs[i] = CSRC; + } +- +- header.headerLength = 12 + CSRCocts; ++ assert((ptr - _ptrRTPDataBegin) == header.headerLength); + + // If in effect, MAY be omitted for those packets for which the offset + // is zero. +@@ -385,8 +386,9 @@ bool RtpHeaderParser::Parse(RTPHeader& header, + | header extension | + | .... | + */ +- const ptrdiff_t remain = _ptrRTPDataEnd - ptr; +- if (remain < 4) { ++ // earlier test ensures we have at least paddingLength bytes left ++ const ptrdiff_t remain = (_ptrRTPDataEnd - ptr) - header.paddingLength; ++ if (remain < 4) { // minimum header extension length = 32 bits + return false; + } + +@@ -395,11 +397,11 @@ bool RtpHeaderParser::Parse(RTPHeader& header, + uint16_t definedByProfile = *ptr++ << 8; + definedByProfile += *ptr++; + +- uint16_t XLen = *ptr++ << 8; ++ size_t XLen = *ptr++ << 8; + XLen += *ptr++; // in 32 bit words + XLen *= 4; // in octs + +- if (remain < (4 + XLen)) { ++ if (remain < (4 + XLen)) { // we already accounted for padding + return false; + } + if (definedByProfile == kRtpOneByteHeaderExtensionId) { +-- +2.6.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-7210.patch b/gnu/packages/patches/icecat-CVE-2015-7210.patch new file mode 100644 index 0000000000..eab57021db --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7210.patch 
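Review bot: In `RtpHeaderParser::Parse`, changing `XLen` from `uint16_t` to `size_t` turns `remain < (4 + XLen)` into a comparison between a signed `ptrdiff_t` and an unsigned value, so `remain` is converted to unsigned before the test. That is safe only because the earlier `if (remain < 4)` return guarantees `remain` is non-negative at that point; if that guard were ever moved, a negative `remain` would compare as a very large number and the length check would pass. Making the dependency explicit, `if ((size_t)remain < (4 + XLen)) { // remain >= 4 was checked above`, documents it. Separately, the new `assert((ptr - _ptrRTPDataBegin) == header.headerLength);` disappears when NDEBUG is defined, so it should not be counted as a runtime check. `Parse` starts and ends outside the hunk.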
@@ -0,0 +1,47 @@ +From 4e0cd9ba4924869f91be0e7c8cf666182bb75f90 Mon Sep 17 00:00:00 2001 +From: "Byron Campen [:bwc]" +Date: Wed, 28 Oct 2015 12:48:17 -0500 +Subject: [PATCH] Bug 1218326 - Prevent datachannel operations on closed + PeerConnections. r=jesup a=sylvestre + +--HG-- +extra : source : a7637b62d9b5ab73f58e5aa3c663d7d35b624826 +extra : intermediate-source : d8f0412f38f75040064157d8d2b0140df21600e6 +--- + media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp +index c3d8d26..fe86ff7 100644 +--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp ++++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp +@@ -1004,7 +1004,7 @@ PeerConnectionImpl::GetIdentity() const + NS_IMETHODIMP + PeerConnectionImpl::EnsureDataConnection(uint16_t aNumstreams) + { +- PC_AUTO_ENTER_API_CALL_NO_CHECK(); ++ PC_AUTO_ENTER_API_CALL(false); + + #ifdef MOZILLA_INTERNAL_API + if (mDataConnection) { +@@ -1102,7 +1102,7 @@ PeerConnectionImpl::GetDatachannelParameters( + nsresult + PeerConnectionImpl::InitializeDataChannel() + { +- PC_AUTO_ENTER_API_CALL_NO_CHECK(); ++ PC_AUTO_ENTER_API_CALL(false); + CSFLogDebug(logTag, "%s", __FUNCTION__); + + const JsepApplicationCodecDescription* codec; +@@ -1184,7 +1184,7 @@ PeerConnectionImpl::CreateDataChannel(const nsAString& aLabel, + uint16_t aStream, + nsDOMDataChannel** aRetval) + { +- PC_AUTO_ENTER_API_CALL_NO_CHECK(); ++ PC_AUTO_ENTER_API_CALL(false); + MOZ_ASSERT(aRetval); + + #ifdef MOZILLA_INTERNAL_API +-- +2.6.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-7212.patch b/gnu/packages/patches/icecat-CVE-2015-7212.patch new file mode 100644 index 0000000000..7bda486ff7 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7212.patch 
@@ -0,0 +1,364 @@ +From 595e3a152ff2912a950defd0ef4b5f659135b03a Mon Sep 17 00:00:00 2001 +From: Nicolas Silva +Date: Wed, 18 Nov 2015 16:59:11 +0100 +Subject: [PATCH] Bug 1222809 - Don't try to allocate unreasonably large + textures. r=Bas, a=sylvestre + +--- + gfx/2d/2D.h | 25 ++++++++++-- + gfx/2d/Factory.cpp | 67 ++++++++++++++++++++++++++++----- + gfx/layers/ImageDataSerializer.cpp | 21 ++++++----- + gfx/layers/YCbCrImageDataSerializer.cpp | 7 ++++ + gfx/layers/client/TextureClient.cpp | 12 ++++++ + gfx/thebes/gfxPlatform.cpp | 15 ++++++-- + gfx/thebes/gfxPrefs.h | 3 ++ + 7 files changed, 124 insertions(+), 26 deletions(-) + +diff --git a/gfx/2d/2D.h b/gfx/2d/2D.h +index cf35bb2..b1e0e3e 100644 +--- a/gfx/2d/2D.h ++++ b/gfx/2d/2D.h +@@ -1082,22 +1082,41 @@ struct TileSet + size_t mTileCount; + }; + ++struct Config { ++ LogForwarder* mLogForwarder; ++ int32_t mMaxTextureSize; ++ int32_t mMaxAllocSize; ++ ++ Config() ++ : mLogForwarder(nullptr) ++ , mMaxTextureSize(8192) ++ , mMaxAllocSize(52000000) ++ {} ++}; ++ + class GFX2D_API Factory + { + public: ++ static void Init(const Config& aConfig); ++ static void ShutDown(); ++ + static bool HasSSE2(); + + /** Make sure that the given dimensions don't overflow a 32-bit signed int + * using 4 bytes per pixel; optionally, make sure that either dimension + * doesn't exceed the given limit. + */ +- static bool CheckSurfaceSize(const IntSize &sz, int32_t limit = 0); ++ static bool CheckSurfaceSize(const IntSize &sz, ++ int32_t limit = 0, ++ int32_t allocLimit = 0); + + /** Make sure the given dimension satisfies the CheckSurfaceSize and is + * within 8k limit. The 8k value is chosen a bit randomly. 
+ */ + static bool ReasonableSurfaceSize(const IntSize &aSize); + ++ static bool AllowedSurfaceSize(const IntSize &aSize); ++ + static TemporaryRef CreateDrawTargetForCairoSurface(cairo_surface_t* aSurface, const IntSize& aSize, SurfaceFormat* aFormat = nullptr); + + static TemporaryRef +@@ -1171,10 +1190,10 @@ public: + + static uint32_t GetMaxSurfaceSize(BackendType aType); + +- static LogForwarder* GetLogForwarder() { return mLogForwarder; } ++ static LogForwarder* GetLogForwarder() { return sConfig ? sConfig->mLogForwarder : nullptr; } + + private: +- static LogForwarder* mLogForwarder; ++ static Config* sConfig; + public: + + #ifdef USE_SKIA_GPU +diff --git a/gfx/2d/Factory.cpp b/gfx/2d/Factory.cpp +index 948d3c3..6750c28 100644 +--- a/gfx/2d/Factory.cpp ++++ b/gfx/2d/Factory.cpp +@@ -188,6 +188,35 @@ ID2D1Device *Factory::mD2D1Device; + + DrawEventRecorder *Factory::mRecorder; + ++mozilla::gfx::Config* Factory::sConfig = nullptr; ++ ++void ++Factory::Init(const Config& aConfig) ++{ ++ MOZ_ASSERT(!sConfig); ++ sConfig = new Config(aConfig); ++ ++ // Make sure we don't completely break rendering because of a typo in the ++ // pref or whatnot. 
++ const int32_t kMinAllocPref = 10000000; ++ const int32_t kMinSizePref = 2048; ++ if (sConfig->mMaxAllocSize < kMinAllocPref) { ++ sConfig->mMaxAllocSize = kMinAllocPref; ++ } ++ if (sConfig->mMaxTextureSize < kMinSizePref) { ++ sConfig->mMaxTextureSize = kMinSizePref; ++ } ++} ++ ++void ++Factory::ShutDown() ++{ ++ if (sConfig) { ++ delete sConfig; ++ sConfig = nullptr; ++ } ++} ++ + bool + Factory::HasSSE2() + { +@@ -222,11 +251,25 @@ inline int LoggerOptionsBasedOnSize(const IntSize& aSize) + bool + Factory::ReasonableSurfaceSize(const IntSize &aSize) + { +- return Factory::CheckSurfaceSize(aSize,8192); ++ return Factory::CheckSurfaceSize(aSize, 8192); ++} ++ ++bool ++Factory::AllowedSurfaceSize(const IntSize &aSize) ++{ ++ if (sConfig) { ++ return Factory::CheckSurfaceSize(aSize, ++ sConfig->mMaxTextureSize, ++ sConfig->mMaxAllocSize); ++ } ++ ++ return CheckSurfaceSize(aSize); + } + + bool +-Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit) ++Factory::CheckSurfaceSize(const IntSize &sz, ++ int32_t extentLimit, ++ int32_t allocLimit) + { + if (sz.width <= 0 || sz.height <= 0) { + gfxDebug() << "Surface width or height <= 0!"; +@@ -234,8 +277,8 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit) + } + + // reject images with sides bigger than limit +- if (limit && (sz.width > limit || sz.height > limit)) { +- gfxDebug() << "Surface size too large (exceeds caller's limit)!"; ++ if (extentLimit && (sz.width > extentLimit || sz.height > extentLimit)) { ++ gfxDebug() << "Surface size too large (exceeds extent limit)!"; + return false; + } + +@@ -267,13 +310,18 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit) + return false; + } + ++ if (allocLimit && allocLimit < numBytes.value()) { ++ gfxDebug() << "Surface size too large (exceeds allocation limit)!"; ++ return false; ++ } ++ + return true; + } + + TemporaryRef + Factory::CreateDrawTarget(BackendType aBackend, const IntSize &aSize, SurfaceFormat aFormat) + { +- if 
(!CheckSurfaceSize(aSize)) { ++ if (!AllowedSurfaceSize(aSize)) { + gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize; + return nullptr; + } +@@ -364,7 +412,7 @@ Factory::CreateDrawTargetForData(BackendType aBackend, + SurfaceFormat aFormat) + { + MOZ_ASSERT(aData); +- if (!CheckSurfaceSize(aSize)) { ++ if (!AllowedSurfaceSize(aSize)) { + gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize; + return nullptr; + } +@@ -835,7 +883,7 @@ Factory::CreateDataSourceSurface(const IntSize &aSize, + SurfaceFormat aFormat, + bool aZero) + { +- if (!CheckSurfaceSize(aSize)) { ++ if (!AllowedSurfaceSize(aSize)) { + gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize; + return nullptr; + } +@@ -881,14 +929,13 @@ Factory::SetGlobalEventRecorder(DrawEventRecorder *aRecorder) + mRecorder = aRecorder; + } + +-LogForwarder* Factory::mLogForwarder = nullptr; +- + // static + void + Factory::SetLogForwarder(LogForwarder* aLogFwd) { +- mLogForwarder = aLogFwd; ++ sConfig->mLogForwarder = aLogFwd; + } + ++ + // static + void + CriticalLogger::OutputMessage(const std::string &aString, +diff --git a/gfx/layers/ImageDataSerializer.cpp b/gfx/layers/ImageDataSerializer.cpp +index 5dd6aca..331dd04 100644 +--- a/gfx/layers/ImageDataSerializer.cpp ++++ b/gfx/layers/ImageDataSerializer.cpp +@@ -84,21 +84,23 @@ ImageDataSerializerBase::ComputeMinBufferSize(IntSize aSize, + SurfaceFormat aFormat) + { + MOZ_ASSERT(aSize.height >= 0 && aSize.width >= 0); +- if (aSize.height <= 0 || aSize.width <= 0) { +- gfxDebug() << "Non-positive image buffer size request " << aSize.width << "x" << aSize.height; ++ ++ // This takes care of checking whether there could be overflow ++ // with enough margin for the metadata. 
++ if (!gfx::Factory::AllowedSurfaceSize(aSize)) { + return 0; + } + +- CheckedInt bufsize = ComputeStride(aFormat, aSize.width); +- bufsize *= aSize.height; ++ int32_t bufsize = GetAlignedStride<16>(ComputeStride(aFormat, aSize.width) ++ * aSize.height) ++ + SurfaceBufferInfo::GetOffset(); + +- if (!bufsize.isValid() || bufsize.value() <= 0) { +- gfxDebug() << "Buffer size overflow " << aSize.width << "x" << aSize.height; ++ if (bufsize < 0) { ++ // This should not be possible thanks to Factory::AllowedSurfaceSize + return 0; + } + +- return SurfaceBufferInfo::GetOffset() +- + GetAlignedStride<16>(bufsize.value()); ++ return bufsize; + } + + void +@@ -114,7 +116,8 @@ ImageDataSerializerBase::Validate() + } + size_t requiredSize = + ComputeMinBufferSize(IntSize(info->width, info->height), info->format); +- mIsValid = requiredSize <= mDataSize; ++ ++ mIsValid = !!requiredSize && requiredSize <= mDataSize; + } + + uint8_t* +diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp +index c8e148d..05f5ab2 100644 +--- a/gfx/layers/YCbCrImageDataSerializer.cpp ++++ b/gfx/layers/YCbCrImageDataSerializer.cpp +@@ -150,6 +150,13 @@ YCbCrImageDataDeserializerBase::ComputeMinBufferSize(const gfx::IntSize& aYSize, + gfxDebug() << "Non-positive YCbCr buffer size request " << aYSize.height << "x" << aYSize.width << ", " << aCbCrSize.height << "x" << aCbCrSize.width; + return 0; + } ++ ++ if (!gfx::Factory::AllowedSurfaceSize(aYSize) || ++ aCbCrSize.width > aYSize.width || ++ aCbCrSize.height > aYSize.height) { ++ return 0; ++ } ++ + return ComputeOffset(aYSize.height, aYStride) + + 2 * ComputeOffset(aCbCrSize.height, aCbCrStride) + + MOZ_ALIGN_WORD(sizeof(YCbCrBufferInfo)); +diff --git a/gfx/layers/client/TextureClient.cpp b/gfx/layers/client/TextureClient.cpp +index 9b45ca0..6ae7cbf 100644 +--- a/gfx/layers/client/TextureClient.cpp ++++ b/gfx/layers/client/TextureClient.cpp +@@ -315,6 +315,10 @@ 
TextureClient::CreateForDrawing(ISurfaceAllocator* aAllocator, + aMoz2DBackend = gfxPlatform::GetPlatform()->GetContentBackend(); + } + ++ if (!gfx::Factory::AllowedSurfaceSize(aSize)) { ++ return nullptr; ++ } ++ + RefPtr texture; + + #if defined(MOZ_WIDGET_GONK) || defined(XP_WIN) +@@ -415,6 +419,10 @@ TextureClient::CreateForRawBufferAccess(ISurfaceAllocator* aAllocator, + TextureFlags aTextureFlags, + TextureAllocationFlags aAllocFlags) + { ++ if (!gfx::Factory::AllowedSurfaceSize(aSize)) { ++ return nullptr; ++ } ++ + RefPtr texture = + CreateBufferTextureClient(aAllocator, aFormat, + aTextureFlags, aMoz2DBackend); +@@ -434,6 +442,10 @@ TextureClient::CreateForYCbCr(ISurfaceAllocator* aAllocator, + StereoMode aStereoMode, + TextureFlags aTextureFlags) + { ++ if (!gfx::Factory::AllowedSurfaceSize(aYSize)) { ++ return nullptr; ++ } ++ + RefPtr texture; + if (aAllocator->IsSameProcess()) { + texture = new MemoryTextureClient(aAllocator, gfx::SurfaceFormat::YUV, +diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp +index 41e4b0c..209a0a8 100644 +--- a/gfx/thebes/gfxPlatform.cpp ++++ b/gfx/thebes/gfxPlatform.cpp +@@ -458,13 +458,18 @@ gfxPlatform::Init() + } + gEverInitialized = true; + +- CrashStatsLogForwarder* logForwarder = new CrashStatsLogForwarder("GraphicsCriticalError"); +- mozilla::gfx::Factory::SetLogForwarder(logForwarder); +- + // Initialize the preferences by creating the singleton. 
+ gfxPrefs::GetSingleton(); + +- logForwarder->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength()); ++ auto fwd = new CrashStatsLogForwarder("GraphicsCriticalError"); ++ fwd->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength()); ++ ++ mozilla::gfx::Config cfg; ++ cfg.mLogForwarder = fwd; ++ cfg.mMaxTextureSize = gfxPrefs::MaxTextureSize(); ++ cfg.mMaxAllocSize = gfxPrefs::MaxAllocSize(); ++ ++ gfx::Factory::Init(cfg); + + gGfxPlatformPrefsLock = new Mutex("gfxPlatform::gGfxPlatformPrefsLock"); + +@@ -641,6 +646,8 @@ gfxPlatform::Shutdown() + delete mozilla::gfx::Factory::GetLogForwarder(); + mozilla::gfx::Factory::SetLogForwarder(nullptr); + ++ gfx::Factory::ShutDown(); ++ + delete gGfxPlatformPrefsLock; + + gfxPrefs::DestroySingleton(); +diff --git a/gfx/thebes/gfxPrefs.h b/gfx/thebes/gfxPrefs.h +index b7a5fb9..038e1ff 100644 +--- a/gfx/thebes/gfxPrefs.h ++++ b/gfx/thebes/gfxPrefs.h +@@ -209,6 +209,9 @@ private: + DECL_GFX_PREF(Live, "gfx.layerscope.port", LayerScopePort, int32_t, 23456); + // Note that "gfx.logging.level" is defined in Logging.h + DECL_GFX_PREF(Once, "gfx.logging.crash.length", GfxLoggingCrashLength, uint32_t, 6); ++ // The maximums here are quite conservative, we can tighten them if problems show up. ++ DECL_GFX_PREF(Once, "gfx.max-alloc-size", MaxAllocSize, int32_t, (int32_t)500000000); ++ DECL_GFX_PREF(Once, "gfx.max-texture-size", MaxTextureSize, int32_t, (int32_t)32767); + DECL_GFX_PREF(Live, "gfx.perf-warnings.enabled", PerfWarnings, bool, false); + DECL_GFX_PREF(Once, "gfx.work-around-driver-bugs", WorkAroundDriverBugs, bool, true); + +-- +2.6.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch new file mode 100644 index 0000000000..854c91b8aa --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch 
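Review bot: `ImageDataSerializerBase::ComputeMinBufferSize` drops the `CheckedInt` arithmetic and computes `bufsize` as a plain `int32_t`, testing `bufsize < 0` afterwards; signed overflow is undefined behaviour, so that test cannot be relied on to catch it. The safety now rests entirely on `Factory::AllowedSurfaceSize`, which falls back to `CheckSurfaceSize(aSize)` with no allocation limit when `sConfig` is null, and otherwise takes its limit from the `gfx.max-alloc-size` pref, which `Factory::Init` clamps only from below. Keeping the `CheckedInt` accumulation from the removed lines, extended over the alignment and `SurfaceBufferInfo::GetOffset()` terms, and returning 0 when `!bufsize.isValid()`, would keep the overflow check local to the computation. In the same patch `Factory::SetLogForwarder` now dereferences `sConfig` without the null test that `GetLogForwarder` has, so a call before `Init` or after `ShutDown` would crash; `if (sConfig) sConfig->mLogForwarder = aLogFwd;` matches the getter.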
@@ -0,0 +1,32 @@
+From 3f31bf9e243fb3de26e36d6be0bb0153f51c5b2a Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard
+Date: Wed, 9 Dec 2015 09:54:58 +0100
+Subject: [PATCH] Bug 1206211 - P1. Ensure operation can't overflow.
+ r=kentuckyfriedtakahe, a=sylvestre
+
+---
+ .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+index 22163fa..318152a 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+@@ -508,10 +508,13 @@ status_t MPEG4Extractor::readMetaData() {
+ CHECK_NE(err, (status_t)NO_INIT);
+
+ // copy pssh data into file metadata
+- int psshsize = 0;
++ uint64_t psshsize = 0;
+ for (size_t i = 0; i < mPssh.size(); i++) {
+ psshsize += 20 + mPssh[i].datalen;
+ }
++ if (psshsize > kMAX_ALLOCATION) {
++ return ERROR_MALFORMED;
++ }
+ if (psshsize) {
+ char *buf = (char*)malloc(psshsize);
+ char *ptr = buf;
+--
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch
new file mode 100644
index 0000000000..20bbd36281
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch
@@ -0,0 +1,27 @@
+From bb6870bd6dc3acb183f44360c7cc6488656f47ea Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard
+Date: Wed, 9 Dec 2015 09:55:16 +0100
+Subject: [PATCH] Bug 1206211 - P2. Abort on OOM. r=kentuckyfriedtakahe,
+ a=sylvestre
+
+---
+ .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+index 318152a..c6aaf1d 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+@@ -517,6 +517,9 @@ status_t MPEG4Extractor::readMetaData() {
+ }
+ if (psshsize) {
+ char *buf = (char*)malloc(psshsize);
++ if (!buf) {
++ return ERROR_MALFORMED;
++ }
+ char *ptr = buf;
+ for (size_t i = 0; i < mPssh.size(); i++) {
+ memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
+--
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7214.patch b/gnu/packages/patches/icecat-CVE-2015-7214.patch
new file mode 100644
index 0000000000..3a56d3d2cd
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7214.patch
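Review bot: In icecat-CVE-2015-7213-pt2.patch the new `if (!buf)` branch in readMetaData returns `ERROR_MALFORMED`, which reports an allocation failure as a malformed file although the patch subject describes it as an OOM case. Callers and logs then cannot tell hostile input from memory pressure. A comment on the branch would make the choice explicit, for example `// malloc failed; psshsize is already bounded, so treat the file as unparseable`, or a dedicated out-of-memory status could be returned if the tree's status_t set has one. The function body continues outside the hunk.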
@@ -0,0 +1,47 @@
+From 487799700b0b676c2c6b95ad33c8afb8dbd329d8 Mon Sep 17 00:00:00 2001
+From: Bobby Holley
+Date: Mon, 14 Dec 2015 15:36:20 -0500
+Subject: [PATCH] Bug 1228950 - Disallow scheme sets on nsHostObjectURI. r=bz,
+ a=lizzard
+
+---
+ dom/base/nsHostObjectURI.cpp | 9 +++++++++
+ dom/base/nsHostObjectURI.h | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/dom/base/nsHostObjectURI.cpp b/dom/base/nsHostObjectURI.cpp
+index 94b02ff..57b0209 100644
+--- a/dom/base/nsHostObjectURI.cpp
++++ b/dom/base/nsHostObjectURI.cpp
+@@ -81,6 +81,15 @@ nsHostObjectURI::Write(nsIObjectOutputStream* aStream)
+ true);
+ }
+
++NS_IMETHODIMP
++nsHostObjectURI::SetScheme(const nsACString& aScheme)
++{
++ // Disallow setting the scheme, since that could cause us to be associated
++ // with a different protocol handler that doesn't expect us to be carrying
++ // around a principal with nsIURIWithPrincipal.
++ return NS_ERROR_FAILURE;
++}
++
+ // nsIURI methods:
+ nsresult
+ nsHostObjectURI::CloneInternal(nsSimpleURI::RefHandlingEnum aRefHandlingMode,
+diff --git a/dom/base/nsHostObjectURI.h b/dom/base/nsHostObjectURI.h
+index b468d5d..23ff7ab 100644
+--- a/dom/base/nsHostObjectURI.h
++++ b/dom/base/nsHostObjectURI.h
+@@ -34,6 +34,8 @@ public:
+ NS_DECL_NSISERIALIZABLE
+ NS_DECL_NSICLASSINFO
+
++ NS_IMETHOD SetScheme(const nsACString &aProtocol) override;
++
+ // Override CloneInternal() and EqualsInternal()
+ virtual nsresult CloneInternal(RefHandlingEnum aRefHandlingMode,
+ nsIURI** aClone) override;
+--
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
new file mode 100644
index 0000000000..c5d0e4ad60
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
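Review bot: In icecat-CVE-2015-7214.patch the declaration added to nsHostObjectURI.h names the parameter `aProtocol` while the definition in nsHostObjectURI.cpp names it `aScheme`; the two should agree, e.g. `NS_IMETHOD SetScheme(const nsACString& aScheme) override;`. The security rationale (a scheme change could associate a principal-carrying URI with a protocol handler that does not expect one) is stated only in the .cpp body. A one-line comment on the header declaration, such as `// Always fails: the scheme of a principal-carrying URI must not change.`, would keep a later refactor from dropping the override.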
@@ -0,0 +1,112 @@ +From 76e6db3e514350fd146cb04425e669d63b59f889 Mon Sep 17 00:00:00 2001 +From: Gerald Squelart +Date: Wed, 9 Dec 2015 09:59:37 +0100 +Subject: [PATCH] Bug 1216748 - p2. Handle failed malloc in Metadata storage - + r=rillian, a=sylvestre + +--- + .../av/include/media/stagefright/MetaData.h | 2 +- + .../av/media/libstagefright/MetaData.cpp | 35 ++++++++++++++-------- + 2 files changed, 24 insertions(+), 13 deletions(-) + +diff --git a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h +index 30d969d..0a8ff77 100644 +--- a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h ++++ b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h +@@ -248,7 +248,7 @@ private: + return mSize <= sizeof(u.reservoir); + } + +- void allocateStorage(size_t size); ++ bool allocateStorage(size_t size); + void freeStorage(); + + void *storage() { +diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp +index c832c96..cba324d 100644 +--- a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp ++++ b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp +@@ -220,7 +220,7 @@ bool MetaData::findData(uint32_t key, uint32_t *type, + } + + MetaData::typed_data::typed_data() +- : mType(0), ++ : mType(TYPE_NONE), + mSize(0) { + } + +@@ -231,17 +231,19 @@ MetaData::typed_data::~typed_data() { + MetaData::typed_data::typed_data(const typed_data &from) + : mType(from.mType), + mSize(0) { +- allocateStorage(from.mSize); +- memcpy(storage(), from.storage(), mSize); ++ if (allocateStorage(from.mSize)) { ++ memcpy(storage(), from.storage(), mSize); ++ } + } + + MetaData::typed_data &MetaData::typed_data::operator=( + const MetaData::typed_data &from) { + if (this != &from) { + clear(); +- mType = from.mType; +- 
allocateStorage(from.mSize); +- memcpy(storage(), from.storage(), mSize); ++ if (allocateStorage(from.mSize)) { ++ mType = from.mType; ++ memcpy(storage(), from.storage(), mSize); ++ } + } + + return *this; +@@ -250,16 +252,17 @@ MetaData::typed_data &MetaData::typed_data::operator=( + void MetaData::typed_data::clear() { + freeStorage(); + +- mType = 0; ++ mType = TYPE_NONE; + } + + void MetaData::typed_data::setData( + uint32_t type, const void *data, size_t size) { + clear(); + +- mType = type; +- allocateStorage(size); +- memcpy(storage(), data, size); ++ if (allocateStorage(size)) { ++ mType = type; ++ memcpy(storage(), data, size); ++ } + } + + void MetaData::typed_data::getData( +@@ -269,14 +272,22 @@ void MetaData::typed_data::getData( + *data = storage(); + } + +-void MetaData::typed_data::allocateStorage(size_t size) { ++bool MetaData::typed_data::allocateStorage(size_t size) { ++ // Update mSize now, as it is needed by usesReservoir() below. ++ // (mSize will be reset if the allocation fails further below.) + mSize = size; + + if (usesReservoir()) { +- return; ++ return true; + } + + u.ext_data = malloc(mSize); ++ if (!u.ext_data) { ++ mType = TYPE_NONE; ++ mSize = 0; ++ return false; ++ } ++ return true; + } + + void MetaData::typed_data::freeStorage() { +-- +2.6.3 + diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch new file mode 100644 index 0000000000..688d7f903f --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch 
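Review bot: In icecat-CVE-2015-7222-pt1.patch, `typed_data::setData` still returns void, so when `allocateStorage` fails the item is silently left as `TYPE_NONE` with size 0 and the caller gets no signal that the value was dropped. The copy constructor also depends on `allocateStorage` resetting `mType` on failure, since it initialises `mType(from.mType)` before the call. Both contracts deserve a comment at the declaration in MetaData.h, for example `// Returns false on allocation failure; the item is then TYPE_NONE with mSize == 0.` Whether callers of `setData` outside these hunks need to observe the failure cannot be judged from here.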
@@ -0,0 +1,34 @@
+From 63c353cf8ec6b787936f602532026bd9923a16e4 Mon Sep 17 00:00:00 2001
+From: Gerald Squelart
+Date: Wed, 9 Dec 2015 10:00:13 +0100
+Subject: [PATCH] Bug 1216748 - p3. Ensure 'covr' data size cannot create
+ underflow - r=rillian, a=sylvestre
+
+---
+ .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+index c6aaf1d..a69fc14 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+@@ -1889,12 +1889,15 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
+ if (mFileMetaData != NULL) {
+ ALOGV("chunk_data_size = %lld and data_offset = %lld",
+ chunk_data_size, data_offset);
++ const int kSkipBytesOfDataBox = 16;
++ if (chunk_data_size <= kSkipBytesOfDataBox) {
++ return ERROR_MALFORMED;
++ }
+ sp buffer = new ABuffer(chunk_data_size + 1);
+ if (mDataSource->readAt(
+ data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {
+ return ERROR_IO;
+ }
+- const int kSkipBytesOfDataBox = 16;
+ mFileMetaData->setData(
+ kKeyAlbumArt, MetaData::TYPE_NONE,
+ buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
+--
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch
new file mode 100644
index 0000000000..2f3c95623d
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch
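Review bot: In icecat-CVE-2015-7222-pt2.patch the added guard in parseChunk rejects a `chunk_data_size` of 16 or less, but nothing visible in the hunk bounds it from above before `new ABuffer(chunk_data_size + 1)`. Unless an earlier check outside the hunk caps the value, a size taken from the file drives both the allocation and the `readAt` length. If `kMAX_ALLOCATION`, which readMetaData in the same file compares against, is in scope here, the guard could read `if (chunk_data_size <= kSkipBytesOfDataBox || chunk_data_size > kMAX_ALLOCATION) {`. parseChunk starts and ends outside the hunk.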
@@ -0,0 +1,37 @@
+From 0221ef0c389bff196ff59fa18232467d3648b926 Mon Sep 17 00:00:00 2001
+From: Gerald Squelart
+Date: Wed, 9 Dec 2015 10:00:32 +0100
+Subject: [PATCH] Bug 1216748 - p4. Check other Metadata::setData uses -
+ r=rillian, a=sylvestre
+
+Found only one other use that needed better checks: the size of the pssh
+data was only checked after all items were added up; so it would be
+possible to create a set of big items such that they create an overflow,
+but the final sum looks reasonable.
+Instead each item size should be checked, and the sum should also be
+checked at each step.
+---
+ .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+index a69fc14..413a495 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+@@ -511,9 +511,10 @@ status_t MPEG4Extractor::readMetaData() {
+ uint64_t psshsize = 0;
+ for (size_t i = 0; i < mPssh.size(); i++) {
+ psshsize += 20 + mPssh[i].datalen;
+- }
+- if (psshsize > kMAX_ALLOCATION) {
+- return ERROR_MALFORMED;
++ if (mPssh[i].datalen > kMAX_ALLOCATION - 20 ||
++ psshsize > kMAX_ALLOCATION) {
++ return ERROR_MALFORMED;
++ }
+ }
+ if (psshsize) {
+ char *buf = (char*)malloc(psshsize);
+--
+2.6.3
+
-- cgit 1.4.1
From f0150f8724f09fa650a0cbb66d3ef5a8a99804c4 Mon Sep 17 00:00:00 2001
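Review bot: In icecat-CVE-2015-7222-pt3.patch the per-item test on `mPssh[i].datalen` runs only after `psshsize += 20 + mPssh[i].datalen;` has already executed. If `datalen` is a 32-bit field (its declaration is not in the hunk), `20 + datalen` can wrap before it is widened into the 64-bit sum; the item is still rejected by the check that follows, but only because the wrapped sum is then discarded. Validating first removes that dependency: `if (mPssh[i].datalen > kMAX_ALLOCATION - 20) return ERROR_MALFORMED;` placed before the addition, with `psshsize > kMAX_ALLOCATION` tested after it.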
From: Leo Famulari Date: Sat, 19 Dec 2015 18:18:43 -0500 Subject: gnu: grub: Add fix for CVE-2015-8730. * gnu/packages/patches/grub-CVE-2015-8370.patch: New file. * gnu-system.am (dist_patch_DATA): Register patch. * gnu/packages/grub.scm: Apply patch. --- gnu-system.am | 1 + gnu/packages/grub.scm | 4 ++- gnu/packages/patches/grub-CVE-2015-8370.patch | 45 +++++++++++++++++++++++++++ 3 files changed, 49 insertions(+), 1 deletion(-) create mode 100644 gnu/packages/patches/grub-CVE-2015-8370.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index 3c8f402fa6..df177b62d5 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -497,6 +497,7 @@ dist_patch_DATA = \ gnu/packages/patches/gobject-introspection-cc.patch \ gnu/packages/patches/gobject-introspection-girepository.patch \ gnu/packages/patches/grep-CVE-2015-1345.patch \ + gnu/packages/patches/grub-CVE-2015-8370.patch \ gnu/packages/patches/grub-gets-undeclared.patch \ gnu/packages/patches/grub-freetype.patch \ gnu/packages/patches/guile-1.8-cpp-4.5.patch \ diff --git a/gnu/packages/grub.scm b/gnu/packages/grub.scm index 79fc2f0aca..96d284c108 100644 --- a/gnu/packages/grub.scm +++ b/gnu/packages/grub.scm @@ -1,6 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès ;;; Copyright © 2015 Mark H Weaver +;;; Copyright © 2015 Leo Famulari ;;; ;;; This file is part of GNU Guix. ;;; @@ -83,7 +84,8 @@ (base32 "0n64hpmsccvicagvr0c6v0kgp2yw0kgnd3jvsyd26cnwgs7c6kkq")) (patches (list (search-patch "grub-gets-undeclared.patch") - (search-patch "grub-freetype.patch"))))) + (search-patch "grub-freetype.patch") + (search-patch "grub-CVE-2015-8370.patch"))))) (build-system gnu-build-system) (arguments '(#:configure-flags '("--disable-werror") diff --git a/gnu/packages/patches/grub-CVE-2015-8370.patch b/gnu/packages/patches/grub-CVE-2015-8370.patch new file mode 100644 index 0000000000..5701b54759 --- /dev/null 
+++ b/gnu/packages/patches/grub-CVE-2015-8370.patch
@@ -0,0 +1,45 @@
+From 88c9657960a6c5d3673a25c266781e876c181add Mon Sep 17 00:00:00 2001
+From: Hector Marco-Gisbert
+Date: Fri, 13 Nov 2015 16:21:09 +0100
+Subject: [PATCH] Fix security issue when reading username and password
+
+ This patch fixes two integer underflows at:
+ * grub-core/lib/crypto.c
+ * grub-core/normal/auth.c
+
+Signed-off-by: Hector Marco-Gisbert
+Signed-off-by: Ismael Ripoll-Ripoll
+---
+ grub-core/lib/crypto.c | 2 +-
+ grub-core/normal/auth.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/grub-core/lib/crypto.c b/grub-core/lib/crypto.c
+index 010e550..524a3d8 100644
+--- a/grub-core/lib/crypto.c
++++ b/grub-core/lib/crypto.c
+@@ -468,7 +468,7 @@ grub_password_get (char buf[], unsigned buf_size)
+ break;
+ }
+
+- if (key == '\b')
++ if (key == '\b' && cur_len)
+ {
+ cur_len--;
+ continue;
+diff --git a/grub-core/normal/auth.c b/grub-core/normal/auth.c
+index c6bd96e..5782ec5 100644
+--- a/grub-core/normal/auth.c
++++ b/grub-core/normal/auth.c
+@@ -172,7 +172,7 @@ grub_username_get (char buf[], unsigned buf_size)
+ break;
+ }
+
+- if (key == '\b')
++ if (key == '\b' && cur_len)
+ {
+ cur_len--;
+ grub_printf ("\b");
+--
+1.9.1
+
-- cgit 1.4.1
From 097190417f7eadbb02370970acfe8b05da4a619d Mon Sep 17 00:00:00 2001
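Review bot: In grub-CVE-2015-8370.patch, folding the length test into the condition, `if (key == '\b' && cur_len)`, means a backspace at `cur_len == 0` no longer reaches `continue` and instead falls through to the code after the block, which is outside both hunks. If that code does not filter non-printable keys, the `'\b'` byte would be handled as ordinary input. Keeping `if (key == '\b')` and guarding only the decrement, `if (cur_len) cur_len--;` (with the `grub_printf ("\b")` under the same guard in grub_username_get), preserves the original control flow. Separately, the commit subject names CVE-2015-8730 while the patch file and the grub.scm entry use CVE-2015-8370, so one of the two looks like a transposition.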
From: Mark H Weaver Date: Wed, 23 Dec 2015 10:46:23 -0500 Subject: gnu: icecat: Update to 38.5.0-gnu1. * gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch, gnu/packages/patches/icecat-CVE-2015-7205.patch, gnu/packages/patches/icecat-CVE-2015-7210.patch, gnu/packages/patches/icecat-CVE-2015-7212.patch, gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7214.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch, gnu/packages/patches/icecat-freetype-2.6.patch: Delete files. * gnu-system.am (dist_patch_DATA): Remove them. * gnu/packages/gnuzilla.scm (icecat): Update to 38.5.0-gnu1. [source]: Remove patches. --- gnu-system.am | 13 - gnu/packages/gnuzilla.scm | 19 +- .../patches/icecat-CVE-2015-7201-pt1.patch | 123 ------- .../patches/icecat-CVE-2015-7201-pt2.patch | 29 -- .../patches/icecat-CVE-2015-7201-pt3.patch | 35 -- gnu/packages/patches/icecat-CVE-2015-7205.patch | 84 ----- gnu/packages/patches/icecat-CVE-2015-7210.patch | 47 --- gnu/packages/patches/icecat-CVE-2015-7212.patch | 364 --------------------- .../patches/icecat-CVE-2015-7213-pt1.patch | 32 -- .../patches/icecat-CVE-2015-7213-pt2.patch | 27 -- gnu/packages/patches/icecat-CVE-2015-7214.patch | 47 --- .../patches/icecat-CVE-2015-7222-pt1.patch | 112 ------- .../patches/icecat-CVE-2015-7222-pt2.patch | 34 -- .../patches/icecat-CVE-2015-7222-pt3.patch | 37 --- gnu/packages/patches/icecat-freetype-2.6.patch | 14 - 15 files changed, 3 insertions(+), 1014 deletions(-) delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch delete mode 100644 
gnu/packages/patches/icecat-CVE-2015-7205.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7210.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7212.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7214.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch delete mode 100644 gnu/packages/patches/icecat-freetype-2.6.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index df177b62d5..e1874fa6c1 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -512,20 +512,7 @@ dist_patch_DATA = \ gnu/packages/patches/hop-linker-flags.patch \ gnu/packages/patches/hydra-automake-1.15.patch \ gnu/packages/patches/hydra-disable-darcs-test.patch \ - gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch \ - gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch \ - gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch \ - gnu/packages/patches/icecat-CVE-2015-7205.patch \ - gnu/packages/patches/icecat-CVE-2015-7210.patch \ - gnu/packages/patches/icecat-CVE-2015-7212.patch \ - gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch \ - gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch \ - gnu/packages/patches/icecat-CVE-2015-7214.patch \ - gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch \ - gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch \ - gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch \ gnu/packages/patches/icecat-avoid-bundled-includes.patch \ - gnu/packages/patches/icecat-freetype-2.6.patch \ gnu/packages/patches/icu4c-CVE-2014-6585.patch \ gnu/packages/patches/icu4c-CVE-2015-1270.patch \ gnu/packages/patches/icu4c-CVE-2015-4760.patch \ 
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 3172bc8c45..40a13e7939 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -266,7 +266,7 @@ standards.") (define-public icecat (package (name "icecat") - (version "38.4.0-gnu1") + (version "38.5.0-gnu1") (source (origin (method url-fetch) @@ -275,21 +275,8 @@ standards.") name "-" version ".tar.bz2")) (sha256 (base32 - "0rcaa19rfgclwd2qvcz8798m57jjzra6kaxg5dniysajvx7qndfp")) - (patches (map search-patch '("icecat-CVE-2015-7210.patch" - "icecat-CVE-2015-7205.patch" - "icecat-CVE-2015-7201-pt1.patch" - "icecat-CVE-2015-7201-pt2.patch" - "icecat-CVE-2015-7212.patch" - "icecat-CVE-2015-7213-pt1.patch" - "icecat-CVE-2015-7213-pt2.patch" - "icecat-CVE-2015-7222-pt1.patch" - "icecat-CVE-2015-7222-pt2.patch" - "icecat-CVE-2015-7222-pt3.patch" - "icecat-CVE-2015-7214.patch" - "icecat-CVE-2015-7201-pt3.patch" - "icecat-avoid-bundled-includes.patch" - "icecat-freetype-2.6.patch"))) + "1bf20mpvx84jsa0dan2hhfc49f30v0wasikv7sh3cg8mwp62faj6")) + (patches (map search-patch '("icecat-avoid-bundled-includes.patch"))) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch deleted file mode 100644 index 0fcfe9b409..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch +++ /dev/null 
@@ -1,123 +0,0 @@ -From e2bbd632e220be7626efd34acb9a517430d36004 Mon Sep 17 00:00:00 2001 -From: Andrew Comminos -Date: Fri, 23 Oct 2015 21:35:16 -0700 -Subject: [PATCH] Bug 1203135 - Terminate linking if maximum vertex attribute - count is exceeded on Mesa. r=jgilbert, a=ritu - ---HG-- -extra : source : 8021382da9722db0ad97ebd93698b69a74f0d9b0 -extra : intermediate-source : 90eff805d2810e9d9ea88f6869335b0500b1a536 ---- - dom/canvas/WebGLProgram.cpp | 28 ++++++++++++++++++---------- - dom/canvas/WebGLShader.cpp | 10 ++++++++++ - dom/canvas/WebGLShader.h | 1 + - dom/canvas/WebGLShaderValidator.cpp | 6 ++++++ - dom/canvas/WebGLShaderValidator.h | 1 + - 5 files changed, 36 insertions(+), 10 deletions(-) - -diff --git a/dom/canvas/WebGLProgram.cpp b/dom/canvas/WebGLProgram.cpp -index 78f7413..0e056e8 100644 ---- a/dom/canvas/WebGLProgram.cpp -+++ b/dom/canvas/WebGLProgram.cpp -@@ -569,18 +569,26 @@ WebGLProgram::LinkProgram() - gl::GLContext* gl = mContext->gl; - gl->MakeCurrent(); - -- // Bug 777028: Mesa can't handle more than 16 samplers per program, -- // counting each array entry. -- size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() + -- mFragShader->CalcNumSamplerUniforms(); - if (gl->WorkAroundDriverBugs() && -- mContext->mIsMesa && -- numSamplerUniforms_upperBound > 16) -+ mContext->mIsMesa) - { -- mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on" -- " Mesa drivers to avoid crashing."); -- mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading()); -- return false; -+ // Bug 777028: Mesa can't handle more than 16 samplers per program, -+ // counting each array entry. 
-+ size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() + -+ mFragShader->CalcNumSamplerUniforms(); -+ if (numSamplerUniforms_upperBound > 16) { -+ mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on" -+ " Mesa drivers to avoid crashing."); -+ mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading()); -+ return false; -+ } -+ -+ // Bug 1203135: Mesa crashes internally if we exceed the reported maximum attribute count. -+ if (mVertShader->NumAttributes() > mContext->MaxVertexAttribs()) { -+ mLinkLog.AssignLiteral("Number of attributes exceeds Mesa's reported max attribute count."); -+ mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading()); -+ return false; -+ } - } - - // Bind the attrib locations. -diff --git a/dom/canvas/WebGLShader.cpp b/dom/canvas/WebGLShader.cpp -index 85a3809..bab4157 100644 ---- a/dom/canvas/WebGLShader.cpp -+++ b/dom/canvas/WebGLShader.cpp -@@ -299,6 +299,16 @@ WebGLShader::CalcNumSamplerUniforms() const - return 0; - } - -+size_t -+WebGLShader::NumAttributes() const -+{ -+ if (mValidator) -+ return mValidator->NumAttributes(); -+ -+ // TODO -+ return 0; -+} -+ - void - WebGLShader::BindAttribLocation(GLuint prog, const nsCString& userName, - GLuint index) const -diff --git a/dom/canvas/WebGLShader.h b/dom/canvas/WebGLShader.h -index 698e30c..2c80b16a 100644 ---- a/dom/canvas/WebGLShader.h -+++ b/dom/canvas/WebGLShader.h -@@ -45,6 +45,7 @@ public: - // Util funcs - bool CanLinkTo(const WebGLShader* prev, nsCString* const out_log) const; - size_t CalcNumSamplerUniforms() const; -+ size_t NumAttributes() const; - void BindAttribLocation(GLuint prog, const nsCString& userName, GLuint index) const; - bool FindAttribUserNameByMappedName(const nsACString& mappedName, - nsDependentCString* const out_userName) const; -diff --git a/dom/canvas/WebGLShaderValidator.cpp b/dom/canvas/WebGLShaderValidator.cpp -index 80005e2..8bedf88 100644 ---- 
a/dom/canvas/WebGLShaderValidator.cpp -+++ b/dom/canvas/WebGLShaderValidator.cpp -@@ -274,6 +274,12 @@ ShaderValidator::CalcNumSamplerUniforms() const - return accum; - } - -+size_t -+ShaderValidator::NumAttributes() const -+{ -+ return ShGetAttributes(mHandle)->size(); -+} -+ - // Attribs cannot be structs or arrays, and neither can vertex inputs in ES3. - // Therefore, attrib names are always simple. - bool -diff --git a/dom/canvas/WebGLShaderValidator.h b/dom/canvas/WebGLShaderValidator.h -index 35db2f1..1f794bf0 100644 ---- a/dom/canvas/WebGLShaderValidator.h -+++ b/dom/canvas/WebGLShaderValidator.h -@@ -41,6 +41,7 @@ public: - void GetOutput(nsACString* out) const; - bool CanLinkTo(const ShaderValidator* prev, nsCString* const out_log) const; - size_t CalcNumSamplerUniforms() const; -+ size_t NumAttributes() const; - - bool FindAttribUserNameByMappedName(const std::string& mappedName, - const std::string** const out_userName) const; --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch deleted file mode 100644 index 3764371a11..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch +++ /dev/null 
@@ -1,29 +0,0 @@ -From f02e3252391f5fa79916e4c8f30b3d8340d06cc7 Mon Sep 17 00:00:00 2001 -From: "Carsten \"Tomcat\" Book" -Date: Tue, 8 Dec 2015 12:38:15 +0100 -Subject: [PATCH] Bug 1225250 - fix stride on SourceSurfaceSkia when - initialized from GPU texture. r=jmuizelaar, a=lizzard - ---- - gfx/2d/SourceSurfaceSkia.cpp | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/gfx/2d/SourceSurfaceSkia.cpp b/gfx/2d/SourceSurfaceSkia.cpp -index 4b95bc2..d7e0714 100644 ---- a/gfx/2d/SourceSurfaceSkia.cpp -+++ b/gfx/2d/SourceSurfaceSkia.cpp -@@ -110,8 +110,10 @@ SourceSurfaceSkia::InitFromTexture(DrawTargetSkia* aOwner, - GrTexture *skiaTexture = aOwner->mGrContext->wrapBackendTexture(skiaTexGlue); - SkImageInfo imgInfo = SkImageInfo::Make(aSize.width, aSize.height, GfxFormatToSkiaColorType(aFormat), kOpaque_SkAlphaType); - SkGrPixelRef *texRef = new SkGrPixelRef(imgInfo, skiaTexture, false); -- mBitmap.setInfo(imgInfo, aSize.width*aSize.height*4); -+ mBitmap.setInfo(imgInfo); - mBitmap.setPixelRef(texRef); -+ mFormat = aFormat; -+ mStride = mBitmap.rowBytes(); - - mDrawTarget = aOwner; - return true; --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch deleted file mode 100644 index 022ab5cc16..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 567a97b6347ac8c2b93ec788c437b7e9bb23ef75 Mon Sep 17 00:00:00 2001 -From: Edwin Flores -Date: Wed, 2 Dec 2015 16:15:29 +0100 -Subject: [PATCH] Bug 1224100 - Initialize padding to 0 in Downscaler. r=seth, - a=sledru - ---- - image/src/Downscaler.cpp | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp -index 24ecfda..2a7acfd 100644 ---- a/image/src/Downscaler.cpp -+++ b/image/src/Downscaler.cpp -@@ -86,11 +86,16 @@ Downscaler::BeginFrame(const nsIntSize& aOriginalSize, - mTargetSize.height, mYFilter.get()); - - // Allocate the buffer, which contains scanlines of the original image. -- mRowBuffer = MakeUnique(mOriginalSize.width * sizeof(uint32_t)); -+ size_t bufferLen = mOriginalSize.width * sizeof(uint32_t); -+ mRowBuffer = MakeUnique(bufferLen); - if (MOZ_UNLIKELY(!mRowBuffer)) { - return NS_ERROR_OUT_OF_MEMORY; - } - -+ // Zero buffer to keep valgrind happy. -+ memset(mRowBuffer.get(), 0, bufferLen); -+ -+ - // Allocate the window, which contains horizontally downscaled scanlines. (We - // can store scanlines which are already downscale because our downscaling - // filter is separable.) --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7205.patch b/gnu/packages/patches/icecat-CVE-2015-7205.patch deleted file mode 100644 index 620fa0d6bd..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7205.patch +++ /dev/null 
@@ -1,84 +0,0 @@ -From 20df7b0b3f3e7dd201c9811bbb1e6515da8da359 Mon Sep 17 00:00:00 2001 -From: Randell Jesup -Date: Thu, 5 Nov 2015 10:17:29 -0500 -Subject: [PATCH] Bug 1220493 - validate RTP packets against underflows. - r=pkerr a=sylvestre - ---HG-- -extra : source : 575d3aa376b1c8e7507d94833f7b74bf963127cb -extra : intermediate-source : 2c1b396ef5c3e2424fb9af56d86ebf6f6551a997 ---- - .../webrtc/modules/rtp_rtcp/source/rtp_utility.cc | 26 ++++++++++++---------- - 1 file changed, 14 insertions(+), 12 deletions(-) - -diff --git a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc -index 9334b23..80cf55a 100644 ---- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc -+++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc -@@ -338,12 +338,6 @@ bool RtpHeaderParser::Parse(RTPHeader& header, - return false; - } - -- const uint8_t CSRCocts = CC * 4; -- -- if ((ptr + CSRCocts) > _ptrRTPDataEnd) { -- return false; -- } -- - header.markerBit = M; - header.payloadType = PT; - header.sequenceNumber = sequenceNumber; -@@ -352,6 +346,14 @@ bool RtpHeaderParser::Parse(RTPHeader& header, - header.numCSRCs = CC; - header.paddingLength = P ? *(_ptrRTPDataEnd - 1) : 0; - -+ // 12 == sizeof(RFC rtp header) == kRtpMinParseLength, each CSRC=4 bytes -+ header.headerLength = 12 + (CC * 4); -+ // not a full validation, just safety against underflow. Padding must -+ // start after the header. We can have 0 payload bytes left, note. 
-+ if (header.paddingLength + header.headerLength > length) { -+ return false; -+ } -+ - for (unsigned int i = 0; i < CC; ++i) { - uint32_t CSRC = *ptr++ << 24; - CSRC += *ptr++ << 16; -@@ -359,8 +361,7 @@ bool RtpHeaderParser::Parse(RTPHeader& header, - CSRC += *ptr++; - header.arrOfCSRCs[i] = CSRC; - } -- -- header.headerLength = 12 + CSRCocts; -+ assert((ptr - _ptrRTPDataBegin) == header.headerLength); - - // If in effect, MAY be omitted for those packets for which the offset - // is zero. -@@ -385,8 +386,9 @@ bool RtpHeaderParser::Parse(RTPHeader& header, - | header extension | - | .... | - */ -- const ptrdiff_t remain = _ptrRTPDataEnd - ptr; -- if (remain < 4) { -+ // earlier test ensures we have at least paddingLength bytes left -+ const ptrdiff_t remain = (_ptrRTPDataEnd - ptr) - header.paddingLength; -+ if (remain < 4) { // minimum header extension length = 32 bits - return false; - } - -@@ -395,11 +397,11 @@ bool RtpHeaderParser::Parse(RTPHeader& header, - uint16_t definedByProfile = *ptr++ << 8; - definedByProfile += *ptr++; - -- uint16_t XLen = *ptr++ << 8; -+ size_t XLen = *ptr++ << 8; - XLen += *ptr++; // in 32 bit words - XLen *= 4; // in octs - -- if (remain < (4 + XLen)) { -+ if (remain < (4 + XLen)) { // we already accounted for padding - return false; - } - if (definedByProfile == kRtpOneByteHeaderExtensionId) { --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7210.patch b/gnu/packages/patches/icecat-CVE-2015-7210.patch deleted file mode 100644 index eab57021db..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7210.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From 4e0cd9ba4924869f91be0e7c8cf666182bb75f90 Mon Sep 17 00:00:00 2001 -From: "Byron Campen [:bwc]" -Date: Wed, 28 Oct 2015 12:48:17 -0500 -Subject: [PATCH] Bug 1218326 - Prevent datachannel operations on closed - PeerConnections. r=jesup a=sylvestre - ---HG-- -extra : source : a7637b62d9b5ab73f58e5aa3c663d7d35b624826 -extra : intermediate-source : d8f0412f38f75040064157d8d2b0140df21600e6 ---- - media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp -index c3d8d26..fe86ff7 100644 ---- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp -+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp -@@ -1004,7 +1004,7 @@ PeerConnectionImpl::GetIdentity() const - NS_IMETHODIMP - PeerConnectionImpl::EnsureDataConnection(uint16_t aNumstreams) - { -- PC_AUTO_ENTER_API_CALL_NO_CHECK(); -+ PC_AUTO_ENTER_API_CALL(false); - - #ifdef MOZILLA_INTERNAL_API - if (mDataConnection) { -@@ -1102,7 +1102,7 @@ PeerConnectionImpl::GetDatachannelParameters( - nsresult - PeerConnectionImpl::InitializeDataChannel() - { -- PC_AUTO_ENTER_API_CALL_NO_CHECK(); -+ PC_AUTO_ENTER_API_CALL(false); - CSFLogDebug(logTag, "%s", __FUNCTION__); - - const JsepApplicationCodecDescription* codec; -@@ -1184,7 +1184,7 @@ PeerConnectionImpl::CreateDataChannel(const nsAString& aLabel, - uint16_t aStream, - nsDOMDataChannel** aRetval) - { -- PC_AUTO_ENTER_API_CALL_NO_CHECK(); -+ PC_AUTO_ENTER_API_CALL(false); - MOZ_ASSERT(aRetval); - - #ifdef MOZILLA_INTERNAL_API --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7212.patch b/gnu/packages/patches/icecat-CVE-2015-7212.patch deleted file mode 100644 index 7bda486ff7..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7212.patch +++ /dev/null 
@@ -1,364 +0,0 @@ -From 595e3a152ff2912a950defd0ef4b5f659135b03a Mon Sep 17 00:00:00 2001 -From: Nicolas Silva -Date: Wed, 18 Nov 2015 16:59:11 +0100 -Subject: [PATCH] Bug 1222809 - Don't try to allocate unreasonably large - textures. r=Bas, a=sylvestre - ---- - gfx/2d/2D.h | 25 ++++++++++-- - gfx/2d/Factory.cpp | 67 ++++++++++++++++++++++++++++----- - gfx/layers/ImageDataSerializer.cpp | 21 ++++++----- - gfx/layers/YCbCrImageDataSerializer.cpp | 7 ++++ - gfx/layers/client/TextureClient.cpp | 12 ++++++ - gfx/thebes/gfxPlatform.cpp | 15 ++++++-- - gfx/thebes/gfxPrefs.h | 3 ++ - 7 files changed, 124 insertions(+), 26 deletions(-) - -diff --git a/gfx/2d/2D.h b/gfx/2d/2D.h -index cf35bb2..b1e0e3e 100644 ---- a/gfx/2d/2D.h -+++ b/gfx/2d/2D.h -@@ -1082,22 +1082,41 @@ struct TileSet - size_t mTileCount; - }; - -+struct Config { -+ LogForwarder* mLogForwarder; -+ int32_t mMaxTextureSize; -+ int32_t mMaxAllocSize; -+ -+ Config() -+ : mLogForwarder(nullptr) -+ , mMaxTextureSize(8192) -+ , mMaxAllocSize(52000000) -+ {} -+}; -+ - class GFX2D_API Factory - { - public: -+ static void Init(const Config& aConfig); -+ static void ShutDown(); -+ - static bool HasSSE2(); - - /** Make sure that the given dimensions don't overflow a 32-bit signed int - * using 4 bytes per pixel; optionally, make sure that either dimension - * doesn't exceed the given limit. - */ -- static bool CheckSurfaceSize(const IntSize &sz, int32_t limit = 0); -+ static bool CheckSurfaceSize(const IntSize &sz, -+ int32_t limit = 0, -+ int32_t allocLimit = 0); - - /** Make sure the given dimension satisfies the CheckSurfaceSize and is - * within 8k limit. The 8k value is chosen a bit randomly. 
- */ - static bool ReasonableSurfaceSize(const IntSize &aSize); - -+ static bool AllowedSurfaceSize(const IntSize &aSize); -+ - static TemporaryRef CreateDrawTargetForCairoSurface(cairo_surface_t* aSurface, const IntSize& aSize, SurfaceFormat* aFormat = nullptr); - - static TemporaryRef -@@ -1171,10 +1190,10 @@ public: - - static uint32_t GetMaxSurfaceSize(BackendType aType); - -- static LogForwarder* GetLogForwarder() { return mLogForwarder; } -+ static LogForwarder* GetLogForwarder() { return sConfig ? sConfig->mLogForwarder : nullptr; } - - private: -- static LogForwarder* mLogForwarder; -+ static Config* sConfig; - public: - - #ifdef USE_SKIA_GPU -diff --git a/gfx/2d/Factory.cpp b/gfx/2d/Factory.cpp -index 948d3c3..6750c28 100644 ---- a/gfx/2d/Factory.cpp -+++ b/gfx/2d/Factory.cpp -@@ -188,6 +188,35 @@ ID2D1Device *Factory::mD2D1Device; - - DrawEventRecorder *Factory::mRecorder; - -+mozilla::gfx::Config* Factory::sConfig = nullptr; -+ -+void -+Factory::Init(const Config& aConfig) -+{ -+ MOZ_ASSERT(!sConfig); -+ sConfig = new Config(aConfig); -+ -+ // Make sure we don't completely break rendering because of a typo in the -+ // pref or whatnot. 
-+ const int32_t kMinAllocPref = 10000000; -+ const int32_t kMinSizePref = 2048; -+ if (sConfig->mMaxAllocSize < kMinAllocPref) { -+ sConfig->mMaxAllocSize = kMinAllocPref; -+ } -+ if (sConfig->mMaxTextureSize < kMinSizePref) { -+ sConfig->mMaxTextureSize = kMinSizePref; -+ } -+} -+ -+void -+Factory::ShutDown() -+{ -+ if (sConfig) { -+ delete sConfig; -+ sConfig = nullptr; -+ } -+} -+ - bool - Factory::HasSSE2() - { -@@ -222,11 +251,25 @@ inline int LoggerOptionsBasedOnSize(const IntSize& aSize) - bool - Factory::ReasonableSurfaceSize(const IntSize &aSize) - { -- return Factory::CheckSurfaceSize(aSize,8192); -+ return Factory::CheckSurfaceSize(aSize, 8192); -+} -+ -+bool -+Factory::AllowedSurfaceSize(const IntSize &aSize) -+{ -+ if (sConfig) { -+ return Factory::CheckSurfaceSize(aSize, -+ sConfig->mMaxTextureSize, -+ sConfig->mMaxAllocSize); -+ } -+ -+ return CheckSurfaceSize(aSize); - } - - bool --Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit) -+Factory::CheckSurfaceSize(const IntSize &sz, -+ int32_t extentLimit, -+ int32_t allocLimit) - { - if (sz.width <= 0 || sz.height <= 0) { - gfxDebug() << "Surface width or height <= 0!"; -@@ -234,8 +277,8 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit) - } - - // reject images with sides bigger than limit -- if (limit && (sz.width > limit || sz.height > limit)) { -- gfxDebug() << "Surface size too large (exceeds caller's limit)!"; -+ if (extentLimit && (sz.width > extentLimit || sz.height > extentLimit)) { -+ gfxDebug() << "Surface size too large (exceeds extent limit)!"; - return false; - } - -@@ -267,13 +310,18 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit) - return false; - } - -+ if (allocLimit && allocLimit < numBytes.value()) { -+ gfxDebug() << "Surface size too large (exceeds allocation limit)!"; -+ return false; -+ } -+ - return true; - } - - TemporaryRef - Factory::CreateDrawTarget(BackendType aBackend, const IntSize &aSize, SurfaceFormat aFormat) - { -- if 
(!CheckSurfaceSize(aSize)) { -+ if (!AllowedSurfaceSize(aSize)) { - gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize; - return nullptr; - } -@@ -364,7 +412,7 @@ Factory::CreateDrawTargetForData(BackendType aBackend, - SurfaceFormat aFormat) - { - MOZ_ASSERT(aData); -- if (!CheckSurfaceSize(aSize)) { -+ if (!AllowedSurfaceSize(aSize)) { - gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize; - return nullptr; - } -@@ -835,7 +883,7 @@ Factory::CreateDataSourceSurface(const IntSize &aSize, - SurfaceFormat aFormat, - bool aZero) - { -- if (!CheckSurfaceSize(aSize)) { -+ if (!AllowedSurfaceSize(aSize)) { - gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize; - return nullptr; - } -@@ -881,14 +929,13 @@ Factory::SetGlobalEventRecorder(DrawEventRecorder *aRecorder) - mRecorder = aRecorder; - } - --LogForwarder* Factory::mLogForwarder = nullptr; -- - // static - void - Factory::SetLogForwarder(LogForwarder* aLogFwd) { -- mLogForwarder = aLogFwd; -+ sConfig->mLogForwarder = aLogFwd; - } - -+ - // static - void - CriticalLogger::OutputMessage(const std::string &aString, -diff --git a/gfx/layers/ImageDataSerializer.cpp b/gfx/layers/ImageDataSerializer.cpp -index 5dd6aca..331dd04 100644 ---- a/gfx/layers/ImageDataSerializer.cpp -+++ b/gfx/layers/ImageDataSerializer.cpp -@@ -84,21 +84,23 @@ ImageDataSerializerBase::ComputeMinBufferSize(IntSize aSize, - SurfaceFormat aFormat) - { - MOZ_ASSERT(aSize.height >= 0 && aSize.width >= 0); -- if (aSize.height <= 0 || aSize.width <= 0) { -- gfxDebug() << "Non-positive image buffer size request " << aSize.width << "x" << aSize.height; -+ -+ // This takes care of checking whether there could be overflow -+ // with enough margin for the metadata. 
-+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) { - return 0; - } - -- CheckedInt bufsize = ComputeStride(aFormat, aSize.width); -- bufsize *= aSize.height; -+ int32_t bufsize = GetAlignedStride<16>(ComputeStride(aFormat, aSize.width) -+ * aSize.height) -+ + SurfaceBufferInfo::GetOffset(); - -- if (!bufsize.isValid() || bufsize.value() <= 0) { -- gfxDebug() << "Buffer size overflow " << aSize.width << "x" << aSize.height; -+ if (bufsize < 0) { -+ // This should not be possible thanks to Factory::AllowedSurfaceSize - return 0; - } - -- return SurfaceBufferInfo::GetOffset() -- + GetAlignedStride<16>(bufsize.value()); -+ return bufsize; - } - - void -@@ -114,7 +116,8 @@ ImageDataSerializerBase::Validate() - } - size_t requiredSize = - ComputeMinBufferSize(IntSize(info->width, info->height), info->format); -- mIsValid = requiredSize <= mDataSize; -+ -+ mIsValid = !!requiredSize && requiredSize <= mDataSize; - } - - uint8_t* -diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp -index c8e148d..05f5ab2 100644 ---- a/gfx/layers/YCbCrImageDataSerializer.cpp -+++ b/gfx/layers/YCbCrImageDataSerializer.cpp -@@ -150,6 +150,13 @@ YCbCrImageDataDeserializerBase::ComputeMinBufferSize(const gfx::IntSize& aYSize, - gfxDebug() << "Non-positive YCbCr buffer size request " << aYSize.height << "x" << aYSize.width << ", " << aCbCrSize.height << "x" << aCbCrSize.width; - return 0; - } -+ -+ if (!gfx::Factory::AllowedSurfaceSize(aYSize) || -+ aCbCrSize.width > aYSize.width || -+ aCbCrSize.height > aYSize.height) { -+ return 0; -+ } -+ - return ComputeOffset(aYSize.height, aYStride) - + 2 * ComputeOffset(aCbCrSize.height, aCbCrStride) - + MOZ_ALIGN_WORD(sizeof(YCbCrBufferInfo)); -diff --git a/gfx/layers/client/TextureClient.cpp b/gfx/layers/client/TextureClient.cpp -index 9b45ca0..6ae7cbf 100644 ---- a/gfx/layers/client/TextureClient.cpp -+++ b/gfx/layers/client/TextureClient.cpp -@@ -315,6 +315,10 @@ 
TextureClient::CreateForDrawing(ISurfaceAllocator* aAllocator, - aMoz2DBackend = gfxPlatform::GetPlatform()->GetContentBackend(); - } - -+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) { -+ return nullptr; -+ } -+ - RefPtr texture; - - #if defined(MOZ_WIDGET_GONK) || defined(XP_WIN) -@@ -415,6 +419,10 @@ TextureClient::CreateForRawBufferAccess(ISurfaceAllocator* aAllocator, - TextureFlags aTextureFlags, - TextureAllocationFlags aAllocFlags) - { -+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) { -+ return nullptr; -+ } -+ - RefPtr texture = - CreateBufferTextureClient(aAllocator, aFormat, - aTextureFlags, aMoz2DBackend); -@@ -434,6 +442,10 @@ TextureClient::CreateForYCbCr(ISurfaceAllocator* aAllocator, - StereoMode aStereoMode, - TextureFlags aTextureFlags) - { -+ if (!gfx::Factory::AllowedSurfaceSize(aYSize)) { -+ return nullptr; -+ } -+ - RefPtr texture; - if (aAllocator->IsSameProcess()) { - texture = new MemoryTextureClient(aAllocator, gfx::SurfaceFormat::YUV, -diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp -index 41e4b0c..209a0a8 100644 ---- a/gfx/thebes/gfxPlatform.cpp -+++ b/gfx/thebes/gfxPlatform.cpp -@@ -458,13 +458,18 @@ gfxPlatform::Init() - } - gEverInitialized = true; - -- CrashStatsLogForwarder* logForwarder = new CrashStatsLogForwarder("GraphicsCriticalError"); -- mozilla::gfx::Factory::SetLogForwarder(logForwarder); -- - // Initialize the preferences by creating the singleton. 
- gfxPrefs::GetSingleton(); - -- logForwarder->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength()); -+ auto fwd = new CrashStatsLogForwarder("GraphicsCriticalError"); -+ fwd->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength()); -+ -+ mozilla::gfx::Config cfg; -+ cfg.mLogForwarder = fwd; -+ cfg.mMaxTextureSize = gfxPrefs::MaxTextureSize(); -+ cfg.mMaxAllocSize = gfxPrefs::MaxAllocSize(); -+ -+ gfx::Factory::Init(cfg); - - gGfxPlatformPrefsLock = new Mutex("gfxPlatform::gGfxPlatformPrefsLock"); - -@@ -641,6 +646,8 @@ gfxPlatform::Shutdown() - delete mozilla::gfx::Factory::GetLogForwarder(); - mozilla::gfx::Factory::SetLogForwarder(nullptr); - -+ gfx::Factory::ShutDown(); -+ - delete gGfxPlatformPrefsLock; - - gfxPrefs::DestroySingleton(); -diff --git a/gfx/thebes/gfxPrefs.h b/gfx/thebes/gfxPrefs.h -index b7a5fb9..038e1ff 100644 ---- a/gfx/thebes/gfxPrefs.h -+++ b/gfx/thebes/gfxPrefs.h -@@ -209,6 +209,9 @@ private: - DECL_GFX_PREF(Live, "gfx.layerscope.port", LayerScopePort, int32_t, 23456); - // Note that "gfx.logging.level" is defined in Logging.h - DECL_GFX_PREF(Once, "gfx.logging.crash.length", GfxLoggingCrashLength, uint32_t, 6); -+ // The maximums here are quite conservative, we can tighten them if problems show up. -+ DECL_GFX_PREF(Once, "gfx.max-alloc-size", MaxAllocSize, int32_t, (int32_t)500000000); -+ DECL_GFX_PREF(Once, "gfx.max-texture-size", MaxTextureSize, int32_t, (int32_t)32767); - DECL_GFX_PREF(Live, "gfx.perf-warnings.enabled", PerfWarnings, bool, false); - DECL_GFX_PREF(Once, "gfx.work-around-driver-bugs", WorkAroundDriverBugs, bool, true); - --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch deleted file mode 100644 index 854c91b8aa..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch +++ /dev/null 
@@ -1,32 +0,0 @@
-From 3f31bf9e243fb3de26e36d6be0bb0153f51c5b2a Mon Sep 17 00:00:00 2001
-From: Jean-Yves Avenard
-Date: Wed, 9 Dec 2015 09:54:58 +0100
-Subject: [PATCH] Bug 1206211 - P1. Ensure operation can't overflow.
- r=kentuckyfriedtakahe, a=sylvestre
-
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index 22163fa..318152a 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -508,10 +508,13 @@ status_t MPEG4Extractor::readMetaData() {
- CHECK_NE(err, (status_t)NO_INIT);
-
- // copy pssh data into file metadata
-- int psshsize = 0;
-+ uint64_t psshsize = 0;
- for (size_t i = 0; i < mPssh.size(); i++) {
- psshsize += 20 + mPssh[i].datalen;
- }
-+ if (psshsize > kMAX_ALLOCATION) {
-+ return ERROR_MALFORMED;
-+ }
- if (psshsize) {
- char *buf = (char*)malloc(psshsize);
- char *ptr = buf;
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch
deleted file mode 100644
index 20bbd36281..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From bb6870bd6dc3acb183f44360c7cc6488656f47ea Mon Sep 17 00:00:00 2001
-From: Jean-Yves Avenard
-Date: Wed, 9 Dec 2015 09:55:16 +0100
-Subject: [PATCH] Bug 1206211 - P2. Abort on OOM. r=kentuckyfriedtakahe,
- a=sylvestre
-
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index 318152a..c6aaf1d 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -517,6 +517,9 @@ status_t MPEG4Extractor::readMetaData() {
- }
- if (psshsize) {
- char *buf = (char*)malloc(psshsize);
-+ if (!buf) {
-+ return ERROR_MALFORMED;
-+ }
- char *ptr = buf;
- for (size_t i = 0; i < mPssh.size(); i++) {
- memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7214.patch b/gnu/packages/patches/icecat-CVE-2015-7214.patch
deleted file mode 100644
index 3a56d3d2cd..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7214.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 487799700b0b676c2c6b95ad33c8afb8dbd329d8 Mon Sep 17 00:00:00 2001
-From: Bobby Holley
-Date: Mon, 14 Dec 2015 15:36:20 -0500
-Subject: [PATCH] Bug 1228950 - Disallow scheme sets on nsHostObjectURI. r=bz,
- a=lizzard
-
----
- dom/base/nsHostObjectURI.cpp | 9 +++++++++
- dom/base/nsHostObjectURI.h | 2 ++
- 2 files changed, 11 insertions(+)
-
-diff --git a/dom/base/nsHostObjectURI.cpp b/dom/base/nsHostObjectURI.cpp
-index 94b02ff..57b0209 100644
---- a/dom/base/nsHostObjectURI.cpp
-+++ b/dom/base/nsHostObjectURI.cpp
-@@ -81,6 +81,15 @@ nsHostObjectURI::Write(nsIObjectOutputStream* aStream)
- true);
- }
-
-+NS_IMETHODIMP
-+nsHostObjectURI::SetScheme(const nsACString& aScheme)
-+{
-+ // Disallow setting the scheme, since that could cause us to be associated
-+ // with a different protocol handler that doesn't expect us to be carrying
-+ // around a principal with nsIURIWithPrincipal.
-+ return NS_ERROR_FAILURE;
-+}
-+
- // nsIURI methods:
- nsresult
- nsHostObjectURI::CloneInternal(nsSimpleURI::RefHandlingEnum aRefHandlingMode,
-diff --git a/dom/base/nsHostObjectURI.h b/dom/base/nsHostObjectURI.h
-index b468d5d..23ff7ab 100644
---- a/dom/base/nsHostObjectURI.h
-+++ b/dom/base/nsHostObjectURI.h
-@@ -34,6 +34,8 @@ public:
- NS_DECL_NSISERIALIZABLE
- NS_DECL_NSICLASSINFO
-
-+ NS_IMETHOD SetScheme(const nsACString &aProtocol) override;
-+
- // Override CloneInternal() and EqualsInternal()
- virtual nsresult CloneInternal(RefHandlingEnum aRefHandlingMode,
- nsIURI** aClone) override;
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
deleted file mode 100644
index c5d0e4ad60..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
+++ /dev/null
@@ -1,112 +0,0 @@ -From 76e6db3e514350fd146cb04425e669d63b59f889 Mon Sep 17 00:00:00 2001 -From: Gerald Squelart -Date: Wed, 9 Dec 2015 09:59:37 +0100 -Subject: [PATCH] Bug 1216748 - p2. Handle failed malloc in Metadata storage - - r=rillian, a=sylvestre - ---- - .../av/include/media/stagefright/MetaData.h | 2 +- - .../av/media/libstagefright/MetaData.cpp | 35 ++++++++++++++-------- - 2 files changed, 24 insertions(+), 13 deletions(-) - -diff --git a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h -index 30d969d..0a8ff77 100644 ---- a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h -+++ b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h -@@ -248,7 +248,7 @@ private: - return mSize <= sizeof(u.reservoir); - } - -- void allocateStorage(size_t size); -+ bool allocateStorage(size_t size); - void freeStorage(); - - void *storage() { -diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp -index c832c96..cba324d 100644 ---- a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp -+++ b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp -@@ -220,7 +220,7 @@ bool MetaData::findData(uint32_t key, uint32_t *type, - } - - MetaData::typed_data::typed_data() -- : mType(0), -+ : mType(TYPE_NONE), - mSize(0) { - } - -@@ -231,17 +231,19 @@ MetaData::typed_data::~typed_data() { - MetaData::typed_data::typed_data(const typed_data &from) - : mType(from.mType), - mSize(0) { -- allocateStorage(from.mSize); -- memcpy(storage(), from.storage(), mSize); -+ if (allocateStorage(from.mSize)) { -+ memcpy(storage(), from.storage(), mSize); -+ } - } - - MetaData::typed_data &MetaData::typed_data::operator=( - const MetaData::typed_data &from) { - if (this != &from) { - clear(); -- mType = from.mType; -- 
allocateStorage(from.mSize); -- memcpy(storage(), from.storage(), mSize); -+ if (allocateStorage(from.mSize)) { -+ mType = from.mType; -+ memcpy(storage(), from.storage(), mSize); -+ } - } - - return *this; -@@ -250,16 +252,17 @@ MetaData::typed_data &MetaData::typed_data::operator=( - void MetaData::typed_data::clear() { - freeStorage(); - -- mType = 0; -+ mType = TYPE_NONE; - } - - void MetaData::typed_data::setData( - uint32_t type, const void *data, size_t size) { - clear(); - -- mType = type; -- allocateStorage(size); -- memcpy(storage(), data, size); -+ if (allocateStorage(size)) { -+ mType = type; -+ memcpy(storage(), data, size); -+ } - } - - void MetaData::typed_data::getData( -@@ -269,14 +272,22 @@ void MetaData::typed_data::getData( - *data = storage(); - } - --void MetaData::typed_data::allocateStorage(size_t size) { -+bool MetaData::typed_data::allocateStorage(size_t size) { -+ // Update mSize now, as it is needed by usesReservoir() below. -+ // (mSize will be reset if the allocation fails further below.) - mSize = size; - - if (usesReservoir()) { -- return; -+ return true; - } - - u.ext_data = malloc(mSize); -+ if (!u.ext_data) { -+ mType = TYPE_NONE; -+ mSize = 0; -+ return false; -+ } -+ return true; - } - - void MetaData::typed_data::freeStorage() { --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch deleted file mode 100644 index 688d7f903f..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch +++ /dev/null 
@@ -1,34 +0,0 @@
-From 63c353cf8ec6b787936f602532026bd9923a16e4 Mon Sep 17 00:00:00 2001
-From: Gerald Squelart
-Date: Wed, 9 Dec 2015 10:00:13 +0100
-Subject: [PATCH] Bug 1216748 - p3. Ensure 'covr' data size cannot create
- underflow - r=rillian, a=sylvestre
-
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index c6aaf1d..a69fc14 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -1889,12 +1889,15 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
- if (mFileMetaData != NULL) {
- ALOGV("chunk_data_size = %lld and data_offset = %lld",
- chunk_data_size, data_offset);
-+ const int kSkipBytesOfDataBox = 16;
-+ if (chunk_data_size <= kSkipBytesOfDataBox) {
-+ return ERROR_MALFORMED;
-+ }
- sp buffer = new ABuffer(chunk_data_size + 1);
- if (mDataSource->readAt(
- data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {
- return ERROR_IO;
- }
-- const int kSkipBytesOfDataBox = 16;
- mFileMetaData->setData(
- kKeyAlbumArt, MetaData::TYPE_NONE,
- buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch
deleted file mode 100644
index 2f3c95623d..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0221ef0c389bff196ff59fa18232467d3648b926 Mon Sep 17 00:00:00 2001
-From: Gerald Squelart
-Date: Wed, 9 Dec 2015 10:00:32 +0100
-Subject: [PATCH] Bug 1216748 - p4. Check other Metadata::setData uses -
- r=rillian, a=sylvestre
-
-Found only one other use that needed better checks: the size of the pssh
-data was only checked after all items were added up; so it would be
-possible to create a set of big items such that they create an overflow,
-but the final sum looks reasonable.
-Instead each item size should be checked, and the sum should also be
-checked at each step.
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index a69fc14..413a495 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -511,9 +511,10 @@ status_t MPEG4Extractor::readMetaData() {
- uint64_t psshsize = 0;
- for (size_t i = 0; i < mPssh.size(); i++) {
- psshsize += 20 + mPssh[i].datalen;
-- }
-- if (psshsize > kMAX_ALLOCATION) {
-- return ERROR_MALFORMED;
-+ if (mPssh[i].datalen > kMAX_ALLOCATION - 20 ||
-+ psshsize > kMAX_ALLOCATION) {
-+ return ERROR_MALFORMED;
-+ }
- }
- if (psshsize) {
- char *buf = (char*)malloc(psshsize);
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-freetype-2.6.patch b/gnu/packages/patches/icecat-freetype-2.6.patch
deleted file mode 100644
index ef69f2f715..0000000000
--- a/gnu/packages/patches/icecat-freetype-2.6.patch
+++ /dev/null
@@ -1,14 +0,0 @@ -Adapt to freetype 2.6. This patch copied from upstream, see: -https://bugzilla.mozilla.org/show_bug.cgi?id=1143411 -https://hg.mozilla.org/mozilla-central/rev/afd840d66e6a - ---- a/config/system-headers -+++ b/config/system-headers -@@ -415,6 +415,7 @@ freetype/ftbitmap.h - freetype/ftxf86.h - freetype.h - ftcache.h -+ftfntfmt.h - ftglyph.h - ftsynth.h - ftoutln.h -- cgit 1.4.1 From b7e7d1b9d3121f057e71e17e1ead645d123ee335 Mon Sep 17 00:00:00 2001 From: Leo Famulari Date: Sat, 26 Dec 2015 01:29:21 -0500 Subject: gnu: fuse: Update to 2.9.4. * gnu/packages/patches/fuse-CVE-2015-3202.patch: Delete file. * gnu-system.am (dist_patch_DATA): Remove it. * gnu/packages/linux.scm (fuse): Update to 2.9.4. [source]: Remove patch. --- gnu-system.am | 1 - gnu/packages/linux.scm | 13 +++--- gnu/packages/patches/fuse-CVE-2015-3202.patch | 65 --------------------------- 3 files changed, 8 insertions(+), 71 deletions(-) delete mode 100644 gnu/packages/patches/fuse-CVE-2015-3202.patch (limited to 'gnu/packages/patches') diff --git a/gnu-system.am b/gnu-system.am index e1874fa6c1..78669bd0d3 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -467,7 +467,6 @@ dist_patch_DATA = \ gnu/packages/patches/flint-ldconfig.patch \ gnu/packages/patches/fltk-shared-lib-defines.patch \ gnu/packages/patches/freeimage-CVE-2015-0852.patch \ - gnu/packages/patches/fuse-CVE-2015-3202.patch \ gnu/packages/patches/gawk-shell.patch \ gnu/packages/patches/gcc-arm-link-spec-fix.patch \ gnu/packages/patches/gcc-cross-environment-variables.patch \ diff --git a/gnu/packages/linux.scm b/gnu/packages/linux.scm index 1fc3c4e45f..fcae17b609 100644 --- a/gnu/packages/linux.scm +++ b/gnu/packages/linux.scm 
@@ -1242,15 +1242,18 @@ processes currently causing I/O.") (define-public fuse (package (name "fuse") - (version "2.9.3") + (version "2.9.4") (source (origin (method url-fetch) - (uri (string-append "mirror://sourceforge/fuse/fuse-" - version ".tar.gz")) + (uri (let ((version-with-underscores + (string-join (string-split version #\.) "_"))) + (string-append + "https://github.com/libfuse/libfuse/" + "releases/download/" version-with-underscores + "/fuse-" version ".tar.gz"))) (sha256 (base32 - "071r6xjgssy8vwdn6m28qq1bqxsd2bphcd2mzhq0grf5ybm87sqb")) - (patches (list (search-patch "fuse-CVE-2015-3202.patch"))))) + "1qbwp63a2bp0bchabkwiyzszi9x5krlk2pwk2is6g35gyszw1sbb")))) (build-system gnu-build-system) (inputs `(("util-linux" ,util-linux))) (arguments diff --git a/gnu/packages/patches/fuse-CVE-2015-3202.patch b/gnu/packages/patches/fuse-CVE-2015-3202.patch deleted file mode 100644 index 7c64de7683..0000000000 --- a/gnu/packages/patches/fuse-CVE-2015-3202.patch +++ /dev/null 
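Review bot: The new `origin` drops `(patches (list (search-patch "fuse-CVE-2015-3202.patch")))` without a comment saying why the fix is no longer needed, and nothing visible on this page shows that the 2.9.4 tarball carries the environment-scrubbing change that patch made to `lib/mount_util.c` (the `execle` calls with an empty environment). If the release does include it, record that next to the version with a comment such as `;; 2.9.4 includes the upstream fix for CVE-2015-3202, so the patch was dropped.`, so that a later change of version or source does not silently lose the fix. The download also moves from `mirror://sourceforge` to a GitHub release URL; the `sha256` still pins the content, but the new hash should be confirmed against the upstream release rather than taken only from the first download. The `package` form continues past the end of the hunk.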
@@ -1,65 +0,0 @@ -The following patch was copied from Debian. - -Description: Fix CVE-2015-3202 - Missing scrubbing of the environment before executing a mount or umount - of a filesystem. -Origin: upstream -Author: Miklos Szeredi -Last-Update: 2015-05-19 - ---- - lib/mount_util.c | 23 +++++++++++++++++------ - 1 file changed, 17 insertions(+), 6 deletions(-) - ---- a/lib/mount_util.c -+++ b/lib/mount_util.c -@@ -95,10 +95,12 @@ static int add_mount(const char *prognam - goto out_restore; - } - if (res == 0) { -+ char *env = NULL; -+ - sigprocmask(SIG_SETMASK, &oldmask, NULL); - setuid(geteuid()); -- execl("/bin/mount", "/bin/mount", "--no-canonicalize", "-i", -- "-f", "-t", type, "-o", opts, fsname, mnt, NULL); -+ execle("/bin/mount", "/bin/mount", "--no-canonicalize", "-i", -+ "-f", "-t", type, "-o", opts, fsname, mnt, NULL, &env); - fprintf(stderr, "%s: failed to execute /bin/mount: %s\n", - progname, strerror(errno)); - exit(1); -@@ -146,10 +148,17 @@ static int exec_umount(const char *progn - goto out_restore; - } - if (res == 0) { -+ char *env = NULL; -+ - sigprocmask(SIG_SETMASK, &oldmask, NULL); - setuid(geteuid()); -- execl("/bin/umount", "/bin/umount", "-i", rel_mnt, -- lazy ? 
"-l" : NULL, NULL); -+ if (lazy) { -+ execle("/bin/umount", "/bin/umount", "-i", rel_mnt, -+ "-l", NULL, &env); -+ } else { -+ execle("/bin/umount", "/bin/umount", "-i", rel_mnt, -+ NULL, &env); -+ } - fprintf(stderr, "%s: failed to execute /bin/umount: %s\n", - progname, strerror(errno)); - exit(1); -@@ -205,10 +214,12 @@ static int remove_mount(const char *prog - goto out_restore; - } - if (res == 0) { -+ char *env = NULL; -+ - sigprocmask(SIG_SETMASK, &oldmask, NULL); - setuid(geteuid()); -- execl("/bin/umount", "/bin/umount", "--no-canonicalize", "-i", -- "--fake", mnt, NULL); -+ execle("/bin/umount", "/bin/umount", "--no-canonicalize", "-i", -+ "--fake", mnt, NULL, &env); - fprintf(stderr, "%s: failed to execute /bin/umount: %s\n", - progname, strerror(errno)); - exit(1); -- cgit 1.4.1