summary refs log tree commit diff
path: root/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch
blob: 8bcae6177aab28d9f3addd908579b0ff58ea81db (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
From 81ce99255a0ef65c98eaac300d90c1dc161efc54 Mon Sep 17 00:00:00 2001
From: Ben Turner <bent.mozilla@gmail.com>
Date: Tue, 9 Jun 2015 09:46:58 -0400
Subject: [PATCH] Bug 1142210. r=khuey, a=dveditz CLOSED TREE

--HG--
extra : amend_source : 5626188ba4b79f7c25286d4f29c63dc387e63c75
extra : transplant_source : %F0%A1%D6F%E6%1B%1FJO%BFH%29%FFo%97%2A%89%03%ECm
---
 dom/indexedDB/IDBRequest.cpp             |  5 +++++
 dom/indexedDB/IDBRequest.h               |  3 +++
 dom/indexedDB/IndexedDatabaseManager.cpp | 22 +++++++++++++++++-----
 3 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/dom/indexedDB/IDBRequest.cpp b/dom/indexedDB/IDBRequest.cpp
index 36e8a96..695f2ee 100644
--- a/dom/indexedDB/IDBRequest.cpp
+++ b/dom/indexedDB/IDBRequest.cpp
@@ -35,6 +35,8 @@
 
 namespace {
 
+NS_DEFINE_IID(kIDBRequestIID, PRIVATE_IDBREQUEST_IID);
+
 #ifdef MOZ_ENABLE_PROFILER_SPS
 uint64_t gNextRequestSerialNumber = 1;
 #endif
@@ -382,6 +384,9 @@ NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(IDBRequest, IDBWrapperCache)
 NS_IMPL_CYCLE_COLLECTION_TRACE_END
 
 NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(IDBRequest)
+  if (aIID.Equals(kIDBRequestIID)) {
+    foundInterface = this;
+  } else
 NS_INTERFACE_MAP_END_INHERITING(IDBWrapperCache)
 
 NS_IMPL_ADDREF_INHERITED(IDBRequest, IDBWrapperCache)
diff --git a/dom/indexedDB/IDBRequest.h b/dom/indexedDB/IDBRequest.h
index c835ae8..c8d1081 100644
--- a/dom/indexedDB/IDBRequest.h
+++ b/dom/indexedDB/IDBRequest.h
@@ -19,6 +19,9 @@
 
 #include "mozilla/dom/indexedDB/IDBWrapperCache.h"
 
+#define PRIVATE_IDBREQUEST_IID \
+  {0xe68901e5, 0x1d50, 0x4ee9, {0xaf, 0x49, 0x90, 0x99, 0x4a, 0xff, 0xc8, 0x39}}
+
 class nsIScriptContext;
 class nsPIDOMWindow;
 
diff --git a/dom/indexedDB/IndexedDatabaseManager.cpp b/dom/indexedDB/IndexedDatabaseManager.cpp
index 466d0ff..820dfa6 100644
--- a/dom/indexedDB/IndexedDatabaseManager.cpp
+++ b/dom/indexedDB/IndexedDatabaseManager.cpp
@@ -318,19 +318,31 @@ IndexedDatabaseManager::FireWindowOnError(nsPIDOMWindow* aOwner,
     return NS_OK;
   }
 
+  Event* internalEvent = aVisitor.mDOMEvent->InternalDOMEvent();
+  MOZ_ASSERT(internalEvent);
+
+  if (!internalEvent->IsTrusted()) {
+    return NS_OK;
+  }
+
   nsString type;
-  nsresult rv = aVisitor.mDOMEvent->GetType(type);
+  nsresult rv = internalEvent->GetType(type);
   NS_ENSURE_SUCCESS(rv, rv);
 
   if (!type.EqualsLiteral(ERROR_EVT_STR)) {
     return NS_OK;
   }
 
-  nsCOMPtr<EventTarget> eventTarget =
-    aVisitor.mDOMEvent->InternalDOMEvent()->GetTarget();
+  nsCOMPtr<EventTarget> eventTarget = internalEvent->GetTarget();
+  MOZ_ASSERT(eventTarget);
 
-  IDBRequest* request = static_cast<IDBRequest*>(eventTarget.get());
-  NS_ENSURE_TRUE(request, NS_ERROR_UNEXPECTED);
+  // Only mess with events that were originally targeted to an IDBRequest.
+  nsRefPtr<IDBRequest> request;
+  if (NS_FAILED(eventTarget->QueryInterface(kIDBRequestIID,
+                                            getter_AddRefs(request))) ||
+      !request) {
+    return NS_OK;
+  }
 
   ErrorResult ret;
   nsRefPtr<DOMError> error = request->GetError(ret);
-- 
2.4.3