Browse Source

gnu: icecat: Apply fixes for CVE-2015-{0822,0827,0831,0836}.

* gnu/packages/patches/icecat-CVE-2015-0822.patch,
  gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch,
  gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch,
  gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch,
  gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch,
  gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
version-0.8.3
Mark H Weaver 7 years ago
parent
commit
8830740643
  1. 17
      gnu-system.am
  2. 20
      gnu/packages/gnuzilla.scm
  3. 154
      gnu/packages/patches/icecat-CVE-2015-0822.patch
  4. 33
      gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch
  5. 35
      gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch
  6. 56
      gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch
  7. 32
      gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch
  8. 26
      gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch
  9. 26
      gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch
  10. 27
      gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch
  11. 220
      gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch
  12. 89
      gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch
  13. 25
      gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch
  14. 41
      gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch
  15. 54
      gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch
  16. 53
      gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch
  17. 52
      gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch
  18. 219
      gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch
  19. 104
      gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch

17
gnu-system.am

@ -421,6 +421,23 @@ dist_patch_DATA = \
gnu/packages/patches/guix-test-networking.patch \
gnu/packages/patches/gtkglext-disable-disable-deprecated.patch \
gnu/packages/patches/hop-bigloo-4.0b.patch \
gnu/packages/patches/icecat-CVE-2015-0822.patch \
gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch \
gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch \
gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch \
gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch \
gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch \
gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch \
gnu/packages/patches/irrlicht-mesa-10.patch \
gnu/packages/patches/jbig2dec-ignore-testtest.patch \
gnu/packages/patches/kmod-module-directory.patch \

20
gnu/packages/gnuzilla.scm

@ -224,7 +224,25 @@ standards.")
version "/" name "-" version ".tar.bz2"))
(sha256
(base32
"0q5ilgfybcrbwf9hq9zc1cpnlhq1pddnnjmdrxrcrrg8lgx5kkc2"))))
"0q5ilgfybcrbwf9hq9zc1cpnlhq1pddnnjmdrxrcrrg8lgx5kkc2"))
(patches (map search-patch
'("icecat-CVE-2015-0822.patch"
"icecat-CVE-2015-0827-pt-1.patch"
"icecat-CVE-2015-0827-pt-2.patch"
"icecat-CVE-2015-0827-pt-3.patch"
"icecat-CVE-2015-0831-pt-1.patch"
"icecat-CVE-2015-0831-pt-2.patch"
"icecat-CVE-2015-0836-pt-01.patch"
"icecat-CVE-2015-0836-pt-02.patch"
"icecat-CVE-2015-0836-pt-03.patch"
"icecat-CVE-2015-0836-pt-04.patch"
"icecat-CVE-2015-0836-pt-05.patch"
"icecat-CVE-2015-0836-pt-06.patch"
"icecat-CVE-2015-0836-pt-07.patch"
"icecat-CVE-2015-0836-pt-08.patch"
"icecat-CVE-2015-0836-pt-09.patch"
"icecat-CVE-2015-0836-pt-10.patch"
"icecat-CVE-2015-0836-pt-11.patch")))))
(build-system gnu-build-system)
(inputs
`(("alsa-lib" ,alsa-lib)

154
gnu/packages/patches/icecat-CVE-2015-0822.patch

@ -0,0 +1,154 @@
From 0922145c255bf2503d3b2dd5f8f1e813338ba990 Mon Sep 17 00:00:00 2001
From: Mats Palmgren <mats@mozilla.com>
Date: Sat, 24 Jan 2015 12:37:47 -0500
Subject: [PATCH] Bug 1110557. r=mak, r=gavin, a=bkerensa
---
.../components/satchel/nsFormFillController.cpp | 67 +++++++++++++++-------
toolkit/components/satchel/nsFormFillController.h | 5 ++
2 files changed, 52 insertions(+), 20 deletions(-)
diff --git a/toolkit/components/satchel/nsFormFillController.cpp b/toolkit/components/satchel/nsFormFillController.cpp
index 315fc68..676ad84 100644
--- a/toolkit/components/satchel/nsFormFillController.cpp
+++ b/toolkit/components/satchel/nsFormFillController.cpp
@@ -61,6 +61,7 @@ nsFormFillController::nsFormFillController() :
mSuppressOnInput(false)
{
mController = do_GetService("@mozilla.org/autocomplete/controller;1");
+ MOZ_ASSERT(mController);
}
struct PwmgrInputsEnumData
@@ -104,6 +105,21 @@ nsFormFillController::AttributeChanged(nsIDocument* aDocument,
int32_t aNameSpaceID,
nsIAtom* aAttribute, int32_t aModType)
{
+ if ((aAttribute == nsGkAtoms::type || aAttribute == nsGkAtoms::readonly ||
+ aAttribute == nsGkAtoms::autocomplete) &&
+ aNameSpaceID == kNameSpaceID_None) {
+ nsCOMPtr<nsIDOMHTMLInputElement> focusedInput(mFocusedInput);
+ // Reset the current state of the controller, unconditionally.
+ StopControllingInput();
+ // Then restart based on the new values. We have to delay this
+ // to avoid ending up in an endless loop due to re-registering our
+ // mutation observer (which would notify us again for *this* event).
+ nsCOMPtr<nsIRunnable> event =
+ NS_NewRunnableMethodWithArg<nsCOMPtr<nsIDOMHTMLInputElement>>
+ (this, &nsFormFillController::MaybeStartControllingInput, focusedInput);
+ NS_DispatchToCurrentThread(event);
+ }
+
if (mListNode && mListNode->Contains(aElement)) {
RevalidateDataList();
}
@@ -841,28 +857,26 @@ nsFormFillController::RemoveForDocumentEnumerator(const nsINode* aKey,
return PL_DHASH_NEXT;
}
-nsresult
-nsFormFillController::Focus(nsIDOMEvent* aEvent)
+void
+nsFormFillController::MaybeStartControllingInput(nsIDOMHTMLInputElement* aInput)
{
- nsCOMPtr<nsIDOMHTMLInputElement> input = do_QueryInterface(
- aEvent->InternalDOMEvent()->GetTarget());
- nsCOMPtr<nsINode> inputNode = do_QueryInterface(input);
+ nsCOMPtr<nsINode> inputNode = do_QueryInterface(aInput);
if (!inputNode)
- return NS_OK;
+ return;
- nsCOMPtr<nsIFormControl> formControl = do_QueryInterface(input);
+ nsCOMPtr<nsIFormControl> formControl = do_QueryInterface(aInput);
if (!formControl || !formControl->IsSingleLineTextControl(true))
- return NS_OK;
+ return;
bool isReadOnly = false;
- input->GetReadOnly(&isReadOnly);
+ aInput->GetReadOnly(&isReadOnly);
if (isReadOnly)
- return NS_OK;
+ return;
- bool autocomplete = nsContentUtils::IsAutocompleteEnabled(input);
+ bool autocomplete = nsContentUtils::IsAutocompleteEnabled(aInput);
nsCOMPtr<nsIDOMHTMLElement> datalist;
- input->GetList(getter_AddRefs(datalist));
+ aInput->GetList(getter_AddRefs(datalist));
bool hasList = datalist != nullptr;
bool dummy;
@@ -871,9 +885,16 @@ nsFormFillController::Focus(nsIDOMEvent* aEvent)
isPwmgrInput = true;
if (isPwmgrInput || hasList || autocomplete) {
- StartControllingInput(input);
+ StartControllingInput(aInput);
}
+}
+nsresult
+nsFormFillController::Focus(nsIDOMEvent* aEvent)
+{
+ nsCOMPtr<nsIDOMHTMLInputElement> input = do_QueryInterface(
+ aEvent->InternalDOMEvent()->GetTarget());
+ MaybeStartControllingInput(input);
return NS_OK;
}
@@ -1087,6 +1108,10 @@ nsFormFillController::StartControllingInput(nsIDOMHTMLInputElement *aInput)
// Make sure we're not still attached to an input
StopControllingInput();
+ if (!mController) {
+ return;
+ }
+
// Find the currently focused docShell
nsCOMPtr<nsIDocShell> docShell = GetDocShellForInput(aInput);
int32_t index = GetIndexOfDocShell(docShell);
@@ -1129,13 +1154,15 @@ nsFormFillController::StopControllingInput()
mListNode = nullptr;
}
- // Reset the controller's input, but not if it has been switched
- // to another input already, which might happen if the user switches
- // focus by clicking another autocomplete textbox
- nsCOMPtr<nsIAutoCompleteInput> input;
- mController->GetInput(getter_AddRefs(input));
- if (input == this)
- mController->SetInput(nullptr);
+ if (mController) {
+ // Reset the controller's input, but not if it has been switched
+ // to another input already, which might happen if the user switches
+ // focus by clicking another autocomplete textbox
+ nsCOMPtr<nsIAutoCompleteInput> input;
+ mController->GetInput(getter_AddRefs(input));
+ if (input == this)
+ mController->SetInput(nullptr);
+ }
if (mFocusedInputNode) {
MaybeRemoveMutationObserver(mFocusedInputNode);
diff --git a/toolkit/components/satchel/nsFormFillController.h b/toolkit/components/satchel/nsFormFillController.h
index b60d28d..8c3ba26 100644
--- a/toolkit/components/satchel/nsFormFillController.h
+++ b/toolkit/components/satchel/nsFormFillController.h
@@ -62,6 +62,11 @@ protected:
void StartControllingInput(nsIDOMHTMLInputElement *aInput);
void StopControllingInput();
+ /**
+ * Checks that aElement is a type of element we want to fill, then calls
+ * StartControllingInput on it.
+ */
+ void MaybeStartControllingInput(nsIDOMHTMLInputElement* aElement);
nsresult PerformInputListAutoComplete(nsIAutoCompleteResult* aPreviousResult);
--
2.2.1

33
gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch

@ -0,0 +1,33 @@
From 28b6204b1421aa57b3c10c43d90cb516910bc80f Mon Sep 17 00:00:00 2001
From: Markus Stange <mstange@themasta.com>
Date: Tue, 6 Jan 2015 12:08:39 +0100
Subject: [PATCH] Bug 1117304 - Also do the checks at the start of CopyRect in
release builds. r=Bas, a=sledru
---
gfx/2d/FilterNodeSoftware.cpp | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp
index 00d790f..396d0da 100644
--- a/gfx/2d/FilterNodeSoftware.cpp
+++ b/gfx/2d/FilterNodeSoftware.cpp
@@ -253,9 +253,12 @@ CopyRect(DataSourceSurface* aSrc, DataSourceSurface* aDest,
MOZ_CRASH("we should never be getting invalid rects at this point");
}
- MOZ_ASSERT(aSrc->GetFormat() == aDest->GetFormat(), "different surface formats");
- MOZ_ASSERT(IntRect(IntPoint(), aSrc->GetSize()).Contains(aSrcRect), "source rect too big for source surface");
- MOZ_ASSERT(IntRect(IntPoint(), aDest->GetSize()).Contains(aSrcRect - aSrcRect.TopLeft() + aDestPoint), "dest surface too small");
+ MOZ_RELEASE_ASSERT(aSrc->GetFormat() == aDest->GetFormat(),
+ "different surface formats");
+ MOZ_RELEASE_ASSERT(IntRect(IntPoint(), aSrc->GetSize()).Contains(aSrcRect),
+ "source rect too big for source surface");
+ MOZ_RELEASE_ASSERT(IntRect(IntPoint(), aDest->GetSize()).Contains(IntRect(aDestPoint, aSrcRect.Size())),
+ "dest surface too small");
if (aSrcRect.IsEmpty()) {
return;
--
2.2.1

35
gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch

@ -0,0 +1,35 @@
From 5ff75fbe51d5760a96b4e614617c9cbf35f1fbaa Mon Sep 17 00:00:00 2001
From: Markus Stange <mstange@themasta.com>
Date: Mon, 5 Jan 2015 18:40:27 +0100
Subject: [PATCH] Bug 1117304 - Make sure the tile filter doesn't call CopyRect
on surfaces with different formats. r=Bas, a=sledru
---
gfx/2d/FilterNodeSoftware.cpp | 11 ++++++++++-
1 file changed, 10 insertions(+), 1 deletion(-)
diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp
index 396d0da..10d92c6 100644
--- a/gfx/2d/FilterNodeSoftware.cpp
+++ b/gfx/2d/FilterNodeSoftware.cpp
@@ -1568,7 +1568,16 @@ FilterNodeTileSoftware::Render(const IntRect& aRect)
return nullptr;
}
}
- MOZ_ASSERT(input->GetFormat() == target->GetFormat(), "different surface formats from the same input?");
+
+ if (input->GetFormat() != target->GetFormat()) {
+ // Different rectangles of the input can have different formats. If
+ // that happens, just convert everything to B8G8R8A8.
+ target = FilterProcessing::ConvertToB8G8R8A8(target);
+ input = FilterProcessing::ConvertToB8G8R8A8(input);
+ if (MOZ2D_WARN_IF(!target) || MOZ2D_WARN_IF(!input)) {
+ return nullptr;
+ }
+ }
CopyRect(input, target, srcRect - srcRect.TopLeft(), destRect.TopLeft() - aRect.TopLeft());
}
--
2.2.1

56
gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch

@ -0,0 +1,56 @@
From c91087708686ae1c47abee65e19536688e5ec8f2 Mon Sep 17 00:00:00 2001
From: Ryan VanderMeulen <ryanvm@gmail.com>
Date: Mon, 26 Jan 2015 17:24:46 -0500
Subject: [PATCH] Bug 1117304 - Add missing MOZ2D_WARN_IF definition to fix
bustage. r=milan, a=bustage
---
gfx/2d/FilterNodeSoftware.cpp | 1 +
gfx/2d/Logging.h | 19 +++++++++++++++++++
2 files changed, 20 insertions(+)
diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp
index 10d92c6..48bf162 100644
--- a/gfx/2d/FilterNodeSoftware.cpp
+++ b/gfx/2d/FilterNodeSoftware.cpp
@@ -12,6 +12,7 @@
#include "Blur.h"
#include <map>
#include "FilterProcessing.h"
+#include "Logging.h"
#include "mozilla/PodOperations.h"
#include "mozilla/DebugOnly.h"
diff --git a/gfx/2d/Logging.h b/gfx/2d/Logging.h
index 85e788c..d7728bb 100644
--- a/gfx/2d/Logging.h
+++ b/gfx/2d/Logging.h
@@ -155,6 +155,25 @@ typedef Log<LOG_WARNING> WarningLog;
#define gfxWarning if (1) ; else NoLog
#endif
+// See nsDebug.h and the NS_WARN_IF macro
+
+#ifdef __cplusplus
+#ifdef DEBUG
+inline bool MOZ2D_warn_if_impl(bool aCondition, const char* aExpr,
+ const char* aFile, int32_t aLine)
+{
+ if (MOZ_UNLIKELY(aCondition)) {
+ gfxWarning() << aExpr << " at " << aFile << ":" << aLine;
+ }
+ return aCondition;
+}
+#define MOZ2D_WARN_IF(condition) \
+ MOZ2D_warn_if_impl(condition, #condition, __FILE__, __LINE__)
+#else
+#define MOZ2D_WARN_IF(condition) (bool)(condition)
+#endif
+#endif
+
const int INDENT_PER_LEVEL = 2;
class TreeLog
--
2.2.1

32
gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch

@ -0,0 +1,32 @@
From c8437505a63fc2b2552b8af217d60d79abb92ba3 Mon Sep 17 00:00:00 2001
From: Ben Turner <bent.mozilla@gmail.com>
Date: Fri, 6 Feb 2015 15:25:33 -0800
Subject: [PATCH] Bug 1130541. r=janv, a=sledru
---
dom/indexedDB/IDBDatabase.cpp | 2 ++
1 file changed, 2 insertions(+)
diff --git a/dom/indexedDB/IDBDatabase.cpp b/dom/indexedDB/IDBDatabase.cpp
index 7329cec..c9c7e4f 100644
--- a/dom/indexedDB/IDBDatabase.cpp
+++ b/dom/indexedDB/IDBDatabase.cpp
@@ -536,6 +536,7 @@ IDBDatabase::CreateObjectStore(
IDBTransaction* transaction = AsyncConnectionHelper::GetCurrentTransaction();
if (!transaction ||
+ transaction->Database() != this ||
transaction->GetMode() != IDBTransaction::VERSION_CHANGE) {
aRv.Throw(NS_ERROR_DOM_INDEXEDDB_NOT_ALLOWED_ERR);
return nullptr;
@@ -577,6 +578,7 @@ IDBDatabase::DeleteObjectStore(const nsAString& aName, ErrorResult& aRv)
IDBTransaction* transaction = AsyncConnectionHelper::GetCurrentTransaction();
if (!transaction ||
+ transaction->Database() != this ||
transaction->GetMode() != IDBTransaction::VERSION_CHANGE) {
aRv.Throw(NS_ERROR_DOM_INDEXEDDB_NOT_ALLOWED_ERR);
return;
--
2.2.1

26
gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch

@ -0,0 +1,26 @@
From 4e799e44288c951f8d9acd17e7d8c56c9ee6a7d3 Mon Sep 17 00:00:00 2001
From: Ben Turner <bent.mozilla@gmail.com>
Date: Mon, 9 Feb 2015 14:38:26 -0800
Subject: [PATCH] Bug 1130541 followup a=test-only
--HG--
extra : amend_source : 23d80353f87897fdac9c99048d12ebe4ed390f76
---
dom/indexedDB/test/browser_quotaPrompt.html | 1 +
1 file changed, 1 insertion(+)
diff --git a/dom/indexedDB/test/browser_quotaPrompt.html b/dom/indexedDB/test/browser_quotaPrompt.html
index c139970..dbeea68 100644
--- a/dom/indexedDB/test/browser_quotaPrompt.html
+++ b/dom/indexedDB/test/browser_quotaPrompt.html
@@ -38,6 +38,7 @@
let request = indexedDB.open(window.location.pathname, version++);
request.onerror = errorHandler;
request.onupgradeneeded = function(event) {
+ let db = event.target.result;
db.deleteObjectStore("foo");
db.onversionchange = function () { db.close(); };
request.transaction.oncomplete = function(event) {
--
2.2.1

26
gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch

@ -0,0 +1,26 @@
From 4106ffa6ee83b814428bb07948b3595e3fa3847e Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Tue, 10 Feb 2015 09:40:46 +0100
Subject: [PATCH] Bug 1128196 - Don't relazify scripts with a TypeScript.
r=till, a=lmandel
---
js/src/jsscript.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
index 4d548ef..9a0cfbb 100644
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@@ -1251,7 +1251,7 @@ class JSScript : public js::gc::BarrieredCell<JSScript>
}
bool isRelazifiable() const {
- return (selfHosted() || lazyScript) &&
+ return (selfHosted() || lazyScript) && !types &&
!isGenerator() && !hasBaselineScript() && !hasAnyIonScript() && !hasBeenInlined();
}
void setLazyScript(js::LazyScript *lazy) {
--
2.2.1

27
gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch

@ -0,0 +1,27 @@
From 83c4bfeea2d2203f726e3bfcb7ee6fe56b4d9703 Mon Sep 17 00:00:00 2001
From: Ryan VanderMeulen <ryanvm@gmail.com>
Date: Thu, 29 Jan 2015 10:31:25 -0500
Subject: [PATCH] Bug 1111248. r=Waldo, a=sledru
---
js/src/jsbool.cpp | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/js/src/jsbool.cpp b/js/src/jsbool.cpp
index 5d88bd5..8d5d672 100644
--- a/js/src/jsbool.cpp
+++ b/js/src/jsbool.cpp
@@ -198,7 +198,8 @@ js::ToBooleanSlow(HandleValue v)
bool
js::BooleanGetPrimitiveValueSlow(HandleObject wrappedBool)
{
- JSObject *obj = wrappedBool->as<ProxyObject>().target();
- JS_ASSERT(obj);
+ JSObject *obj = CheckedUnwrap(wrappedBool);
+ if (!obj || !obj->is<BooleanObject>())
+ return false;
return obj->as<BooleanObject>().unbox();
}
--
2.2.1

220
gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch

@ -0,0 +1,220 @@
From 4e4e34238e5bb5af83a645a5f4d2097e3b30e9dd Mon Sep 17 00:00:00 2001
From: Tom Schuster <evilpies@gmail.com>
Date: Sun, 25 Jan 2015 21:42:10 +0100
Subject: [PATCH] Bug 1111243 - Implement ES6 proxy behavior for IsArray.
r=efaust, a=abillings
---
browser/devtools/app-manager/app-projects.js | 2 ++
js/public/Class.h | 5 +++-
js/src/jsarray.cpp | 9 ++++--
js/src/jsobjinlines.h | 15 +++++++++-
js/src/json.cpp | 11 +++----
js/src/jsproxy.cpp | 45 ++++++++++++++++++++++++++++
6 files changed, 78 insertions(+), 9 deletions(-)
diff --git a/browser/devtools/app-manager/app-projects.js b/browser/devtools/app-manager/app-projects.js
index d09f72f..77ca67b 100644
--- a/browser/devtools/app-manager/app-projects.js
+++ b/browser/devtools/app-manager/app-projects.js
@@ -61,6 +61,8 @@ const IDB = {
add: function(project) {
let deferred = promise.defer();
+ project = JSON.parse(JSON.stringify(project));
+
if (!project.location) {
// We need to make sure this object has a `.location` property.
deferred.reject("Missing location property on project object.");
diff --git a/js/public/Class.h b/js/public/Class.h
index ff864b1..46f7d39 100644
--- a/js/public/Class.h
+++ b/js/public/Class.h
@@ -521,7 +521,10 @@ Valueify(const JSClass *c)
*/
enum ESClassValue {
ESClass_Array, ESClass_Number, ESClass_String, ESClass_Boolean,
- ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date
+ ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date,
+ // Special snowflake for the ES6 IsArray method.
+ // Please don't use it without calling that function.
+ ESClass_IsArray
};
/*
diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
index 24da176..46f1c20 100644
--- a/js/src/jsarray.cpp
+++ b/js/src/jsarray.cpp
@@ -2645,7 +2645,8 @@ js::array_concat(JSContext *cx, unsigned argc, Value *vp)
HandleValue v = HandleValue::fromMarkedLocation(&p[i]);
if (v.isObject()) {
RootedObject obj(cx, &v.toObject());
- if (ObjectClassIs(obj, ESClass_Array, cx)) {
+ // This should be IsConcatSpreadable
+ if (IsArray(obj, cx)) {
uint32_t alength;
if (!GetLengthProperty(cx, obj, &alength))
return false;
@@ -2870,7 +2871,11 @@ static bool
array_isArray(JSContext *cx, unsigned argc, Value *vp)
{
CallArgs args = CallArgsFromVp(argc, vp);
- bool isArray = args.length() > 0 && IsObjectWithClass(args[0], ESClass_Array, cx);
+ bool isArray = false;
+ if (args.get(0).isObject()) {
+ RootedObject obj(cx, &args[0].toObject());
+ isArray = IsArray(obj, cx);
+ }
args.rval().setBoolean(isArray);
return true;
}
diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h
index e848ba7..557dd26 100644
--- a/js/src/jsobjinlines.h
+++ b/js/src/jsobjinlines.h
@@ -1032,7 +1032,10 @@ ObjectClassIs(HandleObject obj, ESClassValue classValue, JSContext *cx)
return Proxy::objectClassIs(obj, classValue, cx);
switch (classValue) {
- case ESClass_Array: return obj->is<ArrayObject>();
+ case ESClass_Array:
+ case ESClass_IsArray:
+ // There difference between those is only relevant for proxies.
+ return obj->is<ArrayObject>();
case ESClass_Number: return obj->is<NumberObject>();
case ESClass_String: return obj->is<StringObject>();
case ESClass_Boolean: return obj->is<BooleanObject>();
@@ -1053,6 +1056,16 @@ IsObjectWithClass(const Value &v, ESClassValue classValue, JSContext *cx)
return ObjectClassIs(obj, classValue, cx);
}
+// ES6 7.2.2
+inline bool
+IsArray(HandleObject obj, JSContext *cx)
+{
+ if (obj->is<ArrayObject>())
+ return true;
+
+ return ObjectClassIs(obj, ESClass_IsArray, cx);
+}
+
static MOZ_ALWAYS_INLINE bool
NewObjectMetadata(ExclusiveContext *cxArg, JSObject **pmetadata)
{
diff --git a/js/src/json.cpp b/js/src/json.cpp
index 6e45bfd..81a99a6 100644
--- a/js/src/json.cpp
+++ b/js/src/json.cpp
@@ -300,7 +300,7 @@ JO(JSContext *cx, HandleObject obj, StringifyContext *scx)
Maybe<AutoIdVector> ids;
const AutoIdVector *props;
if (scx->replacer && !scx->replacer->isCallable()) {
- JS_ASSERT(JS_IsArrayObject(cx, scx->replacer));
+ JS_ASSERT(IsArray(scx->replacer, cx));
props = &scx->propertyList;
} else {
JS_ASSERT_IF(scx->replacer, scx->propertyList.length() == 0);
@@ -488,7 +488,7 @@ Str(JSContext *cx, const Value &v, StringifyContext *scx)
scx->depth++;
bool ok;
- if (ObjectClassIs(obj, ESClass_Array, cx))
+ if (IsArray(obj, cx))
ok = JA(cx, obj, scx);
else
ok = JO(cx, obj, scx);
@@ -510,7 +510,7 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp
if (replacer) {
if (replacer->isCallable()) {
/* Step 4a(i): use replacer to transform values. */
- } else if (ObjectClassIs(replacer, ESClass_Array, cx)) {
+ } else if (IsArray(replacer, cx)) {
/*
* Step 4b: The spec algorithm is unhelpfully vague about the exact
* steps taken when the replacer is an array, regarding the exact
@@ -541,7 +541,8 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp
/* Step 4b(ii). */
uint32_t len;
- JS_ALWAYS_TRUE(GetLengthProperty(cx, replacer, &len));
+ if (!GetLengthProperty(cx, replacer, &len))
+ return false;
if (replacer->is<ArrayObject>() && !replacer->isIndexed())
len = Min(len, replacer->getDenseInitializedLength());
@@ -678,7 +679,7 @@ Walk(JSContext *cx, HandleObject holder, HandleId name, HandleValue reviver, Mut
if (val.isObject()) {
RootedObject obj(cx, &val.toObject());
- if (ObjectClassIs(obj, ESClass_Array, cx)) {
+ if (IsArray(obj, cx)) {
/* Step 2a(ii). */
uint32_t length;
if (!GetLengthProperty(cx, obj, &length))
diff --git a/js/src/jsproxy.cpp b/js/src/jsproxy.cpp
index 7644da1..7453103 100644
--- a/js/src/jsproxy.cpp
+++ b/js/src/jsproxy.cpp
@@ -1108,6 +1108,14 @@ class ScriptedDirectProxyHandler : public DirectProxyHandler {
virtual bool isExtensible(JSContext *cx, HandleObject proxy, bool *extensible) MOZ_OVERRIDE;
/* Spidermonkey extensions. */
+ // A scripted proxy should not be treated as generic in most contexts.
+ virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
+ CallArgs args) MOZ_OVERRIDE;
+ virtual bool objectClassIs(HandleObject obj, ESClassValue classValue,
+ JSContext *cx) MOZ_OVERRIDE;
+ virtual bool regexp_toShared(JSContext *cx, HandleObject proxy,
+ RegExpGuard *g) MOZ_OVERRIDE;
+
virtual bool call(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE;
virtual bool construct(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE;
virtual bool isScripted() MOZ_OVERRIDE { return true; }
@@ -2350,6 +2358,43 @@ ScriptedDirectProxyHandler::construct(JSContext *cx, HandleObject proxy, const C
return true;
}
+bool
+ScriptedDirectProxyHandler::nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
+ CallArgs args)
+{
+ ReportIncompatible(cx, args);
+ return false;
+}
+
+bool
+ScriptedDirectProxyHandler::objectClassIs(HandleObject proxy, ESClassValue classValue,
+ JSContext *cx)
+{
+ // Special case IsArray. In every other instance ES wants to have exactly
+ // one object type and not a proxy around it, so return false.
+ if (classValue != ESClass_IsArray)
+ return false;
+
+ // In ES6 IsArray is supposed to poke at the Proxy target, instead we do this here.
+ // The reason for this is that we have proxies for which looking at the target might
+ // be impossible. So instead we use our little objectClassIs function that just works
+ // already across different wrappers.
+ RootedObject target(cx, proxy->as<ProxyObject>().target());
+ if (!target)
+ return false;
+
+ return IsArray(target, cx);
+}
+
+bool
+ScriptedDirectProxyHandler::regexp_toShared(JSContext *cx, HandleObject proxy,
+ RegExpGuard *g)
+{
+ MOZ_CRASH("Should not end up in ScriptedDirectProxyHandler::regexp_toShared");
+ return false;
+}
+
+
ScriptedDirectProxyHandler ScriptedDirectProxyHandler::singleton;
#define INVOKE_ON_PROTOTYPE(cx, handler, proxy, protoCall) \
--
2.2.1

89
gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch

@ -0,0 +1,89 @@
From 97ba04bf95606b409b1b3035504a41c274ecffe2 Mon Sep 17 00:00:00 2001
From: Shu-yu Guo <shu@rfrn.org>
Date: Mon, 26 Jan 2015 18:26:25 -0800
Subject: [PATCH] Bug 1119579 - Don't GC while iterating compartments in
findAllGlobals. r=sfink, a=abillings
---
js/src/vm/Debugger.cpp | 56 ++++++++++++++++++++++++++++++--------------------
1 file changed, 34 insertions(+), 22 deletions(-)
diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp
index 27e993d..a8decef 100644
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -2825,37 +2825,49 @@ Debugger::findAllGlobals(JSContext *cx, unsigned argc, Value *vp)
{
THIS_DEBUGGER(cx, argc, vp, "findAllGlobals", args, dbg);
- RootedObject result(cx, NewDenseEmptyArray(cx));
- if (!result)
- return false;
+ AutoObjectVector globals(cx);
- for (CompartmentsIter c(cx->runtime(), SkipAtoms); !c.done(); c.next()) {
- if (c->options().invisibleToDebugger())
- continue;
+ {
+ // Accumulate the list of globals before wrapping them, because
+ // wrapping can GC and collect compartments from under us, while
+ // iterating.
- c->zone()->scheduledForDestruction = false;
+ for (CompartmentsIter c(cx->runtime(), SkipAtoms); !c.done(); c.next()) {
+ if (c->options().invisibleToDebugger())
+ continue;
- GlobalObject *global = c->maybeGlobal();
+ c->zone()->scheduledForDestruction = false;
- if (cx->runtime()->isSelfHostingGlobal(global))
- continue;
+ GlobalObject *global = c->maybeGlobal();
- if (global) {
- /*
- * We pulled |global| out of nowhere, so it's possible that it was
- * marked gray by XPConnect. Since we're now exposing it to JS code,
- * we need to mark it black.
- */
- JS::ExposeGCThingToActiveJS(global, JSTRACE_OBJECT);
+ if (cx->runtime()->isSelfHostingGlobal(global))
+ continue;
- RootedValue globalValue(cx, ObjectValue(*global));
- if (!dbg->wrapDebuggeeValue(cx, &globalValue))
- return false;
- if (!NewbornArrayPush(cx, result, globalValue))
- return false;
+ if (global) {
+ /*
+ * We pulled |global| out of nowhere, so it's possible that it was
+ * marked gray by XPConnect. Since we're now exposing it to JS code,
+ * we need to mark it black.
+ */
+ JS::ExposeGCThingToActiveJS(global, JSTRACE_OBJECT);
+ if (!globals.append(global))
+ return false;
+ }
}
}
+ RootedObject result(cx, NewDenseEmptyArray(cx));
+ if (!result)
+ return false;
+
+ for (size_t i = 0; i < globals.length(); i++) {
+ RootedValue globalValue(cx, ObjectValue(*globals[i]));
+ if (!dbg->wrapDebuggeeValue(cx, &globalValue))
+ return false;
+ if (!NewbornArrayPush(cx, result, globalValue))
+ return false;
+ }
+
args.rval().setObject(*result);
return true;
}
--
2.2.1

25
gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch

@ -0,0 +1,25 @@
From 746ddf19ff532b8abc90d3a91322a04b462ebfa8 Mon Sep 17 00:00:00 2001
From: Brian Hackett <bhackett1024@gmail.com>
Date: Mon, 26 Jan 2015 13:14:34 -0500
Subject: [PATCH] Bug 1124018 - Null the allocation site table if
initialization fails. r=jonco, a=bkerensa
---
js/src/jsinfer.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp
index b62ad1f..4019b16 100644
--- a/js/src/jsinfer.cpp
+++ b/js/src/jsinfer.cpp
@@ -2035,6 +2035,7 @@ TypeCompartment::addAllocationSiteTypeObject(JSContext *cx, AllocationSiteKey ke
allocationSiteTable = cx->new_<AllocationSiteTable>();
if (!allocationSiteTable || !allocationSiteTable->init()) {
js_delete(allocationSiteTable);
+ allocationSiteTable = nullptr;
return nullptr;
}
}
--
2.2.1

41
gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch

@ -0,0 +1,41 @@
From 0758363d982b0b3e6cf021c164715a028a345b9e Mon Sep 17 00:00:00 2001
From: "Byron Campen [:bwc]" <docfaraday@gmail.com>
Date: Wed, 21 Jan 2015 08:56:36 -0800
Subject: [PATCH] Bug 1123882 - Fix case where offset != 0. r=derf, a=bkerensa
---
content/media/MediaDecoderStateMachine.cpp | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/content/media/MediaDecoderStateMachine.cpp b/content/media/MediaDecoderStateMachine.cpp
index ce5870f..4ed496c 100644
--- a/content/media/MediaDecoderStateMachine.cpp
+++ b/content/media/MediaDecoderStateMachine.cpp
@@ -328,6 +328,8 @@ void MediaDecoderStateMachine::SendStreamAudio(AudioData* aAudio,
if (offset >= aAudio->mFrames)
return;
+ size_t framesToWrite = aAudio->mFrames - offset;
+
aAudio->EnsureAudioBuffer();
nsRefPtr<SharedBuffer> buffer = aAudio->mAudioBuffer;
AudioDataValue* bufferData = static_cast<AudioDataValue*>(buffer->Data());
@@ -335,10 +337,11 @@ void MediaDecoderStateMachine::SendStreamAudio(AudioData* aAudio,
for (uint32_t i = 0; i < aAudio->mChannels; ++i) {
channels.AppendElement(bufferData + i*aAudio->mFrames + offset);
}
- aOutput->AppendFrames(buffer.forget(), channels, aAudio->mFrames);
- VERBOSE_LOG("writing %d frames of data to MediaStream for AudioData at %lld",
- aAudio->mFrames - int32_t(offset), aAudio->mTime);
- aStream->mAudioFramesWritten += aAudio->mFrames - int32_t(offset);
+ aOutput->AppendFrames(buffer.forget(), channels, framesToWrite);
+ VERBOSE_LOG("writing %u frames of data to MediaStream for AudioData at %lld",
+ static_cast<unsigned>(framesToWrite),
+ aAudio->mTime);
+ aStream->mAudioFramesWritten += framesToWrite;
}
static void WriteVideoToMediaStream(layers::Image* aImage,
--
2.2.1

54
gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch

@ -0,0 +1,54 @@
From 94899f849e50a765bb26420f5c70d49002d6673f Mon Sep 17 00:00:00 2001
From: Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
Date: Mon, 26 Jan 2015 16:07:00 -0500
Subject: [PATCH] Bug 1117406 - Fix handling of out-of-range PNG tRNS values.
r=jmuizelaar, a=abillings
---
image/decoders/nsPNGDecoder.cpp | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp
index acaa835..8e6bc2d 100644
--- a/image/decoders/nsPNGDecoder.cpp
+++ b/image/decoders/nsPNGDecoder.cpp
@@ -528,24 +528,26 @@ nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr)
png_set_expand(png_ptr);
if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) {
- int sample_max = (1 << bit_depth);
png_color_16p trans_values;
png_get_tRNS(png_ptr, info_ptr, &trans, &num_trans, &trans_values);
/* libpng doesn't reject a tRNS chunk with out-of-range samples
so we check it here to avoid setting up a useless opacity
- channel or producing unexpected transparent pixels when using
- libpng-1.2.19 through 1.2.26 (bug #428045) */
- if ((color_type == PNG_COLOR_TYPE_GRAY &&
- (int)trans_values->gray > sample_max) ||
- (color_type == PNG_COLOR_TYPE_RGB &&
- ((int)trans_values->red > sample_max ||
- (int)trans_values->green > sample_max ||
- (int)trans_values->blue > sample_max)))
+ channel or producing unexpected transparent pixels (bug #428045) */
+ if (bit_depth < 16) {
+ png_uint_16 sample_max = (1 << bit_depth) - 1;
+ if ((color_type == PNG_COLOR_TYPE_GRAY &&
+ trans_values->gray > sample_max) ||
+ (color_type == PNG_COLOR_TYPE_RGB &&
+ (trans_values->red > sample_max ||
+ trans_values->green > sample_max ||
+ trans_values->blue > sample_max)))
{
/* clear the tRNS valid flag and release tRNS memory */
png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
+ num_trans = 0;
}
- else
+ }
+ if (num_trans != 0)
png_set_expand(png_ptr);
}
--
2.2.1

53
gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch

@ -0,0 +1,53 @@
From 4920c5c447d1153dffa623dd70d8b535b9ca6795 Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Mon, 26 Jan 2015 12:59:47 +0100
Subject: [PATCH] Bug 1115776 - Fix LApplyArgsGeneric to always emit the
has-script check. r=shu, a=sledru
---
js/src/jit/CodeGenerator.cpp | 24 ++++++++----------------
1 file changed, 8 insertions(+), 16 deletions(-)
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
index ba14f86..0669692 100644
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -2448,27 +2448,19 @@ CodeGenerator::visitApplyArgsGeneric(LApplyArgsGeneric *apply)
masm.checkStackAlignment();
- // If the function is known to be uncompilable, only emit the call to InvokeFunction.
+ // If the function is native, only emit the call to InvokeFunction.
ExecutionMode executionMode = gen->info().executionMode();
- if (apply->hasSingleTarget()) {
- JSFunction *target = apply->getSingleTarget();
- if (target->isNative()) {
- if (!emitCallInvokeFunction(apply, copyreg))
- return false;
- emitPopArguments(apply, copyreg);
- return true;
- }
+ if (apply->hasSingleTarget() && apply->getSingleTarget()->isNative()) {
+ if (!emitCallInvokeFunction(apply, copyreg))
+ return false;
+ emitPopArguments(apply, copyreg);
+ return true;
}
Label end, invoke;
- // Guard that calleereg is an interpreted function with a JSScript:
- if (!apply->hasSingleTarget()) {
- masm.branchIfFunctionHasNoScript(calleereg, &invoke);
- } else {
- // Native single targets are handled by LCallNative.
- JS_ASSERT(!apply->getSingleTarget()->isNative());
- }
+ // Guard that calleereg is an interpreted function with a JSScript.
+ masm.branchIfFunctionHasNoScript(calleereg, &invoke);
// Knowing that calleereg is a non-native function, load the JSScript.
masm.loadPtr(Address(calleereg, JSFunction::offsetOfNativeOrScript()), objreg);
--
2.2.1

52
gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch

@ -0,0 +1,52 @@
From f7d24f37425d3d9054a7e5657815440a07166d3f Mon Sep 17 00:00:00 2001
From: Kartikaya Gupta <kgupta@mozilla.com>
Date: Tue, 20 Jan 2015 10:33:27 -0500
Subject: [PATCH] Bug 1107009 - Additional locking needed for esr31 backport.
r=BenWa a=sledru
---
gfx/layers/ipc/CompositorParent.cpp | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/gfx/layers/ipc/CompositorParent.cpp b/gfx/layers/ipc/CompositorParent.cpp
index 97c8693..cb03e71 100644
--- a/gfx/layers/ipc/CompositorParent.cpp
+++ b/gfx/layers/ipc/CompositorParent.cpp
@@ -1286,13 +1286,19 @@ CrossProcessCompositorParent::ShadowLayersUpdated(
{
uint64_t id = aLayerTree->GetId();
MOZ_ASSERT(id != 0);
+ const CompositorParent::LayerTreeState* state = CompositorParent::GetIndirectShadowTree(id);
+ if (!state) {
+ return;
+ }
+ MOZ_ASSERT(state->mParent);
+
Layer* shadowRoot = aLayerTree->GetRoot();
if (shadowRoot) {
SetShadowProperties(shadowRoot);
}
UpdateIndirectTree(id, shadowRoot, aTargetConfig);
- sIndirectLayerTrees[id].mParent->NotifyShadowTreeTransaction(id, aIsFirstPaint, aScheduleComposite);
+ state->mParent->NotifyShadowTreeTransaction(id, aIsFirstPaint, aScheduleComposite);
}
void
@@ -1329,7 +1335,12 @@ AsyncCompositionManager*
CrossProcessCompositorParent::GetCompositionManager(LayerTransactionParent* aLayerTree)
{
uint64_t id = aLayerTree->GetId();
- return sIndirectLayerTrees[id].mParent->GetCompositionManager(aLayerTree);
+ const CompositorParent::LayerTreeState* state = CompositorParent::GetIndirectShadowTree(id);
+ if (!state) {
+ return nullptr;
+ }
+ MOZ_ASSERT(state->mParent);
+ return state->mParent->GetCompositionManager(aLayerTree);
}
void
--
2.2.1

219
gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch

@ -0,0 +1,219 @@
From 66e65b2138c6db20288ef4cf78d15995f382a7e2 Mon Sep 17 00:00:00 2001
From: Kartikaya Gupta <kgupta@mozilla.com>
Date: Tue, 13 Jan 2015 13:26:26 -0500
Subject: [PATCH] Bug 1107009. r=BenWa, a=sledru
---
gfx/layers/ipc/CompositorParent.cpp | 57 ++++++++++++++++++++++++++++++-------
1 file changed, 46 insertions(+), 11 deletions(-)
diff --git a/gfx/layers/ipc/CompositorParent.cpp b/gfx/layers/ipc/CompositorParent.cpp
index ce50277..cbbb2ef 100644
--- a/gfx/layers/ipc/CompositorParent.cpp
+++ b/gfx/layers/ipc/CompositorParent.cpp
@@ -22,6 +22,7 @@
#include "gfxPrefs.h" // for gfxPrefs
#include "ipc/ShadowLayersManager.h" // for ShadowLayersManager
#include "mozilla/AutoRestore.h" // for AutoRestore
+#include "mozilla/ClearOnShutdown.h" // for ClearOnShutdown
#include "mozilla/DebugOnly.h" // for DebugOnly
#include "mozilla/gfx/2D.h" // for DrawTarget
#include "mozilla/gfx/Point.h" // for IntSize
@@ -70,6 +71,16 @@ CompositorParent::LayerTreeState::LayerTreeState()
typedef map<uint64_t, CompositorParent::LayerTreeState> LayerTreeMap;
static LayerTreeMap sIndirectLayerTrees;
+static StaticAutoPtr<mozilla::Monitor> sIndirectLayerTreesLock;
+
+static void EnsureLayerTreeMapReady()
+{
+ MOZ_ASSERT(NS_IsMainThread());
+ if (!sIndirectLayerTreesLock) {
+ sIndirectLayerTreesLock = new Monitor("IndirectLayerTree");
+ mozilla::ClearOnShutdown(&sIndirectLayerTreesLock);
+ }
+}
// FIXME/bug 774386: we're assuming that there's only one
// CompositorParent, but that's not always true. This assumption only
@@ -132,6 +143,7 @@ void CompositorParent::StartUp()
return;
}
MOZ_ASSERT(!sCompositorLoop);
+ EnsureLayerTreeMapReady();
CreateCompositorMap();
CreateThread();
sMainLoop = MessageLoop::current();
@@ -206,7 +218,11 @@ CompositorParent::CompositorParent(nsIWidget* aWidget,
this, &mCompositorID));
mRootLayerTreeID = AllocateLayerTreeId();
- sIndirectLayerTrees[mRootLayerTreeID].mParent = this;
+
+ { // scope lock
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees[mRootLayerTreeID].mParent = this;
+ }
mApzcTreeManager = new APZCTreeManager();
++sCompositorThreadRefCount;
@@ -249,7 +265,10 @@ CompositorParent::Destroy()
mCompositionManager = nullptr;
mApzcTreeManager->ClearTree();
mApzcTreeManager = nullptr;
- sIndirectLayerTrees.erase(mRootLayerTreeID);
+ { // scope lock
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees.erase(mRootLayerTreeID);
+ }
}
void
@@ -266,6 +285,7 @@ CompositorParent::RecvWillStop()
// Ensure that the layer manager is destroyed before CompositorChild.
if (mLayerManager) {
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
for (LayerTreeMap::iterator it = sIndirectLayerTrees.begin();
it != sIndirectLayerTrees.end(); it++)
{
@@ -380,7 +400,10 @@ CompositorParent::ActorDestroy(ActorDestroyReason why)
if (mLayerManager) {
mLayerManager->Destroy();
mLayerManager = nullptr;
- sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = nullptr;
+ { // scope lock
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = nullptr;
+ }
mCompositionManager = nullptr;
mCompositor = nullptr;
}
@@ -696,6 +719,7 @@ CompositorParent::DidComposite()
{
unused << SendDidComposite(0);
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
for (LayerTreeMap::iterator it = sIndirectLayerTrees.begin();
it != sIndirectLayerTrees.end(); it++) {
LayerTreeState* lts = &it->second;
@@ -867,6 +891,7 @@ CompositorParent::InitializeLayerManager(const nsTArray<LayersBackend>& aBackend
mLayerManager = layerManager;
MOZ_ASSERT(compositor);
mCompositor = compositor;
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = layerManager;
return;
}
@@ -969,6 +994,7 @@ CompositorParent::RecvNotifyChildCreated(const uint64_t& child)
void
CompositorParent::NotifyChildCreated(uint64_t aChild)
{
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
sIndirectLayerTrees[aChild].mParent = this;
sIndirectLayerTrees[aChild].mLayerManager = mLayerManager;
}
@@ -985,6 +1011,7 @@ CompositorParent::AllocateLayerTreeId()
static void
EraseLayerState(uint64_t aId)
{
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
sIndirectLayerTrees.erase(aId);
}
@@ -1001,6 +1028,7 @@ UpdateControllerForLayersId(uint64_t aLayersId,
GeckoContentController* aController)
{
// Adopt ref given to us by SetControllerForLayerTree()
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
sIndirectLayerTrees[aLayersId].mController =
already_AddRefed<GeckoContentController>(aController);
}
@@ -1010,12 +1038,15 @@ ScopedLayerTreeRegistration::ScopedLayerTreeRegistration(uint64_t aLayersId,
GeckoContentController* aController)
: mLayersId(aLayersId)
{
+ EnsureLayerTreeMapReady();
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
sIndirectLayerTrees[aLayersId].mRoot = aRoot;
sIndirectLayerTrees[aLayersId].mController = aController;
}
ScopedLayerTreeRegistration::~ScopedLayerTreeRegistration()
{
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
sIndirectLayerTrees.erase(mLayersId);
}
@@ -1175,6 +1206,7 @@ CompositorParent::CloneToplevel(const InfallibleTArray<mozilla::ipc::ProtocolFdM
static void
UpdateIndirectTree(uint64_t aId, Layer* aRoot, const TargetConfig& aTargetConfig)
{
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
sIndirectLayerTrees[aId].mRoot = aRoot;
sIndirectLayerTrees[aId].mTargetConfig = aTargetConfig;
}
@@ -1182,6 +1214,7 @@ UpdateIndirectTree(uint64_t aId, Layer* aRoot, const TargetConfig& aTargetConfig
/* static */ const CompositorParent::LayerTreeState*
CompositorParent::GetIndirectShadowTree(uint64_t aId)
{
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
LayerTreeMap::const_iterator cit = sIndirectLayerTrees.find(aId);
if (sIndirectLayerTrees.end() == cit) {
return nullptr;
@@ -1189,12 +1222,6 @@ CompositorParent::GetIndirectShadowTree(uint64_t aId)
return &cit->second;
}
-static void
-RemoveIndirectTree(uint64_t aId)
-{
- sIndirectLayerTrees.erase(aId);
-}
-
void
CrossProcessCompositorParent::ActorDestroy(ActorDestroyReason aWhy)
{
@@ -1211,6 +1238,8 @@ CrossProcessCompositorParent::AllocPLayerTransactionParent(const nsTArray<Layers
{
MOZ_ASSERT(aId != 0);
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+
if (sIndirectLayerTrees[aId].mLayerManager) {
sIndirectLayerTrees[aId].mCrossProcessParent = this;
LayerManagerComposite* lm = sIndirectLayerTrees[aId].mLayerManager;
@@ -1234,7 +1263,7 @@ bool
CrossProcessCompositorParent::DeallocPLayerTransactionParent(PLayerTransactionParent* aLayers)
{
LayerTransactionParent* slp = static_cast<LayerTransactionParent*>(aLayers);
- RemoveIndirectTree(slp->GetId());
+ EraseLayerState(slp->GetId());
static_cast<LayerTransactionParent*>(aLayers)->ReleaseIPDLReference();
return true;
}
@@ -1242,6 +1271,7 @@ CrossProcessCompositorParent::DeallocPLayerTransactionParent(PLayerTransactionPa
bool
CrossProcessCompositorParent::RecvNotifyChildCreated(const uint64_t& child)
{
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
sIndirectLayerTrees[child].mParent->NotifyChildCreated(child);
return true;
}
@@ -1269,7 +1299,12 @@ CrossProcessCompositorParent::ForceComposite(LayerTransactionParent* aLayerTree)
{
uint64_t id = aLayerTree->GetId();
MOZ_ASSERT(id != 0);
- sIndirectLayerTrees[id].mParent->ForceComposite(aLayerTree);
+ CompositorParent* parent;
+ { // scope lock
+ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ parent = sIndirectLayerTrees[id].mParent;
+ }
+ parent->ForceComposite(aLayerTree);
}
bool
--
2.2.1

104
gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch

@ -0,0 +1,104 @@
From 3f0f685829445ae82974d61f6017fdb67349c32b Mon Sep 17 00:00:00 2001
From: Dan Gohman <sunfish@mozilla.com>
Date: Fri, 9 Jan 2015 09:04:12 -0500
Subject: [PATCH] Bug 1096138 - IonMonkey: Augment Nops with Mops to avoid
collisions with fixed live ranges. r=jandem, a=sledru
---
js/src/jit/CodeGenerator.cpp | 6 ++++++
js/src/jit/CodeGenerator.h | 1 +
js/src/jit/LIR-Common.h | 6 ++++++
js/src/jit/LOpcodes.h | 1 +
js/src/jit/Lowering.cpp | 12 ++++++++++++
5 files changed, 26 insertions(+)
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
index 4f07524..ba14f86 100644
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -1077,6 +1077,12 @@ CodeGenerator::visitNop(LNop *lir)
}
bool
+CodeGenerator::visitMop(LMop *lir)
+{
+ return true;
+}
+
+bool
CodeGenerator::visitOsiPoint(LOsiPoint *lir)
{
// Note: markOsiPoint ensures enough space exists between the last
diff --git a/js/src/jit/CodeGenerator.h b/js/src/jit/CodeGenerator.h
index 03677a5..dce095d 100644
--- a/js/src/jit/CodeGenerator.h
+++ b/js/src/jit/CodeGenerator.h
@@ -58,6 +58,7 @@ class CodeGenerator : public CodeGeneratorSpecific
bool visitLabel(LLabel *lir);
bool visitNop(LNop *lir);
+ bool visitMop(LMop *lir);
bool visitOsiPoint(LOsiPoint *lir);
bool visitGoto(LGoto *lir);
bool visitTableSwitch(LTableSwitch *ins);
diff --git a/js/src/jit/LIR-Common.h b/js/src/jit/LIR-Common.h
index c90aef9..e7a0e4c 100644
--- a/js/src/jit/LIR-Common.h
+++ b/js/src/jit/LIR-Common.h
@@ -42,6 +42,12 @@ class LNop : public LInstructionHelper<0, 0, 0>
LIR_HEADER(Nop)
};
+class LMop : public LInstructionHelper<0, 0, 0>
+{
+ public:
+ LIR_HEADER(Mop)
+};
+
// An LOsiPoint captures a snapshot after a call and ensures enough space to
// patch in a call to the invalidation mechanism.
//
diff --git a/js/src/jit/LOpcodes.h b/js/src/jit/LOpcodes.h
index a32d64f..cd7eef8 100644
--- a/js/src/jit/LOpcodes.h
+++ b/js/src/jit/LOpcodes.h
@@ -10,6 +10,7 @@
#define LIR_COMMON_OPCODE_LIST(_) \
_(Label) \
_(Nop) \
+ _(Mop) \
_(OsiPoint) \
_(MoveGroup) \
_(Integer) \
diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
index d5f8227..48b7fa9 100644
--- a/js/src/jit/Lowering.cpp
+++ b/js/src/jit/Lowering.cpp
@@ -3616,12 +3616,24 @@ LIRGenerator::visitInstruction(MInstruction *ins)
ins->setInWorklistUnchecked();
#endif
+ // If we added a Nop for this instruction, we'll also add a Mop, so that
+ // that live-ranges for fixed register defs, which with LSRA extend through
+ // the Nop so that they can extend through the OsiPoint don't, with their
+ // one-extra extension, extend into a position where they use the input
+ // move group for the following instruction.
+ bool needsMop = !current->instructions().empty() && current->rbegin()->isNop();
+
// If no safepoint was created, there's no need for an OSI point.
if (LOsiPoint *osiPoint = popOsiPoint()) {
if (!add(osiPoint))
return false;
}
+ if (needsMop) {
+ if (!add(new(alloc()) LMop))
+ return false;
+ }
+
return true;
}
--
2.2.1
Loading…
Cancel
Save