gnu: icecat: Add fixes for several security flaws.

* gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch,
  gnu/packages/patches/icecat-CVE-2015-7205.patch,
  gnu/packages/patches/icecat-CVE-2015-7210.patch,
  gnu/packages/patches/icecat-CVE-2015-7212.patch,
  gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-7214.patch,
  gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Mark H Weaver 2015-12-17 12:07:13 -05:00
parent cbbe1a1c2c
commit 3faf214a0b
14 changed files with 996 additions and 1 deletions


@ -510,6 +510,18 @@ dist_patch_DATA = \
gnu/packages/patches/hop-linker-flags.patch \
gnu/packages/patches/hydra-automake-1.15.patch \
gnu/packages/patches/hydra-disable-darcs-test.patch \
gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch \
gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch \
gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch \
gnu/packages/patches/icecat-CVE-2015-7205.patch \
gnu/packages/patches/icecat-CVE-2015-7210.patch \
gnu/packages/patches/icecat-CVE-2015-7212.patch \
gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch \
gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch \
gnu/packages/patches/icecat-CVE-2015-7214.patch \
gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch \
gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch \
gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch \
gnu/packages/patches/icecat-avoid-bundled-includes.patch \
gnu/packages/patches/icecat-freetype-2.6.patch \
gnu/packages/patches/icu4c-CVE-2014-6585.patch \


@ -276,7 +276,19 @@ (define-public icecat
(sha256
(base32
"0rcaa19rfgclwd2qvcz8798m57jjzra6kaxg5dniysajvx7qndfp"))
(patches (map search-patch '("icecat-avoid-bundled-includes.patch"
(patches (map search-patch '("icecat-CVE-2015-7210.patch"
"icecat-CVE-2015-7205.patch"
"icecat-CVE-2015-7201-pt1.patch"
"icecat-CVE-2015-7201-pt2.patch"
"icecat-CVE-2015-7212.patch"
"icecat-CVE-2015-7213-pt1.patch"
"icecat-CVE-2015-7213-pt2.patch"
"icecat-CVE-2015-7222-pt1.patch"
"icecat-CVE-2015-7222-pt2.patch"
"icecat-CVE-2015-7222-pt3.patch"
"icecat-CVE-2015-7214.patch"
"icecat-CVE-2015-7201-pt3.patch"
"icecat-avoid-bundled-includes.patch"
"icecat-freetype-2.6.patch")))
(modules '((guix build utils)))
(snippet
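Review bot: The new patch list is not in alphabetical order (`"icecat-CVE-2015-7201-pt3.patch"` comes last, after `"icecat-CVE-2015-7214.patch"`), and the order is presumably load-bearing because Guix applies `patches` in list order and at least four of the new patch files touch `MPEG4Extractor.cpp`, each expecting the blob the previous one produced (their `index` lines chain). A maintainer tidying the list alphabetically would break the build without any hint why, so I would add a comment before the list: `;; Order matters: several of these patches modify the same files and must apply in sequence.` Which list entry corresponds to which upstream patch is not visible here. The `icecat` package definition continues outside the hunk.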


@ -0,0 +1,123 @@
From e2bbd632e220be7626efd34acb9a517430d36004 Mon Sep 17 00:00:00 2001
From: Andrew Comminos <andrew@comminos.com>
Date: Fri, 23 Oct 2015 21:35:16 -0700
Subject: [PATCH] Bug 1203135 - Terminate linking if maximum vertex attribute
count is exceeded on Mesa. r=jgilbert, a=ritu
--HG--
extra : source : 8021382da9722db0ad97ebd93698b69a74f0d9b0
extra : intermediate-source : 90eff805d2810e9d9ea88f6869335b0500b1a536
---
dom/canvas/WebGLProgram.cpp | 28 ++++++++++++++++++----------
dom/canvas/WebGLShader.cpp | 10 ++++++++++
dom/canvas/WebGLShader.h | 1 +
dom/canvas/WebGLShaderValidator.cpp | 6 ++++++
dom/canvas/WebGLShaderValidator.h | 1 +
5 files changed, 36 insertions(+), 10 deletions(-)
diff --git a/dom/canvas/WebGLProgram.cpp b/dom/canvas/WebGLProgram.cpp
index 78f7413..0e056e8 100644
--- a/dom/canvas/WebGLProgram.cpp
+++ b/dom/canvas/WebGLProgram.cpp
@@ -569,18 +569,26 @@ WebGLProgram::LinkProgram()
gl::GLContext* gl = mContext->gl;
gl->MakeCurrent();
- // Bug 777028: Mesa can't handle more than 16 samplers per program,
- // counting each array entry.
- size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() +
- mFragShader->CalcNumSamplerUniforms();
if (gl->WorkAroundDriverBugs() &&
- mContext->mIsMesa &&
- numSamplerUniforms_upperBound > 16)
+ mContext->mIsMesa)
{
- mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on"
- " Mesa drivers to avoid crashing.");
- mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
- return false;
+ // Bug 777028: Mesa can't handle more than 16 samplers per program,
+ // counting each array entry.
+ size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() +
+ mFragShader->CalcNumSamplerUniforms();
+ if (numSamplerUniforms_upperBound > 16) {
+ mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on"
+ " Mesa drivers to avoid crashing.");
+ mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
+ return false;
+ }
+
+ // Bug 1203135: Mesa crashes internally if we exceed the reported maximum attribute count.
+ if (mVertShader->NumAttributes() > mContext->MaxVertexAttribs()) {
+ mLinkLog.AssignLiteral("Number of attributes exceeds Mesa's reported max attribute count.");
+ mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
+ return false;
+ }
}
// Bind the attrib locations.
diff --git a/dom/canvas/WebGLShader.cpp b/dom/canvas/WebGLShader.cpp
index 85a3809..bab4157 100644
--- a/dom/canvas/WebGLShader.cpp
+++ b/dom/canvas/WebGLShader.cpp
@@ -299,6 +299,16 @@ WebGLShader::CalcNumSamplerUniforms() const
return 0;
}
+size_t
+WebGLShader::NumAttributes() const
+{
+ if (mValidator)
+ return mValidator->NumAttributes();
+
+ // TODO
+ return 0;
+}
+
void
WebGLShader::BindAttribLocation(GLuint prog, const nsCString& userName,
GLuint index) const
diff --git a/dom/canvas/WebGLShader.h b/dom/canvas/WebGLShader.h
index 698e30c..2c80b16a 100644
--- a/dom/canvas/WebGLShader.h
+++ b/dom/canvas/WebGLShader.h
@@ -45,6 +45,7 @@ public:
// Util funcs
bool CanLinkTo(const WebGLShader* prev, nsCString* const out_log) const;
size_t CalcNumSamplerUniforms() const;
+ size_t NumAttributes() const;
void BindAttribLocation(GLuint prog, const nsCString& userName, GLuint index) const;
bool FindAttribUserNameByMappedName(const nsACString& mappedName,
nsDependentCString* const out_userName) const;
diff --git a/dom/canvas/WebGLShaderValidator.cpp b/dom/canvas/WebGLShaderValidator.cpp
index 80005e2..8bedf88 100644
--- a/dom/canvas/WebGLShaderValidator.cpp
+++ b/dom/canvas/WebGLShaderValidator.cpp
@@ -274,6 +274,12 @@ ShaderValidator::CalcNumSamplerUniforms() const
return accum;
}
+size_t
+ShaderValidator::NumAttributes() const
+{
+ return ShGetAttributes(mHandle)->size();
+}
+
// Attribs cannot be structs or arrays, and neither can vertex inputs in ES3.
// Therefore, attrib names are always simple.
bool
diff --git a/dom/canvas/WebGLShaderValidator.h b/dom/canvas/WebGLShaderValidator.h
index 35db2f1..1f794bf0 100644
--- a/dom/canvas/WebGLShaderValidator.h
+++ b/dom/canvas/WebGLShaderValidator.h
@@ -41,6 +41,7 @@ public:
void GetOutput(nsACString* out) const;
bool CanLinkTo(const ShaderValidator* prev, nsCString* const out_log) const;
size_t CalcNumSamplerUniforms() const;
+ size_t NumAttributes() const;
bool FindAttribUserNameByMappedName(const std::string& mappedName,
const std::string** const out_userName) const;
--
2.6.3
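Review bot: `WebGLShader::NumAttributes()` returns 0 when `mValidator` is null (the `// TODO` branch), so the new Mesa guard in `LinkProgram` (`mVertShader->NumAttributes() > mContext->MaxVertexAttribs()`) silently passes for a shader without a validator instead of refusing the link. `CalcNumSamplerUniforms()` appears to take the same fall-through, so the pattern is pre-existing, but for a check whose purpose is to keep the driver from crashing a fail-open default deserves at least a comment; I would replace the bare `// TODO` with `// No validator: attribute count is unknown, so the Mesa max-attribute check in LinkProgram is not enforced.` Separately, if `ShGetAttributes` lists each declared attribute once, matrix attributes that occupy several locations are undercounted against `MaxVertexAttribs()` — worth confirming against the translator API. `LinkProgram` starts before its hunk.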


@ -0,0 +1,29 @@
From f02e3252391f5fa79916e4c8f30b3d8340d06cc7 Mon Sep 17 00:00:00 2001
From: "Carsten \"Tomcat\" Book" <cbook@mozilla.com>
Date: Tue, 8 Dec 2015 12:38:15 +0100
Subject: [PATCH] Bug 1225250 - fix stride on SourceSurfaceSkia when
initialized from GPU texture. r=jmuizelaar, a=lizzard
---
gfx/2d/SourceSurfaceSkia.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/gfx/2d/SourceSurfaceSkia.cpp b/gfx/2d/SourceSurfaceSkia.cpp
index 4b95bc2..d7e0714 100644
--- a/gfx/2d/SourceSurfaceSkia.cpp
+++ b/gfx/2d/SourceSurfaceSkia.cpp
@@ -110,8 +110,10 @@ SourceSurfaceSkia::InitFromTexture(DrawTargetSkia* aOwner,
GrTexture *skiaTexture = aOwner->mGrContext->wrapBackendTexture(skiaTexGlue);
SkImageInfo imgInfo = SkImageInfo::Make(aSize.width, aSize.height, GfxFormatToSkiaColorType(aFormat), kOpaque_SkAlphaType);
SkGrPixelRef *texRef = new SkGrPixelRef(imgInfo, skiaTexture, false);
- mBitmap.setInfo(imgInfo, aSize.width*aSize.height*4);
+ mBitmap.setInfo(imgInfo);
mBitmap.setPixelRef(texRef);
+ mFormat = aFormat;
+ mStride = mBitmap.rowBytes();
mDrawTarget = aOwner;
return true;
--
2.6.3
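Review bot: The result of `mBitmap.setInfo(imgInfo)` on the new line is discarded; Skia reports a rejected `SkImageInfo` through that `bool`, and on failure the bitmap is presumably left reset, so `mStride = mBitmap.rowBytes()` would record a meaningless stride — the very thing this patch sets out to fix. I would move the `setInfo` call above the `new SkGrPixelRef` and check it, `if (!mBitmap.setInfo(imgInfo)) { return false; }`, so an early return does not also leak the freshly allocated `texRef`. The `GrTexture` returned by `wrapBackendTexture` is not null-checked either, but that predates this change. `InitFromTexture` starts before the hunk.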


@ -0,0 +1,35 @@
From 567a97b6347ac8c2b93ec788c437b7e9bb23ef75 Mon Sep 17 00:00:00 2001
From: Edwin Flores <eflores@mozilla.com>
Date: Wed, 2 Dec 2015 16:15:29 +0100
Subject: [PATCH] Bug 1224100 - Initialize padding to 0 in Downscaler. r=seth,
a=sledru
---
image/src/Downscaler.cpp | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
index 24ecfda..2a7acfd 100644
--- a/image/src/Downscaler.cpp
+++ b/image/src/Downscaler.cpp
@@ -86,11 +86,16 @@ Downscaler::BeginFrame(const nsIntSize& aOriginalSize,
mTargetSize.height, mYFilter.get());
// Allocate the buffer, which contains scanlines of the original image.
- mRowBuffer = MakeUnique<uint8_t[]>(mOriginalSize.width * sizeof(uint32_t));
+ size_t bufferLen = mOriginalSize.width * sizeof(uint32_t);
+ mRowBuffer = MakeUnique<uint8_t[]>(bufferLen);
if (MOZ_UNLIKELY(!mRowBuffer)) {
return NS_ERROR_OUT_OF_MEMORY;
}
+ // Zero buffer to keep valgrind happy.
+ memset(mRowBuffer.get(), 0, bufferLen);
+
+
// Allocate the window, which contains horizontally downscaled scanlines. (We
// can store scanlines which are already downscale because our downscaling
// filter is separable.)
--
2.6.3
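Review bot: The comment on the new `memset` (`// Zero buffer to keep valgrind happy.`) understates why the zeroing matters: the patch title says the filter reads the row buffer's padding, so without this uninitialized heap bytes could flow into the scaled image, which is a memory-disclosure risk rather than a tooling nuisance. I would reword it to `// Zero the buffer: the filter reads the padding bytes, and uninitialized memory must not leak into the output.` The window buffer allocated just below (outside the hunk) is consumed by the same filters; if any of it can be read before it is fully written it needs the same treatment, which I cannot confirm from here. The doubled blank line after the `memset` is a minor style nit. `BeginFrame` starts before the hunk.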


@ -0,0 +1,84 @@
From 20df7b0b3f3e7dd201c9811bbb1e6515da8da359 Mon Sep 17 00:00:00 2001
From: Randell Jesup <rjesup@jesup.org>
Date: Thu, 5 Nov 2015 10:17:29 -0500
Subject: [PATCH] Bug 1220493 - validate RTP packets against underflows.
r=pkerr a=sylvestre
--HG--
extra : source : 575d3aa376b1c8e7507d94833f7b74bf963127cb
extra : intermediate-source : 2c1b396ef5c3e2424fb9af56d86ebf6f6551a997
---
.../webrtc/modules/rtp_rtcp/source/rtp_utility.cc | 26 ++++++++++++----------
1 file changed, 14 insertions(+), 12 deletions(-)
diff --git a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
index 9334b23..80cf55a 100644
--- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
+++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
@@ -338,12 +338,6 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
return false;
}
- const uint8_t CSRCocts = CC * 4;
-
- if ((ptr + CSRCocts) > _ptrRTPDataEnd) {
- return false;
- }
-
header.markerBit = M;
header.payloadType = PT;
header.sequenceNumber = sequenceNumber;
@@ -352,6 +346,14 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
header.numCSRCs = CC;
header.paddingLength = P ? *(_ptrRTPDataEnd - 1) : 0;
+ // 12 == sizeof(RFC rtp header) == kRtpMinParseLength, each CSRC=4 bytes
+ header.headerLength = 12 + (CC * 4);
+ // not a full validation, just safety against underflow. Padding must
+ // start after the header. We can have 0 payload bytes left, note.
+ if (header.paddingLength + header.headerLength > length) {
+ return false;
+ }
+
for (unsigned int i = 0; i < CC; ++i) {
uint32_t CSRC = *ptr++ << 24;
CSRC += *ptr++ << 16;
@@ -359,8 +361,7 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
CSRC += *ptr++;
header.arrOfCSRCs[i] = CSRC;
}
-
- header.headerLength = 12 + CSRCocts;
+ assert((ptr - _ptrRTPDataBegin) == header.headerLength);
// If in effect, MAY be omitted for those packets for which the offset
// is zero.
@@ -385,8 +386,9 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
| header extension |
| .... |
*/
- const ptrdiff_t remain = _ptrRTPDataEnd - ptr;
- if (remain < 4) {
+ // earlier test ensures we have at least paddingLength bytes left
+ const ptrdiff_t remain = (_ptrRTPDataEnd - ptr) - header.paddingLength;
+ if (remain < 4) { // minimum header extension length = 32 bits
return false;
}
@@ -395,11 +397,11 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
uint16_t definedByProfile = *ptr++ << 8;
definedByProfile += *ptr++;
- uint16_t XLen = *ptr++ << 8;
+ size_t XLen = *ptr++ << 8;
XLen += *ptr++; // in 32 bit words
XLen *= 4; // in octs
- if (remain < (4 + XLen)) {
+ if (remain < (4 + XLen)) { // we already accounted for padding
return false;
}
if (definedByProfile == kRtpOneByteHeaderExtensionId) {
--
2.6.3
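Review bot: The new padding check `if (header.paddingLength + header.headerLength > length)` still accepts a packet with `P` set and a trailing padding byte of 0, which RFC 3550 does not allow (the count includes the count octet itself, so it must be at least 1); such a packet passes every check here and is then treated as if it carried no padding. I would add `if (P && header.paddingLength == 0) { return false; }` right after `header.paddingLength` is assigned. The removed `(ptr + CSRCocts) > _ptrRTPDataEnd` guard is only fully replaced if `length` equals `_ptrRTPDataEnd - _ptrRTPDataBegin`, which the hunk does not show. The `assert` on the header length is an internal invariant rather than input validation, so keeping it debug-only is fine. `RtpHeaderParser::Parse` starts before the first hunk and continues after the last.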


@ -0,0 +1,47 @@
From 4e0cd9ba4924869f91be0e7c8cf666182bb75f90 Mon Sep 17 00:00:00 2001
From: "Byron Campen [:bwc]" <docfaraday@gmail.com>
Date: Wed, 28 Oct 2015 12:48:17 -0500
Subject: [PATCH] Bug 1218326 - Prevent datachannel operations on closed
PeerConnections. r=jesup a=sylvestre
--HG--
extra : source : a7637b62d9b5ab73f58e5aa3c663d7d35b624826
extra : intermediate-source : d8f0412f38f75040064157d8d2b0140df21600e6
---
media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
index c3d8d26..fe86ff7 100644
--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
@@ -1004,7 +1004,7 @@ PeerConnectionImpl::GetIdentity() const
NS_IMETHODIMP
PeerConnectionImpl::EnsureDataConnection(uint16_t aNumstreams)
{
- PC_AUTO_ENTER_API_CALL_NO_CHECK();
+ PC_AUTO_ENTER_API_CALL(false);
#ifdef MOZILLA_INTERNAL_API
if (mDataConnection) {
@@ -1102,7 +1102,7 @@ PeerConnectionImpl::GetDatachannelParameters(
nsresult
PeerConnectionImpl::InitializeDataChannel()
{
- PC_AUTO_ENTER_API_CALL_NO_CHECK();
+ PC_AUTO_ENTER_API_CALL(false);
CSFLogDebug(logTag, "%s", __FUNCTION__);
const JsepApplicationCodecDescription* codec;
@@ -1184,7 +1184,7 @@ PeerConnectionImpl::CreateDataChannel(const nsAString& aLabel,
uint16_t aStream,
nsDOMDataChannel** aRetval)
{
- PC_AUTO_ENTER_API_CALL_NO_CHECK();
+ PC_AUTO_ENTER_API_CALL(false);
MOZ_ASSERT(aRetval);
#ifdef MOZILLA_INTERNAL_API
--
2.6.3
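Review bot: The three call sites now pass a bare `false` to `PC_AUTO_ENTER_API_CALL`, and nothing at the call site says what that argument controls (presumably the ICE-readiness assertion the macro takes) or why these data-channel entry points now reject a closed PeerConnection where `_NO_CHECK` let them through. A one-line comment above the first use would carry the rationale: `// Bug 1218326: refuse data-channel operations once the PeerConnection is closed.` Whether any internal caller reaches `EnsureDataConnection` or `InitializeDataChannel` during teardown and now sees an error is not visible in the hunk. All three enclosing functions continue outside their hunks.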


@ -0,0 +1,364 @@
From 595e3a152ff2912a950defd0ef4b5f659135b03a Mon Sep 17 00:00:00 2001
From: Nicolas Silva <nsilva@mozilla.com>
Date: Wed, 18 Nov 2015 16:59:11 +0100
Subject: [PATCH] Bug 1222809 - Don't try to allocate unreasonably large
textures. r=Bas, a=sylvestre
---
gfx/2d/2D.h | 25 ++++++++++--
gfx/2d/Factory.cpp | 67 ++++++++++++++++++++++++++++-----
gfx/layers/ImageDataSerializer.cpp | 21 ++++++-----
gfx/layers/YCbCrImageDataSerializer.cpp | 7 ++++
gfx/layers/client/TextureClient.cpp | 12 ++++++
gfx/thebes/gfxPlatform.cpp | 15 ++++++--
gfx/thebes/gfxPrefs.h | 3 ++
7 files changed, 124 insertions(+), 26 deletions(-)
diff --git a/gfx/2d/2D.h b/gfx/2d/2D.h
index cf35bb2..b1e0e3e 100644
--- a/gfx/2d/2D.h
+++ b/gfx/2d/2D.h
@@ -1082,22 +1082,41 @@ struct TileSet
size_t mTileCount;
};
+struct Config {
+ LogForwarder* mLogForwarder;
+ int32_t mMaxTextureSize;
+ int32_t mMaxAllocSize;
+
+ Config()
+ : mLogForwarder(nullptr)
+ , mMaxTextureSize(8192)
+ , mMaxAllocSize(52000000)
+ {}
+};
+
class GFX2D_API Factory
{
public:
+ static void Init(const Config& aConfig);
+ static void ShutDown();
+
static bool HasSSE2();
/** Make sure that the given dimensions don't overflow a 32-bit signed int
* using 4 bytes per pixel; optionally, make sure that either dimension
* doesn't exceed the given limit.
*/
- static bool CheckSurfaceSize(const IntSize &sz, int32_t limit = 0);
+ static bool CheckSurfaceSize(const IntSize &sz,
+ int32_t limit = 0,
+ int32_t allocLimit = 0);
/** Make sure the given dimension satisfies the CheckSurfaceSize and is
* within 8k limit. The 8k value is chosen a bit randomly.
*/
static bool ReasonableSurfaceSize(const IntSize &aSize);
+ static bool AllowedSurfaceSize(const IntSize &aSize);
+
static TemporaryRef<DrawTarget> CreateDrawTargetForCairoSurface(cairo_surface_t* aSurface, const IntSize& aSize, SurfaceFormat* aFormat = nullptr);
static TemporaryRef<DrawTarget>
@@ -1171,10 +1190,10 @@ public:
static uint32_t GetMaxSurfaceSize(BackendType aType);
- static LogForwarder* GetLogForwarder() { return mLogForwarder; }
+ static LogForwarder* GetLogForwarder() { return sConfig ? sConfig->mLogForwarder : nullptr; }
private:
- static LogForwarder* mLogForwarder;
+ static Config* sConfig;
public:
#ifdef USE_SKIA_GPU
diff --git a/gfx/2d/Factory.cpp b/gfx/2d/Factory.cpp
index 948d3c3..6750c28 100644
--- a/gfx/2d/Factory.cpp
+++ b/gfx/2d/Factory.cpp
@@ -188,6 +188,35 @@ ID2D1Device *Factory::mD2D1Device;
DrawEventRecorder *Factory::mRecorder;
+mozilla::gfx::Config* Factory::sConfig = nullptr;
+
+void
+Factory::Init(const Config& aConfig)
+{
+ MOZ_ASSERT(!sConfig);
+ sConfig = new Config(aConfig);
+
+ // Make sure we don't completely break rendering because of a typo in the
+ // pref or whatnot.
+ const int32_t kMinAllocPref = 10000000;
+ const int32_t kMinSizePref = 2048;
+ if (sConfig->mMaxAllocSize < kMinAllocPref) {
+ sConfig->mMaxAllocSize = kMinAllocPref;
+ }
+ if (sConfig->mMaxTextureSize < kMinSizePref) {
+ sConfig->mMaxTextureSize = kMinSizePref;
+ }
+}
+
+void
+Factory::ShutDown()
+{
+ if (sConfig) {
+ delete sConfig;
+ sConfig = nullptr;
+ }
+}
+
bool
Factory::HasSSE2()
{
@@ -222,11 +251,25 @@ inline int LoggerOptionsBasedOnSize(const IntSize& aSize)
bool
Factory::ReasonableSurfaceSize(const IntSize &aSize)
{
- return Factory::CheckSurfaceSize(aSize,8192);
+ return Factory::CheckSurfaceSize(aSize, 8192);
+}
+
+bool
+Factory::AllowedSurfaceSize(const IntSize &aSize)
+{
+ if (sConfig) {
+ return Factory::CheckSurfaceSize(aSize,
+ sConfig->mMaxTextureSize,
+ sConfig->mMaxAllocSize);
+ }
+
+ return CheckSurfaceSize(aSize);
}
bool
-Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
+Factory::CheckSurfaceSize(const IntSize &sz,
+ int32_t extentLimit,
+ int32_t allocLimit)
{
if (sz.width <= 0 || sz.height <= 0) {
gfxDebug() << "Surface width or height <= 0!";
@@ -234,8 +277,8 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
}
// reject images with sides bigger than limit
- if (limit && (sz.width > limit || sz.height > limit)) {
- gfxDebug() << "Surface size too large (exceeds caller's limit)!";
+ if (extentLimit && (sz.width > extentLimit || sz.height > extentLimit)) {
+ gfxDebug() << "Surface size too large (exceeds extent limit)!";
return false;
}
@@ -267,13 +310,18 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
return false;
}
+ if (allocLimit && allocLimit < numBytes.value()) {
+ gfxDebug() << "Surface size too large (exceeds allocation limit)!";
+ return false;
+ }
+
return true;
}
TemporaryRef<DrawTarget>
Factory::CreateDrawTarget(BackendType aBackend, const IntSize &aSize, SurfaceFormat aFormat)
{
- if (!CheckSurfaceSize(aSize)) {
+ if (!AllowedSurfaceSize(aSize)) {
gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
return nullptr;
}
@@ -364,7 +412,7 @@ Factory::CreateDrawTargetForData(BackendType aBackend,
SurfaceFormat aFormat)
{
MOZ_ASSERT(aData);
- if (!CheckSurfaceSize(aSize)) {
+ if (!AllowedSurfaceSize(aSize)) {
gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
return nullptr;
}
@@ -835,7 +883,7 @@ Factory::CreateDataSourceSurface(const IntSize &aSize,
SurfaceFormat aFormat,
bool aZero)
{
- if (!CheckSurfaceSize(aSize)) {
+ if (!AllowedSurfaceSize(aSize)) {
gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
return nullptr;
}
@@ -881,14 +929,13 @@ Factory::SetGlobalEventRecorder(DrawEventRecorder *aRecorder)
mRecorder = aRecorder;
}
-LogForwarder* Factory::mLogForwarder = nullptr;
-
// static
void
Factory::SetLogForwarder(LogForwarder* aLogFwd) {
- mLogForwarder = aLogFwd;
+ sConfig->mLogForwarder = aLogFwd;
}
+
// static
void
CriticalLogger::OutputMessage(const std::string &aString,
diff --git a/gfx/layers/ImageDataSerializer.cpp b/gfx/layers/ImageDataSerializer.cpp
index 5dd6aca..331dd04 100644
--- a/gfx/layers/ImageDataSerializer.cpp
+++ b/gfx/layers/ImageDataSerializer.cpp
@@ -84,21 +84,23 @@ ImageDataSerializerBase::ComputeMinBufferSize(IntSize aSize,
SurfaceFormat aFormat)
{
MOZ_ASSERT(aSize.height >= 0 && aSize.width >= 0);
- if (aSize.height <= 0 || aSize.width <= 0) {
- gfxDebug() << "Non-positive image buffer size request " << aSize.width << "x" << aSize.height;
+
+ // This takes care of checking whether there could be overflow
+ // with enough margin for the metadata.
+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
return 0;
}
- CheckedInt<int32_t> bufsize = ComputeStride(aFormat, aSize.width);
- bufsize *= aSize.height;
+ int32_t bufsize = GetAlignedStride<16>(ComputeStride(aFormat, aSize.width)
+ * aSize.height)
+ + SurfaceBufferInfo::GetOffset();
- if (!bufsize.isValid() || bufsize.value() <= 0) {
- gfxDebug() << "Buffer size overflow " << aSize.width << "x" << aSize.height;
+ if (bufsize < 0) {
+ // This should not be possible thanks to Factory::AllowedSurfaceSize
return 0;
}
- return SurfaceBufferInfo::GetOffset()
- + GetAlignedStride<16>(bufsize.value());
+ return bufsize;
}
void
@@ -114,7 +116,8 @@ ImageDataSerializerBase::Validate()
}
size_t requiredSize =
ComputeMinBufferSize(IntSize(info->width, info->height), info->format);
- mIsValid = requiredSize <= mDataSize;
+
+ mIsValid = !!requiredSize && requiredSize <= mDataSize;
}
uint8_t*
diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp
index c8e148d..05f5ab2 100644
--- a/gfx/layers/YCbCrImageDataSerializer.cpp
+++ b/gfx/layers/YCbCrImageDataSerializer.cpp
@@ -150,6 +150,13 @@ YCbCrImageDataDeserializerBase::ComputeMinBufferSize(const gfx::IntSize& aYSize,
gfxDebug() << "Non-positive YCbCr buffer size request " << aYSize.height << "x" << aYSize.width << ", " << aCbCrSize.height << "x" << aCbCrSize.width;
return 0;
}
+
+ if (!gfx::Factory::AllowedSurfaceSize(aYSize) ||
+ aCbCrSize.width > aYSize.width ||
+ aCbCrSize.height > aYSize.height) {
+ return 0;
+ }
+
return ComputeOffset(aYSize.height, aYStride)
+ 2 * ComputeOffset(aCbCrSize.height, aCbCrStride)
+ MOZ_ALIGN_WORD(sizeof(YCbCrBufferInfo));
diff --git a/gfx/layers/client/TextureClient.cpp b/gfx/layers/client/TextureClient.cpp
index 9b45ca0..6ae7cbf 100644
--- a/gfx/layers/client/TextureClient.cpp
+++ b/gfx/layers/client/TextureClient.cpp
@@ -315,6 +315,10 @@ TextureClient::CreateForDrawing(ISurfaceAllocator* aAllocator,
aMoz2DBackend = gfxPlatform::GetPlatform()->GetContentBackend();
}
+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
+ return nullptr;
+ }
+
RefPtr<TextureClient> texture;
#if defined(MOZ_WIDGET_GONK) || defined(XP_WIN)
@@ -415,6 +419,10 @@ TextureClient::CreateForRawBufferAccess(ISurfaceAllocator* aAllocator,
TextureFlags aTextureFlags,
TextureAllocationFlags aAllocFlags)
{
+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
+ return nullptr;
+ }
+
RefPtr<BufferTextureClient> texture =
CreateBufferTextureClient(aAllocator, aFormat,
aTextureFlags, aMoz2DBackend);
@@ -434,6 +442,10 @@ TextureClient::CreateForYCbCr(ISurfaceAllocator* aAllocator,
StereoMode aStereoMode,
TextureFlags aTextureFlags)
{
+ if (!gfx::Factory::AllowedSurfaceSize(aYSize)) {
+ return nullptr;
+ }
+
RefPtr<BufferTextureClient> texture;
if (aAllocator->IsSameProcess()) {
texture = new MemoryTextureClient(aAllocator, gfx::SurfaceFormat::YUV,
diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp
index 41e4b0c..209a0a8 100644
--- a/gfx/thebes/gfxPlatform.cpp
+++ b/gfx/thebes/gfxPlatform.cpp
@@ -458,13 +458,18 @@ gfxPlatform::Init()
}
gEverInitialized = true;
- CrashStatsLogForwarder* logForwarder = new CrashStatsLogForwarder("GraphicsCriticalError");
- mozilla::gfx::Factory::SetLogForwarder(logForwarder);
-
// Initialize the preferences by creating the singleton.
gfxPrefs::GetSingleton();
- logForwarder->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength());
+ auto fwd = new CrashStatsLogForwarder("GraphicsCriticalError");
+ fwd->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength());
+
+ mozilla::gfx::Config cfg;
+ cfg.mLogForwarder = fwd;
+ cfg.mMaxTextureSize = gfxPrefs::MaxTextureSize();
+ cfg.mMaxAllocSize = gfxPrefs::MaxAllocSize();
+
+ gfx::Factory::Init(cfg);
gGfxPlatformPrefsLock = new Mutex("gfxPlatform::gGfxPlatformPrefsLock");
@@ -641,6 +646,8 @@ gfxPlatform::Shutdown()
delete mozilla::gfx::Factory::GetLogForwarder();
mozilla::gfx::Factory::SetLogForwarder(nullptr);
+ gfx::Factory::ShutDown();
+
delete gGfxPlatformPrefsLock;
gfxPrefs::DestroySingleton();
diff --git a/gfx/thebes/gfxPrefs.h b/gfx/thebes/gfxPrefs.h
index b7a5fb9..038e1ff 100644
--- a/gfx/thebes/gfxPrefs.h
+++ b/gfx/thebes/gfxPrefs.h
@@ -209,6 +209,9 @@ private:
DECL_GFX_PREF(Live, "gfx.layerscope.port", LayerScopePort, int32_t, 23456);
// Note that "gfx.logging.level" is defined in Logging.h
DECL_GFX_PREF(Once, "gfx.logging.crash.length", GfxLoggingCrashLength, uint32_t, 6);
+ // The maximums here are quite conservative, we can tighten them if problems show up.
+ DECL_GFX_PREF(Once, "gfx.max-alloc-size", MaxAllocSize, int32_t, (int32_t)500000000);
+ DECL_GFX_PREF(Once, "gfx.max-texture-size", MaxTextureSize, int32_t, (int32_t)32767);
DECL_GFX_PREF(Live, "gfx.perf-warnings.enabled", PerfWarnings, bool, false);
DECL_GFX_PREF(Once, "gfx.work-around-driver-bugs", WorkAroundDriverBugs, bool, true);
--
2.6.3
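Review bot: In `ImageDataSerializerBase::ComputeMinBufferSize` the `CheckedInt<int32_t>` arithmetic is replaced by plain `int32_t` math (`GetAlignedStride<16>(ComputeStride(aFormat, aSize.width) * aSize.height) + SurfaceBufferInfo::GetOffset()`) and relies on `if (bufsize < 0)` to catch trouble, but signed overflow is undefined behaviour and that test is not a reliable guard. The bound it depends on only exists once `Factory::Init` has run: before that, `AllowedSurfaceSize` falls back to `CheckSurfaceSize(aSize)` with no allocation limit, where width*height*4 may sit just under `INT32_MAX` and the alignment plus offset push the sum past it. I would keep the arithmetic checked as below. Separately, `Factory::SetLogForwarder` now writes `sConfig->mLogForwarder` unguarded while `GetLogForwarder` tests `sConfig` for null, so a call before `Init` or after `ShutDown` dereferences null; `if (sConfig) { sConfig->mLogForwarder = aLogFwd; }` keeps the two consistent. `ComputeMinBufferSize` and `Validate` start before their hunks.
```cpp
  if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
    return 0;
  }

  // Keep the arithmetic checked: signed overflow is UB, so a `bufsize < 0`
  // test cannot be relied on, and AllowedSurfaceSize only applies the
  // allocation limit once Factory::Init has run.
  CheckedInt<int32_t> bufsize = ComputeStride(aFormat, aSize.width);
  bufsize *= aSize.height;
  if (!bufsize.isValid() || bufsize.value() <= 0) {
    return 0;
  }
  CheckedInt<int32_t> total = GetAlignedStride<16>(bufsize.value());
  total += SurfaceBufferInfo::GetOffset();
  if (!total.isValid()) {
    return 0;
  }
  return total.value();
```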


@ -0,0 +1,32 @@
From 3f31bf9e243fb3de26e36d6be0bb0153f51c5b2a Mon Sep 17 00:00:00 2001
From: Jean-Yves Avenard <jyavenard@mozilla.com>
Date: Wed, 9 Dec 2015 09:54:58 +0100
Subject: [PATCH] Bug 1206211 - P1. Ensure operation can't overflow.
r=kentuckyfriedtakahe, a=sylvestre
---
.../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
index 22163fa..318152a 100644
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -508,10 +508,13 @@ status_t MPEG4Extractor::readMetaData() {
CHECK_NE(err, (status_t)NO_INIT);
// copy pssh data into file metadata
- int psshsize = 0;
+ uint64_t psshsize = 0;
for (size_t i = 0; i < mPssh.size(); i++) {
psshsize += 20 + mPssh[i].datalen;
}
+ if (psshsize > kMAX_ALLOCATION) {
+ return ERROR_MALFORMED;
+ }
if (psshsize) {
char *buf = (char*)malloc(psshsize);
char *ptr = buf;
--
2.6.3


@ -0,0 +1,27 @@
From bb6870bd6dc3acb183f44360c7cc6488656f47ea Mon Sep 17 00:00:00 2001
From: Jean-Yves Avenard <jyavenard@mozilla.com>
Date: Wed, 9 Dec 2015 09:55:16 +0100
Subject: [PATCH] Bug 1206211 - P2. Abort on OOM. r=kentuckyfriedtakahe,
a=sylvestre
---
.../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 3 +++
1 file changed, 3 insertions(+)
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
index 318152a..c6aaf1d 100644
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -517,6 +517,9 @@ status_t MPEG4Extractor::readMetaData() {
}
if (psshsize) {
char *buf = (char*)malloc(psshsize);
+ if (!buf) {
+ return ERROR_MALFORMED;
+ }
char *ptr = buf;
for (size_t i = 0; i < mPssh.size(); i++) {
memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
--
2.6.3
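Review bot: A failed `malloc(psshsize)` is reported as `ERROR_MALFORMED`, which labels an allocation failure as a corrupt file and will mislead anyone triaging error codes; if the vendored `Errors.h` defines `NO_MEMORY` as upstream stagefright does, `return NO_MEMORY;` is the accurate code, and the choice deserves a comment either way, e.g. `// psshsize is already bounded by kMAX_ALLOCATION, so a null here is a genuine OOM.` How `buf` is released after the copy loop lies outside the hunk. `readMetaData` continues beyond the hunk.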


@ -0,0 +1,47 @@
From 487799700b0b676c2c6b95ad33c8afb8dbd329d8 Mon Sep 17 00:00:00 2001
From: Bobby Holley <bobbyholley@gmail.com>
Date: Mon, 14 Dec 2015 15:36:20 -0500
Subject: [PATCH] Bug 1228950 - Disallow scheme sets on nsHostObjectURI. r=bz,
a=lizzard
---
dom/base/nsHostObjectURI.cpp | 9 +++++++++
dom/base/nsHostObjectURI.h | 2 ++
2 files changed, 11 insertions(+)
diff --git a/dom/base/nsHostObjectURI.cpp b/dom/base/nsHostObjectURI.cpp
index 94b02ff..57b0209 100644
--- a/dom/base/nsHostObjectURI.cpp
+++ b/dom/base/nsHostObjectURI.cpp
@@ -81,6 +81,15 @@ nsHostObjectURI::Write(nsIObjectOutputStream* aStream)
true);
}
+NS_IMETHODIMP
+nsHostObjectURI::SetScheme(const nsACString& aScheme)
+{
+ // Disallow setting the scheme, since that could cause us to be associated
+ // with a different protocol handler that doesn't expect us to be carrying
+ // around a principal with nsIURIWithPrincipal.
+ return NS_ERROR_FAILURE;
+}
+
// nsIURI methods:
nsresult
nsHostObjectURI::CloneInternal(nsSimpleURI::RefHandlingEnum aRefHandlingMode,
diff --git a/dom/base/nsHostObjectURI.h b/dom/base/nsHostObjectURI.h
index b468d5d..23ff7ab 100644
--- a/dom/base/nsHostObjectURI.h
+++ b/dom/base/nsHostObjectURI.h
@@ -34,6 +34,8 @@ public:
NS_DECL_NSISERIALIZABLE
NS_DECL_NSICLASSINFO
+ NS_IMETHOD SetScheme(const nsACString &aProtocol) override;
+
// Override CloneInternal() and EqualsInternal()
virtual nsresult CloneInternal(RefHandlingEnum aRefHandlingMode,
nsIURI** aClone) override;
--
2.6.3
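Review bot: The parameter is named `aScheme` in the definition but `aProtocol` in the header declaration (`NS_IMETHOD SetScheme(const nsACString &aProtocol) override;`); pick one so the two stay greppable together, and since the argument is deliberately ignored, elide the name in the definition (`const nsACString& /* aScheme */`) to avoid an unused-parameter warning. More importantly, refusing `SetScheme` closes one path to re-associating the URI with a different protocol handler, but `SetSpec` on the base class presumably re-parses the scheme from the new spec string; if `nsHostObjectURI` does not already override it, that is the same risk through a different setter and is worth checking. The rationale currently lives only in the .cpp; a short note in the header beside the declaration would help readers of the interface.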


@ -0,0 +1,112 @@
From 76e6db3e514350fd146cb04425e669d63b59f889 Mon Sep 17 00:00:00 2001
From: Gerald Squelart <gsquelart@mozilla.com>
Date: Wed, 9 Dec 2015 09:59:37 +0100
Subject: [PATCH] Bug 1216748 - p2. Handle failed malloc in Metadata storage -
r=rillian, a=sylvestre
---
.../av/include/media/stagefright/MetaData.h | 2 +-
.../av/media/libstagefright/MetaData.cpp | 35 ++++++++++++++--------
2 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
index 30d969d..0a8ff77 100644
--- a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
+++ b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
@@ -248,7 +248,7 @@ private:
return mSize <= sizeof(u.reservoir);
}
- void allocateStorage(size_t size);
+ bool allocateStorage(size_t size);
void freeStorage();
void *storage() {
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
index c832c96..cba324d 100644
--- a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
@@ -220,7 +220,7 @@ bool MetaData::findData(uint32_t key, uint32_t *type,
}
MetaData::typed_data::typed_data()
- : mType(0),
+ : mType(TYPE_NONE),
mSize(0) {
}
@@ -231,17 +231,19 @@ MetaData::typed_data::~typed_data() {
MetaData::typed_data::typed_data(const typed_data &from)
: mType(from.mType),
mSize(0) {
- allocateStorage(from.mSize);
- memcpy(storage(), from.storage(), mSize);
+ if (allocateStorage(from.mSize)) {
+ memcpy(storage(), from.storage(), mSize);
+ }
}
MetaData::typed_data &MetaData::typed_data::operator=(
const MetaData::typed_data &from) {
if (this != &from) {
clear();
- mType = from.mType;
- allocateStorage(from.mSize);
- memcpy(storage(), from.storage(), mSize);
+ if (allocateStorage(from.mSize)) {
+ mType = from.mType;
+ memcpy(storage(), from.storage(), mSize);
+ }
}
return *this;
@@ -250,16 +252,17 @@ MetaData::typed_data &MetaData::typed_data::operator=(
void MetaData::typed_data::clear() {
freeStorage();
- mType = 0;
+ mType = TYPE_NONE;
}
void MetaData::typed_data::setData(
uint32_t type, const void *data, size_t size) {
clear();
- mType = type;
- allocateStorage(size);
- memcpy(storage(), data, size);
+ if (allocateStorage(size)) {
+ mType = type;
+ memcpy(storage(), data, size);
+ }
}
void MetaData::typed_data::getData(
@@ -269,14 +272,22 @@ void MetaData::typed_data::getData(
*data = storage();
}
-void MetaData::typed_data::allocateStorage(size_t size) {
+bool MetaData::typed_data::allocateStorage(size_t size) {
+ // Update mSize now, as it is needed by usesReservoir() below.
+ // (mSize will be reset if the allocation fails further below.)
mSize = size;
if (usesReservoir()) {
- return;
+ return true;
}
u.ext_data = malloc(mSize);
+ if (!u.ext_data) {
+ mType = TYPE_NONE;
+ mSize = 0;
+ return false;
+ }
+ return true;
}
void MetaData::typed_data::freeStorage() {
--
2.6.3
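Review bot: `allocateStorage` now has a non-obvious contract — on failure it resets both `mType` and `mSize` — and the copy constructor relies on that to undo the `mType(from.mType)` set in its initializer list, while `operator=` and `setData` instead assign `mType` only after success. The header declaration `bool allocateStorage(size_t size);` says nothing about this; I would document it there: `// Returns false and leaves the entry as TYPE_NONE with mSize == 0 when the allocation fails.` Silently degrading a copy to an empty entry is something callers of `findData` cannot distinguish from a key that was never set, which may be intended here but deserves a sentence in the same comment. `freeStorage`, and whether it resets `mSize`, are outside the hunk.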


@ -0,0 +1,34 @@
From 63c353cf8ec6b787936f602532026bd9923a16e4 Mon Sep 17 00:00:00 2001
From: Gerald Squelart <gsquelart@mozilla.com>
Date: Wed, 9 Dec 2015 10:00:13 +0100
Subject: [PATCH] Bug 1216748 - p3. Ensure 'covr' data size cannot create
underflow - r=rillian, a=sylvestre
---
.../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
index c6aaf1d..a69fc14 100644
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -1889,12 +1889,15 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
if (mFileMetaData != NULL) {
ALOGV("chunk_data_size = %lld and data_offset = %lld",
chunk_data_size, data_offset);
+ const int kSkipBytesOfDataBox = 16;
+ if (chunk_data_size <= kSkipBytesOfDataBox) {
+ return ERROR_MALFORMED;
+ }
sp<ABuffer> buffer = new ABuffer(chunk_data_size + 1);
if (mDataSource->readAt(
data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {
return ERROR_IO;
}
- const int kSkipBytesOfDataBox = 16;
mFileMetaData->setData(
kKeyAlbumArt, MetaData::TYPE_NONE,
buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
--
2.6.3
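Review bot: The new lower bound `chunk_data_size <= kSkipBytesOfDataBox` removes the underflow in `chunk_data_size - kSkipBytesOfDataBox`, but no upper bound is visible before `new ABuffer(chunk_data_size + 1)`; if `chunk_data_size` comes straight from the box header, a huge value still drives an unbounded allocation here, and whatever limit applies earlier in `parseChunk` (e.g. via `kMAX_ALLOCATION`) is outside the hunk and worth confirming. Rejecting a box of exactly 16 bytes as malformed, rather than storing zero-length art, is a behaviour choice the check makes silently; a comment such as `// Need at least one byte of art after the 16-byte data-box header.` would record it. `parseChunk` starts and ends outside the hunk.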


@ -0,0 +1,37 @@
From 0221ef0c389bff196ff59fa18232467d3648b926 Mon Sep 17 00:00:00 2001
From: Gerald Squelart <gsquelart@mozilla.com>
Date: Wed, 9 Dec 2015 10:00:32 +0100
Subject: [PATCH] Bug 1216748 - p4. Check other Metadata::setData uses -
r=rillian, a=sylvestre
Found only one other use that needed better checks: the size of the pssh
data was only checked after all items were added up; so it would be
possible to create a set of big items such that they create an overflow,
but the final sum looks reasonable.
Instead each item size should be checked, and the sum should also be
checked at each step.
---
.../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
index a69fc14..413a495 100644
--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
@@ -511,9 +511,10 @@ status_t MPEG4Extractor::readMetaData() {
uint64_t psshsize = 0;
for (size_t i = 0; i < mPssh.size(); i++) {
psshsize += 20 + mPssh[i].datalen;
- }
- if (psshsize > kMAX_ALLOCATION) {
- return ERROR_MALFORMED;
+ if (mPssh[i].datalen > kMAX_ALLOCATION - 20 ||
+ psshsize > kMAX_ALLOCATION) {
+ return ERROR_MALFORMED;
+ }
}
if (psshsize) {
char *buf = (char*)malloc(psshsize);
--
2.6.3
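Review bot: The per-item guard runs after `psshsize += 20 + mPssh[i].datalen` rather than before it, so the addition is performed on an unchecked `datalen` and only then rejected; with `psshsize` declared `uint64_t` the wrap is defined and the early return makes it harmless, but the order reads as if the check protected the sum it follows. Checking first is clearer: `if (mPssh[i].datalen > kMAX_ALLOCATION - 20) return ERROR_MALFORMED;` then `psshsize += 20 + mPssh[i].datalen;` then `if (psshsize > kMAX_ALLOCATION) return ERROR_MALFORMED;`. This assumes `datalen` is no wider than `psshsize`; its declaration is outside the hunk. `readMetaData` continues beyond the hunk.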