b7178dc45d
Actually, CVE-2015-0801 and CVE-2015-0816 were already patched in 4c153a9125, but the corresponding CVEs
were not yet announced.
* gnu/packages/patches/icecat-bug-1146339.patch: Rename to ...
* gnu/packages/patches/icecat-CVE-2015-0801.patch: ... this.
* gnu/packages/patches/icecat-bug-1144991.patch: Rename to ...
* gnu/packages/patches/icecat-CVE-2015-0816.patch: ... this.
* gnu/packages/patches/icecat-CVE-2015-0807.patch,
gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch,
gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch,
gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them, and adapt to renamed files.
* gnu/packages/gnuzilla.scm (icecat): Add patches, and adapt to renamed files.
From f6d39ec03896eaf5d30d79d8165263c98e957749 Mon Sep 17 00:00:00 2001
From: Nathan Froyd <froydnj@mozilla.com>
Date: Fri, 6 Feb 2015 16:19:36 -0500
Subject: [PATCH] Bug 1036515 - Narrow the scope of unlocking mMonitor in
nsTimerImpl::PostTimerEvents. r=bsmedberg, a=abillings
---
xpcom/threads/TimerThread.cpp | 55 ++++++++++++++++++++++---------------------
1 file changed, 28 insertions(+), 27 deletions(-)
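diff --git a/xpcom/threads/TimerThread.cpp b/xpcom/threads/TimerThread.cpp
index bd586c9..b95846f 100644
--- a/xpcom/threads/TimerThread.cpp
+++ b/xpcom/threads/TimerThread.cpp
@@ -239,43 +239,44 @@ NS_IMETHODIMP TimerThread::Run()
 RemoveTimerInternal(timer);
 timer = nullptr;
 
+#ifdef DEBUG_TIMERS
+ if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
+ PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
+ ("Timer thread woke up %fms from when it was supposed to\n",
+ fabs((now - timerRef->mTimeout).ToMilliseconds())));
+ }
+#endif
+
 {
 // We release mMonitor around the Fire call to avoid deadlock.
 MonitorAutoUnlock unlock(mMonitor);
 
-#ifdef DEBUG_TIMERS
- if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) {
- PR_LOG(GetTimerLog(), PR_LOG_DEBUG,
- ("Timer thread woke up %fms from when it was supposed to\n",
- fabs((now - timerRef->mTimeout).ToMilliseconds())));
- }
-#endif
 
 // We are going to let the call to PostTimerEvent here handle the
 // release of the timer so that we don't end up releasing the timer
 // on the TimerThread instead of on the thread it targets.
 timerRef = nsTimerImpl::PostTimerEvent(timerRef.forget());
+ }
 
- if (timerRef) {
- // We got our reference back due to an error.
- // Unhook the nsRefPtr, and release manually so we can get the
- // refcount.
- nsrefcnt rc = timerRef.forget().take()->Release();
- (void)rc;
-
- // The nsITimer interface requires that its users keep a reference
- // to the timers they use while those timers are initialized but
- // have not yet fired. If this ever happens, it is a bug in the
- // code that created and used the timer.
- //
- // Further, note that this should never happen even with a
- // misbehaving user, because nsTimerImpl::Release checks for a
- // refcount of 1 with an armed timer (a timer whose only reference
- // is from the timer thread) and when it hits this will remove the
- // timer from the timer thread and thus destroy the last reference,
- // preventing this situation from occurring.
- MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
- }
+ if (timerRef) {
+ // We got our reference back due to an error.
+ // Unhook the nsRefPtr, and release manually so we can get the
+ // refcount.
+ nsrefcnt rc = timerRef.forget().take()->Release();
+ (void)rc;
+
+ // The nsITimer interface requires that its users keep a reference
+ // to the timers they use while those timers are initialized but
+ // have not yet fired. If this ever happens, it is a bug in the
+ // code that created and used the timer.
+ //
+ // Further, note that this should never happen even with a
+ // misbehaving user, because nsTimerImpl::Release checks for a
+ // refcount of 1 with an armed timer (a timer whose only reference
+ // is from the timer thread) and when it hits this will remove the
+ // timer from the timer thread and thus destroy the last reference,
+ // preventing this situation from occurring.
+ MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!");
 }
 
 if (mShutdown)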
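Review bot: The relocated error path at `nsrefcnt rc = timerRef.forget().take()->Release();` now runs with mMonitor held, and nothing in the new code says why that is safe. The comment kept just below it notes that nsTimerImpl::Release can remove a timer from the timer thread, which presumably needs the same monitor, so the block should state the invariant it relies on, for example `// mMonitor is held here; the timer was already unhooked by RemoveTimerInternal() above, so Release() must not re-enter TimerThread.` (to be confirmed against nsTimerImpl::Release, which is not part of this hunk). The surviving comment `// We release mMonitor around the Fire call to avoid deadlock.` would also be clearer as `// Unlock mMonitor only around PostTimerEvent; timerRef is touched again only after the monitor is re-acquired.` TimerThread::Run starts and ends outside the hunk.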
--
2.2.1