Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2739.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2739.patch66
1 files changed, 66 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2739.patch b/gnu/packages/patches/icecat-CVE-2015-2739.patch
new file mode 100644
index 0000000000..9f70db8cf9
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2739.patch
@@ -0,0 +1,66 @@
+From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001
+From: Boris Zbarsky <bzbarsky@mit.edu>
+Date: Mon, 1 Jun 2015 16:59:26 -0700
+Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in
+ XHR. r=baku a=lizzard
+
+---
+ content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
+index 58a9ee0..56d1aa3 100644
+--- a/content/base/src/nsXMLHttpRequest.cpp
++++ b/content/base/src/nsXMLHttpRequest.cpp
+@@ -7,6 +7,7 @@
+ #include "nsXMLHttpRequest.h"
+
+ #include "mozilla/ArrayUtils.h"
++#include "mozilla/CheckedInt.h"
+ #include "mozilla/dom/XMLHttpRequestUploadBinding.h"
+ #include "mozilla/EventDispatcher.h"
+ #include "mozilla/EventListenerManager.h"
+@@ -3897,26 +3898,30 @@ bool
+ ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen,
+ uint32_t aMaxGrowth)
+ {
++ CheckedUint32 neededCapacity = mLength;
++ neededCapacity += aDataLen;
++ if (!neededCapacity.isValid()) {
++ return false;
++ }
+ if (mLength + aDataLen > mCapacity) {
+- uint32_t newcap;
++ CheckedUint32 newcap = mCapacity;
+ // Double while under aMaxGrowth or if not specified.
+ if (!aMaxGrowth || mCapacity < aMaxGrowth) {
+- newcap = mCapacity * 2;
++ newcap *= 2;
+ } else {
+- newcap = mCapacity + aMaxGrowth;
++ newcap += aMaxGrowth;
+ }
+
+- // But make sure there's always enough to satisfy our request.
+- if (newcap < mLength + aDataLen) {
+- newcap = mLength + aDataLen;
++ if (!newcap.isValid()) {
++ return false;
+ }
+
+- // Did we overflow?
+- if (newcap < mCapacity) {
+- return false;
++ // But make sure there's always enough to satisfy our request.
++ if (newcap.value() < neededCapacity.value()) {
++ newcap = neededCapacity;
+ }
+
+- if (!setCapacity(newcap)) {
++ if (!setCapacity(newcap.value())) {
+ return false;
+ }
+ }
+--
+2.4.3
+
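Review bot: The capacity test `if (mLength + aDataLen > mCapacity)` in ArrayBufferBuilder::append still recomputes the sum with raw uint32_t arithmetic, so it is safe only because of the `neededCapacity.isValid()` early return just above it. Writing it as `if (neededCapacity.value() > mCapacity) {` would keep every comparison on the checked value and make the guard harder to break in a later edit. Separately, when the doubling or the `+= aMaxGrowth` step overflows, `!newcap.isValid()` returns false even if `neededCapacity` itself fits in 32 bits, so an append that could be satisfied is refused. That fails closed, but a comment such as `// Growth overflowed: refuse rather than fall back to neededCapacity.` would make the choice explicit. The body of append continues past the end of the inner hunk, so the copy that consumes the new capacity is not visible here.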