summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/icecat-CVE-2015-2740.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-2740.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-2740.patch52
1 files changed, 52 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-2740.patch b/gnu/packages/patches/icecat-CVE-2015-2740.patch
new file mode 100644
index 0000000000..caafa52a23
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-2740.patch
@@ -0,0 +1,52 @@
+From ccbae7ff07c2e72c48e0676adaa3e798990f33a1 Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Tue, 23 Jun 2015 10:47:38 -0400
+Subject: [PATCH] Bug 1170809 - Improve the buffer size check in
+ nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings
+
+---
+ content/base/src/nsXMLHttpRequest.cpp | 15 +++++++++++----
+ 1 file changed, 11 insertions(+), 4 deletions(-)
+
+diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp
+index 56d1aa3..86425d7 100644
+--- a/content/base/src/nsXMLHttpRequest.cpp
++++ b/content/base/src/nsXMLHttpRequest.cpp
+@@ -655,13 +655,18 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
+ &destBufferLen);
+ NS_ENSURE_SUCCESS(rv, rv);
+
+- if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible_t())) {
++ uint32_t size = mResponseText.Length() + destBufferLen;
++ if (size < (uint32_t)destBufferLen) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
++
++ if (!mResponseText.SetCapacity(size, fallible_t())) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length();
+
+- int32_t totalChars = mResponseText.Length();
++ CheckedInt32 totalChars = mResponseText.Length();
+
+ // This code here is basically a copy of a similar thing in
+ // nsScanner::Append(const char* aBuffer, uint32_t aLen).
+@@ -674,9 +679,11 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer,
+ MOZ_ASSERT(NS_SUCCEEDED(rv));
+
+ totalChars += destlen;
++ if (!totalChars.isValid()) {
++ return NS_ERROR_OUT_OF_MEMORY;
++ }
+
+- mResponseText.SetLength(totalChars);
+-
++ mResponseText.SetLength(totalChars.value());
+ return NS_OK;
+ }
+
+--
+2.4.3
+
generated by cgit v1.2.3 (git 2.46.0) at 2024-08-23 03:48:00 +0000