aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2016-06-08 09:54:54 -0400
committerMark H Weaver <mhw@netris.org>2016-06-08 14:26:54 -0400
commit98d9182205e6655a0a55f1eadc84a0c9a1cdd9fa (patch)
treed834031fb13adc817f0b4227cb3e54d3ce5493b0 /gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch
parentc7c49446ebcc48c2b2136f4475ab66aecb63d18e (diff)
downloadgnu-guix-98d9182205e6655a0a55f1eadc84a0c9a1cdd9fa.tar
gnu-guix-98d9182205e6655a0a55f1eadc84a0c9a1cdd9fa.tar.gz
gnu: icecat: Add fixes for CVE-2016-{2818,2819,2821,2824,2828,2831}.
* gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch, gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch, gnu/packages/patches/icecat-CVE-2016-2819.patch, gnu/packages/patches/icecat-CVE-2016-2821.patch, gnu/packages/patches/icecat-CVE-2016-2824.patch, gnu/packages/patches/icecat-CVE-2016-2828.patch, gnu/packages/patches/icecat-CVE-2016-2831.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch188
1 files changed, 188 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch
new file mode 100644
index 0000000000..a72698cc0b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch
@@ -0,0 +1,188 @@
+ changeset: 312075:ee870911fabb
+ user: Timothy Nikkel <tnikkel@gmail.com>
+ Date: Wed May 04 16:12:48 2016 -0500
+ summary: Bug 1265577. r=mats, a=lizzard
+
+diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.cpp
+--- a/dom/base/nsFrameLoader.cpp Thu May 26 17:07:49 2016 -0400
++++ b/dom/base/nsFrameLoader.cpp Wed May 04 16:12:48 2016 -0500
+@@ -155,7 +155,7 @@
+ nsFrameLoader::nsFrameLoader(Element* aOwner, bool aNetworkCreated)
+ : mOwnerContent(aOwner)
+ , mAppIdSentToPermissionManager(nsIScriptSecurityManager::NO_APP_ID)
+- , mDetachedSubdocViews(nullptr)
++ , mDetachedSubdocFrame(nullptr)
+ , mIsPrerendered(false)
+ , mDepthTooGreat(false)
+ , mIsTopLevelContent(false)
+@@ -2507,18 +2507,18 @@
+ }
+
+ void
+-nsFrameLoader::SetDetachedSubdocView(nsView* aDetachedViews,
+- nsIDocument* aContainerDoc)
++nsFrameLoader::SetDetachedSubdocFrame(nsIFrame* aDetachedFrame,
++ nsIDocument* aContainerDoc)
+ {
+- mDetachedSubdocViews = aDetachedViews;
++ mDetachedSubdocFrame = aDetachedFrame;
+ mContainerDocWhileDetached = aContainerDoc;
+ }
+
+-nsView*
+-nsFrameLoader::GetDetachedSubdocView(nsIDocument** aContainerDoc) const
++nsIFrame*
++nsFrameLoader::GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const
+ {
+ NS_IF_ADDREF(*aContainerDoc = mContainerDocWhileDetached);
+- return mDetachedSubdocViews;
++ return mDetachedSubdocFrame.GetFrame();
+ }
+
+ void
+diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.h
+--- a/dom/base/nsFrameLoader.h Thu May 26 17:07:49 2016 -0400
++++ b/dom/base/nsFrameLoader.h Wed May 04 16:12:48 2016 -0500
+@@ -23,6 +23,7 @@
+ #include "mozilla/Attributes.h"
+ #include "FrameMetrics.h"
+ #include "nsStubMutationObserver.h"
++#include "nsIFrame.h"
+
+ class nsIURI;
+ class nsSubDocumentFrame;
+@@ -197,23 +198,23 @@
+ void SetRemoteBrowser(nsITabParent* aTabParent);
+
+ /**
+- * Stashes a detached view on the frame loader. We do this when we're
++ * Stashes a detached nsIFrame on the frame loader. We do this when we're
+ * destroying the nsSubDocumentFrame. If the nsSubdocumentFrame is
+- * being reframed we'll restore the detached view when it's recreated,
++ * being reframed we'll restore the detached nsIFrame when it's recreated,
+ * otherwise we'll discard the old presentation and set the detached
+- * subdoc view to null. aContainerDoc is the document containing the
++ * subdoc nsIFrame to null. aContainerDoc is the document containing the
+ * the subdoc frame. This enables us to detect when the containing
+ * document has changed during reframe, so we can discard the presentation
+ * in that case.
+ */
+- void SetDetachedSubdocView(nsView* aDetachedView,
+- nsIDocument* aContainerDoc);
++ void SetDetachedSubdocFrame(nsIFrame* aDetachedFrame,
++ nsIDocument* aContainerDoc);
+
+ /**
+- * Retrieves the detached view and the document containing the view,
+- * as set by SetDetachedSubdocView().
++ * Retrieves the detached nsIFrame and the document containing the nsIFrame,
++ * as set by SetDetachedSubdocFrame().
+ */
+- nsView* GetDetachedSubdocView(nsIDocument** aContainerDoc) const;
++ nsIFrame* GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const;
+
+ /**
+ * Applies a new set of sandbox flags. These are merged with the sandbox
+@@ -326,12 +327,12 @@
+ nsRefPtr<nsFrameMessageManager> mMessageManager;
+ nsCOMPtr<nsIInProcessContentFrameMessageManager> mChildMessageManager;
+ private:
+- // Stores the root view of the subdocument while the subdocument is being
++ // Stores the root frame of the subdocument while the subdocument is being
+ // reframed. Used to restore the presentation after reframing.
+- nsView* mDetachedSubdocViews;
++ nsWeakFrame mDetachedSubdocFrame;
+ // Stores the containing document of the frame corresponding to this
+ // frame loader. This is reference is kept valid while the subframe's
+- // presentation is detached and stored in mDetachedSubdocViews. This
++ // presentation is detached and stored in mDetachedSubdocFrame. This
+ // enables us to detect whether the frame has moved documents during
+ // a reframe, so that we know not to restore the presentation.
+ nsCOMPtr<nsIDocument> mContainerDocWhileDetached;
+diff -r 751208d22b91 -r ee870911fabb layout/generic/nsSubDocumentFrame.cpp
+--- a/layout/generic/nsSubDocumentFrame.cpp Thu May 26 17:07:49 2016 -0400
++++ b/layout/generic/nsSubDocumentFrame.cpp Wed May 04 16:12:48 2016 -0500
+@@ -130,13 +130,16 @@
+ nsRefPtr<nsFrameLoader> frameloader = FrameLoader();
+ if (frameloader) {
+ nsCOMPtr<nsIDocument> oldContainerDoc;
+- nsView* detachedViews =
+- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
+- frameloader->SetDetachedSubdocView(nullptr, nullptr);
+- if (detachedViews) {
+- if (oldContainerDoc == aContent->OwnerDoc()) {
++ nsIFrame* detachedFrame =
++ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc));
++ frameloader->SetDetachedSubdocFrame(nullptr, nullptr);
++ MOZ_ASSERT(oldContainerDoc || !detachedFrame);
++ if (oldContainerDoc) {
++ nsView* detachedView =
++ detachedFrame ? detachedFrame->GetView() : nullptr;
++ if (detachedView && oldContainerDoc == aContent->OwnerDoc()) {
+ // Restore stashed presentation.
+- ::InsertViewsInReverseOrder(detachedViews, mInnerView);
++ ::InsertViewsInReverseOrder(detachedView, mInnerView);
+ ::EndSwapDocShellsForViews(mInnerView->GetFirstChild());
+ } else {
+ // Presentation is for a different document, don't restore it.
+@@ -252,11 +255,12 @@
+ nsRefPtr<nsFrameLoader> frameloader = FrameLoader();
+ if (frameloader) {
+ nsCOMPtr<nsIDocument> oldContainerDoc;
+- nsView* detachedViews =
+- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
+- if (detachedViews) {
+- nsSize size = detachedViews->GetBounds().Size();
+- nsPresContext* presContext = detachedViews->GetFrame()->PresContext();
++ nsIFrame* detachedFrame =
++ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc));
++ nsView* view = detachedFrame ? detachedFrame->GetView() : nullptr;
++ if (view) {
++ nsSize size = view->GetBounds().Size();
++ nsPresContext* presContext = detachedFrame->PresContext();
+ return nsIntSize(presContext->AppUnitsToDevPixels(size.width),
+ presContext->AppUnitsToDevPixels(size.height));
+ }
+@@ -939,7 +943,7 @@
+
+ // Either the frame has been constructed by now, or it never will be,
+ // either way we want to clear the stashed views.
+- mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
++ mFrameLoader->SetDetachedSubdocFrame(nullptr, nullptr);
+
+ nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame());
+ if ((!frame && mHideViewerIfFrameless) ||
+@@ -974,15 +978,25 @@
+ RefPtr<nsFrameLoader> frameloader = FrameLoader();
+ if (frameloader) {
+ nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild());
+- frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc());
+
+- // We call nsFrameLoader::HideViewer() in a script runner so that we can
+- // safely determine whether the frame is being reframed or destroyed.
+- nsContentUtils::AddScriptRunner(
+- new nsHideViewer(mContent,
+- frameloader,
+- PresContext()->PresShell(),
+- (mDidCreateDoc || mCallingShow)));
++ if (detachedViews && detachedViews->GetFrame()) {
++ MOZ_ASSERT(mContent->OwnerDoc());
++ frameloader->SetDetachedSubdocFrame(
++ detachedViews->GetFrame(), mContent->OwnerDoc());
++
++ // We call nsFrameLoader::HideViewer() in a script runner so that we can
++ // safely determine whether the frame is being reframed or destroyed.
++ nsContentUtils::AddScriptRunner(
++ new nsHideViewer(mContent,
++ frameloader,
++ PresContext()->PresShell(),
++ (mDidCreateDoc || mCallingShow)));
++ } else {
++ frameloader->SetDetachedSubdocFrame(nullptr, nullptr);
++ if (mDidCreateDoc || mCallingShow) {
++ frameloader->Hide();
++ }
++ }
+ }
+
+ nsLeafFrame::DestroyFrom(aDestructRoot);