diff options
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2824.patch')
| -rw-r--r-- | gnu/packages/patches/icecat-CVE-2016-2824.patch | 85 |
1 files changed, 85 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2824.patch b/gnu/packages/patches/icecat-CVE-2016-2824.patch new file mode 100644 index 0000000000..72772ed15f --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-2824.patch @@ -0,0 +1,85 @@ + changeset: 312070:4b54feddf36c + user: JerryShih <hshih@mozilla.com> + Date: Wed May 25 16:27:41 2016 +0200 + summary: Bug 1248580 - strip the uploading element num according to the uniform array size. r=jgilbert a=ritu + +diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLContextValidate.cpp +--- a/dom/canvas/WebGLContextValidate.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/dom/canvas/WebGLContextValidate.cpp Wed May 25 16:27:41 2016 +0200 +@@ -1531,9 +1531,10 @@ + if (!loc->ValidateArrayLength(setterElemSize, setterArraySize, this, funcName)) + return false; + ++ MOZ_ASSERT((size_t)loc->mActiveInfo->mElemCount > loc->mArrayIndex); ++ size_t uniformElemCount = loc->mActiveInfo->mElemCount - loc->mArrayIndex; + *out_rawLoc = loc->mLoc; +- *out_numElementsToUpload = std::min((size_t)loc->mActiveInfo->mElemCount, +- setterArraySize / setterElemSize); ++ *out_numElementsToUpload = std::min(uniformElemCount, setterArraySize / setterElemSize); + return true; + } + +diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLProgram.cpp +--- a/dom/canvas/WebGLProgram.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/dom/canvas/WebGLProgram.cpp Wed May 25 16:27:41 2016 +0200 +@@ -510,8 +510,14 @@ + const NS_LossyConvertUTF16toASCII userName(userName_wide); + + nsDependentCString baseUserName; +- bool isArray; +- size_t arrayIndex; ++ bool isArray = false; ++ // GLES 2.0.25, Section 2.10, p35 ++ // If the the uniform location is an array, then the location of the first ++ // element of that array can be retrieved by either using the name of the ++ // uniform array, or the name of the uniform array appended with "[0]". ++ // The ParseName() can't recognize this rule. So always initialize ++ // arrayIndex with 0. ++ size_t arrayIndex = 0; + if (!ParseName(userName, &baseUserName, &isArray, &arrayIndex)) + return nullptr; + +@@ -536,7 +542,8 @@ + return nullptr; + + nsRefPtr<WebGLUniformLocation> locObj = new WebGLUniformLocation(mContext, LinkInfo(), +- loc, activeInfo); ++ loc, arrayIndex, ++ activeInfo); + return locObj.forget(); + } + +diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLUniformLocation.cpp +--- a/dom/canvas/WebGLUniformLocation.cpp Tue May 10 22:58:47 2016 -0500 ++++ b/dom/canvas/WebGLUniformLocation.cpp Wed May 25 16:27:41 2016 +0200 +@@ -16,10 +16,13 @@ + + WebGLUniformLocation::WebGLUniformLocation(WebGLContext* webgl, + const webgl::LinkedProgramInfo* linkInfo, +- GLuint loc, const WebGLActiveInfo* activeInfo) ++ GLuint loc, ++ size_t arrayIndex, ++ const WebGLActiveInfo* activeInfo) + : WebGLContextBoundObject(webgl) + , mLinkInfo(linkInfo) + , mLoc(loc) ++ , mArrayIndex(arrayIndex) + , mActiveInfo(activeInfo) + { } + +diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLUniformLocation.h +--- a/dom/canvas/WebGLUniformLocation.h Tue May 10 22:58:47 2016 -0500 ++++ b/dom/canvas/WebGLUniformLocation.h Wed May 25 16:27:41 2016 +0200 +@@ -41,10 +41,11 @@ + + const WeakPtr<const webgl::LinkedProgramInfo> mLinkInfo; + const GLuint mLoc; ++ const size_t mArrayIndex; + const WebGLActiveInfo* const mActiveInfo; + + WebGLUniformLocation(WebGLContext* webgl, const webgl::LinkedProgramInfo* linkInfo, +- GLuint loc, const WebGLActiveInfo* activeInfo); ++ GLuint loc, size_t arrayIndex, const WebGLActiveInfo* activeInfo); + + bool ValidateForProgram(WebGLProgram* prog, WebGLContext* webgl, + const char* funcName) const; |