path: root/gnu/packages/patches/icecat-CVE-2016-2828.patch

  changeset:   312096:dc190bd03d24
  tag:         FIREFOX_45_2_0esr_BUILD2
  tag:         FIREFOX_45_2_0esr_RELEASE
  user:        Jeff Gilbert <jgilbert@mozilla.com>
  Date:        Thu Apr 14 13:50:04 2016 -0700
  summary:     Bug 1224199 - Destroy SharedSurfaces before ~GLContext(). - r=jrmuizel a=lizzard

diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLBlitHelper.cpp
--- a/gfx/gl/GLBlitHelper.cpp	Mon Mar 07 11:51:12 2016 +0000
+++ b/gfx/gl/GLBlitHelper.cpp	Thu Apr 14 13:50:04 2016 -0700
@@ -172,6 +172,9 @@
 
 GLBlitHelper::~GLBlitHelper()
 {
+    if (!mGL->MakeCurrent())
+        return;
+
     DeleteTexBlitProgram();
 
     GLuint tex[] = {
diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLContext.cpp
--- a/gfx/gl/GLContext.cpp	Mon Mar 07 11:51:12 2016 +0000
+++ b/gfx/gl/GLContext.cpp	Thu Apr 14 13:50:04 2016 -0700
@@ -2079,12 +2079,13 @@
     if (IsDestroyed())
         return;
 
+    // Null these before they're naturally nulled after dtor, as we want GLContext to
+    // still be alive in *their* dtors.
+    mScreen = nullptr;
+    mBlitHelper = nullptr;
+    mReadTexImageHelper = nullptr;
+
     if (MakeCurrent()) {
-        DestroyScreenBuffer();
-
-        mBlitHelper = nullptr;
-        mReadTexImageHelper = nullptr;
-
         mTexGarbageBin->GLContextTeardown();
     } else {
         NS_WARNING("MakeCurrent() failed during MarkDestroyed! Skipping GL object teardown.");
@@ -2328,8 +2329,6 @@
         return false;
     }
 
-    DestroyScreenBuffer();
-
     // This will rebind to 0 (Screen) if needed when
     // it falls out of scope.
     ScopedBindFramebuffer autoFB(this);
@@ -2349,12 +2348,6 @@
 }
 
 void
-GLContext::DestroyScreenBuffer()
-{
-    mScreen = nullptr;
-}
-
-void
 GLContext::ForceDirtyScreen()
 {
     ScopedBindFramebuffer autoFB(0);
diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLContext.h
--- a/gfx/gl/GLContext.h	Mon Mar 07 11:51:12 2016 +0000
+++ b/gfx/gl/GLContext.h	Thu Apr 14 13:50:04 2016 -0700
@@ -3492,8 +3492,6 @@
     friend class GLScreenBuffer;
     UniquePtr<GLScreenBuffer> mScreen;
 
-    void DestroyScreenBuffer();
-
     SharedSurface* mLockedSurface;
 
 public:
diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLReadTexImageHelper.cpp
--- a/gfx/gl/GLReadTexImageHelper.cpp	Mon Mar 07 11:51:12 2016 +0000
+++ b/gfx/gl/GLReadTexImageHelper.cpp	Thu Apr 14 13:50:04 2016 -0700
@@ -31,6 +31,9 @@
 
 GLReadTexImageHelper::~GLReadTexImageHelper()
 {
+    if (!mGL->MakeCurrent())
+        return;
+
     mGL->fDeleteProgram(mPrograms[0]);
     mGL->fDeleteProgram(mPrograms[1]);
     mGL->fDeleteProgram(mPrograms[2]);
diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceANGLE.cpp
--- a/gfx/gl/SharedSurfaceANGLE.cpp	Mon Mar 07 11:51:12 2016 +0000
+++ b/gfx/gl/SharedSurfaceANGLE.cpp	Thu Apr 14 13:50:04 2016 -0700
@@ -120,8 +120,10 @@
 {
     mEGL->fDestroySurface(Display(), mPBuffer);
 
+    if (!mGL->MakeCurrent())
+        return;
+
     if (mFence) {
-        mGL->MakeCurrent();
         mGL->fDeleteFences(1, &mFence);
     }
 }
diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceEGL.cpp
--- a/gfx/gl/SharedSurfaceEGL.cpp	Mon Mar 07 11:51:12 2016 +0000
+++ b/gfx/gl/SharedSurfaceEGL.cpp	Thu Apr 14 13:50:04 2016 -0700
@@ -87,9 +87,12 @@
 {
     mEGL->fDestroyImage(Display(), mImage);
 
-    mGL->MakeCurrent();
-    mGL->fDeleteTextures(1, &mProdTex);
-    mProdTex = 0;
+    if (mSync) {
+        // We can't call this unless we have the ext, but we will always have
+        // the ext if we have something to destroy.
+        mEGL->fDestroySync(Display(), mSync);
+        mSync = 0;
+    }
 
     if (mConsTex) {
         MOZ_ASSERT(mGarbageBin);
@@ -97,12 +100,11 @@
         mConsTex = 0;
     }
 
-    if (mSync) {
-        // We can't call this unless we have the ext, but we will always have
-        // the ext if we have something to destroy.
-        mEGL->fDestroySync(Display(), mSync);
-        mSync = 0;
-    }
+    if (!mGL->MakeCurrent())
+        return;
+
+    mGL->fDeleteTextures(1, &mProdTex);
+    mProdTex = 0;
 }
 
 void
diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceGralloc.cpp
--- a/gfx/gl/SharedSurfaceGralloc.cpp	Mon Mar 07 11:51:12 2016 +0000
+++ b/gfx/gl/SharedSurfaceGralloc.cpp	Thu Apr 14 13:50:04 2016 -0700
@@ -154,7 +154,9 @@

     DEBUG_PRINT("[SharedSurface_Gralloc %p] destroyed\n", this);
 
-    mGL->MakeCurrent();
+    if (!mGL->MakeCurrent())
+        return;
+
     mGL->fDeleteTextures(1, &mProdTex);
 
     if (mSync) {
diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceIO.cpp
--- a/gfx/gl/SharedSurfaceIO.cpp	Mon Mar 07 11:51:12 2016 +0000
+++ b/gfx/gl/SharedSurfaceIO.cpp	Thu Apr 14 13:50:04 2016 -0700
@@ -111,11 +111,10 @@
 
 SharedSurface_IOSurface::~SharedSurface_IOSurface()
 {
-    if (mProdTex) {
-        DebugOnly<bool> success = mGL->MakeCurrent();
-        MOZ_ASSERT(success);
-        mGL->fDeleteTextures(1, &mProdTex);
-    }
+    if (!mGL->MakeCurrent())
+        return;
+
+    mGL->fDeleteTextures(1, &mProdTex);
 }
 
 ////////////////////////////////////////////////////////////////////////
diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/TextureGarbageBin.cpp
--- a/gfx/gl/TextureGarbageBin.cpp	Mon Mar 07 11:51:12 2016 +0000
+++ b/gfx/gl/TextureGarbageBin.cpp	Thu Apr 14 13:50:04 2016 -0700
@@ -36,6 +36,7 @@
     if (!mGL)
         return;
 
+    MOZ_RELEASE_ASSERT(mGL->IsCurrent());
     while (!mGarbageTextures.empty()) {
         GLuint tex = mGarbageTextures.top();
         mGarbageTextures.pop();