Added fix for mozbz#1436242 (rhbz#1577277) - Firefox IPC crashes

2 files changed, 62 insertions, 1 deletions

diff --git a/firefox.spec b/firefox.spec
index 95aad1a..ca3b69c 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -102,7 +102,7 @@
 Summary:        Mozilla Firefox Web browser
 Name:           firefox
 Version:        60.0.1
-Release:        2%{?pre_tag}%{?dist}
+Release:        3%{?pre_tag}%{?dist}
 URL:            https://www.mozilla.org/firefox/
 License:        MPLv1.1 or GPLv2+ or LGPLv2+
 Source0:        https://hg.mozilla.org/releases/mozilla-release/archive/firefox-%{version}%{?pre_version}.source.tar.xz
@@ -160,6 +160,7 @@ Patch414:        mozilla-1435212-ffmpeg-4.0.patch
 Patch415:        Bug-1238661---fix-mozillaSignalTrampoline-to-work-.patch
 Patch416:        mozilla-1424422.patch
 Patch417:        bug1375074-save-restore-x28.patch
+Patch418:        mozilla-1436242.patch
 
 Patch421:        complete-csd-window-offset-mozilla-1457691.patch
 
@@ -347,6 +348,7 @@ This package contains results of tests executed during build.
 %endif
 %patch416 -p1 -b .1424422
 %patch417 -p1 -b .bug1375074-save-restore-x28
+%patch418 -p1 -b .mozilla-1436242
 
 %patch421 -p1 -b .mozilla-1457691
 
@@ -906,6 +908,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 #---------------------------------------------------------------------
 
 %changelog
+* Fri May 25 2018 Martin Stransky <stransky@redhat.com> - 60.0.1-3
+- Added fix for mozbz#1436242 (rhbz#1577277) - Firefox IPC crashes.
+
 * Fri May 25 2018 Martin Stransky <stransky@redhat.com> - 60.0.1-2
 - Enable Wayland backend.
 
diff --git a/mozilla-1436242.patch b/mozilla-1436242.patch
new file mode 100644
index 0000000..570b7c5
--- /dev/null
+++ b/mozilla-1436242.patch
@@ -0,0 +1,56 @@
+
+# HG changeset patch
+# User Jed Davis <jld@mozilla.com>
+# Date 1526943705 21600
+# Node ID 6bb3adfa15c6877f7874429462dad88f8c978c4f
+# Parent  4c71c8454879c841871ecf3afb7dbdc96bad97fc
+Bug 1436242 - Avoid undefined behavior in IPC fd-passing code.  r=froydnj
+
+MozReview-Commit-ID: 3szIPUssgF5
+
+diff --git a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
+--- a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
++++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
+@@ -418,20 +418,37 @@ bool Channel::ChannelImpl::ProcessIncomi
+     const int* fds;
+     unsigned num_fds;
+     unsigned fds_i = 0;  // the index of the first unused descriptor
+ 
+     if (input_overflow_fds_.empty()) {
+       fds = wire_fds;
+       num_fds = num_wire_fds;
+     } else {
+-      const size_t prev_size = input_overflow_fds_.size();
+-      input_overflow_fds_.resize(prev_size + num_wire_fds);
+-      memcpy(&input_overflow_fds_[prev_size], wire_fds,
+-             num_wire_fds * sizeof(int));
++      // This code may look like a no-op in the case where
++      // num_wire_fds == 0, but in fact:
++      //
++      // 1. wire_fds will be nullptr, so passing it to memcpy is
++      // undefined behavior according to the C standard, even though
++      // the memcpy length is 0.
++      //
++      // 2. prev_size will be an out-of-bounds index for
++      // input_overflow_fds_; this is undefined behavior according to
++      // the C++ standard, even though the element only has its
++      // pointer taken and isn't accessed (and the corresponding
++      // operation on a C array would be defined).
++      //
++      // UBSan makes #1 a fatal error, and assertions in libstdc++ do
++      // the same for #2 if enabled.
++      if (num_wire_fds > 0) {
++        const size_t prev_size = input_overflow_fds_.size();
++        input_overflow_fds_.resize(prev_size + num_wire_fds);
++        memcpy(&input_overflow_fds_[prev_size], wire_fds,
++               num_wire_fds * sizeof(int));
++      }
+       fds = &input_overflow_fds_[0];
+       num_fds = input_overflow_fds_.size();
+     }
+ 
+     // The data for the message we're currently reading consists of any data
+     // stored in incoming_message_ followed by data in input_buf_ (followed by
+     // other messages).
+ 
+