Added fix for CVE-2017-5428, Added fix for mozbz#1158076

1 files changed, 88 insertions, 0 deletions

diff --git a/mozilla-1348168.patch b/mozilla-1348168.patch
new file mode 100644
index 0000000..e0627d2
--- /dev/null
+++ b/mozilla-1348168.patch
@@ -0,0 +1,88 @@
+
+# HG changeset patch
+# User Ehsan Akhgari <ehsan@mozilla.com>
+# Date 1489719163 14400
+# Node ID 4af7cd795eeef3bce2dd40d5a6e92d21304eaea1
+# Parent  dac467924a46c4bbff97c948bf4a7143dada2b19
+Bug 1348168 - Disable Mozilla custom ImageBitmap extensions that didn't go through proper API review; r=bzbarsky a=dveditz
+
+diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp
+--- a/dom/base/nsGlobalWindow.cpp
++++ b/dom/base/nsGlobalWindow.cpp
+@@ -14993,16 +14993,20 @@ nsGlobalWindow::CreateImageBitmap(const 
+ 
+ already_AddRefed<mozilla::dom::Promise>
+ nsGlobalWindow::CreateImageBitmap(const ImageBitmapSource& aImage,
+                                   int32_t aOffset, int32_t aLength,
+                                   ImageBitmapFormat aFormat,
+                                   const Sequence<ChannelPixelLayout>& aLayout,
+                                   ErrorResult& aRv)
+ {
++  if (!ImageBitmap::ExtensionsEnabled(nullptr, nullptr)) {
++    aRv.Throw(NS_ERROR_TYPE_ERR);
++    return nullptr;
++  }
+   if (aImage.IsArrayBuffer() || aImage.IsArrayBufferView()) {
+     return ImageBitmap::Create(this, aImage, aOffset, aLength, aFormat, aLayout,
+                                aRv);
+   } else {
+     aRv.Throw(NS_ERROR_TYPE_ERR);
+     return nullptr;
+   }
+ }
+diff --git a/dom/workers/WorkerScope.cpp b/dom/workers/WorkerScope.cpp
+--- a/dom/workers/WorkerScope.cpp
++++ b/dom/workers/WorkerScope.cpp
+@@ -471,16 +471,24 @@ WorkerGlobalScope::CreateImageBitmap(con
+ 
+ already_AddRefed<mozilla::dom::Promise>
+ WorkerGlobalScope::CreateImageBitmap(const ImageBitmapSource& aImage,
+                                      int32_t aOffset, int32_t aLength,
+                                      ImageBitmapFormat aFormat,
+                                      const Sequence<ChannelPixelLayout>& aLayout,
+                                      ErrorResult& aRv)
+ {
++  JSContext* cx = GetCurrentThreadJSContext();
++  MOZ_ASSERT(cx);
++
++  if (!ImageBitmap::ExtensionsEnabled(cx, nullptr)) {
++    aRv.Throw(NS_ERROR_TYPE_ERR);
++    return nullptr;
++  }
++
+   if (aImage.IsArrayBuffer() || aImage.IsArrayBufferView()) {
+     return ImageBitmap::Create(this, aImage, aOffset, aLength, aFormat, aLayout,
+                                aRv);
+   } else {
+     aRv.Throw(NS_ERROR_TYPE_ERR);
+     return nullptr;
+   }
+ }
+diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
+--- a/modules/libpref/init/all.js
++++ b/modules/libpref/init/all.js
+@@ -831,22 +831,18 @@ pref("ui.scrollToClick", 0);
+ pref("canvas.focusring.enabled", true);
+ pref("canvas.customfocusring.enabled", false);
+ pref("canvas.hitregions.enabled", false);
+ pref("canvas.filters.enabled", true);
+ // Add support for canvas path objects
+ pref("canvas.path.enabled", true);
+ pref("canvas.capturestream.enabled", true);
+ 
+-// Disable the ImageBitmap-extensions in the release build.
+-#ifdef RELEASE_OR_BETA
++// Disable the ImageBitmap-extensions for now.
+ pref("canvas.imagebitmap_extensions.enabled", false);
+-#else
+-pref("canvas.imagebitmap_extensions.enabled", true);
+-#endif
+ 
+ // We want the ability to forcibly disable platform a11y, because
+ // some non-a11y-related components attempt to bring it up.  See bug
+ // 538530 for details about Windows; we have a pref here that allows it
+ // to be disabled for performance and testing resons.
+ // See bug 761589 for the crossplatform aspect.
+ //
+ // This pref is checked only once, and the browser needs a restart to
+