diff options
| author | Martin Stransky <stransky@redhat.com> | 2018-08-28 12:40:57 +0200 |
|---|---|---|
| committer | Martin Stransky <stransky@redhat.com> | 2018-08-28 12:40:57 +0200 |
| commit | bd7726282836dc39fe7829db7363032ec272ed26 (patch) | |
| tree | e3b34257b58c850f543711e5462518df3c031193 /mozilla-1436242.patch | |
| parent | Added patches for mozbz#1427700 and mozbz#1463809 (diff) | |
| download | librewolf-fedora-ff-bd7726282836dc39fe7829db7363032ec272ed26.tar.gz librewolf-fedora-ff-bd7726282836dc39fe7829db7363032ec272ed26.tar.bz2 librewolf-fedora-ff-bd7726282836dc39fe7829db7363032ec272ed26.zip | |
Update to 62.0
Diffstat (limited to 'mozilla-1436242.patch')
| -rw-r--r-- | mozilla-1436242.patch | 56 |
1 files changed, 0 insertions, 56 deletions
diff --git a/mozilla-1436242.patch b/mozilla-1436242.patch deleted file mode 100644 index 570b7c5..0000000 --- a/mozilla-1436242.patch +++ /dev/null @@ -1,56 +0,0 @@ - -# HG changeset patch -# User Jed Davis <jld@mozilla.com> -# Date 1526943705 21600 -# Node ID 6bb3adfa15c6877f7874429462dad88f8c978c4f -# Parent 4c71c8454879c841871ecf3afb7dbdc96bad97fc -Bug 1436242 - Avoid undefined behavior in IPC fd-passing code. r=froydnj - -MozReview-Commit-ID: 3szIPUssgF5 - -diff --git a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc ---- a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc -+++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc -@@ -418,20 +418,37 @@ bool Channel::ChannelImpl::ProcessIncomi - const int* fds; - unsigned num_fds; - unsigned fds_i = 0; // the index of the first unused descriptor - - if (input_overflow_fds_.empty()) { - fds = wire_fds; - num_fds = num_wire_fds; - } else { -- const size_t prev_size = input_overflow_fds_.size(); -- input_overflow_fds_.resize(prev_size + num_wire_fds); -- memcpy(&input_overflow_fds_[prev_size], wire_fds, -- num_wire_fds * sizeof(int)); -+ // This code may look like a no-op in the case where -+ // num_wire_fds == 0, but in fact: -+ // -+ // 1. wire_fds will be nullptr, so passing it to memcpy is -+ // undefined behavior according to the C standard, even though -+ // the memcpy length is 0. -+ // -+ // 2. prev_size will be an out-of-bounds index for -+ // input_overflow_fds_; this is undefined behavior according to -+ // the C++ standard, even though the element only has its -+ // pointer taken and isn't accessed (and the corresponding -+ // operation on a C array would be defined). -+ // -+ // UBSan makes #1 a fatal error, and assertions in libstdc++ do -+ // the same for #2 if enabled. -+ if (num_wire_fds > 0) { -+ const size_t prev_size = input_overflow_fds_.size(); -+ input_overflow_fds_.resize(prev_size + num_wire_fds); -+ memcpy(&input_overflow_fds_[prev_size], wire_fds, -+ num_wire_fds * sizeof(int)); -+ } - fds = &input_overflow_fds_[0]; - num_fds = input_overflow_fds_.size(); - } - - // The data for the message we're currently reading consists of any data - // stored in incoming_message_ followed by data in input_buf_ (followed by - // other messages). - - |