summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--firefox.spec7
-rw-r--r--mozilla-1436242.patch56
2 files changed, 62 insertions, 1 deletions
diff --git a/firefox.spec b/firefox.spec
index 95aad1a..ca3b69c 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -102,7 +102,7 @@
Summary: Mozilla Firefox Web browser
Name: firefox
Version: 60.0.1
-Release: 2%{?pre_tag}%{?dist}
+Release: 3%{?pre_tag}%{?dist}
URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+
Source0: https://hg.mozilla.org/releases/mozilla-release/archive/firefox-%{version}%{?pre_version}.source.tar.xz
@@ -160,6 +160,7 @@ Patch414: mozilla-1435212-ffmpeg-4.0.patch
Patch415: Bug-1238661---fix-mozillaSignalTrampoline-to-work-.patch
Patch416: mozilla-1424422.patch
Patch417: bug1375074-save-restore-x28.patch
+Patch418: mozilla-1436242.patch
Patch421: complete-csd-window-offset-mozilla-1457691.patch
@@ -347,6 +348,7 @@ This package contains results of tests executed during build.
%endif
%patch416 -p1 -b .1424422
%patch417 -p1 -b .bug1375074-save-restore-x28
+%patch418 -p1 -b .mozilla-1436242
%patch421 -p1 -b .mozilla-1457691
@@ -906,6 +908,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
#---------------------------------------------------------------------
%changelog
+* Fri May 25 2018 Martin Stransky <stransky@redhat.com> - 60.0.1-3
+- Added fix for mozbz#1436242 (rhbz#1577277) - Firefox IPC crashes.
+
* Fri May 25 2018 Martin Stransky <stransky@redhat.com> - 60.0.1-2
- Enable Wayland backend.
diff --git a/mozilla-1436242.patch b/mozilla-1436242.patch
new file mode 100644
index 0000000..570b7c5
--- /dev/null
+++ b/mozilla-1436242.patch
@@ -0,0 +1,56 @@
+
+# HG changeset patch
+# User Jed Davis <jld@mozilla.com>
+# Date 1526943705 21600
+# Node ID 6bb3adfa15c6877f7874429462dad88f8c978c4f
+# Parent 4c71c8454879c841871ecf3afb7dbdc96bad97fc
+Bug 1436242 - Avoid undefined behavior in IPC fd-passing code. r=froydnj
+
+MozReview-Commit-ID: 3szIPUssgF5
+
+diff --git a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
+--- a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
++++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
+@@ -418,20 +418,37 @@ bool Channel::ChannelImpl::ProcessIncomi
+ const int* fds;
+ unsigned num_fds;
+ unsigned fds_i = 0; // the index of the first unused descriptor
+
+ if (input_overflow_fds_.empty()) {
+ fds = wire_fds;
+ num_fds = num_wire_fds;
+ } else {
+- const size_t prev_size = input_overflow_fds_.size();
+- input_overflow_fds_.resize(prev_size + num_wire_fds);
+- memcpy(&input_overflow_fds_[prev_size], wire_fds,
+- num_wire_fds * sizeof(int));
++ // This code may look like a no-op in the case where
++ // num_wire_fds == 0, but in fact:
++ //
++ // 1. wire_fds will be nullptr, so passing it to memcpy is
++ // undefined behavior according to the C standard, even though
++ // the memcpy length is 0.
++ //
++ // 2. prev_size will be an out-of-bounds index for
++ // input_overflow_fds_; this is undefined behavior according to
++ // the C++ standard, even though the element only has its
++ // pointer taken and isn't accessed (and the corresponding
++ // operation on a C array would be defined).
++ //
++ // UBSan makes #1 a fatal error, and assertions in libstdc++ do
++ // the same for #2 if enabled.
++ if (num_wire_fds > 0) {
++ const size_t prev_size = input_overflow_fds_.size();
++ input_overflow_fds_.resize(prev_size + num_wire_fds);
++ memcpy(&input_overflow_fds_[prev_size], wire_fds,
++ num_wire_fds * sizeof(int));
++ }
+ fds = &input_overflow_fds_[0];
+ num_fds = input_overflow_fds_.size();
+ }
+
+ // The data for the message we're currently reading consists of any data
+ // stored in incoming_message_ followed by data in input_buf_ (followed by
+ // other messages).
+
+
bgstack15