From 73321592e7455cf23e31284292b638ebc5c1481e Mon Sep 17 00:00:00 2001
From: Martin Stransky
Date: Wed, 22 Mar 2017 10:12:21 +0100
Subject: Added fix for CVE-2017-5428, Added fix for mozbz#1158076
---
mozilla-1348168.patch | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 88 insertions(+)
create mode 100644 mozilla-1348168.patch
(limited to 'mozilla-1348168.patch')
diff --git a/mozilla-1348168.patch b/mozilla-1348168.patch
new file mode 100644
index 0000000..e0627d2
--- /dev/null
+++ b/mozilla-1348168.patch
@@ -0,0 +1,88 @@
+
+# HG changeset patch
+# User Ehsan Akhgari
+# Date 1489719163 14400
+# Node ID 4af7cd795eeef3bce2dd40d5a6e92d21304eaea1
+# Parent dac467924a46c4bbff97c948bf4a7143dada2b19
+Bug 1348168 - Disable Mozilla custom ImageBitmap extensions that didn't go through proper API review; r=bzbarsky a=dveditz
+
+diff --git a/dom/base/nsGlobalWindow.cpp b/dom/base/nsGlobalWindow.cpp
+--- a/dom/base/nsGlobalWindow.cpp
++++ b/dom/base/nsGlobalWindow.cpp
+@@ -14993,16 +14993,20 @@ nsGlobalWindow::CreateImageBitmap(const
+
+ already_AddRefed
+ nsGlobalWindow::CreateImageBitmap(const ImageBitmapSource& aImage,
+ int32_t aOffset, int32_t aLength,
+ ImageBitmapFormat aFormat,
+ const Sequence& aLayout,
+ ErrorResult& aRv)
+ {
++ if (!ImageBitmap::ExtensionsEnabled(nullptr, nullptr)) {
++ aRv.Throw(NS_ERROR_TYPE_ERR);
++ return nullptr;
++ }
+ if (aImage.IsArrayBuffer() || aImage.IsArrayBufferView()) {
+ return ImageBitmap::Create(this, aImage, aOffset, aLength, aFormat, aLayout,
+ aRv);
+ } else {
+ aRv.Throw(NS_ERROR_TYPE_ERR);
+ return nullptr;
+ }
+ }
+diff --git a/dom/workers/WorkerScope.cpp b/dom/workers/WorkerScope.cpp
+--- a/dom/workers/WorkerScope.cpp
++++ b/dom/workers/WorkerScope.cpp
+@@ -471,16 +471,24 @@ WorkerGlobalScope::CreateImageBitmap(con
+
+ already_AddRefed
+ WorkerGlobalScope::CreateImageBitmap(const ImageBitmapSource& aImage,
+ int32_t aOffset, int32_t aLength,
+ ImageBitmapFormat aFormat,
+ const Sequence& aLayout,
+ ErrorResult& aRv)
+ {
++ JSContext* cx = GetCurrentThreadJSContext();
++ MOZ_ASSERT(cx);
++
++ if (!ImageBitmap::ExtensionsEnabled(cx, nullptr)) {
++ aRv.Throw(NS_ERROR_TYPE_ERR);
++ return nullptr;
++ }
++
+ if (aImage.IsArrayBuffer() || aImage.IsArrayBufferView()) {
+ return ImageBitmap::Create(this, aImage, aOffset, aLength, aFormat, aLayout,
+ aRv);
+ } else {
+ aRv.Throw(NS_ERROR_TYPE_ERR);
+ return nullptr;
+ }
+ }
+diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
+--- a/modules/libpref/init/all.js
++++ b/modules/libpref/init/all.js
+@@ -831,22 +831,18 @@ pref("ui.scrollToClick", 0);
+ pref("canvas.focusring.enabled", true);
+ pref("canvas.customfocusring.enabled", false);
+ pref("canvas.hitregions.enabled", false);
+ pref("canvas.filters.enabled", true);
+ // Add support for canvas path objects
+ pref("canvas.path.enabled", true);
+ pref("canvas.capturestream.enabled", true);
+
+-// Disable the ImageBitmap-extensions in the release build.
+-#ifdef RELEASE_OR_BETA
++// Disable the ImageBitmap-extensions for now.
+ pref("canvas.imagebitmap_extensions.enabled", false);
+-#else
+-pref("canvas.imagebitmap_extensions.enabled", true);
+-#endif
+
+ // We want the ability to forcibly disable platform a11y, because
+ // some non-a11y-related components attempt to bring it up. See bug
+ // 538530 for details about Windows; we have a pref here that allows it
+ // to be disabled for performance and testing resons.
+ // See bug 761589 for the crossplatform aspect.
+ //
+ // This pref is checked only once, and the browser needs a restart to
+
-- cgit
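Review bot: The new guards in `nsGlobalWindow::CreateImageBitmap` and `WorkerGlobalScope::CreateImageBitmap` only put the offset/length overload behind `canvas.imagebitmap_extensions.enabled`; with that pref set to true, `aOffset` and `aLength` are still handed to `ImageBitmap::Create` unchanged, so the patch mitigates CVE-2017-5428 by disabling the entry point rather than repairing the code behind it (whether `Create` bounds-checks them is not visible here). A comment next to the pref in all.js would keep it from being switched back casually, e.g. `// Keep false: the extended createImageBitmap overload is gated only by this pref (bug 1348168).` In the worker hunk `MOZ_ASSERT(cx)` is a debug-only check, so `if (!cx || !ImageBitmap::ExtensionsEnabled(cx, nullptr)) {` would make release builds fail closed as well. `ExtensionsEnabled` itself is outside the patch, so how it handles the `nullptr` context passed on the main thread is presumably fine but worth confirming.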