From 0897c8df934a6b26ec3b3b94ebb2732325289e07 Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Tue, 16 Feb 2021 20:08:42 -0800
Subject: [PATCH] #633: M1683627 M786797 and disable CSP reporting due to M1542194 and others

---
 dom/base/nsContentUtils.cpp | 8 ++++----
 dom/security/nsCSPContext.cpp | 5 +++++
 modules/libpref/init/all.js | 2 ++
 parser/html/nsHtml5MetaScanner.cpp | 3 ++-
 parser/html/nsHtml5Portability.cpp | 10 ++++++++++
 parser/html/nsHtml5Portability.h | 1 +
 parser/html/nsHtml5Tokenizer.cpp | 2 +-
 7 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp
index d11002859..fde265d8a 100644
--- a/dom/base/nsContentUtils.cpp
+++ b/dom/base/nsContentUtils.cpp
@@ -8807,10 +8807,6 @@ ShouldEscape(nsIContent* aParent)
 nsGkAtoms::style, nsGkAtoms::script, nsGkAtoms::xmp, nsGkAtoms::iframe, nsGkAtoms::noembed, nsGkAtoms::noframes, nsGkAtoms::plaintext,
- // Per the current spec noscript should be escaped in case
- // scripts are disabled or if document doesn't have
- // browsing context. However the latter seems to be a spec bug
- // and Gecko hasn't traditionally done the former.
 nsGkAtoms::noscript
 };
 static mozilla::BloomFilter<12, nsIAtom> sFilter;
@@ -8826,6 +8822,10 @@ ShouldEscape(nsIContent* aParent)
 if (sFilter.mightContain(tag)) {
 for (uint32_t i = 0; i < ArrayLength(nonEscapingElements); ++i) {
 if (tag == nonEscapingElements[i]) {
+ if (MOZ_UNLIKELY(tag == nsGkAtoms::noscript) &&
+ MOZ_UNLIKELY(!aParent->OwnerDoc()->IsScriptEnabled())) {
+ return true;
+ }
 return false;
 }
 }
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
index bf56ac853..bed50c9f3 100644
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
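Review bot: The new `return true` for noscript in ShouldEscape carries no comment, and the four comment lines removed in the previous hunk were the only explanation of why noscript sits in the non-escaping list at all, so a reader now meets an unexplained special case in a serialization decision. I would add above the inner `if`: `// With scripting disabled the parser treats <noscript> content as ordinary markup, so it must be escaped on serialization (the M786797 cited in the subject appears to be this fix).` As a point of style, the two wrapped conditions can be one hint, `if (MOZ_UNLIKELY(tag == nsGkAtoms::noscript && !aParent->OwnerDoc()->IsScriptEnabled())) {`. The loop and the function continue outside the hunk, so whether aParent is already dereferenced earlier (which would settle the null question) is not visible here.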
@@ -740,6 +740,11 @@ nsCSPContext::SendReports(nsISupports* aBlockedContentSource,
 nsAString& aScriptSample,
 uint32_t aLineNum)
 {
+ /* Due to unclear vulnerabilities in bug 1542194 and others, just don't. We probably don't do it right anymore anyway. -- Cameron */
+ if (!Preferences::GetBool("security.csp.sendreports", false))
+ return NS_OK;
+
 NS_ENSURE_ARG_MAX(aViolatedPolicyIndex, mPolicies.Length() - 1);

 #ifdef MOZ_B2G
diff --git a/modules/libpref/init/all.js b/modules/libpref/init/all.js
index 054037c21..00b731304 100644
--- a/modules/libpref/init/all.js
+++ b/modules/libpref/init/all.js
@@ -1978,6 +1978,8 @@ pref("security.notification_enable_delay", 500);
 pref("security.csp.enable", true);
 pref("security.csp.debug", false);
 pref("security.csp.experimentalEnabled", false);
+// see bug 1542194, etc.
+pref("security.csp.sendreports", false);

 // Default Content Security Policy to apply to privileged apps.
 pref("security.apps.privileged.CSP.default", "default-src * data: blob:; script-src 'self'; object-src 'none'; style-src 'self' 'unsafe-inline'");
diff --git a/parser/html/nsHtml5MetaScanner.cpp b/parser/html/nsHtml5MetaScanner.cpp
index 24f17b02b..9b3eff1f1 100644
--- a/parser/html/nsHtml5MetaScanner.cpp
+++ b/parser/html/nsHtml5MetaScanner.cpp
@@ -740,7 +740,8 @@ void
 nsHtml5MetaScanner::addToBuffer(int32_t c)
 {
 if (strBufLen == strBuf.length) {
- jArray newBuf = jArray::newJArray(strBuf.length + (strBuf.length << 1));
+ jArray newBuf = jArray::newJArray(
+ nsHtml5Portability::checkedAdd(strBuf.length, (strBuf.length << 1)));
 nsHtml5ArrayCopy::arraycopy(strBuf, newBuf, strBuf.length);
 strBuf = newBuf;
 }
diff --git a/parser/html/nsHtml5Portability.cpp b/parser/html/nsHtml5Portability.cpp
index 72f0d9ec5..b369d8041 100644
--- a/parser/html/nsHtml5Portability.cpp
+++ b/parser/html/nsHtml5Portability.cpp
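Review bot: The early return at the top of SendReports suppresses every report-uri request, including those of Content-Security-Policy-Report-Only policies, whose only effect visible to a site operator is that report, and the new comment explains neither that consequence nor how reporting is re-enabled. I would replace the informal comment with `// Report delivery is off unless security.csp.sendreports is set (bug 1542194): policies are still enforced, but no report-uri request is made, so report-only policies become silent to the site.` The same vagueness applies to `// see bug 1542194, etc.` in the all.js hunk, which could state what the pref gates instead of only citing the bug. Whether the violation is still logged to the console happens in the caller, outside this hunk, so I cannot confirm it here; worth checking so the early return does not hide violations from developers too. The rest of SendReports continues past the hunk.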
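Review bot: The new guard in addToBuffer covers only the addition: `strBuf.length << 1` is evaluated on a plain int32_t before checkedAdd sees it, so a length above 2^30 still overflows (signed overflow, undefined behaviour) and the checked sum merely receives a garbage operand. Running the whole growth through the helper closes the gap, `nsHtml5Portability::checkedAdd(strBuf.length, nsHtml5Portability::checkedAdd(strBuf.length, strBuf.length))`, and reads as "grow by 1.5x, checked" without the shift trick. Whether a buffer that large is reachable depends on the scanner's other limits, which are outside the hunk, but the helper is cheap and the call already pays for it once. The template arguments on jArray appear to have been stripped in this rendering; the point above does not depend on them.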
@@ -7,6 +7,16 @@
 #include "jArray.h"
 #include "nsHtml5Portability.h"
 #include "nsHtml5TreeBuilder.h"
+#include "mozilla/CheckedInt.h"
+
+int32_t
+nsHtml5Portability::checkedAdd(int32_t a, int32_t b) {
+ mozilla::CheckedInt sum(a);
+ sum += b;
+ MOZ_RELEASE_ASSERT(sum.isValid(),
+ "HTML input too large for signed 32-bit integer.");
+ return sum.value();
+}

 nsIAtom*
 nsHtml5Portability::newLocalNameFromBuffer(char16_t* buf, int32_t offset, int32_t length, nsHtml5AtomTable* interner)
diff --git a/parser/html/nsHtml5Portability.h b/parser/html/nsHtml5Portability.h
index a3214dd2f..a74e89f6a 100644
--- a/parser/html/nsHtml5Portability.h
+++ b/parser/html/nsHtml5Portability.h
@@ -58,6 +58,7 @@ class nsHtml5StateSnapshot;
 class nsHtml5Portability {
 public:
+ static int32_t checkedAdd(int32_t a, int32_t b);
 static nsIAtom* newLocalNameFromBuffer(char16_t* buf, int32_t offset, int32_t length, nsHtml5AtomTable* interner);
 static nsHtml5String newStringFromBuffer(char16_t* buf, int32_t offset,
diff --git a/parser/html/nsHtml5Tokenizer.cpp b/parser/html/nsHtml5Tokenizer.cpp
index 2f1033b87..80993880d 100644
--- a/parser/html/nsHtml5Tokenizer.cpp
+++ b/parser/html/nsHtml5Tokenizer.cpp
@@ -240,7 +240,7 @@ nsHtml5Tokenizer::emitStrBuf()
 void
 nsHtml5Tokenizer::appendStrBuf(char16_t* buffer, int32_t offset, int32_t length)
 {
- int32_t newLen = strBufLen + length;
+ int32_t newLen = nsHtml5Portability::checkedAdd(strBufLen, length);
 MOZ_ASSERT(newLen <= strBuf.length, "Previous buffer length insufficient.");
 if (MOZ_UNLIKELY(strBuf.length < newLen)) {
 if (MOZ_UNLIKELY(!EnsureBufferSpace(length))) {
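Review bot: checkedAdd converts an overflow into a MOZ_RELEASE_ASSERT, i.e. a deliberate process abort on content-controlled sizes rather than a recoverable error, and neither the definition nor the declaration added in the nsHtml5Portability.h hunk documents that contract, so a later caller may assume the failure can be handled. I would put above the declaration: `// Returns a + b, or aborts the process (release assert) if the sum does not fit in int32_t. Callers cannot recover; use it only where an out-of-range length has no graceful path.` As rendered here `mozilla::CheckedInt sum(a)` lacks its template argument; mozilla::CheckedInt is a class template, so presumably the source reads `mozilla::CheckedInt<int32_t> sum(a);` and the angle brackets were lost in extraction. A small point of style: the two-statement construction can be a single expression, `const mozilla::CheckedInt<int32_t> sum = mozilla::CheckedInt<int32_t>(a) + b;`, which also lets sum be const.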
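Review bot: The checked addition in appendStrBuf makes an oversized append a release abort, while the very next lines already have a non-fatal failure path (`EnsureBufferSpace(length)` returning false), so the same condition, no room for `length` more code units, now has two different outcomes depending on whether the sum happens to cross INT32_MAX; routing the overflow into the existing path keeps a page from taking the process down. One way, assuming mozilla/CheckedInt.h is available in this file, is `mozilla::CheckedInt<int32_t> checkedLen(strBufLen); checkedLen += length;` followed by `if (MOZ_UNLIKELY(!checkedLen.isValid() || strBuf.length < checkedLen.value())) {`, with newLen taken from checkedLen.value() once the growth path has succeeded. The function continues outside the hunk (both `if` blocks are still open), so the later uses of newLen and the body of EnsureBufferSpace, which presumably performs a similar addition, would need the same treatment. Separately, `MOZ_ASSERT(newLen <= strBuf.length, ...)` immediately followed by `if (strBuf.length < newLen)` asserts the growth branch unreachable in debug builds before it can run; that is pre-existing, but the new line now feeds into it and it deserves a look in the same change.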