Macintosh-SW
/
tenfourfox
mirror of https://github.com/classilla/tenfourfox.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

#566 and #651: update font blacklist, M1754724, M1758062, M1761026+backbugs, M1755555, M1663508, M1719215

This commit is contained in:
Cameron Kaiser 2022-04-30 19:46:57 -07:00
parent 0a9d355bee
commit 700da3e996
7 changed files with 235 additions and 38 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
dom/fetch/FetchDriver.cpp
View File

@ -617,9 +617,12 @@ FetchDriver::OnDataAvailable(nsIRequest* aRequest,
// NB: This can be called on any thread! But we're guaranteed that it is
// called between OnStartRequest and OnStopRequest, so we don't need to worry
// about races.
if (!mResponse) {
MOZ_ASSERT(false);
return NS_ERROR_UNEXPECTED;
}
uint32_t aRead;
MOZ_ASSERT(mResponse);
uint32_t aRead = 0;
MOZ_ASSERT(mPipeOutputStream);
nsresult rv = aInputStream->ReadSegments(NS_CopySegmentToStream,

30
dom/xslt/xslt/txMozillaXSLTProcessor.cpp
View File

@ -237,9 +237,10 @@ txToFragmentHandlerFactory::createHandlerWith(txOutputFormat* aFormat,
class txVariable : public txIGlobalParameter
{
public:
explicit txVariable(nsIVariant* aValue) : mValue(aValue)
explicit txVariable(nsIVariant* aValue, txAExprResult* aTxValue)
: mValue(aValue), mTxValue(aTxValue)
{
NS_ASSERTION(aValue, "missing value");
NS_ASSERTION(aValue && aTxValue, "missing value");
}
explicit txVariable(txAExprResult* aValue) : mTxValue(aValue)
{
@ -247,12 +248,7 @@ public:
}
nsresult getValue(txAExprResult** aValue)
{
NS_ASSERTION(mValue || mTxValue, "variablevalue is null");
if (!mTxValue) {
nsresult rv = Convert(mValue, getter_AddRefs(mTxValue));
NS_ENSURE_SUCCESS(rv, rv);
}
NS_ASSERTION(mTxValue, "variablevalue is null");
*aValue = mTxValue;
NS_ADDREF(*aValue);
@ -269,11 +265,11 @@ public:
{
return mValue;
}
void setValue(nsIVariant* aValue)
void setValue(nsIVariant* aValue, txAExprResult* aTxValue)
{
NS_ASSERTION(aValue, "setting variablevalue to null");
NS_ASSERTION(aValue && aTxValue, "setting variablevalue to null");
mValue = aValue;
mTxValue = nullptr;
mTxValue = aTxValue;
}
void setValue(txAExprResult* aValue)
{
@ -282,14 +278,14 @@ public:
mTxValue = aValue;
}
static nsresult Convert(nsIVariant* aValue, txAExprResult** aResult);
friend void ImplCycleCollectionUnlink(txVariable& aVariable);
friend void ImplCycleCollectionTraverse(
nsCycleCollectionTraversalCallback& aCallback, txVariable& aVariable,
const char* aName, uint32_t aFlags);
private:
static nsresult Convert(nsIVariant *aValue, txAExprResult** aResult);
nsCOMPtr<nsIVariant> mValue;
RefPtr<txAExprResult> mTxValue;
};
@ -949,13 +945,17 @@ txMozillaXSLTProcessor::SetParameter(const nsAString & aNamespaceURI,
nsCOMPtr<nsIAtom> localName = do_GetAtom(aLocalName);
txExpandedName varName(nsId, localName);
RefPtr<txAExprResult> txValue;
rv = txVariable::Convert(value, getter_AddRefs(txValue));
NS_ENSURE_SUCCESS(rv, rv);
txVariable* var = static_cast<txVariable*>(mVariables.get(varName));
if (var) {
var->setValue(value);
var->setValue(value, txValue);
return NS_OK;
}
var = new txVariable(value);
var = new txVariable(value, txValue);
return mVariables.add(varName, var);
}

15
gfx/2d/DrawTargetCairo.cpp
View File

@ -262,6 +262,15 @@ cairo_surface_t* GetAsImageSurface(cairo_surface_t* aSurface)
return nullptr;
}
// We're creating a subimage from the parent image's data (in aData) without
// altering that data or its stride. This constrains the values in aRect, and
// how they're used. Callers must see to it that the parent fully contains the
// subimage. Here we ensure that no clipping is done in the X dimension at the
// beginning of any line. (To do otherwise would require creating a copy of
// aData from parts of every line in aData (from aRect.Y() to aRect.Height()),
// and setting the copy to a different stride.) A non-zero aRect.X() is used
// only to specify the subimage's location in its parent (via
// cairo_surface_set_device_offset()). This change resolves bug 1719215.
cairo_surface_t* CreateSubImageForData(unsigned char* aData,
const IntRect& aRect,
int aStride,
@ -271,16 +280,14 @@ cairo_surface_t* CreateSubImageForData(unsigned char* aData,
gfxWarning() << "DrawTargetCairo.CreateSubImageForData null aData";
return nullptr;
}
unsigned char *data = aData +
aRect.y * aStride +
aRect.x * BytesPerPixel(aFormat);
unsigned char* data = aData + aRect.y * aStride;
cairo_surface_t *image =
cairo_image_surface_create_for_data(data,
GfxFormatToCairoFormat(aFormat),
aRect.width,
aRect.height,
aStride);
// Set the subimage's location in its parent
cairo_surface_set_device_offset(image, -aRect.x, -aRect.y);
return image;
}

2
gfx/thebes/gfxPlatformMac.cpp
View File

@ -345,6 +345,8 @@ gfxPlatformMac::IsFontFormatSupported(nsIURI *aFontURI, uint32_t aFormatFlags)
HTTP_OR_HTTPS_SUBDIR("hartzfacts.de", "/google-fonts/s/notoseriftc/v7/");
HTTP_OR_HTTPS_SUBDIR("som.yale.edu","/themes/custom/som/fonts/neuehaasunica/NeueHaasUnicaBlack");
// Check hostname and subpatterns (TenFourFox issue 477).
HOST_AND_KEY("www.latimes.com", "/fonts/KisFBDisplay-");
HOST_AND_KEY("www.nerdwallet.com", "Gotham-Book--critical");

189
parser/expat/lib/xmlparse.c
View File

@ -2719,10 +2719,35 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
/* get the attributes from the tokenizer */
n = XmlGetAttributes(enc, attStr, attsSize, atts);
/* Detect and prevent integer overflow */
if (n > INT_MAX - nDefaultAtts) {
return XML_ERROR_NO_MEMORY;
}
if (n + nDefaultAtts > attsSize) {
int oldAttsSize = attsSize;
ATTRIBUTE *temp;
/* Detect and prevent integer overflow */
if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE)
|| (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) {
return XML_ERROR_NO_MEMORY;
}
attsSize = n + nDefaultAtts + INIT_ATTS_SIZE;
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) {
parser->m_attsSize = oldAttsSize;
return XML_ERROR_NO_MEMORY;
}
#endif
temp = (ATTRIBUTE *)REALLOC((void *)atts, attsSize * sizeof(ATTRIBUTE));
if (temp == NULL)
return XML_ERROR_NO_MEMORY;
@ -2868,10 +2893,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
/* END MOZILLA CHANGE */
int j; /* hash table index */
unsigned long version = nsAttsVersion;
int nsAttsSize = (int)1 << nsAttsPower;
/* Detect and prevent invalid shift */
if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) {
return XML_ERROR_NO_MEMORY;
}
unsigned int nsAttsSize = 1u << nsAttsPower;
/* BEGIN MOZILLA CHANGE (Include xmlns attributes in attributes array) */
if (nPrefixes) {
/* END MOZILLA CHANGE */
unsigned char oldNsAttsPower = parser->m_nsAttsPower;
/* size of hash table must be at least 2 * (# of prefixed attributes) */
if ((nPrefixes << 1) >> nsAttsPower) { /* true for nsAttsPower = 0 */
NS_ATT *temp;
@ -2879,7 +2911,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
while (nPrefixes >> nsAttsPower++);
if (nsAttsPower < 3)
nsAttsPower = 3;
nsAttsSize = (int)1 << nsAttsPower;
/* Detect and prevent invalid shift */
if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) {
/* Restore actual size of memory in m_nsAtts */
parser->m_nsAttsPower = oldNsAttsPower;
return XML_ERROR_NO_MEMORY;
}
nsAttsSize = 1u << parser->m_nsAttsPower;
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) {
/* Restore actual size of memory in m_nsAtts */
parser->m_nsAttsPower = oldNsAttsPower;
return XML_ERROR_NO_MEMORY;
}
#endif
temp = (NS_ATT *)REALLOC(nsAtts, nsAttsSize * sizeof(NS_ATT));
if (!temp)
return XML_ERROR_NO_MEMORY;
@ -3065,9 +3118,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc,
tagNamePtr->prefixLen = prefixLen;
for (i = 0; localPart[i++];)
; /* i includes null terminator */
/* Detect and prevent integer overflow */
if (binding->uriLen > INT_MAX - prefixLen
|| i > INT_MAX - (binding->uriLen + prefixLen)) {
return XML_ERROR_NO_MEMORY;
}
n = i + binding->uriLen + prefixLen;
if (n > binding->uriAlloc) {
TAG *p;
/* Detect and prevent integer overflow */
if (n > INT_MAX - EXPAND_SPARE) {
return XML_ERROR_NO_MEMORY;
}
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
return XML_ERROR_NO_MEMORY;
}
#endif
uri = (XML_Char *)MALLOC((n + EXPAND_SPARE) * sizeof(XML_Char));
if (!uri)
return XML_ERROR_NO_MEMORY;
@ -3164,6 +3239,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
if (freeBindingList) {
b = freeBindingList;
if (len > b->uriAlloc) {
/* Detect and prevent integer overflow */
if (len > INT_MAX - EXPAND_SPARE) {
return XML_ERROR_NO_MEMORY;
}
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
return XML_ERROR_NO_MEMORY;
}
#endif
XML_Char *temp = (XML_Char *)REALLOC(b->uri,
sizeof(XML_Char) * (len + EXPAND_SPARE));
if (temp == NULL)
@ -3177,6 +3267,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId,
b = (BINDING *)MALLOC(sizeof(BINDING));
if (!b)
return XML_ERROR_NO_MEMORY;
/* Detect and prevent integer overflow */
if (len > INT_MAX - EXPAND_SPARE) {
return XML_ERROR_NO_MEMORY;
}
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) {
return XML_ERROR_NO_MEMORY;
}
#endif
b->uri = (XML_Char *)MALLOC(sizeof(XML_Char) * (len + EXPAND_SPARE));
if (!b->uri) {
FREE(b);
@ -4458,11 +4563,26 @@ doProlog(XML_Parser parser,
case XML_ROLE_GROUP_OPEN:
if (prologState.level >= groupSize) {
if (groupSize) {
/* Detect and prevent integer overflow */
if (parser->m_groupSize > (unsigned int)(-1) / 2u) {
return XML_ERROR_NO_MEMORY;
}
char *temp = (char *)REALLOC(groupConnector, groupSize *= 2);
if (temp == NULL)
return XML_ERROR_NO_MEMORY;
groupConnector = temp;
if (dtd->scaffIndex) {
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) {
return XML_ERROR_NO_MEMORY;
}
#endif
int *temp = (int *)REALLOC(dtd->scaffIndex,
groupSize * sizeof(int));
if (temp == NULL)
@ -5425,7 +5545,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata,
}
else {
DEFAULT_ATTRIBUTE *temp;
/* Detect and prevent integer overflow */
if (type->allocDefaultAtts > INT_MAX / 2) {
return 0;
}
int count = type->allocDefaultAtts * 2;
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) {
return 0;
}
#endif
temp = (DEFAULT_ATTRIBUTE *)
REALLOC(type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE)));
if (temp == NULL)
@ -6049,8 +6186,20 @@ lookup(HASH_TABLE *table, KEY name, size_t createSize)
/* check for overflow (table is half full) */
if (table->used >> (table->power - 1)) {
unsigned char newPower = table->power + 1;
/* Detect and prevent invalid shift */
if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) {
return NULL;
}
size_t newSize = (size_t)1 << newPower;
unsigned long newMask = (unsigned long)newSize - 1;
/* Detect and prevent integer overflow */
if (newSize > (size_t)(-1) / sizeof(NAMED *)) {
return NULL;
}
size_t tsize = newSize * sizeof(NAMED *);
NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize);
if (!newV)
@ -6331,6 +6480,20 @@ nextScaffoldPart(XML_Parser parser)
if (dtd->scaffCount >= dtd->scaffSize) {
CONTENT_SCAFFOLD *temp;
if (dtd->scaffold) {
/* Detect and prevent integer overflow */
if (dtd->scaffSize > UINT_MAX / 2u) {
return -1;
}
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) {
return -1;
}
#endif
temp = (CONTENT_SCAFFOLD *)
REALLOC(dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD));
if (temp == NULL)
@ -6407,8 +6570,26 @@ build_model (XML_Parser parser)
XML_Content *ret;
XML_Content *cpos;
XML_Char * str;
int allocsize = (dtd->scaffCount * sizeof(XML_Content)
+ (dtd->contentStringLen * sizeof(XML_Char)));
/* Detect and prevent integer overflow.
* The preprocessor guard addresses the "always false" warning
* from -Wtype-limits on platforms where
* sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */
#if UINT_MAX >= SIZE_MAX
if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) {
return NULL;
}
if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) {
return NULL;
}
#endif
if (dtd->scaffCount * sizeof(XML_Content)
> (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) {
return NULL;
}
const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content)
+ (dtd->contentStringLen * sizeof(XML_Char)));
ret = (XML_Content *)MALLOC(allocsize);
if (!ret)

28
security/nss/lib/pki/trustdomain.c
View File

@ -11,6 +11,7 @@
#endif /* PKIM_H */
#include "cert.h"
#include "dev3hack.h"
#include "pki3hack.h"
#include "pk11pub.h"
#include "nssrwlk.h"
@ -61,11 +62,14 @@ static void
token_destructor(void *t)
{
NSSToken *tok = (NSSToken *)t;
/* The token holds the first/last reference to the slot.
* When the token is actually destroyed (ref count == 0),
* the slot will also be destroyed.
*/
nssToken_Destroy(tok);
/* Remove the token list's reference to the token */
(void)nssToken_Destroy(tok);
/* Signal that the slot should not give out any more references to the
* token. The token might still have a positive refcount after this call.
* The token has a reference to the slot, so the slot will not be destroyed
* until after the token's refcount drops to 0. */
PK11Slot_SetNSSToken(tok->pk11slot, NULL);
}
NSS_IMPLEMENT PRStatus
@ -127,7 +131,6 @@ nssTrustDomain_GetActiveSlots(
return NULL;
}
nssList_GetArray(td->tokenList, (void **)tokens, count);
NSSRWLock_UnlockRead(td->tokensLock);
count = 0;
for (tp = tokens; *tp; tp++) {
NSSSlot *slot = nssToken_GetSlot(*tp);
@ -137,6 +140,7 @@ nssTrustDomain_GetActiveSlots(
nssSlot_Destroy(slot);
}
}
NSSRWLock_UnlockRead(td->tokensLock);
nss_ZFreeIf(tokens);
if (!count) {
nss_ZFreeIf(slots);
@ -469,7 +473,7 @@ nssTrustDomain_FindCertificatesByNickname(
numRemaining,
&status);
}
nssToken_Destroy(token);
(void)nssToken_Destroy(token);
if (status != PR_SUCCESS) {
errors++;
continue;
@ -618,7 +622,7 @@ nssTrustDomain_FindCertificatesBySubject(
numRemaining,
&status);
}
nssToken_Destroy(token);
(void)nssToken_Destroy(token);
if (status != PR_SUCCESS) {
errors++;
continue;
@ -779,7 +783,7 @@ nssTrustDomain_FindCertificateByIssuerAndSerialNumber(
tokenOnly,
&status);
}
nssToken_Destroy(token);
(void)nssToken_Destroy(token);
if (status != PR_SUCCESS) {
continue;
}
@ -1022,7 +1026,7 @@ NSSTrustDomain_TraverseCertificates(
collector,
collection);
}
nssToken_Destroy(token);
(void)nssToken_Destroy(token);
}
}
@ -1076,7 +1080,7 @@ nssTrustDomain_FindTrustForCertificate(
nssCryptokiObject_Destroy(to);
}
}
nssToken_Destroy(token);
(void)nssToken_Destroy(token);
}
}
if (pkio) {
@ -1126,7 +1130,7 @@ nssTrustDomain_FindCRLsBySubject(
instances = nssToken_FindCRLsBySubject(token, session, subject,
tokenOnly, 0, &status);
}
nssToken_Destroy(token);
(void)nssToken_Destroy(token);
if (status == PR_SUCCESS) {
/* add the found CRL's to the collection */
status = nssPKIObjectCollection_AddInstances(collection,

2
widget/cocoa/nsDragService.mm
View File

@ -43,7 +43,7 @@ extern bool gUserCancelledDrag;
// This global makes the transferable array available to Cocoa's promised
// file destination callback.
nsISupportsArray *gDraggedTransferables = nullptr;
mozilla::StaticRefPtr<nsISupportsArray> gDraggedTransferables;
NSString* const kWildcardPboardType = @"MozillaWildcard";
NSString* const kCorePboardType_url = @"CorePasteboardFlavorType 0x75726C20"; // 'url ' url