From 700da3e996fe8d33137e50c414e4441c4fad3ef6 Mon Sep 17 00:00:00 2001 From: Cameron Kaiser Date: Sat, 30 Apr 2022 19:46:57 -0700 Subject: [PATCH] #566 and #651: update font blacklist, M1754724, M1758062, M1761026+backbugs, M1755555, M1663508, M1719215 --- dom/fetch/FetchDriver.cpp | 7 +- dom/xslt/xslt/txMozillaXSLTProcessor.cpp | 30 ++-- gfx/2d/DrawTargetCairo.cpp | 15 +- gfx/thebes/gfxPlatformMac.cpp | 2 + parser/expat/lib/xmlparse.c | 189 ++++++++++++++++++++++- security/nss/lib/pki/trustdomain.c | 28 ++-- widget/cocoa/nsDragService.mm | 2 +- 7 files changed, 235 insertions(+), 38 deletions(-) diff --git a/dom/fetch/FetchDriver.cpp b/dom/fetch/FetchDriver.cpp index c08195d73..d0c34a3e3 100644 --- a/dom/fetch/FetchDriver.cpp +++ b/dom/fetch/FetchDriver.cpp @@ -617,9 +617,12 @@ FetchDriver::OnDataAvailable(nsIRequest* aRequest, // NB: This can be called on any thread! But we're guaranteed that it is // called between OnStartRequest and OnStopRequest, so we don't need to worry // about races. + if (!mResponse) { + MOZ_ASSERT(false); + return NS_ERROR_UNEXPECTED; + } - uint32_t aRead; - MOZ_ASSERT(mResponse); + uint32_t aRead = 0; MOZ_ASSERT(mPipeOutputStream); nsresult rv = aInputStream->ReadSegments(NS_CopySegmentToStream, diff --git a/dom/xslt/xslt/txMozillaXSLTProcessor.cpp b/dom/xslt/xslt/txMozillaXSLTProcessor.cpp index 026c20add..1418d1fef 100644 --- a/dom/xslt/xslt/txMozillaXSLTProcessor.cpp +++ b/dom/xslt/xslt/txMozillaXSLTProcessor.cpp @@ -237,9 +237,10 @@ txToFragmentHandlerFactory::createHandlerWith(txOutputFormat* aFormat, class txVariable : public txIGlobalParameter { public: - explicit txVariable(nsIVariant* aValue) : mValue(aValue) + explicit txVariable(nsIVariant* aValue, txAExprResult* aTxValue) + : mValue(aValue), mTxValue(aTxValue) { - NS_ASSERTION(aValue, "missing value"); + NS_ASSERTION(aValue && aTxValue, "missing value"); } explicit txVariable(txAExprResult* aValue) : mTxValue(aValue) { @@ -247,12 +248,7 @@ public: } nsresult getValue(txAExprResult** aValue) { - NS_ASSERTION(mValue || mTxValue, "variablevalue is null"); - - if (!mTxValue) { - nsresult rv = Convert(mValue, getter_AddRefs(mTxValue)); - NS_ENSURE_SUCCESS(rv, rv); - } + NS_ASSERTION(mTxValue, "variablevalue is null"); *aValue = mTxValue; NS_ADDREF(*aValue); @@ -269,11 +265,11 @@ public: { return mValue; } - void setValue(nsIVariant* aValue) + void setValue(nsIVariant* aValue, txAExprResult* aTxValue) { - NS_ASSERTION(aValue, "setting variablevalue to null"); + NS_ASSERTION(aValue && aTxValue, "setting variablevalue to null"); mValue = aValue; - mTxValue = nullptr; + mTxValue = aTxValue; } void setValue(txAExprResult* aValue) { @@ -282,14 +278,14 @@ public: mTxValue = aValue; } + static nsresult Convert(nsIVariant* aValue, txAExprResult** aResult); + friend void ImplCycleCollectionUnlink(txVariable& aVariable); friend void ImplCycleCollectionTraverse( nsCycleCollectionTraversalCallback& aCallback, txVariable& aVariable, const char* aName, uint32_t aFlags); private: - static nsresult Convert(nsIVariant *aValue, txAExprResult** aResult); - nsCOMPtr mValue; RefPtr mTxValue; }; @@ -949,13 +945,17 @@ txMozillaXSLTProcessor::SetParameter(const nsAString & aNamespaceURI, nsCOMPtr localName = do_GetAtom(aLocalName); txExpandedName varName(nsId, localName); + RefPtr txValue; + rv = txVariable::Convert(value, getter_AddRefs(txValue)); + NS_ENSURE_SUCCESS(rv, rv); + txVariable* var = static_cast(mVariables.get(varName)); if (var) { - var->setValue(value); + var->setValue(value, txValue); return NS_OK; } - var = new txVariable(value); + var = new txVariable(value, txValue); return mVariables.add(varName, var); } diff --git a/gfx/2d/DrawTargetCairo.cpp b/gfx/2d/DrawTargetCairo.cpp index d930561dd..f5dc39582 100644 --- a/gfx/2d/DrawTargetCairo.cpp +++ b/gfx/2d/DrawTargetCairo.cpp @@ -262,6 +262,15 @@ cairo_surface_t* GetAsImageSurface(cairo_surface_t* aSurface) return nullptr; } +// We're creating a subimage from the parent image's data (in aData) without +// altering that data or its stride. This constrains the values in aRect, and +// how they're used. Callers must see to it that the parent fully contains the +// subimage. Here we ensure that no clipping is done in the X dimension at the +// beginning of any line. (To do otherwise would require creating a copy of +// aData from parts of every line in aData (from aRect.Y() to aRect.Height()), +// and setting the copy to a different stride.) A non-zero aRect.X() is used +// only to specify the subimage's location in its parent (via +// cairo_surface_set_device_offset()). This change resolves bug 1719215. cairo_surface_t* CreateSubImageForData(unsigned char* aData, const IntRect& aRect, int aStride, @@ -271,16 +280,14 @@ cairo_surface_t* CreateSubImageForData(unsigned char* aData, gfxWarning() << "DrawTargetCairo.CreateSubImageForData null aData"; return nullptr; } - unsigned char *data = aData + - aRect.y * aStride + - aRect.x * BytesPerPixel(aFormat); - + unsigned char* data = aData + aRect.y * aStride; cairo_surface_t *image = cairo_image_surface_create_for_data(data, GfxFormatToCairoFormat(aFormat), aRect.width, aRect.height, aStride); + // Set the subimage's location in its parent cairo_surface_set_device_offset(image, -aRect.x, -aRect.y); return image; } diff --git a/gfx/thebes/gfxPlatformMac.cpp b/gfx/thebes/gfxPlatformMac.cpp index 80159985f..5e547642e 100644 --- a/gfx/thebes/gfxPlatformMac.cpp +++ b/gfx/thebes/gfxPlatformMac.cpp @@ -345,6 +345,8 @@ gfxPlatformMac::IsFontFormatSupported(nsIURI *aFontURI, uint32_t aFormatFlags) HTTP_OR_HTTPS_SUBDIR("hartzfacts.de", "/google-fonts/s/notoseriftc/v7/"); + HTTP_OR_HTTPS_SUBDIR("som.yale.edu","/themes/custom/som/fonts/neuehaasunica/NeueHaasUnicaBlack"); + // Check hostname and subpatterns (TenFourFox issue 477). HOST_AND_KEY("www.latimes.com", "/fonts/KisFBDisplay-"); HOST_AND_KEY("www.nerdwallet.com", "Gotham-Book--critical"); diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c index 3f835f85d..0025c8c34 100644 --- a/parser/expat/lib/xmlparse.c +++ b/parser/expat/lib/xmlparse.c @@ -2719,10 +2719,35 @@ storeAtts(XML_Parser parser, const ENCODING *enc, /* get the attributes from the tokenizer */ n = XmlGetAttributes(enc, attStr, attsSize, atts); + + /* Detect and prevent integer overflow */ + if (n > INT_MAX - nDefaultAtts) { + return XML_ERROR_NO_MEMORY; + } + if (n + nDefaultAtts > attsSize) { int oldAttsSize = attsSize; ATTRIBUTE *temp; + + /* Detect and prevent integer overflow */ + if ((nDefaultAtts > INT_MAX - INIT_ATTS_SIZE) + || (n > INT_MAX - (nDefaultAtts + INIT_ATTS_SIZE))) { + return XML_ERROR_NO_MEMORY; + } + attsSize = n + nDefaultAtts + INIT_ATTS_SIZE; + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)parser->m_attsSize > (size_t)(-1) / sizeof(ATTRIBUTE)) { + parser->m_attsSize = oldAttsSize; + return XML_ERROR_NO_MEMORY; + } +#endif + temp = (ATTRIBUTE *)REALLOC((void *)atts, attsSize * sizeof(ATTRIBUTE)); if (temp == NULL) return XML_ERROR_NO_MEMORY; @@ -2868,10 +2893,17 @@ storeAtts(XML_Parser parser, const ENCODING *enc, /* END MOZILLA CHANGE */ int j; /* hash table index */ unsigned long version = nsAttsVersion; - int nsAttsSize = (int)1 << nsAttsPower; + + /* Detect and prevent invalid shift */ + if (parser->m_nsAttsPower >= sizeof(unsigned int) * 8 /* bits per byte */) { + return XML_ERROR_NO_MEMORY; + } + + unsigned int nsAttsSize = 1u << nsAttsPower; /* BEGIN MOZILLA CHANGE (Include xmlns attributes in attributes array) */ if (nPrefixes) { /* END MOZILLA CHANGE */ + unsigned char oldNsAttsPower = parser->m_nsAttsPower; /* size of hash table must be at least 2 * (# of prefixed attributes) */ if ((nPrefixes << 1) >> nsAttsPower) { /* true for nsAttsPower = 0 */ NS_ATT *temp; @@ -2879,7 +2911,28 @@ storeAtts(XML_Parser parser, const ENCODING *enc, while (nPrefixes >> nsAttsPower++); if (nsAttsPower < 3) nsAttsPower = 3; - nsAttsSize = (int)1 << nsAttsPower; + + /* Detect and prevent invalid shift */ + if (parser->m_nsAttsPower >= sizeof(nsAttsSize) * 8 /* bits per byte */) { + /* Restore actual size of memory in m_nsAtts */ + parser->m_nsAttsPower = oldNsAttsPower; + return XML_ERROR_NO_MEMORY; + } + + nsAttsSize = 1u << parser->m_nsAttsPower; + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (nsAttsSize > (size_t)(-1) / sizeof(NS_ATT)) { + /* Restore actual size of memory in m_nsAtts */ + parser->m_nsAttsPower = oldNsAttsPower; + return XML_ERROR_NO_MEMORY; + } +#endif + temp = (NS_ATT *)REALLOC(nsAtts, nsAttsSize * sizeof(NS_ATT)); if (!temp) return XML_ERROR_NO_MEMORY; @@ -3065,9 +3118,31 @@ storeAtts(XML_Parser parser, const ENCODING *enc, tagNamePtr->prefixLen = prefixLen; for (i = 0; localPart[i++];) ; /* i includes null terminator */ + + /* Detect and prevent integer overflow */ + if (binding->uriLen > INT_MAX - prefixLen + || i > INT_MAX - (binding->uriLen + prefixLen)) { + return XML_ERROR_NO_MEMORY; + } + n = i + binding->uriLen + prefixLen; if (n > binding->uriAlloc) { TAG *p; + + /* Detect and prevent integer overflow */ + if (n > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; + } + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)(n + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { + return XML_ERROR_NO_MEMORY; + } +#endif + uri = (XML_Char *)MALLOC((n + EXPAND_SPARE) * sizeof(XML_Char)); if (!uri) return XML_ERROR_NO_MEMORY; @@ -3164,6 +3239,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, if (freeBindingList) { b = freeBindingList; if (len > b->uriAlloc) { + /* Detect and prevent integer overflow */ + if (len > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; + } + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { + return XML_ERROR_NO_MEMORY; + } +#endif + XML_Char *temp = (XML_Char *)REALLOC(b->uri, sizeof(XML_Char) * (len + EXPAND_SPARE)); if (temp == NULL) @@ -3177,6 +3267,21 @@ addBinding(XML_Parser parser, PREFIX *prefix, const ATTRIBUTE_ID *attId, b = (BINDING *)MALLOC(sizeof(BINDING)); if (!b) return XML_ERROR_NO_MEMORY; + + /* Detect and prevent integer overflow */ + if (len > INT_MAX - EXPAND_SPARE) { + return XML_ERROR_NO_MEMORY; + } + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)(len + EXPAND_SPARE) > (size_t)(-1) / sizeof(XML_Char)) { + return XML_ERROR_NO_MEMORY; + } +#endif + b->uri = (XML_Char *)MALLOC(sizeof(XML_Char) * (len + EXPAND_SPARE)); if (!b->uri) { FREE(b); @@ -4458,11 +4563,26 @@ doProlog(XML_Parser parser, case XML_ROLE_GROUP_OPEN: if (prologState.level >= groupSize) { if (groupSize) { + /* Detect and prevent integer overflow */ + if (parser->m_groupSize > (unsigned int)(-1) / 2u) { + return XML_ERROR_NO_MEMORY; + } + char *temp = (char *)REALLOC(groupConnector, groupSize *= 2); if (temp == NULL) return XML_ERROR_NO_MEMORY; groupConnector = temp; if (dtd->scaffIndex) { + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (parser->m_groupSize > (size_t)(-1) / sizeof(int)) { + return XML_ERROR_NO_MEMORY; + } +#endif + int *temp = (int *)REALLOC(dtd->scaffIndex, groupSize * sizeof(int)); if (temp == NULL) @@ -5425,7 +5545,24 @@ defineAttribute(ELEMENT_TYPE *type, ATTRIBUTE_ID *attId, XML_Bool isCdata, } else { DEFAULT_ATTRIBUTE *temp; + + /* Detect and prevent integer overflow */ + if (type->allocDefaultAtts > INT_MAX / 2) { + return 0; + } + int count = type->allocDefaultAtts * 2; + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if ((unsigned)count > (size_t)(-1) / sizeof(DEFAULT_ATTRIBUTE)) { + return 0; + } +#endif + temp = (DEFAULT_ATTRIBUTE *) REALLOC(type->defaultAtts, (count * sizeof(DEFAULT_ATTRIBUTE))); if (temp == NULL) @@ -6049,8 +6186,20 @@ lookup(HASH_TABLE *table, KEY name, size_t createSize) /* check for overflow (table is half full) */ if (table->used >> (table->power - 1)) { unsigned char newPower = table->power + 1; + + /* Detect and prevent invalid shift */ + if (newPower >= sizeof(unsigned long) * 8 /* bits per byte */) { + return NULL; + } + size_t newSize = (size_t)1 << newPower; unsigned long newMask = (unsigned long)newSize - 1; + + /* Detect and prevent integer overflow */ + if (newSize > (size_t)(-1) / sizeof(NAMED *)) { + return NULL; + } + size_t tsize = newSize * sizeof(NAMED *); NAMED **newV = (NAMED **)table->mem->malloc_fcn(tsize); if (!newV) @@ -6331,6 +6480,20 @@ nextScaffoldPart(XML_Parser parser) if (dtd->scaffCount >= dtd->scaffSize) { CONTENT_SCAFFOLD *temp; if (dtd->scaffold) { + /* Detect and prevent integer overflow */ + if (dtd->scaffSize > UINT_MAX / 2u) { + return -1; + } + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (dtd->scaffSize > (size_t)(-1) / 2u / sizeof(CONTENT_SCAFFOLD)) { + return -1; + } +#endif + temp = (CONTENT_SCAFFOLD *) REALLOC(dtd->scaffold, dtd->scaffSize * 2 * sizeof(CONTENT_SCAFFOLD)); if (temp == NULL) @@ -6407,8 +6570,26 @@ build_model (XML_Parser parser) XML_Content *ret; XML_Content *cpos; XML_Char * str; - int allocsize = (dtd->scaffCount * sizeof(XML_Content) - + (dtd->contentStringLen * sizeof(XML_Char))); + + /* Detect and prevent integer overflow. + * The preprocessor guard addresses the "always false" warning + * from -Wtype-limits on platforms where + * sizeof(unsigned int) < sizeof(size_t), e.g. on x86_64. */ +#if UINT_MAX >= SIZE_MAX + if (dtd->scaffCount > (size_t)(-1) / sizeof(XML_Content)) { + return NULL; + } + if (dtd->contentStringLen > (size_t)(-1) / sizeof(XML_Char)) { + return NULL; + } +#endif + if (dtd->scaffCount * sizeof(XML_Content) + > (size_t)(-1) - dtd->contentStringLen * sizeof(XML_Char)) { + return NULL; + } + + const size_t allocsize = (dtd->scaffCount * sizeof(XML_Content) + + (dtd->contentStringLen * sizeof(XML_Char))); ret = (XML_Content *)MALLOC(allocsize); if (!ret) diff --git a/security/nss/lib/pki/trustdomain.c b/security/nss/lib/pki/trustdomain.c index 151b88875..c8f9f1d5b 100644 --- a/security/nss/lib/pki/trustdomain.c +++ b/security/nss/lib/pki/trustdomain.c @@ -11,6 +11,7 @@ #endif /* PKIM_H */ #include "cert.h" +#include "dev3hack.h" #include "pki3hack.h" #include "pk11pub.h" #include "nssrwlk.h" @@ -61,11 +62,14 @@ static void token_destructor(void *t) { NSSToken *tok = (NSSToken *)t; - /* The token holds the first/last reference to the slot. - * When the token is actually destroyed (ref count == 0), - * the slot will also be destroyed. - */ - nssToken_Destroy(tok); + /* Remove the token list's reference to the token */ + (void)nssToken_Destroy(tok); + + /* Signal that the slot should not give out any more references to the + * token. The token might still have a positive refcount after this call. + * The token has a reference to the slot, so the slot will not be destroyed + * until after the token's refcount drops to 0. */ + PK11Slot_SetNSSToken(tok->pk11slot, NULL); } NSS_IMPLEMENT PRStatus @@ -127,7 +131,6 @@ nssTrustDomain_GetActiveSlots( return NULL; } nssList_GetArray(td->tokenList, (void **)tokens, count); - NSSRWLock_UnlockRead(td->tokensLock); count = 0; for (tp = tokens; *tp; tp++) { NSSSlot *slot = nssToken_GetSlot(*tp); @@ -137,6 +140,7 @@ nssTrustDomain_GetActiveSlots( nssSlot_Destroy(slot); } } + NSSRWLock_UnlockRead(td->tokensLock); nss_ZFreeIf(tokens); if (!count) { nss_ZFreeIf(slots); @@ -469,7 +473,7 @@ nssTrustDomain_FindCertificatesByNickname( numRemaining, &status); } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); if (status != PR_SUCCESS) { errors++; continue; @@ -618,7 +622,7 @@ nssTrustDomain_FindCertificatesBySubject( numRemaining, &status); } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); if (status != PR_SUCCESS) { errors++; continue; @@ -779,7 +783,7 @@ nssTrustDomain_FindCertificateByIssuerAndSerialNumber( tokenOnly, &status); } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); if (status != PR_SUCCESS) { continue; } @@ -1022,7 +1026,7 @@ NSSTrustDomain_TraverseCertificates( collector, collection); } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); } } @@ -1076,7 +1080,7 @@ nssTrustDomain_FindTrustForCertificate( nssCryptokiObject_Destroy(to); } } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); } } if (pkio) { @@ -1126,7 +1130,7 @@ nssTrustDomain_FindCRLsBySubject( instances = nssToken_FindCRLsBySubject(token, session, subject, tokenOnly, 0, &status); } - nssToken_Destroy(token); + (void)nssToken_Destroy(token); if (status == PR_SUCCESS) { /* add the found CRL's to the collection */ status = nssPKIObjectCollection_AddInstances(collection, diff --git a/widget/cocoa/nsDragService.mm b/widget/cocoa/nsDragService.mm index 6185809c4..b1f9cee45 100644 --- a/widget/cocoa/nsDragService.mm +++ b/widget/cocoa/nsDragService.mm @@ -43,7 +43,7 @@ extern bool gUserCancelledDrag; // This global makes the transferable array available to Cocoa's promised // file destination callback. -nsISupportsArray *gDraggedTransferables = nullptr; +mozilla::StaticRefPtr gDraggedTransferables; NSString* const kWildcardPboardType = @"MozillaWildcard"; NSString* const kCorePboardType_url = @"CorePasteboardFlavorType 0x75726C20"; // 'url ' url