From 71cf5b95ad31e71e7a6155e61029161fc9221a3a Mon Sep 17 00:00:00 2001 From: Cameron Kaiser Date: Wed, 16 Oct 2019 22:25:44 -0700 Subject: [PATCH] #574: M1581950 M1584216 M1577107 M1584907 M1558522 --- dom/indexedDB/IDBDatabase.cpp | 2 ++ dom/indexedDB/IDBObjectStore.cpp | 23 ++++++++++++++++--- .../third_party/nICEr/src/ice/ice_component.c | 7 +++++- parser/expat/lib/xmlparse.c | 20 ++++++++++------ parser/html/nsHtml5Tokenizer.cpp | 15 ++---------- 5 files changed, 43 insertions(+), 24 deletions(-) diff --git a/dom/indexedDB/IDBDatabase.cpp b/dom/indexedDB/IDBDatabase.cpp index 0d501ac9a..6536c3cb2 100644 --- a/dom/indexedDB/IDBDatabase.cpp +++ b/dom/indexedDB/IDBDatabase.cpp @@ -1312,6 +1312,8 @@ IDBDatabase::LastRelease() CloseInternal(); + ExpireFileActors(/* aExpireAll */ true); + if (mBackgroundActor) { mBackgroundActor->SendDeleteMeInternal(); MOZ_ASSERT(!mBackgroundActor, "SendDeleteMeInternal should have cleared!"); diff --git a/dom/indexedDB/IDBObjectStore.cpp b/dom/indexedDB/IDBObjectStore.cpp index aff35903e..351bac876 100644 --- a/dom/indexedDB/IDBObjectStore.cpp +++ b/dom/indexedDB/IDBObjectStore.cpp @@ -1002,7 +1002,7 @@ IDBObjectStore::AppendIndexUpdateInfo( } bool isArray; - if (!JS_IsArrayObject(aCx, val, &isArray)) { + if (NS_WARN_IF(!JS_IsArrayObject(aCx, val, &isArray))) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR; } 
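Review bot: The new `ExpireFileActors(/* aExpireAll */ true)` call is placed between `CloseInternal()` and `mBackgroundActor->SendDeleteMeInternal()` with no comment on why it has to run before the background actor is deleted. Presumably the file actors hold state that must not outlive that actor; a comment such as `// Expire every file actor before the background actor is deleted; they must not outlive it.` would stop a later reorder from silently reintroducing the problem. `IDBDatabase::LastRelease` begins and ends outside the hunk.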
@@ -1015,8 +1015,25 @@ IDBObjectStore::AppendIndexUpdateInfo( } for (uint32_t arrayIndex = 0; arrayIndex < arrayLength; arrayIndex++) { - JS::Rooted arrayItem(aCx); - if (NS_WARN_IF(!JS_GetElement(aCx, array, arrayIndex, &arrayItem))) { + JS::RootedId indexId(aCx); + if (NS_WARN_IF(!JS_IndexToId(aCx, arrayIndex, &indexId))) { + IDB_REPORT_INTERNAL_ERR(); + return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR; + } + + bool hasOwnProperty; + if (NS_WARN_IF( + !JS_HasOwnPropertyById(aCx, array, indexId, &hasOwnProperty))) { + IDB_REPORT_INTERNAL_ERR(); + return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR; + } + + if (!hasOwnProperty) { + continue; + } + + JS::RootedValue arrayItem(aCx); + if (NS_WARN_IF(!JS_GetPropertyById(aCx, array, indexId, &arrayItem))) { IDB_REPORT_INTERNAL_ERR(); return NS_ERROR_DOM_INDEXEDDB_UNKNOWN_ERR; } diff --git a/media/mtransport/third_party/nICEr/src/ice/ice_component.c b/media/mtransport/third_party/nICEr/src/ice/ice_component.c index c4d639438..0b665320b 100644 --- a/media/mtransport/third_party/nICEr/src/ice/ice_component.c +++ b/media/mtransport/third_party/nICEr/src/ice/ice_component.c @@ -875,7 +875,6 @@ static int nr_ice_component_process_incoming_check(nr_ice_component *comp, nr_tr nr_ice_candidate_pair_set_state(pair->pctx,pair,NR_ICE_PAIR_STATE_FROZEN); if(r=nr_ice_component_insert_pair(comp,pair)) { *error=(r==R_NO_MEMORY)?500:400; - nr_ice_candidate_pair_destroy(&pair); ABORT(r); } @@ -1335,6 +1334,7 @@ int nr_ice_component_finalize(nr_ice_component *lcomp, nr_ice_component *rcomp) int nr_ice_component_insert_pair(nr_ice_component *pcomp, nr_ice_cand_pair *pair) { int r,_status; + int pair_inserted=0; /* Pairs for peer reflexive are marked SUCCEEDED immediately */ if (pair->state != NR_ICE_PAIR_STATE_FROZEN && 
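Review bot: The own-property probe that replaces the direct element read in the array loop has no comment explaining the change, and the reason is not visible from the code alone. An index the array does not own would otherwise be resolved through the prototype chain, where script-defined accessors can run in the middle of index-key extraction, and the `continue` also means such holes are now skipped instead of contributing `undefined`; a comment above `JS::RootedId indexId(aCx);` such as `// Only read elements the array itself owns: a missing index would fall through to the prototype chain and could run script there, so holes are skipped.` would record both facts. `JS_GetPropertyById` on an own accessor property can still run script, so the loop cannot assume `array` is untouched between iterations; the cached `arrayLength` bound plus the per-index own-property check presumably keep that safe, but it is worth confirming. `IDBObjectStore::AppendIndexUpdateInfo` begins and ends outside the hunk.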
@@ -1346,6 +1346,8 @@ int nr_ice_component_insert_pair(nr_ice_component *pcomp, nr_ice_cand_pair *pair if(r=nr_ice_candidate_pair_insert(&pair->remote->stream->check_list,pair)) ABORT(r); + pair_inserted=1; + /* Make sure the check timer is running, if the stream was previously * started. We will not start streams just because a pair was created, * unless it is the first pair to be created across all streams. */ @@ -1362,6 +1364,9 @@ int nr_ice_component_insert_pair(nr_ice_component *pcomp, nr_ice_cand_pair *pair _status=0; abort: + if (_status && !pair_inserted) { + nr_ice_candidate_pair_destroy(&pair); + } return(_status); } diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c index aa8b75d4b..3f835f85d 100644 --- a/parser/expat/lib/xmlparse.c +++ b/parser/expat/lib/xmlparse.c @@ -333,7 +333,7 @@ initializeEncoding(XML_Parser parser); static enum XML_Error doProlog(XML_Parser parser, const ENCODING *enc, const char *s, const char *end, int tok, const char *next, const char **nextPtr, - XML_Bool haveMore); + XML_Bool haveMore, XML_Bool allowClosingDoctype); static enum XML_Error processInternalEntity(XML_Parser parser, ENTITY *entity, XML_Bool betweenDecl); @@ -3729,7 +3729,7 @@ externalParEntProcessor(XML_Parser parser, processor = prologProcessor; return doProlog(parser, encoding, s, end, tok, next, - nextPtr, (XML_Bool)!ps_finalBuffer); + nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE); } static enum XML_Error PTRCALL @@ -3779,7 +3779,7 @@ prologProcessor(XML_Parser parser, const char *next = s; int tok = XmlPrologTok(encoding, s, end, &next); return doProlog(parser, encoding, s, end, tok, next, - nextPtr, (XML_Bool)!ps_finalBuffer); + nextPtr, (XML_Bool)!ps_finalBuffer, XML_TRUE); } static enum XML_Error 
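Review bot: `nr_ice_component_insert_pair` now frees `pair` itself when it fails before the check-list insertion (the new `abort:` block in hunk @@ -1362), which changes the ownership contract for every caller, yet the only caller adjusted is `nr_ice_component_process_incoming_check` in hunk @@ -875; any other caller that still destroys the pair on a non-zero return would double-free, so confirm none remain or fix them the same way. `nr_ice_candidate_pair_destroy(&pair)` only nulls the callee's copy of the pointer, so a caller's `pair` is left dangling after a failure; the contract should be stated above the function, e.g. `/* On failure the pair is destroyed unless it was already inserted into the check list; callers must not use it after a non-zero return. */`. Once `pair_inserted` is set (hunk @@ -1346) a failing pair is deliberately left in `check_list`, presumably to be freed with the list, and a short comment on `pair_inserted=1;` saying so would make that hand-off explicit. `nr_ice_component_insert_pair` begins in hunk @@ -1335, outside these two.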
@@ -3790,7 +3790,8 @@ doProlog(XML_Parser parser, int tok, const char *next, const char **nextPtr, - XML_Bool haveMore) + XML_Bool haveMore, + XML_Bool allowClosingDoctype) { #ifdef XML_DTD static const XML_Char externalSubsetName[] = { '#' , '\0' }; @@ -3956,6 +3957,11 @@ doProlog(XML_Parser parser, } break; case XML_ROLE_DOCTYPE_CLOSE: + if (allowClosingDoctype != XML_TRUE) { + /* Must not close doctype from within expanded parameter entities */ + return XML_ERROR_INVALID_TOKEN; + } + if (doctypeName) { startDoctypeDeclHandler(handlerArg, doctypeName, doctypeSysid, doctypePubid, 0); @@ -4861,7 +4867,7 @@ processInternalEntity(XML_Parser parser, ENTITY *entity, if (entity->is_param) { int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next); result = doProlog(parser, internalEncoding, textStart, textEnd, tok, - next, &next, XML_FALSE); + next, &next, XML_FALSE, XML_FALSE); } else #endif /* XML_DTD */ @@ -4906,7 +4912,7 @@ internalEntityProcessor(XML_Parser parser, if (entity->is_param) { int tok = XmlPrologTok(internalEncoding, textStart, textEnd, &next); result = doProlog(parser, internalEncoding, textStart, textEnd, tok, - next, &next, XML_FALSE); + next, &next, XML_FALSE, XML_TRUE); } else #endif /* XML_DTD */ @@ -4933,7 +4939,7 @@ internalEntityProcessor(XML_Parser parser, processor = prologProcessor; tok = XmlPrologTok(encoding, s, end, &next); return doProlog(parser, encoding, s, end, tok, next, nextPtr, - (XML_Bool)!ps_finalBuffer); + (XML_Bool)!ps_finalBuffer, XML_TRUE); } else #endif /* XML_DTD */ diff --git a/parser/html/nsHtml5Tokenizer.cpp b/parser/html/nsHtml5Tokenizer.cpp index aa48cd2b6..2f1033b87 100644 --- a/parser/html/nsHtml5Tokenizer.cpp +++ b/parser/html/nsHtml5Tokenizer.cpp 
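Review bot: The resumed parameter-entity branch in `internalEntityProcessor` (hunk @@ -4906) passes `XML_TRUE` for the new `allowClosingDoctype` argument, while the equivalent branch in `processInternalEntity` (hunk @@ -4861) passes `XML_FALSE`; both tokenize the same internal entity text with `XmlPrologTok(internalEncoding, textStart, textEnd, &next)`, so a doctype close that the first pass rejects in `XML_ROLE_DOCTYPE_CLOSE` appears to be accepted again if parsing resumes inside that entity. If that asymmetry is not deliberate, the call should read `next, &next, XML_FALSE, XML_FALSE);`, matching `processInternalEntity`; if it is deliberate, a comment saying why belongs next to it. The meaning of the parameter is currently documented only by the inline comment at the `XML_ROLE_DOCTYPE_CLOSE` check; a line on the forward declaration in hunk @@ -333, e.g. `/* allowClosingDoctype: XML_FALSE while doProlog runs on expanded parameter-entity text */`, would make the contract visible at every call site. `doProlog`, `processInternalEntity` and `internalEntityProcessor` all begin and end outside these hunks.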
@@ -1027,9 +1027,6 @@ nsHtml5Tokenizer::stateLoop(int32_t state, char16_t c, int32_t pos, char16_t* bu } c = checkChar(buf, pos); switch(c) { - case '\0': { - NS_HTML5_BREAK(stateloop); - } case '-': { clearStrBuf(); state = P::transition(mViewSource, NS_HTML5TOKENIZER_COMMENT_START, reconsume, pos); @@ -1432,9 +1429,6 @@ nsHtml5Tokenizer::stateLoop(int32_t state, char16_t c, int32_t pos, char16_t* bu NS_HTML5_BREAK(stateloop); } c = checkChar(buf, pos); - if (c == '\0') { - NS_HTML5_BREAK(stateloop); - } switch(c) { case ' ': case '\t': @@ -1442,7 +1436,8 @@ nsHtml5Tokenizer::stateLoop(int32_t state, char16_t c, int32_t pos, char16_t* bu case '\r': case '\f': case '<': - case '&': { + case '&': + case '\0': { emitOrAppendCharRefBuf(returnState); if (!(returnState & NS_HTML5TOKENIZER_DATA_AND_RCDATA_MASK)) { cstart = pos; @@ -1490,9 +1485,6 @@ nsHtml5Tokenizer::stateLoop(int32_t state, char16_t c, int32_t pos, char16_t* bu NS_HTML5_BREAK(stateloop); } c = checkChar(buf, pos); - if (c == '\0') { - NS_HTML5_BREAK(stateloop); - } int32_t hilo = 0; if (c <= 'z') { const int32_t* row = nsHtml5NamedCharactersAccel::HILO_ACCEL[c]; @@ -1527,9 +1519,6 @@ nsHtml5Tokenizer::stateLoop(int32_t state, char16_t c, int32_t pos, char16_t* bu NS_HTML5_BREAK(stateloop); } c = checkChar(buf, pos); - if (c == '\0') { - NS_HTML5_BREAK(stateloop); - } entCol++; for (; ; ) { if (hi < lo) {
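Review bot: With the `c == '\0'` guard removed ahead of `nsHtml5NamedCharactersAccel::HILO_ACCEL[c]` in hunk @@ -1490, a NUL character now indexes the table at 0, so the table needs a valid entry there and the code after the hunk must cope with whatever that entry is (presumably a null row); this looks intended, since hunk @@ -1442 now routes NUL through the ordinary `case '&'` path, but it should be checked against the table definition. The four removals are consistent with one another, but nothing in the hunks or the commit subject explains why NUL no longer suspends the state loop; a one-line note at the `case '\0':` label in hunk @@ -1442, e.g. `// NUL is handled like any other non-name character here; it no longer ends the state loop.`, would help the next reader. If this file is still generated from the Java tokenizer as in the upstream parser, the same edit is needed in the Java source or a regeneration will reinstate the removed breaks. `nsHtml5Tokenizer::stateLoop` begins and ends outside all of these hunks.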