From fb91afbb46fe6e17c0c33ec52e9455185b264d53 Mon Sep 17 00:00:00 2001
From: Cameron Kaiser
Date: Sun, 16 Apr 2023 16:18:01 -0700
Subject: [PATCH] #651: M1761233 M1687303 M1633019 M1797336 M1799748 M1801102
---
 dom/base/nsHTMLContentSerializer.cpp | 4 ++--
 gfx/cairo/libpixman/src/pixman-trap.c | 2 +-
 gfx/ots/src/vdmx.cc | 30 +++++++++++++++++++++------
 layout/base/nsPresShell.cpp | 6 +++++-
 modules/libjar/nsZipArchive.cpp | 10 +++++++++
 parser/expat/lib/xmlparse.c | 8 +++++++
 6 files changed, 50 insertions(+), 10 deletions(-)
diff --git a/dom/base/nsHTMLContentSerializer.cpp b/dom/base/nsHTMLContentSerializer.cpp
index ef31e6d4a..e12d7440a 100644
--- a/dom/base/nsHTMLContentSerializer.cpp
+++ b/dom/base/nsHTMLContentSerializer.cpp
@@ -281,7 +281,7 @@ nsHTMLContentSerializer::AppendElementStart(Element* aElement,
 if (ns == kNameSpaceID_XHTML &&
 (name == nsGkAtoms::script ||
 name == nsGkAtoms::style ||
- name == nsGkAtoms::noscript ||
+ (name == nsGkAtoms::noscript && aElement->OwnerDoc()->IsScriptEnabled()) ||
 name == nsGkAtoms::noframes)) {
 ++mDisableEntityEncoding;
 }
@@ -310,7 +310,7 @@ nsHTMLContentSerializer::AppendElementEnd(Element* aElement,
 if (ns == kNameSpaceID_XHTML &&
 (name == nsGkAtoms::script ||
 name == nsGkAtoms::style ||
- name == nsGkAtoms::noscript ||
+ (name == nsGkAtoms::noscript && aElement->OwnerDoc()->IsScriptEnabled()) ||
 name == nsGkAtoms::noframes)) {
 --mDisableEntityEncoding;
 }
diff --git a/gfx/cairo/libpixman/src/pixman-trap.c b/gfx/cairo/libpixman/src/pixman-trap.c
index 91766fdbf..7560405ee 100644
--- a/gfx/cairo/libpixman/src/pixman-trap.c
+++ b/gfx/cairo/libpixman/src/pixman-trap.c
@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y,
 
 if (f < Y_FRAC_FIRST (n))
 {
- if (pixman_fixed_to_int (i) == 0x8000)
+ if (pixman_fixed_to_int (i) == 0xffff8000)
 {
 f = 0; /* saturate */
 }
diff --git a/gfx/ots/src/vdmx.cc b/gfx/ots/src/vdmx.cc
index 54055777a..17433f889 100644
--- a/gfx/ots/src/vdmx.cc
+++ b/gfx/ots/src/vdmx.cc
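Review bot: The predicate that decides whether a `noscript` element suspends entity encoding is now written out twice, here in AppendElementStart and again in the @@ -310 hunk of AppendElementEnd, and `mDisableEntityEncoding` only stays balanced while both copies agree. A single helper consulted by both call sites would keep the increment and decrement symmetric, and its one definition is the place to record why the condition changed, e.g. `// noscript is raw text only while scripting is enabled; otherwise its content is ordinary markup and must be entity-encoded.` If `IsScriptEnabled()` could change between the start and end calls for the same element the counter would still drift, though a synchronous serialization presumably observes the same value at both points. Both enclosing methods extend beyond their hunks.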
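Review bot: The new sentinel `0xffff8000` is an unsigned literal compared against the result of `pixman_fixed_to_int (i)`, which as far as I recall is defined in pixman.h as a cast to `int`; the comparison then only matches through the implicit int-to-unsigned conversion and can draw a sign-compare warning. Writing it as the negative value it stands for, `if (pixman_fixed_to_int (i) == -0x8000)`, states the intent (saturate at the lowest representable row) without relying on that conversion. The old `0x8000` could never equal a negative result, which presumably is the defect this line fixes and deserves a short comment. pixman_sample_floor_y continues outside the hunk.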
@@ -4,18 +4,23 @@
 
 #include "vdmx.h"
 
+#include
+
 // VDMX - Vertical Device Metrics
 // http://www.microsoft.com/typography/otspec/vdmx.htm
 
 namespace ots {
+#define TABLE_NAME "VDMX"
+
 bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
 Buffer table(data, length);
+ ots::Font* font = this->GetFont();
 if (!table.ReadU16(&this->version) ||
 !table.ReadU16(&this->num_recs) ||
 !table.ReadU16(&this->num_ratios)) {
- return Error("Failed to read table header");
+ return Drop("Failed to read table header");
 }
 
 if (this->version > 1) {
@@ -30,7 +35,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
 !table.ReadU8(&rec.x_ratio) ||
 !table.ReadU8(&rec.y_start_ratio) ||
 !table.ReadU8(&rec.y_end_ratio)) {
- return Error("Failed to read RatioRange record %d", i);
+ return Drop("Failed to read RatioRange record %d", i);
 }
 
 if (rec.charset > 1) {
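Review bot: `ots::Font* font = this->GetFont();` is added to Parse but not referenced by any line of this commit's vdmx.cc hunks, so unless a use sits in the unchanged part of the function it is dead and will draw an unused-variable warning; drop it or declare it where it is consumed. Separately, the added `+#include` line carries no header name and the `std::set unique_offsets;` in the @@ -56 hunk carries no element type, which looks like angle-bracketed text lost in rendering (presumably `<set>` and `<uint16_t>`), so the applied patch rather than this listing should be checked. Parse continues outside the hunk.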
@@ -56,17 +61,28 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
 
 this->offsets.reserve(this->num_ratios);
 const size_t current_offset = table.offset();
+ std::set unique_offsets;
 // current_offset is less than (2 bytes * 3) + (4 bytes * USHRT_MAX) = 256k.
 for (unsigned i = 0; i < this->num_ratios; ++i) {
 uint16_t offset;
 if (!table.ReadU16(&offset)) {
- return Error("Failed to read ratio offset %d", i);
+ return Drop("Failed to read ratio offset %d", i);
 }
 if (current_offset + offset >= length) { // thus doesn't overflow.
- return Error("Bad ratio offset %d for ration %d", offset, i);
+ return Drop("Bad ratio offset %d for ration %d", offset, i);
 }
 this->offsets.push_back(offset);
+ unique_offsets.insert(offset);
+ }
+
+ // Check that num_recs is sufficient to provide as many VDMXGroup records
+ // as there are unique offsets; if not, update it (we'll return an error
+ // below if they're not actually present).
+ if (unique_offsets.size() > this->num_recs) {
+ OTS_WARNING("increasing num_recs (%u is too small for %u unique offsets)", this->num_recs, unique_offsets.size());
+ this->num_recs = unique_offsets.size();
 }
 
 this->groups.reserve(this->num_recs);
@@ -75,7 +91,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
 if (!table.ReadU16(&group.recs) ||
 !table.ReadU8(&group.startsz) ||
 !table.ReadU8(&group.endsz)) {
- return Error("Failed to read record header %d", i);
+ return Drop("Failed to read record header %d", i);
 }
 group.entries.reserve(group.recs);
 for (unsigned j = 0; j < group.recs; ++j) {
@@ -83,7 +99,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
 if (!table.ReadU16(&vt.y_pel_height) ||
 !table.ReadS16(&vt.y_max) ||
 !table.ReadS16(&vt.y_min)) {
- return Error("Failed to read reacord %d group %d", i, j);
+ return Drop("Failed to read record %d group %d", i, j);
 }
 if (vt.y_max < vt.y_min) {
 return Drop("bad y min/max");
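Review bot: The new `OTS_WARNING("increasing num_recs (%u is too small for %u unique offsets)", this->num_recs, unique_offsets.size())` passes a `size_t` for the second `%u`, a format/argument mismatch that is undefined wherever `size_t` is wider than `unsigned`, and the following `this->num_recs = unique_offsets.size();` narrows that `size_t` into the 16-bit field that `ReadU16(&this->num_recs)` filled. The value is bounded by `num_ratios`, also read with `ReadU16`, so it fits, but that should be visible in the code: `this->num_recs = static_cast<uint16_t>(unique_offsets.size());  // <= num_ratios, cannot truncate` and `static_cast<unsigned>(unique_offsets.size())` (or `%zu`) in the warning. Raising `num_recs` to cover every distinct offset presumably exists so that offsets can no longer refer to groups that are never parsed; the comment says only that the count is adjusted, and one sentence on that consequence would help whoever revisits this table. Parse continues outside the hunk.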
@@ -152,4 +168,6 @@ bool OpenTypeVDMX::Serialize(OTSStream *out) {
 return true;
 }
 
+#undef TABLE_NAME
+
 } // namespace ots
diff --git a/layout/base/nsPresShell.cpp b/layout/base/nsPresShell.cpp
index ee68dba20..d6202872a 100644
--- a/layout/base/nsPresShell.cpp
+++ b/layout/base/nsPresShell.cpp
@@ -6598,7 +6598,11 @@ PresShell::RecordMouseLocation(WidgetGUIEvent* aEvent)
 nsIFrame*
 GetNearestFrameContainingPresShell(nsIPresShell* aPresShell)
 {
- nsView* view = aPresShell->GetViewManager()->GetRootView();
+ nsViewManager* vm = aPresShell->GetViewManager();
+ if (!vm) {
+ return nullptr;
+ }
+ nsView* view = vm->GetRootView();
 while (view && !view->GetFrame()) {
 view = view->GetParent();
 }
diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp
index 568d0b68e..c491614bc 100644
--- a/modules/libjar/nsZipArchive.cpp
+++ b/modules/libjar/nsZipArchive.cpp
@@ -826,6 +826,11 @@ MOZ_WIN_MEM_TRY_BEGIN
 uint32_t offset = aItem->LocalOffset();
 if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
 return 0;
+ // Check there's enough space for the signature
+ if (offset > mFd->mLen) {
+ NS_WARNING("Corrupt local offset in JAR file");
+ return 0;
+ }
 
 // -- check signature before using the structure, in case the zip file is corrupt
 ZipLocal* Local = (ZipLocal*)(data + offset);
@@ -838,6 +843,11 @@ MOZ_WIN_MEM_TRY_BEGIN
 offset += ZIPLOCAL_SIZE +
 xtoint(Local->filename_len) +
 xtoint(Local->extrafield_len);
+ // Check data points inside the file.
+ if (offset > mFd->mLen) {
+ NS_WARNING("Corrupt local offset in JAR file");
+ return 0;
+ }
 
 return offset;
 MOZ_WIN_MEM_TRY_CATCH(return 0)
diff --git a/parser/expat/lib/xmlparse.c b/parser/expat/lib/xmlparse.c
index 0025c8c34..429b7c380 100644
--- a/parser/expat/lib/xmlparse.c
+++ b/parser/expat/lib/xmlparse.c
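Review bot: The first added check, `if (offset > mFd->mLen)`, appears unreachable: the line just above already rejects `offset > len - ZIPLOCAL_SIZE`, and if `len` is initialised from `mFd->mLen` (its definition is outside the hunk) that bound is strictly tighter; its comment, `// Check there's enough space for the signature`, also promises a signature-size check that a bare comparison with the file length does not make. The second hunk at @@ -838 is the one that matters, because `offset` has just grown by `xtoint(Local->filename_len) + xtoint(Local->extrafield_len)`, lengths read from the file; note that `>` still admits `offset == mFd->mLen`, which is only valid for a zero-length entry, so the comment should say what the caller must still verify: `// Data must start inside the file; the caller still bounds offset + size.` If the first check is kept, use the same comment wording at both sites and the same `return 0;` style as the line above it rather than one warning path and one silent one. The enclosing function, opened by MOZ_WIN_MEM_TRY_BEGIN, starts and ends outside the hunk.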
@@ -786,6 +786,14 @@ parserCreate(const XML_Char *encodingName,
 parserInit(parser, encodingName);
 
 if (encodingName && !protocolEncodingName) {
+ if (dtd) {
+ // We need to stop the upcoming call to XML_ParserFree from happily
+ // destroying parser->m_dtd because the DTD is shared with the parent
+ // parser and the only guard that keeps XML_ParserFree from destroying
+ // parser->m_dtd is parser->m_isParamEntity but it will be set to
+ // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+ parser->m_dtd = NULL;
+ }
 XML_ParserFree(parser);
 return NULL;
 }
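Review bot: Clearing `parser->m_dtd` before `XML_ParserFree(parser)` is only safe if XML_ParserFree tolerates a NULL `m_dtd`; that function is outside the hunk and the new comment explains the sharing but not that precondition, so add `// XML_ParserFree must tolerate a NULL m_dtd here.` next to the assignment. The `dtd` being tested is presumably a parameter of parserCreate, whose signature is cut off in the hunk header. The added lines use `//` comments; if the surrounding C file uses `/* */` blocks, matching that keeps the style uniform. parserCreate continues outside the hunk.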