#659: tuneups and edgecases

browser/locales/en-US/chrome/browser/aboutDialog.dtd

@@ -49,7 +49,7 @@
 <!ENTITY helpus.getInvolvedLink     "get involved!">
 <!ENTITY helpus.end                 "">
 
-<!ENTITY copyright.blurb            "Copyright © 2010-2022 Contributors to TenFourFox. All rights reserved.">
+<!ENTITY copyright.blurb            "Copyright © 2010-2023 Contributors to TenFourFox. All rights reserved.">
 
 <!-- LOCALIZATION NOTE (bottomLinks.license): This is a link title that links to about:license. -->
 <!ENTITY bottomLinks.license        "Licensing Information">

caps/nsScriptSecurityManager.cpp

@@ -699,6 +699,7 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
             ToLowerCase(hostname);
 #define BLOC(q) hostname.EqualsLiteral(q)
 #define BLOCU(q) url.EqualsLiteral(q)
+#define BLOCS(q) (StringBeginsWith(url, NS_LITERAL_CSTRING(q)))
 #define BLOCE(q) (StringEndsWith(url, NS_LITERAL_CSTRING(q)))
 
             if (0 ||
@@ -711,10 +712,12 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal,
                       BLOCE("/public/scripts/tldr/index.js")
                     ) ||
 #endif // __ppc__
+                    BLOCS("https://developer.mozilla.org/static/js/main.") ||
 
                     0) {
 #undef BLOC
 #undef BLOCU
+#undef BLOCS
 #undef BLOCE
 
 #ifndef DEBUG

dom/base/nsHTMLContentSerializer.cpp

@@ -281,7 +281,7 @@ nsHTMLContentSerializer::AppendElementStart(Element* aElement,
   if (ns == kNameSpaceID_XHTML &&
       (name == nsGkAtoms::script ||
        name == nsGkAtoms::style ||
-       name == nsGkAtoms::noscript ||
+       (name == nsGkAtoms::noscript && aElement->OwnerDoc()->IsScriptEnabled()) ||
        name == nsGkAtoms::noframes)) {
     ++mDisableEntityEncoding;
   }
@@ -310,7 +310,7 @@ nsHTMLContentSerializer::AppendElementEnd(Element* aElement,
   if (ns == kNameSpaceID_XHTML &&
       (name == nsGkAtoms::script ||
        name == nsGkAtoms::style ||
-       name == nsGkAtoms::noscript ||
+       (name == nsGkAtoms::noscript && aElement->OwnerDoc()->IsScriptEnabled()) ||
        name == nsGkAtoms::noframes)) {
     --mDisableEntityEncoding;
   }

gfx/cairo/libpixman/src/pixman-trap.c

@@ -74,7 +74,7 @@ pixman_sample_floor_y (pixman_fixed_t y,
 
     if (f < Y_FRAC_FIRST (n))
     {
-	if (pixman_fixed_to_int (i) == 0x8000)
+	if (pixman_fixed_to_int (i) == 0xffff8000)
 	{
 	    f = 0; /* saturate */
 	}

gfx/ots/src/vdmx.cc

@@ -4,18 +4,23 @@
 
 #include "vdmx.h"
 
+#include <set>
+
 // VDMX - Vertical Device Metrics
 // http://www.microsoft.com/typography/otspec/vdmx.htm
 
 namespace ots {
 
+#define TABLE_NAME "VDMX"
+
 bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
   Buffer table(data, length);
+  ots::Font* font = this->GetFont();
 
   if (!table.ReadU16(&this->version) ||
       !table.ReadU16(&this->num_recs) ||
       !table.ReadU16(&this->num_ratios)) {
-    return Error("Failed to read table header");
+    return Drop("Failed to read table header");
   }
 
   if (this->version > 1) {
@@ -30,7 +35,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
         !table.ReadU8(&rec.x_ratio) ||
         !table.ReadU8(&rec.y_start_ratio) ||
         !table.ReadU8(&rec.y_end_ratio)) {
-      return Error("Failed to read RatioRange record %d", i);
+      return Drop("Failed to read RatioRange record %d", i);
     }
 
     if (rec.charset > 1) {
@@ -56,17 +61,28 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
 
   this->offsets.reserve(this->num_ratios);
   const size_t current_offset = table.offset();
+  std::set<uint16_t> unique_offsets;
   // current_offset is less than (2 bytes * 3) + (4 bytes * USHRT_MAX) = 256k.
   for (unsigned i = 0; i < this->num_ratios; ++i) {
     uint16_t offset;
     if (!table.ReadU16(&offset)) {
-      return Error("Failed to read ratio offset %d", i);
+      return Drop("Failed to read ratio offset %d", i);
     }
     if (current_offset + offset >= length) {  // thus doesn't overflow.
-      return Error("Bad ratio offset %d for ration %d", offset, i);
+      return Drop("Bad ratio offset %d for ration %d", offset, i);
     }
 
     this->offsets.push_back(offset);
+    unique_offsets.insert(offset);
+  }
+
+  // Check that num_recs is sufficient to provide as many VDMXGroup records
+  // as there are unique offsets; if not, update it (we'll return an error
+  // below if they're not actually present).
+  if (unique_offsets.size() > this->num_recs) {
+    OTS_WARNING("increasing num_recs (%u is too small for %u unique offsets)",
+                this->num_recs, unique_offsets.size());
+    this->num_recs = unique_offsets.size();
   }
 
   this->groups.reserve(this->num_recs);
@@ -75,7 +91,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
     if (!table.ReadU16(&group.recs) ||
         !table.ReadU8(&group.startsz) ||
         !table.ReadU8(&group.endsz)) {
-      return Error("Failed to read record header %d", i);
+      return Drop("Failed to read record header %d", i);
     }
     group.entries.reserve(group.recs);
     for (unsigned j = 0; j < group.recs; ++j) {
@@ -83,7 +99,7 @@ bool OpenTypeVDMX::Parse(const uint8_t *data, size_t length) {
       if (!table.ReadU16(&vt.y_pel_height) ||
           !table.ReadS16(&vt.y_max) ||
           !table.ReadS16(&vt.y_min)) {
-        return Error("Failed to read reacord %d group %d", i, j);
+        return Drop("Failed to read record %d group %d", i, j);
       }
       if (vt.y_max < vt.y_min) {
         return Drop("bad y min/max");
@@ -152,4 +168,6 @@ bool OpenTypeVDMX::Serialize(OTSStream *out) {
   return true;
 }
 
+#undef TABLE_NAME
+
 }  // namespace ots

layout/base/nsLayoutUtils.cpp

@@ -174,6 +174,9 @@ static ContentMap& GetContentMap() {
 // When the pref "layout.css.grid.enabled" changes, this function is invoked
 // to let us update kDisplayKTable, to selectively disable or restore the
 // entries for "grid" and "inline-grid" in that table.
+//
+// NB: as of TenFourFox issue 659, a whitelist entry per host is also required
+// to enable (but turning it off turns it off globally).
 static void
 GridEnabledPrefChangeCallback(const char* aPrefName, void* aClosure)
 {

layout/base/nsPresShell.cpp

@@ -6598,7 +6598,11 @@ PresShell::RecordMouseLocation(WidgetGUIEvent* aEvent)
 
 nsIFrame* GetNearestFrameContainingPresShell(nsIPresShell* aPresShell)
 {
-  nsView* view = aPresShell->GetViewManager()->GetRootView();
+  nsViewManager* vm = aPresShell->GetViewManager();
+  if (!vm) {
+    return nullptr;
+  }
+  nsView* view = vm->GetRootView();
   while (view && !view->GetFrame()) {
     view = view->GetParent();
   }

layout/style/nsCSSParser.cpp

@@ -1439,6 +1439,10 @@ protected:
   // Value to make sure our resolved variable results stay within sane limits.
   const uint32_t MAX_CSS_VAR_LENGTH = 10240;
 
+  // TenFourFox issue 659
+  // If this host is whitelisted, turn on CSS grid and inline grid.
+  bool mHostCSSGridOK : 1;
+
 public:
   // Used from nsCSSParser constructors and destructors
   CSSParserImpl* mNextFree;
@@ -1587,6 +1591,32 @@ CSSParserImpl::InitScanner(nsCSSScanner& aScanner,
   mSheetURI = aSheetURI;
   mSheetPrincipal = aSheetPrincipal;
   mHavePushBack = false;
+
+  // TenFourFox issue 659
+  mHostCSSGridOK = false;
+  if (MOZ_LIKELY(mBaseURI)) {
+    nsCString host;
+    bool isChrome;
+
+    // Never turn on grid for browser chrome.
+    nsresult rv = mBaseURI->SchemeIs("chrome", &isChrome);
+    if (NS_SUCCEEDED(rv) && !isChrome) {
+      // Get host and check pref.
+      rv = mBaseURI->GetHost(host);
+      if (NS_SUCCEEDED(rv) && !host.IsEmpty()) {
+        nsCString pref;
+
+        pref.AssignLiteral("layout.css.grid.host.");
+        pref.SetCapacity(pref.Length() + host.Length());
+        pref += host;
+        mHostCSSGridOK = Preferences::GetBool(pref.get(), false);
+#if DEBUG
+        if (mHostCSSGridOK)
+          fprintf(stderr, "CSS grid enabled for %s\n", pref.get());
+#endif
+      }
+    }
+  }
 }
 
 void
@@ -7586,6 +7616,14 @@ CSSParserImpl::ParseVariant(nsCSSValue& aValue,
       }
       if ((aVariantMask & VARIANT_KEYWORD) != 0) {
         int32_t value;
+
+        // TenFourFox issue 659
+        if (MOZ_UNLIKELY(!mHostCSSGridOK &&
+             aKeywordTable == nsCSSProps::kDisplayKTable &&
+             (keyword == eCSSKeyword_grid ||
+              keyword == eCSSKeyword_inline_grid))) {
+          // pretend the keyword wasn't found
+        } else
         if (nsCSSProps::FindKeyword(keyword, aKeywordTable, value)) {
           aValue.SetIntValue(value, eCSSUnit_Enumerated);
           return CSSParseResult::Ok;

modules/libjar/nsZipArchive.cpp

@@ -826,6 +826,11 @@ MOZ_WIN_MEM_TRY_BEGIN
   uint32_t offset = aItem->LocalOffset();
   if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE)
     return 0;
+  // Check there's enough space for the signature
+  if (offset > mFd->mLen) {
+    NS_WARNING("Corrupt local offset in JAR file");
+    return 0;
+  }
 
   // -- check signature before using the structure, in case the zip file is corrupt
   ZipLocal* Local = (ZipLocal*)(data + offset);
@@ -838,6 +843,11 @@ MOZ_WIN_MEM_TRY_BEGIN
   offset += ZIPLOCAL_SIZE +
             xtoint(Local->filename_len) +
             xtoint(Local->extrafield_len);
+  // Check data points inside the file.
+  if (offset > mFd->mLen) {
+    NS_WARNING("Corrupt local offset in JAR file");
+    return 0;
+  }
 
   return offset;
 MOZ_WIN_MEM_TRY_CATCH(return 0)

modules/libpref/init/all.js

@@ -2395,11 +2395,10 @@ pref("layout.css.variables.enabled", true);
 pref("layout.css.overflow-clip-box.enabled", false);
 
 // Is support for CSS grid enabled?
-#ifdef RELEASE_BUILD
-pref("layout.css.grid.enabled", false);
-#else
+// TenFourFox issue 659 makes this into a per-host whitelist.
 pref("layout.css.grid.enabled", true);
-#endif
+// Whitelist by default:
+pref("layout.css.grid.host.developer.mozilla.org", true);
 
 // Is support for CSS "grid-template-{columns,rows}: subgrid X" enabled?
 pref("layout.css.grid-template-subgrid-value.enabled", false);

netwerk/cookie/nsCookieService.cpp

@@ -3224,11 +3224,13 @@ nsCookieService::SetCookieInternal(nsIURI                        *aHostURI,
   // 3 = secure and "https:"
   bool isHTTPS;
   nsresult rv = aHostURI->SchemeIs("https", &isHTTPS);
+/*
   if (NS_SUCCEEDED(rv)) {
     Telemetry::Accumulate(Telemetry::COOKIE_SCHEME_SECURITY,
                           ((cookieAttributes.isSecure)? 0x02 : 0x00) |
                           ((isHTTPS)? 0x01 : 0x00));
   }
+*/
 
   int64_t currentTimeInUsec = PR_Now();
 
@@ -3285,6 +3287,15 @@ nsCookieService::SetCookieInternal(nsIURI                        *aHostURI,
     return newCookie;
   }
 
+  if (!CheckHiddenPrefix(cookieAttributes)) {
+    COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "failed the CheckHiddenPrefix tests");
+    return newCookie;
+  }
+  if (!CheckPrefixes(cookieAttributes, isHTTPS)) {
+    COOKIE_LOGFAILURE(SET_COOKIE, aHostURI, savedCookieHeader, "failed the prefix tests");
+    return newCookie;
+  }
+
   // create a new nsCookie and copy attributes
   RefPtr<nsCookie> cookie =
     nsCookie::Create(cookieAttributes.name,
@@ -4108,6 +4119,56 @@ nsCookieService::CheckPath(nsCookieAttributes &aCookieAttributes,
   return true;
 }
 
+bool
+nsCookieService::CheckPrefixes(nsCookieAttributes &aCookieAttributes,
+                               bool                aSecureRequest)
+{
+  if (aCookieAttributes.name.IsEmpty() || aCookieAttributes.name.Length() == 0)
+    return true;
+
+  bool isSecure = StringBeginsWith(aCookieAttributes.name, NS_LITERAL_CSTRING("__Secure-"));
+  bool isHost = StringBeginsWith(aCookieAttributes.name, NS_LITERAL_CSTRING("__Host-"));
+
+  if (!isSecure && !isHost) {
+    // not one of the magic prefixes: carry on
+    return true;
+  }
+
+  if (!aSecureRequest || !aCookieAttributes.isSecure) {
+    // the magic prefixes may only be used from a secure request and
+    // the secure attribute must be set on the cookie
+    return false;
+  }
+
+  if (isHost) {
+    // The host prefix requires that the path is "/" and that the cookie
+    // had no domain attribute. CheckDomain() and CheckPath() MUST be run
+    // first to make sure invalid attributes are rejected and to regularlize
+    // them. In particular all explicit domain attributes result in a host
+    // that starts with a dot, and if the host doesn't start with a dot it
+    // correctly matches the true host.
+    if (aCookieAttributes.host[0] == '.' ||
+        !aCookieAttributes.path.EqualsLiteral("/")) {
+      return false;
+    }
+  }
+
+  return true;
+}
+
+bool
+nsCookieService::CheckHiddenPrefix(nsCookieAttributes &aCookieAttributes)
+{
+  if (aCookieAttributes.name.IsEmpty() || aCookieAttributes.name.Length() == 0)
+    return true;
+  if (StringBeginsWith(aCookieAttributes.value, NS_LITERAL_CSTRING("__Host-")))
+    return false;
+  if (StringBeginsWith(aCookieAttributes.value, NS_LITERAL_CSTRING("__Secure-")))
+    return false;
+
+  return true;
+}
+
 bool
 nsCookieService::GetExpiry(nsCookieAttributes &aCookieAttributes,
                            int64_t             aServerTime,

netwerk/cookie/nsCookieService.h

@@ -309,6 +309,8 @@ class nsCookieService final : public nsICookieService
     CookieStatus                  CheckPrefs(nsIURI *aHostURI, bool aIsForeign, bool aRequireHostMatch, const char *aCookieHeader);
     bool                          CheckDomain(nsCookieAttributes &aCookie, nsIURI *aHostURI, const nsCString &aBaseDomain, bool aRequireHostMatch);
     static bool                   CheckPath(nsCookieAttributes &aCookie, nsIURI *aHostURI);
+    bool                          CheckPrefixes(nsCookieAttributes &aCookie, bool aSecureRequest);
+    bool                          CheckHiddenPrefix(nsCookieAttributes &aCookie);
     static bool                   GetExpiry(nsCookieAttributes &aCookie, int64_t aServerTime, int64_t aCurrentTime);
     void                          RemoveAllFromMemory();
     already_AddRefed<nsIArray>    PurgeCookies(int64_t aCurrentTimeInUsec);

parser/expat/lib/xmlparse.c

@@ -786,6 +786,14 @@ parserCreate(const XML_Char *encodingName,
   parserInit(parser, encodingName);
 
   if (encodingName && !protocolEncodingName) {
+    if (dtd) {
+      // We need to stop the upcoming call to XML_ParserFree from happily
+      // destroying parser->m_dtd because the DTD is shared with the parent
+      // parser and the only guard that keeps XML_ParserFree from destroying
+      // parser->m_dtd is parser->m_isParamEntity but it will be set to
+      // XML_TRUE only later in XML_ExternalEntityParserCreate (or not at all).
+      parser->m_dtd = NULL;
+    }
     XML_ParserFree(parser);
     return NULL;
   }

xpcom/io/nsLocalFileUnix.cpp

@@ -1572,13 +1572,22 @@ nsLocalFile::IsExecutable(bool* aResult)
 
     // Search for any of the set of executable extensions.
     static const char* const executableExts[] = {
+#ifdef MOZ_WIDGET_COCOA
+      "afploc", // Can point to other files.
+#endif
       "air",  // Adobe AIR installer
 #ifdef MOZ_WIDGET_COCOA
-      "inetloc",  // https://ssd-disclosure.com/ssd-advisory-macos-finder-rce/
+      "atloc",    // Can point to other files.
       "fileloc",  // File location files can be used to point to other files.
-      "webloc",   // same URL
+      "ftploc",   // Can point to other files.
+      "inetloc",  // https://ssd-disclosure.com/ssd-advisory-macos-finder-rce/
+                  // Shouldn't be able to do the same, but can, due to
+                  // macOS vulnerabilities.
 #endif
       "jar"   // java application bundle
+#ifdef MOZ_WIDGET_COCOA
+      ,"webloc"   // same URL
+#endif
     };
     nsDependentSubstring ext = Substring(path, dotIdx + 1);
     for (size_t i = 0; i < ArrayLength(executableExts); i++) {
@@ -1781,11 +1790,14 @@ nsLocalFile::GetNativeTarget(nsACString& aResult)
     return NS_ERROR_OUT_OF_MEMORY;
   }
 
-  if (readlink(mPath.get(), target, (size_t)size) < 0) {
+  ssize_t written = readlink(mPath.get(), target, (size_t)size);
+  if (written < 0) {
     free(target);
     return NSRESULT_FOR_ERRNO();
   }
-  target[size] = '\0';
+  // Target might have changed since the lstat call, or lstat might lie, see bug
+  // 1791029.
+  target[written] = '\0';
 
   nsresult rv = NS_OK;
   nsCOMPtr<nsIFile> self(this);