diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2016-05-25 21:21:42 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2016-05-25 21:22:54 +0000 |
commit | d4346ba273a38e0de47a4a858a281a5dc4f692f0 (patch) | |
tree | 8e5c719a95d1235689199c351274f7fc7b78140a /testing/firefox/fix-stack-overflow.patch | |
parent | 3d491c7d11c2856c46f397a1004c7ba47676c4d1 (diff) | |
download | aports-d4346ba273a38e0de47a4a858a281a5dc4f692f0.tar.bz2 aports-d4346ba273a38e0de47a4a858a281a5dc4f692f0.tar.xz |
testing/firefox: fix stack overflow in brotli decompressor
fixes #5559
https://bugzilla.mozilla.org/show_bug.cgi?id=1274732
Diffstat (limited to 'testing/firefox/fix-stack-overflow.patch')
-rw-r--r-- | testing/firefox/fix-stack-overflow.patch | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/testing/firefox/fix-stack-overflow.patch b/testing/firefox/fix-stack-overflow.patch new file mode 100644 index 0000000000..e164fc69b6 --- /dev/null +++ b/testing/firefox/fix-stack-overflow.patch @@ -0,0 +1,45 @@ +https://bugs.alpinelinux.org/issues/5559 +https://bugzilla.mozilla.org/show_bug.cgi?id=1274732 + +diff --git a/netwerk/streamconv/converters/nsHTTPCompressConv.cpp b/netwerk/streamconv/converters/nsHTTPCompressConv.cpp +index 1193529..aeb96b5 100644 +--- a/netwerk/streamconv/converters/nsHTTPCompressConv.cpp ++++ b/netwerk/streamconv/converters/nsHTTPCompressConv.cpp +@@ -165,9 +165,8 @@ nsHTTPCompressConv::BrotliHandler(nsIInputStream *stream, void *closure, const c + nsHTTPCompressConv *self = static_cast<nsHTTPCompressConv *>(closure); + *countRead = 0; + +- const uint32_t kOutSize = 128 * 1024; // just a chunk size, we call in a loop +- unsigned char outBuffer[kOutSize]; +- unsigned char *outPtr; ++ const size_t kOutSize = 128 * 1024; // just a chunk size, we call in a loop ++ uint8_t *outPtr; + size_t outSize; + size_t avail = aAvail; + BrotliResult res; +@@ -177,9 +176,15 @@ nsHTTPCompressConv::BrotliHandler(nsIInputStream *stream, void *closure, const c + return NS_OK; + } + ++ auto outBuffer = MakeUniqueFallible<uint8_t[]>(kOutSize); ++ if (outBuffer == nullptr) { ++ self->mBrotli->mStatus = NS_ERROR_OUT_OF_MEMORY; ++ return self->mBrotli->mStatus; ++ } ++ + do { + outSize = kOutSize; +- outPtr = outBuffer; ++ outPtr = outBuffer.get(); + + // brotli api is documented in brotli/dec/decode.h and brotli/dec/decode.c + LOG(("nsHttpCompresssConv %p brotlihandler decompress %d\n", self, avail)); +@@ -210,7 +215,7 @@ nsHTTPCompressConv::BrotliHandler(nsIInputStream *stream, void *closure, const c + nsresult rv = self->do_OnDataAvailable(self->mBrotli->mRequest, + self->mBrotli->mContext, + self->mBrotli->mSourceOffset, +- reinterpret_cast<const char *>(outBuffer), ++ reinterpret_cast<const char *>(outBuffer.get()), + outSize); + LOG(("nsHttpCompressConv %p BrotliHandler ODA rv=%x", self, rv)); + if (NS_FAILED(rv)) { |