From d4346ba273a38e0de47a4a858a281a5dc4f692f0 Mon Sep 17 00:00:00 2001
From: Natanael Copa
Date: Wed, 25 May 2016 21:21:42 +0000
Subject: testing/firefox: fix stack overflow in brotli decompressor

fixes #5559
https://bugzilla.mozilla.org/show_bug.cgi?id=1274732
---
 testing/firefox/APKBUILD | 6 ++++-
 testing/firefox/fix-stack-overflow.patch | 45 ++++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+), 1 deletion(-)
 create mode 100644 testing/firefox/fix-stack-overflow.patch
(limited to 'testing/firefox')
diff --git a/testing/firefox/APKBUILD b/testing/firefox/APKBUILD
index 404b8d3785..42cb186b00 100644
--- a/testing/firefox/APKBUILD
+++ b/testing/firefox/APKBUILD
@@ -4,7 +4,7 @@ pkgname=firefox
 pkgver=46.0.1
 _pkgver=$pkgver
 _xulver=$pkgver
-pkgrel=0
+pkgrel=1
 pkgdesc="Firefox web browser"
 url="http://www.firefox.com"
 arch="all"
@@ -71,6 +71,7 @@ source="https://ftp.mozilla.org/pub/firefox/releases/$pkgver/source/firefox-$pkg
 libavutil.patch
 mallinfo.patch
 firefox-gtk3-20.patch
+ fix-stack-overflow.patch
 firefox.desktop
 firefox-safe.desktop"

@@ -188,6 +189,7 @@ f29e0036edc7b3a4158a82fa97bde500 fix-fortify-inline.patch
 b8b2a3cdb38f402e4eb4885908233811 libavutil.patch
 0db0cce8350d59a91ae2c4f0400f7146 mallinfo.patch
 4398feb7543ef216a9f4a3690ea97180 firefox-gtk3-20.patch
+0538d10d2a14576c5aad6048c942a42c fix-stack-overflow.patch
 ba96924ece1d77453e462429037a2ce5 firefox.desktop
 6f38a5899034b7786cb1f75ad42032b8 firefox-safe.desktop"
 sha256sums="98b8292a31b7e3e426f3204de1fed2a6ab38dcf64dd27bdfae556b407a198bf9 firefox-46.0.1.source.tar.xz
@@ -208,6 +210,7 @@ a1ba79ec0c50c19edcfb24bb2686a718a77b02035e412989b9208b9b818abe14 allow-utf8-fal
 83113f1fbc0389602b3623e8a5428d41837c4ec9557615c37ca05619526a7404 libavutil.patch
 2f564fa5f347f3c7f20d589ef273f000ca9c9aeca2c6ad0fb5b15bfc715d8b81 mallinfo.patch
 440c3e22d98ecf8c44dcedbe90bbb302da3a059e3fc3fba205d89f0eca329cbf firefox-gtk3-20.patch
+e568adf5d43220b831fd538b4387c14c046efc1bdab4257467fbfd86ee5830aa fix-stack-overflow.patch
 b571c4a49884a3c98806246c9cc3e60c73d5a8f4aeb7f96217db0be1d6210eda firefox.desktop
 4b6de45753856a890f4482055666e77f9b01bdfb7e0df08bafaa3a4d9937eed3 firefox-safe.desktop"
 sha512sums="c58642774f93ceaef4f99bc3fe578db6e4f6de7f1d23080da97b61bc4fc6b516ce99fa04368893c0fa2cb9cd0b36e96955656daa97d0bd0d8f4da6a2d364cb98 firefox-46.0.1.source.tar.xz
@@ -228,5 +231,6 @@ ebbc2b1336197c289e9b7c073d196fb5734e1dad0109fe70538f8089b1873e4b55305cd39cefcf95
 2213dbd7eb36f954add09977c0bb979aea79376164bc98d7e8957ecf584776bc11cc88b6d8235f9e04ac69d5975a47c2f52fd9aff9076326f15997657af8c9f3 libavutil.patch
 bdcd1b402d2ec94957ba5d08cbad7b1a7f59c251c311be9095208491a05abb05a956c79f27908e1f26b54a3679387b2f33a51e945b650671ad85c0a2d59a5a29 mallinfo.patch
 ee891acc644bea7eeccea8414292ada80d813864ce003d03189c9ef4f7e2c97e7209301725b1d55a02dd7af497eb9c7493fafc208b5a5fde574ddcf1bf7870c4 firefox-gtk3-20.patch
+c815131b04e25162d8b32e75e58c3f670492996a41a0cc27a72432ed37fb3a5488a6eb474c2a1bf455d3546cde3b6871b46bcdbef8e2f37d1133c40819aa6f11 fix-stack-overflow.patch
 f3b7c3e804ce04731012a46cb9e9a6b0769e3772aef9c0a4a8c7520b030fdf6cd703d5e9ff49275f14b7d738fe82a0a4fde3bc3219dff7225d5db0e274987454 firefox.desktop
 5dcb6288d0444a8a471d669bbaf61cdb1433663eff38b72ee5e980843f5fc07d0d60c91627a2c1159215d0ad77ae3f115dcc5fdfe87e64ca704b641aceaa44ed firefox-safe.desktop"
diff --git a/testing/firefox/fix-stack-overflow.patch b/testing/firefox/fix-stack-overflow.patch
new file mode 100644
index 0000000000..e164fc69b6
--- /dev/null
+++ b/testing/firefox/fix-stack-overflow.patch
@@ -0,0 +1,45 @@
+https://bugs.alpinelinux.org/issues/5559
+https://bugzilla.mozilla.org/show_bug.cgi?id=1274732
+
+diff --git a/netwerk/streamconv/converters/nsHTTPCompressConv.cpp b/netwerk/streamconv/converters/nsHTTPCompressConv.cpp
+index 1193529..aeb96b5 100644
+--- a/netwerk/streamconv/converters/nsHTTPCompressConv.cpp
++++ b/netwerk/streamconv/converters/nsHTTPCompressConv.cpp
+@@ -165,9 +165,8 @@ nsHTTPCompressConv::BrotliHandler(nsIInputStream *stream, void *closure, const c
+ nsHTTPCompressConv *self = static_cast(closure);
+ *countRead = 0;
+
+- const uint32_t kOutSize = 128 * 1024; // just a chunk size, we call in a loop
+- unsigned char outBuffer[kOutSize];
+- unsigned char *outPtr;
++ const size_t kOutSize = 128 * 1024; // just a chunk size, we call in a loop
++ uint8_t *outPtr;
+ size_t outSize;
+ size_t avail = aAvail;
+ BrotliResult res;
+@@ -177,9 +176,15 @@ nsHTTPCompressConv::BrotliHandler(nsIInputStream *stream, void *closure, const c
+ return NS_OK;
+ }
+
++ auto outBuffer = MakeUniqueFallible(kOutSize);
++ if (outBuffer == nullptr) {
++ self->mBrotli->mStatus = NS_ERROR_OUT_OF_MEMORY;
++ return self->mBrotli->mStatus;
++ }
++
+ do {
+ outSize = kOutSize;
+- outPtr = outBuffer;
++ outPtr = outBuffer.get();
+
+ // brotli api is documented in brotli/dec/decode.h and brotli/dec/decode.c
+ LOG(("nsHttpCompresssConv %p brotlihandler decompress %d\n", self, avail));
+@@ -210,7 +215,7 @@ nsHTTPCompressConv::BrotliHandler(nsIInputStream *stream, void *closure, const c
+ nsresult rv = self->do_OnDataAvailable(self->mBrotli->mRequest,
+ self->mBrotli->mContext,
+ self->mBrotli->mSourceOffset,
+- reinterpret_cast(outBuffer),
++ reinterpret_cast(outBuffer.get()),
+ outSize);
+ LOG(("nsHttpCompressConv %p BrotliHandler ODA rv=%x", self, rv));
+ if (NS_FAILED(rv)) {
-- cgit v1.2.3
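Review bot: The new `MakeUniqueFallible(kOutSize)` call sits directly in the body of `BrotliHandler`, so the 128 KiB buffer is allocated and freed on every invocation of the handler. The handler looks like a per-segment read callback (`closure`, `countRead`), so holding the buffer in the `mBrotli` state object and allocating it once per stream would avoid that churn while still keeping it off the stack. The out-of-memory branch records `NS_ERROR_OUT_OF_MEMORY` in `mStatus` before returning but is silent; `LOG(("nsHttpCompressConv %p BrotliHandler out of memory", self));` there would match the logging on the other paths. The embedded patch's header gives only two URLs, so a one-line description such as `Move BrotliHandler's 128 KiB output buffer from the stack to the heap` would tell the next maintainer what it does and when it can be dropped. As rendered here the template arguments of `static_cast`, `MakeUniqueFallible` and `reinterpret_cast` are missing, presumably stripped by the page's HTML rendering, so the file should be taken from the repository and verified against the checksums this commit adds to APKBUILD rather than copied from this page; `BrotliHandler` itself starts and ends outside the hunks.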