From ff9eb9dabfdfdb76411c3791713aac76c2e821d8 Mon Sep 17 00:00:00 2001 From: Martin Stransky Date: Fri, 25 May 2018 15:23:41 +0200 Subject: [PATCH] Added fix for mozbz#1436242 (rhbz#1577277) - Firefox IPC crashes --- firefox.spec | 7 +++++- mozilla-1436242.patch | 56 +++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 1 deletion(-) create mode 100644 mozilla-1436242.patch diff --git a/firefox.spec b/firefox.spec index 95aad1a..ca3b69c 100644 --- a/firefox.spec +++ b/firefox.spec @@ -102,7 +102,7 @@ Summary: Mozilla Firefox Web browser Name: firefox Version: 60.0.1 -Release: 2%{?pre_tag}%{?dist} +Release: 3%{?pre_tag}%{?dist} URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Source0: https://hg.mozilla.org/releases/mozilla-release/archive/firefox-%{version}%{?pre_version}.source.tar.xz @@ -160,6 +160,7 @@ Patch414: mozilla-1435212-ffmpeg-4.0.patch Patch415: Bug-1238661---fix-mozillaSignalTrampoline-to-work-.patch Patch416: mozilla-1424422.patch Patch417: bug1375074-save-restore-x28.patch +Patch418: mozilla-1436242.patch Patch421: complete-csd-window-offset-mozilla-1457691.patch @@ -347,6 +348,7 @@ This package contains results of tests executed during build. %endif %patch416 -p1 -b .1424422 %patch417 -p1 -b .bug1375074-save-restore-x28 +%patch418 -p1 -b .mozilla-1436242 %patch421 -p1 -b .mozilla-1457691 @@ -906,6 +908,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : #--------------------------------------------------------------------- %changelog +* Fri May 25 2018 Martin Stransky - 60.0.1-3 +- Added fix for mozbz#1436242 (rhbz#1577277) - Firefox IPC crashes. + * Fri May 25 2018 Martin Stransky - 60.0.1-2 - Enable Wayland backend. diff --git a/mozilla-1436242.patch b/mozilla-1436242.patch new file mode 100644 index 0000000..570b7c5 --- /dev/null +++ b/mozilla-1436242.patch @@ -0,0 +1,56 @@ + +# HG changeset patch +# User Jed Davis +# Date 1526943705 21600 +# Node ID 6bb3adfa15c6877f7874429462dad88f8c978c4f +# Parent 4c71c8454879c841871ecf3afb7dbdc96bad97fc +Bug 1436242 - Avoid undefined behavior in IPC fd-passing code. r=froydnj + +MozReview-Commit-ID: 3szIPUssgF5 + +diff --git a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc +--- a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc ++++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc +@@ -418,20 +418,37 @@ bool Channel::ChannelImpl::ProcessIncomi + const int* fds; + unsigned num_fds; + unsigned fds_i = 0; // the index of the first unused descriptor + + if (input_overflow_fds_.empty()) { + fds = wire_fds; + num_fds = num_wire_fds; + } else { +- const size_t prev_size = input_overflow_fds_.size(); +- input_overflow_fds_.resize(prev_size + num_wire_fds); +- memcpy(&input_overflow_fds_[prev_size], wire_fds, +- num_wire_fds * sizeof(int)); ++ // This code may look like a no-op in the case where ++ // num_wire_fds == 0, but in fact: ++ // ++ // 1. wire_fds will be nullptr, so passing it to memcpy is ++ // undefined behavior according to the C standard, even though ++ // the memcpy length is 0. ++ // ++ // 2. prev_size will be an out-of-bounds index for ++ // input_overflow_fds_; this is undefined behavior according to ++ // the C++ standard, even though the element only has its ++ // pointer taken and isn't accessed (and the corresponding ++ // operation on a C array would be defined). ++ // ++ // UBSan makes #1 a fatal error, and assertions in libstdc++ do ++ // the same for #2 if enabled. ++ if (num_wire_fds > 0) { ++ const size_t prev_size = input_overflow_fds_.size(); ++ input_overflow_fds_.resize(prev_size + num_wire_fds); ++ memcpy(&input_overflow_fds_[prev_size], wire_fds, ++ num_wire_fds * sizeof(int)); ++ } + fds = &input_overflow_fds_[0]; + num_fds = input_overflow_fds_.size(); + } + + // The data for the message we're currently reading consists of any data + // stored in incoming_message_ followed by data in input_buf_ (followed by + // other messages). + +