Added fix for mozbz#1436242 (rhbz#1577277) - Firefox IPC crashes
parent
dd0eb4d9d8
commit
ff9eb9dabf
@ -102,7 +102,7 @@
|
|||||||
Summary: Mozilla Firefox Web browser
|
Summary: Mozilla Firefox Web browser
|
||||||
Name: firefox
|
Name: firefox
|
||||||
Version: 60.0.1
|
Version: 60.0.1
|
||||||
Release: 2%{?pre_tag}%{?dist}
|
Release: 3%{?pre_tag}%{?dist}
|
||||||
URL: https://www.mozilla.org/firefox/
|
URL: https://www.mozilla.org/firefox/
|
||||||
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
License: MPLv1.1 or GPLv2+ or LGPLv2+
|
||||||
Source0: https://hg.mozilla.org/releases/mozilla-release/archive/firefox-%{version}%{?pre_version}.source.tar.xz
|
Source0: https://hg.mozilla.org/releases/mozilla-release/archive/firefox-%{version}%{?pre_version}.source.tar.xz
|
||||||
@ -160,6 +160,7 @@ Patch414: mozilla-1435212-ffmpeg-4.0.patch
|
|||||||
Patch415: Bug-1238661---fix-mozillaSignalTrampoline-to-work-.patch
|
Patch415: Bug-1238661---fix-mozillaSignalTrampoline-to-work-.patch
|
||||||
Patch416: mozilla-1424422.patch
|
Patch416: mozilla-1424422.patch
|
||||||
Patch417: bug1375074-save-restore-x28.patch
|
Patch417: bug1375074-save-restore-x28.patch
|
||||||
|
Patch418: mozilla-1436242.patch
|
||||||
|
|
||||||
Patch421: complete-csd-window-offset-mozilla-1457691.patch
|
Patch421: complete-csd-window-offset-mozilla-1457691.patch
|
||||||
|
|
||||||
@ -347,6 +348,7 @@ This package contains results of tests executed during build.
|
|||||||
%endif
|
%endif
|
||||||
%patch416 -p1 -b .1424422
|
%patch416 -p1 -b .1424422
|
||||||
%patch417 -p1 -b .bug1375074-save-restore-x28
|
%patch417 -p1 -b .bug1375074-save-restore-x28
|
||||||
|
%patch418 -p1 -b .mozilla-1436242
|
||||||
|
|
||||||
%patch421 -p1 -b .mozilla-1457691
|
%patch421 -p1 -b .mozilla-1457691
|
||||||
|
|
||||||
@ -906,6 +908,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
|
|||||||
#---------------------------------------------------------------------
|
#---------------------------------------------------------------------
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri May 25 2018 Martin Stransky <stransky@redhat.com> - 60.0.1-3
|
||||||
|
- Added fix for mozbz#1436242 (rhbz#1577277) - Firefox IPC crashes.
|
||||||
|
|
||||||
* Fri May 25 2018 Martin Stransky <stransky@redhat.com> - 60.0.1-2
|
* Fri May 25 2018 Martin Stransky <stransky@redhat.com> - 60.0.1-2
|
||||||
- Enable Wayland backend.
|
- Enable Wayland backend.
|
||||||
|
|
||||||
|
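--- /dev/null
+++ b/mozilla-1436242.patch
@@ -0,0 +1,56 @@
+
+# HG changeset patch
+# User Jed Davis <jld@mozilla.com>
+# Date 1526943705 21600
+# Node ID 6bb3adfa15c6877f7874429462dad88f8c978c4f
+# Parent 4c71c8454879c841871ecf3afb7dbdc96bad97fc
+Bug 1436242 - Avoid undefined behavior in IPC fd-passing code. r=froydnj
+
+MozReview-Commit-ID: 3szIPUssgF5
+
+diff --git a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
+--- a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
++++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc
+@@ -418,20 +418,37 @@ bool Channel::ChannelImpl::ProcessIncomi
+const int* fds;
+unsigned num_fds;
+unsigned fds_i = 0; // the index of the first unused descriptor
+
+if (input_overflow_fds_.empty()) {
+fds = wire_fds;
+num_fds = num_wire_fds;
+} else {
+- const size_t prev_size = input_overflow_fds_.size();
+- input_overflow_fds_.resize(prev_size + num_wire_fds);
+- memcpy(&input_overflow_fds_[prev_size], wire_fds,
+- num_wire_fds * sizeof(int));
++ // This code may look like a no-op in the case where
++ // num_wire_fds == 0, but in fact:
++ //
++ // 1. wire_fds will be nullptr, so passing it to memcpy is
++ // undefined behavior according to the C standard, even though
++ // the memcpy length is 0.
++ //
++ // 2. prev_size will be an out-of-bounds index for
++ // input_overflow_fds_; this is undefined behavior according to
++ // the C++ standard, even though the element only has its
++ // pointer taken and isn't accessed (and the corresponding
++ // operation on a C array would be defined).
++ //
++ // UBSan makes #1 a fatal error, and assertions in libstdc++ do
++ // the same for #2 if enabled.
++ if (num_wire_fds > 0) {
++ const size_t prev_size = input_overflow_fds_.size();
++ input_overflow_fds_.resize(prev_size + num_wire_fds);
++ memcpy(&input_overflow_fds_[prev_size], wire_fds,
++ num_wire_fds * sizeof(int));
++ }
+fds = &input_overflow_fds_[0];
+num_fds = input_overflow_fds_.size();
+}
+
+// The data for the message we're currently reading consists of any data
+// stored in incoming_message_ followed by data in input_buf_ (followed by
+// other messages).
+
+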
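Review bot: The guarded resize+memcpy added in the `else` branch can be expressed as a single `input_overflow_fds_.insert(input_overflow_fds_.end(), wire_fds, wire_fds + num_wire_fds);`, which is well-defined for num_wire_fds == 0 as well (in C++, adding 0 to a null pointer yields a null pointer, and inserting an empty range is a no-op), so the `if (num_wire_fds > 0)` guard and most of the 13-line explanatory comment would no longer be needed. In the same hunk, `fds = &input_overflow_fds_[0];` is better written `fds = input_overflow_fds_.data();`, which carries no non-empty precondition even though the surrounding `else` branch happens to guarantee it here. Since this file is a verbatim upstream backport (Node ID 6bb3adfa…), that simplification belongs upstream rather than in the distro patch; as applied, the guard does remove both UB cases the comment describes. The enclosing ProcessIncomingMessages body starts and ends outside the hunk, so the origin and bounds of num_wire_fds are not visible here.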