c037a0f7ce
WARNING: CVE-2015-4473 may not be fully addressed here, because I was unable to backport some of the patches (for upstream bugs 1182711 and 1146213). I was also unable to backport CVE-2015-4484 (upstream bug 1171540) and CVE-2015-4487 (upstream bug 1171603). I was unable to find any commit in the upstream repository that claims to address bug 1105914 (CVE-2015-4478). * gnu/packages/patches/icecat-CVE-2015-4473-partial.patch, gnu/packages/patches/icecat-CVE-2015-4482.patch, gnu/packages/patches/icecat-CVE-2015-4488.patch, gnu/packages/patches/icecat-CVE-2015-4489.patch, gnu/packages/patches/icecat-CVE-2015-4491.patch, gnu/packages/patches/icecat-CVE-2015-4492.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
81 lines
2.9 KiB
Diff
81 lines
2.9 KiB
Diff
From 9d5f21ee3a754d20bca4513f55553ea6694a7b25 Mon Sep 17 00:00:00 2001
|
|
From: Andrea Marchesini <amarchesini@mozilla.com>
|
|
Date: Wed, 29 Jul 2015 16:10:15 -0400
|
|
Subject: [PATCH] Bug 1185820 - XMLHttpRequest::Open() in worker should count
|
|
the recursion using a uint32_t and not a boolean. r=khuey, a=lmandel
|
|
|
|
--HG--
|
|
extra : transplant_source : %8F%89%24%FF%A1%F7d%5B%BE%E9%FC3%C6%E1%AC%27r%5Eq%16
|
|
extra : histedit_source : 5857f0cedf1cfb5361e6f404a094719814a2b415
|
|
---
|
|
dom/workers/XMLHttpRequest.cpp | 20 +++++++++++---------
|
|
1 file changed, 11 insertions(+), 9 deletions(-)
|
|
|
|
diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
|
|
index aac97ab..7099279 100644
|
|
--- a/dom/workers/XMLHttpRequest.cpp
|
|
+++ b/dom/workers/XMLHttpRequest.cpp
|
|
@@ -100,6 +100,7 @@ public:
|
|
// Only touched on the worker thread.
|
|
uint32_t mOuterEventStreamId;
|
|
uint32_t mOuterChannelId;
|
|
+ uint32_t mOpenCount;
|
|
uint64_t mLastLoaded;
|
|
uint64_t mLastTotal;
|
|
uint64_t mLastUploadLoaded;
|
|
@@ -109,7 +110,6 @@ public:
|
|
bool mLastUploadLengthComputable;
|
|
bool mSeenLoadStart;
|
|
bool mSeenUploadLoadStart;
|
|
- bool mOpening;
|
|
|
|
// Only touched on the main thread.
|
|
bool mUploadEventListenersAttached;
|
|
@@ -122,10 +122,10 @@ public:
|
|
: mWorkerPrivate(nullptr), mXMLHttpRequestPrivate(aXHRPrivate),
|
|
mMozAnon(aMozAnon), mMozSystem(aMozSystem),
|
|
mInnerEventStreamId(0), mInnerChannelId(0), mOutstandingSendCount(0),
|
|
- mOuterEventStreamId(0), mOuterChannelId(0), mLastLoaded(0), mLastTotal(0),
|
|
- mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
|
|
+ mOuterEventStreamId(0), mOuterChannelId(0), mOpenCount(0), mLastLoaded(0),
|
|
+ mLastTotal(0), mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
|
|
mLastLengthComputable(false), mLastUploadLengthComputable(false),
|
|
- mSeenLoadStart(false), mSeenUploadLoadStart(false), mOpening(false),
|
|
+ mSeenLoadStart(false), mSeenUploadLoadStart(false),
|
|
mUploadEventListenersAttached(false), mMainThreadSeenLoadStart(false),
|
|
mInOpen(false), mArrayBufferResponseWasTransferred(false)
|
|
{ }
|
|
@@ -1850,7 +1850,7 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody,
|
|
mWorkerPrivate->AssertIsOnWorkerThread();
|
|
|
|
// No send() calls when open is running.
|
|
- if (mProxy->mOpening) {
|
|
+ if (mProxy->mOpenCount) {
|
|
aRv.Throw(NS_ERROR_FAILURE);
|
|
return;
|
|
}
|
|
@@ -1945,15 +1945,17 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
|
|
mBackgroundRequest, mWithCredentials,
|
|
mTimeout);
|
|
|
|
- mProxy->mOpening = true;
|
|
+ ++mProxy->mOpenCount;
|
|
if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
|
|
- mProxy->mOpening = false;
|
|
- ReleaseProxy();
|
|
+ if (!--mProxy->mOpenCount) {
|
|
+ ReleaseProxy();
|
|
+ }
|
|
+
|
|
aRv.Throw(NS_ERROR_FAILURE);
|
|
return;
|
|
}
|
|
|
|
- mProxy->mOpening = false;
|
|
+ --mProxy->mOpenCount;
|
|
mProxy->mIsSyncXHR = !aAsync;
|
|
}
|
|
|
|
--
|
|
2.4.3
|
|
|