cpet/freebsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

MFH: r473585

Browse Source 
www/waterfox: update to 56.2.1.48

Changes:	ff88ad0b62...7f6ff796ee
Approved by:	ports-secteam blanket
This commit is contained in:
Jan Beich 2018-06-29 21:48:16 +00:00
parent 3023ba4e31
commit 9c29a3cdc3
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/branches/2018Q2/; revision=473586
12 changed files with 5 additions and 669 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
www/waterfox/Makefile
View File

@ -1,9 +1,8 @@
# $FreeBSD$
PORTNAME= waterfox
DISTVERSION= 56.2.1-19
DISTVERSIONSUFFIX= -gff88ad0b627dc
PORTREVISION= 2
DISTVERSION= 56.2.1-48
DISTVERSIONSUFFIX= -g7f6ff796eeda4
CATEGORIES= www ipv6
MAINTAINER= jbeich@FreeBSD.org

6
www/waterfox/distinfo
View File

@ -1,3 +1,3 @@
TIMESTAMP = 1529323760
SHA256 (MrAlex94-Waterfox-56.2.1-19-gff88ad0b627dc_GH0.tar.gz) = f94cb6a907e287fd599cbd57dd2cabc0dd9a4747dd2ec38600db7709dcd1b04b
SIZE (MrAlex94-Waterfox-56.2.1-19-gff88ad0b627dc_GH0.tar.gz) = 395126403
TIMESTAMP = 1530292793
SHA256 (MrAlex94-Waterfox-56.2.1-48-g7f6ff796eeda4_GH0.tar.gz) = 07b65c4e20917968ce5086ddef09dcfe37bd90135f4f37fa2d4cd6029ac38df8
SIZE (MrAlex94-Waterfox-56.2.1-48-g7f6ff796eeda4_GH0.tar.gz) = 395133776

31
www/waterfox/files/patch-bug1261175
View File

@ -1,31 +0,0 @@
commit 315fe73694f9
Author: Matt Woodrow <mwoodrow@mozilla.com>
Date: Tue Nov 14 10:31:36 2017 +1300
Bug 1261175. r=bobowen a=gchang
MozReview-Commit-ID: B9yAN0F01rj
--HG--
extra : amend_source : 7585df8257930896070ddcb64c93a28a39fbbee7
---
layout/base/nsDocumentViewer.cpp | 6 ++++++
1 file changed, 6 insertions(+)
diff --git layout/base/nsDocumentViewer.cpp layout/base/nsDocumentViewer.cpp
index be33cf990d91..4fe03d3f7f88 100644
--- layout/base/nsDocumentViewer.cpp
+++ layout/base/nsDocumentViewer.cpp
@@ -549,6 +549,12 @@ nsDocumentViewer::~nsDocumentViewer()
mDocument->Destroy();
}
+ if (mPrintEngine) {
+ mPrintEngine->Destroy();
+ mPrintEngine = nullptr;
+ }
+
+ MOZ_RELEASE_ASSERT(mDestroyRefCount == 0);
NS_ASSERTION(!mPresShell && !mPresContext,
"User did not call nsIContentViewer::Destroy");
if (mPresShell || mPresContext) {

54
www/waterfox/files/patch-bug1436241
View File

@ -1,54 +0,0 @@
commit 540471c8085c
Author: Kyle Machulis <kyle@nonpolynomial.com>
Date: Mon Apr 30 12:49:15 2018 -0700
Bug 1436241 - Check redirect status code before forwarding to NPAPI. r=jimm, r=pauljt, a=RyanVM
NPAPI may handle a 307 redirect across different origins, while they
should only happen on same origin requests. Have the browser check
this before forwarding to NPAPI.
MozReview-Commit-ID: 5vxMooygI4g
--HG--
extra : source : 6d595a423fb52766abb5c1d10d4b9d7d6027d68a
---
dom/plugins/base/nsPluginStreamListenerPeer.cpp | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git dom/plugins/base/nsPluginStreamListenerPeer.cpp dom/plugins/base/nsPluginStreamListenerPeer.cpp
index b780688ddd0c7..dd8e84d2df075 100644
--- dom/plugins/base/nsPluginStreamListenerPeer.cpp
+++ dom/plugins/base/nsPluginStreamListenerPeer.cpp
@@ -668,15 +668,6 @@ nsPluginStreamListenerPeer::AsyncOnChannelRedirect(nsIChannel *oldChannel, nsICh
return NS_ERROR_FAILURE;
}
- nsCOMPtr<nsIAsyncVerifyRedirectCallback> proxyCallback =
- new ChannelRedirectProxyCallback(this, callback, oldChannel, newChannel);
-
- // Give NPAPI a chance to control redirects.
- bool notificationHandled = mPStreamListener->HandleRedirectNotification(oldChannel, newChannel, proxyCallback);
- if (notificationHandled) {
- return NS_OK;
- }
-
// Don't allow cross-origin 307 POST redirects.
nsCOMPtr<nsIHttpChannel> oldHttpChannel(do_QueryInterface(oldChannel));
if (oldHttpChannel) {
@@ -700,6 +691,15 @@ nsPluginStreamListenerPeer::AsyncOnChannelRedirect(nsIChannel *oldChannel, nsICh
}
}
+ nsCOMPtr<nsIAsyncVerifyRedirectCallback> proxyCallback =
+ new ChannelRedirectProxyCallback(this, callback, oldChannel, newChannel);
+
+ // Give NPAPI a chance to control redirects.
+ bool notificationHandled = mPStreamListener->HandleRedirectNotification(oldChannel, newChannel, proxyCallback);
+ if (notificationHandled) {
+ return NS_OK;
+ }
+
// Fall back to channel event sink for window.
nsCOMPtr<nsIChannelEventSink> channelEventSink;
nsresult rv = GetInterfaceGlobal(NS_GET_IID(nsIChannelEventSink), getter_AddRefs(channelEventSink));

133
www/waterfox/files/patch-bug1452375
View File

@ -1,133 +0,0 @@
commit 73284efb9ac4
Author: Jeff Muizelaar <jmuizelaar@mozilla.com>
Date: Thu May 31 21:19:18 2018 -0400
Bug 1452375 - ssse3-scaler: handle init failure. r=sotaro, a=abillings
--HG--
extra : amend_source : b9070901c9a52e7790db4e81ba093b08511bab6a
---
gfx/2d/ssse3-scaler.c | 8 +++++++-
gfx/2d/ssse3-scaler.h | 4 +++-
gfx/layers/basic/BasicCompositor.cpp | 14 +++++++-------
3 files changed, 17 insertions(+), 9 deletions(-)
diff --git gfx/2d/ssse3-scaler.c gfx/2d/ssse3-scaler.c
index 345844b841dc5..0a571e064dc31 100644
--- gfx/2d/ssse3-scaler.c
+++ gfx/2d/ssse3-scaler.c
@@ -37,6 +37,7 @@
#include <tmmintrin.h>
#include <stdint.h>
#include <assert.h>
+#include "ssse3-scaler.h"
typedef int32_t pixman_fixed_16_16_t;
typedef pixman_fixed_16_16_t pixman_fixed_t;
@@ -505,7 +506,7 @@ fail:
/* scale the src from src_width/height to dest_width/height drawn
* into the rectangle x,y width,height
* src_stride and dst_stride are 4 byte units */
-void ssse3_scale_data(uint32_t *src, int src_width, int src_height, int src_stride,
+bool ssse3_scale_data(uint32_t *src, int src_width, int src_height, int src_stride,
uint32_t *dest, int dest_width, int dest_height,
int dest_stride,
int x, int y,
@@ -551,6 +552,10 @@ void ssse3_scale_data(uint32_t *src, int src_width, int src_height, int src_stri
iter.data = NULL;
ssse3_bilinear_cover_iter_init(&iter);
+
+ if (!iter.fini)
+ return false;
+
if (iter.data) {
for (int iy = 0; iy < height; iy++) {
ssse3_fetch_bilinear_cover(&iter, NULL);
@@ -558,4 +563,5 @@ void ssse3_scale_data(uint32_t *src, int src_width, int src_height, int src_stri
}
ssse3_bilinear_cover_iter_fini(&iter);
}
+ return true;
}
diff --git gfx/2d/ssse3-scaler.h gfx/2d/ssse3-scaler.h
index b3b53ed643689..ea8d8a066303a 100644
--- gfx/2d/ssse3-scaler.h
+++ gfx/2d/ssse3-scaler.h
@@ -6,10 +6,12 @@
#ifndef MOZILLA_GFX_2D_SSSE3_SCALER_H_
#define MOZILLA_GFX_2D_SSSE3_SCALER_H_
+#include <stdbool.h>
+
#ifdef __cplusplus
extern "C" {
#endif
-void ssse3_scale_data(uint32_t *src, int src_width, int src_height,
+bool ssse3_scale_data(uint32_t *src, int src_width, int src_height,
int src_stride,
uint32_t *dest, int dest_width, int dest_height,
int dest_rowstride,
diff --git gfx/layers/basic/BasicCompositor.cpp gfx/layers/basic/BasicCompositor.cpp
index 1ff27f7957301..634d9e3407f7b 100644
--- gfx/layers/basic/BasicCompositor.cpp
+++ gfx/layers/basic/BasicCompositor.cpp
@@ -470,15 +470,15 @@ AttemptVideoScale(TextureSourceBasic* aSource, const SourceSurface* aSourceMask,
RefPtr<DataSourceSurface> srcSource = aSource->GetSurface(aDest)->GetDataSurface();
DataSourceSurface::ScopedMap mapSrc(srcSource, DataSourceSurface::READ);
- ssse3_scale_data((uint32_t*)mapSrc.GetData(), srcSource->GetSize().width, srcSource->GetSize().height,
- mapSrc.GetStride()/4,
- ((uint32_t*)dstData) + fillRect.x + (dstStride / 4) * fillRect.y, dstRect.width, dstRect.height,
- dstStride / 4,
- offset.x, offset.y,
- fillRect.width, fillRect.height);
+ bool success = ssse3_scale_data((uint32_t*)mapSrc.GetData(), srcSource->GetSize().width, srcSource->GetSize().height,
+ mapSrc.GetStride()/4,
+ ((uint32_t*)dstData) + fillRect.x + (dstStride / 4) * fillRect.y, dstRect.width, dstRect.height,
+ dstStride / 4,
+ offset.x, offset.y,
+ fillRect.width, fillRect.height);
aDest->ReleaseBits(dstData);
- return true;
+ return success;
} else
#endif // MOZILLA_SSE_HAVE_CPUID_DETECTION
return false;
commit 083548141193 (origin/esr52)
Author: Jeff Muizelaar <jmuizelaar@mozilla.com>
Date: Thu May 31 21:20:05 2018 -0400
Bug 1452375 - ssse3-scaler: make sure iter->x/y is representable. r=sotaro, a=abillings
---
gfx/2d/ssse3-scaler.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git gfx/2d/ssse3-scaler.c gfx/2d/ssse3-scaler.c
index 0a571e064dc31..745f58f6f8f43 100644
--- gfx/2d/ssse3-scaler.c
+++ gfx/2d/ssse3-scaler.c
@@ -45,6 +45,8 @@ typedef pixman_fixed_16_16_t pixman_fixed_t;
#define pixman_fixed_to_int(f) ((int) ((f) >> 16))
#define pixman_int_to_fixed(i) ((pixman_fixed_t) ((i) << 16))
#define pixman_double_to_fixed(d) ((pixman_fixed_t) ((d) * 65536.0))
+#define PIXMAN_FIXED_INT_MAX 32767
+#define PIXMAN_FIXED_INT_MIN -32768
typedef struct pixman_vector pixman_vector_t;
typedef int pixman_bool_t;
@@ -464,6 +466,12 @@ ssse3_bilinear_cover_iter_init (pixman_iter_t *iter)
bilinear_info_t *info;
pixman_vector_t v;
+ if (iter->x > PIXMAN_FIXED_INT_MAX ||
+ iter->x < PIXMAN_FIXED_INT_MIN ||
+ iter->y > PIXMAN_FIXED_INT_MAX ||
+ iter->y < PIXMAN_FIXED_INT_MIN)
+ goto fail;
+
/* Reference point is the center of the pixel */
v.vector[0] = pixman_int_to_fixed (iter->x) + pixman_fixed_1 / 2;
v.vector[1] = pixman_int_to_fixed (iter->y) + pixman_fixed_1 / 2;

36
www/waterfox/files/patch-bug1453127
View File

@ -1,39 +1,3 @@
commit 7f8f5d958ed6
Author: Bryce Van Dyk <bvandyk@mozilla.com>
Date: Wed Apr 18 15:30:57 2018 -0400
Bug 1453127 - Do not use iterators in MediaStreamTrack when removing listeners. r=pehrsons a=lizzard
--HG--
extra : source : 6b3aaee40f7507e240da08d6e073cff3c53971f4
---
dom/media/MediaStreamTrack.cpp | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git dom/media/MediaStreamTrack.cpp dom/media/MediaStreamTrack.cpp
index 010373e9086dc..af6c6014cf02a 100644
--- dom/media/MediaStreamTrack.cpp
+++ dom/media/MediaStreamTrack.cpp
@@ -166,11 +166,15 @@ MediaStreamTrack::Destroy()
mPrincipalHandleListener->Forget();
mPrincipalHandleListener = nullptr;
}
- for (auto l : mTrackListeners) {
- RemoveListener(l);
+ // Remove all listeners -- avoid iterating over the list we're removing from
+ const nsTArray<RefPtr<MediaStreamTrackListener>> trackListeners(mTrackListeners);
+ for (auto listener : trackListeners) {
+ RemoveListener(listener);
}
- for (auto l : mDirectTrackListeners) {
- RemoveDirectListener(l);
+ // Do the same as above for direct listeners
+ const nsTArray<RefPtr<DirectMediaStreamTrackListener>> directTrackListeners(mDirectTrackListeners);
+ for (auto listener : directTrackListeners) {
+ RemoveDirectListener(listener);
}
}
commit 890e77744a2a
Author: Andreas Pehrson <pehrsons@mozilla.com>
Date: Tue May 29 10:13:14 2018 +0200

71
www/waterfox/files/patch-bug1459162
View File

@ -1,71 +0,0 @@
commit 7588031f0792
Author: Jonathan Kew <jkew@mozilla.com>
Date: Thu May 17 09:49:58 2018 +0100
Bug 1459162 - Update dimensions early in ClearTarget. r=lsalzman a=abillings
---
dom/canvas/CanvasRenderingContext2D.cpp | 14 +++++++++-----
dom/canvas/CanvasRenderingContext2D.h | 5 ++++-
2 files changed, 13 insertions(+), 6 deletions(-)
diff --git dom/canvas/CanvasRenderingContext2D.cpp dom/canvas/CanvasRenderingContext2D.cpp
index 1e057824a4675..4501ffaff2d97 100644
--- dom/canvas/CanvasRenderingContext2D.cpp
+++ dom/canvas/CanvasRenderingContext2D.cpp
@@ -1928,8 +1928,6 @@ CanvasRenderingContext2D::GetHeight() const
NS_IMETHODIMP
CanvasRenderingContext2D::SetDimensions(int32_t aWidth, int32_t aHeight)
{
- ClearTarget();
-
// Zero sized surfaces can cause problems.
mZero = false;
if (aHeight == 0) {
@@ -1940,14 +1938,14 @@ CanvasRenderingContext2D::SetDimensions(int32_t aWidth, int32_t aHeight)
aWidth = 1;
mZero = true;
}
- mWidth = aWidth;
- mHeight = aHeight;
+
+ ClearTarget(aWidth, aHeight);
return NS_OK;
}
void
-CanvasRenderingContext2D::ClearTarget()
+CanvasRenderingContext2D::ClearTarget(int32_t aWidth, int32_t aHeight)
{
Reset();
@@ -1955,6 +1953,12 @@ CanvasRenderingContext2D::ClearTarget()
SetInitialState();
+ // Update dimensions only if new (strictly positive) values were passed.
+ if (aWidth > 0 && aHeight > 0) {
+ mWidth = aWidth;
+ mHeight = aHeight;
+ }
+
// For vertical writing-mode, unless text-orientation is sideways,
// we'll modify the initial value of textBaseline to 'middle'.
RefPtr<nsStyleContext> canvasStyle;
diff --git dom/canvas/CanvasRenderingContext2D.h dom/canvas/CanvasRenderingContext2D.h
index 6f0f6279e0cf5..c2ed098b053d0 100644
--- dom/canvas/CanvasRenderingContext2D.h
+++ dom/canvas/CanvasRenderingContext2D.h
@@ -683,8 +683,11 @@ protected:
/**
* Disposes an old target and prepares to lazily create a new target.
+ *
+ * Parameters are the new dimensions to be used, or if either is negative,
+ * existing dimensions will be left unchanged.
*/
- void ClearTarget();
+ void ClearTarget(int32_t aWidth = -1, int32_t aHeight = -1);
/*
* Returns the target to the buffer provider. i.e. this will queue a frame for

44
www/waterfox/files/patch-bug1459206
View File

@ -1,44 +0,0 @@
commit 4741651d3ac6
Author: Andrea Marchesini <amarchesini@mozilla.com>
Date: Thu May 10 11:24:25 2018 +0200
Bug 1459206 - Use FileSystemSecurity in ContentParent::RecvGetFilesRequest. r=ehsan, a=RyanVM
--HG--
extra : source : a3ebab26f0d9e962f1f892335838ee1b51335378
---
dom/filesystem/tests/test_webkitdirectory.html | 1 +
dom/ipc/ContentParent.cpp | 8 ++++++++
2 files changed, 9 insertions(+)
diff --git dom/filesystem/tests/test_webkitdirectory.html dom/filesystem/tests/test_webkitdirectory.html
index 3611039a5a46a..45957f9bb56d0 100644
--- dom/filesystem/tests/test_webkitdirectory.html
+++ dom/filesystem/tests/test_webkitdirectory.html
@@ -151,6 +151,7 @@ function test_changeDataWhileWorking() {
function test_setup() {
SpecialPowers.pushPrefEnv({"set": [["dom.input.dirpicker", true],
+ ["dom.filesystem.pathcheck.disabled", true],
["dom.webkitBlink.dirPicker.enabled", true]]}, next);
}
diff --git dom/ipc/ContentParent.cpp dom/ipc/ContentParent.cpp
index 9912238b27744..c55fb106690f0 100644
--- dom/ipc/ContentParent.cpp
+++ dom/ipc/ContentParent.cpp
@@ -5241,6 +5241,14 @@ ContentParent::RecvGetFilesRequest(const nsID& aUUID,
{
MOZ_ASSERT(!mGetFilesPendingRequests.GetWeak(aUUID));
+ if (!mozilla::Preferences::GetBool("dom.filesystem.pathcheck.disabled", false)) {
+ RefPtr<FileSystemSecurity> fss = FileSystemSecurity::Get();
+ if (NS_WARN_IF(!fss ||
+ !fss->ContentProcessHasAccessTo(ChildID(), aDirectoryPath))) {
+ return IPC_FAIL_NO_REASON(this);
+ }
+ }
+
ErrorResult rv;
RefPtr<GetFilesHelper> helper =
GetFilesHelperParent::Create(aUUID, aDirectoryPath, aRecursiveFlag, this,

26
www/waterfox/files/patch-bug1459693
View File

@ -1,26 +0,0 @@
commit b639bb848489
Author: Olli Pettay <Olli.Pettay@helsinki.fi>
Date: Wed May 30 17:04:18 2018 +0300
Bug 1459693 - Ensure the right anonymous element is focused when calling input.focus(). r=mccr8, a=RyanVM
--HG--
extra : source : 8398d902299c9df8c0cb522d2d34c1419ee2682b
---
dom/html/HTMLInputElement.cpp | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git dom/html/HTMLInputElement.cpp dom/html/HTMLInputElement.cpp
index 4ba4ef9f9371b..9b4862626c6e0 100644
--- dom/html/HTMLInputElement.cpp
+++ dom/html/HTMLInputElement.cpp
@@ -3177,7 +3177,8 @@ HTMLInputElement::Focus(ErrorResult& aError)
nsNumberControlFrame* numberControlFrame =
do_QueryFrame(GetPrimaryFrame());
if (numberControlFrame) {
- HTMLInputElement* textControl = numberControlFrame->GetAnonTextControl();
+ RefPtr<HTMLInputElement> textControl =
+ numberControlFrame->GetAnonTextControl();
if (textControl) {
textControl->Focus(aError);
return;

161
www/waterfox/files/patch-bug1463244
View File

@ -1,161 +0,0 @@
commit 937a30033acb
Author: Lee Salzman <lsalzman@mozilla.com>
Date: Fri May 25 00:56:22 2018 -0400
Bug 1463244 - Cleanup of swizzle stride calculations. r=rhunt, a=RyanVM
MozReview-Commit-ID: GMXRKnu8zHB
--HG--
extra : source : 2aaf8f2a1975c57f5467968734d110ac7becc7ee
---
gfx/2d/DataSurfaceHelpers.cpp | 33 ++++++++++++++++++++++++---------
gfx/2d/Swizzle.cpp | 34 +++++++++++++++++++++++++++-------
2 files changed, 51 insertions(+), 16 deletions(-)
diff --git gfx/2d/DataSurfaceHelpers.cpp gfx/2d/DataSurfaceHelpers.cpp
index f13be059c8ba0..7af32ff005771 100644
--- gfx/2d/DataSurfaceHelpers.cpp
+++ gfx/2d/DataSurfaceHelpers.cpp
@@ -157,9 +157,16 @@ SurfaceToPackedBGRA(DataSourceSurface *aSurface)
}
IntSize size = aSurface->GetSize();
-
- UniquePtr<uint8_t[]> imageBuffer(
- new (std::nothrow) uint8_t[size.width * size.height * sizeof(uint32_t)]);
+ if (size.width < 0 || size.width >= INT32_MAX / 4) {
+ return nullptr;
+ }
+ int32_t stride = size.width * 4;
+ CheckedInt<size_t> bufferSize =
+ CheckedInt<size_t>(stride) * CheckedInt<size_t>(size.height);
+ if (!bufferSize.isValid()) {
+ return nullptr;
+ }
+ UniquePtr<uint8_t[]> imageBuffer(new (std::nothrow) uint8_t[bufferSize.value()]);
if (!imageBuffer) {
return nullptr;
}
@@ -170,14 +177,14 @@ SurfaceToPackedBGRA(DataSourceSurface *aSurface)
}
CopySurfaceDataToPackedArray(map.mData, imageBuffer.get(), size,
- map.mStride, 4 * sizeof(uint8_t));
+ map.mStride, 4);
aSurface->Unmap();
if (format == SurfaceFormat::B8G8R8X8) {
// Convert BGRX to BGRA by setting a to 255.
- SwizzleData(imageBuffer.get(), size.width * sizeof(uint32_t), SurfaceFormat::X8R8G8B8_UINT32,
- imageBuffer.get(), size.width * sizeof(uint32_t), SurfaceFormat::A8R8G8B8_UINT32,
+ SwizzleData(imageBuffer.get(), stride, SurfaceFormat::X8R8G8B8_UINT32,
+ imageBuffer.get(), stride, SurfaceFormat::A8R8G8B8_UINT32,
size);
}
@@ -196,8 +203,16 @@ SurfaceToPackedBGR(DataSourceSurface *aSurface)
}
IntSize size = aSurface->GetSize();
-
- uint8_t* imageBuffer = new (std::nothrow) uint8_t[size.width * size.height * 3 * sizeof(uint8_t)];
+ if (size.width < 0 || size.width >= INT32_MAX / 3) {
+ return nullptr;
+ }
+ int32_t stride = size.width * 3;
+ CheckedInt<size_t> bufferSize =
+ CheckedInt<size_t>(stride) * CheckedInt<size_t>(size.height);
+ if (!bufferSize.isValid()) {
+ return nullptr;
+ }
+ uint8_t* imageBuffer = new (std::nothrow) uint8_t[bufferSize.value()];
if (!imageBuffer) {
return nullptr;
}
@@ -209,7 +224,7 @@ SurfaceToPackedBGR(DataSourceSurface *aSurface)
}
SwizzleData(map.mData, map.mStride, SurfaceFormat::B8G8R8X8,
- imageBuffer, size.width * 3, SurfaceFormat::B8G8R8,
+ imageBuffer, stride, SurfaceFormat::B8G8R8,
size);
aSurface->Unmap();
diff --git gfx/2d/Swizzle.cpp gfx/2d/Swizzle.cpp
index 99bd1e17662c4..acbe2cabf9819 100644
--- gfx/2d/Swizzle.cpp
+++ gfx/2d/Swizzle.cpp
@@ -259,7 +259,8 @@ static inline IntSize
CollapseSize(const IntSize& aSize, int32_t aSrcStride, int32_t aDstStride)
{
if (aSrcStride == aDstStride &&
- aSrcStride == 4 * aSize.width) {
+ (aSrcStride & 3) == 0 &&
+ aSrcStride / 4 == aSize.width) {
CheckedInt32 area = CheckedInt32(aSize.width) * CheckedInt32(aSize.height);
if (area.isValid()) {
return IntSize(area.value(), 1);
@@ -268,6 +269,16 @@ CollapseSize(const IntSize& aSize, int32_t aSrcStride, int32_t aDstStride)
return aSize;
}
+static inline int32_t
+GetStrideGap(int32_t aWidth, SurfaceFormat aFormat, int32_t aStride)
+{
+ CheckedInt32 used = CheckedInt32(aWidth) * BytesPerPixel(aFormat);
+ if (!used.isValid() || used.value() < 0) {
+ return -1;
+ }
+ return aStride - used.value();
+}
+
bool
PremultiplyData(const uint8_t* aSrc, int32_t aSrcStride, SurfaceFormat aSrcFormat,
uint8_t* aDst, int32_t aDstStride, SurfaceFormat aDstFormat,
@@ -278,9 +289,12 @@ PremultiplyData(const uint8_t* aSrc, int32_t aSrcStride, SurfaceFormat aSrcForma
}
IntSize size = CollapseSize(aSize, aSrcStride, aDstStride);
// Find gap from end of row to the start of the next row.
- int32_t srcGap = aSrcStride - BytesPerPixel(aSrcFormat) * aSize.width;
- int32_t dstGap = aDstStride - BytesPerPixel(aDstFormat) * aSize.width;
+ int32_t srcGap = GetStrideGap(aSize.width, aSrcFormat, aSrcStride);
+ int32_t dstGap = GetStrideGap(aSize.width, aDstFormat, aDstStride);
MOZ_ASSERT(srcGap >= 0 && dstGap >= 0);
+ if (srcGap < 0 || dstGap < 0) {
+ return false;
+ }
#define FORMAT_CASE_CALL(...) __VA_ARGS__(aSrc, srcGap, aDst, dstGap, size)
@@ -404,9 +418,12 @@ UnpremultiplyData(const uint8_t* aSrc, int32_t aSrcStride, SurfaceFormat aSrcFor
}
IntSize size = CollapseSize(aSize, aSrcStride, aDstStride);
// Find gap from end of row to the start of the next row.
- int32_t srcGap = aSrcStride - BytesPerPixel(aSrcFormat) * aSize.width;
- int32_t dstGap = aDstStride - BytesPerPixel(aDstFormat) * aSize.width;
+ int32_t srcGap = GetStrideGap(aSize.width, aSrcFormat, aSrcStride);
+ int32_t dstGap = GetStrideGap(aSize.width, aDstFormat, aDstStride);
MOZ_ASSERT(srcGap >= 0 && dstGap >= 0);
+ if (srcGap < 0 || dstGap < 0) {
+ return false;
+ }
#define FORMAT_CASE_CALL(...) __VA_ARGS__(aSrc, srcGap, aDst, dstGap, size)
@@ -702,9 +719,12 @@ SwizzleData(const uint8_t* aSrc, int32_t aSrcStride, SurfaceFormat aSrcFormat,
}
IntSize size = CollapseSize(aSize, aSrcStride, aDstStride);
// Find gap from end of row to the start of the next row.
- int32_t srcGap = aSrcStride - BytesPerPixel(aSrcFormat) * aSize.width;
- int32_t dstGap = aDstStride - BytesPerPixel(aDstFormat) * aSize.width;
+ int32_t srcGap = GetStrideGap(aSize.width, aSrcFormat, aSrcStride);
+ int32_t dstGap = GetStrideGap(aSize.width, aDstFormat, aDstStride);
MOZ_ASSERT(srcGap >= 0 && dstGap >= 0);
+ if (srcGap < 0 || dstGap < 0) {
+ return false;
+ }
#define FORMAT_CASE_CALL(...) __VA_ARGS__(aSrc, srcGap, aDst, dstGap, size)

55
www/waterfox/files/patch-bug1464829
View File

@ -1,55 +0,0 @@
commit 325496dfe42a
Author: Nicolas B. Pierron <nicolas.b.pierron@gmail.com>
Date: Thu May 31 14:22:14 2018 +0200
Bug 1464829 - Ensure the recover instruction vector has the expected size. r=jandem, a=jcristau
--HG--
extra : source : 931f3ee17589096df1e87223362051c0aec26931
extra : intermediate-source : eab56078999a914abc3cf9ac16ca2ca7c06548d8
---
js/src/jit/JitFrameIterator.h | 2 --
js/src/jit/JitFrames.cpp | 4 +---
2 files changed, 1 insertion(+), 5 deletions(-)
diff --git js/src/jit/JitFrameIterator.h js/src/jit/JitFrameIterator.h
index ba5efef6a5438..3620badbda07e 100644
--- js/src/jit/JitFrameIterator.h
+++ js/src/jit/JitFrameIterator.h
@@ -322,9 +322,7 @@ class RInstructionResults
MOZ_MUST_USE bool init(JSContext* cx, uint32_t numResults);
bool isInitialized() const;
-#ifdef DEBUG
size_t length() const;
-#endif
JitFrameLayout* frame() const;
diff --git js/src/jit/JitFrames.cpp js/src/jit/JitFrames.cpp
index 646442b4c0358..dbb080e3d08d7 100644
--- js/src/jit/JitFrames.cpp
+++ js/src/jit/JitFrames.cpp
@@ -1621,13 +1621,11 @@ RInstructionResults::isInitialized() const
return initialized_;
}
-#ifdef DEBUG
size_t
RInstructionResults::length() const
{
return results_->length();
}
-#endif
JitFrameLayout*
RInstructionResults::frame() const
@@ -2083,7 +2081,7 @@ SnapshotIterator::initInstructionResults(MaybeReadFallback& fallback)
}
MOZ_ASSERT(results->isInitialized());
- MOZ_ASSERT(results->length() == recover_.numInstructions() - 1);
+ MOZ_RELEASE_ASSERT(results->length() == recover_.numInstructions() - 1);
instructionResults_ = results;
return true;
}

52
www/waterfox/files/patch-bug1465686
View File

@ -1,52 +0,0 @@
commit e963f75ef278
Author: Lee Salzman <lsalzman@mozilla.com>
Date: Fri Jun 1 15:52:26 2018 -0400
Bug 1465686 - Validate SkArenaAlloc sizes. r=rhunt, a=RyanVM
MozReview-Commit-ID: Cc4cxKeF4xn
--HG--
extra : source : 9019db1eaddb79dbfd1d4c357765599499eb02b4
---
gfx/skia/skia/src/core/SkArenaAlloc.h | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git gfx/skia/skia/src/core/SkArenaAlloc.h gfx/skia/skia/src/core/SkArenaAlloc.h
index c9e7274e63ded..b93054cff0177 100644
--- gfx/skia/skia/src/core/SkArenaAlloc.h
+++ gfx/skia/skia/src/core/SkArenaAlloc.h
@@ -112,9 +112,14 @@ public:
return sk_sp<T>(SkRef(this->make<T>(std::forward<Args>(args)...)));
}
+ uint32_t safeU32(size_t n) {
+ SkASSERT_RELEASE(SkTFitsIn<uint32_t>(n));
+ return uint32_t(n);
+ }
+
template <typename T>
T* makeArrayDefault(size_t count) {
- uint32_t safeCount = SkTo<uint32_t>(count);
+ uint32_t safeCount = safeU32(count);
T* array = (T*)this->commonArrayAlloc<T>(safeCount);
// If T is primitive then no initialization takes place.
@@ -126,7 +131,7 @@ public:
template <typename T>
T* makeArray(size_t count) {
- uint32_t safeCount = SkTo<uint32_t>(count);
+ uint32_t safeCount = safeU32(count);
T* array = (T*)this->commonArrayAlloc<T>(safeCount);
// If T is primitive then the memory is initialized. For example, an array of chars will
@@ -139,7 +144,7 @@ public:
// Only use makeBytesAlignedTo if none of the typed variants are impractical to use.
void* makeBytesAlignedTo(size_t size, size_t align) {
- auto objStart = this->allocObject(SkTo<uint32_t>(size), SkTo<uint32_t>(align));
+ auto objStart = this->allocObject(safeU32(size), safeU32(align));
fCursor = objStart + size;
return objStart;
}