- Fix startup DoS. overlong document.title setting can corrupt history

data, causing non-responsive temporary hang on subsequent startups patches from https://bugzilla.mozilla.org/show_bug.cgi?id=319004 - Fix use after free segfault after printing reported by Andy Wingate. FT_Done_Face was being called twice on the same mFace.
2005-12-21 15:33:00 +00:00 · 2005-12-21 15:33:00 +00:00 · 5454dfe735
commit 5454dfe735
parent cb9ff0d5e5
5 changed files with 161 additions and 2 deletions
--- a/www/mozilla-firefox/Makefile
+++ b/www/mozilla-firefox/Makefile
@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.42 2005/12/20 23:44:00 bernd Exp $
+# $OpenBSD: Makefile,v 1.43 2005/12/21 15:33:00 kurt Exp $

 ONLY_FOR_ARCHS=	alpha amd64 i386 powerpc sparc sparc64

@ -6,7 +6,7 @@ COMMENT=	"redesign of Mozilla's browser component"

 VER=		1.5
 DISTNAME=	mozilla
-PKGNAME=	mozilla-firefox-${VER}
+PKGNAME=	mozilla-firefox-${VER}p0
 SO_VERSION=	8.0
 # NOTE: Must bump minor version if any shlib's are removed from the
 # components dir to avoid pkg_add -r issues.
--- a/www/mozilla-firefox/patches/patch-db_mork_src_morkSink_cpp
+++ b/www/mozilla-firefox/patches/patch-db_mork_src_morkSink_cpp
@ -0,0 +1,22 @@
+$OpenBSD: patch-db_mork_src_morkSink_cpp,v 1.1 2005/12/21 15:33:01 kurt Exp $
+--- db/mork/src/morkSink.cpp.orig	Sat Apr 17 17:49:24 2004
+++ db/mork/src/morkSink.cpp	Tue Dec 20 21:47:21 2005
+@@ -115,15 +115,10 @@ morkSpool::SpillPutc(morkEnv* ev, int c)
+           coil->mBuf_Fill = fill;
+           if ( at >= end ) // need to grow the coil?
+           {
+-            if ( size > 2048 ) // grow slower over 2K?
+-              size += 512;
+            if ( size > 65536 )
+              size += 65536;
+             else
+-            {
+-              mork_size growth = ( size * 4 ) / 3; // grow by 33%
+-              if ( growth < 64 ) // grow faster under (64 * 3)?
+-                growth = 64;
+-              size += growth;
+-            }
+              size *= 2;
+             if ( coil->GrowCoil(ev, size) ) // made coil bigger?
+             {
+               body = (mork_u1*) coil->mBuf_Body;
--- a/www/mozilla-firefox/patches/patch-gfx_src_ps_nsFontMetricsPS_cpp
+++ b/www/mozilla-firefox/patches/patch-gfx_src_ps_nsFontMetricsPS_cpp
@ -0,0 +1,27 @@
+$OpenBSD: patch-gfx_src_ps_nsFontMetricsPS_cpp,v 1.4 2005/12/21 15:33:01 kurt Exp $
+--- gfx/src/ps/nsFontMetricsPS.cpp.orig	Tue Dec 20 11:16:58 2005
+++ gfx/src/ps/nsFontMetricsPS.cpp	Tue Dec 20 11:17:37 2005
+@@ -1033,8 +1033,10 @@ nsFontPSXft::Init(nsXftEntry* aEntry,
+ 
+ nsFontPSXft::~nsFontPSXft()
+ {
+-  if (mEntry->mFace) 
+  if (mEntry->mFace) {
+     FT_Done_Face(mEntry->mFace);
+    mEntry->mFace = nsnull;
+  }
+ 
+   if (FT_Done_FreeType(mFreeTypeLibrary))
+     return;
+@@ -2323,8 +2325,10 @@ nsXftType1Generator::Init(nsXftEntry* aE
+ 
+ nsXftType1Generator::~nsXftType1Generator()
+ {
+-  if (mEntry->mFace) 
+  if (mEntry->mFace) {
+     FT_Done_Face(mEntry->mFace);
+    mEntry->mFace = nsnull;
+  }
+ 
+   if (FT_Done_FreeType(mFreeTypeLibrary))
+     return;
--- a/www/mozilla-firefox/patches/patch-toolkit_components_history_src_nsGlobalHistory_cpp
+++ b/www/mozilla-firefox/patches/patch-toolkit_components_history_src_nsGlobalHistory_cpp
@ -0,0 +1,56 @@
+$OpenBSD: patch-toolkit_components_history_src_nsGlobalHistory_cpp,v 1.1 2005/12/21 15:33:01 kurt Exp $
+--- toolkit/components/history/src/nsGlobalHistory.cpp.orig	Sun Oct 23 14:55:54 2005
+++ toolkit/components/history/src/nsGlobalHistory.cpp	Tue Dec 20 21:45:57 2005
+@@ -113,6 +113,11 @@ nsIPrefBranch* nsGlobalHistory::gPrefBra
+ 
+ #define FIND_BY_AGEINDAYS_PREFIX "find:datasource=history&match=AgeInDays&method="
+ 
+// see bug #319004 -- clamp title and URL to generously-large but not too large
+// length
+#define HISTORY_URI_LENGTH_MAX 65536
+#define HISTORY_TITLE_LENGTH_MAX 4096
+
+ // sync history every 10 seconds
+ #define HISTORY_SYNC_TIMEOUT (10 * PR_MSEC_PER_SEC)
+ //#define HISTORY_SYNC_TIMEOUT 3000 // every 3 seconds - testing only!
+@@ -618,6 +623,9 @@ nsGlobalHistory::AddPageToDatabase(nsIUR
+   rv = aURI->GetSpec(URISpec);
+   NS_ENSURE_SUCCESS(rv, rv);
+ 
+  if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
+ #ifdef DEBUG_bsmedberg
+   printf("AddURI: %s%s%s",
+          URISpec.get(),
+@@ -1110,7 +1118,7 @@ nsGlobalHistory::SetPageTitle(nsIURI *aU
+   nsresult rv;
+   NS_ENSURE_ARG_POINTER(aURI);
+ 
+-  const nsAFlatString& titleString = PromiseFlatString(aTitle);
+  nsAutoString titleString(StringHead(aTitle, HISTORY_TITLE_LENGTH_MAX));
+ 
+   // skip about: URIs to avoid reading in the db (about:blank, especially)
+   PRBool isAbout;
+@@ -1411,6 +1419,9 @@ nsGlobalHistory::HidePage(nsIURI *aURI)
+   rv = aURI->GetSpec(URISpec);
+   NS_ENSURE_SUCCESS(rv, rv);
+ 
+  if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
+ #ifdef DEBUG_bsmedberg
+   printf("nsGlobalHistory::HidePage: %s\n", URISpec.get());
+ #endif
+@@ -1447,7 +1458,10 @@ nsGlobalHistory::MarkPageAsTyped(nsIURI 
+   nsCAutoString spec;
+   nsresult rv = aURI->GetSpec(spec);
+   if (NS_FAILED(rv)) return rv;
+-  
+ 
+  if (spec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
+   nsCOMPtr<nsIMdbRow> row;
+   rv = FindRow(kToken_URLColumn, spec.get(), getter_AddRefs(row));
+   if (NS_FAILED(rv)) {
--- a/www/mozilla-firefox/patches/patch-xpfe_components_history_src_nsGlobalHistory_cpp
+++ b/www/mozilla-firefox/patches/patch-xpfe_components_history_src_nsGlobalHistory_cpp
@ -0,0 +1,54 @@
+$OpenBSD: patch-xpfe_components_history_src_nsGlobalHistory_cpp,v 1.1 2005/12/21 15:33:01 kurt Exp $
+--- xpfe/components/history/src/nsGlobalHistory.cpp.orig	Wed Oct 26 15:58:33 2005
+++ xpfe/components/history/src/nsGlobalHistory.cpp	Tue Dec 20 21:43:18 2005
+@@ -111,6 +111,11 @@ nsIPrefBranch* nsGlobalHistory::gPrefBra
+ 
+ #define FIND_BY_AGEINDAYS_PREFIX "find:datasource=history&match=AgeInDays&method="
+ 
+// see bug #319004 -- clamp title and URL to generously-large but not too large
+// length
+#define HISTORY_URI_LENGTH_MAX 65536
+#define HISTORY_TITLE_LENGTH_MAX 4096
+
+ // sync history every 10 seconds
+ #define HISTORY_SYNC_TIMEOUT (10 * PR_MSEC_PER_SEC)
+ //#define HISTORY_SYNC_TIMEOUT 3000 // every 3 seconds - testing only!
+@@ -589,6 +594,9 @@ nsGlobalHistory::AddURI(nsIURI *aURI, PR
+   rv = aURI->GetSpec(URISpec);
+   NS_ENSURE_SUCCESS(rv, rv);
+ 
+  if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
+   nsCAutoString referrerSpec;
+   if (aReferrer) {
+     rv = aReferrer->GetSpec(referrerSpec);
+@@ -1033,7 +1041,7 @@ nsGlobalHistory::SetPageTitle(nsIURI *aU
+   nsresult rv;
+   NS_ENSURE_ARG_POINTER(aURI);
+ 
+-  const nsAFlatString& titleString = PromiseFlatString(aTitle);
+  nsAutoString titleString(StringHead(aTitle, HISTORY_TITLE_LENGTH_MAX));
+ 
+   // skip about: URIs to avoid reading in the db (about:blank, especially)
+   PRBool isAbout;
+@@ -1333,6 +1341,9 @@ nsGlobalHistory::HidePage(nsIURI *aURI)
+   rv = aURI->GetSpec(URISpec);
+   NS_ENSURE_SUCCESS(rv, rv);
+   
+  if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+
+   nsCOMPtr<nsIMdbRow> row;
+ 
+   rv = FindRow(kToken_URLColumn, URISpec.get(), getter_AddRefs(row));
+@@ -1365,6 +1376,9 @@ nsGlobalHistory::MarkPageAsTyped(nsIURI 
+   nsCAutoString spec;
+   nsresult rv = aURI->GetSpec(spec);
+   if (NS_FAILED(rv)) return rv;
+
+  if (spec.Length() > HISTORY_URI_LENGTH_MAX)
+     return NS_OK;
+ 
+   nsCOMPtr<nsIMdbRow> row;
+   rv = FindRow(kToken_URLColumn, spec.get(), getter_AddRefs(row));