From 5454dfe735556961df676b6c1075ba9c7df0bc78 Mon Sep 17 00:00:00 2001
From: kurt
Date: Wed, 21 Dec 2005 15:33:00 +0000
Subject: [PATCH] - Fix startup DoS. overlong document.title setting can corrupt history data, causing non-responsive temporary hang on subsequent startups patches from https://bugzilla.mozilla.org/show_bug.cgi?id=319004 - Fix use after free segfault after printing reported by Andy Wingate. FT_Done_Face was being called twice on the same mFace.
---
 www/mozilla-firefox/Makefile | 4 +-
 .../patches/patch-db_mork_src_morkSink_cpp | 22 ++++++++
 .../patch-gfx_src_ps_nsFontMetricsPS_cpp | 27 +++++++++
 ...components_history_src_nsGlobalHistory_cpp | 56 +++++++++++++++++++
 ...components_history_src_nsGlobalHistory_cpp | 54 ++++++++++++++++++
 5 files changed, 161 insertions(+), 2 deletions(-)
 create mode 100644 www/mozilla-firefox/patches/patch-db_mork_src_morkSink_cpp
 create mode 100644 www/mozilla-firefox/patches/patch-gfx_src_ps_nsFontMetricsPS_cpp
 create mode 100644 www/mozilla-firefox/patches/patch-toolkit_components_history_src_nsGlobalHistory_cpp
 create mode 100644 www/mozilla-firefox/patches/patch-xpfe_components_history_src_nsGlobalHistory_cpp
diff --git a/www/mozilla-firefox/Makefile b/www/mozilla-firefox/Makefile
index f2d3f4e47ad..151bb429a0a 100644
--- a/www/mozilla-firefox/Makefile
+++ b/www/mozilla-firefox/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.42 2005/12/20 23:44:00 bernd Exp $
+# $OpenBSD: Makefile,v 1.43 2005/12/21 15:33:00 kurt Exp $
 ONLY_FOR_ARCHS= alpha amd64 i386 powerpc sparc sparc64
@@ -6,7 +6,7 @@ COMMENT= "redesign of Mozilla's browser component"
 VER= 1.5
 DISTNAME= mozilla
-PKGNAME= mozilla-firefox-${VER}
+PKGNAME= mozilla-firefox-${VER}p0
 SO_VERSION= 8.0
 # NOTE: Must bump minor version if any shlib's are removed from the
 # components dir to avoid pkg_add -r issues.
diff --git a/www/mozilla-firefox/patches/patch-db_mork_src_morkSink_cpp b/www/mozilla-firefox/patches/patch-db_mork_src_morkSink_cpp
new file mode 100644
index 00000000000..1f2f971a3f7
--- /dev/null
+++ b/www/mozilla-firefox/patches/patch-db_mork_src_morkSink_cpp
@@ -0,0 +1,22 @@
+$OpenBSD: patch-db_mork_src_morkSink_cpp,v 1.1 2005/12/21 15:33:01 kurt Exp $
+--- db/mork/src/morkSink.cpp.orig Sat Apr 17 17:49:24 2004
++++ db/mork/src/morkSink.cpp Tue Dec 20 21:47:21 2005
+@@ -115,15 +115,10 @@ morkSpool::SpillPutc(morkEnv* ev, int c)
+ coil->mBuf_Fill = fill;
+ if ( at >= end ) // need to grow the coil?
+ {
+- if ( size > 2048 ) // grow slower over 2K?
+- size += 512;
++ if ( size > 65536 )
++ size += 65536;
+ else
+- {
+- mork_size growth = ( size * 4 ) / 3; // grow by 33%
+- if ( growth < 64 ) // grow faster under (64 * 3)?
+- growth = 64;
+- size += growth;
+- }
++ size *= 2;
+ if ( coil->GrowCoil(ev, size) ) // made coil bigger?
+ {
+ body = (mork_u1*) coil->mBuf_Body;
diff --git a/www/mozilla-firefox/patches/patch-gfx_src_ps_nsFontMetricsPS_cpp b/www/mozilla-firefox/patches/patch-gfx_src_ps_nsFontMetricsPS_cpp
new file mode 100644
index 00000000000..ca84a6d6d1c
--- /dev/null
+++ b/www/mozilla-firefox/patches/patch-gfx_src_ps_nsFontMetricsPS_cpp
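Review bot: The new growth rule in morkSpool::SpillPutc drops the old 64-byte floor, so if `size` can reach this point as 0 (a coil whose buffer has not been allocated yet), `size *= 2` leaves it at 0 and `GrowCoil(ev, size)` is asked for no growth at all, whereas the replaced code always added at least 64 bytes. Whether size can be 0 here is not visible in the hunk; if it can, `else size = ( size < 64 ) ? 64 : size * 2;` keeps the floor while preserving the doubling that makes repeated appends amortized-linear instead of quadratic. The `size += 65536` branch has no overflow guard for a mork_size near its maximum, presumably GrowCoil rejects such a request, but a comment stating the strategy, `// double below 64K, then grow in 64K steps to bound reallocation work`, would record the intent the old comments carried. SpillPutc starts before the hunk and continues past it.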
@@ -0,0 +1,27 @@
+$OpenBSD: patch-gfx_src_ps_nsFontMetricsPS_cpp,v 1.4 2005/12/21 15:33:01 kurt Exp $
+--- gfx/src/ps/nsFontMetricsPS.cpp.orig Tue Dec 20 11:16:58 2005
++++ gfx/src/ps/nsFontMetricsPS.cpp Tue Dec 20 11:17:37 2005
+@@ -1033,8 +1033,10 @@ nsFontPSXft::Init(nsXftEntry* aEntry,
+ 
+ nsFontPSXft::~nsFontPSXft()
+ {
+- if (mEntry->mFace)
++ if (mEntry->mFace) {
+ FT_Done_Face(mEntry->mFace);
++ mEntry->mFace = nsnull;
++ }
+ 
+ if (FT_Done_FreeType(mFreeTypeLibrary))
+ return;
+@@ -2323,8 +2325,10 @@ nsXftType1Generator::Init(nsXftEntry* aE
+ 
+ nsXftType1Generator::~nsXftType1Generator()
+ {
+- if (mEntry->mFace)
++ if (mEntry->mFace) {
+ FT_Done_Face(mEntry->mFace);
++ mEntry->mFace = nsnull;
++ }
+ 
+ if (FT_Done_FreeType(mFreeTypeLibrary))
+ return;
diff --git a/www/mozilla-firefox/patches/patch-toolkit_components_history_src_nsGlobalHistory_cpp b/www/mozilla-firefox/patches/patch-toolkit_components_history_src_nsGlobalHistory_cpp
new file mode 100644
index 00000000000..0977e6d60c6
--- /dev/null
+++ b/www/mozilla-firefox/patches/patch-toolkit_components_history_src_nsGlobalHistory_cpp
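Review bot: Clearing `mEntry->mFace` after `FT_Done_Face` in both destructors stops the second call only because whichever of nsFontPSXft or nsXftType1Generator is destroyed first releases the face, so ownership of the shared entry's face is still implicit rather than stated. A comment at each site, `// mEntry is shared with another owner; null mFace so the other destructor does not call FT_Done_Face again`, would record why the null-out is load-bearing and keep a future cleanup from removing it. Both destructors then call `FT_Done_FreeType(mFreeTypeLibrary)`; if the two objects can hold the same library handle that is the next candidate for a double release, which the hunk does not show and is worth checking. Both destructors are complete within the hunk, but the code around them is not.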
@@ -0,0 +1,56 @@
+$OpenBSD: patch-toolkit_components_history_src_nsGlobalHistory_cpp,v 1.1 2005/12/21 15:33:01 kurt Exp $
+--- toolkit/components/history/src/nsGlobalHistory.cpp.orig Sun Oct 23 14:55:54 2005
++++ toolkit/components/history/src/nsGlobalHistory.cpp Tue Dec 20 21:45:57 2005
+@@ -113,6 +113,11 @@ nsIPrefBranch* nsGlobalHistory::gPrefBra
+ 
+ #define FIND_BY_AGEINDAYS_PREFIX "find:datasource=history&match=AgeInDays&method="
+ 
++// see bug #319004 -- clamp title and URL to generously-large but not too large
++// length
++#define HISTORY_URI_LENGTH_MAX 65536
++#define HISTORY_TITLE_LENGTH_MAX 4096
++
+ // sync history every 10 seconds
+ #define HISTORY_SYNC_TIMEOUT (10 * PR_MSEC_PER_SEC)
+ //#define HISTORY_SYNC_TIMEOUT 3000 // every 3 seconds - testing only!
+@@ -618,6 +623,9 @@ nsGlobalHistory::AddPageToDatabase(nsIUR
+ rv = aURI->GetSpec(URISpec);
+ NS_ENSURE_SUCCESS(rv, rv);
+ 
++ if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
++ return NS_OK;
++
+ #ifdef DEBUG_bsmedberg
+ printf("AddURI: %s%s%s",
+ URISpec.get(),
+@@ -1110,7 +1118,7 @@ nsGlobalHistory::SetPageTitle(nsIURI *aU
+ nsresult rv;
+ NS_ENSURE_ARG_POINTER(aURI);
+ 
+- const nsAFlatString& titleString = PromiseFlatString(aTitle);
++ nsAutoString titleString(StringHead(aTitle, HISTORY_TITLE_LENGTH_MAX));
+ 
+ // skip about: URIs to avoid reading in the db (about:blank, especially)
+ PRBool isAbout;
+@@ -1411,6 +1419,9 @@ nsGlobalHistory::HidePage(nsIURI *aURI)
+ rv = aURI->GetSpec(URISpec);
+ NS_ENSURE_SUCCESS(rv, rv);
+ 
++ if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
++ return NS_OK;
++
+ #ifdef DEBUG_bsmedberg
+ printf("nsGlobalHistory::HidePage: %s\n", URISpec.get());
+ #endif
+@@ -1447,7 +1458,10 @@ nsGlobalHistory::MarkPageAsTyped(nsIURI
+ nsCAutoString spec;
+ nsresult rv = aURI->GetSpec(spec);
+ if (NS_FAILED(rv)) return rv;
+-
++
++ if (spec.Length() > HISTORY_URI_LENGTH_MAX)
++ return NS_OK;
++
+ nsCOMPtr row;
+ rv = FindRow(kToken_URLColumn, spec.get(), getter_AddRefs(row));
+ if (NS_FAILED(rv)) {
diff --git a/www/mozilla-firefox/patches/patch-xpfe_components_history_src_nsGlobalHistory_cpp b/www/mozilla-firefox/patches/patch-xpfe_components_history_src_nsGlobalHistory_cpp
new file mode 100644
index 00000000000..446db808f20
--- /dev/null
+++ b/www/mozilla-firefox/patches/patch-xpfe_components_history_src_nsGlobalHistory_cpp
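Review bot: `StringHead(aTitle, HISTORY_TITLE_LENGTH_MAX)` in SetPageTitle cuts the title at a fixed count of string units; if aTitle is UTF-16 (nsAString), a cut landing between the two halves of a surrogate pair stores a lone surrogate in the history db, which later readers of the title may not expect. A comment recording the clamp's intent and that limitation, `// clamp to HISTORY_TITLE_LENGTH_MAX code units (may split a surrogate pair) -- bug 319004`, or stepping the cut back one unit when the last kept unit is a high surrogate, would close that gap. The same SetPageTitle change appears in the xpfe patch that follows, so whatever is chosen should be applied to both. SetPageTitle, AddPageToDatabase, HidePage and MarkPageAsTyped all continue outside their hunks.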
@@ -0,0 +1,54 @@
+$OpenBSD: patch-xpfe_components_history_src_nsGlobalHistory_cpp,v 1.1 2005/12/21 15:33:01 kurt Exp $
+--- xpfe/components/history/src/nsGlobalHistory.cpp.orig Wed Oct 26 15:58:33 2005
++++ xpfe/components/history/src/nsGlobalHistory.cpp Tue Dec 20 21:43:18 2005
+@@ -111,6 +111,11 @@ nsIPrefBranch* nsGlobalHistory::gPrefBra
+ 
+ #define FIND_BY_AGEINDAYS_PREFIX "find:datasource=history&match=AgeInDays&method="
+ 
++// see bug #319004 -- clamp title and URL to generously-large but not too large
++// length
++#define HISTORY_URI_LENGTH_MAX 65536
++#define HISTORY_TITLE_LENGTH_MAX 4096
++
+ // sync history every 10 seconds
+ #define HISTORY_SYNC_TIMEOUT (10 * PR_MSEC_PER_SEC)
+ //#define HISTORY_SYNC_TIMEOUT 3000 // every 3 seconds - testing only!
+@@ -589,6 +594,9 @@ nsGlobalHistory::AddURI(nsIURI *aURI, PR
+ rv = aURI->GetSpec(URISpec);
+ NS_ENSURE_SUCCESS(rv, rv);
+ 
++ if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
++ return NS_OK;
++
+ nsCAutoString referrerSpec;
+ if (aReferrer) {
+ rv = aReferrer->GetSpec(referrerSpec);
+@@ -1033,7 +1041,7 @@ nsGlobalHistory::SetPageTitle(nsIURI *aU
+ nsresult rv;
+ NS_ENSURE_ARG_POINTER(aURI);
+ 
+- const nsAFlatString& titleString = PromiseFlatString(aTitle);
++ nsAutoString titleString(StringHead(aTitle, HISTORY_TITLE_LENGTH_MAX));
+ 
+ // skip about: URIs to avoid reading in the db (about:blank, especially)
+ PRBool isAbout;
+@@ -1333,6 +1341,9 @@ nsGlobalHistory::HidePage(nsIURI *aURI)
+ rv = aURI->GetSpec(URISpec);
+ NS_ENSURE_SUCCESS(rv, rv);
+ 
++ if (URISpec.Length() > HISTORY_URI_LENGTH_MAX)
++ return NS_OK;
++
+ nsCOMPtr row;
+ 
+ rv = FindRow(kToken_URLColumn, URISpec.get(), getter_AddRefs(row));
+@@ -1365,6 +1376,9 @@ nsGlobalHistory::MarkPageAsTyped(nsIURI
+ nsCAutoString spec;
+ nsresult rv = aURI->GetSpec(spec);
+ if (NS_FAILED(rv)) return rv;
++
++ if (spec.Length() > HISTORY_URI_LENGTH_MAX)
++ return NS_OK;
+ 
+ nsCOMPtr row;
+ rv = FindRow(kToken_URLColumn, spec.get(), getter_AddRefs(row));
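Review bot: In AddURI the new length check bounds only `URISpec`; `referrerSpec`, filled by `aReferrer->GetSpec(referrerSpec)` three lines later, is not bounded, so if the referrer spec is written into the history row (which happens outside the hunk, if at all) an overlong referrer still reaches the db by the same path an overlong URL did. If that is the case, a clamp right after the GetSpec call, e.g. `if (referrerSpec.Length() > HISTORY_URI_LENGTH_MAX) referrerSpec.Truncate();`, treats an oversized referrer as absent instead of dropping the visit itself. AddURI continues past the hunk, so whether referrerSpec is stored needs to be confirmed there.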