guix-play/gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch
Mark H Weaver 98d9182205
gnu: icecat: Add fixes for CVE-2016-{2818,2819,2821,2824,2828,2831}.
* gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch,
gnu/packages/patches/icecat-CVE-2016-2819.patch,
gnu/packages/patches/icecat-CVE-2016-2821.patch,
gnu/packages/patches/icecat-CVE-2016-2824.patch,
gnu/packages/patches/icecat-CVE-2016-2828.patch,
gnu/packages/patches/icecat-CVE-2016-2831.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
2016-06-08 14:26:54 -04:00

268 lines
9.0 KiB
Diff

changeset: 312069:3c2bd9158ad3
user: Timothy Nikkel <tnikkel@gmail.com>
Date: Tue May 10 22:58:47 2016 -0500
summary: Bug 1261752. Part 3. r=mats a=ritu
diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 layout/forms/nsComboboxControlFrame.cpp
--- a/layout/forms/nsComboboxControlFrame.cpp Tue May 10 22:58:47 2016 -0500
+++ b/layout/forms/nsComboboxControlFrame.cpp Tue May 10 22:58:47 2016 -0500
@@ -1417,7 +1417,11 @@
// The popup's visibility doesn't update until the minimize animation has
// finished, so call UpdateWidgetGeometry to update it right away.
nsViewManager* viewManager = mDropdownFrame->GetView()->GetViewManager();
- viewManager->UpdateWidgetGeometry();
+ viewManager->UpdateWidgetGeometry(); // might destroy us
+ }
+
+ if (!weakFrame.IsAlive()) {
+ return consume;
}
return consume;
diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 view/nsViewManager.cpp
--- a/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500
+++ b/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500
@@ -670,15 +670,16 @@
void nsViewManager::WillPaintWindow(nsIWidget* aWidget)
{
- if (aWidget) {
- nsView* view = nsView::GetViewFor(aWidget);
- LayerManager *manager = aWidget->GetLayerManager();
+ RefPtr<nsIWidget> widget(aWidget);
+ if (widget) {
+ nsView* view = nsView::GetViewFor(widget);
+ LayerManager* manager = widget->GetLayerManager();
if (view &&
(view->ForcedRepaint() || !manager->NeedsWidgetInvalidation())) {
ProcessPendingUpdates();
// Re-get the view pointer here since the ProcessPendingUpdates might have
// destroyed it during CallWillPaintOnObservers.
- view = nsView::GetViewFor(aWidget);
+ view = nsView::GetViewFor(widget);
if (view) {
view->SetForcedRepaint(false);
}
diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/PuppetWidget.cpp
--- a/widget/PuppetWidget.cpp Tue May 10 22:58:47 2016 -0500
+++ b/widget/PuppetWidget.cpp Tue May 10 22:58:47 2016 -0500
@@ -823,6 +823,8 @@
mDirtyRegion.SetEmpty();
mPaintTask.Revoke();
+ RefPtr<PuppetWidget> strongThis(this);
+
mAttachedWidgetListener->WillPaintWindow(this);
if (mAttachedWidgetListener) {
diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/cocoa/nsChildView.mm
--- a/widget/cocoa/nsChildView.mm Tue May 10 22:58:47 2016 -0500
+++ b/widget/cocoa/nsChildView.mm Tue May 10 22:58:47 2016 -0500
@@ -3716,6 +3716,8 @@
- (void)viewWillDraw
{
+ nsAutoRetainCocoaObject kungFuDeathGrip(self);
+
if (mGeckoChild) {
// The OS normally *will* draw our NSWindow, no matter what we do here.
// But Gecko can delete our parent widget(s) (along with mGeckoChild)
diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gonk/nsWindow.cpp
--- a/widget/gonk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
+++ b/widget/gonk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
@@ -196,7 +196,7 @@
return;
}
- nsWindow *targetWindow = (nsWindow *)sTopWindows[0];
+ RefPtr<nsWindow> targetWindow = (nsWindow *)sTopWindows[0];
while (targetWindow->GetLastChild())
targetWindow = (nsWindow *)targetWindow->GetLastChild();
@@ -205,15 +205,15 @@
listener->WillPaintWindow(targetWindow);
}
- LayerManager* lm = targetWindow->GetLayerManager();
- if (mozilla::layers::LayersBackend::LAYERS_CLIENT == lm->GetBackendType()) {
- // No need to do anything, the compositor will handle drawing
- } else {
- NS_RUNTIMEABORT("Unexpected layer manager type");
- }
-
listener = targetWindow->GetWidgetListener();
if (listener) {
+ LayerManager* lm = targetWindow->GetLayerManager();
+ if (mozilla::layers::LayersBackend::LAYERS_CLIENT == lm->GetBackendType()) {
+ // No need to do anything, the compositor will handle drawing
+ } else {
+ NS_RUNTIMEABORT("Unexpected layer manager type");
+ }
+
listener->DidPaintWindow();
}
}
diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gtk/nsWindow.cpp
--- a/widget/gtk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
+++ b/widget/gtk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
@@ -469,6 +469,12 @@
}
}
+nsIWidgetListener*
+nsWindow::GetListener()
+{
+ return mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
+}
+
nsresult
nsWindow::DispatchEvent(WidgetGUIEvent* aEvent, nsEventStatus& aStatus)
{
@@ -481,8 +487,7 @@
aEvent->refPoint.y = GdkCoordToDevicePixels(aEvent->refPoint.y);
aStatus = nsEventStatus_eIgnore;
- nsIWidgetListener* listener =
- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
+ nsIWidgetListener* listener = GetListener();
if (listener) {
aStatus = listener->HandleEvent(aEvent, mUseAttachedEvents);
}
@@ -2119,8 +2124,7 @@
if (!mGdkWindow || mIsFullyObscured || !mHasMappedToplevel)
return FALSE;
- nsIWidgetListener *listener =
- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
+ nsIWidgetListener *listener = GetListener();
if (!listener)
return FALSE;
@@ -2149,6 +2153,8 @@
clientLayers->SendInvalidRegion(region);
}
+ RefPtr<nsWindow> strongThis(this);
+
// Dispatch WillPaintWindow notification to allow scripts etc. to run
// before we paint
{
@@ -2161,8 +2167,7 @@
// Re-get the listener since the will paint notification might have
// killed it.
- listener =
- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
+ listener = GetListener();
if (!listener)
return FALSE;
}
@@ -2223,6 +2228,13 @@
// If this widget uses OMTC...
if (GetLayerManager()->GetBackendType() == LayersBackend::LAYERS_CLIENT) {
listener->PaintWindow(this, region);
+
+ // Re-get the listener since the will paint notification might have
+ // killed it.
+ listener = GetListener();
+ if (!listener)
+ return TRUE;
+
listener->DidPaintWindow();
return TRUE;
}
@@ -2307,6 +2319,13 @@
if (GetLayerManager()->GetBackendType() == LayersBackend::LAYERS_BASIC) {
AutoLayerManagerSetup setupLayerManager(this, ctx, layerBuffering);
painted = listener->PaintWindow(this, region);
+
+ // Re-get the listener since the will paint notification might have
+ // killed it.
+ listener = GetListener();
+ if (!listener)
+ return TRUE;
+
}
}
diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gtk/nsWindow.h
--- a/widget/gtk/nsWindow.h Tue May 10 22:58:47 2016 -0500
+++ b/widget/gtk/nsWindow.h Tue May 10 22:58:47 2016 -0500
@@ -359,6 +359,7 @@
GdkWindow** aWindow, gint* aButton,
gint* aRootX, gint* aRootY);
void ClearCachedResources();
+ nsIWidgetListener* GetListener();
GtkWidget *mShell;
MozContainer *mContainer;
diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/qt/nsWindow.cpp
--- a/widget/qt/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
+++ b/widget/qt/nsWindow.cpp Tue May 10 22:58:47 2016 -0500
@@ -857,18 +857,28 @@
// EVENTS
+nsIWidgetListener*
+nsWindow::GetPaintListener()
+{
+ return mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
+}
+
void
nsWindow::OnPaint()
{
LOGDRAW(("nsWindow::%s [%p]\n", __FUNCTION__, (void *)this));
- nsIWidgetListener* listener =
- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener;
+ nsIWidgetListener* listener = GetPaintListener();
if (!listener) {
return;
}
listener->WillPaintWindow(this);
+ nsIWidgetListener* listener = GetPaintListener();
+ if (!listener) {
+ return;
+ }
+
switch (GetLayerManager()->GetBackendType()) {
case mozilla::layers::LayersBackend::LAYERS_CLIENT: {
nsIntRegion region(nsIntRect(0, 0, mWidget->width(), mWidget->height()));
@@ -879,6 +889,11 @@
NS_ERROR("Invalid layer manager");
}
+ nsIWidgetListener* listener = GetPaintListener();
+ if (!listener) {
+ return;
+ }
+
listener->DidPaintWindow();
}
diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/qt/nsWindow.h
--- a/widget/qt/nsWindow.h Tue May 10 22:58:47 2016 -0500
+++ b/widget/qt/nsWindow.h Tue May 10 22:58:47 2016 -0500
@@ -254,6 +254,7 @@
bool needDispatch;
} MozCachedMoveEvent;
+ nsIWidgetListener* GetPaintListener();
bool CheckForRollup(double aMouseX, double aMouseY, bool aIsWheel);
void* SetupPluginPort(void);
nsresult SetWindowIconList(const nsTArray<nsCString> &aIconList);
diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/windows/nsWindowGfx.cpp
--- a/widget/windows/nsWindowGfx.cpp Tue May 10 22:58:47 2016 -0500
+++ b/widget/windows/nsWindowGfx.cpp Tue May 10 22:58:47 2016 -0500
@@ -298,6 +298,8 @@
clientLayerManager->SendInvalidRegion(region);
}
+ RefPtr<nsWindow> strongThis(this);
+
nsIWidgetListener* listener = GetPaintListener();
if (listener) {
listener->WillPaintWindow(this);