gnu: icecat: Add fixes for CVE-2016-{2805,2807,2808,2814} etc.

* gnu/packages/patches/icecat-CVE-2016-2805.patch,
gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch,
gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch,
gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch,
gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch,
gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch,
gnu/packages/patches/icecat-CVE-2016-2808.patch,
gnu/packages/patches/icecat-CVE-2016-2814.patch,
gnu/packages/patches/icecat-update-bundled-graphite2: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.

icecat fixup
Mark H Weaver 2016-04-27 22:33:02 -04:00
parent 3161f6a4ec
commit dde2a94c09
11 changed files with 3215 additions and 1 deletions


@ -530,6 +530,15 @@ dist_patch_DATA = \
gnu/packages/patches/hydra-disable-darcs-test.patch \
gnu/packages/patches/icecat-avoid-bundled-includes.patch \
gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch \
gnu/packages/patches/icecat-update-bundled-graphite2.patch \
gnu/packages/patches/icecat-CVE-2016-2805.patch \
gnu/packages/patches/icecat-CVE-2016-2807-pt1.patch \
gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch \
gnu/packages/patches/icecat-CVE-2016-2807-pt3.patch \
gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch \
gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch \
gnu/packages/patches/icecat-CVE-2016-2808.patch \
gnu/packages/patches/icecat-CVE-2016-2814.patch \
gnu/packages/patches/icu4c-CVE-2014-6585.patch \
gnu/packages/patches/icu4c-CVE-2015-1270.patch \
gnu/packages/patches/icu4c-CVE-2015-4760.patch \


@ -299,7 +299,16 @@ standards.")
"1wdmd6hasra36g86ha1dw8sl7a5mvr7c4jbjx4zyg9629y5gqr8g"))
(patches (search-patches
"icecat-avoid-bundled-includes.patch"
"icecat-re-enable-DHE-cipher-suites.patch"))
"icecat-re-enable-DHE-cipher-suites.patch"
"icecat-update-bundled-graphite2.patch"
"icecat-CVE-2016-2805.patch"
"icecat-CVE-2016-2807-pt1.patch"
"icecat-CVE-2016-2807-pt2.patch"
"icecat-CVE-2016-2807-pt3.patch"
"icecat-CVE-2016-2807-pt4.patch"
"icecat-CVE-2016-2807-pt5.patch"
"icecat-CVE-2016-2808.patch"
"icecat-CVE-2016-2814.patch"))
(modules '((guix build utils)))
(snippet
'(begin
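Review bot: The new `"icecat-update-bundled-graphite2.patch"` entry in the `search-patches` list is the only added patch whose name carries no advisory or bug identifier, so the list alone does not say which security fixes it brings in. A comment above the entry would make the list auditable, for example `;; Updates bundled graphite2 to <upstream version>; fixes <advisory ids>.` with the placeholders filled in from the patch's own header. The `origin` form this list belongs to starts and ends outside the hunk.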


@ -0,0 +1,75 @@
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/bf34b97757b3
# HG changeset patch
# User Jon Coppeard <jcoppeard@mozilla.com>
# Date 1453890675 0
# Node ID bf34b97757b334af1f9f53b9b59e0b6902e7ed6f
# Parent 228ca3f46cabaf3f388f6c6640690772aa13c1a5
Bug 1241731 - Handle incomplete buffer in DiscardTransferables r=sfink a=abillings a=sylvestre
diff --git a/js/src/jit-test/tests/gc/bug-1241731.js b/js/src/jit-test/tests/gc/bug-1241731.js
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/gc/bug-1241731.js
@@ -0,0 +1,4 @@
+if (!('oomTest' in this))
+ quit();
+
+oomTest(() => serialize(0, [{}]));
diff --git a/js/src/vm/StructuredClone.cpp b/js/src/vm/StructuredClone.cpp
--- a/js/src/vm/StructuredClone.cpp
+++ b/js/src/vm/StructuredClone.cpp
@@ -379,39 +379,50 @@ ReadStructuredClone(JSContext* cx, uint6
// If the given buffer contains Transferables, free them. Note that custom
// Transferables will use the JSStructuredCloneCallbacks::freeTransfer() to
// delete their transferables.
static void
Discard(uint64_t* buffer, size_t nbytes, const JSStructuredCloneCallbacks* cb, void* cbClosure)
{
MOZ_ASSERT(nbytes % sizeof(uint64_t) == 0);
- if (nbytes < sizeof(uint64_t))
+ uint64_t* end = buffer + nbytes / sizeof(uint64_t);
+ uint64_t* point = buffer;
+ if (point == end)
return; // Empty buffer
- uint64_t* point = buffer;
uint32_t tag, data;
SCInput::getPair(point++, &tag, &data);
if (tag != SCTAG_TRANSFER_MAP_HEADER)
return;
if (TransferableMapHeader(data) == SCTAG_TM_TRANSFERRED)
return;
// freeTransfer should not GC
JS::AutoSuppressGCAnalysis nogc;
+ if (point == end)
+ return;
+
uint64_t numTransferables = LittleEndian::readUint64(point++);
while (numTransferables--) {
+ if (point == end)
+ return;
+
uint32_t ownership;
SCInput::getPair(point++, &tag, &ownership);
MOZ_ASSERT(tag >= SCTAG_TRANSFER_MAP_PENDING_ENTRY);
+ if (point == end)
+ return;
void* content;
SCInput::getPtr(point++, &content);
+ if (point == end)
+ return;
uint64_t extraData = LittleEndian::readUint64(point++);
if (ownership < JS::SCTAG_TMO_FIRST_OWNED)
continue;
if (ownership == JS::SCTAG_TMO_ALLOC_DATA) {
js_free(content);
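Review bot: The five `if (point == end) return;` exits added to `Discard` do not say why a buffer may stop in the middle of a transfer-map entry, or that returning there skips the entry being read. Judging from the changeset title and the `oomTest` case, the truncation comes from serialization failing part-way; a comment at the first check inside the loop would record that, e.g. `// The buffer can be cut short when writing it failed (OOM); stop at the last complete word.` It would also help to state whether an entry whose `content` was read but whose `extraData` is missing can still own memory, since that entry is not freed on this path. The rest of the loop body lies outside the hunk.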


@ -0,0 +1,35 @@
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/e7c23c08bf84
# HG changeset patch
# User Randell Jesup <rjesup@jesup.org>
# Date 1458543433 14400
# Node ID e7c23c08bf84a02d9154f31e0c5d121a45884a69
# Parent a6de1f453712edabff597879398606708c191098
Bug 1254876: assert windows recording is shut down r=pkerr a=ritu
MozReview-Commit-ID: JRqxBb5TgrE
diff --git a/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc b/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc
--- a/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc
+++ b/media/webrtc/trunk/webrtc/modules/audio_device/win/audio_device_core_win.cc
@@ -567,16 +567,19 @@ AudioDeviceWindowsCore::AudioDeviceWindo
// ----------------------------------------------------------------------------
AudioDeviceWindowsCore::~AudioDeviceWindowsCore()
{
WEBRTC_TRACE(kTraceMemory, kTraceAudioDevice, _id, "%s destroyed", __FUNCTION__);
Terminate();
+ // Recording thread should be shut down before this!
+ assert(_hRecThread == NULL);
+
// The IMMDeviceEnumerator is created during construction. Must release
// it here and not in Terminate() since we don't recreate it in Init().
SAFE_RELEASE(_ptrEnumerator);
_ptrAudioBuffer = NULL;
if (NULL != _hRenderSamplesReadyEvent)
{
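Review bot: The added `assert(_hRecThread == NULL);` in `~AudioDeviceWindowsCore()` is, if this is the standard `assert`, compiled out when `NDEBUG` is defined, so a release build still goes on to release `_ptrEnumerator` with no record that the recording thread was left running. If the condition matters outside debug builds, log it as well, e.g. `if (_hRecThread != NULL) WEBRTC_TRACE(kTraceError, kTraceAudioDevice, _id, "recording thread still running in destructor");`. The file is the Windows audio backend, so this part of the fix presumably has no effect on builds for other platforms. The destructor body continues past the end of the hunk.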


@ -0,0 +1,69 @@
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3d2b62083a6a
# HG changeset patch
# User Shu-yu Guo <shu@rfrn.org>
# Date 1459741387 -7200
# Node ID 3d2b62083a6a4fb43cb330d77142f9dce0959a23
# Parent 9d4364f6b55c6ee65c13c491292c3abe1ee2c993
Bug 1254164 - Make aliasedBodyLevelLexicalBegin a uint32. r=Waldo, a=ritu
diff --git a/js/src/jit-test/tests/parser/bug-1254164.js b/js/src/jit-test/tests/parser/bug-1254164.js
new file mode 100644
--- /dev/null
+++ b/js/src/jit-test/tests/parser/bug-1254164.js
@@ -0,0 +1,6 @@
+// |jit-test| slow;
+
+var s = '';
+for (var i = 0; i < 70000; i++)
+ s += 'function x' + i + '() { x' + i + '(); }\n';
+eval("(function() { " + s + " })();");
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -111,17 +111,20 @@ Bindings::initWithTemporaryStorage(Exclu
// JITs when interpreting/compiling aliasedvar ops.)
// Since unaliased variables are, by definition, only accessed by local
// operations and never through the scope chain, only give shapes to
// aliased variables. While the debugger may observe any scope object at
// any time, such accesses are mediated by DebugScopeProxy (see
// DebugScopeProxy::handleUnaliasedAccess).
uint32_t nslots = CallObject::RESERVED_SLOTS;
- uint32_t aliasedBodyLevelLexicalBegin = UINT16_MAX;
+
+ // Unless there are aliased body-level lexical bindings at all, set the
+ // begin index to an impossible slot number.
+ uint32_t aliasedBodyLevelLexicalBegin = LOCALNO_LIMIT;
for (BindingIter bi(self); bi; bi++) {
if (bi->aliased()) {
// Per ES6, lexical bindings cannot be accessed until
// initialized. Remember the first aliased slot that is a
// body-level lexical, so that they may be initialized to sentinel
// magic values.
if (numBodyLevelLexicals > 0 &&
nslots < aliasedBodyLevelLexicalBegin &&
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@@ -201,18 +201,18 @@ class Bindings
friend class BindingIter;
friend class AliasedFormalIter;
RelocatablePtrShape callObjShape_;
uintptr_t bindingArrayAndFlag_;
uint16_t numArgs_;
uint16_t numBlockScoped_;
uint16_t numBodyLevelLexicals_;
- uint16_t aliasedBodyLevelLexicalBegin_;
uint16_t numUnaliasedBodyLevelLexicals_;
+ uint32_t aliasedBodyLevelLexicalBegin_;
uint32_t numVars_;
uint32_t numUnaliasedVars_;
#if JS_BITS_PER_WORD == 32
// Bindings is allocated inline inside JSScript, which needs to be
// gc::Cell aligned.
uint32_t padding_;
#endif
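Review bot: `aliasedBodyLevelLexicalBegin_` in `class Bindings` is now a `uint32_t` among `uint16_t` counters, and nothing on the field says why it is wider or why it moved below `numUnaliasedBodyLevelLexicals_`. A field comment would keep a later cleanup from narrowing it again, e.g. `// Slot index, not a count: may exceed UINT16_MAX, so it must be 32-bit.` The move appears to keep the four 16-bit members contiguous so that the object size is unchanged; saying so next to `padding_` would help as well. The class definition starts and ends outside the hunk.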


@ -0,0 +1,33 @@
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/88f1eb2c3f4b
# HG changeset patch
# User Timothy Nikkel <tnikkel@gmail.com>
# Date 1457637807 21600
# Node ID 88f1eb2c3f4b4b57365ed88223cf8adc2bec4610
# Parent bf34b97757b334af1f9f53b9b59e0b6902e7ed6f
Bug 1187420. r=drc r=jmuizelaar a=sylvestre
MozReview-Commit-ID: Hh0Khqfj8Bf
diff --git a/media/libjpeg/jstdhuff.c b/media/libjpeg/jstdhuff.c
--- a/media/libjpeg/jstdhuff.c
+++ b/media/libjpeg/jstdhuff.c
@@ -36,16 +36,17 @@ add_huff_table (j_common_ptr cinfo,
*/
nsymbols = 0;
for (len = 1; len <= 16; len++)
nsymbols += bits[len];
if (nsymbols < 1 || nsymbols > 256)
ERREXIT(cinfo, JERR_BAD_HUFF_TABLE);
MEMCOPY((*htblptr)->huffval, val, nsymbols * sizeof(UINT8));
+ MEMZERO(&((*htblptr)->huffval[nsymbols]), (256 - nsymbols) * sizeof(UINT8));
/* Initialize sent_table FALSE so table will be written to JPEG file. */
(*htblptr)->sent_table = FALSE;
}
LOCAL(void)
std_huff_tables (j_common_ptr cinfo)
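Review bot: The added `MEMZERO` in `add_huff_table` has no comment, and the changeset title gives only a bug number, so the reason for clearing the tail of `huffval` is not recorded anywhere in the patch. Presumably it keeps the `256 - nsymbols` unused bytes from staying uninitialised when the table is later copied or written out; a line such as `/* Clear the unused tail so no uninitialised bytes remain in huffval. */` above it would state that. The subtraction cannot go negative as long as `ERREXIT` does not return, because the `nsymbols > 256` check precedes it.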


@ -0,0 +1,37 @@
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/5c312182da90
# HG changeset patch
# User Jan de Mooij <jdemooij@mozilla.com>
# Date 1458828581 -3600
# Node ID 5c312182da9020504103aa329360abaffa7e232d
# Parent fa4efccde9b7efde8763a178a6cf422b6d37a0e9
Bug 1254622 - Relookup group->newScript in CreateThisForFunctionWithGroup. r=bhackett a=sylvestre
MozReview-Commit-ID: KXd7kB70f1Z
diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
--- a/js/src/jsobj.cpp
+++ b/js/src/jsobj.cpp
@@ -1574,18 +1574,19 @@ CreateThisForFunctionWithGroup(JSContext
// Not enough objects with this group have been created yet, so make a
// plain object and register it with the group. Use the maximum number
// of fixed slots, as is also required by the TypeNewScript.
gc::AllocKind allocKind = GuessObjectGCKind(NativeObject::MAX_FIXED_SLOTS);
PlainObject* res = NewObjectWithGroup<PlainObject>(cx, group, parent, allocKind, newKind);
if (!res)
return nullptr;
- if (newKind != SingletonObject)
- newScript->registerNewObject(res);
+ // Make sure group->newScript is still there.
+ if (newKind != SingletonObject && group->newScript())
+ group->newScript()->registerNewObject(res);
return res;
}
gc::AllocKind allocKind = NewObjectGCKind(&PlainObject::class_);
if (newKind == SingletonObject) {
Rooted<TaggedProto> protoRoot(cx, group->proto());
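Review bot: The new condition in `CreateThisForFunctionWithGroup` calls `group->newScript()` twice, once to test and once to use the result, which leaves the reader to work out that nothing can clear it in between. Binding the result once reads more directly: `if (newKind != SingletonObject) { if (TypeNewScript* ns = group->newScript()) ns->registerNewObject(res); }`. The comment `// Make sure group->newScript is still there.` could also say what can remove it, presumably the allocation in `NewObjectWithGroup` just above. The function starts before the hunk, so whether the older `newScript` local is still used elsewhere cannot be seen here.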


@ -0,0 +1,35 @@
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3fdd280fa099
# HG changeset patch
# User Carsten "Tomcat" Book <cbook@mozilla.com>
# Date 1461123938 -7200
# Node ID 3fdd280fa099b6453ce9fd9905af883bc2ebce24
# Parent 52dfdd37150d62f708dc5bf61dd28f3967596788
Bug 1252707 - a=sylvestre
diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -382,18 +382,20 @@ NativeObject::getChildPropertyOnDictiona
if (obj->inDictionaryMode()) {
MOZ_ASSERT(parent == obj->lastProperty());
RootedGeneric<StackShape*> childRoot(cx, &child);
shape = childRoot->isAccessorShape() ? NewGCAccessorShape(cx) : NewGCShape(cx);
if (!shape)
return nullptr;
if (childRoot->hasSlot() && childRoot->slot() >= obj->lastProperty()->base()->slotSpan()) {
- if (!obj->setSlotSpan(cx, childRoot->slot() + 1))
+ if (!obj->setSlotSpan(cx, childRoot->slot() + 1)) {
+ new (shape) Shape(obj->lastProperty()->base()->unowned(), 0);
return nullptr;
+ }
}
shape->initDictionaryShape(*childRoot, obj->numFixedSlots(), &obj->shape_);
}
return shape;
}
/* static */ Shape*
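Review bot: The placement `new (shape) Shape(obj->lastProperty()->base()->unowned(), 0);` on the `setSlotSpan` failure path has no comment, and the changeset title is only a bug number. The line appears to put the freshly allocated shape into an initialised state before `nullptr` is returned, so that later code walking the heap does not meet an uninitialised cell; a comment should say so, e.g. `// Initialise the shape before bailing out; it is already allocated and must not be left uninitialised.` The enclosing function starts and ends outside the hunk.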


@ -0,0 +1,389 @@
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/71f611fd27c7
# HG changeset patch
# User Jeff Walden <jwalden@mit.edu>
# Date 1458941573 25200
# Node ID 71f611fd27c7d6cb7d6dab9895c2922948042543
# Parent 861f6b83ce1deade2a976cabe059776ad51ce370
Bug 1246061. r=luke, r=froydnj, a=sylvestre
diff --git a/js/public/HashTable.h b/js/public/HashTable.h
--- a/js/public/HashTable.h
+++ b/js/public/HashTable.h
@@ -8,16 +8,17 @@
#define js_HashTable_h
#include "mozilla/Alignment.h"
#include "mozilla/Assertions.h"
#include "mozilla/Attributes.h"
#include "mozilla/Casting.h"
#include "mozilla/MemoryReporting.h"
#include "mozilla/Move.h"
+#include "mozilla/Opaque.h"
#include "mozilla/PodOperations.h"
#include "mozilla/ReentrancyGuard.h"
#include "mozilla/TemplateLib.h"
#include "mozilla/TypeTraits.h"
#include "js/Utility.h"
namespace js {
@@ -27,16 +28,18 @@ template <class> struct DefaultHasher;
template <class, class> class HashMapEntry;
namespace detail {
template <class T> class HashTableEntry;
template <class T, class HashPolicy, class AllocPolicy> class HashTable;
}
/*****************************************************************************/
+using Generation = mozilla::Opaque<uint64_t>;
+
// A JS-friendly, STL-like container providing a hash-based map from keys to
// values. In particular, HashMap calls constructors and destructors of all
// objects added so non-PODs may be used safely.
//
// Key/Value requirements:
// - movable, destructible, assignable
// HashPolicy requirements:
// - see Hash Policy section below
@@ -200,17 +203,19 @@ class HashMap
return impl.sizeOfExcludingThis(mallocSizeOf);
}
size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
return mallocSizeOf(this) + impl.sizeOfExcludingThis(mallocSizeOf);
}
// If |generation()| is the same before and after a HashMap operation,
// pointers into the table remain valid.
- uint32_t generation() const { return impl.generation(); }
+ Generation generation() const {
+ return impl.generation();
+ }
/************************************************** Shorthand operations */
bool has(const Lookup& l) const {
return impl.lookup(l).found();
}
// Overwrite existing value with v. Return false on oom.
@@ -431,17 +436,19 @@ class HashSet
return impl.sizeOfExcludingThis(mallocSizeOf);
}
size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
return mallocSizeOf(this) + impl.sizeOfExcludingThis(mallocSizeOf);
}
// If |generation()| is the same before and after a HashSet operation,
// pointers into the table remain valid.
- uint32_t generation() const { return impl.generation(); }
+ Generation generation() const {
+ return impl.generation();
+ }
/************************************************** Shorthand operations */
bool has(const Lookup& l) const {
return impl.lookup(l).found();
}
// Add |u| if it is not present already. Return false on oom.
@@ -766,17 +773,17 @@ class HashTable : private AllocPolicy
// table operations unless |generation()| is tested.
class Ptr
{
friend class HashTable;
Entry* entry_;
#ifdef JS_DEBUG
const HashTable* table_;
- uint32_t generation;
+ Generation generation;
#endif
protected:
Ptr(Entry& entry, const HashTable& tableArg)
: entry_(&entry)
#ifdef JS_DEBUG
, table_(&tableArg)
, generation(tableArg.generation())
@@ -873,17 +880,17 @@ class HashTable : private AllocPolicy
while (cur < end && !cur->isLive())
++cur;
}
Entry* cur, *end;
#ifdef JS_DEBUG
const HashTable* table_;
uint64_t mutationCount;
- uint32_t generation;
+ Generation generation;
bool validEntry;
#endif
public:
Range()
: cur(nullptr)
, end(nullptr)
#ifdef JS_DEBUG
@@ -1012,18 +1019,18 @@ class HashTable : private AllocPolicy
// HashTable is not copyable or assignable
HashTable(const HashTable&) = delete;
void operator=(const HashTable&) = delete;
private:
static const size_t CAP_BITS = 24;
public:
- Entry* table; // entry storage
- uint32_t gen; // entry storage generation number
+ uint64_t gen; // entry storage generation number
+ Entry* table; // entry storage
uint32_t entryCount; // number of entries in table
uint32_t removedCount:CAP_BITS; // removed entry sentinels in table
uint32_t hashShift:8; // multiplicative hash shift
#ifdef JS_DEBUG
uint64_t mutationCount;
mutable bool mEntered;
mutable struct Stats
@@ -1097,18 +1104,18 @@ class HashTable : private AllocPolicy
for (Entry* e = oldTable, *end = e + capacity; e < end; ++e)
e->destroyIfLive();
alloc.free_(oldTable);
}
public:
explicit HashTable(AllocPolicy ap)
: AllocPolicy(ap)
+ , gen(0)
, table(nullptr)
- , gen(0)
, entryCount(0)
, removedCount(0)
, hashShift(sHashBits)
#ifdef JS_DEBUG
, mutationCount(0)
, mEntered(false)
#endif
{}
@@ -1524,20 +1531,20 @@ class HashTable : private AllocPolicy
}
uint32_t capacity() const
{
MOZ_ASSERT(table);
return JS_BIT(sHashBits - hashShift);
}
- uint32_t generation() const
+ Generation generation() const
{
MOZ_ASSERT(table);
- return gen;
+ return Generation(gen);
}
size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const
{
return mallocSizeOf(table);
}
size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const
diff --git a/js/src/jsapi.h b/js/src/jsapi.h
--- a/js/src/jsapi.h
+++ b/js/src/jsapi.h
@@ -270,20 +270,16 @@ class AutoHashMapRooter : protected Auto
size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
return map.sizeOfExcludingThis(mallocSizeOf);
}
size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
return map.sizeOfIncludingThis(mallocSizeOf);
}
- uint32_t generation() const {
- return map.generation();
- }
-
/************************************************** Shorthand operations */
bool has(const Lookup& l) const {
return map.has(l);
}
template<typename KeyInput, typename ValueInput>
bool put(const KeyInput& k, const ValueInput& v) {
@@ -385,20 +381,16 @@ class AutoHashSetRooter : protected Auto
size_t sizeOfExcludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
return set.sizeOfExcludingThis(mallocSizeOf);
}
size_t sizeOfIncludingThis(mozilla::MallocSizeOf mallocSizeOf) const {
return set.sizeOfIncludingThis(mallocSizeOf);
}
- uint32_t generation() const {
- return set.generation();
- }
-
/************************************************** Shorthand operations */
bool has(const Lookup& l) const {
return set.has(l);
}
bool put(const T& t) {
return set.put(t);
diff --git a/js/src/jscntxt.h b/js/src/jscntxt.h
--- a/js/src/jscntxt.h
+++ b/js/src/jscntxt.h
@@ -30,21 +30,21 @@ class DebugModeOSRVolatileJitFrameIterat
}
typedef HashSet<JSObject*> ObjectSet;
typedef HashSet<Shape*> ShapeSet;
/* Detects cycles when traversing an object graph. */
class AutoCycleDetector
{
+ Generation hashsetGenerationAtInit;
JSContext* cx;
RootedObject obj;
+ ObjectSet::AddPtr hashsetAddPointer;
bool cyclic;
- uint32_t hashsetGenerationAtInit;
- ObjectSet::AddPtr hashsetAddPointer;
MOZ_DECL_USE_GUARD_OBJECT_NOTIFIER
public:
AutoCycleDetector(JSContext* cx, HandleObject objArg
MOZ_GUARD_OBJECT_NOTIFIER_PARAM)
: cx(cx), obj(cx, objArg), cyclic(true)
{
MOZ_GUARD_OBJECT_NOTIFIER_INIT;
diff --git a/js/src/jswatchpoint.cpp b/js/src/jswatchpoint.cpp
--- a/js/src/jswatchpoint.cpp
+++ b/js/src/jswatchpoint.cpp
@@ -22,25 +22,25 @@ DefaultHasher<WatchKey>::hash(const Look
{
return DefaultHasher<JSObject*>::hash(key.object.get()) ^ HashId(key.id.get());
}
namespace {
class AutoEntryHolder {
typedef WatchpointMap::Map Map;
+ Generation gen;
Map& map;
Map::Ptr p;
- uint32_t gen;
RootedObject obj;
RootedId id;
public:
AutoEntryHolder(JSContext* cx, Map& map, Map::Ptr p)
- : map(map), p(p), gen(map.generation()), obj(cx, p->key().object), id(cx, p->key().id)
+ : gen(map.generation()), map(map), p(p), obj(cx, p->key().object), id(cx, p->key().id)
{
MOZ_ASSERT(!p->value().held);
p->value().held = true;
}
~AutoEntryHolder() {
if (gen != map.generation())
p = map.lookup(WatchKey(obj, id));
diff --git a/js/src/shell/jsheaptools.cpp b/js/src/shell/jsheaptools.cpp
--- a/js/src/shell/jsheaptools.cpp
+++ b/js/src/shell/jsheaptools.cpp
@@ -267,17 +267,17 @@ HeapReverser::traverseEdge(void* cell, J
Map::AddPtr a = map.lookupForAdd(cell);
if (!a) {
/*
* We've never visited this cell before. Add it to the map (thus
* marking it as visited), and put it on the work stack, to be
* visited from the main loop.
*/
Node n(kind);
- uint32_t generation = map.generation();
+ Generation generation = map.generation();
if (!map.add(a, cell, Move(n)) ||
!work.append(Child(cell, kind)))
return false;
/* If the map has been resized, re-check the pointer. */
if (map.generation() != generation)
a = map.lookupForAdd(cell);
}
diff --git a/mfbt/Opaque.h b/mfbt/Opaque.h
new file mode 100644
--- /dev/null
+++ b/mfbt/Opaque.h
@@ -0,0 +1,44 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+/* An opaque integral type supporting only comparison operators. */
+
+#ifndef mozilla_Opaque_h
+#define mozilla_Opaque_h
+
+#include "mozilla/TypeTraits.h"
+
+namespace mozilla {
+
+/**
+ * Opaque<T> is a replacement for integral T in cases where only comparisons
+ * must be supported, and it's desirable to prevent accidental dependency on
+ * exact values.
+ */
+template<typename T>
+class Opaque final
+{
+ static_assert(mozilla::IsIntegral<T>::value,
+ "mozilla::Opaque only supports integral types");
+
+ T mValue;
+
+public:
+ Opaque() {}
+ explicit Opaque(T aValue) : mValue(aValue) {}
+
+ bool operator==(const Opaque& aOther) const {
+ return mValue == aOther.mValue;
+ }
+
+ bool operator!=(const Opaque& aOther) const {
+ return !(*this == aOther);
+ }
+};
+
+} // namespace mozilla
+
+#endif /* mozilla_Opaque_h */
diff --git a/mfbt/moz.build b/mfbt/moz.build
--- a/mfbt/moz.build
+++ b/mfbt/moz.build
@@ -48,16 +48,17 @@ EXPORTS.mozilla = [
'MathAlgorithms.h',
'Maybe.h',
'MaybeOneOf.h',
'MemoryChecking.h',
'MemoryReporting.h',
'Move.h',
'NullPtr.h',
'NumericLimits.h',
+ 'Opaque.h',
'Pair.h',
'PodOperations.h',
'Poison.h',
'Range.h',
'RangedPtr.h',
'RefCountType.h',
'ReentrancyGuard.h',
'RefPtr.h',
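Review bot: In the new `mfbt/Opaque.h`, `Opaque() {}` leaves `mValue` uninitialised, and the patch adds default-constructed members of this type, e.g. `Generation hashsetGenerationAtInit;` in `AutoCycleDetector`, whose constructor initialiser list in the hunk does not set it. Any `==` or `!=` on such a member before it is assigned reads an indeterminate value. Initialising in the default constructor removes that: `Opaque() : mValue(0) {}`. Whether `AutoCycleDetector` compares the member before its init step runs cannot be seen in this hunk.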


@ -0,0 +1,35 @@
# HG changeset patch
# User Jean-Yves Avenard <jyavenard@mozilla.com>
# Date 1460655260 25200
# Node ID a13c0bc84d6eb132f4199f563fbe228d2d3b3a51
# Parent 88f1eb2c3f4b4b57365ed88223cf8adc2bec4610
Bug 1254721: Ensure consistency between Cenc offsets and sizes table. r=gerald a=sylvestre
MozReview-Commit-ID: E1KbKIIBR87
diff --git a/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp b/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
--- a/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
+++ b/media/libstagefright/frameworks/av/media/libstagefright/SampleTable.cpp
@@ -612,18 +612,18 @@ status_t
SampleTable::parseSampleCencInfo() {
if ((!mCencDefaultSize && !mCencInfoCount) || mCencOffsets.isEmpty()) {
// We don't have all the cenc information we need yet. Quietly fail and
// hope we get the data we need later in the track header.
ALOGV("Got half of cenc saio/saiz pair. Deferring parse until we get the other half.");
return OK;
}
- if (!mCencSizes.isEmpty() && mCencOffsets.size() > 1 &&
- mCencSizes.size() != mCencOffsets.size()) {
+ if ((mCencOffsets.size() > 1 && mCencOffsets.size() < mCencInfoCount) ||
+ (!mCencDefaultSize && mCencSizes.size() < mCencInfoCount)) {
return ERROR_MALFORMED;
}
if (mCencInfoCount > kMAX_ALLOCATION / sizeof(SampleCencInfo)) {
// Avoid future OOM.
return ERROR_MALFORMED;
}
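Review bot: This patch file starts directly at `# HG changeset patch`, while the seven other patch files shown in this commit open with a `Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/…` line recording where they were taken from. Adding the same provenance line lets the file be compared against upstream later; if it came from the same repository, that would be `Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/a13c0bc84d6e`, built from the Node ID in the header. The enclosing `parseSampleCencInfo` continues past the end of the hunk.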

File diff suppressed because it is too large Load Diff