author | Joe Marcus Clarke <marcus@FreeBSD.org> | 2004-09-28 03:24:41 +0000 |
---|---|---|
committer | Joe Marcus Clarke <marcus@FreeBSD.org> | 2004-09-28 03:24:41 +0000 |
commit | 9117080c8cad1c52d48353ffa32ca6aef1e4d28a (patch) | |
tree | 04e19765bcb2a19c30d1773dfd27a70855396e17 /www | |
parent | 235d74f9546cab8a468e95a9bfd221f3d6ec77c7 (diff) |
Patch the various recently reported security vulnerabilities in Mozilla.
This is being done instead of the update to 1.0 PR 1 since we're in a ports
freeze, and too many big changes is not a good idea.
This update covers the following Mozilla bugs:
250862
255067
256316
Thanks to nectar for scraping all of these patches together.
Obtained from: Mozilla CVS
Approved by: portmgr (implicit)
Notes
Notes:
svn path=/head/; revision=118476
Diffstat (limited to 'www')
36 files changed, 909 insertions, 0 deletions
diff --git a/www/firefox-devel/Makefile b/www/firefox-devel/Makefile index 4cf8da901bc2..1168c9a59e8f 100644 --- a/www/firefox-devel/Makefile +++ b/www/firefox-devel/Makefile @@ -7,6 +7,7 @@ PORTNAME= firefox PORTVERSION= 0.9.3 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= ${PORTNAME}/releases/${PORTVERSION} diff --git a/www/firefox-devel/files/patch-250862 b/www/firefox-devel/files/patch-250862 new file mode 100644 index 000000000000..05423dc84195 --- /dev/null +++ b/www/firefox-devel/files/patch-250862 @@ -0,0 +1,22 @@ +Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js +=================================================================== +RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v +retrieving revision 1.32 +retrieving revision 1.32.88.1 +diff -u -r1.32 -r1.32.88.1 +--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32 ++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1 +@@ -53,8 +53,11 @@ + { + var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType); + +- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out +- if (!url || !url.length || url.indexOf(" ", 0) != -1) ++ // valid urls don't contain spaces ' '; if we have a space it ++ // isn't a valid url, or if it's a javascript: or data: url, ++ // bail out ++ if (!url || !url.length || url.indexOf(" ", 0) != -1 || ++ /^\s*(javascript|data):/.test(url)) + return; + + switch (document.firstChild.getAttribute('windowtype')) { diff --git a/www/firefox-devel/files/patch-255067 b/www/firefox-devel/files/patch-255067 new file mode 100644 index 000000000000..cddf17ca8328 --- /dev/null +++ b/www/firefox-devel/files/patch-255067 
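Review bot: The scheme test added in the contentAreaDD.js hunk, `/^\s*(javascript|data):/.test(url)`, is case-sensitive, while URL schemes are compared case-insensitively, so the guard only recognises the all-lower-case spelling; adding the `i` flag, `/^\s*(javascript|data):/i.test(url)`, makes the check match how the scheme is later interpreted. Whether `retrieveURLFromData` already normalises the scheme is not visible in the hunk. A two-entry denylist is also narrower than accepting only the schemes a drop is expected to load, which may deserve a follow-up. The enclosing function starts and ends outside the hunk, and the identical patch-250862 is added under www/firefox-esr, www/firefox, www/firefox10, www/firefox15, www/firefox3-devel and www/firefox35.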
@@ -0,0 +1,60 @@ +Index: mozilla/gfx/src/shared/gfxImageFrame.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v +retrieving revision 1.26 +retrieving revision 1.26.12.1 +diff -u -r1.26 -r1.26.12.1 +--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26 ++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1 +@@ -72,6 +72,13 @@ + return NS_ERROR_FAILURE; + } + ++ /* reject over-wide or over-tall images */ ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){ ++ NS_ERROR("image too big"); ++ return NS_ERROR_FAILURE; ++ } ++ + nsresult rv; + + mOffset.MoveTo(aX, aY); +Index: mozilla/gfx/src/windows/nsImageWin.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v +retrieving revision 3.130.2.1 +retrieving revision 3.130.2.1.6.1 +diff -u -r3.130.2.1 -r3.130.2.1.6.1 +--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1 ++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1 +@@ -131,6 +131,10 @@ + return NS_ERROR_UNEXPECTED; + } + ++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor) ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if (aWidth > k64KLimit || aHeight > k64KLimit) ++ return NS_ERROR_FAILURE; + + if (mNumPaletteColors >= 0){ + // If we have a palette +Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp +=================================================================== +RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v +retrieving revision 1.24.2.1 +retrieving revision 1.24.2.1.6.1 +diff -u -r1.24.2.1 -r1.24.2.1.6.1 +--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1 ++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1 +@@ -274,7 +274,9 @@ + CalcBitShift(); + } + 
// BMPs with negative width are invalid +- if (mBIH.width < 0) ++ // Reject extremely wide images to keep the math sane ++ const PRInt32 k64KWidth = 0x0000FFFF; ++ if (mBIH.width < 0 || mBIH.width > k64KWidth) + return NS_ERROR_FAILURE; + + PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height; diff --git a/www/firefox-devel/files/patch-256316 b/www/firefox-devel/files/patch-256316 new file mode 100644 index 000000000000..147d15e5303d --- /dev/null +++ b/www/firefox-devel/files/patch-256316 @@ -0,0 +1,18 @@ +Index: mozilla/netwerk/dns/src/nsIDNService.cpp +=================================================================== +RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v +retrieving revision 1.18 +retrieving revision 1.18.10.1 +diff -u -r1.18 -r1.18.10.1 +--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18 ++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1 +@@ -242,6 +242,9 @@ + + NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output) + { ++ // protect against bogus input ++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED); ++ + nsAutoString outUTF16; + nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16); + if (NS_SUCCEEDED(rv)) diff --git a/www/firefox-esr/Makefile b/www/firefox-esr/Makefile index 4cf8da901bc2..1168c9a59e8f 100644 --- a/www/firefox-esr/Makefile +++ b/www/firefox-esr/Makefile @@ -7,6 +7,7 @@ PORTNAME= firefox PORTVERSION= 0.9.3 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= ${PORTNAME}/releases/${PORTVERSION} diff --git a/www/firefox-esr/files/patch-250862 b/www/firefox-esr/files/patch-250862 new file mode 100644 index 000000000000..05423dc84195 --- /dev/null +++ b/www/firefox-esr/files/patch-250862 
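Review bot: The nsBMPDecoder.cpp hunk in patch-255067 bounds only `mBIH.width`; `mBIH.height` still reaches the `real_height` computation on the following context line unchecked, and negating the most negative PRInt32 there overflows. Bounding height in the same test would cover it, e.g. `if (mBIH.width < 0 || mBIH.width > k64KWidth || mBIH.height > k64KWidth || mBIH.height < -k64KWidth)`. Separately, the 0xFFFF per-side cap in gfxImageFrame.cpp and nsImageWin.cpp still allows a width × height product larger than a signed 32-bit value, so any buffer-size arithmetic done in PRInt32 after these checks (not visible in the hunks) needs its own overflow guard. The enclosing functions start and end outside the hunks, and the same patch file is added unchanged under the other www/firefox* ports in this commit.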
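Review bot: The added comment `// protect against bogus input` in nsIDNService::Normalize does not say what is rejected or why; something like `// reject non-UTF-8 input before NS_ConvertUTF8toUTF16 and stringPrep see it` would tell the next reader what the guard is for. The check covers Normalize only; if other nsIDNService entry points also pass caller-supplied bytes to NS_ConvertUTF8toUTF16 (not visible in this hunk), they would want the same `IsUTF8` test. Normalize's body continues past the hunk, and the identical patch-256316 is added under the other www/firefox* ports in this commit.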
@@ -0,0 +1,22 @@ +Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js +=================================================================== +RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v +retrieving revision 1.32 +retrieving revision 1.32.88.1 +diff -u -r1.32 -r1.32.88.1 +--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32 ++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1 +@@ -53,8 +53,11 @@ + { + var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType); + +- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out +- if (!url || !url.length || url.indexOf(" ", 0) != -1) ++ // valid urls don't contain spaces ' '; if we have a space it ++ // isn't a valid url, or if it's a javascript: or data: url, ++ // bail out ++ if (!url || !url.length || url.indexOf(" ", 0) != -1 || ++ /^\s*(javascript|data):/.test(url)) + return; + + switch (document.firstChild.getAttribute('windowtype')) { diff --git a/www/firefox-esr/files/patch-255067 b/www/firefox-esr/files/patch-255067 new file mode 100644 index 000000000000..cddf17ca8328 --- /dev/null +++ b/www/firefox-esr/files/patch-255067 
@@ -0,0 +1,60 @@ +Index: mozilla/gfx/src/shared/gfxImageFrame.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v +retrieving revision 1.26 +retrieving revision 1.26.12.1 +diff -u -r1.26 -r1.26.12.1 +--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26 ++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1 +@@ -72,6 +72,13 @@ + return NS_ERROR_FAILURE; + } + ++ /* reject over-wide or over-tall images */ ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){ ++ NS_ERROR("image too big"); ++ return NS_ERROR_FAILURE; ++ } ++ + nsresult rv; + + mOffset.MoveTo(aX, aY); +Index: mozilla/gfx/src/windows/nsImageWin.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v +retrieving revision 3.130.2.1 +retrieving revision 3.130.2.1.6.1 +diff -u -r3.130.2.1 -r3.130.2.1.6.1 +--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1 ++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1 +@@ -131,6 +131,10 @@ + return NS_ERROR_UNEXPECTED; + } + ++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor) ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if (aWidth > k64KLimit || aHeight > k64KLimit) ++ return NS_ERROR_FAILURE; + + if (mNumPaletteColors >= 0){ + // If we have a palette +Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp +=================================================================== +RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v +retrieving revision 1.24.2.1 +retrieving revision 1.24.2.1.6.1 +diff -u -r1.24.2.1 -r1.24.2.1.6.1 +--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1 ++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1 +@@ -274,7 +274,9 @@ + CalcBitShift(); + } + 
// BMPs with negative width are invalid +- if (mBIH.width < 0) ++ // Reject extremely wide images to keep the math sane ++ const PRInt32 k64KWidth = 0x0000FFFF; ++ if (mBIH.width < 0 || mBIH.width > k64KWidth) + return NS_ERROR_FAILURE; + + PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height; diff --git a/www/firefox-esr/files/patch-256316 b/www/firefox-esr/files/patch-256316 new file mode 100644 index 000000000000..147d15e5303d --- /dev/null +++ b/www/firefox-esr/files/patch-256316 @@ -0,0 +1,18 @@ +Index: mozilla/netwerk/dns/src/nsIDNService.cpp +=================================================================== +RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v +retrieving revision 1.18 +retrieving revision 1.18.10.1 +diff -u -r1.18 -r1.18.10.1 +--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18 ++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1 +@@ -242,6 +242,9 @@ + + NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output) + { ++ // protect against bogus input ++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED); ++ + nsAutoString outUTF16; + nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16); + if (NS_SUCCEEDED(rv)) diff --git a/www/firefox/Makefile b/www/firefox/Makefile index 4cf8da901bc2..1168c9a59e8f 100644 --- a/www/firefox/Makefile +++ b/www/firefox/Makefile @@ -7,6 +7,7 @@ PORTNAME= firefox PORTVERSION= 0.9.3 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= ${PORTNAME}/releases/${PORTVERSION} diff --git a/www/firefox/files/patch-250862 b/www/firefox/files/patch-250862 new file mode 100644 index 000000000000..05423dc84195 --- /dev/null +++ b/www/firefox/files/patch-250862 
@@ -0,0 +1,22 @@ +Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js +=================================================================== +RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v +retrieving revision 1.32 +retrieving revision 1.32.88.1 +diff -u -r1.32 -r1.32.88.1 +--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32 ++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1 +@@ -53,8 +53,11 @@ + { + var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType); + +- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out +- if (!url || !url.length || url.indexOf(" ", 0) != -1) ++ // valid urls don't contain spaces ' '; if we have a space it ++ // isn't a valid url, or if it's a javascript: or data: url, ++ // bail out ++ if (!url || !url.length || url.indexOf(" ", 0) != -1 || ++ /^\s*(javascript|data):/.test(url)) + return; + + switch (document.firstChild.getAttribute('windowtype')) { diff --git a/www/firefox/files/patch-255067 b/www/firefox/files/patch-255067 new file mode 100644 index 000000000000..cddf17ca8328 --- /dev/null +++ b/www/firefox/files/patch-255067 
@@ -0,0 +1,60 @@ +Index: mozilla/gfx/src/shared/gfxImageFrame.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v +retrieving revision 1.26 +retrieving revision 1.26.12.1 +diff -u -r1.26 -r1.26.12.1 +--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26 ++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1 +@@ -72,6 +72,13 @@ + return NS_ERROR_FAILURE; + } + ++ /* reject over-wide or over-tall images */ ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){ ++ NS_ERROR("image too big"); ++ return NS_ERROR_FAILURE; ++ } ++ + nsresult rv; + + mOffset.MoveTo(aX, aY); +Index: mozilla/gfx/src/windows/nsImageWin.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v +retrieving revision 3.130.2.1 +retrieving revision 3.130.2.1.6.1 +diff -u -r3.130.2.1 -r3.130.2.1.6.1 +--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1 ++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1 +@@ -131,6 +131,10 @@ + return NS_ERROR_UNEXPECTED; + } + ++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor) ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if (aWidth > k64KLimit || aHeight > k64KLimit) ++ return NS_ERROR_FAILURE; + + if (mNumPaletteColors >= 0){ + // If we have a palette +Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp +=================================================================== +RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v +retrieving revision 1.24.2.1 +retrieving revision 1.24.2.1.6.1 +diff -u -r1.24.2.1 -r1.24.2.1.6.1 +--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1 ++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1 +@@ -274,7 +274,9 @@ + CalcBitShift(); + } + 
// BMPs with negative width are invalid +- if (mBIH.width < 0) ++ // Reject extremely wide images to keep the math sane ++ const PRInt32 k64KWidth = 0x0000FFFF; ++ if (mBIH.width < 0 || mBIH.width > k64KWidth) + return NS_ERROR_FAILURE; + + PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height; diff --git a/www/firefox/files/patch-256316 b/www/firefox/files/patch-256316 new file mode 100644 index 000000000000..147d15e5303d --- /dev/null +++ b/www/firefox/files/patch-256316 @@ -0,0 +1,18 @@ +Index: mozilla/netwerk/dns/src/nsIDNService.cpp +=================================================================== +RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v +retrieving revision 1.18 +retrieving revision 1.18.10.1 +diff -u -r1.18 -r1.18.10.1 +--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18 ++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1 +@@ -242,6 +242,9 @@ + + NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output) + { ++ // protect against bogus input ++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED); ++ + nsAutoString outUTF16; + nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16); + if (NS_SUCCEEDED(rv)) diff --git a/www/firefox10/Makefile b/www/firefox10/Makefile index 4cf8da901bc2..1168c9a59e8f 100644 --- a/www/firefox10/Makefile +++ b/www/firefox10/Makefile @@ -7,6 +7,7 @@ PORTNAME= firefox PORTVERSION= 0.9.3 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= ${PORTNAME}/releases/${PORTVERSION} diff --git a/www/firefox10/files/patch-250862 b/www/firefox10/files/patch-250862 new file mode 100644 index 000000000000..05423dc84195 --- /dev/null +++ b/www/firefox10/files/patch-250862 
@@ -0,0 +1,22 @@ +Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js +=================================================================== +RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v +retrieving revision 1.32 +retrieving revision 1.32.88.1 +diff -u -r1.32 -r1.32.88.1 +--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32 ++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1 +@@ -53,8 +53,11 @@ + { + var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType); + +- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out +- if (!url || !url.length || url.indexOf(" ", 0) != -1) ++ // valid urls don't contain spaces ' '; if we have a space it ++ // isn't a valid url, or if it's a javascript: or data: url, ++ // bail out ++ if (!url || !url.length || url.indexOf(" ", 0) != -1 || ++ /^\s*(javascript|data):/.test(url)) + return; + + switch (document.firstChild.getAttribute('windowtype')) { diff --git a/www/firefox10/files/patch-255067 b/www/firefox10/files/patch-255067 new file mode 100644 index 000000000000..cddf17ca8328 --- /dev/null +++ b/www/firefox10/files/patch-255067 
@@ -0,0 +1,60 @@ +Index: mozilla/gfx/src/shared/gfxImageFrame.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v +retrieving revision 1.26 +retrieving revision 1.26.12.1 +diff -u -r1.26 -r1.26.12.1 +--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26 ++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1 +@@ -72,6 +72,13 @@ + return NS_ERROR_FAILURE; + } + ++ /* reject over-wide or over-tall images */ ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){ ++ NS_ERROR("image too big"); ++ return NS_ERROR_FAILURE; ++ } ++ + nsresult rv; + + mOffset.MoveTo(aX, aY); +Index: mozilla/gfx/src/windows/nsImageWin.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v +retrieving revision 3.130.2.1 +retrieving revision 3.130.2.1.6.1 +diff -u -r3.130.2.1 -r3.130.2.1.6.1 +--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1 ++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1 +@@ -131,6 +131,10 @@ + return NS_ERROR_UNEXPECTED; + } + ++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor) ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if (aWidth > k64KLimit || aHeight > k64KLimit) ++ return NS_ERROR_FAILURE; + + if (mNumPaletteColors >= 0){ + // If we have a palette +Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp +=================================================================== +RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v +retrieving revision 1.24.2.1 +retrieving revision 1.24.2.1.6.1 +diff -u -r1.24.2.1 -r1.24.2.1.6.1 +--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1 ++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1 +@@ -274,7 +274,9 @@ + CalcBitShift(); + } + 
// BMPs with negative width are invalid +- if (mBIH.width < 0) ++ // Reject extremely wide images to keep the math sane ++ const PRInt32 k64KWidth = 0x0000FFFF; ++ if (mBIH.width < 0 || mBIH.width > k64KWidth) + return NS_ERROR_FAILURE; + + PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height; diff --git a/www/firefox10/files/patch-256316 b/www/firefox10/files/patch-256316 new file mode 100644 index 000000000000..147d15e5303d --- /dev/null +++ b/www/firefox10/files/patch-256316 @@ -0,0 +1,18 @@ +Index: mozilla/netwerk/dns/src/nsIDNService.cpp +=================================================================== +RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v +retrieving revision 1.18 +retrieving revision 1.18.10.1 +diff -u -r1.18 -r1.18.10.1 +--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18 ++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1 +@@ -242,6 +242,9 @@ + + NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output) + { ++ // protect against bogus input ++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED); ++ + nsAutoString outUTF16; + nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16); + if (NS_SUCCEEDED(rv)) diff --git a/www/firefox15/Makefile b/www/firefox15/Makefile index 4cf8da901bc2..1168c9a59e8f 100644 --- a/www/firefox15/Makefile +++ b/www/firefox15/Makefile @@ -7,6 +7,7 @@ PORTNAME= firefox PORTVERSION= 0.9.3 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= ${PORTNAME}/releases/${PORTVERSION} diff --git a/www/firefox15/files/patch-250862 b/www/firefox15/files/patch-250862 new file mode 100644 index 000000000000..05423dc84195 --- /dev/null +++ b/www/firefox15/files/patch-250862 
@@ -0,0 +1,22 @@ +Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js +=================================================================== +RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v +retrieving revision 1.32 +retrieving revision 1.32.88.1 +diff -u -r1.32 -r1.32.88.1 +--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32 ++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1 +@@ -53,8 +53,11 @@ + { + var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType); + +- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out +- if (!url || !url.length || url.indexOf(" ", 0) != -1) ++ // valid urls don't contain spaces ' '; if we have a space it ++ // isn't a valid url, or if it's a javascript: or data: url, ++ // bail out ++ if (!url || !url.length || url.indexOf(" ", 0) != -1 || ++ /^\s*(javascript|data):/.test(url)) + return; + + switch (document.firstChild.getAttribute('windowtype')) { diff --git a/www/firefox15/files/patch-255067 b/www/firefox15/files/patch-255067 new file mode 100644 index 000000000000..cddf17ca8328 --- /dev/null +++ b/www/firefox15/files/patch-255067 
@@ -0,0 +1,60 @@ +Index: mozilla/gfx/src/shared/gfxImageFrame.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v +retrieving revision 1.26 +retrieving revision 1.26.12.1 +diff -u -r1.26 -r1.26.12.1 +--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26 ++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1 +@@ -72,6 +72,13 @@ + return NS_ERROR_FAILURE; + } + ++ /* reject over-wide or over-tall images */ ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){ ++ NS_ERROR("image too big"); ++ return NS_ERROR_FAILURE; ++ } ++ + nsresult rv; + + mOffset.MoveTo(aX, aY); +Index: mozilla/gfx/src/windows/nsImageWin.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v +retrieving revision 3.130.2.1 +retrieving revision 3.130.2.1.6.1 +diff -u -r3.130.2.1 -r3.130.2.1.6.1 +--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1 ++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1 +@@ -131,6 +131,10 @@ + return NS_ERROR_UNEXPECTED; + } + ++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor) ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if (aWidth > k64KLimit || aHeight > k64KLimit) ++ return NS_ERROR_FAILURE; + + if (mNumPaletteColors >= 0){ + // If we have a palette +Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp +=================================================================== +RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v +retrieving revision 1.24.2.1 +retrieving revision 1.24.2.1.6.1 +diff -u -r1.24.2.1 -r1.24.2.1.6.1 +--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1 ++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1 +@@ -274,7 +274,9 @@ + CalcBitShift(); + } + 
// BMPs with negative width are invalid +- if (mBIH.width < 0) ++ // Reject extremely wide images to keep the math sane ++ const PRInt32 k64KWidth = 0x0000FFFF; ++ if (mBIH.width < 0 || mBIH.width > k64KWidth) + return NS_ERROR_FAILURE; + + PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height; diff --git a/www/firefox15/files/patch-256316 b/www/firefox15/files/patch-256316 new file mode 100644 index 000000000000..147d15e5303d --- /dev/null +++ b/www/firefox15/files/patch-256316 @@ -0,0 +1,18 @@ +Index: mozilla/netwerk/dns/src/nsIDNService.cpp +=================================================================== +RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v +retrieving revision 1.18 +retrieving revision 1.18.10.1 +diff -u -r1.18 -r1.18.10.1 +--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18 ++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1 +@@ -242,6 +242,9 @@ + + NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output) + { ++ // protect against bogus input ++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED); ++ + nsAutoString outUTF16; + nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16); + if (NS_SUCCEEDED(rv)) diff --git a/www/firefox3-devel/Makefile b/www/firefox3-devel/Makefile index 4cf8da901bc2..1168c9a59e8f 100644 --- a/www/firefox3-devel/Makefile +++ b/www/firefox3-devel/Makefile @@ -7,6 +7,7 @@ PORTNAME= firefox PORTVERSION= 0.9.3 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= ${PORTNAME}/releases/${PORTVERSION} diff --git a/www/firefox3-devel/files/patch-250862 b/www/firefox3-devel/files/patch-250862 new file mode 100644 index 000000000000..05423dc84195 --- /dev/null +++ b/www/firefox3-devel/files/patch-250862 
@@ -0,0 +1,22 @@ +Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js +=================================================================== +RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v +retrieving revision 1.32 +retrieving revision 1.32.88.1 +diff -u -r1.32 -r1.32.88.1 +--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32 ++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1 +@@ -53,8 +53,11 @@ + { + var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType); + +- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out +- if (!url || !url.length || url.indexOf(" ", 0) != -1) ++ // valid urls don't contain spaces ' '; if we have a space it ++ // isn't a valid url, or if it's a javascript: or data: url, ++ // bail out ++ if (!url || !url.length || url.indexOf(" ", 0) != -1 || ++ /^\s*(javascript|data):/.test(url)) + return; + + switch (document.firstChild.getAttribute('windowtype')) { diff --git a/www/firefox3-devel/files/patch-255067 b/www/firefox3-devel/files/patch-255067 new file mode 100644 index 000000000000..cddf17ca8328 --- /dev/null +++ b/www/firefox3-devel/files/patch-255067 
@@ -0,0 +1,60 @@ +Index: mozilla/gfx/src/shared/gfxImageFrame.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v +retrieving revision 1.26 +retrieving revision 1.26.12.1 +diff -u -r1.26 -r1.26.12.1 +--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26 ++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1 +@@ -72,6 +72,13 @@ + return NS_ERROR_FAILURE; + } + ++ /* reject over-wide or over-tall images */ ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){ ++ NS_ERROR("image too big"); ++ return NS_ERROR_FAILURE; ++ } ++ + nsresult rv; + + mOffset.MoveTo(aX, aY); +Index: mozilla/gfx/src/windows/nsImageWin.cpp +=================================================================== +RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v +retrieving revision 3.130.2.1 +retrieving revision 3.130.2.1.6.1 +diff -u -r3.130.2.1 -r3.130.2.1.6.1 +--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1 ++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1 +@@ -131,6 +131,10 @@ + return NS_ERROR_UNEXPECTED; + } + ++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor) ++ const PRInt32 k64KLimit = 0x0000FFFF; ++ if (aWidth > k64KLimit || aHeight > k64KLimit) ++ return NS_ERROR_FAILURE; + + if (mNumPaletteColors >= 0){ + // If we have a palette +Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp +=================================================================== +RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v +retrieving revision 1.24.2.1 +retrieving revision 1.24.2.1.6.1 +diff -u -r1.24.2.1 -r1.24.2.1.6.1 +--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1 ++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1 +@@ -274,7 +274,9 @@ + CalcBitShift(); + } + 
// BMPs with negative width are invalid +- if (mBIH.width < 0) ++ // Reject extremely wide images to keep the math sane ++ const PRInt32 k64KWidth = 0x0000FFFF; ++ if (mBIH.width < 0 || mBIH.width > k64KWidth) + return NS_ERROR_FAILURE; + + PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height; diff --git a/www/firefox3-devel/files/patch-256316 b/www/firefox3-devel/files/patch-256316 new file mode 100644 index 000000000000..147d15e5303d --- /dev/null +++ b/www/firefox3-devel/files/patch-256316 @@ -0,0 +1,18 @@ +Index: mozilla/netwerk/dns/src/nsIDNService.cpp +=================================================================== +RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v +retrieving revision 1.18 +retrieving revision 1.18.10.1 +diff -u -r1.18 -r1.18.10.1 +--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18 ++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1 +@@ -242,6 +242,9 @@ + + NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output) + { ++ // protect against bogus input ++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED); ++ + nsAutoString outUTF16; + nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16); + if (NS_SUCCEEDED(rv)) diff --git a/www/firefox35/Makefile b/www/firefox35/Makefile index 4cf8da901bc2..1168c9a59e8f 100644 --- a/www/firefox35/Makefile +++ b/www/firefox35/Makefile @@ -7,6 +7,7 @@ PORTNAME= firefox PORTVERSION= 0.9.3 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= ${PORTNAME}/releases/${PORTVERSION} diff --git a/www/firefox35/files/patch-250862 b/www/firefox35/files/patch-250862 new file mode 100644 index 000000000000..05423dc84195 --- /dev/null +++ b/www/firefox35/files/patch-250862 
@@ -0,0 +1,22 @@ +Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js +=================================================================== +RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v +retrieving revision 1.32 +retrieving revision 1.32.88.1 +diff -u -r1.32 -r1.32.88.1 +--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32 ++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1 +@@ -53,8 +53,11 @@ + { + var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType); + +- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out +- if (!url || !url.length || url.indexOf(" ", 0) != -1) ++ // valid urls don't contain spaces ' '; if we have a space it ++ // isn't a valid url, or if it's a javascript: or data: url, ++ // bail out ++ if (!url || !url.length || url.indexOf(" ", 0) != -1 || ++ /^\s*(javascript|data):/.test(url)) + return; + + switch (document.firstChild.getAttribute('windowtype')) { diff --git a/www/firefox35/files/patch-255067 b/www/firefox35/files/patch-255067 new file mode 100644 index 000000000000..cddf17ca8328 --- /dev/null +++ b/www/firefox35/files/patch-255067 
@@ -0,0 +1,60 @@
+Index: mozilla/gfx/src/shared/gfxImageFrame.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v
+retrieving revision 1.26
+retrieving revision 1.26.12.1
+diff -u -r1.26 -r1.26.12.1
+--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26
++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1
+@@ -72,6 +72,13 @@
+ return NS_ERROR_FAILURE;
+ }
+
++ /* reject over-wide or over-tall images */
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){
++ NS_ERROR("image too big");
++ return NS_ERROR_FAILURE;
++ }
++
+ nsresult rv;
+
+ mOffset.MoveTo(aX, aY);
+Index: mozilla/gfx/src/windows/nsImageWin.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v
+retrieving revision 3.130.2.1
+retrieving revision 3.130.2.1.6.1
+diff -u -r3.130.2.1 -r3.130.2.1.6.1
+--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1
++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1
+@@ -131,6 +131,10 @@
+ return NS_ERROR_UNEXPECTED;
+ }
+
++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor)
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if (aWidth > k64KLimit || aHeight > k64KLimit)
++ return NS_ERROR_FAILURE;
+
+ if (mNumPaletteColors >= 0){
+ // If we have a palette
+Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v
+retrieving revision 1.24.2.1
+retrieving revision 1.24.2.1.6.1
+diff -u -r1.24.2.1 -r1.24.2.1.6.1
+--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1
++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1
+@@ -274,7 +274,9 @@
+ CalcBitShift();
+ }
+
// BMPs with negative width are invalid
+- if (mBIH.width < 0)
++ // Reject extremely wide images to keep the math sane
++ const PRInt32 k64KWidth = 0x0000FFFF;
++ if (mBIH.width < 0 || mBIH.width > k64KWidth)
+ return NS_ERROR_FAILURE;
+
+ PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height;
diff --git a/www/firefox35/files/patch-256316 b/www/firefox35/files/patch-256316
new file mode 100644
index 000000000000..147d15e5303d
--- /dev/null
+++ b/www/firefox35/files/patch-256316
@@ -0,0 +1,18 @@
+Index: mozilla/netwerk/dns/src/nsIDNService.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v
+retrieving revision 1.18
+retrieving revision 1.18.10.1
+diff -u -r1.18 -r1.18.10.1
+--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18
++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1
+@@ -242,6 +242,9 @@
+
+ NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output)
+ {
++ // protect against bogus input
++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED);
++
+ nsAutoString outUTF16;
+ nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16);
+ if (NS_SUCCEEDED(rv))
diff --git a/www/firefox36/Makefile b/www/firefox36/Makefile
index 4cf8da901bc2..1168c9a59e8f 100644
--- a/www/firefox36/Makefile
+++ b/www/firefox36/Makefile
@@ -7,6 +7,7 @@ PORTNAME= firefox PORTVERSION= 0.9.3 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= ${PORTNAME}/releases/${PORTVERSION}
diff --git a/www/firefox36/files/patch-250862 b/www/firefox36/files/patch-250862
new file mode 100644
index 000000000000..05423dc84195
--- /dev/null
+++ b/www/firefox36/files/patch-250862
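Review bot: In the nsBMPDecoder.cpp part of www/firefox35/files/patch-255067 only `mBIH.width` is bounded; `mBIH.height` still reaches `real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height` unchecked, and that negation is undefined for the most negative PRInt32. The gfxImageFrame.cpp check added in the same patch may reject an over-tall frame later, but whatever the decoder computes from the height before then is outside the hunk. Bounding both fields here keeps the decoder self-contained: `if (mBIH.width < 0 || mBIH.width > k64KWidth || mBIH.height > k64KWidth || mBIH.height < -k64KWidth)`. Separately, a 0xFFFF cap per side still lets width times height approach 2^32, so any 32-bit buffer-size computation downstream (not shown) needs its own overflow check. The same patch is added unchanged under www/firefox36 and www/flock.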
@@ -0,0 +1,22 @@
+Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js
+===================================================================
+RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v
+retrieving revision 1.32
+retrieving revision 1.32.88.1
+diff -u -r1.32 -r1.32.88.1
+--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32
++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1
+@@ -53,8 +53,11 @@
+ {
+ var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType);
+
+- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out
+- if (!url || !url.length || url.indexOf(" ", 0) != -1)
++ // valid urls don't contain spaces ' '; if we have a space it
++ // isn't a valid url, or if it's a javascript: or data: url,
++ // bail out
++ if (!url || !url.length || url.indexOf(" ", 0) != -1 ||
++ /^\s*(javascript|data):/.test(url))
+ return;
+
+ switch (document.firstChild.getAttribute('windowtype')) {
diff --git a/www/firefox36/files/patch-255067 b/www/firefox36/files/patch-255067
new file mode 100644
index 000000000000..cddf17ca8328
--- /dev/null
+++ b/www/firefox36/files/patch-255067
@@ -0,0 +1,60 @@
+Index: mozilla/gfx/src/shared/gfxImageFrame.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v
+retrieving revision 1.26
+retrieving revision 1.26.12.1
+diff -u -r1.26 -r1.26.12.1
+--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26
++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1
+@@ -72,6 +72,13 @@
+ return NS_ERROR_FAILURE;
+ }
+
++ /* reject over-wide or over-tall images */
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){
++ NS_ERROR("image too big");
++ return NS_ERROR_FAILURE;
++ }
++
+ nsresult rv;
+
+ mOffset.MoveTo(aX, aY);
+Index: mozilla/gfx/src/windows/nsImageWin.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v
+retrieving revision 3.130.2.1
+retrieving revision 3.130.2.1.6.1
+diff -u -r3.130.2.1 -r3.130.2.1.6.1
+--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1
++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1
+@@ -131,6 +131,10 @@
+ return NS_ERROR_UNEXPECTED;
+ }
+
++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor)
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if (aWidth > k64KLimit || aHeight > k64KLimit)
++ return NS_ERROR_FAILURE;
+
+ if (mNumPaletteColors >= 0){
+ // If we have a palette
+Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v
+retrieving revision 1.24.2.1
+retrieving revision 1.24.2.1.6.1
+diff -u -r1.24.2.1 -r1.24.2.1.6.1
+--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1
++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1
+@@ -274,7 +274,9 @@
+ CalcBitShift();
+ }
+
// BMPs with negative width are invalid
+- if (mBIH.width < 0)
++ // Reject extremely wide images to keep the math sane
++ const PRInt32 k64KWidth = 0x0000FFFF;
++ if (mBIH.width < 0 || mBIH.width > k64KWidth)
+ return NS_ERROR_FAILURE;
+
+ PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height;
diff --git a/www/firefox36/files/patch-256316 b/www/firefox36/files/patch-256316
new file mode 100644
index 000000000000..147d15e5303d
--- /dev/null
+++ b/www/firefox36/files/patch-256316
@@ -0,0 +1,18 @@
+Index: mozilla/netwerk/dns/src/nsIDNService.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v
+retrieving revision 1.18
+retrieving revision 1.18.10.1
+diff -u -r1.18 -r1.18.10.1
+--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18
++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1
+@@ -242,6 +242,9 @@
+
+ NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output)
+ {
++ // protect against bogus input
++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED);
++
+ nsAutoString outUTF16;
+ nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16);
+ if (NS_SUCCEEDED(rv))
diff --git a/www/flock/Makefile b/www/flock/Makefile
index 4cf8da901bc2..1168c9a59e8f 100644
--- a/www/flock/Makefile
+++ b/www/flock/Makefile
@@ -7,6 +7,7 @@ PORTNAME= firefox PORTVERSION= 0.9.3 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= ${MASTER_SITE_MOZILLA} MASTER_SITE_SUBDIR= ${PORTNAME}/releases/${PORTVERSION}
diff --git a/www/flock/files/patch-250862 b/www/flock/files/patch-250862
new file mode 100644
index 000000000000..05423dc84195
--- /dev/null
+++ b/www/flock/files/patch-250862
@@ -0,0 +1,22 @@
+Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js
+===================================================================
+RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v
+retrieving revision 1.32
+retrieving revision 1.32.88.1
+diff -u -r1.32 -r1.32.88.1
+--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32
++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1
+@@ -53,8 +53,11 @@
+ {
+ var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType);
+
+- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out
+- if (!url || !url.length || url.indexOf(" ", 0) != -1)
++ // valid urls don't contain spaces ' '; if we have a space it
++ // isn't a valid url, or if it's a javascript: or data: url,
++ // bail out
++ if (!url || !url.length || url.indexOf(" ", 0) != -1 ||
++ /^\s*(javascript|data):/.test(url))
+ return;
+
+ switch (document.firstChild.getAttribute('windowtype')) {
diff --git a/www/flock/files/patch-255067 b/www/flock/files/patch-255067
new file mode 100644
index 000000000000..cddf17ca8328
--- /dev/null
+++ b/www/flock/files/patch-255067
@@ -0,0 +1,60 @@
+Index: mozilla/gfx/src/shared/gfxImageFrame.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v
+retrieving revision 1.26
+retrieving revision 1.26.12.1
+diff -u -r1.26 -r1.26.12.1
+--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26
++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1
+@@ -72,6 +72,13 @@
+ return NS_ERROR_FAILURE;
+ }
+
++ /* reject over-wide or over-tall images */
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){
++ NS_ERROR("image too big");
++ return NS_ERROR_FAILURE;
++ }
++
+ nsresult rv;
+
+ mOffset.MoveTo(aX, aY);
+Index: mozilla/gfx/src/windows/nsImageWin.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v
+retrieving revision 3.130.2.1
+retrieving revision 3.130.2.1.6.1
+diff -u -r3.130.2.1 -r3.130.2.1.6.1
+--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1
++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1
+@@ -131,6 +131,10 @@
+ return NS_ERROR_UNEXPECTED;
+ }
+
++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor)
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if (aWidth > k64KLimit || aHeight > k64KLimit)
++ return NS_ERROR_FAILURE;
+
+ if (mNumPaletteColors >= 0){
+ // If we have a palette
+Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v
+retrieving revision 1.24.2.1
+retrieving revision 1.24.2.1.6.1
+diff -u -r1.24.2.1 -r1.24.2.1.6.1
+--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1
++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1
+@@ -274,7 +274,9 @@
+ CalcBitShift();
+ }
+
// BMPs with negative width are invalid
+- if (mBIH.width < 0)
++ // Reject extremely wide images to keep the math sane
++ const PRInt32 k64KWidth = 0x0000FFFF;
++ if (mBIH.width < 0 || mBIH.width > k64KWidth)
+ return NS_ERROR_FAILURE;
+
+ PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height;
diff --git a/www/flock/files/patch-256316 b/www/flock/files/patch-256316
new file mode 100644
index 000000000000..147d15e5303d
--- /dev/null
+++ b/www/flock/files/patch-256316
@@ -0,0 +1,18 @@
+Index: mozilla/netwerk/dns/src/nsIDNService.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v
+retrieving revision 1.18
+retrieving revision 1.18.10.1
+diff -u -r1.18 -r1.18.10.1
+--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18
++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1
+@@ -242,6 +242,9 @@
+
+ NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output)
+ {
++ // protect against bogus input
++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED);
++
+ nsAutoString outUTF16;
+ nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16);
+ if (NS_SUCCEEDED(rv)) |