From 7ff7885567551b5594cda505ad1b4daaaa83cb8a Mon Sep 17 00:00:00 2001
From: technology208
Date: Wed, 29 May 2024 17:09:27 +0800
Subject: [PATCH] fix CVE-2022-22740
---
 CVE-2022-22740.patch | 123 +++++++++++++++++++++++++++++++++++++++++++
 mozjs78.spec | 6 ++-
 2 files changed, 128 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-22740.patch
diff --git a/CVE-2022-22740.patch b/CVE-2022-22740.patch
new file mode 100644
index 0000000..230297a
--- /dev/null
+++ b/CVE-2022-22740.patch
@@ -0,0 +1,123 @@
+From c6649f32c4edf56f91541df6ae1d4bfe15d1179b Mon Sep 17 00:00:00 2001
+From: technology208
+Date: Wed, 29 May 2024 17:01:27 +0800
+Subject: [PATCH] CreatePatch
+
+---
+ netwerk/ipc/ChannelEventQueue.cpp | 11 ++++++++++-
+ netwerk/ipc/ChannelEventQueue.h | 5 +++++
+ netwerk/protocol/http/HttpChannelChild.cpp | 1 +
+ netwerk/protocol/http/HttpChannelParent.cpp | 1 +
+ netwerk/protocol/http/HttpTransactionParent.cpp | 1 +
+ netwerk/protocol/websocket/WebSocketChannelChild.cpp | 1 +
+ .../extensions/webrequest/StreamFilterParent.cpp | 1 +
+ 7 files changed, 20 insertions(+), 1 deletion(-)
+
+diff --git a/netwerk/ipc/ChannelEventQueue.cpp b/netwerk/ipc/ChannelEventQueue.cpp
+index c02f892ba8..ba5235b62e 100644
+--- a/netwerk/ipc/ChannelEventQueue.cpp
++++ b/netwerk/ipc/ChannelEventQueue.cpp
+@@ -34,7 +34,12 @@ void ChannelEventQueue::FlushQueue() {
+ // Events flushed could include destruction of channel (and our own
+ // destructor) unless we make sure its refcount doesn't drop to 0 while this
+ // method is running.
+- nsCOMPtr kungFuDeathGrip(mOwner);
++ nsCOMPtr kungFuDeathGrip;
++ {
++ MutexAutoLock lock(mMutex);
++ kungFuDeathGrip = mOwner;
++ }
++
+ mozilla::Unused << kungFuDeathGrip; // Not used in this function
+
+ #ifdef DEBUG
+@@ -156,6 +161,10 @@ void ChannelEventQueue::ResumeInternal() {
+ nsCOMPtr mOwner;
+ };
+
++ if (!mOwner) {
++ return;
++ }
++
+ // Worker thread requires a CancelableRunnable.
+ RefPtr event = new CompleteResumeRunnable(this, mOwner);
+
+diff --git a/netwerk/ipc/ChannelEventQueue.h b/netwerk/ipc/ChannelEventQueue.h
+index 650ee5b96f..aedbc00c63 100644
+--- a/netwerk/ipc/ChannelEventQueue.h
++++ b/netwerk/ipc/ChannelEventQueue.h
+@@ -171,6 +171,11 @@ class ChannelEventQueue final {
+ // dispatched in a new event on the current thread.
+ void Resume();
+
++ void NotifyReleasingOwner() {
++ MutexAutoLock lock(mMutex);
++ mOwner = nullptr;
++ }
++
+ private:
+ // Private destructor, to discourage deletion outside of Release():
+ ~ChannelEventQueue() = default;
+diff --git a/netwerk/protocol/http/HttpChannelChild.cpp b/netwerk/protocol/http/HttpChannelChild.cpp
+index 2949f7f35c..ba06148c61 100644
+--- a/netwerk/protocol/http/HttpChannelChild.cpp
++++ b/netwerk/protocol/http/HttpChannelChild.cpp
+@@ -228,6 +228,7 @@ HttpChannelChild::~HttpChannelChild() {
+ mLoadInfo->RedirectChainIncludingInternalRedirects().Length(), flags);
+ }
+ #endif
++ mEventQ->NotifyReleasingOwner();
+
+ ReleaseMainThreadOnlyReferences();
+ }
+diff --git a/netwerk/protocol/http/HttpChannelParent.cpp b/netwerk/protocol/http/HttpChannelParent.cpp
+index 9ebae5fc7a..40ea4283cf 100644
+--- a/netwerk/protocol/http/HttpChannelParent.cpp
++++ b/netwerk/protocol/http/HttpChannelParent.cpp
+@@ -1058,6 +1058,7 @@ void HttpChannelParent::ContinueRedirect2Verify(const nsresult& aResult) {
+ mRedirectCallback->OnRedirectVerifyCallback(aResult);
+ mRedirectCallback = nullptr;
+ }
++ mEventQ->NotifyReleasingOwner();
+ }
+
+ mozilla::ipc::IPCResult HttpChannelParent::RecvDocumentChannelCleanup(
+diff --git a/netwerk/protocol/http/HttpTransactionParent.cpp b/netwerk/protocol/http/HttpTransactionParent.cpp
+index 041ecb804d..37d0e996c8 100644
+--- a/netwerk/protocol/http/HttpTransactionParent.cpp
++++ b/netwerk/protocol/http/HttpTransactionParent.cpp
+@@ -99,6 +99,7 @@ HttpTransactionParent::HttpTransactionParent(bool aIsDocumentLoad)
+
+ HttpTransactionParent::~HttpTransactionParent() {
+ LOG(("Destroying HttpTransactionParent @%p\n", this));
++ mEventQ->NotifyReleasingOwner();
+ }
+
+ //-----------------------------------------------------------------------------
+diff --git a/netwerk/protocol/websocket/WebSocketChannelChild.cpp b/netwerk/protocol/websocket/WebSocketChannelChild.cpp
+index a9b7a52bb7..e0d2b2137c 100644
+--- 
a/netwerk/protocol/websocket/WebSocketChannelChild.cpp
++++ b/netwerk/protocol/websocket/WebSocketChannelChild.cpp
+@@ -63,6 +63,7 @@ WebSocketChannelChild::WebSocketChannelChild(bool aEncrypted)
+
+ WebSocketChannelChild::~WebSocketChannelChild() {
+ LOG(("WebSocketChannelChild::~WebSocketChannelChild() %p\n", this));
++ mEventQ->NotifyReleasingOwner();
+ }
+
+ void WebSocketChannelChild::AddIPDLReference() {
+diff --git a/toolkit/components/extensions/webrequest/StreamFilterParent.cpp b/toolkit/components/extensions/webrequest/StreamFilterParent.cpp
+index 6632712fbf..aac58f2871 100644
+--- a/toolkit/components/extensions/webrequest/StreamFilterParent.cpp
++++ b/toolkit/components/extensions/webrequest/StreamFilterParent.cpp
+@@ -106,6 +106,7 @@ StreamFilterParent::~StreamFilterParent() {
+ NS_ReleaseOnMainThread("StreamFilterParent::mOrigListener",
+ mOrigListener.forget());
+ NS_ReleaseOnMainThread("StreamFilterParent::mContext", mContext.forget());
++ mQueue->NotifyReleasingOwner();
+ }
+
+ auto StreamFilterParent::Create(dom::ContentParent* aContentParent,
+--
+2.33.0
+
diff --git a/mozjs78.spec b/mozjs78.spec
index 32c4557..0d2b606 100644
--- a/mozjs78.spec
+++ b/mozjs78.spec
@@ -2,7 +2,7 @@ Name: mozjs%{major}
 Version: 78.4.0
-Release: 3
+Release: 4
 Summary: SpiderMonkey JavaScript library
 License: MPLv2.0 and MPLv1.1 and BSD and GPLv2+ and GPLv3+ and LGPLv2+ and AFL and ASL 2.0
 URL: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/SpiderMonkey
@@ -26,6 +26,7 @@ Patch10: Fix-build-with-rust-nightly.patch
 Patch11: backport-CVE-2023-23599.patch
 Patch12: backport-CVE-2023-23601.patch
 Patch13: backport-CVE-2023-23602.patch
+Patch14: CVE-2022-22740.patch
 BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ perl-devel pkgconfig(libffi) pkgconfig(zlib)
 BuildRequires: python3-devel python3-six readline-devel zip nasm llvm llvm-devel icu rust
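Review bot: The embedded patch carries no provenance — its header reads `+Subject: [PATCH] CreatePatch` with no upstream bug id or commit hash — so a later auditor cannot confirm that this backport matches the upstream fix for CVE-2022-22740; the subject should name the CVE and the upstream change it was taken from, e.g. `Subject: [PATCH] Bug <upstream-bug-id>: null out ChannelEventQueue::mOwner on owner release (CVE-2022-22740)`. The template arguments on `nsCOMPtr kungFuDeathGrip(mOwner)` and `RefPtr event` appear stripped in this rendering; if the stored file really lacks them, the `-` and context lines will not match the tree and the patch will fail to apply, so the committed bytes should be checked. The new `if (!mOwner) { return; }` in ResumeInternal reads mOwner while NotifyReleasingOwner clears it under mMutex, which is only race-free if ResumeInternal is already entered with mMutex held; that function's start lies outside the hunk, so this is worth confirming rather than assuming.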
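Review bot: `+Patch14: CVE-2022-22740.patch` only declares the patch; whether it is applied depends on the %prep section, which is outside this hunk. If the spec uses explicit `%patchN` lines rather than `%autosetup -p1`, a matching `%patch14 -p1` is needed or the build will silently ship without the fix, so %prep should be checked. The neighbouring CVE backports follow a `backport-CVE-…` naming pattern (`Patch13: backport-CVE-2023-23602.patch`); naming this one `backport-CVE-2022-22740.patch` would keep the list consistent.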
@@ -105,6 +106,9 @@ popd
 %doc js/src/README.html
 %changelog
+* Wed May 29 2024 technology208 - 78.4.0-4
+- fix CVE-2022-22740 Make sure to null out ChannelEventQueue::mOwner when object is released
+
 * Mon Apr 08 2024 sunhai - 78.4.0-3
 - fix CVEs
--
Gitee