diff --git a/CVE-2022-46885-1.patch b/CVE-2022-46885-1.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6f945aac5be0a24910d310b51a7a3cdd9cc18f80
--- /dev/null
+++ b/CVE-2022-46885-1.patch
@@ -0,0 +1,104 @@ +From 54ddf8aabaa517ba344b4ea44c41e5072d8c705f Mon Sep 17 00:00:00 2001 +From: Ashly Hale +Date: Thu, 19 Sep 2024 14:05:13 +0800 +Subject: [PATCH] Implement webgl.max-size-per-texture-mib r=jgilbert a=RyanVM + +--- + dom/canvas/WebGLTextureUpload.cpp | 35 +++++++++++++++++++----- + modules/libpref/init/StaticPrefList.yaml | 5 ++++ + 2 files changed, 33 insertions(+), 7 deletions(-) + +diff --git a/dom/canvas/WebGLTextureUpload.cpp b/dom/canvas/WebGLTextureUpload.cpp +index 56d29e1c3e..fb2a089869 100644 +--- a/dom/canvas/WebGLTextureUpload.cpp ++++ b/dom/canvas/WebGLTextureUpload.cpp +@@ -752,9 +752,27 @@ static bool ValidateCompressedTexImageRestrictions( + return true; + } + +-static bool ValidateTargetForFormat(const WebGLContext* webgl, +- TexImageTarget target, +- const webgl::FormatInfo* format) { ++static bool ValidateFormatAndSize(const WebGLContext* webgl, ++ TexImageTarget target, ++ const webgl::FormatInfo* format, ++ const uvec3& size) { ++ // Check if texture size will likely be rejected by the driver and give a more ++ // meaningful error message. 
++ auto baseImageSize = CheckedInt(format->estimatedBytesPerPixel) * ++ (uint32_t)size.x * (uint32_t)size.y * (uint32_t)size.z; ++ if (target == LOCAL_GL_TEXTURE_CUBE_MAP) { ++ baseImageSize *= 6; ++ } ++ if (!baseImageSize.isValid() || ++ baseImageSize.value() > ++ (uint64_t)StaticPrefs::webgl_max_size_per_texture_mib() * ++ (1024 * 1024)) { ++ webgl->ErrorOutOfMemory( ++ "Texture size too large; base image mebibytes > " ++ "webgl.max-size-per-texture-mib"); ++ return false; ++ } ++ + // GLES 3.0.4 p127: + // "Textures with a base internal format of DEPTH_COMPONENT or DEPTH_STENCIL + // are supported by texture image specification commands only if `target` is +@@ -822,7 +840,7 @@ void WebGLTexture::TexStorage(TexTarget target, uint32_t levels, + } + auto dstFormat = dstUsage->format; + +- if (!ValidateTargetForFormat(mContext, testTarget, dstFormat)) return; ++ if (!ValidateFormatAndSize(mContext, testTarget, dstFormat, size)) return; + + if (dstFormat->compression) { + if (!ValidateCompressedTexImageRestrictions(mContext, testTarget, 0, +@@ -987,7 +1005,7 @@ void WebGLTexture::TexImage(uint32_t level, GLenum respecFormat, + } + + const auto& dstFormat = dstUsage->format; +- if (!ValidateTargetForFormat(mContext, imageTarget, dstFormat)) return; ++ if (!ValidateFormatAndSize(mContext, imageTarget, dstFormat, size)) return; + + if (!mContext->IsWebGL2() && dstFormat->d) { + if (imageTarget != LOCAL_GL_TEXTURE_2D || blob->HasData() || level != 0) { +@@ -1179,7 +1197,9 @@ void WebGLTexture::CompressedTexImage(bool sub, GLenum imageTarget, + } + MOZ_ASSERT(imageInfo); + +- if (!ValidateTargetForFormat(mContext, imageTarget, usage->format)) return; ++ if (!ValidateFormatAndSize(mContext, imageTarget, usage->format, size)) ++ return; ++ + if (!ValidateCompressedTexImageRestrictions(mContext, imageTarget, level, + usage->format, size)) { + return; +@@ -1815,8 +1835,9 @@ void WebGLTexture::CopyTexImage(GLenum imageTarget, uint32_t level, + dstUsage = 
ValidateCopyDestUsage(mContext, srcFormat, respecFormat); + if (!dstUsage) return; + +- if (!ValidateTargetForFormat(mContext, imageTarget, dstUsage->format)) ++ if (!ValidateFormatAndSize(mContext, imageTarget, dstUsage->format, size)) + return; ++ + } else { + if (!ValidateTexImageSelection(imageTarget, level, dstOffset, size, + &imageInfo)) { +diff --git a/modules/libpref/init/StaticPrefList.yaml b/modules/libpref/init/StaticPrefList.yaml +index 832aa92b10..3d09182376 100644 +--- a/modules/libpref/init/StaticPrefList.yaml ++++ b/modules/libpref/init/StaticPrefList.yaml +@@ -11409,6 +11409,11 @@ + value: 300 + mirror: always + ++- name: webgl.max-size-per-texture-mib ++ type: RelaxedAtomicUint32 ++ value: 1024 ++ mirror: always ++ + - name: webgl.max-warnings-per-context + type: RelaxedAtomicUint32 + value: 32 +-- +2.27.0 + diff --git a/CVE-2022-46885-2.patch b/CVE-2022-46885-2.patch new file mode 100644 index 0000000000000000000000000000000000000000..b9a456d704c46f6b1c75a24e9179dc17cac87616 --- /dev/null +++ b/CVE-2022-46885-2.patch 
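Review bot: The comment added above `ValidateFormatAndSize` in the WebGLTextureUpload.cpp hunk only says an oversized texture would likely be rejected by the driver; it should also state what the bound covers, because the function receives just `size` and multiplies it by `estimatedBytesPerPixel` (times 6 for `LOCAL_GL_TEXTURE_CUBE_MAP`), so the mip levels requested by `TexStorage` are not counted and the limit applies per upload, not as a per-context budget. Suggested addition after the existing comment: `// Only the base level is bounded (all six faces for cube maps); mip levels are not included, and this caps one upload, not the context's total texture memory.` The check runs before `ValidateCompressedTexImageRestrictions` in the `TexStorage` and `CompressedTexImage` hunks, so it depends entirely on `estimatedBytesPerPixel` being non-zero for every format — worth confirming against the format table, since a zero estimate would let any size through. The bodies of the four callers continue outside their hunks.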
@@ -0,0 +1,71 @@ +From 8e639ae5b4d73040af12a545a93cbdd14402c614 Mon Sep 17 00:00:00 2001 +From: Jens Stutte +Date: Thu, 19 Sep 2024 14:10:52 +0800 +Subject: [PATCH] Add a value for DEL to kBase64URLDecodeTable and have static asserts for lookup tables' length. r=xpcom-reviewers,nika a=RyanVM + +--- + xpcom/io/Base64.cpp | 22 +++++++++++++--------- + 1 file changed, 13 insertions(+), 9 deletions(-) + +diff --git a/xpcom/io/Base64.cpp b/xpcom/io/Base64.cpp +index d7a07a1029..cc7122fd95 100644 +--- a/xpcom/io/Base64.cpp ++++ b/xpcom/io/Base64.cpp +@@ -276,26 +276,25 @@ static const uint8_t kBase64DecodeTable[] = { + /* 112 */ 41, 42, 43, 44, 45, 46, 47, 48, + /* 120 */ 49, 50, 51, 255, 255, 255, 255, 255, + }; +++static_assert(mozilla::ArrayLength(kBase64DecodeTable) == 0x80); + // clang-format on + + template + [[nodiscard]] bool Base64CharToValue(T aChar, uint8_t* aValue) { +- static const size_t mask = 0x7f; +- static_assert( +- (mask + 1) == sizeof(kBase64DecodeTable) / sizeof(kBase64DecodeTable[0]), +- "wrong mask"); + size_t index = static_cast(aChar); + +- if (index & ~mask) { ++ if (index >= mozilla::ArrayLength(kBase64DecodeTable)) { ++ *aValue = 255; + return false; + } +- *aValue = kBase64DecodeTable[index & mask]; ++ *aValue = kBase64DecodeTable[index]; + + return *aValue != 255; + } + + static const char kBase64URLAlphabet[] = + "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"; ++static_assert(mozilla::ArrayLength(kBase64URLAlphabet) == 0x41); + + // Maps an encoded character to a value in the Base64 URL alphabet, per + // RFC 4648, Table 2. Invalid input characters map to UINT8_MAX. 
+@@ -318,14 +317,19 @@ static const uint8_t kBase64URLDecodeTable[] = { + 255, + 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, + 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, /* a - z */ +- 255, 255, 255, 255, ++ 255, 255, 255, 255,255, + }; ++static_assert(mozilla::ArrayLength(kBase64URLDecodeTable) == 0x80); + // clang-format on + + bool Base64URLCharToValue(char aChar, uint8_t* aValue) { + uint8_t index = static_cast(aChar); +- *aValue = kBase64URLDecodeTable[index & 0x7f]; +- return (*aValue != 255) && !(index & ~0x7f); ++ if (index >= mozilla::ArrayLength(kBase64URLDecodeTable)) { ++ *aValue = 255; ++ return false; ++ } ++ *aValue = kBase64URLDecodeTable[index]; ++ return *aValue != 255; + } + + } // namespace +-- +2.27.0 + diff --git a/CVE-2022-46885-3.patch b/CVE-2022-46885-3.patch new file mode 100644 index 0000000000000000000000000000000000000000..6d281470d627dc1ef4f4817a6a394772e812e655 --- /dev/null +++ b/CVE-2022-46885-3.patch 
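Review bot: The new `static_assert(mozilla::ArrayLength(kBase64URLAlphabet) == 0x41)` in the Base64.cpp hunk reads like an off-by-one next to the two `== 0x80` table asserts, because it is the string literal's terminating NUL that turns 64 symbols into 65 bytes; a short comment prevents a later "fix": `// 64 symbols plus the terminating NUL of the string literal`. The two decode-table asserts deserve the matching intent note, `// Indexed by 7-bit ASCII, so exactly 0x80 entries; the bounds checks below rely on this`, since `Base64CharToValue` and `Base64URLCharToValue` now compare `index` against the table length instead of masking with `0x7f`, and the DEL entry appended to `kBase64URLDecodeTable` is what makes index 127 an in-bounds read. Minor: `255, 255, 255, 255,255,` in that appended entry lacks a space, and it sits in a clang-format-off region so nothing will tidy it later. The hunk starts mid-table; the preceding entries are outside the view.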
@@ -0,0 +1,41 @@ +From 251291105e660a0bb1aeb440dd3f47a72f447102 Mon Sep 17 00:00:00 2001 +From: Timothy Nikkel +Date: Thu, 19 Sep 2024 14:13:46 +0800 +Subject: [PATCH] r=mstange + +--- + dom/base/nsDOMWindowUtils.cpp | 2 +- + image/SVGDocumentWrapper.cpp | 4 +++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/dom/base/nsDOMWindowUtils.cpp b/dom/base/nsDOMWindowUtils.cpp +index fbcb9cc1ae..2bd708a47e 100644 +--- a/dom/base/nsDOMWindowUtils.cpp ++++ b/dom/base/nsDOMWindowUtils.cpp +@@ -2735,7 +2735,7 @@ nsDOMWindowUtils::AdvanceTimeAndRefresh(int64_t aMilliseconds) { + + nsPresContext* presContext = GetPresContext(); + if (presContext) { +- nsRefreshDriver* driver = presContext->RefreshDriver(); ++ RefPtr driver = presContext->RefreshDriver(); + driver->AdvanceTimeAndRefresh(aMilliseconds); + + RefPtr transaction = GetLayerTransaction(); +diff --git a/image/SVGDocumentWrapper.cpp b/image/SVGDocumentWrapper.cpp +index a85176db49..2c081afb9e 100644 +--- a/image/SVGDocumentWrapper.cpp ++++ b/image/SVGDocumentWrapper.cpp +@@ -180,7 +180,9 @@ void SVGDocumentWrapper::SetCurrentTime(float aTime) { + void SVGDocumentWrapper::TickRefreshDriver() { + if (RefPtr presShell = mViewer->GetPresShell()) { + if (RefPtr presContext = presShell->GetPresContext()) { +- presContext->RefreshDriver()->DoTick(); ++ if (RefPtr driver = presContext->RefreshDriver()) { ++ driver->DoTick(); ++ } + } + } + } +-- +2.27.0 + diff --git a/mozjs91.spec b/mozjs91.spec index 10f075a22d1a7257bc294d96bc4811079930f3b7..3a5395318c96620430b3fb5d23e7c21139933373 100644 --- a/mozjs91.spec +++ b/mozjs91.spec @@ -12,7 +12,7 @@ # Big endian platforms Name: mozjs%{major} Version: 91.6.0 -Release: 3 +Release: 4 Summary: SpiderMonkey JavaScript library License: MPL-2.0 Group: System/Libraries 
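Review bot: The patch header in CVE-2022-46885-3.patch carries only `Subject: [PATCH] r=mstange` — no title and no bug reference — so nothing in the vendored file records why `nsDOMWindowUtils::AdvanceTimeAndRefresh` and `SVGDocumentWrapper::TickRefreshDriver` now hold the refresh driver in a `RefPtr` instead of a raw pointer, and a future rebase cannot distinguish this from a cosmetic change. Restore a descriptive subject, e.g. `Subject: [PATCH] Bug <upstream-bug-id> - Hold a strong reference to the refresh driver across the tick. r=mstange`, and put the rationale on the changed line: `// Strong ref: presumably the tick can drop the driver's other owners — confirm against the bug.` The SVGDocumentWrapper hunk null-checks the `RefPtr` before `DoTick()` while the nsDOMWindowUtils hunk dereferences `driver` unconditionally; if `RefreshDriver()` can return null there, the same guard is needed. Both functions continue outside their hunks.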
@@ -36,6 +36,9 @@ Patch14: init_patch.patch # TODO: Check with mozilla for cause of these fails and re-enable spidermonkey compile time checks if needed Patch15: spidermonkey_checks_disable.patch Patch16: spidermonkey_support_loongarch64.patch +Patch17: CVE-2022-46885-1.patch +Patch18: CVE-2022-46885-2.patch +Patch19: CVE-2022-46885-3.patch BuildRequires: autoconf213 cargo clang-devel gcc gcc-c++ libtool perl-devel llvm llvm-devel nasm pkgconfig python3-devel python3-setuptools BuildRequires: python3-six readline-devel zip rust pkgconfig(icu-i18n) >= 67.1 pkgconfig(libffi) pkgconfig(nspr) pkgconfig(zlib) icu @@ -207,6 +210,9 @@ popd %{_includedir}/mozjs-%{major}/ %changelog +* Thu Sep 19 2024 happyworker <208suo@208suo.com> - 91.6.0-4 +- fix CVE-2022-46885 + * Thu Dec 15 2022 liuyu - 91.6.0-3 - support loongarch64 in spidermonkey
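Review bot: The `Patch17`–`Patch19` declarations in the mozjs91.spec hunk point at files under `dom/`, `image/`, `xpcom/` and `modules/libpref/`, which are Gecko browser directories and, as far as I know, are not shipped in the SpiderMonkey source tarball that mozjs91 builds from (it carries `js/`, `mfbt/`, `mozglue/` and a few support directories); whether they are applied at all is decided by the `%prep` section, which is outside this diff. With `%autosetup` a missing path fails the build, whereas with individually listed `%patch` lines these three are never applied and the changelog entry `- fix CVE-2022-46885` then claims a fix that is not in the built library. Confirm in a build log that each patch applies, and annotate the declarations: `# CVE-2022-46885 backports touch Gecko directories; verify they exist in this tarball before relying on them`.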