firefox/CVE-2020-15678.patch


# HG changeset patch
# User Botond Ballo <botond@mozilla.com>
# Date 1598039821 0
# Fri Aug 21 19:57:01 2020 +0000
# Node ID 5718234b1f27780b0d98ca4e6f1a22e1b012205a
# Parent b6b562c539e326715fda1dcd020c1095a9520e93
Bug 1660211 - Respect iterator invalidation rules in ComputeClippedCompositionBounds(). r=kats
Differential Revision: https://phabricator.services.mozilla.com/D87893
diff -r b6b562c539e3 -r 5718234b1f27 gfx/layers/apz/src/APZCTreeManager.cpp
--- a/gfx/layers/apz/src/APZCTreeManager.cpp Fri Aug 21 20:42:59 2020 +0000
+++ b/gfx/layers/apz/src/APZCTreeManager.cpp Fri Aug 21 19:57:01 2020 +0000
@@ -899,14 +899,13 @@
ParentLayerRect APZCTreeManager::ComputeClippedCompositionBounds(
const MutexAutoLock& aProofOfMapLock, ClippedCompositionBoundsMap& aDestMap,
ScrollableLayerGuid aGuid) {
- auto insertResult = aDestMap.insert(std::make_pair(aGuid, ParentLayerRect()));
- if (!insertResult.second) {
+ if (auto iter = aDestMap.find(aGuid); iter != aDestMap.end()) {
// We already computed it for this one, early-exit. This might happen
// because on a later iteration of mApzcMap we might encounter an ancestor
// of an APZC that we processed on an earlier iteration. In this case we
// would have computed the ancestor's clipped composition bounds when
// recursing up on the earlier iteration.
- return insertResult.first->second;
+ return iter->second;
}
ParentLayerRect bounds = mApzcMap[aGuid].apzc->GetCompositionBounds();
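Review bot: `mApzcMap[aGuid]` on the context line right after the new early-exit may itself insert. If mApzcMap is a standard map type, `operator[]` default-constructs an entry when `aGuid` is absent, and `.apzc->` then dereferences whatever that default entry holds. The existing comment says this function is reached while iterating mApzcMap, so an insertion here would raise the same iterator-invalidation concern the commit fixes for aDestMap. A non-inserting lookup avoids both problems, e.g. `auto apzcIter = mApzcMap.find(aGuid); MOZ_ASSERT(apzcIter != mApzcMap.end());` followed by `apzcIter->second.apzc->GetCompositionBounds()`. The function body continues outside this hunk, so whether callers guarantee the key is present cannot be confirmed from here.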
@@ -916,7 +915,7 @@
// Recursion base case, where the APZC with guid `aGuid` has no parent.
// In this case, we don't need to clip `bounds` any further and can just
// early exit.
- insertResult.first->second = bounds;
+ aDestMap.emplace(aGuid, bounds);
return bounds;
}
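Review bot: The two new `aDestMap.emplace(aGuid, bounds);` calls (here and in the final hunk) have no comment explaining why insertion is deferred until the bounds are known. A later cleanup could therefore restore the single-lookup pattern that kept an iterator alive across the recursion. I would add next to the `find` at the top of the function: `// Do not keep an iterator or reference into aDestMap across the recursive call: it inserts into aDestMap and may invalidate them.` Separately, `emplace` leaves an existing entry untouched and its result is ignored, so if the key is expected to be absent at both sites, `MOZ_ASSERT(aDestMap.find(aGuid) == aDestMap.end());` before each call would state that invariant. The recursive call lies outside the visible hunks, so this reading rests on the commit title and the existing "recursing up" comment.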
@@ -950,7 +949,7 @@
PixelCastJustification::MovingDownToChildren));
// Done!
- insertResult.first->second = bounds;
+ aDestMap.emplace(aGuid, bounds);
return bounds;
}