packages/firefox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!7 fix CVE-2020-6811 CVE-2020-6814

Browse Source 
Merge pull request !7 from cuibb1/master
This commit is contained in:
openeuler-ci-bot 2020-05-26 14:55:34 +08:00 committed by Gitee
commit 468b240542
5 changed files with 736 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
CVE-2020-6811.patch Normal file
View File

@ -0,0 +1,102 @@
From c73d875661b96789047dd5cdccff82f1f639924d Mon Sep 17 00:00:00 2001
From: Jan Odvarko <odvarko@gmail.com>
Date: Wed, 12 Feb 2020 11:52:30 +0000
Subject: [PATCH] Bug 1607742 - Escape method argument r=Gijs
Differential Revision: https://phabricator.services.mozilla.com/D60413
--HG--
extra : moz-landing-system : lando
---
devtools/client/shared/curl.js | 33 ++++++++++++++++++++++-----------
1 file changed, 22 insertions(+), 11 deletions(-)
diff --git a/devtools/client/shared/curl.js b/devtools/client/shared/curl.js
index 30d8382..6d862be 100644
--- a/devtools/client/shared/curl.js
+++ b/devtools/client/shared/curl.js
@@ -59,6 +59,17 @@ const Curl = {
const utils = CurlUtils;
let command = ["curl"];
+ // Make sure to use the following helpers to sanitize arguments before execution.
+ const addParam = value => {
+ const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
+ command.push(safe);
+ };
+
+ const addPostData = value => {
+ const safe = /^[a-zA-Z-]+$/.test(value) ? value : escapeString(value);
+ postData.push(safe);
+ };
+
const ignoredHeaders = new Set();
// The cURL command is expected to run on the same platform that Firefox runs
@@ -67,7 +78,7 @@ const Curl = {
utils.escapeStringWin : utils.escapeStringPosix;
// Add URL.
- command.push(escapeString(data.url));
+ addParam(data.url);
let postDataText = null;
const multipartRequest = utils.isMultipartRequest(data);
@@ -77,15 +88,15 @@ const Curl = {
if (utils.isUrlEncodedRequest(data) ||
["PUT", "POST", "PATCH"].includes(data.method)) {
postDataText = data.postDataText;
- postData.push("--data");
- postData.push(escapeString(utils.writePostDataTextParams(postDataText)));
+ addPostData("--data");
+ addPostData(utils.writePostDataTextParams(postDataText));
ignoredHeaders.add("content-length");
} else if (multipartRequest) {
postDataText = data.postDataText;
- postData.push("--data-binary");
+ addPostData("--data-binary");
const boundary = utils.getMultipartBoundary(data);
const text = utils.removeBinaryDataFromMultipartText(postDataText, boundary);
- postData.push(escapeString(text));
+ addPostData(text);
ignoredHeaders.add("content-length");
}
// curl generates the host header itself based on the given URL
@@ -95,13 +106,13 @@ const Curl = {
// For servers that supports HEAD.
// This will fetch the header of a document only.
if (data.method == "HEAD") {
- command.push("-I");
+ addParam("-I");
} else if (!(data.method == "GET" || data.method == "POST")) {
// Add method.
// For HEAD, GET and POST requests this is not necessary. GET is the
// default, if --data or --binary is added POST is used, -I implies HEAD.
- command.push("-X");
- command.push(data.method);
+ addParam("-X");
+ addParam(data.method);
}
// Add request headers.
@@ -113,14 +124,14 @@ const Curl = {
for (let i = 0; i < headers.length; i++) {
const header = headers[i];
if (header.name.toLowerCase() === "accept-encoding") {
- command.push("--compressed");
+ addParam("--compressed");
continue;
}
if (ignoredHeaders.has(header.name.toLowerCase())) {
continue;
}
- command.push("-H");
- command.push(escapeString(header.name + ": " + header.value));
+ addParam("-H");
+ addParam(header.name + ": " + header.value);
}
// Add post data.
--
2.23.0

415
CVE-2020-6814-1.patch Normal file
View File

@ -0,0 +1,415 @@
From 187b93c6acb2340749b1586bd12afac1d619b136 Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Tue, 4 Feb 2020 14:18:11 +0000
Subject: [PATCH] Bug 1608256 - Remove MakeMRegExpHoistable optimization
.
r=tcampbell
It's a lot of code and doesn't seem to affect Octane-regexp.
Differential Revision: https://phabricator.services.mozilla.com/D61427
--HG--
extra : moz-landing-system : lando
---
js/src/jit/Ion.cpp | 8 -
js/src/jit/IonAnalysis.cpp | 267 --------------------------------
js/src/jit/IonAnalysis.h | 3 -
js/src/jit/Lowering.cpp | 11 +-
js/src/jit/MIR.h | 8 -
js/src/vm/CommonPropertyNames.h | 6 -
6 files changed, 3 insertions(+), 300 deletions(-)
diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
index fd31413..08d49bd 100644
--- a/js/src/jit/Ion.cpp
+++ b/js/src/jit/Ion.cpp
@@ -1361,14 +1361,6 @@ OptimizeMIR(MIRGenerator* mir)
if (mir->shouldCancel("Start"))
return false;
- if (!mir->compilingWasm()) {
- if (!MakeMRegExpHoistable(mir, graph))
- return false;
-
- if (mir->shouldCancel("Make MRegExp Hoistable"))
- return false;
- }
-
gs.spewPass("BuildSSA");
AssertBasicGraphCoherency(graph);
diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
index fd89546..217a4c5 100644
--- a/js/src/jit/IonAnalysis.cpp
+++ b/js/src/jit/IonAnalysis.cpp
@@ -2033,273 +2033,6 @@ jit::ApplyTypeInformation(MIRGenerator* mir, MIRGraph& graph)
return true;
}
-// Check if `def` is only the N-th operand of `useDef`.
-static inline size_t
-IsExclusiveNthOperand(MDefinition* useDef, size_t n, MDefinition* def)
-{
- uint32_t num = useDef->numOperands();
- if (n >= num || useDef->getOperand(n) != def)
- return false;
-
- for (uint32_t i = 0; i < num; i++) {
- if (i == n)
- continue;
- if (useDef->getOperand(i) == def)
- return false;
- }
-
- return true;
-}
-
-static size_t
-IsExclusiveThisArg(MCall* call, MDefinition* def)
-{
- return IsExclusiveNthOperand(call, MCall::IndexOfThis(), def);
-}
-
-static size_t
-IsExclusiveFirstArg(MCall* call, MDefinition* def)
-{
- return IsExclusiveNthOperand(call, MCall::IndexOfArgument(0), def);
-}
-
-static bool
-IsRegExpHoistableCall(CompileRuntime* runtime, MCall* call, MDefinition* def)
-{
- if (call->isConstructing())
- return false;
-
- JSAtom* name;
- if (WrappedFunction* fun = call->getSingleTarget()) {
- if (!fun->isSelfHostedBuiltin())
- return false;
- name = GetSelfHostedFunctionName(fun->rawJSFunction());
- } else {
- MDefinition* funDef = call->getFunction();
- if (funDef->isDebugCheckSelfHosted())
- funDef = funDef->toDebugCheckSelfHosted()->input();
- if (funDef->isTypeBarrier())
- funDef = funDef->toTypeBarrier()->input();
-
- if (!funDef->isCallGetIntrinsicValue())
- return false;
- name = funDef->toCallGetIntrinsicValue()->name();
- }
-
- // Hoistable only if the RegExp is the first argument of RegExpBuiltinExec.
- if (name == runtime->names().RegExpBuiltinExec ||
- name == runtime->names().UnwrapAndCallRegExpBuiltinExec ||
- name == runtime->names().RegExpMatcher ||
- name == runtime->names().RegExpTester ||
- name == runtime->names().RegExpSearcher)
- {
- return IsExclusiveFirstArg(call, def);
- }
-
- if (name == runtime->names().RegExp_prototype_Exec)
- return IsExclusiveThisArg(call, def);
-
- return false;
-}
-
-static bool
-CanCompareRegExp(MCompare* compare, MDefinition* def)
-{
- MDefinition* value;
- if (compare->lhs() == def) {
- value = compare->rhs();
- } else {
- MOZ_ASSERT(compare->rhs() == def);
- value = compare->lhs();
- }
-
- // Comparing two regexp that weren't cloned will give different result
- // than if they were cloned.
- if (value->mightBeType(MIRType::Object))
- return false;
-
- // Make sure @@toPrimitive is not called which could notice
- // the difference between a not cloned/cloned regexp.
-
- JSOp op = compare->jsop();
- // Strict equality comparison won't invoke @@toPrimitive.
- if (op == JSOP_STRICTEQ || op == JSOP_STRICTNE)
- return true;
-
- if (op != JSOP_EQ && op != JSOP_NE) {
- // Relational comparison always invoke @@toPrimitive.
- MOZ_ASSERT(op == JSOP_GT || op == JSOP_GE || op == JSOP_LT || op == JSOP_LE);
- return false;
- }
-
- // Loose equality comparison can invoke @@toPrimitive.
- if (value->mightBeType(MIRType::Boolean) || value->mightBeType(MIRType::String) ||
- value->mightBeType(MIRType::Int32) ||
- value->mightBeType(MIRType::Double) || value->mightBeType(MIRType::Float32) ||
- value->mightBeType(MIRType::Symbol))
- {
- return false;
- }
-
- return true;
-}
-
-static inline void
-SetNotInWorklist(MDefinitionVector& worklist)
-{
- for (size_t i = 0; i < worklist.length(); i++)
- worklist[i]->setNotInWorklist();
-}
-
-static bool
-IsRegExpHoistable(MIRGenerator* mir, MDefinition* regexp, MDefinitionVector& worklist,
- bool* hoistable)
-{
- MOZ_ASSERT(worklist.length() == 0);
-
- if (!worklist.append(regexp))
- return false;
- regexp->setInWorklist();
-
- for (size_t i = 0; i < worklist.length(); i++) {
- MDefinition* def = worklist[i];
- if (mir->shouldCancel("IsRegExpHoistable outer loop"))
- return false;
-
- for (MUseIterator use = def->usesBegin(); use != def->usesEnd(); use++) {
- if (mir->shouldCancel("IsRegExpHoistable inner loop"))
- return false;
-
- // Ignore resume points. At this point all uses are listed.
- // No DCE or GVN or something has happened.
- if (use->consumer()->isResumePoint())
- continue;
-
- MDefinition* useDef = use->consumer()->toDefinition();
-
- // Step through a few white-listed ops.
- if (useDef->isPhi() || useDef->isFilterTypeSet() || useDef->isGuardShape()) {
- if (useDef->isInWorklist())
- continue;
-
- if (!worklist.append(useDef))
- return false;
- useDef->setInWorklist();
- continue;
- }
-
- // Instructions that doesn't invoke unknown code that may modify
- // RegExp instance or pass it to elsewhere.
- if (useDef->isRegExpMatcher() || useDef->isRegExpTester() ||
- useDef->isRegExpSearcher())
- {
- if (IsExclusiveNthOperand(useDef, 0, def))
- continue;
- } else if (useDef->isLoadFixedSlot() || useDef->isTypeOf()) {
- continue;
- } else if (useDef->isCompare()) {
- if (CanCompareRegExp(useDef->toCompare(), def))
- continue;
- }
- // Instructions that modifies `lastIndex` property.
- else if (useDef->isStoreFixedSlot()) {
- if (IsExclusiveNthOperand(useDef, 0, def)) {
- MStoreFixedSlot* store = useDef->toStoreFixedSlot();
- if (store->slot() == RegExpObject::lastIndexSlot())
- continue;
- }
- } else if (useDef->isSetPropertyCache()) {
- if (IsExclusiveNthOperand(useDef, 0, def)) {
- MSetPropertyCache* setProp = useDef->toSetPropertyCache();
- if (setProp->idval()->isConstant()) {
- Value propIdVal = setProp->idval()->toConstant()->toJSValue();
- if (propIdVal.isString()) {
- CompileRuntime* runtime = mir->runtime;
- if (propIdVal.toString() == runtime->names().lastIndex)
- continue;
- }
- }
- }
- }
- // MCall is safe only for some known safe functions.
- else if (useDef->isCall()) {
- if (IsRegExpHoistableCall(mir->runtime, useDef->toCall(), def))
- continue;
- }
-
- // Everything else is unsafe.
- SetNotInWorklist(worklist);
- worklist.clear();
- *hoistable = false;
-
- return true;
- }
- }
-
- SetNotInWorklist(worklist);
- worklist.clear();
- *hoistable = true;
- return true;
-}
-
-bool
-jit::MakeMRegExpHoistable(MIRGenerator* mir, MIRGraph& graph)
-{
- // If we are compiling try blocks, regular expressions may be observable
- // from catch blocks (which Ion does not compile). For now just disable the
- // pass in this case.
- if (graph.hasTryBlock())
- return true;
-
- MDefinitionVector worklist(graph.alloc());
-
- for (ReversePostorderIterator block(graph.rpoBegin()); block != graph.rpoEnd(); block++) {
- if (mir->shouldCancel("MakeMRegExpHoistable outer loop"))
- return false;
-
- for (MDefinitionIterator iter(*block); iter; iter++) {
- if (!*iter)
- MOZ_CRASH("confirm bug 1263794.");
-
- if (mir->shouldCancel("MakeMRegExpHoistable inner loop"))
- return false;
-
- if (!iter->isRegExp())
- continue;
-
- MRegExp* regexp = iter->toRegExp();
-
- bool hoistable = false;
- if (!IsRegExpHoistable(mir, regexp, worklist, &hoistable))
- return false;
-
- if (!hoistable)
- continue;
-
- // Make MRegExp hoistable
- regexp->setMovable();
- regexp->setDoNotClone();
-
- // That would be incorrect for global/sticky, because lastIndex
- // could be wrong. Therefore setting the lastIndex to 0. That is
- // faster than a not movable regexp.
- RegExpObject* source = regexp->source();
- if (source->sticky() || source->global()) {
- if (!graph.alloc().ensureBallast())
- return false;
- MConstant* zero = MConstant::New(graph.alloc(), Int32Value(0));
- regexp->block()->insertAfter(regexp, zero);
-
- MStoreFixedSlot* lastIndex =
- MStoreFixedSlot::New(graph.alloc(), regexp, RegExpObject::lastIndexSlot(), zero);
- regexp->block()->insertAfter(zero, lastIndex);
- }
- }
- }
-
- return true;
-}
-
void
jit::RenumberBlocks(MIRGraph& graph)
{
diff --git a/js/src/jit/IonAnalysis.h b/js/src/jit/IonAnalysis.h
index 512c6bd..d49783c 100644
--- a/js/src/jit/IonAnalysis.h
+++ b/js/src/jit/IonAnalysis.h
@@ -59,9 +59,6 @@ EliminateDeadCode(MIRGenerator* mir, MIRGraph& graph);
MOZ_MUST_USE bool
ApplyTypeInformation(MIRGenerator* mir, MIRGraph& graph);
-MOZ_MUST_USE bool
-MakeMRegExpHoistable(MIRGenerator* mir, MIRGraph& graph);
-
void
RenumberBlocks(MIRGraph& graph);
diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
index 3b52ec5..2ba15a6 100644
--- a/js/src/jit/Lowering.cpp
+++ b/js/src/jit/Lowering.cpp
@@ -2413,14 +2413,9 @@ LIRGenerator::visitToObjectOrNull(MToObjectOrNull* ins)
void
LIRGenerator::visitRegExp(MRegExp* ins)
{
- if (ins->mustClone()) {
- LRegExp* lir = new(alloc()) LRegExp(temp());
- define(lir, ins);
- assignSafepoint(lir, ins);
- } else {
- RegExpObject* source = ins->source();
- define(new(alloc()) LPointer(source), ins);
- }
+ LRegExp* lir = new(alloc()) LRegExp(temp());
+ define(lir, ins);
+ assignSafepoint(lir, ins);
}
void
diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
index e90b500..4a97c41 100644
--- a/js/src/jit/MIR.h
+++ b/js/src/jit/MIR.h
@@ -8605,14 +8605,12 @@ class MDefFun
class MRegExp : public MNullaryInstruction
{
CompilerGCPointer<RegExpObject*> source_;
- bool mustClone_;
bool hasShared_;
MRegExp(TempAllocator& alloc, CompilerConstraintList* constraints, RegExpObject* source,
bool hasShared)
: MNullaryInstruction(classOpcode),
source_(source),
- mustClone_(true),
hasShared_(hasShared)
{
setResultType(MIRType::Object);
@@ -8623,12 +8621,6 @@ class MRegExp : public MNullaryInstruction
INSTRUCTION_HEADER(RegExp)
TRIVIAL_NEW_WRAPPERS_WITH_ALLOC
- void setDoNotClone() {
- mustClone_ = false;
- }
- bool mustClone() const {
- return mustClone_;
- }
bool hasShared() const {
return hasShared_;
}
diff --git a/js/src/vm/CommonPropertyNames.h b/js/src/vm/CommonPropertyNames.h
index 0d537fb..3d2eeb5 100644
--- a/js/src/vm/CommonPropertyNames.h
+++ b/js/src/vm/CommonPropertyNames.h
@@ -346,12 +346,7 @@
"ReadableStreamDefaultReader_releaseLock") \
macro(ReadableStreamTee, ReadableStreamTee, "ReadableStreamTee") \
macro(reason, reason, "reason") \
- macro(RegExpBuiltinExec, RegExpBuiltinExec, "RegExpBuiltinExec") \
macro(RegExpFlagsGetter, RegExpFlagsGetter, "RegExpFlagsGetter") \
- macro(RegExpMatcher, RegExpMatcher, "RegExpMatcher") \
- macro(RegExpSearcher, RegExpSearcher, "RegExpSearcher") \
- macro(RegExpTester, RegExpTester, "RegExpTester") \
- macro(RegExp_prototype_Exec, RegExp_prototype_Exec, "RegExp_prototype_Exec") \
macro(Reify, Reify, "Reify") \
macro(reject, reject, "reject") \
macro(rejected, rejected, "rejected") \
@@ -429,7 +424,6 @@
macro(uninitialized, uninitialized, "uninitialized") \
macro(unsized, unsized, "unsized") \
macro(unwatch, unwatch, "unwatch") \
- macro(UnwrapAndCallRegExpBuiltinExec, UnwrapAndCallRegExpBuiltinExec, "UnwrapAndCallRegExpBuiltinExec") \
macro(url, url, "url") \
macro(usage, usage, "usage") \
macro(useAsm, useAsm, "use asm") \
--
2.23.0

133
CVE-2020-6814-2.patch Normal file
View File

@ -0,0 +1,133 @@
From 235ee6bbd95335ede2a095e3e2ed67022afe7800 Mon Sep 17 00:00:00 2001
From: Perry Jiang <perry@mozilla.com>
Date: Wed, 19 Feb 2020 17:56:08 +0000
Subject: [PATCH] Bug 1604847 - let ClientSourceOpChild finish
initialization
r=dom-workers-and-storage-reviewers,asuth
Differential Revision: https://phabricator.services.mozilla.com/D63239
--HG--
extra : moz-landing-system : lando
---
dom/clients/manager/ClientSourceChild.cpp | 2 +-
dom/clients/manager/ClientSourceOpChild.cpp | 28 ++++++++++++++++++++-
dom/clients/manager/ClientSourceOpChild.h | 22 ++++++++++------
3 files changed, 43 insertions(+), 9 deletions(-)
diff --git a/dom/clients/manager/ClientSourceChild.cpp b/dom/clients/manager/ClientSourceChild.cpp
index 0f13a63..e4a8330 100644
--- a/dom/clients/manager/ClientSourceChild.cpp
+++ b/dom/clients/manager/ClientSourceChild.cpp
@@ -37,7 +37,7 @@ ClientSourceChild::AllocPClientSourceOpChild(const ClientOpConstructorArgs& aArg
bool
ClientSourceChild::DeallocPClientSourceOpChild(PClientSourceOpChild* aActor)
{
- delete aActor;
+ static_cast<ClientSourceOpChild*>(aActor)->ScheduleDeletion();
return true;
}
diff --git a/dom/clients/manager/ClientSourceOpChild.cpp b/dom/clients/manager/ClientSourceOpChild.cpp
index dff99d2..b19787f 100644
--- a/dom/clients/manager/ClientSourceOpChild.cpp
+++ b/dom/clients/manager/ClientSourceOpChild.cpp
@@ -8,6 +8,7 @@
#include "ClientSource.h"
#include "ClientSourceChild.h"
+#include "mozilla/Assertions.h"
#include "mozilla/Unused.h"
namespace mozilla {
@@ -72,7 +73,7 @@ ClientSourceOpChild::DoSourceOp(Method aMethod, const Args& aArgs)
void
ClientSourceOpChild::ActorDestroy(ActorDestroyReason aReason)
{
- mPromiseRequestHolder.DisconnectIfExists();
+ Cleanup();
}
void
@@ -111,6 +112,31 @@ ClientSourceOpChild::Init(const ClientOpConstructorArgs& aArgs)
break;
}
}
+
+ mInitialized.Flip();
+
+ if (mDeletionRequested) {
+ Cleanup();
+ delete this;
+ }
+}
+
+void ClientSourceOpChild::ScheduleDeletion() {
+ if (mInitialized) {
+ Cleanup();
+ delete this;
+ return;
+ }
+
+ mDeletionRequested.Flip();
+}
+
+ClientSourceOpChild::~ClientSourceOpChild() {
+ MOZ_DIAGNOSTIC_ASSERT(mInitialized);
+}
+
+void ClientSourceOpChild::Cleanup() {
+ mPromiseRequestHolder.DisconnectIfExists();
}
} // namespace dom
diff --git a/dom/clients/manager/ClientSourceOpChild.h b/dom/clients/manager/ClientSourceOpChild.h
index 1132353..7f30eb0 100644
--- a/dom/clients/manager/ClientSourceOpChild.h
+++ b/dom/clients/manager/ClientSourceOpChild.h
@@ -6,6 +6,7 @@
#ifndef _mozilla_dom_ClientSourceOpChild_h
#define _mozilla_dom_ClientSourceOpChild_h
+#include "mozilla/dom/FlippedOnce.h"
#include "mozilla/dom/PClientSourceOpChild.h"
#include "ClientOpPromise.h"
@@ -16,7 +17,17 @@ class ClientSource;
class ClientSourceOpChild final : public PClientSourceOpChild
{
- MozPromiseRequestHolder<ClientOpPromise> mPromiseRequestHolder;
+ public:
+ void Init(const ClientOpConstructorArgs& aArgs);
+
+ // Deletes "this" after initialization (or immediately if already
+ // initialized.) It's UB to use "this" after calling ScheduleDeletion.
+ void ScheduleDeletion();
+
+ private:
+ ~ClientSourceOpChild();
+
+ void Cleanup();
ClientSource*
GetSource() const;
@@ -29,12 +40,9 @@ class ClientSourceOpChild final : public PClientSourceOpChild
void
ActorDestroy(ActorDestroyReason aReason) override;
-public:
- ClientSourceOpChild() = default;
- ~ClientSourceOpChild() = default;
-
- void
- Init(const ClientOpConstructorArgs& aArgs);
+ MozPromiseRequestHolder<ClientOpPromise> mPromiseRequestHolder;
+ FlippedOnce<false> mDeletionRequested;
+ FlippedOnce<false> mInitialized;
};
} // namespace dom
--
2.23.0

74
CVE-2020-6814-Add-FlippedOnce-class.patch Normal file
View File

@ -0,0 +1,74 @@
From 311de0b6358ba2b8eae20dcc5baf29472a273fc6 Mon Sep 17 00:00:00 2001
From: Simon Giesecke <sgiesecke@mozilla.com>
Date: Tue, 3 Dec 2019 15:25:49 +0000
Subject: [PATCH] Bug 1598164 - Added FlippedOnce class template to help
reducing statefulness of boolean flags.
r=dom-workers-and-storage-reviewers,ytausky
Differential Revision: https://phabricator.services.mozilla.com/D55080
--HG--
extra : moz-landing-system : lando
---
dom/indexedDB/FlippedOnce.h | 39 +++++++++++++++++++++++++++++++++++++
dom/indexedDB/moz.build | 1 +
2 files changed, 40 insertions(+)
create mode 100644 dom/indexedDB/FlippedOnce.h
diff --git a/dom/indexedDB/FlippedOnce.h b/dom/indexedDB/FlippedOnce.h
new file mode 100644
index 0000000000000..94cd8570a4b6e
--- /dev/null
+++ b/dom/indexedDB/FlippedOnce.h
@@ -0,0 +1,39 @@
+/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */
+/* vim: set ts=8 sts=2 et sw=2 tw=80: */
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this file,
+ * You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#ifndef mozilla_dom_indexeddb_flippedonce_h__
+#define mozilla_dom_indexeddb_flippedonce_h__
+
+#include "mozilla/Assertions.h"
+#include "mozilla/Attributes.h"
+
+namespace mozilla {
+
+// A state-restricted bool, which can only be flipped once. It isn't required to
+// be flipped during its lifetime.
+template <bool Initial>
+class FlippedOnce {
+ public:
+ FlippedOnce(const FlippedOnce&) = delete;
+ FlippedOnce& operator=(const FlippedOnce&) = delete;
+
+ FlippedOnce() = default;
+
+ MOZ_IMPLICIT operator bool() const { return mValue; };
+
+ void Flip() {
+ MOZ_ASSERT(mValue == Initial);
+ EnsureFlipped();
+ }
+
+ void EnsureFlipped() { mValue = !Initial; }
+
+ private:
+ bool mValue = Initial;
+};
+} // namespace mozilla
+
+#endif
diff --git a/dom/indexedDB/moz.build b/dom/indexedDB/moz.build
index 4302528e6847b..5237528963127 100644
--- a/dom/indexedDB/moz.build
+++ b/dom/indexedDB/moz.build
@@ -24,6 +24,7 @@ XPCSHELL_TESTS_MANIFESTS += [
]
EXPORTS.mozilla.dom += [
+ 'FlippedOnce.h',
'IDBCursor.h',
'IDBDatabase.h',
'IDBEvents.h',

13
firefox.spec
View File

@ -1,7 +1,7 @@
Name: firefox
Summary: Mozilla Firefox Web browser
Version: 62.0.3
Release: 5
Release: 6
URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+
Source0: http://download-origin.cdn.mozilla.net/pub/firefox/releases/62.0.3/source/firefox-62.0.3.source.tar.xz
@ -30,6 +30,11 @@ Patch0017: mozilla-1467128.patch
Patch0018: mozilla-1415078.patch
Patch0019: openeuler-20200525.patch
Patch6000: CVE-2020-6811.patch
Patch6001: CVE-2020-6814-Add-FlippedOnce-class.patch
Patch6002: CVE-2020-6814-1.patch
Patch6003: CVE-2020-6814-2.patch
BuildRequires: pkgconfig(nspr) >= 4.19 pkgconfig(nss) >= 3.37.3 pkgconfig(libpng) pkgconfig(libffi)
BuildRequires: pkgconfig(zlib) pkgconfig(libIDL-2.0) pkgconfig(gtk+-3.0) pkgconfig(gtk+-2.0) pkgconfig(krb5)
BuildRequires: pkgconfig(pango) pkgconfig(freetype2) >= 2.1.9 pkgconfig(xt) pkgconfig(xrender) pkgconfig(dri)
@ -316,6 +321,12 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%{_datadir}/applications/firefox-wayland.desktop
%changelog
* Mon May 25 2020 huanghaitao <huanghaitao8@huawei.com> - 62.0.3-6
- Type:cves
- ID: CVE-2020-6811 CVE-2020-6814
- SUG:restart
- DESC: fix CVE-2020-6811 CVE-2020-6814
* Mon May 25 2020 Captain Wei<captain.a.wei@gmail.com> - 62.0.3-5
- fix unstable_name_collisions problem when compile