fix CVE-2022-22755

This commit is contained in:
lvfei 2024-03-12 10:59:13 +08:00
parent ce4c738936
commit 3e860cb1fb
2 changed files with 237 additions and 1 deletions

231
CVE-2022-22755.patch Normal file

@ -0,0 +1,231 @@
From 309ddf3970408bb3cf21a2eeee31104452bddc67 Mon Sep 17 00:00:00 2001
From: Peter Van der Beken <peterv@propagandism.org>
Date: Tue, 21 Dec 2021 17:56:02 +0000 (2021-12-22)
Subject: [PATCH] CVE-2022-22755
---
dom/xslt/xslt/txExecutionState.cpp | 7 +-
dom/xslt/xslt/txExecutionState.h | 5 +-
dom/xslt/xslt/txMozillaXSLTProcessor.cpp | 101 ++++++++++++++++++++++-
dom/xslt/xslt/txXSLTProcessor.cpp | 25 ++++--
4 files changed, 126 insertions(+), 12 deletions(-)
diff --git a/dom/xslt/xslt/txExecutionState.cpp b/dom/xslt/xslt/txExecutionState.cpp
index a4e7609dfc..8d849886ac 100644
--- a/dom/xslt/xslt/txExecutionState.cpp
+++ b/dom/xslt/xslt/txExecutionState.cpp
@@ -417,7 +417,12 @@ txExecutionState::TemplateRule* txExecutionState::getCurrentTemplateRule() {
return &mTemplateRules[mTemplateRules.Length() - 1];
}
-txInstruction* txExecutionState::getNextInstruction() {
+mozilla::Result<txInstruction*, nsresult>
+txExecutionState::getNextInstruction() {
+ if (mStopProcessing) {
+ return mozilla::Err(NS_ERROR_FAILURE);
+ }
+
txInstruction* instr = mNextInstruction;
if (instr) {
mNextInstruction = instr->mNext.get();
diff --git a/dom/xslt/xslt/txExecutionState.h b/dom/xslt/xslt/txExecutionState.h
index 7d91df704e..c4b15edd60 100644
--- a/dom/xslt/xslt/txExecutionState.h
+++ b/dom/xslt/xslt/txExecutionState.h
@@ -17,6 +17,7 @@
#include "txStylesheet.h"
#include "txXPathTreeWalker.h"
#include "nsTArray.h"
+#include "mozilla/Result.h"
class txAOutputHandlerFactory;
class txAXMLEventHandler;
@@ -115,13 +116,14 @@ class txExecutionState : public txIMatchContext {
}
// state-modification functions
- txInstruction* getNextInstruction();
+ mozilla::Result<txInstruction*, nsresult> getNextInstruction();
nsresult runTemplate(txInstruction* aInstruction);
nsresult runTemplate(txInstruction* aInstruction, txInstruction* aReturnTo);
void gotoInstruction(txInstruction* aNext);
void returnFromTemplate();
nsresult bindVariable(const txExpandedName& aName, txAExprResult* aValue);
void removeVariable(const txExpandedName& aName);
+ void stopProcessing() { mStopProcessing = true; }
txAXMLEventHandler* mOutputHandler;
txAXMLEventHandler* mResultHandler;
@@ -156,6 +158,7 @@ class txExecutionState : public txIMatchContext {
txKeyHash mKeyHash;
RefPtr<txResultRecycler> mRecycler;
bool mDisableLoads;
+ bool mStopProcessing = false;
static const int32_t kMaxRecursionDepth;
};
diff --git a/dom/xslt/xslt/txMozillaXSLTProcessor.cpp b/dom/xslt/xslt/txMozillaXSLTProcessor.cpp
index 1b22b1caf0..5d810471b6 100644
--- a/dom/xslt/xslt/txMozillaXSLTProcessor.cpp
+++ b/dom/xslt/xslt/txMozillaXSLTProcessor.cpp
@@ -538,6 +538,80 @@ already_AddRefed<Document> txMozillaXSLTProcessor::TransformToDocument(
return doc.forget();
}
+class XSLTProcessRequest final : public nsIRequest {
+ public:
+ explicit XSLTProcessRequest(txExecutionState* aState) : mState(aState) {}
+
+ NS_DECL_ISUPPORTS
+ NS_DECL_NSIREQUEST
+
+ void Done() { mState = nullptr; }
+
+ private:
+ ~XSLTProcessRequest() {}
+ txExecutionState* mState;
+};
+NS_IMPL_ISUPPORTS(XSLTProcessRequest, nsIRequest)
+
+NS_IMETHODIMP
+XSLTProcessRequest::GetName(nsACString& aResult) {
+ aResult.AssignLiteral("about:xslt-load-blocker");
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+XSLTProcessRequest::IsPending(bool* _retval) {
+ *_retval = true;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+XSLTProcessRequest::GetStatus(nsresult* status) {
+ *status = NS_OK;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+XSLTProcessRequest::Cancel(nsresult status) {
+ mState->stopProcessing();
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+XSLTProcessRequest::Suspend(void) { return NS_OK; }
+
+NS_IMETHODIMP
+XSLTProcessRequest::Resume(void) { return NS_OK; }
+
+NS_IMETHODIMP
+XSLTProcessRequest::GetLoadGroup(nsILoadGroup** aLoadGroup) {
+ *aLoadGroup = nullptr;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+XSLTProcessRequest::SetLoadGroup(nsILoadGroup* aLoadGroup) { return NS_OK; }
+
+NS_IMETHODIMP
+XSLTProcessRequest::GetLoadFlags(nsLoadFlags* aLoadFlags) {
+ *aLoadFlags = nsIRequest::LOAD_NORMAL;
+ return NS_OK;
+}
+
+NS_IMETHODIMP
+XSLTProcessRequest::SetLoadFlags(nsLoadFlags aLoadFlags) { return NS_OK; }
+
+NS_IMETHODIMP
+XSLTProcessRequest::GetTRRMode(nsIRequest::TRRMode* aTRRMode) {
+ return GetTRRModeImpl(aTRRMode);
+}
+
+NS_IMETHODIMP
+XSLTProcessRequest::SetTRRMode(nsIRequest::TRRMode aTRRMode) {
+ return SetTRRModeImpl(aTRRMode);
+}
+
+
nsresult txMozillaXSLTProcessor::TransformToDoc(Document** aResult,
bool aCreateDataDocument) {
UniquePtr<txXPathNode> sourceNode(
@@ -548,11 +622,31 @@ nsresult txMozillaXSLTProcessor::TransformToDoc(Document** aResult,
txExecutionState es(mStylesheet, IsLoadDisabled());
+ Document* sourceDoc = mSource->OwnerDoc();
+ nsCOMPtr<nsILoadGroup> loadGroup = sourceDoc->GetDocumentLoadGroup();
+ if (!loadGroup) {
+ nsCOMPtr<nsPIDOMWindowInner> win = do_QueryInterface(mOwner);
+ if (win && win->IsCurrentInnerWindow()) {
+ Document* doc = win->GetDoc();
+ if (doc) {
+ loadGroup = doc->GetDocumentLoadGroup();
+ }
+ }
+
+ if (!loadGroup) {
+ return NS_ERROR_FAILURE;
+ }
+ }
+
+ RefPtr<XSLTProcessRequest> xsltProcessRequest = new XSLTProcessRequest(&es);
+ loadGroup->AddRequest(xsltProcessRequest, nullptr);
+
+
// XXX Need to add error observers
// If aResult is non-null, we're a data document
- txToDocHandlerFactory handlerFactory(&es, mSource->OwnerDoc(), mObserver,
- aCreateDataDocument);
+ txToDocHandlerFactory handlerFactory(&es, sourceDoc, mObserver,
+ aCreateDataDocument);
es.mOutputHandlerFactory = &handlerFactory;
nsresult rv = es.init(*sourceNode, &mVariables);
@@ -562,6 +656,9 @@ nsresult txMozillaXSLTProcessor::TransformToDoc(Document** aResult,
rv = txXSLTProcessor::execute(es);
}
+ xsltProcessRequest->Done();
+ loadGroup->RemoveRequest(xsltProcessRequest, nullptr, NS_OK);
+
nsresult endRv = es.end(rv);
if (NS_SUCCEEDED(rv)) {
rv = endRv;
diff --git a/dom/xslt/xslt/txXSLTProcessor.cpp b/dom/xslt/xslt/txXSLTProcessor.cpp
index dfcdeb5595..4a5117efcf 100644
--- a/dom/xslt/xslt/txXSLTProcessor.cpp
+++ b/dom/xslt/xslt/txXSLTProcessor.cpp
@@ -31,12 +31,21 @@ void txXSLTProcessor::shutdown() { txHandlerTable::shutdown(); }
/* static */
nsresult txXSLTProcessor::execute(txExecutionState& aEs) {
- nsresult rv = NS_OK;
- txInstruction* instr;
- while ((instr = aEs.getNextInstruction())) {
- rv = instr->execute(aEs);
- NS_ENSURE_SUCCESS(rv, rv);
- }
-
- return NS_OK;
+
+ nsresult rv;
+ do {
+ mozilla::Result<txInstruction*, nsresult> result = aEs.getNextInstruction();
+ if (result.isErr()) {
+ return result.unwrapErr();
+ }
+
+ txInstruction* instr = result.unwrap();
+ if (!instr) {
+ return NS_OK;
+ }
+
+ rv = instr->execute(aEs);
+ } while (NS_SUCCEEDED(rv));
+
+ return rv;
}
--
2.27.0
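Review bot: `XSLTProcessRequest::Cancel` dereferences `mState` unconditionally at `mState->stopProcessing();`, yet `Done()` a few lines above resets it to `nullptr`, and `TransformToDoc` calls `Done()` before `RemoveRequest`, so a `Cancel` that reaches the request after that point (another holder of the `RefPtr`, or a cancel issued while the load group is removing it) would be a null dereference rather than the intended no-op. Guard it with `if (mState) { mState->stopProcessing(); }`; whether such a late cancel is reachable in this tree is not visible from the patch, but the check costs nothing. It would also help to document the lifetime on the member, e.g. `txExecutionState* mState;  // Non-owning; points at the stack-allocated `es` in TransformToDoc and is cleared by Done() before that object is torn down.`, since the raw pointer to a stack object is exactly the relationship this CVE fix exists to keep safe. Minor style point: `~XSLTProcessRequest() {}` can be `~XSLTProcessRequest() = default;`.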


@ -88,7 +88,7 @@
Summary: Mozilla Firefox Web browser
Name: firefox
Version: 79.0
Release: 15
Release: 16
URL: https://www.mozilla.org/firefox/
License: MPLv1.1 or GPLv2+ or LGPLv2+
Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@ -194,6 +194,7 @@ Patch651: CVE-2023-4863-2.patch
# https://hg.mozilla.org/mozilla-central/raw-rev/c53f5ef77b62b79af86951a7f9130e1896b695d2
Patch652: CVE-2023-5217.patch
Patch653: CVE-2023-7104.patch
Patch654: CVE-2022-22755.patch
@ -384,6 +385,7 @@ tar -xf %{SOURCE3}
%patch651 -p1
%patch652 -p1
%patch653 -p1
%patch654 -p1
%{__rm} -f .mozconfig
@ -833,6 +835,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
%endif
%changelog
* Mon Mar 04 2024 lvfei <lvfei@kylinos.cn> - 79.0-16
- fix CVE-2022-22755
* Tue Jan 02 2024 wangkai <13474090681@163.com> - 79.0-15
- Fix CVE-2023-7104