!236 Fix CVE-2021-43539

From: @jackssir Reviewed-by: @wk333 Signed-off-by: @wk333
2024-11-18 02:39:12 +00:00 · 2024-11-18 02:39:12 +00:00 · a97e1bb8ba
commit a97e1bb8ba
parent 2bfdfd1c87 7bdb98bf34
2 changed files with 67 additions and 1 deletions
--- a/CVE-2021-43539.patch
+++ b/CVE-2021-43539.patch
@ -0,0 +1,61 @@
+From 1784bcb159d7dd8c65f6c016dcca6ed5b2982d2b Mon Sep 17 00:00:00 2001
+From: Asumu Takikawa <asumu@igalia.com>
+Date: Mon, 15 Nov 2021 16:26:57 +0000 (2021-11-16)
+Subject: [PATCH] CVE-2021-43539
+
+---
+ js/src/jit/CodeGenerator.cpp | 17 +++++++++--------
+ 1 file changed, 9 insertions(+), 8 deletions(-)
+
+diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
+index 81e723f196..a703024aa1 100644
+--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
+@@ -7914,35 +7914,36 @@ void CodeGenerator::visitWasmCall(LWasmCall* lir) {
+ 
+   const wasm::CallSiteDesc& desc = mir->desc();
+   const wasm::CalleeDesc& callee = mir->callee();
+  CodeOffset retOffset;
+   switch (callee.which()) {
+     case wasm::CalleeDesc::Func:
+-      masm.call(desc, callee.funcIndex());
+      retOffset = masm.call(desc, callee.funcIndex());
+       reloadRegs = false;
+       switchRealm = false;
+       break;
+     case wasm::CalleeDesc::Import:
+-      masm.wasmCallImport(desc, callee);
+      retOffset = masm.wasmCallImport(desc, callee);
+       break;
+     case wasm::CalleeDesc::AsmJSTable:
+     case wasm::CalleeDesc::WasmTable:
+-      masm.wasmCallIndirect(desc, callee, needsBoundsCheck);
+      retOffset = masm.wasmCallIndirect(desc, callee, needsBoundsCheck);
+       reloadRegs = switchRealm = callee.which() == wasm::CalleeDesc::WasmTable;
+       break;
+     case wasm::CalleeDesc::Builtin:
+-      masm.call(desc, callee.builtin());
+      retOffset = masm.call(desc, callee.builtin());
+       reloadRegs = false;
+       switchRealm = false;
+       break;
+     case wasm::CalleeDesc::BuiltinInstanceMethod:
+-      masm.wasmCallBuiltinInstanceMethod(desc, mir->instanceArg(),
+-                                         callee.builtin(),
+-                                         mir->builtinMethodFailureMode());
+      retOffset = masm.wasmCallBuiltinInstanceMethod(
+          desc, mir->instanceArg(), callee.builtin(),
+          mir->builtinMethodFailureMode()); 
+       switchRealm = false;
+       break;
+   }
+ 
+   // Note the assembler offset for the associated LSafePoint.
+-  markSafepointAt(masm.currentOffset(), lir);
+  markSafepointAt(retOffset.offset(), lir);
+ 
+   // Now that all the outbound in-memory args are on the stack, note the
+   // required lower boundary point of the associated StackMap.
+-- 
+2.33.0
+
--- a/firefox.spec
+++ b/firefox.spec
@ -88,7 +88,7 @@
 Summary:             Mozilla Firefox Web browser
 Name:                firefox
 Version:             79.0
-Release:             33
+Release:             34
 URL:                 https://www.mozilla.org/firefox/
 License:             MPLv1.1 or GPLv2+ or LGPLv2+
 Source0:             https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@ -214,6 +214,7 @@ Patch670:            CVE-2022-29912.patch
 Patch671:            CVE-2024-0745.patch
 Patch672:            CVE-2023-1945.patch
 Patch673:            CVE-2021-29970.patch
+Patch674:            CVE-2021-43539.patch 

 %if %{?system_nss}
 BuildRequires:       pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
@ -422,6 +423,7 @@ tar -xf %{SOURCE3}
 %patch671 -p1
 %patch672 -p1
 %patch673 -p1
+%patch674 -p1

 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
@ -870,6 +872,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif

 %changelog
+* Wed Nov 06 2024 lvfei <lvfei@kylinos.cn> - 79.0-34
+- Fix CVE-2021-43539
+
 * Fri Nov 01 2024 lvfei <lvfei@kylinos.cn> - 79.0-33
 - Fix CVE-2021-29970