fix CVE-2021-29988

2024-07-18 16:31:40 +08:00 · 2024-07-18 16:31:40 +08:00 · aebbc1f4f4
commit aebbc1f4f4
parent ee96d788da
2 changed files with 145 additions and 1 deletions
--- a/CVE-2021-29988.patch
+++ b/CVE-2021-29988.patch
@ -0,0 +1,139 @@
+From 52d20e23934d31541e8da0a0fcfc88622db6c695 Mon Sep 17 00:00:00 2001
+From: Emilio Cobos Álvarez <emilio@crisal.io>
+Date: Thu, 18 Jul 2024 16:23:41 +0800
+Subject: [PATCH] Blockify outside markers at used value time rather than at computed value time. r=jfkthame, a=pascal
+
+---
+ layout/base/nsCSSFrameConstructor.cpp         | 28 ++++++++++++++++---
+ layout/base/nsCSSFrameConstructor.h           |  5 +++-
+ .../components/style/values/specified/box.rs  |  6 ++++
+ servo/ports/geckolib/glue.rs                  | 10 +++++++
+ 4 files changed, 44 insertions(+), 5 deletions(-)
+
+diff --git a/layout/base/nsCSSFrameConstructor.cpp b/layout/base/nsCSSFrameConstructor.cpp
+index f9e5162c56..d18c1643cb 100644
+--- a/layout/base/nsCSSFrameConstructor.cpp
+++ b/layout/base/nsCSSFrameConstructor.cpp
+@@ -1613,7 +1613,8 @@ already_AddRefed<nsIContent> nsCSSFrameConstructor::CreateGeneratedContent(
+ void nsCSSFrameConstructor::CreateGeneratedContentItem(
+     nsFrameConstructorState& aState, nsContainerFrame* aParentFrame,
+     Element& aOriginatingElement, ComputedStyle& aStyle,
+-    PseudoStyleType aPseudoElement, FrameConstructionItemList& aItems) {
+    PseudoStyleType aPseudoElement, FrameConstructionItemList& aItems,
+    ItemFlags aExtraFlags) {
+   MOZ_ASSERT(aPseudoElement == PseudoStyleType::before ||
+                  aPseudoElement == PseudoStyleType::after ||
+                  aPseudoElement == PseudoStyleType::marker,
+@@ -1720,9 +1721,11 @@ void nsCSSFrameConstructor::CreateGeneratedContentItem(
+     }
+   }
+ 
+  auto flags = ItemFlags{ItemFlag::IsGeneratedContent} + aExtraFlags;
+
+   AddFrameConstructionItemsInternal(aState, container, aParentFrame, true,
+-                                    pseudoStyle, {ItemFlag::IsGeneratedContent},
+-                                    aItems);
+                                    pseudoStyle, flags, aItems);
+
+ }
+ 
+ /****************************************************
+@@ -5268,6 +5271,17 @@ nsCSSFrameConstructor::FindElementData(const Element& aElement,
+     return &sImgData;
+   }
+ 
+  const bool shouldBlockify = aFlags.contains(ItemFlag::IsForOutsideMarker);
+  if (shouldBlockify && !aStyle.StyleDisplay()->IsBlockOutsideStyle()) {
+    // Make a temp copy of StyleDisplay and blockify its mDisplay value.
+    auto display = *aStyle.StyleDisplay();
+    bool isRootElement = false;
+    uint16_t rawDisplayValue =
+        Servo_ComputedValues_BlockifiedDisplay(&aStyle, isRootElement);
+    display.mDisplay = StyleDisplay(rawDisplayValue);
+    return FindDisplayData(display, aElement);
+  }
+
+   const auto& display = *aStyle.StyleDisplay();
+   return FindDisplayData(display, aElement);
+ }
+@@ -9522,9 +9536,15 @@ void nsCSSFrameConstructor::ProcessChildren(
+           !styleParentFrame->IsFieldSetFrame()) {
+         isOutsideMarker = computedStyle->StyleList()->mListStylePosition ==
+                           NS_STYLE_LIST_STYLE_POSITION_OUTSIDE;
+        ItemFlags extraFlags;
+        if (isOutsideMarker) {
+          extraFlags += ItemFlag::IsForOutsideMarker;
+        }
+
+         CreateGeneratedContentItem(aState, aFrame, *aContent->AsElement(),
+                                    *computedStyle, PseudoStyleType::marker,
+-                                   itemsToConstruct);
+                                   itemsToConstruct, extraFlags);
+
+       }
+       // Probe for generated content before
+       CreateGeneratedContentItem(aState, aFrame, *aContent->AsElement(),
+diff --git a/layout/base/nsCSSFrameConstructor.h b/layout/base/nsCSSFrameConstructor.h
+index 053674bcaf..1347eaf628 100644
+--- a/layout/base/nsCSSFrameConstructor.h
+++ b/layout/base/nsCSSFrameConstructor.h
+@@ -369,6 +369,8 @@ class nsCSSFrameConstructor final : public nsFrameManager {
+     AllowTextPathChild,
+     // The item is content created by an nsIAnonymousContentCreator frame.
+     IsAnonymousContentCreatorContent,
+    // This will be an outside ::marker.
+    IsForOutsideMarker,
+   };
+ 
+   using ItemFlags = mozilla::EnumSet<ItemFlag>;
+@@ -457,7 +459,8 @@ class nsCSSFrameConstructor final : public nsFrameManager {
+                                   nsContainerFrame* aParentFrame,
+                                   Element& aOriginatingElement, ComputedStyle&,
+                                   PseudoStyleType aPseudoElement,
+-                                  FrameConstructionItemList& aItems);
+                                  FrameConstructionItemList& aItems,
+                                  ItemFlags aExtraFlags = {});
+ 
+   // This method is called by ContentAppended() and ContentRangeInserted() when
+   // appending flowed frames to a parent's principal child list. It handles the
+diff --git a/servo/components/style/values/specified/box.rs b/servo/components/style/values/specified/box.rs
+index 6fc86b4867..a43b0e18ba 100644
+--- a/servo/components/style/values/specified/box.rs
+++ b/servo/components/style/values/specified/box.rs
+@@ -277,6 +277,12 @@ impl Display {
+         .unwrap()
+     }
+ 
+    /// Returns the raw underlying u16 value.
+    #[inline]
+    pub fn to_u16(&self) -> u16 {
+        self.0
+    }
+
+     /// Whether this is `display: inline` (or `inline list-item`).
+     #[inline]
+     pub fn is_inline_flow(&self) -> bool {
+diff --git a/servo/ports/geckolib/glue.rs b/servo/ports/geckolib/glue.rs
+index 9f89aa0cb8..eede9c0185 100644
+--- a/servo/ports/geckolib/glue.rs
+++ b/servo/ports/geckolib/glue.rs
+@@ -4017,6 +4017,16 @@ pub extern "C" fn Servo_ComputedValues_HasOverriddenAppearance(
+         })
+ }
+ 
+#[no_mangle]
+pub extern "C" fn Servo_ComputedValues_BlockifiedDisplay(
+    style: &ComputedValues,
+    is_root_element : bool,
+) -> u16 {
+    let display = style.get_box().clone_display();
+    let blockified_display = display.equivalent_block_display(is_root_element);
+    blockified_display.to_u16()
+}
+
+ #[no_mangle]
+ pub extern "C" fn Servo_StyleSet_Init(doc: &structs::Document) -> *mut RawServoStyleSet {
+     let data = Box::new(PerDocumentStyleData::new(doc));
+-- 
+2.27.0
+
--- a/firefox.spec
+++ b/firefox.spec
@ -88,7 +88,7 @@
 Summary:             Mozilla Firefox Web browser
 Name:                firefox
 Version:             79.0
-Release:             27
+Release:             28
 URL:                 https://www.mozilla.org/firefox/
 License:             MPLv1.1 or GPLv2+ or LGPLv2+
 Source0:             https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@ -208,6 +208,7 @@ Patch664:            CVE-2020-15675.patch
 Patch665:            CVE-2021-23972.patch
 Patch666:            CVE-2021-23954.patch
 Patch667:            CVE-2021-29984.patch
+Patch668:            CVE-2021-29988.patch

 %if %{?system_nss}
 BuildRequires:       pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
@ -410,6 +411,7 @@ tar -xf %{SOURCE3}
 %patch665 -p1
 %patch666 -p1
 %patch667 -p1
+%patch668 -p1

 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
@ -858,6 +860,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif

 %changelog
+* Thu Jul 18 2024 technology208 <technology@208suo.com> - 79.0-28
+- Fix CVE-2021-29988
+
 * Mon Jul 15 2024 technology208 <technology@208suo.com> - 79.0-27
 - Fix CVE-2021-29984