File mozilla-bmo1436242.patch of Package MozillaFirefox.11622

# HG changeset patch
# User msirringhaus@suse.de
# Date 1558421128 -7200
#      Tue May 21 08:45:28 2019 +0200
# Node ID c7bd9330978c828c02a1e77b736c0ef8a7697747
# Parent  f89b77ac9b345f0c1b7868b38639836eba200a66
https://bugzilla.redhat.com/show_bug.cgi?id=1577277
https://hg.mozilla.org/mozilla-central/rev/6bb3adfa15c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1436242

diff -r f89b77ac9b34 -r c7bd9330978c ipc/chromium/src/chrome/common/ipc_channel_posix.cc
--- a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc	Wed Feb 28 13:57:52 2018 +0100
+++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc	Tue May 21 08:45:28 2019 +0200
@@ -412,10 +412,27 @@
       fds = wire_fds;
       num_fds = num_wire_fds;
     } else {
-      const size_t prev_size = input_overflow_fds_.size();
-      input_overflow_fds_.resize(prev_size + num_wire_fds);
-      memcpy(&input_overflow_fds_[prev_size], wire_fds,
-             num_wire_fds * sizeof(int));
+      // This code may look like a no-op in the case where
+      // num_wire_fds == 0, but in fact:
+      //
+      // 1. wire_fds will be nullptr, so passing it to memcpy is
+      // undefined behavior according to the C standard, even though
+      // the memcpy length is 0.
+      //
+      // 2. prev_size will be an out-of-bounds index for
+      // input_overflow_fds_; this is undefined behavior according to
+      // the C++ standard, even though the element only has its
+      // pointer taken and isn't accessed (and the corresponding
+      // operation on a C array would be defined).
+      //
+      // UBSan makes #1 a fatal error, and assertions in libstdc++ do
+      // the same for #2 if enabled.
+      if (num_wire_fds > 0) {
+        const size_t prev_size = input_overflow_fds_.size();
+        input_overflow_fds_.resize(prev_size + num_wire_fds);
+        memcpy(&input_overflow_fds_[prev_size], wire_fds,
+               num_wire_fds * sizeof(int));
+      }
       fds = &input_overflow_fds_[0];
       num_fds = input_overflow_fds_.size();
     }
openSUSE Build Service is sponsored by