# HG changeset patch
# User msirringhaus@suse.de
# Date 1560926145 -7200
# Wed Jun 19 08:35:45 2019 +0200
# Node ID 1f6f73d1f75eb81fc98ff51827df2ef52f4904e4
# Parent 8ba5f9a48bebbcd43f159035449544313ab056eb
https://bugzilla.redhat.com/show_bug.cgi?id=1577277
https://hg.mozilla.org/mozilla-central/rev/6bb3adfa15c6
https://bugzilla.mozilla.org/show_bug.cgi?id=1436242
diff -r 8ba5f9a48beb -r 1f6f73d1f75e ipc/chromium/src/chrome/common/ipc_channel_posix.cc
--- a/ipc/chromium/src/chrome/common/ipc_channel_posix.cc Wed Feb 28 13:57:52 2018 +0100
+++ b/ipc/chromium/src/chrome/common/ipc_channel_posix.cc Wed Jun 19 08:35:45 2019 +0200
@@ -412,10 +412,27 @@
fds = wire_fds;
num_fds = num_wire_fds;
} else {
- const size_t prev_size = input_overflow_fds_.size();
- input_overflow_fds_.resize(prev_size + num_wire_fds);
- memcpy(&input_overflow_fds_[prev_size], wire_fds,
- num_wire_fds * sizeof(int));
+ // This code may look like a no-op in the case where
+ // num_wire_fds == 0, but in fact:
+ //
+ // 1. wire_fds will be nullptr, so passing it to memcpy is
+ // undefined behavior according to the C standard, even though
+ // the memcpy length is 0.
+ //
+ // 2. prev_size will be an out-of-bounds index for
+ // input_overflow_fds_; this is undefined behavior according to
+ // the C++ standard, even though the element only has its
+ // pointer taken and isn't accessed (and the corresponding
+ // operation on a C array would be defined).
+ //
+ // UBSan makes #1 a fatal error, and assertions in libstdc++ do
+ // the same for #2 if enabled.
+ if (num_wire_fds > 0) {
+ const size_t prev_size = input_overflow_fds_.size();
+ input_overflow_fds_.resize(prev_size + num_wire_fds);
+ memcpy(&input_overflow_fds_[prev_size], wire_fds,
+ num_wire_fds * sizeof(int));
+ }
fds = &input_overflow_fds_[0];
num_fds = input_overflow_fds_.size();
}
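Review bot: The `&input_overflow_fds_[0]` on the line after the new guard is the same out-of-bounds-index pattern the added comment describes as UB (#2), and it is now reachable with an empty vector whenever num_wire_fds == 0 and nothing accumulated earlier, unless the enclosing condition outside the hunk already guarantees the vector is non-empty on this branch. `input_overflow_fds_.data()` is well-defined for an empty vector, so `fds = input_overflow_fds_.data();` removes the dependency on that invariant at no cost. While here, `num_wire_fds * sizeof(int)` assumes the element type of input_overflow_fds_; `num_wire_fds * sizeof(input_overflow_fds_[0])` keeps the copy length tied to the container. The enclosing function begins and ends outside this hunk, so the branch condition could not be checked here.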