From 623b31ca5c4bab1717988e2102612a81ad9c3a09 Mon Sep 17 00:00:00 2001
From: lvfei <lvfei@kylinos.cn>
Date: Mon, 4 Mar 2024 15:15:08 +0800
Subject: [PATCH 1/2] Fix CVE-2022-22755

---
 CVE-2022-22755.patch | 232 +++++++++++++++++++++++++++++++++++++++++++
 firefox.spec         |   7 +-
 2 files changed, 238 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-22755.patch

diff --git a/CVE-2022-22755.patch b/CVE-2022-22755.patch
new file mode 100644
index 0000000..ee76a4e
--- /dev/null
+++ b/CVE-2022-22755.patch
@@ -0,0 +1,232 @@
+From 309ddf3970408bb3cf21a2eeee31104452bddc67 Mon Sep 17 00:00:00 2001
+From: lvfei <lvfei@kylinos.cn>
+Date: Mon, 15 May 2023 09:52:46 +0800
+Subject: [PATCH] CVE-2022-22755
+
+---
+ dom/xslt/xslt/txExecutionState.cpp       |   7 +-
+ dom/xslt/xslt/txExecutionState.h         |   5 +-
+ dom/xslt/xslt/txMozillaXSLTProcessor.cpp | 101 ++++++++++++++++++++++-
+ dom/xslt/xslt/txXSLTProcessor.cpp        |  25 ++++--
+ 4 files changed, 126 insertions(+), 12 deletions(-)
+
+diff --git a/dom/xslt/xslt/txExecutionState.cpp b/dom/xslt/xslt/txExecutionState.cpp
+index a4e7609dfc..8d849886ac 100644
+--- a/dom/xslt/xslt/txExecutionState.cpp
++++ b/dom/xslt/xslt/txExecutionState.cpp
+@@ -417,7 +417,12 @@ txExecutionState::TemplateRule* txExecutionState::getCurrentTemplateRule() {
+   return &mTemplateRules[mTemplateRules.Length() - 1];
+ }
+ 
+-txInstruction* txExecutionState::getNextInstruction() {
++mozilla::Result<txInstruction*, nsresult>
++txExecutionState::getNextInstruction() {
++  if (mStopProcessing) {
++    return mozilla::Err(NS_ERROR_FAILURE);
++  }
++  
+   txInstruction* instr = mNextInstruction;
+   if (instr) {
+     mNextInstruction = instr->mNext.get();
+diff --git a/dom/xslt/xslt/txExecutionState.h b/dom/xslt/xslt/txExecutionState.h
+index 7d91df704e..c4b15edd60 100644
+--- a/dom/xslt/xslt/txExecutionState.h
++++ b/dom/xslt/xslt/txExecutionState.h
+@@ -17,6 +17,7 @@
+ #include "txStylesheet.h"
+ #include "txXPathTreeWalker.h"
+ #include "nsTArray.h"
++#include "mozilla/Result.h"
+ 
+ class txAOutputHandlerFactory;
+ class txAXMLEventHandler;
+@@ -115,13 +116,14 @@ class txExecutionState : public txIMatchContext {
+   }
+ 
+   // state-modification functions
+-  txInstruction* getNextInstruction();
++  mozilla::Result<txInstruction*, nsresult> getNextInstruction();
+   nsresult runTemplate(txInstruction* aInstruction);
+   nsresult runTemplate(txInstruction* aInstruction, txInstruction* aReturnTo);
+   void gotoInstruction(txInstruction* aNext);
+   void returnFromTemplate();
+   nsresult bindVariable(const txExpandedName& aName, txAExprResult* aValue);
+   void removeVariable(const txExpandedName& aName);
++  void stopProcessing() { mStopProcessing = true; }
+ 
+   txAXMLEventHandler* mOutputHandler;
+   txAXMLEventHandler* mResultHandler;
+@@ -156,6 +158,7 @@ class txExecutionState : public txIMatchContext {
+   txKeyHash mKeyHash;
+   RefPtr<txResultRecycler> mRecycler;
+   bool mDisableLoads;
++  bool mStopProcessing = false;
+ 
+   static const int32_t kMaxRecursionDepth;
+ };
+diff --git a/dom/xslt/xslt/txMozillaXSLTProcessor.cpp b/dom/xslt/xslt/txMozillaXSLTProcessor.cpp
+index 1b22b1caf0..5d810471b6 100644
+--- a/dom/xslt/xslt/txMozillaXSLTProcessor.cpp
++++ b/dom/xslt/xslt/txMozillaXSLTProcessor.cpp
+@@ -538,6 +538,80 @@ already_AddRefed<Document> txMozillaXSLTProcessor::TransformToDocument(
+   return doc.forget();
+ }
+ 
++class XSLTProcessRequest final : public nsIRequest {
++ public:
++  explicit XSLTProcessRequest(txExecutionState* aState) : mState(aState) {}
++
++  NS_DECL_ISUPPORTS
++  NS_DECL_NSIREQUEST
++
++  void Done() { mState = nullptr; }
++
++ private:
++  ~XSLTProcessRequest() {}
++  txExecutionState* mState;
++};
++NS_IMPL_ISUPPORTS(XSLTProcessRequest, nsIRequest)
++
++NS_IMETHODIMP
++XSLTProcessRequest::GetName(nsACString& aResult) {
++  aResult.AssignLiteral("about:xslt-load-blocker");
++  return NS_OK;
++}
++
++NS_IMETHODIMP
++XSLTProcessRequest::IsPending(bool* _retval) {
++  *_retval = true;
++  return NS_OK;
++}
++
++NS_IMETHODIMP
++XSLTProcessRequest::GetStatus(nsresult* status) {
++  *status = NS_OK;
++  return NS_OK;
++}
++
++NS_IMETHODIMP
++XSLTProcessRequest::Cancel(nsresult status) {
++  mState->stopProcessing();
++  return NS_OK;
++}
++
++NS_IMETHODIMP
++XSLTProcessRequest::Suspend(void) { return NS_OK; }
++
++NS_IMETHODIMP
++XSLTProcessRequest::Resume(void) { return NS_OK; }
++
++NS_IMETHODIMP
++XSLTProcessRequest::GetLoadGroup(nsILoadGroup** aLoadGroup) {
++  *aLoadGroup = nullptr;
++  return NS_OK;
++}
++
++NS_IMETHODIMP
++XSLTProcessRequest::SetLoadGroup(nsILoadGroup* aLoadGroup) { return NS_OK; }
++
++NS_IMETHODIMP
++XSLTProcessRequest::GetLoadFlags(nsLoadFlags* aLoadFlags) {
++  *aLoadFlags = nsIRequest::LOAD_NORMAL;
++  return NS_OK;
++}
++
++NS_IMETHODIMP
++XSLTProcessRequest::SetLoadFlags(nsLoadFlags aLoadFlags) { return NS_OK; }
++
++NS_IMETHODIMP
++XSLTProcessRequest::GetTRRMode(nsIRequest::TRRMode* aTRRMode) {
++  return GetTRRModeImpl(aTRRMode);
++}
++
++NS_IMETHODIMP
++XSLTProcessRequest::SetTRRMode(nsIRequest::TRRMode aTRRMode) {
++  return SetTRRModeImpl(aTRRMode);
++}
++
++
+ nsresult txMozillaXSLTProcessor::TransformToDoc(Document** aResult,
+                                                 bool aCreateDataDocument) {
+   UniquePtr<txXPathNode> sourceNode(
+@@ -548,11 +622,31 @@ nsresult txMozillaXSLTProcessor::TransformToDoc(Document** aResult,
+ 
+   txExecutionState es(mStylesheet, IsLoadDisabled());
+ 
++  Document* sourceDoc = mSource->OwnerDoc();
++  nsCOMPtr<nsILoadGroup> loadGroup = sourceDoc->GetDocumentLoadGroup();
++  if (!loadGroup) {
++    nsCOMPtr<nsPIDOMWindowInner> win = do_QueryInterface(mOwner);
++    if (win && win->IsCurrentInnerWindow()) {
++      Document* doc = win->GetDoc();
++      if (doc) {
++        loadGroup = doc->GetDocumentLoadGroup();
++      }
++    }
++
++    if (!loadGroup) {
++      return NS_ERROR_FAILURE;
++    }
++  }
++
++  RefPtr<XSLTProcessRequest> xsltProcessRequest = new XSLTProcessRequest(&es);
++  loadGroup->AddRequest(xsltProcessRequest, nullptr);
++
++
+   // XXX Need to add error observers
+ 
+   // If aResult is non-null, we're a data document
+-  txToDocHandlerFactory handlerFactory(&es, mSource->OwnerDoc(), mObserver,
+-                                       aCreateDataDocument);
++  txToDocHandlerFactory handlerFactory(&es, sourceDoc, mObserver,                                     
++                   aCreateDataDocument);
+   es.mOutputHandlerFactory = &handlerFactory;
+ 
+   nsresult rv = es.init(*sourceNode, &mVariables);
+@@ -562,6 +656,9 @@ nsresult txMozillaXSLTProcessor::TransformToDoc(Document** aResult,
+     rv = txXSLTProcessor::execute(es);
+   }
+ 
++   xsltProcessRequest->Done();
++   loadGroup->RemoveRequest(xsltProcessRequest, nullptr, NS_OK);
++  
+   nsresult endRv = es.end(rv);
+   if (NS_SUCCEEDED(rv)) {
+     rv = endRv;
+diff --git a/dom/xslt/xslt/txXSLTProcessor.cpp b/dom/xslt/xslt/txXSLTProcessor.cpp
+index dfcdeb5595..4a5117efcf 100644
+--- a/dom/xslt/xslt/txXSLTProcessor.cpp
++++ b/dom/xslt/xslt/txXSLTProcessor.cpp
+@@ -31,12 +31,21 @@ void txXSLTProcessor::shutdown() { txHandlerTable::shutdown(); }
+ 
+ /* static */
+ nsresult txXSLTProcessor::execute(txExecutionState& aEs) {
+-  nsresult rv = NS_OK;
+-  txInstruction* instr;
+-  while ((instr = aEs.getNextInstruction())) {
+-    rv = instr->execute(aEs);
+-    NS_ENSURE_SUCCESS(rv, rv);
+-  }
+-
+-  return NS_OK;
++    
++   nsresult rv;
++   do {
++     mozilla::Result<txInstruction*, nsresult> result = aEs.getNextInstruction();
++   	 if (result.isErr()) {
++      return result.unwrapErr();
++    	}
++
++      txInstruction* instr = result.unwrap();
++      if (!instr) {
++      return NS_OK;
++      }
++
++   rv = instr->execute(aEs);
++  } while (NS_SUCCEEDED(rv));    
++
++  return rv;
+ }
+-- 
+2.27.0
+
diff --git a/firefox.spec b/firefox.spec
index 779a674..11dbbc5 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -88,7 +88,7 @@
 Summary:             Mozilla Firefox Web browser
 Name:                firefox
 Version:             79.0
-Release:             15
+Release:             16
 URL:                 https://www.mozilla.org/firefox/
 License:             MPLv1.1 or GPLv2+ or LGPLv2+
 Source0:             https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@@ -194,6 +194,7 @@ Patch651:            CVE-2023-4863-2.patch
 # https://hg.mozilla.org/mozilla-central/raw-rev/c53f5ef77b62b79af86951a7f9130e1896b695d2
 Patch652:            CVE-2023-5217.patch
 Patch653:            CVE-2023-7104.patch
+Patch654:            CVE-2022-22755.patch
 
 
 
@@ -384,6 +385,7 @@ tar -xf %{SOURCE3}
 %patch651 -p1
 %patch652 -p1
 %patch653 -p1
+%patch654 -p1
 
 
 %{__rm} -f .mozconfig
@@ -833,6 +835,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif
 
 %changelog
+* Mon Mar 04 2024 lvfei <lvfei@kylinos.cn>  - 79.0-16
+- fix CVE-2022-22755
+
 * Tue Jan 02 2024 wangkai <13474090681@163.com> - 79.0-15
 - Fix CVE-2023-7104
 
-- 
Gitee


From 261ca2fccac7b37962ff9f6cc94484ed07724077 Mon Sep 17 00:00:00 2001
From: lvfei <lvfei@kylinos.cn>
Date: Wed, 6 Mar 2024 01:42:07 +0000
Subject: [PATCH 2/2] update CVE-2022-22755.patch.

Signed-off-by: lvfei <lvfei@kylinos.cn>
---
 CVE-2022-22755.patch | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/CVE-2022-22755.patch b/CVE-2022-22755.patch
index ee76a4e..1c045eb 100644
--- a/CVE-2022-22755.patch
+++ b/CVE-2022-22755.patch
@@ -1,6 +1,6 @@
 From 309ddf3970408bb3cf21a2eeee31104452bddc67 Mon Sep 17 00:00:00 2001
-From: lvfei <lvfei@kylinos.cn>
-Date: Mon, 15 May 2023 09:52:46 +0800
+From: Peter Van der Beken <peterv@propagandism.org>
+Date: Tue, 21 Dec 2021 17:56:02 +0000 (2021-12-22)
 Subject: [PATCH] CVE-2022-22755
 
 ---
-- 
Gitee