From 9350cb564e82de05eaa4b9e9cfed48bae78a805f Mon Sep 17 00:00:00 2001
From: lvfei <lvfei@kylinos.cn>
Date: Tue, 14 May 2024 18:40:01 +0800
Subject: [PATCH] Fix CVE-2021-29946

---
 CVE-2021-29946.patch | 94 ++++++++++++++++++++++++++++++++++++++++++++
 firefox.spec         |  7 +++-
 2 files changed, 100 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2021-29946.patch

diff --git a/CVE-2021-29946.patch b/CVE-2021-29946.patch
new file mode 100644
index 0000000..bfbe5ef
--- /dev/null
+++ b/CVE-2021-29946.patch
@@ -0,0 +1,94 @@
+From e8f9f3b8869e7cd0db4f84d05ebb42c1ccd06395 Mon Sep 17 00:00:00 2001
+From: lvfei <lvfei@kylinos.cn>
+Date: Tue, 14 May 2024 18:34:26 +0800
+Subject: [PATCH] test
+
+---
+ netwerk/base/nsIOService.cpp     |  2 +-
+ netwerk/test/unit/test_altsvc.js | 57 ++++++++++++++++++++++++++++++++
+ 2 files changed, 58 insertions(+), 1 deletion(-)
+
+diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp
+index 79abb1310f..f72cdf02b8 100644
+--- a/netwerk/base/nsIOService.cpp
++++ b/netwerk/base/nsIOService.cpp
+@@ -1406,7 +1406,7 @@ nsIOService::AllowPort(int32_t inPort, const char* scheme, bool* _retval) {
+     return NS_OK;
+   }
+ 
+-  if (port == 0) {
++  if (port <= 0 || port >= std::numeric_limits<uint16_t>::max()) {
+     *_retval = false;
+     return NS_OK;
+   }
+diff --git a/netwerk/test/unit/test_altsvc.js b/netwerk/test/unit/test_altsvc.js
+index 57d4357cb3..4c4eaba6b6 100644
+--- a/netwerk/test/unit/test_altsvc.js
++++ b/netwerk/test/unit/test_altsvc.js
+@@ -468,6 +468,63 @@ function doTest16() {
+       do_test_finished();
+     },
+   });
++  nextTest = doTest19;
+   do_test_pending();
+   doTest();
+ }
++
++// Check we don't connect to blocked ports
++function doTest19() {
++  dump("doTest19()\n");
++  origin = httpFooOrigin;
++  nextTest = testsDone;
++  otherServer = Cc["@mozilla.org/network/server-socket;1"].createInstance(
++    Ci.nsIServerSocket
++  );
++  const BAD_PORT_U32 = 6667 + 65536;
++  otherServer.init(BAD_PORT_U32, true, -1);
++  Assert.ok(otherServer.port == 6667, "Trying to listen on port 6667");
++  xaltsvc = "localhost:" + BAD_PORT_U32;
++  dump("Blocked port: " + otherServer.port);
++  waitFor = 500;
++  otherServer.asyncListen({
++    onSocketAccepted() {
++      Assert.ok(false, "Got connection to socket when we didn't expect it!");
++    },
++    onStopListening() {
++      // We get closed when the entire file is done, which guarantees we get the socket accept
++      // if we do connect to the alt-svc header
++      do_test_finished();
++    },
++  });
++  nextTest = doTest20;
++  do_test_pending();
++  doTest();
++}
++function doTest20() {
++  dump("doTest20()\n");
++  origin = httpFooOrigin;
++  nextTest = testsDone;
++  otherServer = Cc["@mozilla.org/network/server-socket;1"].createInstance(
++    Ci.nsIServerSocket
++  );
++  const BAD_PORT_U64 = 6666 + 429496729;
++  otherServer.init(6666, true, -1);
++  Assert.ok(otherServer.port == 6666, "Trying to listen on port 6666");
++  xaltsvc = "localhost:" + BAD_PORT_U64;
++  dump("Blocked port: " + otherServer.port);
++  waitFor = 500;
++  otherServer.asyncListen({
++    onSocketAccepted() {
++      Assert.ok(false, "Got connection to socket when we didn't expect it!");
++    },
++    onStopListening() {
++      // We get closed when the entire file is done, which guarantees we get the socket accept
++      // if we do connect to the alt-svc header
++      do_test_finished();
++    },
++  });
++  do_test_pending();
++  doTest();
++}
++
+-- 
+2.27.0
+
diff --git a/firefox.spec b/firefox.spec
index 4fd4134..d1e557b 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -88,7 +88,7 @@
 Summary:             Mozilla Firefox Web browser
 Name:                firefox
 Version:             79.0
-Release:             20
+Release:             21
 URL:                 https://www.mozilla.org/firefox/
 License:             MPLv1.1 or GPLv2+ or LGPLv2+
 Source0:             https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@@ -199,6 +199,7 @@ Patch655:            CVE-2022-1802.patch
 Patch656:            CVE-2023-44488.patch
 Patch657:            CVE-2020-26950.patch
 Patch658:            CVE-2020-26971.patch
+Patch659:            CVE-2021-29946.patch
 
 %if %{?system_nss}
 BuildRequires:       pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
@@ -392,6 +393,7 @@ tar -xf %{SOURCE3}
 %patch656 -p1
 %patch657 -p1
 %patch658 -p1
+%patch659 -p1
 
 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
@@ -840,6 +842,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif
 
 %changelog
+* Mon May 13 2024 lvfei <lvfei@kylinos.cn> - 79.0-21
+- Fix CVE-2021-29946.patch
+
 * Tue May 07 2024 lvfei <lvfei@kylinos.cn> - 79.0-20
 - Fix CVE-2020-26971
 
-- 
Gitee