From 7052929dc188bae9c7077ede33e4a0a90eae6157 Mon Sep 17 00:00:00 2001
From: technology208
Date: Wed, 10 Jul 2024 15:20:59 +0800
Subject: [PATCH] Fix CVE-2022-45406
---
 CVE-2022-45406.patch | 87 ++++++++++++++++++++++++++++++++++++++++++++
 firefox.spec | 7 +++-
 2 files changed, 93 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2022-45406.patch
diff --git a/CVE-2022-45406.patch b/CVE-2022-45406.patch
new file mode 100644
index 0000000..08da043
--- /dev/null
+++ b/CVE-2022-45406.patch
@@ -0,0 +1,87 @@
+From 8b89c26a5f451577d146b45006af87b8da51afd7 Mon Sep 17 00:00:00 2001
+From: Jon Coppeard
+Date: Wed, 10 Jul 2024 15:01:49 +0800
+Subject: [PATCH] Don't sweep realms that were allocated during incremental GC r=jandem
+
+---
+ js/src/gc/GC.cpp | 4 ++++
+ js/src/vm/Realm-inl.h | 12 +++++++++---
+ js/src/vm/Realm.cpp | 2 ++
+ js/src/vm/Realm.h | 3 ++-
+ 4 files changed, 17 insertions(+), 4 deletions(-)
+
+diff --git a/js/src/gc/GC.cpp b/js/src/gc/GC.cpp
+index 59b56f297a..a30e9fdbdc 100644
+--- a/js/src/gc/GC.cpp
++++ b/js/src/gc/GC.cpp
+@@ -6365,6 +6365,10 @@ void GCRuntime::finishCollection() {
+ zone->notifyObservingDebuggers();
+ zone->updateGCStartThresholds(*this, invocationKind, lock);
+ zone->arenas.checkGCStateNotInUse();
++ for (RealmsInZoneIter realm(zone); !realm.done(); realm.next()) {
++ realm->clearAllocatedDuringGC();
++ }
++
+ }
+ }
+
+diff --git a/js/src/vm/Realm-inl.h b/js/src/vm/Realm-inl.h
+index 4672d976ad..4f7a000f5a 100644
+--- a/js/src/vm/Realm-inl.h
++++ b/js/src/vm/Realm-inl.h
+@@ -46,9 +46,15 @@ inline bool JS::Realm::hasLiveGlobal() const {
+ }
+
+ inline bool JS::Realm::marked() const {
+- // Preserve this Realm if it has a live global or if it has been entered (to
+- // ensure we don't destroy the Realm while we're allocating its global).
+- return hasLiveGlobal() || hasBeenEnteredIgnoringJit();
++ // The Realm survives in the following cases:
++ // - its global is live
++ // - it has been entered (to ensure we don't destroy the Realm while we're
++ // allocating its global)
++ // - it was allocated after the start of an incremental GC (as there may be
++ // pointers to it from other GC things)
++ return hasLiveGlobal() || hasBeenEnteredIgnoringJit() ||
++ allocatedDuringIncrementalGC_;
++
+ }
+
+ /* static */ inline js::ObjectRealm& js::ObjectRealm::get(const JSObject* obj) {
+diff --git a/js/src/vm/Realm.cpp b/js/src/vm/Realm.cpp
+index 29a9f14d8d..64d727f191 100644
+--- a/js/src/vm/Realm.cpp
++++ b/js/src/vm/Realm.cpp
+@@ -59,6 +59,8 @@ Realm::Realm(Compartment* comp, const JS::RealmOptions& options)
+ varNames_(zone_),
+ randomKeyGenerator_(runtime_->forkRandomKeyGenerator()),
+ debuggers_(zone_),
++ allocatedDuringIncrementalGC_(zone_->isGCMarkingOrSweeping() ||
++ zone_->isGCFinished()),
+ wasm(runtime_) {
+ MOZ_ASSERT_IF(creationOptions_.mergeable(),
+ creationOptions_.invisibleToDebugger());
+diff --git a/js/src/vm/Realm.h b/js/src/vm/Realm.h
+index 591ac3feab..de7b8204b2 100644
+--- a/js/src/vm/Realm.h
++++ b/js/src/vm/Realm.h
+@@ -427,7 +427,7 @@ class JS::Realm : public JS::shadow::Realm {
+
+ bool isSelfHostingRealm_ = false;
+ bool isSystem_ = false;
+-
++ bool allocatedDuringIncrementalGC_;
+ js::UniquePtr lcovRealm_ = nullptr;
+
+ public:
+@@ -656,6 +656,7 @@ class JS::Realm : public JS::shadow::Realm {
+ }
+
+ inline bool marked() const;
++ void clearAllocatedDuringGC() { allocatedDuringIncrementalGC_ = false; }
+
+ /*
+ * The principals associated with this realm. Note that the same several
+--
+2.27.0
+
diff --git a/firefox.spec b/firefox.spec
index 4202a59..67e9387 100644
--- a/firefox.spec
+++ b/firefox.spec
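Review bot: The new `allocatedDuringIncrementalGC_` member in the Realm.h hunk has neither an in-class initializer nor a comment, unlike the neighbouring `isSelfHostingRealm_`, `isSystem_` and `lcovRealm_` members, even though it is the bit that keeps an otherwise-unmarked realm alive in `marked()` until `finishCollection()` clears it. Suggest `bool allocatedDuringIncrementalGC_ = false;  // Set by the ctor when the zone is marking/sweeping/finished; keeps the realm alive in marked() until finishCollection() clears it.` so the invariant is visible where the field is declared rather than only in the Realm-inl.h comment. The nested hunks cut into the middle of `GCRuntime::finishCollection()` and the `JS::Realm` class, so the rest of those bodies is outside this patch. Since this backports a later upstream change onto a 79.0 tree, it is worth confirming at build time that `Zone::isGCMarkingOrSweeping()`, `Zone::isGCFinished()` and `RealmsInZoneIter` exist there, and noting that the inner patch's `Date:` header is the backport date rather than the upstream commit's.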
@@ -88,7 +88,7 @@
 Summary: Mozilla Firefox Web browser
 Name: firefox
 Version: 79.0
-Release: 24
+Release: 25
 URL: https://www.mozilla.org/firefox/
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz
@@ -203,6 +203,7 @@ Patch659: CVE-2021-29946.patch
 Patch660: CVE-2022-34481.patch
 Patch661: CVE-2020-26979.patch
 Patch662: CVE-2023-6209.patch
+Patch663: CVE-2022-45406.patch
 %if %{?system_nss}
 BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version}
@@ -400,6 +401,7 @@ tar -xf %{SOURCE3}
 %patch660 -p1
 %patch661 -p1
 %patch662 -p1
+%patch663 -p1
 %{__rm} -f .mozconfig
 %{__cp} %{SOURCE10} .mozconfig
@@ -848,6 +850,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %endif
 %changelog
+* Wed Jul 10 2024 technology208 - 79.0-25
+- Fix CVE-2022-45406
+
 * Wed Jun 5 2024 lvfei - 79.0-24
 - Fix CVE-2023-6209
-- 
Gitee