From aebbc1f4f497ef7fa8a2f09c6e434901b9496aba Mon Sep 17 00:00:00 2001 From: technology208 Date: Thu, 18 Jul 2024 16:31:40 +0800 Subject: [PATCH] fix CVE-2021-29988 --- CVE-2021-29988.patch | 139 +++++++++++++++++++++++++++++++++++++++++++ firefox.spec | 7 ++- 2 files changed, 145 insertions(+), 1 deletion(-) create mode 100644 CVE-2021-29988.patch diff --git a/CVE-2021-29988.patch b/CVE-2021-29988.patch new file mode 100644 index 0000000..3ceeba4 --- /dev/null +++ b/CVE-2021-29988.patch 
@@ -0,0 +1,139 @@ +From 52d20e23934d31541e8da0a0fcfc88622db6c695 Mon Sep 17 00:00:00 2001 +From: Emilio Cobos Álvarez +Date: Thu, 18 Jul 2024 16:23:41 +0800 +Subject: [PATCH] Blockify outside markers at used value time rather than at computed value time. r=jfkthame, a=pascal + +--- + layout/base/nsCSSFrameConstructor.cpp | 28 ++++++++++++++++--- + layout/base/nsCSSFrameConstructor.h | 5 +++- + .../components/style/values/specified/box.rs | 6 ++++ + servo/ports/geckolib/glue.rs | 10 +++++++ + 4 files changed, 44 insertions(+), 5 deletions(-) + +diff --git a/layout/base/nsCSSFrameConstructor.cpp b/layout/base/nsCSSFrameConstructor.cpp +index f9e5162c56..d18c1643cb 100644 +--- a/layout/base/nsCSSFrameConstructor.cpp ++++ b/layout/base/nsCSSFrameConstructor.cpp +@@ -1613,7 +1613,8 @@ already_AddRefed nsCSSFrameConstructor::CreateGeneratedContent( + void nsCSSFrameConstructor::CreateGeneratedContentItem( + nsFrameConstructorState& aState, nsContainerFrame* aParentFrame, + Element& aOriginatingElement, ComputedStyle& aStyle, +- PseudoStyleType aPseudoElement, FrameConstructionItemList& aItems) { ++ PseudoStyleType aPseudoElement, FrameConstructionItemList& aItems, ++ ItemFlags aExtraFlags) { + MOZ_ASSERT(aPseudoElement == PseudoStyleType::before || + aPseudoElement == PseudoStyleType::after || + aPseudoElement == PseudoStyleType::marker, +@@ -1720,9 +1721,11 @@ void nsCSSFrameConstructor::CreateGeneratedContentItem( + } + } + ++ auto flags = ItemFlags{ItemFlag::IsGeneratedContent} + aExtraFlags; ++ + AddFrameConstructionItemsInternal(aState, container, aParentFrame, true, +- pseudoStyle, {ItemFlag::IsGeneratedContent}, +- aItems); ++ pseudoStyle, flags, aItems); ++ + } + + /**************************************************** +@@ -5268,6 +5271,17 @@ nsCSSFrameConstructor::FindElementData(const Element& aElement, + return &sImgData; + } + ++ const bool shouldBlockify = aFlags.contains(ItemFlag::IsForOutsideMarker); ++ if (shouldBlockify && 
!aStyle.StyleDisplay()->IsBlockOutsideStyle()) { ++ // Make a temp copy of StyleDisplay and blockify its mDisplay value. ++ auto display = *aStyle.StyleDisplay(); ++ bool isRootElement = false; ++ uint16_t rawDisplayValue = ++ Servo_ComputedValues_BlockifiedDisplay(&aStyle, isRootElement); ++ display.mDisplay = StyleDisplay(rawDisplayValue); ++ return FindDisplayData(display, aElement); ++ } ++ + const auto& display = *aStyle.StyleDisplay(); + return FindDisplayData(display, aElement); + } +@@ -9522,9 +9536,15 @@ void nsCSSFrameConstructor::ProcessChildren( + !styleParentFrame->IsFieldSetFrame()) { + isOutsideMarker = computedStyle->StyleList()->mListStylePosition == + NS_STYLE_LIST_STYLE_POSITION_OUTSIDE; ++ ItemFlags extraFlags; ++ if (isOutsideMarker) { ++ extraFlags += ItemFlag::IsForOutsideMarker; ++ } ++ + CreateGeneratedContentItem(aState, aFrame, *aContent->AsElement(), + *computedStyle, PseudoStyleType::marker, +- itemsToConstruct); ++ itemsToConstruct, extraFlags); ++ + } + // Probe for generated content before + CreateGeneratedContentItem(aState, aFrame, *aContent->AsElement(), +diff --git a/layout/base/nsCSSFrameConstructor.h b/layout/base/nsCSSFrameConstructor.h +index 053674bcaf..1347eaf628 100644 +--- a/layout/base/nsCSSFrameConstructor.h ++++ b/layout/base/nsCSSFrameConstructor.h +@@ -369,6 +369,8 @@ class nsCSSFrameConstructor final : public nsFrameManager { + AllowTextPathChild, + // The item is content created by an nsIAnonymousContentCreator frame. + IsAnonymousContentCreatorContent, ++ // This will be an outside ::marker. 
++ IsForOutsideMarker, + }; + + using ItemFlags = mozilla::EnumSet; +@@ -457,7 +459,8 @@ class nsCSSFrameConstructor final : public nsFrameManager { + nsContainerFrame* aParentFrame, + Element& aOriginatingElement, ComputedStyle&, + PseudoStyleType aPseudoElement, +- FrameConstructionItemList& aItems); ++ FrameConstructionItemList& aItems, ++ ItemFlags aExtraFlags = {}); + + // This method is called by ContentAppended() and ContentRangeInserted() when + // appending flowed frames to a parent's principal child list. It handles the +diff --git a/servo/components/style/values/specified/box.rs b/servo/components/style/values/specified/box.rs +index 6fc86b4867..a43b0e18ba 100644 +--- a/servo/components/style/values/specified/box.rs ++++ b/servo/components/style/values/specified/box.rs +@@ -277,6 +277,12 @@ impl Display { + .unwrap() + } + ++ /// Returns the raw underlying u16 value. ++ #[inline] ++ pub fn to_u16(&self) -> u16 { ++ self.0 ++ } ++ + /// Whether this is `display: inline` (or `inline list-item`). + #[inline] + pub fn is_inline_flow(&self) -> bool { +diff --git a/servo/ports/geckolib/glue.rs b/servo/ports/geckolib/glue.rs +index 9f89aa0cb8..eede9c0185 100644 +--- a/servo/ports/geckolib/glue.rs ++++ b/servo/ports/geckolib/glue.rs +@@ -4017,6 +4017,16 @@ pub extern "C" fn Servo_ComputedValues_HasOverriddenAppearance( + }) + } + ++#[no_mangle] ++pub extern "C" fn Servo_ComputedValues_BlockifiedDisplay( ++ style: &ComputedValues, ++ is_root_element : bool, ++) -> u16 { ++ let display = style.get_box().clone_display(); ++ let blockified_display = display.equivalent_block_display(is_root_element); ++ blockified_display.to_u16() ++} ++ + #[no_mangle] + pub extern "C" fn Servo_StyleSet_Init(doc: &structs::Document) -> *mut RawServoStyleSet { + let data = Box::new(PerDocumentStyleData::new(doc)); +-- +2.27.0 + diff --git a/firefox.spec b/firefox.spec index 2fd1ce1..e92aabf 100644 --- a/firefox.spec +++ b/firefox.spec 
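Review bot: The subject says blockification of outside markers moves from computed-value time to used-value time, but the visible hunks only add the used-value-time path (`IsForOutsideMarker` → `FindElementData` → `Servo_ComputedValues_BlockifiedDisplay`) and remove nothing from the style system; if the upstream changeset also dropped the computed-time blockification in the Servo style adjuster, that half is missing here and the "inline list-item treated as block" condition behind CVE-2021-29988 may only be partly closed, so please diff this against the original commit rather than relying on the rewritten header. The inner patch header carries a 2024 date and no Bugzilla or hg changeset reference, which makes that comparison hard; add the upstream bug ID and changeset URL to the patch description. In `FindElementData` the blockify branch passes a hard-coded `isRootElement = false`; a one-line comment such as `// A ::marker is never the root element.` would make that intentional rather than a leftover. In glue.rs, `is_root_element : bool` should be `is_root_element: bool` per rustfmt. `CreateGeneratedContentItem`, `FindElementData` and `ProcessChildren` all start or end outside these hunks, so the surrounding control flow was not reviewed here.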
@@ -88,7 +88,7 @@ Summary: Mozilla Firefox Web browser Name: firefox Version: 79.0 -Release: 27 +Release: 28 URL: https://www.mozilla.org/firefox/ License: MPLv1.1 or GPLv2+ or LGPLv2+ Source0: https://archive.mozilla.org/pub/firefox/releases/%{version}/source/firefox-%{version}.source.tar.xz @@ -208,6 +208,7 @@ Patch664: CVE-2020-15675.patch Patch665: CVE-2021-23972.patch Patch666: CVE-2021-23954.patch Patch667: CVE-2021-29984.patch +Patch668: CVE-2021-29988.patch %if %{?system_nss} BuildRequires: pkgconfig(nspr) >= %{nspr_version} pkgconfig(nss) >= %{nss_version} @@ -410,6 +411,7 @@ tar -xf %{SOURCE3} %patch665 -p1 %patch666 -p1 %patch667 -p1 +%patch668 -p1 %{__rm} -f .mozconfig %{__cp} %{SOURCE10} .mozconfig @@ -858,6 +860,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || : %endif %changelog +* Thu Jul 18 2024 technology208 - 79.0-28 +- Fix CVE-2021-29988 + * Mon Jul 15 2024 technology208 - 79.0-27 - Fix CVE-2021-29984 -- Gitee