From 317ce2cfe9dcb88085a96fb8f0e7f01f33e8ffdb Mon Sep 17 00:00:00 2001
From: wangxiao65 <287608437@qq.com>
Date: Thu, 14 Jan 2021 15:54:20 +0800
Subject: [PATCH] fix CVE-2020-15969 CVE-2020-15999

---
 CVE-2020-15969.patch | 51 ++++++++++++++++++++++++++++++++++++++++++++
 CVE-2020-15999.patch | 45 ++++++++++++++++++++++++++++++++++++++
 firefox.spec | 7 +++++-
 3 files changed, 102 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-15969.patch
 create mode 100644 CVE-2020-15999.patch

diff --git a/CVE-2020-15969.patch b/CVE-2020-15969.patch
new file mode 100644
index 0000000..9266f40
--- /dev/null
+++ b/CVE-2020-15969.patch
@@ -0,0 +1,51 @@
+# HG changeset patch
+# User Dan Minor
+# Date 1600897949 0
+# Wed Sep 23 21:52:29 2020 +0000
+# Node ID ed2a659e965f27943d9b0c15d6e78d14e1ce9cb2
+# Parent 7b2de9e57a768d949b569ac83fe5d58147e731b5
+Bug 1666570 - Cherrypick ffed0925f27d404173c1e3e750d818f432d2c019 from usrsctp; r=drno
+
+Differential Revision: https://phabricator.services.mozilla.com/D91047
+
+diff -r 7b2de9e57a76 -r ed2a659e965f netwerk/sctp/src/netinet/sctp_indata.c
+--- a/netwerk/sctp/src/netinet/sctp_indata.c Wed Sep 23 19:42:19 2020 +0000
++++ b/netwerk/sctp/src/netinet/sctp_indata.c Wed Sep 23 21:52:29 2020 +0000
+@@ -1664,6 +1664,7 @@ sctp_process_a_data_chunk(struct sctp_tc
+ /* Process a data chunk */
+ /* struct sctp_tmit_chunk *chk; */
+ struct sctp_tmit_chunk *chk;
++ struct sctp_stream_in *strm;
+ uint32_t tsn, fsn, gap, mid;
+ struct mbuf *dmbuf;
+ int the_len;
+@@ -2296,12 +2297,13 @@ finish_express_del:
+ /* All can be removed */
+ TAILQ_FOREACH_SAFE(control, &asoc->pending_reply_queue, next, ncontrol) {
+ TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
++ strm = &asoc->strmin[control->sinfo_stream];
+ sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
+ if (*abort_flag) {
+ return (0);
+ }
+ if (need_reasm_check) {
+- (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
++ (void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
+ need_reasm_check = 0;
+ }
+ }
+@@ -2316,12 +2318,13 @@ finish_express_del:
+ * control->sinfo_tsn > liste->tsn
+ */
+ TAILQ_REMOVE(&asoc->pending_reply_queue, control, next);
++ strm = &asoc->strmin[control->sinfo_stream];
+ sctp_queue_data_to_stream(stcb, asoc, control, abort_flag, &need_reasm_check);
+ if (*abort_flag) {
+ return (0);
+ }
+ if (need_reasm_check) {
+- (void)sctp_deliver_reasm_check(stcb, asoc, &asoc->strmin[control->sinfo_stream], SCTP_READ_LOCK_NOT_HELD);
++ (void)sctp_deliver_reasm_check(stcb, asoc, strm, SCTP_READ_LOCK_NOT_HELD);
+ need_reasm_check = 0;
+ }
+ }
diff --git a/CVE-2020-15999.patch b/CVE-2020-15999.patch
new file mode 100644
index 0000000..754bd38
--- /dev/null
+++ b/CVE-2020-15999.patch
@@ -0,0 +1,45 @@
+# HG changeset patch
+# User Werner Lemberg
+# Date 1603223819 0
+# Tue Oct 20 19:56:59 2020 +0000
+# Node ID 5c356dd9b0f31f612ce90b1f35b14d8cdb0b4ecb
+# Parent a2ed93bf78d53309eb234b72ce0bf60ad93a3ac3
+Bug 1672223 - [sfnt] Fix heap buffer overflow. r=jfkthame
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+
+Differential Revision: https://phabricator.services.mozilla.com/D94153
+
+diff -r a2ed93bf78d5 -r 5c356dd9b0f3 modules/freetype2/src/sfnt/pngshim.c
+--- a/modules/freetype2/src/sfnt/pngshim.c Tue Oct 20 21:14:51 2020 +0000
++++ b/modules/freetype2/src/sfnt/pngshim.c Tue Oct 20 19:56:59 2020 +0000
+@@ -328,6 +328,13 @@
+ 
+ if ( populate_map_and_metrics )
+ {
++ /* reject too large bitmaps similarly to the rasterizer */
++ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++ {
++ error = FT_THROW( Array_Too_Large );
++ goto DestroyExit;
++ }
++ 
+ metrics->width = (FT_UShort)imgWidth;
+ metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -336,13 +343,6 @@
+ map->pixel_mode = FT_PIXEL_MODE_BGRA;
+ map->pitch = (int)( map->width * 4 );
+ map->num_grays = 256;
+- 
+- /* reject too large bitmaps similarly to the rasterizer */
+- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+- {
+- error = FT_THROW( Array_Too_Large );
+- goto DestroyExit;
+- }
+ }
+ 
+ /* convert palette/gray image to rgb */
diff --git a/firefox.spec b/firefox.spec
index fbd1a2b..920af9f 100644
--- a/firefox.spec
+++ b/firefox.spec
@@ -1,7 +1,7 @@
 Name: firefox
 Summary: Mozilla Firefox Web browser
 Version: 62.0.3
-Release: 7
+Release: 8
 URL: https://www.mozilla.org/firefox/
 License: MPLv1.1 or GPLv2+ or LGPLv2+
 Source0: http://download-origin.cdn.mozilla.net/pub/firefox/releases/62.0.3/source/firefox-62.0.3.source.tar.xz
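Review bot: CVE-2020-15969.patch carries no reference to the CVE it is meant to close — its header names only Bug 1666570 and the usrsctp commit — whereas the sibling file states `This is CVE-2020-15999.` explicitly; adding `This is CVE-2020-15969.` after the Differential Revision line keeps the advisory traceable from the file itself. The upstream hunks are addressed at -1664, -2296 and -2316 in the 2020 mozilla tree, while Source0 in firefox.spec is the firefox-62.0.3 tarball, so they will presumably land at different offsets and possibly with fuzz. It is worth confirming in the build log that all three hunks apply and that the resulting sctp_indata.c has the `strm` lookup hoisted ahead of `sctp_queue_data_to_stream` in both loops, since a silently rejected hunk would leave the later `control->sinfo_stream` read in place.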
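Review bot: The patch edits modules/freetype2/src/sfnt/pngshim.c, the copy of FreeType bundled in the Firefox source tree, but nothing in the visible spec hunks shows whether the Linux build compiles that copy or links the system FreeType; the BuildRequires lines in view name libpng and others but no freetype. If the binary uses the system library, this file is applied but does not change what ships, and CVE-2020-15999 would have to be fixed in the freetype package instead. Confirming from the build's configure output or the linked libraries which FreeType the package actually uses would settle whether this backport is effective.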
@@ -33,6 +33,8 @@ Patch6000: CVE-2020-6811.patch
 Patch6001: CVE-2020-6814-Add-FlippedOnce-class.patch
 Patch6002: CVE-2020-6814-1.patch
 Patch6003: CVE-2020-6814-2.patch
+Patch6004: CVE-2020-15969.patch
+Patch6005: CVE-2020-15999.patch
 
 BuildRequires: pkgconfig(nspr) >= 4.19 pkgconfig(nss) >= 3.37.3 pkgconfig(libpng) pkgconfig(libffi)
 BuildRequires: pkgconfig(zlib) pkgconfig(libIDL-2.0) pkgconfig(gtk+-3.0) pkgconfig(gtk+-2.0) pkgconfig(krb5)
@@ -320,6 +322,9 @@ gtk-update-icon-cache %{_datadir}/icons/hicolor &>/dev/null || :
 %{_datadir}/applications/firefox-wayland.desktop
 
 %changelog
+* Thu Jan 14 2021 wangxiao - 62.0.3-8
+- fix CVE-2020-15969 CVE-2020-15999
+
 * Fri Oct 30 2020 jialei - 62.0.3-7
 - rebuild for nss
 
-- 
Gitee
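Review bot: Patch6004 and Patch6005 are declared, but the %prep section that applies patches is not in view, so it is not visible whether the spec uses %autosetup or explicit %patch lines; if it is the latter, the two new files also need `%patch6004 -p1` and `%patch6005 -p1` beside the existing ones, otherwise they are packed into the SRPM and never applied and the release bump ships the unpatched code. Checking the build log for both files being applied, as the changelog entry claims, would close that gap.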