Fix a memory management / refcount problem which can lead to a DOS or

possible code injection, affecting nested iframes.
See https://bugzilla.mozilla.org/show_bug.cgi?id=334515 and
http://www.securident.com/vuln/ff.txt
bump PKGREVISION

2 files changed, 92 insertions, 0 deletions

diff --git a/www/firefox/patches/patch-fa b/www/firefox/patches/patch-fa
new file mode 100644
index 00000000000..4f8d8b4de45
--- /dev/null
+++ b/www/firefox/patches/patch-fa
@@ -0,0 +1,22 @@
+$NetBSD: patch-fa,v 1.1 2006/04/28 16:11:31 drochner Exp $
+
+--- embedding/components/commandhandler/src/nsBaseCommandController.h.orig	2006-04-28 12:43:57.000000000 +0200
++++ embedding/components/commandhandler/src/nsBaseCommandController.h
+@@ -49,6 +49,8 @@
+ #include "nsIControllerContext.h"
+ #include "nsIControllerCommandTable.h"
+ #include "nsIInterfaceRequestor.h"
++#include "nsIWeakReference.h"
++#include "nsIWeakReferenceUtils.h"
+ 
+ // The base editor controller is used for both text widgets, 
+ //   and all other text and html editing
+@@ -79,7 +81,7 @@ public:
+   
+ private:
+ 
+-   nsISupports *mCommandContext;
++   nsWeakPtr mCommandContext;
+    
+    // Our reference to the command manager
+    nsCOMPtr<nsIControllerCommandTable> mCommandTable;     
diff --git a/www/firefox/patches/patch-fb b/www/firefox/patches/patch-fb
new file mode 100644
index 00000000000..f08344952d1
--- /dev/null
+++ b/www/firefox/patches/patch-fb
@@ -0,0 +1,70 @@
+$NetBSD: patch-fb,v 1.1 2006/04/28 16:11:31 drochner Exp $
+
+--- embedding/components/commandhandler/src/nsBaseCommandController.cpp.orig	2006-04-28 12:43:57.000000000 +0200
++++ embedding/components/commandhandler/src/nsBaseCommandController.cpp
+@@ -55,7 +55,6 @@ NS_INTERFACE_MAP_BEGIN(nsBaseCommandCont
+ NS_INTERFACE_MAP_END
+ 
+ nsBaseCommandController::nsBaseCommandController()
+-: mCommandContext(nsnull)
+ {
+ }
+ 
+@@ -79,7 +78,7 @@ nsBaseCommandController::Init(nsIControl
+ NS_IMETHODIMP
+ nsBaseCommandController::SetCommandContext(nsISupports *aCommandContext)
+ {
+-  mCommandContext = aCommandContext;     // no addref  
++  mCommandContext = do_GetWeakReference(aCommandContext);
+   return NS_OK;
+ }
+ 
+@@ -113,7 +112,8 @@ nsBaseCommandController::IsCommandEnable
+ {
+   NS_ENSURE_ARG_POINTER(aCommand);
+   NS_ENSURE_ARG_POINTER(aResult);
+-  return mCommandTable->IsCommandEnabled(aCommand, mCommandContext, aResult);
++  nsCOMPtr<nsISupports> context = do_QueryReferent(mCommandContext);
++  return mCommandTable->IsCommandEnabled(aCommand, context, aResult);
+ }
+ 
+ NS_IMETHODIMP
+@@ -121,14 +121,16 @@ nsBaseCommandController::SupportsCommand
+ {
+   NS_ENSURE_ARG_POINTER(aCommand);
+   NS_ENSURE_ARG_POINTER(aResult);
+-  return mCommandTable->SupportsCommand(aCommand, mCommandContext, aResult);
++  nsCOMPtr<nsISupports> context = do_QueryReferent(mCommandContext);
++  return mCommandTable->SupportsCommand(aCommand, context, aResult);
+ }
+ 
+ NS_IMETHODIMP
+ nsBaseCommandController::DoCommand(const char *aCommand)
+ {
+   NS_ENSURE_ARG_POINTER(aCommand);
+-  return mCommandTable->DoCommand(aCommand, mCommandContext);
++  nsCOMPtr<nsISupports> context = do_QueryReferent(mCommandContext);
++  return mCommandTable->DoCommand(aCommand, context);
+ }
+ 
+ NS_IMETHODIMP
+@@ -136,7 +138,8 @@ nsBaseCommandController::DoCommandWithPa
+                                              nsICommandParams *aParams)
+ {
+   NS_ENSURE_ARG_POINTER(aCommand);
+-  return mCommandTable->DoCommandParams(aCommand, aParams, mCommandContext);
++  nsCOMPtr<nsISupports> context = do_QueryReferent(mCommandContext);
++  return mCommandTable->DoCommandParams(aCommand, aParams, context);
+ }
+ 
+ NS_IMETHODIMP
+@@ -144,7 +147,8 @@ nsBaseCommandController::GetCommandState
+                                                    nsICommandParams *aParams)
+ {
+   NS_ENSURE_ARG_POINTER(aCommand);
+-  return mCommandTable->GetCommandState(aCommand, aParams, mCommandContext);
++  nsCOMPtr<nsISupports> context = do_QueryReferent(mCommandContext);
++  return mCommandTable->GetCommandState(aCommand, aParams, context);
+ }
+ 
+ NS_IMETHODIMP