Fix a memory management / refcount problem which can lead to a DOS or

possible code injection, affecting nested iframes.
See https://bugzilla.mozilla.org/show_bug.cgi?id=334515 and
http://www.securident.com/vuln/ff.txt
bump PKGREVISION

4 files changed, 97 insertions, 3 deletions

diff --git a/www/firefox/Makefile b/www/firefox/Makefile
index 6da9135ac7b..3a9c38a292e 100644
--- a/www/firefox/Makefile
+++ b/www/firefox/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.33 2006/04/17 14:52:12 wiz Exp $
+# $NetBSD: Makefile,v 1.34 2006/04/28 16:11:31 drochner Exp $
 
 MOZILLA=		firefox
-PKGREVISION=		1
+PKGREVISION=		2
 EXTRACT_SUFX=		.tar.bz2
 COMMENT=		Lightweight gecko-based web browser
 
diff --git a/www/firefox/distinfo b/www/firefox/distinfo
index 9b2c8a0e40d..be497e6790a 100644
--- a/www/firefox/distinfo
+++ b/www/firefox/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.47 2006/04/15 14:20:31 ghen Exp $
+$NetBSD: distinfo,v 1.48 2006/04/28 16:11:31 drochner Exp $
 
 SHA1 (firefox-1.5.0.2/firefox-1.5.0.2-source.tar.bz2) = 21f5497a4cdd4b142bdcb9c3fbdfea43cae1455f
 RMD160 (firefox-1.5.0.2/firefox-1.5.0.2-source.tar.bz2) = a3128798930d069a175d278b5522cdc8e43dc352
@@ -59,3 +59,5 @@ SHA1 (patch-du) = c6e66bb420ce9ea988f89b57d1c20a247704cfcf
 SHA1 (patch-dv) = a380d261d4c2771a672d2b0f4f1f23821e3e5266
 SHA1 (patch-ea) = 14e31d17c2493e468cd01f99abfc996853a11032
 SHA1 (patch-eb) = dc9232b10075d17f7ed742e7be8ea036db2f0241
+SHA1 (patch-fa) = 64f09a71d4d3c36a42e8ccf28b2d3e43dbf8f202
+SHA1 (patch-fb) = fb32614d012565c4cb97e489ef05f3f76d75c841
diff --git a/www/firefox/patches/patch-fa b/www/firefox/patches/patch-fa
new file mode 100644
index 00000000000..4f8d8b4de45
--- /dev/null
+++ b/www/firefox/patches/patch-fa
@@ -0,0 +1,22 @@
+$NetBSD: patch-fa,v 1.1 2006/04/28 16:11:31 drochner Exp $
+
+--- embedding/components/commandhandler/src/nsBaseCommandController.h.orig	2006-04-28 12:43:57.000000000 +0200
++++ embedding/components/commandhandler/src/nsBaseCommandController.h
+@@ -49,6 +49,8 @@
+ #include "nsIControllerContext.h"
+ #include "nsIControllerCommandTable.h"
+ #include "nsIInterfaceRequestor.h"
++#include "nsIWeakReference.h"
++#include "nsIWeakReferenceUtils.h"
+ 
+ // The base editor controller is used for both text widgets, 
+ //   and all other text and html editing
+@@ -79,7 +81,7 @@ public:
+   
+ private:
+ 
+-   nsISupports *mCommandContext;
++   nsWeakPtr mCommandContext;
+    
+    // Our reference to the command manager
+    nsCOMPtr<nsIControllerCommandTable> mCommandTable;     
diff --git a/www/firefox/patches/patch-fb b/www/firefox/patches/patch-fb
new file mode 100644
index 00000000000..f08344952d1
--- /dev/null
+++ b/www/firefox/patches/patch-fb
@@ -0,0 +1,70 @@
+$NetBSD: patch-fb,v 1.1 2006/04/28 16:11:31 drochner Exp $
+
+--- embedding/components/commandhandler/src/nsBaseCommandController.cpp.orig	2006-04-28 12:43:57.000000000 +0200
++++ embedding/components/commandhandler/src/nsBaseCommandController.cpp
+@@ -55,7 +55,6 @@ NS_INTERFACE_MAP_BEGIN(nsBaseCommandCont
+ NS_INTERFACE_MAP_END
+ 
+ nsBaseCommandController::nsBaseCommandController()
+-: mCommandContext(nsnull)
+ {
+ }
+ 
+@@ -79,7 +78,7 @@ nsBaseCommandController::Init(nsIControl
+ NS_IMETHODIMP
+ nsBaseCommandController::SetCommandContext(nsISupports *aCommandContext)
+ {
+-  mCommandContext = aCommandContext;     // no addref  
++  mCommandContext = do_GetWeakReference(aCommandContext);
+   return NS_OK;
+ }
+ 
+@@ -113,7 +112,8 @@ nsBaseCommandController::IsCommandEnable
+ {
+   NS_ENSURE_ARG_POINTER(aCommand);
+   NS_ENSURE_ARG_POINTER(aResult);
+-  return mCommandTable->IsCommandEnabled(aCommand, mCommandContext, aResult);
++  nsCOMPtr<nsISupports> context = do_QueryReferent(mCommandContext);
++  return mCommandTable->IsCommandEnabled(aCommand, context, aResult);
+ }
+ 
+ NS_IMETHODIMP
+@@ -121,14 +121,16 @@ nsBaseCommandController::SupportsCommand
+ {
+   NS_ENSURE_ARG_POINTER(aCommand);
+   NS_ENSURE_ARG_POINTER(aResult);
+-  return mCommandTable->SupportsCommand(aCommand, mCommandContext, aResult);
++  nsCOMPtr<nsISupports> context = do_QueryReferent(mCommandContext);
++  return mCommandTable->SupportsCommand(aCommand, context, aResult);
+ }
+ 
+ NS_IMETHODIMP
+ nsBaseCommandController::DoCommand(const char *aCommand)
+ {
+   NS_ENSURE_ARG_POINTER(aCommand);
+-  return mCommandTable->DoCommand(aCommand, mCommandContext);
++  nsCOMPtr<nsISupports> context = do_QueryReferent(mCommandContext);
++  return mCommandTable->DoCommand(aCommand, context);
+ }
+ 
+ NS_IMETHODIMP
+@@ -136,7 +138,8 @@ nsBaseCommandController::DoCommandWithPa
+                                              nsICommandParams *aParams)
+ {
+   NS_ENSURE_ARG_POINTER(aCommand);
+-  return mCommandTable->DoCommandParams(aCommand, aParams, mCommandContext);
++  nsCOMPtr<nsISupports> context = do_QueryReferent(mCommandContext);
++  return mCommandTable->DoCommandParams(aCommand, aParams, context);
+ }
+ 
+ NS_IMETHODIMP
+@@ -144,7 +147,8 @@ nsBaseCommandController::GetCommandState
+                                                    nsICommandParams *aParams)
+ {
+   NS_ENSURE_ARG_POINTER(aCommand);
+-  return mCommandTable->GetCommandState(aCommand, aParams, mCommandContext);
++  nsCOMPtr<nsISupports> context = do_QueryReferent(mCommandContext);
++  return mCommandTable->GetCommandState(aCommand, aParams, context);
+ }
+ 
+ NS_IMETHODIMP