GitLab

at 2024-05-09T10:55:04+00:00

Bug 1871109 - generateHash in Manifest.sys.mjs should use sha256 r=peterv, a=dmeehan

Differential Revision: https://phabricator.services.mozilla.com/D204928
Bug 1890204 - Ensure font entry's unitsPerEm and font extents are initialized when gfxFont is created. r=gfx-reviewers,lsalzman

This means that by the time we potentially call GetFontExtents() when drawing,
the extents fields are guaranteed to have been been initialized, and there's no
risk of the (read-only) access here racing with setting them in UnitsPerEm().

Differential Revision: https://phabricator.services.mozilla.com/D206920
Bug 1893891 - Clear mSharedBlobData if blob creation failed.  a=dmeehan

Original Revision: https://phabricator.services.mozilla.com/D208983

Differential Revision: https://phabricator.services.mozilla.com/D209209
  * @note The generated hash is returned in base64 form.  Mind the fact base64

  * is case-sensitive if you are going to reuse this code.

  */

-function generateHash(aString) {

+function generateHash(aString, hashAlg) {

   const cryptoHash = Cc["@mozilla.org/security/hash;1"].createInstance(

     Ci.nsICryptoHash

   );

-  cryptoHash.init(Ci.nsICryptoHash.MD5);

+  cryptoHash.init(hashAlg);

   const stringStream = Cc[

     "@mozilla.org/io/string-input-stream;1"

   ].createInstance(Ci.nsIStringInputStream);

     this._manifestUrl = manifestUrl;

     // The key for this is the manifests URL that is required to be unique.

     // However arbitrary urls are not safe file paths so lets hash it.

-    const fileName = generateHash(manifestUrl) + ".json";

-    this._path = PathUtils.join(MANIFESTS_DIR, fileName);

+    const filename =

+      generateHash(manifestUrl, Ci.nsICryptoHash.SHA256) + ".json";

+    this._path = PathUtils.join(MANIFESTS_DIR, filename);

     this.browser = browser;

   }

+  /**

+   * See Bug 1871109

+   * This function is called at the beginning of initialize() to check if a given

+   * manifest has MD5 based filename, if so we remove it and migrate the content to

+   * a new file with SHA256 based name.

+   * This is done due to security concern, as MD5 is an outdated hashing algorithm and

+   * shouldn't be used anymore

+   */

+  async removeMD5BasedFilename() {

+    const filenameMD5 =

+      generateHash(this._manifestUrl, Ci.nsICryptoHash.MD5) + ".json";

+    const MD5Path = PathUtils.join(MANIFESTS_DIR, filenameMD5);

+    try {

+      await IOUtils.copy(MD5Path, this._path, { noOverwrite: true });

+    } catch (error) {

+      // we are ignoring the failures returned from copy as it should not stop us from

+      // installing a new manifest

+    }

+

+    // Remove the old MD5 based file unconditionally to ensure it's no longer used

+    try {

+      await IOUtils.remove(MD5Path);

+    } catch {

+      // ignore the error in case MD5 based file does not exist

+    }

+  }

+

   get browser() {

     return this._browser;

   }

   }

   async initialize() {

+    await this.removeMD5BasedFilename();

     this._store = new lazy.JSONFile({ path: this._path, saveDelayMs: 100 });

     await this._store.load();

   }

   return url.href;

 }

+function generateHash(aString, hashAlg) {

+  const cryptoHash = Cc["@mozilla.org/security/hash;1"].createInstance(

+    Ci.nsICryptoHash

+  );

+  cryptoHash.init(hashAlg);

+  const stringStream = Cc[

+    "@mozilla.org/io/string-input-stream;1"

+  ].createInstance(Ci.nsIStringInputStream);

+  stringStream.data = aString;

+  cryptoHash.updateFromStream(stringStream, -1);

+  // base64 allows the '/' char, but we can't use it for filenames.

+  return cryptoHash.finish(true).replace(/\//g, "-");

+}

+

+const MANIFESTS_DIR = PathUtils.join(PathUtils.profileDir, "manifests");

+

 add_task(async function () {

   const tabOptions = { gBrowser, url: makeTestURL() };

+  const filenameMD5 = generateHash(manifestUrl, Ci.nsICryptoHash.MD5) + ".json";

+  const filenameSHA =

+    generateHash(manifestUrl, Ci.nsICryptoHash.SHA256) + ".json";

+  const manifestMD5Path = PathUtils.join(MANIFESTS_DIR, filenameMD5);

+  const manifestSHAPath = PathUtils.join(MANIFESTS_DIR, filenameSHA);

+

   await BrowserTestUtils.withNewTab(tabOptions, async function (browser) {

-    let manifest = await Manifests.getManifest(browser, manifestUrl);

-    is(manifest.installed, false, "We haven't installed this manifest yet");

+    let tmpManifest = await Manifests.getManifest(browser, manifestUrl);

+    is(tmpManifest.installed, false, "We haven't installed this manifest yet");

+

+    await tmpManifest.install();

+    // making sure the manifest is actually installed before proceeding

+    await tmpManifest._store._save();

+    await IOUtils.move(tmpManifest.path, manifestMD5Path);

+

+    let exists = await IOUtils.exists(tmpManifest.path);

+    is(

+      exists,

+      false,

+      "Manually moved manifest from SHA256 based path to MD5 based path"

+    );

+    Manifests.manifestObjs.delete(manifestUrl);

+

+    let manifest = await Manifests.getManifest(browser, manifestUrl);

     await manifest.install(browser);

     is(manifest.name, "hello World", "Manifest has correct name");

     is(manifest.installed, true, "Manifest is installed");

     is(manifest.url, manifestUrl, "has correct url");

     is(manifest.browser, browser, "has correct browser");

+    is(manifest.path, manifestSHAPath, "has correct path");

+

+    exists = await IOUtils.exists(manifestMD5Path);

+    is(exists, false, "MD5 based manifest removed");

     manifest = await Manifests.getManifest(browser, manifestUrl);

     is(manifest.installed, true, "New instances are installed");

   }

   mKerningSet = HasFeatureSet(HB_TAG('k', 'e', 'r', 'n'), mKerningEnabled);

+

+  // Ensure the gfxFontEntry's unitsPerEm and extents fields are initialized,

+  // so that GetFontExtents can use them without risk of races.

+  Unused << mFontEntry->UnitsPerEm();

 }

 gfxFont::~gfxFont() {

 }

 uint16_t gfxFontEntry::UnitsPerEm() {

+  {

+    AutoReadLock lock(mLock);

+    if (mUnitsPerEm) {

+      return mUnitsPerEm;

+    }

+  }

+

+  AutoTable headTable(this, TRUETYPE_TAG('h', 'e', 'a', 'd'));

+  AutoWriteLock lock(mLock);

+

   if (!mUnitsPerEm) {

-    AutoTable headTable(this, TRUETYPE_TAG('h', 'e', 'a', 'd'));

     if (headTable) {

       uint32_t len;

       const HeadTable* head =

           reinterpret_cast<const HeadTable*>(hb_blob_get_data(headTable, &len));

       if (len >= sizeof(HeadTable)) {

-        mUnitsPerEm = head->unitsPerEm;

         if (int16_t(head->xMax) > int16_t(head->xMin) &&

             int16_t(head->yMax) > int16_t(head->yMin)) {

           mXMin = head->xMin;

           mXMax = head->xMax;

           mYMax = head->yMax;

         }

+        mUnitsPerEm = head->unitsPerEm;

       }

     }

       mUnitsPerEm = kInvalidUPEM;

     }

   }

+

   return mUnitsPerEm;

 }

 bool gfxFontEntry::HasSVGGlyph(uint32_t aGlyphId) {

-  NS_ASSERTION(mSVGInitialized,

-               "SVG data has not yet been loaded. TryGetSVGData() first.");

+  MOZ_ASSERT(mSVGInitialized,

+             "SVG data has not yet been loaded. TryGetSVGData() first.");

   return GetSVGGlyphs()->HasSVGGlyph(aGlyphId);

 }

 void gfxFontEntry::RenderSVGGlyph(gfxContext* aContext, uint32_t aGlyphId,

                                   SVGContextPaint* aContextPaint) {

-  NS_ASSERTION(mSVGInitialized,

-               "SVG data has not yet been loaded. TryGetSVGData() first.");

+  MOZ_ASSERT(mSVGInitialized,

+             "SVG data has not yet been loaded. TryGetSVGData() first.");

   GetSVGGlyphs()->RenderGlyph(aContext, aGlyphId, aContextPaint);

 }

       HB_MEMORY_MODE_READONLY, mSharedBlobData, DeleteFontTableBlobData);

   if (mBlob == hb_blob_get_empty()) {

     // The FontTableBlobData was destroyed during hb_blob_create().

-    // The (empty) blob is still be held in the hashtable with a strong

+    // The (empty) blob will still be held in the hashtable with a strong

     // reference.

+    mSharedBlobData = nullptr;

     return hb_blob_reference(mBlob);

   }

   mozilla::gfx::Rect GetFontExtents(float aFUnitScaleFactor) const {

     // Flip the y-axis here to match the orientation of Gecko's coordinates.

+    // We don't need to take a lock here because the min/max fields are inert

+    // after initialization, and we make sure to initialize them at gfxFont-

+    // creation time.

     return mozilla::gfx::Rect(float(mXMin) * aFUnitScaleFactor,

                               float(-mYMax) * aFUnitScaleFactor,

                               float(mXMax - mXMin) * aFUnitScaleFactor,

...	...	@@ -952,6 +952,10 @@ gfxFont::gfxFont(const RefPtr<UnscaledFont>& aUnscaledFont,
952	952	}
953	953
954	954	mKerningSet = HasFeatureSet(HB_TAG('k', 'e', 'r', 'n'), mKerningEnabled);
	955	+
	956	+ // Ensure the gfxFontEntry's unitsPerEm and extents fields are initialized,
	957	+ // so that GetFontExtents can use them without risk of races.
	958	+ Unused << mFontEntry->UnitsPerEm();
955	959	}
956	960
957	961	gfxFont::~gfxFont() {

ma1 pushed to branch tor-browser-115.11.0esr-13.0-1 at The Tor Project / Applications / Tor Browser

Commits:

5 changed files:

Changes: