Submitted By:            Douglas R. Reno <renodr at linuxfromscratch dot org>
Date:                    2022-03-08
Initial Package Version: 2.53.11
Origin:                  Self
Upstream Status:         Not Applied, but backport submitted
Description:             Fixes CVE-2022-26485 in Seamonkey, which is an actively
                         exploited remote code execution vulnerability in the
                         XSLT processor. This has been rated by Critical as
                         upstream, and backports the fix for this bug in Firefox.
                         I've submitted the backport as TESTED to Seamonkey's
                         upstream as well so that hopefully this gets into a new
                         release of theirs soon.

diff -Naurp seamonkey-2.53.11.orig/dom/xslt/xslt/txMozillaXSLTProcessor.cpp seamonkey-2.53.11/dom/xslt/xslt/txMozillaXSLTProcessor.cpp
--- seamonkey-2.53.11.orig/dom/xslt/xslt/txMozillaXSLTProcessor.cpp	2022-03-08 10:40:41.004997706 -0600
+++ seamonkey-2.53.11/dom/xslt/xslt/txMozillaXSLTProcessor.cpp	2022-03-08 11:16:12.660967531 -0600
@@ -238,9 +238,9 @@ txToFragmentHandlerFactory::createHandle
 class txVariable : public txIGlobalParameter
 {
 public:
-    explicit txVariable(nsIVariant* aValue) : mValue(aValue)
-    {
-        NS_ASSERTION(aValue, "missing value");
+    explicit txVariable(nsIVariant* aValue, txAExprResult* aTxValue)
+       : mValue(aValue), mTxValue(aTxValue) {
+          NS_ASSERTION(aValue && aTxValue, "missing value");
     }
     explicit txVariable(txAExprResult* aValue) : mTxValue(aValue)
     {
@@ -248,12 +248,7 @@ public:
     }
     nsresult getValue(txAExprResult** aValue) override
     {
-        NS_ASSERTION(mValue || mTxValue, "variablevalue is null");
-
-        if (!mTxValue) {
-            nsresult rv = Convert(mValue, getter_AddRefs(mTxValue));
-            NS_ENSURE_SUCCESS(rv, rv);
-        }
+        NS_ASSERTION(mTxValue, "variablevalue is null");
 
         *aValue = mTxValue;
         NS_ADDREF(*aValue);
@@ -270,11 +265,11 @@ public:
     {
         return mValue;
     }
-    void setValue(nsIVariant* aValue)
+    void setValue(nsIVariant* aValue, txAExprResult* aTxValue)
     {
-        NS_ASSERTION(aValue, "setting variablevalue to null");
+        NS_ASSERTION(aValue && aTxValue, "setting variablevalue to null");
         mValue = aValue;
-        mTxValue = nullptr;
+        mTxValue = aTxValue;
     }
     void setValue(txAExprResult* aValue)
     {
@@ -283,13 +278,14 @@ public:
         mTxValue = aValue;
     }
 
+    static nsresult Convert(nsIVariant* aValue, txAExprResult** aResult);
+
     friend void ImplCycleCollectionUnlink(txVariable& aVariable);
     friend void ImplCycleCollectionTraverse(
         nsCycleCollectionTraversalCallback& aCallback, txVariable& aVariable,
         const char* aName, uint32_t aFlags);
 
 private:
-    static nsresult Convert(nsIVariant *aValue, txAExprResult** aResult);
 
     nsCOMPtr<nsIVariant> mValue;
     RefPtr<txAExprResult> mTxValue;
@@ -950,13 +946,17 @@ txMozillaXSLTProcessor::SetParameter(con
     nsCOMPtr<nsIAtom> localName = NS_Atomize(aLocalName);
     txExpandedName varName(nsId, localName);
 
+    RefPtr<txAExprResult> txValue;
+    rv = txVariable::Convert(value, getter_AddRefs(txValue));
+    NS_ENSURE_SUCCESS(rv, rv);
+
     txVariable* var = static_cast<txVariable*>(mVariables.get(varName));
     if (var) {
-        var->setValue(value);
+        var->setValue(value, txValue);
         return NS_OK;
     }
 
-    var = new txVariable(value);
+    var = new txVariable(value, txValue);
     return mVariables.add(varName, var);
 }