nss: upgrade to 3.103

Add initialize() method to hash class: in PDFWriterImpl::emitTrailer we need to re-initialize the hash after calling finalize(), otherwise update() inside writeBuffer will fail with Assertion failure: rv == SECSuccess, at sechash.c:140 See https://lists.freedesktop.org/archives/libreoffice/2025-March/093075.html Downloaded from https://ftp.mozilla.org/pub/security/nss/releases/NSS_3_103_RTM/src/nss-3.103-with-nspr-4.35.tar.gz Change-Id: Iebf144be7bce9f45900b427adedc7465e4b2e4e3 Reviewed-on: https://gerrit.libreoffice.org/c/core/+/183075 Tested-by: Jenkins Reviewed-by: Xisco Fauli <xiscofauli@libreoffice.org>
2025-03-18 12:49:20 +01:00
parent a8ce824a21
commit c8bfafbbf8
6 changed files with 37 additions and 19 deletions
--- a/comphelper/source/misc/hash.cxx
+++ b/comphelper/source/misc/hash.cxx
@@ -105,9 +105,18 @@ struct HashImpl
            }
        }
        mpContext = HASH_Create(getNSSType());
-        HASH_Begin(mpContext);
 #elif USE_TLS_OPENSSL
        mpContext = EVP_MD_CTX_create();
+#endif
+
+        initialize();
+    }
+
+    void initialize()
+    {
+#if USE_TLS_NSS
+        HASH_Begin(mpContext);
+#elif USE_TLS_OPENSSL
        EVP_DigestInit_ex(mpContext, getOpenSSLType(), nullptr);
 #endif
    }
@@ -143,6 +152,11 @@ void Hash::update(const unsigned char* pInput, size_t length)
 #endif
 }

+void Hash::initialize()
+{
+    mpImpl->initialize();
+}
+
 std::vector<unsigned char> Hash::finalize()
 {
    std::vector<unsigned char> hash(getLength(), 0);
--- a/download.lst
+++ b/download.lst
@@ -512,8 +512,8 @@ MYTHES_TARBALL := mythes-1.2.5.tar.xz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
-NSS_SHA256SUM := ddfdec73fb4b0eedce5fc4de09de9ba14d2ddbfbf67e42372903e1510f2d3d65
-NSS_TARBALL := nss-3.102.1-with-nspr-4.35.tar.gz
+NSS_SHA256SUM := 1636c8c85794e779855183997805b6edfe2dfb43cdf5b6cf1934bf16b1b32520
+NSS_TARBALL := nss-3.103-with-nspr-4.35.tar.gz
 # three static lines
 # so that git cherry-pick
 # will not run into conflicts
--- a/external/nss/nss-android.patch.1
+++ b/external/nss/nss-android.patch.1
@@ -41,7 +41,7 @@ diff -ur nss.org/nspr/configure nss/nspr/configure
 diff -ur nss.org/nss/Makefile nss/nss/Makefile
 --- nss.org/nss/Makefile	2017-09-07 15:29:44.933245745 +0200
 +++ nss/nss/Makefile	2017-09-07 15:32:04.347181076 +0200
-@@ -65,7 +65,7 @@
+@@ -67,7 +67,7 @@
 
 ifeq ($(OS_TARGET),Android)
 NSPR_CONFIGURE_OPTS += --with-android-ndk=$(ANDROID_NDK) \
@@ -50,16 +50,14 @@ diff -ur nss.org/nss/Makefile nss/nss/Makefile
                        --with-android-version=$(OS_TARGET_RELEASE) \
                        --with-android-toolchain=$(ANDROID_TOOLCHAIN) \
                        --with-android-platform=$(ANDROID_SYSROOT)
--- nss/nss/Makefile.orig	2019-11-26 14:52:15.934561202 +0100
-+++ nss/nss/Makefile	2019-11-26 14:52:20.538559612 +0100
-@@ -140,7 +140,6 @@
- 
+@@ -143,7 +143,6 @@
+ ifndef NSS_DISABLE_NSPR_TESTS
 build_nspr: $(NSPR_CONFIG_STATUS)
 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
 -	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests
- 
- install_nspr: build_nspr
- 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+ else
+ build_nspr: $(NSPR_CONFIG_STATUS)
+ 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
 --- nss/nss/lib/ckfw/builtins/manifest.mn.orig	2019-11-26 15:18:22.185985193 +0100
 +++ nss/nss/lib/ckfw/builtins/manifest.mn	2019-11-26 15:18:29.281982387 +0100
@@ -5,7 +5,7 @@
--- a/external/nss/nss-ios.patch
+++ b/external/nss/nss-ios.patch
@@ -16,14 +16,14 @@
 endif
 
 #
-@@ -140,7 +138,6 @@
- 
+@@ -141,7 +143,6 @@
+ ifndef NSS_DISABLE_NSPR_TESTS
 build_nspr: $(NSPR_CONFIG_STATUS)
 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
 -	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)/pr/tests
- 
- install_nspr: build_nspr
- 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME) install
+ else
+ build_nspr: $(NSPR_CONFIG_STATUS)
+ 	$(MAKE) -C $(CORE_DEPTH)/../nspr/$(OBJDIR_NAME)
 --- a/a/nss/lib/ckfw/builtins/manifest.mn
 +++ a/a/nss/lib/ckfw/builtins/manifest.mn
@@ -5,7 +5,7 @@
@@ -75,7 +75,7 @@
 #if defined(_WIN32)
         if (nssUTF8_Length(mod->dllName, NULL)) {
             wchar_t *dllNameWide = _NSSUTIL_UTF8ToWide(mod->dllName);
-@@ -507,6 +510,11 @@
+@@ -507,6 +510,10 @@
             mod->moduleDBFunc = (void *)
                 PR_FindSymbol(library, "NSS_ReturnModuleSpecData");
         }
@@ -83,11 +83,10 @@
 +        if (strcmp(mod->dllName, "NSSCKBI") == 0)
 +            fentry = NSSCKBI_C_GetFunctionList;
 +#endif
-+
         if (mod->moduleDBFunc == NULL)
             mod->isModuleDB = PR_FALSE;
         if ((ientry == NULL) && (fentry == NULL)) {
-@@ -643,10 +651,12 @@
+@@ -643,10 +650,12 @@
     }
 fail:
     mod->functionList = NULL;
--- a/include/comphelper/hash.hxx
+++ b/include/comphelper/hash.hxx
@@ -66,6 +66,8 @@ public:
        update(rInput.data(), rInput.size());
    }

+    void initialize();
+
    std::vector<unsigned char> finalize();

    static std::vector<unsigned char> calculateHash(const unsigned char* pInput, size_t length, HashType eType);
--- a/vcl/source/gdi/pdfwriter_impl.cxx
+++ b/vcl/source/gdi/pdfwriter_impl.cxx
@@ -6179,6 +6179,11 @@ bool PDFWriterImpl::emitTrailer()
        aLine.append( "]\n" );
    }

+    // After calling m_DocDigest.finalize(), we need to initialize the hash again,
+    // otherwise, m_DocDigest.update() inside writeBuffer will fail with
+    // Assertion failure: rv == SECSuccess, at sechash.c:140
+    m_DocDigest.initialize();
+
    aLine.append( ">>\n"
                  "startxref\n" );
    aLine.append( static_cast<sal_Int64>(nXRefOffset) );