Process sandbox - switch to spin mode only if images are not too big,…

… add environment var to disable sandbox limits

image/decoders/nsJPEGDecoder.cpp

@@ -903,12 +903,25 @@ nsJPEGDecoder::ReadJPEGData(const char* aData, size_t aLength)
   #if defined(PS_SANDBOX_USE_NEW_CPP_API)
     class ActiveRAIIWrapper{
       JPEGProcessSandbox* s;
+      bool a;
       public:
-      ActiveRAIIWrapper(JPEGProcessSandbox* ps) : s(ps) { s->makeActiveSandbox(); }
-      ~ActiveRAIIWrapper() { s->makeInactiveSandbox(); }
+      ActiveRAIIWrapper(JPEGProcessSandbox* ps, bool isActive) : s(ps), a(isActive) {
+        if (a) {
+          s->makeActiveSandbox();
+        }
+      }
+      void makeInactive(){
+        if (a) {
+          s->makeInactiveSandbox();
+          a = false;
+        }
+      }
+      ~ActiveRAIIWrapper() {
+        makeInactive();
+      }
     };
     #if !defined(PS_SANDBOX_DONT_USE_SPIN)
-    ActiveRAIIWrapper procSbxActivation(rlbox_jpeg->getSandbox());
+    ActiveRAIIWrapper procSbxActivation(rlbox_jpeg->getSandbox(), mImageWidth < 1000);
     #endif
   #endif
   //printf("FF Flag ReadJPEGData\n");
@@ -998,6 +1011,12 @@ nsJPEGDecoder::ReadJPEGData(const char* aData, size_t aLength)
           }
           return val; 
         });
+        mImageWidth = image_width;
+        #if defined(PS_SANDBOX_USE_NEW_CPP_API) && !defined(PS_SANDBOX_DONT_USE_SPIN)
+          if (mImageWidth >= 1000) {
+            procSbxActivation.makeInactive();
+          }
+        #endif
         auto image_height = mInfo.image_height
         #if defined(NACL_SANDBOX_USE_NEW_CPP_API) || defined(WASM_SANDBOX_USE_NEW_CPP_API) || defined(PS_SANDBOX_USE_NEW_CPP_API)
         .copyAndVerify([this](JDIMENSION val){

image/decoders/nsJPEGDecoder.h

@@ -164,6 +164,7 @@ class nsJPEGDecoder : public Decoder
     J_COLOR_SPACE m_out_color_space;
     jmp_buf m_jmpBuff;
     bool m_jmpBuffValid = FALSE; 
+    unsigned int mImageWidth = 0;
   #elif defined(NACL_SANDBOX_USE_CPP_API) || defined(PROCESS_SANDBOX_USE_CPP_API)
     unverified_data<struct jpeg_decompress_struct*> p_mInfo;
     unverified_data<struct jpeg_source_mgr*> p_mSourceMgr;

image/decoders/nsPNGDecoder.cpp

@@ -1821,6 +1821,7 @@ nsPNGDecoder::FinishedPNGData()
     freeInPngSandbox(p_params);
   #endif
 
+  // Exclude very small images as the actual impact is very small
   if(width < 100) {
     decoder->PngMaybeTooSmall = true;
   } else {
@@ -1834,10 +1835,12 @@ nsPNGDecoder::FinishedPNGData()
       // };
       // ActiveRAIIWrapper procSbxActivation(IsMetadataDecode()? nullptr : );
       if (!decoder->IsMetadataDecode()){
-        #if !defined(PS_SANDBOX_DONT_USE_SPIN)
-        (rlbox_png->getSandbox())->makeActiveSandbox();
-        #endif
-        decoder->PngSbxActivated = true;
+        if (width < 1000) {
+          #if !defined(PS_SANDBOX_DONT_USE_SPIN)
+          (rlbox_png->getSandbox())->makeActiveSandbox();
+          #endif
+          decoder->PngSbxActivated = true;
+        }
       }
     #endif
   }

image/decoders/nsPNGDecoder.h

@@ -78,12 +78,22 @@ class SandboxManager
 private:
     std::map<std::string, std::shared_ptr<T>> sandboxes;
     std::mutex sandboxMapMutex;
-    static const bool SandboxEnforceLimits = true;
+    static std::once_flag SandboxEnforceLimitsSet;
+    static bool SandboxEnforceLimits;
     //we can go to higher limits, but this seems fine
     static const int SandboxSoftLimit = 10;
 
 public:
 
+    SandboxManager(){
+      std::call_once(SandboxEnforceLimitsSet, [&](){
+        SandboxEnforceLimits = !PR_GetEnv("MOZ_RLBOX_SANDBOX_NOLIMIT");
+        if (!SandboxEnforceLimits){ 
+          printf("RLBox: Not enforcing sandbox limits!\n");
+        }
+      });
+    }
+
     inline std::shared_ptr<T> createSandbox(std::string name) {
       //use a fresh temporary sandbox if we couldn't find the origin
       if(name == "") {
@@ -142,6 +152,11 @@ class SandboxManager
     }
 };
 
+template<typename T>
+std::once_flag SandboxManager<T>::SandboxEnforceLimitsSet;
+template<typename T>
+bool SandboxManager<T>::SandboxEnforceLimits = true;
+
 struct RLBench
 {
   bool InUse = false;

netwerk/streamconv/converters/nsHTTPCompressConv.cpp

@@ -22,13 +22,16 @@
 #include "state.h"
 #include "brotli/decode.h"
 
+#include "prenv.h"
+
 #include <dirent.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <signal.h>
 #include <unistd.h>
 #include <sys/types.h>
+#include <mutex>
 
 #if defined(NACL_SANDBOX_USE_NEW_CPP_API) || defined(WASM_SANDBOX_USE_NEW_CPP_API) || defined(PS_SANDBOX_USE_NEW_CPP_API)
 // RLBoxSandbox<TRLSandbox>* rlbox_zlib = NULL;
@@ -114,7 +117,8 @@ class SandboxManager
 private:
     std::map<std::string, std::shared_ptr<T>> sandboxes;
     std::mutex sandboxMapMutex;
-    static const bool SandboxEnforceLimits = true;
+    static std::once_flag SandboxEnforceLimitsSet;
+    static bool SandboxEnforceLimits;
     //we can go to higher limits, but this seems fine
     // #if defined(PS_SANDBOX_DONT_USE_SPIN)
     // static const int SandboxSoftLimit = 100;
@@ -124,6 +128,15 @@ class SandboxManager
 
 public:
 
+    SandboxManager(){
+      std::call_once(SandboxEnforceLimitsSet, [&](){
+        SandboxEnforceLimits = !PR_GetEnv("MOZ_RLBOX_SANDBOX_NOLIMIT");
+        if (!SandboxEnforceLimits){ 
+          printf("RLBox: Not enforcing sandbox limits!\n");
+        }
+      });
+    }
+
     // inline void checkSandboxCreation(std::shared_ptr<T> ret) {
     //   auto succeeded = ret->initialize();
     //   if (succeeded) { return; }
@@ -208,6 +221,11 @@ class SandboxManager
     }
 };
 
+template<typename T>
+std::once_flag SandboxManager<T>::SandboxEnforceLimitsSet;
+template<typename T>
+bool SandboxManager<T>::SandboxEnforceLimits = true;
+
 static SandboxManager<ZLIBSandboxResource> zlibSandboxManager;
 
 }