gnu: icecat: Add fixes for CVE-2015-{4473,4482,4488,4489,4491,4492}.

WARNING: CVE-2015-4473 may not be fully addressed here, because I was unable
to backport some of the patches (for upstream bugs 1182711 and 1146213).  I
was also unable to backport CVE-2015-4484 (upstream bug 1171540) and
CVE-2015-4487 (upstream bug 1171603).  I was unable to find any commit in the
upstream repository that claims to address bug 1105914 (CVE-2015-4478).

* gnu/packages/patches/icecat-CVE-2015-4473-partial.patch,
  gnu/packages/patches/icecat-CVE-2015-4482.patch,
  gnu/packages/patches/icecat-CVE-2015-4488.patch,
  gnu/packages/patches/icecat-CVE-2015-4489.patch,
  gnu/packages/patches/icecat-CVE-2015-4491.patch,
  gnu/packages/patches/icecat-CVE-2015-4492.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.

8 files changed, 325 insertions, 1 deletions

diff --git a/gnu-system.am b/gnu-system.am
index dc945c9b96..f9db6acc51 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -483,6 +483,12 @@ dist_patch_DATA =						\
   gnu/packages/patches/hwloc-gather-topology-lstopo.patch	\
   gnu/packages/patches/hydra-automake-1.15.patch		\
   gnu/packages/patches/hydra-disable-darcs-test.patch		\
+  gnu/packages/patches/icecat-CVE-2015-4473-partial.patch	\
+  gnu/packages/patches/icecat-CVE-2015-4482.patch		\
+  gnu/packages/patches/icecat-CVE-2015-4488.patch		\
+  gnu/packages/patches/icecat-CVE-2015-4489.patch		\
+  gnu/packages/patches/icecat-CVE-2015-4491.patch		\
+  gnu/packages/patches/icecat-CVE-2015-4492.patch		\
   gnu/packages/patches/icecat-CVE-2015-4495.patch		\
   gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch \
   gnu/packages/patches/icecat-freetype-2.6.patch		\
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 0200039f5c..bfd1f5dc7b 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -240,7 +240,13 @@ standards.")
       (sha256
        (base32
         "11wx29mb5pcg4mgk07a6vjwh52ca90k0x4m9wv0v3y5dmp88f01p"))
-      (patches (map search-patch '("icecat-CVE-2015-4495.patch"
+      (patches (map search-patch '("icecat-CVE-2015-4473-partial.patch"
+                                   "icecat-CVE-2015-4482.patch"
+                                   "icecat-CVE-2015-4488.patch"
+                                   "icecat-CVE-2015-4489.patch"
+                                   "icecat-CVE-2015-4491.patch"
+                                   "icecat-CVE-2015-4492.patch"
+                                   "icecat-CVE-2015-4495.patch"
                                    "icecat-enable-acceleration-and-webgl.patch"
                                    "icecat-freetype-2.6.patch"
                                    "icecat-libvpx-1.4.patch")))
diff --git a/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch b/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch
new file mode 100644
index 0000000000..184a8c5092
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4473-partial.patch
@@ -0,0 +1,120 @@
+Backported to icecat-31.8 from the upstream esr38 branch.
+
+From 1a7eac06fab3b8ffca09936498887f99e233bcba Mon Sep 17 00:00:00 2001
+From: Randell Jesup <rjesup@jesup.org>
+Date: Thu, 9 Jul 2015 20:18:34 -0400
+Subject: [PATCH] Bug 1178890 - Update timer arrays after sleep to account for
+ time sleeping. r=bwc, r=froydnj, a=sledru
+
+--- icecat-31.8.0/xpcom/threads/TimerThread.cpp.orig	1969-12-31 19:00:00.000000000 -0500
++++ icecat-31.8.0/xpcom/threads/TimerThread.cpp	2015-08-12 16:38:11.789371171 -0400
+@@ -28,7 +28,8 @@
+   mShutdown(false),
+   mWaiting(false),
+   mNotified(false),
+-  mSleeping(false)
++  mSleeping(false),
++  mLastTimerEventLoopRun(TimeStamp::Now())
+ {
+ }
+ 
+@@ -222,6 +223,7 @@
+     } else {
+       waitFor = PR_INTERVAL_NO_TIMEOUT;
+       TimeStamp now = TimeStamp::Now();
++      mLastTimerEventLoopRun = now;
+       nsTimerImpl *timer = nullptr;
+ 
+       if (!mTimers.IsEmpty()) {
+@@ -411,6 +413,7 @@
+ // This function must be called from within a lock
+ int32_t TimerThread::AddTimerInternal(nsTimerImpl *aTimer)
+ {
++  mMonitor.AssertCurrentThreadOwns();
+   if (mShutdown)
+     return -1;
+ 
+@@ -434,6 +437,7 @@
+ 
+ bool TimerThread::RemoveTimerInternal(nsTimerImpl *aTimer)
+ {
++  mMonitor.AssertCurrentThreadOwns();
+   if (!mTimers.RemoveElement(aTimer))
+     return false;
+ 
+@@ -443,6 +447,10 @@
+ 
+ void TimerThread::ReleaseTimerInternal(nsTimerImpl *aTimer)
+ {
++  if (!mShutdown) {
++    // copied to a local array before releasing in shutdown
++    mMonitor.AssertCurrentThreadOwns();
++  }
+   // Order is crucial here -- see nsTimerImpl::Release.
+   aTimer->mArmed = false;
+   NS_RELEASE(aTimer);
+@@ -450,21 +458,39 @@
+ 
+ void TimerThread::DoBeforeSleep()
+ {
++  // Mainthread
++  MonitorAutoLock lock(mMonitor);
++  mLastTimerEventLoopRun = TimeStamp::Now();
+   mSleeping = true;
+ }
+ 
++// Note: wake may be notified without preceding sleep notification
+ void TimerThread::DoAfterSleep()
+ {
+-  mSleeping = true; // wake may be notified without preceding sleep notification
++  // Mainthread
++  TimeStamp now = TimeStamp::Now();
++
++  MonitorAutoLock lock(mMonitor);
++
++  // an over-estimate of time slept, usually small
++  TimeDuration slept = now - mLastTimerEventLoopRun;
++
++  // Adjust all old timers to expire roughly similar times in the future
++  // compared to when we went to sleep, by adding the time we slept to the
++  // target time. It's slightly possible a few will end up slightly in the
++  // past and fire immediately, but ordering should be preserved.  All
++  // timers retain the exact same order (and relative times) as before
++  // going to sleep.
+   for (uint32_t i = 0; i < mTimers.Length(); i ++) {
+     nsTimerImpl *timer = mTimers[i];
+-    // get and set the delay to cause its timeout to be recomputed
+-    uint32_t delay;
+-    timer->GetDelay(&delay);
+-    timer->SetDelay(delay);
++    timer->mTimeout += slept;
+   }
+-
+   mSleeping = false;
++  mLastTimerEventLoopRun = now;
++
++  // Wake up the timer thread to process the updated array
++  mNotified = true;
++  mMonitor.Notify();
+ }
+ 
+ 
+--- icecat-31.8.0/xpcom/threads/TimerThread.h.orig	1969-12-31 19:00:00.000000000 -0500
++++ icecat-31.8.0/xpcom/threads/TimerThread.h	2015-08-12 16:38:38.542408062 -0400
+@@ -59,7 +59,7 @@
+   mozilla::Atomic<bool> mInitInProgress;
+   bool    mInitialized;
+ 
+-  // These two internal helper methods must be called while mLock is held.
++  // These two internal helper methods must be called while mMonitor is held.
+   // AddTimerInternal returns the position where the timer was added in the
+   // list, or -1 if it failed.
+   int32_t AddTimerInternal(nsTimerImpl *aTimer);
+@@ -73,6 +73,7 @@
+   bool mWaiting;
+   bool mNotified;
+   bool mSleeping;
++  TimeStamp mLastTimerEventLoopRun;
+ 
+   nsTArray<nsTimerImpl*> mTimers;
+ };
diff --git a/gnu/packages/patches/icecat-CVE-2015-4482.patch b/gnu/packages/patches/icecat-CVE-2015-4482.patch
new file mode 100644
index 0000000000..41f0a3d0fc
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4482.patch
@@ -0,0 +1,28 @@
+From 932a017c745d40d661602f6145c95c9226d8450d Mon Sep 17 00:00:00 2001
+From: Stephen Pohl <spohl.mozilla.bugs@gmail.com>
+Date: Sat, 18 Jul 2015 18:42:15 -0700
+Subject: [PATCH] Bug 1184500 - Improve handling of index names in MAR files.
+ r=rstrong, a=lmandel
+
+---
+ modules/libmar/src/mar_read.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/modules/libmar/src/mar_read.c b/modules/libmar/src/mar_read.c
+index c647370..2013b0f 100644
+--- a/modules/libmar/src/mar_read.c
++++ b/modules/libmar/src/mar_read.c
+@@ -96,6 +96,10 @@ static int mar_consume_index(MarFile *mar, char **buf, const char *buf_end) {
+     ++(*buf);
+   }
+   namelen = (*buf - name);
++  /* must ensure that namelen is valid */
++  if (namelen < 0) {
++    return -1;
++  }
+   /* consume null byte */
+   if (*buf == buf_end)
+     return -1;
+-- 
+2.4.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-4488.patch b/gnu/packages/patches/icecat-CVE-2015-4488.patch
new file mode 100644
index 0000000000..cee0905be0
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4488.patch
@@ -0,0 +1,21 @@
+Backported to icecat-31.8 from the upstream esr38 branch.
+
+From 103fb14ff54753305508448ba0e374247a463552 Mon Sep 17 00:00:00 2001
+From: Daniel Holbert <dholbert@cs.stanford.edu>
+Date: Fri, 19 Jun 2015 15:56:12 -0700
+Subject: [PATCH] Bug 1176270 - Handle self-assignment in
+ StyleAnimationValue::operator=. r=dbaron, a=sledru
+
+--- icecat-31.8.0/layout/style/nsStyleAnimation.cpp.orig	1969-12-31 19:00:00.000000000 -0500
++++ icecat-31.8.0/layout/style/nsStyleAnimation.cpp	2015-08-12 16:00:39.418122049 -0400
+@@ -3517,6 +3517,10 @@
+ nsStyleAnimation::Value&
+ nsStyleAnimation::Value::operator=(const Value& aOther)
+ {
++  if (this == &aOther) {
++    return *this;
++  }
++
+   FreeValue();
+ 
+   mUnit = aOther.mUnit;
diff --git a/gnu/packages/patches/icecat-CVE-2015-4489.patch b/gnu/packages/patches/icecat-CVE-2015-4489.patch
new file mode 100644
index 0000000000..4140891e3a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4489.patch
@@ -0,0 +1,21 @@
+Backported to icecat-31.8 from the upstream esr38 branch.
+
+From 95231c1bca9c9495393b795513bea71a21a6ec2f Mon Sep 17 00:00:00 2001
+From: Birunthan Mohanathas <birunthan@mohanathas.com>
+Date: Tue, 21 Jul 2015 09:42:58 -0700
+Subject: [PATCH] Bug 1182723 - Properly handle self-assignment in
+ nsTArray::operator=. r=mccr8, a=abillings
+
+--- icecat-31.8.0/xpcom/glue/nsTArray.h.orig	2015-08-12 16:03:56.353746969 -0400
++++ icecat-31.8.0/xpcom/glue/nsTArray.h	2015-08-12 16:06:52.144553848 -0400
+@@ -811,7 +811,9 @@
+   // array.  It is optimized to reuse existing storage if possible.
+   // @param other  The array object to copy.
+   self_type& operator=(const self_type& other) {
+-    ReplaceElementsAt(0, Length(), other.Elements(), other.Length());
++    if (this != &other) {
++      ReplaceElementsAt(0, Length(), other.Elements(), other.Length());
++    }
+     return *this;
+   }
+ 
diff --git a/gnu/packages/patches/icecat-CVE-2015-4491.patch b/gnu/packages/patches/icecat-CVE-2015-4491.patch
new file mode 100644
index 0000000000..c16885cfc7
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4491.patch
@@ -0,0 +1,41 @@
+From c154557bc0aa7e310824717f3e829dd82e6726e4 Mon Sep 17 00:00:00 2001
+From: Lee Salzman <lsalzman@mozilla.com>
+Date: Tue, 21 Jul 2015 13:16:44 -0400
+Subject: [PATCH] Bug 1184009 - Limit image preview sizes. r=acomminos,
+ a=lmandel
+
+--HG--
+extra : transplant_source : %9B%86%13%60%B2%97%F1%8Fb%CB%9C%8D%FBWo%C9%EBPs1
+---
+ widget/gtk/nsFilePicker.cpp | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+diff --git a/widget/gtk/nsFilePicker.cpp b/widget/gtk/nsFilePicker.cpp
+index 0b5a8dc..3c0d543 100644
+--- a/widget/gtk/nsFilePicker.cpp
++++ b/widget/gtk/nsFilePicker.cpp
+@@ -101,13 +101,16 @@ UpdateFilePreviewWidget(GtkFileChooser *file_chooser,
+     return;
+   }
+ 
+-  GdkPixbuf *preview_pixbuf;
++  GdkPixbuf *preview_pixbuf = nullptr;
+   // Only scale down images that are too big
+   if (preview_width > MAX_PREVIEW_SIZE || preview_height > MAX_PREVIEW_SIZE) {
+-    preview_pixbuf = gdk_pixbuf_new_from_file_at_size(image_filename,
+-                                                      MAX_PREVIEW_SIZE,
+-                                                      MAX_PREVIEW_SIZE,
+-                                                      nullptr);
++    if (ceil(preview_width / double(MAX_PREVIEW_SIZE) + 1.0) *
++          ceil(preview_height / double(MAX_PREVIEW_SIZE) + 1.0) < 0x7FFFFF) {
++      preview_pixbuf = gdk_pixbuf_new_from_file_at_size(image_filename,
++                                                        MAX_PREVIEW_SIZE,
++                                                        MAX_PREVIEW_SIZE,
++                                                        nullptr);
++    }
+   }
+   else {
+     preview_pixbuf = gdk_pixbuf_new_from_file(image_filename, nullptr);
+-- 
+2.4.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-4492.patch b/gnu/packages/patches/icecat-CVE-2015-4492.patch
new file mode 100644
index 0000000000..5d401f5a32
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4492.patch
@@ -0,0 +1,81 @@
+From 9d5f21ee3a754d20bca4513f55553ea6694a7b25 Mon Sep 17 00:00:00 2001
+From: Andrea Marchesini <amarchesini@mozilla.com>
+Date: Wed, 29 Jul 2015 16:10:15 -0400
+Subject: [PATCH] Bug 1185820 - XMLHttpRequest::Open() in worker should count
+ the recursion using a uint32_t and not a boolean. r=khuey, a=lmandel
+
+--HG--
+extra : transplant_source : %8F%89%24%FF%A1%F7d%5B%BE%E9%FC3%C6%E1%AC%27r%5Eq%16
+extra : histedit_source : 5857f0cedf1cfb5361e6f404a094719814a2b415
+---
+ dom/workers/XMLHttpRequest.cpp | 20 +++++++++++---------
+ 1 file changed, 11 insertions(+), 9 deletions(-)
+
+diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
+index aac97ab..7099279 100644
+--- a/dom/workers/XMLHttpRequest.cpp
++++ b/dom/workers/XMLHttpRequest.cpp
+@@ -100,6 +100,7 @@ public:
+   // Only touched on the worker thread.
+   uint32_t mOuterEventStreamId;
+   uint32_t mOuterChannelId;
++  uint32_t mOpenCount;
+   uint64_t mLastLoaded;
+   uint64_t mLastTotal;
+   uint64_t mLastUploadLoaded;
+@@ -109,7 +110,6 @@ public:
+   bool mLastUploadLengthComputable;
+   bool mSeenLoadStart;
+   bool mSeenUploadLoadStart;
+-  bool mOpening;
+ 
+   // Only touched on the main thread.
+   bool mUploadEventListenersAttached;
+@@ -122,10 +122,10 @@ public:
+   : mWorkerPrivate(nullptr), mXMLHttpRequestPrivate(aXHRPrivate),
+     mMozAnon(aMozAnon), mMozSystem(aMozSystem),
+     mInnerEventStreamId(0), mInnerChannelId(0), mOutstandingSendCount(0),
+-    mOuterEventStreamId(0), mOuterChannelId(0), mLastLoaded(0), mLastTotal(0),
+-    mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
++    mOuterEventStreamId(0), mOuterChannelId(0), mOpenCount(0), mLastLoaded(0),
++    mLastTotal(0), mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
+     mLastLengthComputable(false), mLastUploadLengthComputable(false),
+-    mSeenLoadStart(false), mSeenUploadLoadStart(false), mOpening(false),
++    mSeenLoadStart(false), mSeenUploadLoadStart(false),
+     mUploadEventListenersAttached(false), mMainThreadSeenLoadStart(false),
+     mInOpen(false), mArrayBufferResponseWasTransferred(false)
+   { }
+@@ -1850,7 +1850,7 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody,
+   mWorkerPrivate->AssertIsOnWorkerThread();
+ 
+   // No send() calls when open is running.
+-  if (mProxy->mOpening) {
++  if (mProxy->mOpenCount) {
+     aRv.Throw(NS_ERROR_FAILURE);
+     return;
+   }
+@@ -1945,15 +1945,17 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
+                      mBackgroundRequest, mWithCredentials,
+                      mTimeout);
+ 
+-  mProxy->mOpening = true;
++  ++mProxy->mOpenCount;
+   if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
+-    mProxy->mOpening = false;
+-    ReleaseProxy();
++    if (!--mProxy->mOpenCount) {
++      ReleaseProxy();
++    }
++
+     aRv.Throw(NS_ERROR_FAILURE);
+     return;
+   }
+ 
+-  mProxy->mOpening = false;
++  --mProxy->mOpenCount;
+   mProxy->mIsSyncXHR = !aAsync;
+ }
+ 
+-- 
+2.4.3
+