aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-12-23 10:46:23 -0500
committerMark H Weaver <mhw@netris.org>2015-12-23 18:19:59 -0500
commit097190417f7eadbb02370970acfe8b05da4a619d (patch)
treeefb056bb5ce12e9b032cf472cd20ce6eafad9e4b
parentbba5de0e43e9820fae1442c4ce893c10cb945674 (diff)
downloadguix-097190417f7eadbb02370970acfe8b05da4a619d.tar
guix-097190417f7eadbb02370970acfe8b05da4a619d.tar.gz
gnu: icecat: Update to 38.5.0-gnu1.
* gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch, gnu/packages/patches/icecat-CVE-2015-7205.patch, gnu/packages/patches/icecat-CVE-2015-7210.patch, gnu/packages/patches/icecat-CVE-2015-7212.patch, gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7214.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch, gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch, gnu/packages/patches/icecat-freetype-2.6.patch: Delete files. * gnu-system.am (dist_patch_DATA): Remove them. * gnu/packages/gnuzilla.scm (icecat): Update to 38.5.0-gnu1. [source]: Remove patches.
-rw-r--r--gnu-system.am13
-rw-r--r--gnu/packages/gnuzilla.scm19
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch123
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch29
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch35
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7205.patch84
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7210.patch47
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7212.patch364
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch32
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch27
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7214.patch47
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch112
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch34
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch37
-rw-r--r--gnu/packages/patches/icecat-freetype-2.6.patch14
15 files changed, 3 insertions, 1014 deletions
diff --git a/gnu-system.am b/gnu-system.am
index df177b62d5..e1874fa6c1 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -512,20 +512,7 @@ dist_patch_DATA = \
gnu/packages/patches/hop-linker-flags.patch \
gnu/packages/patches/hydra-automake-1.15.patch \
gnu/packages/patches/hydra-disable-darcs-test.patch \
- gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch \
- gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch \
- gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch \
- gnu/packages/patches/icecat-CVE-2015-7205.patch \
- gnu/packages/patches/icecat-CVE-2015-7210.patch \
- gnu/packages/patches/icecat-CVE-2015-7212.patch \
- gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch \
- gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch \
- gnu/packages/patches/icecat-CVE-2015-7214.patch \
- gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch \
- gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch \
- gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch \
gnu/packages/patches/icecat-avoid-bundled-includes.patch \
- gnu/packages/patches/icecat-freetype-2.6.patch \
gnu/packages/patches/icu4c-CVE-2014-6585.patch \
gnu/packages/patches/icu4c-CVE-2015-1270.patch \
gnu/packages/patches/icu4c-CVE-2015-4760.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 3172bc8c45..40a13e7939 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -266,7 +266,7 @@ standards.")
(define-public icecat
(package
(name "icecat")
- (version "38.4.0-gnu1")
+ (version "38.5.0-gnu1")
(source
(origin
(method url-fetch)
@@ -275,21 +275,8 @@ standards.")
name "-" version ".tar.bz2"))
(sha256
(base32
- "0rcaa19rfgclwd2qvcz8798m57jjzra6kaxg5dniysajvx7qndfp"))
- (patches (map search-patch '("icecat-CVE-2015-7210.patch"
- "icecat-CVE-2015-7205.patch"
- "icecat-CVE-2015-7201-pt1.patch"
- "icecat-CVE-2015-7201-pt2.patch"
- "icecat-CVE-2015-7212.patch"
- "icecat-CVE-2015-7213-pt1.patch"
- "icecat-CVE-2015-7213-pt2.patch"
- "icecat-CVE-2015-7222-pt1.patch"
- "icecat-CVE-2015-7222-pt2.patch"
- "icecat-CVE-2015-7222-pt3.patch"
- "icecat-CVE-2015-7214.patch"
- "icecat-CVE-2015-7201-pt3.patch"
- "icecat-avoid-bundled-includes.patch"
- "icecat-freetype-2.6.patch")))
+ "1bf20mpvx84jsa0dan2hhfc49f30v0wasikv7sh3cg8mwp62faj6"))
+ (patches (map search-patch '("icecat-avoid-bundled-includes.patch")))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch
deleted file mode 100644
index 0fcfe9b409..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From e2bbd632e220be7626efd34acb9a517430d36004 Mon Sep 17 00:00:00 2001
-From: Andrew Comminos <andrew@comminos.com>
-Date: Fri, 23 Oct 2015 21:35:16 -0700
-Subject: [PATCH] Bug 1203135 - Terminate linking if maximum vertex attribute
- count is exceeded on Mesa. r=jgilbert, a=ritu
-
---HG--
-extra : source : 8021382da9722db0ad97ebd93698b69a74f0d9b0
-extra : intermediate-source : 90eff805d2810e9d9ea88f6869335b0500b1a536
----
- dom/canvas/WebGLProgram.cpp | 28 ++++++++++++++++++----------
- dom/canvas/WebGLShader.cpp | 10 ++++++++++
- dom/canvas/WebGLShader.h | 1 +
- dom/canvas/WebGLShaderValidator.cpp | 6 ++++++
- dom/canvas/WebGLShaderValidator.h | 1 +
- 5 files changed, 36 insertions(+), 10 deletions(-)
-
-diff --git a/dom/canvas/WebGLProgram.cpp b/dom/canvas/WebGLProgram.cpp
-index 78f7413..0e056e8 100644
---- a/dom/canvas/WebGLProgram.cpp
-+++ b/dom/canvas/WebGLProgram.cpp
-@@ -569,18 +569,26 @@ WebGLProgram::LinkProgram()
- gl::GLContext* gl = mContext->gl;
- gl->MakeCurrent();
-
-- // Bug 777028: Mesa can't handle more than 16 samplers per program,
-- // counting each array entry.
-- size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() +
-- mFragShader->CalcNumSamplerUniforms();
- if (gl->WorkAroundDriverBugs() &&
-- mContext->mIsMesa &&
-- numSamplerUniforms_upperBound > 16)
-+ mContext->mIsMesa)
- {
-- mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on"
-- " Mesa drivers to avoid crashing.");
-- mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
-- return false;
-+ // Bug 777028: Mesa can't handle more than 16 samplers per program,
-+ // counting each array entry.
-+ size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() +
-+ mFragShader->CalcNumSamplerUniforms();
-+ if (numSamplerUniforms_upperBound > 16) {
-+ mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on"
-+ " Mesa drivers to avoid crashing.");
-+ mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
-+ return false;
-+ }
-+
-+ // Bug 1203135: Mesa crashes internally if we exceed the reported maximum attribute count.
-+ if (mVertShader->NumAttributes() > mContext->MaxVertexAttribs()) {
-+ mLinkLog.AssignLiteral("Number of attributes exceeds Mesa's reported max attribute count.");
-+ mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
-+ return false;
-+ }
- }
-
- // Bind the attrib locations.
-diff --git a/dom/canvas/WebGLShader.cpp b/dom/canvas/WebGLShader.cpp
-index 85a3809..bab4157 100644
---- a/dom/canvas/WebGLShader.cpp
-+++ b/dom/canvas/WebGLShader.cpp
-@@ -299,6 +299,16 @@ WebGLShader::CalcNumSamplerUniforms() const
- return 0;
- }
-
-+size_t
-+WebGLShader::NumAttributes() const
-+{
-+ if (mValidator)
-+ return mValidator->NumAttributes();
-+
-+ // TODO
-+ return 0;
-+}
-+
- void
- WebGLShader::BindAttribLocation(GLuint prog, const nsCString& userName,
- GLuint index) const
-diff --git a/dom/canvas/WebGLShader.h b/dom/canvas/WebGLShader.h
-index 698e30c..2c80b16a 100644
---- a/dom/canvas/WebGLShader.h
-+++ b/dom/canvas/WebGLShader.h
-@@ -45,6 +45,7 @@ public:
- // Util funcs
- bool CanLinkTo(const WebGLShader* prev, nsCString* const out_log) const;
- size_t CalcNumSamplerUniforms() const;
-+ size_t NumAttributes() const;
- void BindAttribLocation(GLuint prog, const nsCString& userName, GLuint index) const;
- bool FindAttribUserNameByMappedName(const nsACString& mappedName,
- nsDependentCString* const out_userName) const;
-diff --git a/dom/canvas/WebGLShaderValidator.cpp b/dom/canvas/WebGLShaderValidator.cpp
-index 80005e2..8bedf88 100644
---- a/dom/canvas/WebGLShaderValidator.cpp
-+++ b/dom/canvas/WebGLShaderValidator.cpp
-@@ -274,6 +274,12 @@ ShaderValidator::CalcNumSamplerUniforms() const
- return accum;
- }
-
-+size_t
-+ShaderValidator::NumAttributes() const
-+{
-+ return ShGetAttributes(mHandle)->size();
-+}
-+
- // Attribs cannot be structs or arrays, and neither can vertex inputs in ES3.
- // Therefore, attrib names are always simple.
- bool
-diff --git a/dom/canvas/WebGLShaderValidator.h b/dom/canvas/WebGLShaderValidator.h
-index 35db2f1..1f794bf0 100644
---- a/dom/canvas/WebGLShaderValidator.h
-+++ b/dom/canvas/WebGLShaderValidator.h
-@@ -41,6 +41,7 @@ public:
- void GetOutput(nsACString* out) const;
- bool CanLinkTo(const ShaderValidator* prev, nsCString* const out_log) const;
- size_t CalcNumSamplerUniforms() const;
-+ size_t NumAttributes() const;
-
- bool FindAttribUserNameByMappedName(const std::string& mappedName,
- const std::string** const out_userName) const;
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch
deleted file mode 100644
index 3764371a11..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From f02e3252391f5fa79916e4c8f30b3d8340d06cc7 Mon Sep 17 00:00:00 2001
-From: "Carsten \"Tomcat\" Book" <cbook@mozilla.com>
-Date: Tue, 8 Dec 2015 12:38:15 +0100
-Subject: [PATCH] Bug 1225250 - fix stride on SourceSurfaceSkia when
- initialized from GPU texture. r=jmuizelaar, a=lizzard
-
----
- gfx/2d/SourceSurfaceSkia.cpp | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/gfx/2d/SourceSurfaceSkia.cpp b/gfx/2d/SourceSurfaceSkia.cpp
-index 4b95bc2..d7e0714 100644
---- a/gfx/2d/SourceSurfaceSkia.cpp
-+++ b/gfx/2d/SourceSurfaceSkia.cpp
-@@ -110,8 +110,10 @@ SourceSurfaceSkia::InitFromTexture(DrawTargetSkia* aOwner,
- GrTexture *skiaTexture = aOwner->mGrContext->wrapBackendTexture(skiaTexGlue);
- SkImageInfo imgInfo = SkImageInfo::Make(aSize.width, aSize.height, GfxFormatToSkiaColorType(aFormat), kOpaque_SkAlphaType);
- SkGrPixelRef *texRef = new SkGrPixelRef(imgInfo, skiaTexture, false);
-- mBitmap.setInfo(imgInfo, aSize.width*aSize.height*4);
-+ mBitmap.setInfo(imgInfo);
- mBitmap.setPixelRef(texRef);
-+ mFormat = aFormat;
-+ mStride = mBitmap.rowBytes();
-
- mDrawTarget = aOwner;
- return true;
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch
deleted file mode 100644
index 022ab5cc16..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 567a97b6347ac8c2b93ec788c437b7e9bb23ef75 Mon Sep 17 00:00:00 2001
-From: Edwin Flores <eflores@mozilla.com>
-Date: Wed, 2 Dec 2015 16:15:29 +0100
-Subject: [PATCH] Bug 1224100 - Initialize padding to 0 in Downscaler. r=seth,
- a=sledru
-
----
- image/src/Downscaler.cpp | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
-index 24ecfda..2a7acfd 100644
---- a/image/src/Downscaler.cpp
-+++ b/image/src/Downscaler.cpp
-@@ -86,11 +86,16 @@ Downscaler::BeginFrame(const nsIntSize& aOriginalSize,
- mTargetSize.height, mYFilter.get());
-
- // Allocate the buffer, which contains scanlines of the original image.
-- mRowBuffer = MakeUnique<uint8_t[]>(mOriginalSize.width * sizeof(uint32_t));
-+ size_t bufferLen = mOriginalSize.width * sizeof(uint32_t);
-+ mRowBuffer = MakeUnique<uint8_t[]>(bufferLen);
- if (MOZ_UNLIKELY(!mRowBuffer)) {
- return NS_ERROR_OUT_OF_MEMORY;
- }
-
-+ // Zero buffer to keep valgrind happy.
-+ memset(mRowBuffer.get(), 0, bufferLen);
-+
-+
- // Allocate the window, which contains horizontally downscaled scanlines. (We
- // can store scanlines which are already downscale because our downscaling
- // filter is separable.)
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7205.patch b/gnu/packages/patches/icecat-CVE-2015-7205.patch
deleted file mode 100644
index 620fa0d6bd..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7205.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 20df7b0b3f3e7dd201c9811bbb1e6515da8da359 Mon Sep 17 00:00:00 2001
-From: Randell Jesup <rjesup@jesup.org>
-Date: Thu, 5 Nov 2015 10:17:29 -0500
-Subject: [PATCH] Bug 1220493 - validate RTP packets against underflows.
- r=pkerr a=sylvestre
-
---HG--
-extra : source : 575d3aa376b1c8e7507d94833f7b74bf963127cb
-extra : intermediate-source : 2c1b396ef5c3e2424fb9af56d86ebf6f6551a997
----
- .../webrtc/modules/rtp_rtcp/source/rtp_utility.cc | 26 ++++++++++++----------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
-index 9334b23..80cf55a 100644
---- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
-+++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
-@@ -338,12 +338,6 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
- return false;
- }
-
-- const uint8_t CSRCocts = CC * 4;
--
-- if ((ptr + CSRCocts) > _ptrRTPDataEnd) {
-- return false;
-- }
--
- header.markerBit = M;
- header.payloadType = PT;
- header.sequenceNumber = sequenceNumber;
-@@ -352,6 +346,14 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
- header.numCSRCs = CC;
- header.paddingLength = P ? *(_ptrRTPDataEnd - 1) : 0;
-
-+ // 12 == sizeof(RFC rtp header) == kRtpMinParseLength, each CSRC=4 bytes
-+ header.headerLength = 12 + (CC * 4);
-+ // not a full validation, just safety against underflow. Padding must
-+ // start after the header. We can have 0 payload bytes left, note.
-+ if (header.paddingLength + header.headerLength > length) {
-+ return false;
-+ }
-+
- for (unsigned int i = 0; i < CC; ++i) {
- uint32_t CSRC = *ptr++ << 24;
- CSRC += *ptr++ << 16;
-@@ -359,8 +361,7 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
- CSRC += *ptr++;
- header.arrOfCSRCs[i] = CSRC;
- }
--
-- header.headerLength = 12 + CSRCocts;
-+ assert((ptr - _ptrRTPDataBegin) == header.headerLength);
-
- // If in effect, MAY be omitted for those packets for which the offset
- // is zero.
-@@ -385,8 +386,9 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
- | header extension |
- | .... |
- */
-- const ptrdiff_t remain = _ptrRTPDataEnd - ptr;
-- if (remain < 4) {
-+ // earlier test ensures we have at least paddingLength bytes left
-+ const ptrdiff_t remain = (_ptrRTPDataEnd - ptr) - header.paddingLength;
-+ if (remain < 4) { // minimum header extension length = 32 bits
- return false;
- }
-
-@@ -395,11 +397,11 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
- uint16_t definedByProfile = *ptr++ << 8;
- definedByProfile += *ptr++;
-
-- uint16_t XLen = *ptr++ << 8;
-+ size_t XLen = *ptr++ << 8;
- XLen += *ptr++; // in 32 bit words
- XLen *= 4; // in octs
-
-- if (remain < (4 + XLen)) {
-+ if (remain < (4 + XLen)) { // we already accounted for padding
- return false;
- }
- if (definedByProfile == kRtpOneByteHeaderExtensionId) {
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7210.patch b/gnu/packages/patches/icecat-CVE-2015-7210.patch
deleted file mode 100644
index eab57021db..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7210.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 4e0cd9ba4924869f91be0e7c8cf666182bb75f90 Mon Sep 17 00:00:00 2001
-From: "Byron Campen [:bwc]" <docfaraday@gmail.com>
-Date: Wed, 28 Oct 2015 12:48:17 -0500
-Subject: [PATCH] Bug 1218326 - Prevent datachannel operations on closed
- PeerConnections. r=jesup a=sylvestre
-
---HG--
-extra : source : a7637b62d9b5ab73f58e5aa3c663d7d35b624826
-extra : intermediate-source : d8f0412f38f75040064157d8d2b0140df21600e6
----
- media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
-index c3d8d26..fe86ff7 100644
---- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
-+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
-@@ -1004,7 +1004,7 @@ PeerConnectionImpl::GetIdentity() const
- NS_IMETHODIMP
- PeerConnectionImpl::EnsureDataConnection(uint16_t aNumstreams)
- {
-- PC_AUTO_ENTER_API_CALL_NO_CHECK();
-+ PC_AUTO_ENTER_API_CALL(false);
-
- #ifdef MOZILLA_INTERNAL_API
- if (mDataConnection) {
-@@ -1102,7 +1102,7 @@ PeerConnectionImpl::GetDatachannelParameters(
- nsresult
- PeerConnectionImpl::InitializeDataChannel()
- {
-- PC_AUTO_ENTER_API_CALL_NO_CHECK();
-+ PC_AUTO_ENTER_API_CALL(false);
- CSFLogDebug(logTag, "%s", __FUNCTION__);
-
- const JsepApplicationCodecDescription* codec;
-@@ -1184,7 +1184,7 @@ PeerConnectionImpl::CreateDataChannel(const nsAString& aLabel,
- uint16_t aStream,
- nsDOMDataChannel** aRetval)
- {
-- PC_AUTO_ENTER_API_CALL_NO_CHECK();
-+ PC_AUTO_ENTER_API_CALL(false);
- MOZ_ASSERT(aRetval);
-
- #ifdef MOZILLA_INTERNAL_API
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7212.patch b/gnu/packages/patches/icecat-CVE-2015-7212.patch
deleted file mode 100644
index 7bda486ff7..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7212.patch
+++ /dev/null
@@ -1,364 +0,0 @@
-From 595e3a152ff2912a950defd0ef4b5f659135b03a Mon Sep 17 00:00:00 2001
-From: Nicolas Silva <nsilva@mozilla.com>
-Date: Wed, 18 Nov 2015 16:59:11 +0100
-Subject: [PATCH] Bug 1222809 - Don't try to allocate unreasonably large
- textures. r=Bas, a=sylvestre
-
----
- gfx/2d/2D.h | 25 ++++++++++--
- gfx/2d/Factory.cpp | 67 ++++++++++++++++++++++++++++-----
- gfx/layers/ImageDataSerializer.cpp | 21 ++++++-----
- gfx/layers/YCbCrImageDataSerializer.cpp | 7 ++++
- gfx/layers/client/TextureClient.cpp | 12 ++++++
- gfx/thebes/gfxPlatform.cpp | 15 ++++++--
- gfx/thebes/gfxPrefs.h | 3 ++
- 7 files changed, 124 insertions(+), 26 deletions(-)
-
-diff --git a/gfx/2d/2D.h b/gfx/2d/2D.h
-index cf35bb2..b1e0e3e 100644
---- a/gfx/2d/2D.h
-+++ b/gfx/2d/2D.h
-@@ -1082,22 +1082,41 @@ struct TileSet
- size_t mTileCount;
- };
-
-+struct Config {
-+ LogForwarder* mLogForwarder;
-+ int32_t mMaxTextureSize;
-+ int32_t mMaxAllocSize;
-+
-+ Config()
-+ : mLogForwarder(nullptr)
-+ , mMaxTextureSize(8192)
-+ , mMaxAllocSize(52000000)
-+ {}
-+};
-+
- class GFX2D_API Factory
- {
- public:
-+ static void Init(const Config& aConfig);
-+ static void ShutDown();
-+
- static bool HasSSE2();
-
- /** Make sure that the given dimensions don't overflow a 32-bit signed int
- * using 4 bytes per pixel; optionally, make sure that either dimension
- * doesn't exceed the given limit.
- */
-- static bool CheckSurfaceSize(const IntSize &sz, int32_t limit = 0);
-+ static bool CheckSurfaceSize(const IntSize &sz,
-+ int32_t limit = 0,
-+ int32_t allocLimit = 0);
-
- /** Make sure the given dimension satisfies the CheckSurfaceSize and is
- * within 8k limit. The 8k value is chosen a bit randomly.
- */
- static bool ReasonableSurfaceSize(const IntSize &aSize);
-
-+ static bool AllowedSurfaceSize(const IntSize &aSize);
-+
- static TemporaryRef<DrawTarget> CreateDrawTargetForCairoSurface(cairo_surface_t* aSurface, const IntSize& aSize, SurfaceFormat* aFormat = nullptr);
-
- static TemporaryRef<DrawTarget>
-@@ -1171,10 +1190,10 @@ public:
-
- static uint32_t GetMaxSurfaceSize(BackendType aType);
-
-- static LogForwarder* GetLogForwarder() { return mLogForwarder; }
-+ static LogForwarder* GetLogForwarder() { return sConfig ? sConfig->mLogForwarder : nullptr; }
-
- private:
-- static LogForwarder* mLogForwarder;
-+ static Config* sConfig;
- public:
-
- #ifdef USE_SKIA_GPU
-diff --git a/gfx/2d/Factory.cpp b/gfx/2d/Factory.cpp
-index 948d3c3..6750c28 100644
---- a/gfx/2d/Factory.cpp
-+++ b/gfx/2d/Factory.cpp
-@@ -188,6 +188,35 @@ ID2D1Device *Factory::mD2D1Device;
-
- DrawEventRecorder *Factory::mRecorder;
-
-+mozilla::gfx::Config* Factory::sConfig = nullptr;
-+
-+void
-+Factory::Init(const Config& aConfig)
-+{
-+ MOZ_ASSERT(!sConfig);
-+ sConfig = new Config(aConfig);
-+
-+ // Make sure we don't completely break rendering because of a typo in the
-+ // pref or whatnot.
-+ const int32_t kMinAllocPref = 10000000;
-+ const int32_t kMinSizePref = 2048;
-+ if (sConfig->mMaxAllocSize < kMinAllocPref) {
-+ sConfig->mMaxAllocSize = kMinAllocPref;
-+ }
-+ if (sConfig->mMaxTextureSize < kMinSizePref) {
-+ sConfig->mMaxTextureSize = kMinSizePref;
-+ }
-+}
-+
-+void
-+Factory::ShutDown()
-+{
-+ if (sConfig) {
-+ delete sConfig;
-+ sConfig = nullptr;
-+ }
-+}
-+
- bool
- Factory::HasSSE2()
- {
-@@ -222,11 +251,25 @@ inline int LoggerOptionsBasedOnSize(const IntSize& aSize)
- bool
- Factory::ReasonableSurfaceSize(const IntSize &aSize)
- {
-- return Factory::CheckSurfaceSize(aSize,8192);
-+ return Factory::CheckSurfaceSize(aSize, 8192);
-+}
-+
-+bool
-+Factory::AllowedSurfaceSize(const IntSize &aSize)
-+{
-+ if (sConfig) {
-+ return Factory::CheckSurfaceSize(aSize,
-+ sConfig->mMaxTextureSize,
-+ sConfig->mMaxAllocSize);
-+ }
-+
-+ return CheckSurfaceSize(aSize);
- }
-
- bool
--Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
-+Factory::CheckSurfaceSize(const IntSize &sz,
-+ int32_t extentLimit,
-+ int32_t allocLimit)
- {
- if (sz.width <= 0 || sz.height <= 0) {
- gfxDebug() << "Surface width or height <= 0!";
-@@ -234,8 +277,8 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
- }
-
- // reject images with sides bigger than limit
-- if (limit && (sz.width > limit || sz.height > limit)) {
-- gfxDebug() << "Surface size too large (exceeds caller's limit)!";
-+ if (extentLimit && (sz.width > extentLimit || sz.height > extentLimit)) {
-+ gfxDebug() << "Surface size too large (exceeds extent limit)!";
- return false;
- }
-
-@@ -267,13 +310,18 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
- return false;
- }
-
-+ if (allocLimit && allocLimit < numBytes.value()) {
-+ gfxDebug() << "Surface size too large (exceeds allocation limit)!";
-+ return false;
-+ }
-+
- return true;
- }
-
- TemporaryRef<DrawTarget>
- Factory::CreateDrawTarget(BackendType aBackend, const IntSize &aSize, SurfaceFormat aFormat)
- {
-- if (!CheckSurfaceSize(aSize)) {
-+ if (!AllowedSurfaceSize(aSize)) {
- gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
- return nullptr;
- }
-@@ -364,7 +412,7 @@ Factory::CreateDrawTargetForData(BackendType aBackend,
- SurfaceFormat aFormat)
- {
- MOZ_ASSERT(aData);
-- if (!CheckSurfaceSize(aSize)) {
-+ if (!AllowedSurfaceSize(aSize)) {
- gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
- return nullptr;
- }
-@@ -835,7 +883,7 @@ Factory::CreateDataSourceSurface(const IntSize &aSize,
- SurfaceFormat aFormat,
- bool aZero)
- {
-- if (!CheckSurfaceSize(aSize)) {
-+ if (!AllowedSurfaceSize(aSize)) {
- gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
- return nullptr;
- }
-@@ -881,14 +929,13 @@ Factory::SetGlobalEventRecorder(DrawEventRecorder *aRecorder)
- mRecorder = aRecorder;
- }
-
--LogForwarder* Factory::mLogForwarder = nullptr;
--
- // static
- void
- Factory::SetLogForwarder(LogForwarder* aLogFwd) {
-- mLogForwarder = aLogFwd;
-+ sConfig->mLogForwarder = aLogFwd;
- }
-
-+
- // static
- void
- CriticalLogger::OutputMessage(const std::string &aString,
-diff --git a/gfx/layers/ImageDataSerializer.cpp b/gfx/layers/ImageDataSerializer.cpp
-index 5dd6aca..331dd04 100644
---- a/gfx/layers/ImageDataSerializer.cpp
-+++ b/gfx/layers/ImageDataSerializer.cpp
-@@ -84,21 +84,23 @@ ImageDataSerializerBase::ComputeMinBufferSize(IntSize aSize,
- SurfaceFormat aFormat)
- {
- MOZ_ASSERT(aSize.height >= 0 && aSize.width >= 0);
-- if (aSize.height <= 0 || aSize.width <= 0) {
-- gfxDebug() << "Non-positive image buffer size request " << aSize.width << "x" << aSize.height;
-+
-+ // This takes care of checking whether there could be overflow
-+ // with enough margin for the metadata.
-+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
- return 0;
- }
-
-- CheckedInt<int32_t> bufsize = ComputeStride(aFormat, aSize.width);
-- bufsize *= aSize.height;
-+ int32_t bufsize = GetAlignedStride<16>(ComputeStride(aFormat, aSize.width)
-+ * aSize.height)
-+ + SurfaceBufferInfo::GetOffset();
-
-- if (!bufsize.isValid() || bufsize.value() <= 0) {
-- gfxDebug() << "Buffer size overflow " << aSize.width << "x" << aSize.height;
-+ if (bufsize < 0) {
-+ // This should not be possible thanks to Factory::AllowedSurfaceSize
- return 0;
- }
-
-- return SurfaceBufferInfo::GetOffset()
-- + GetAlignedStride<16>(bufsize.value());
-+ return bufsize;
- }
-
- void
-@@ -114,7 +116,8 @@ ImageDataSerializerBase::Validate()
- }
- size_t requiredSize =
- ComputeMinBufferSize(IntSize(info->width, info->height), info->format);
-- mIsValid = requiredSize <= mDataSize;
-+
-+ mIsValid = !!requiredSize && requiredSize <= mDataSize;
- }
-
- uint8_t*
-diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp
-index c8e148d..05f5ab2 100644
---- a/gfx/layers/YCbCrImageDataSerializer.cpp
-+++ b/gfx/layers/YCbCrImageDataSerializer.cpp
-@@ -150,6 +150,13 @@ YCbCrImageDataDeserializerBase::ComputeMinBufferSize(const gfx::IntSize& aYSize,
- gfxDebug() << "Non-positive YCbCr buffer size request " << aYSize.height << "x" << aYSize.width << ", " << aCbCrSize.height << "x" << aCbCrSize.width;
- return 0;
- }
-+
-+ if (!gfx::Factory::AllowedSurfaceSize(aYSize) ||
-+ aCbCrSize.width > aYSize.width ||
-+ aCbCrSize.height > aYSize.height) {
-+ return 0;
-+ }
-+
- return ComputeOffset(aYSize.height, aYStride)
- + 2 * ComputeOffset(aCbCrSize.height, aCbCrStride)
- + MOZ_ALIGN_WORD(sizeof(YCbCrBufferInfo));
-diff --git a/gfx/layers/client/TextureClient.cpp b/gfx/layers/client/TextureClient.cpp
-index 9b45ca0..6ae7cbf 100644
---- a/gfx/layers/client/TextureClient.cpp
-+++ b/gfx/layers/client/TextureClient.cpp
-@@ -315,6 +315,10 @@ TextureClient::CreateForDrawing(ISurfaceAllocator* aAllocator,
- aMoz2DBackend = gfxPlatform::GetPlatform()->GetContentBackend();
- }
-
-+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
-+ return nullptr;
-+ }
-+
- RefPtr<TextureClient> texture;
-
- #if defined(MOZ_WIDGET_GONK) || defined(XP_WIN)
-@@ -415,6 +419,10 @@ TextureClient::CreateForRawBufferAccess(ISurfaceAllocator* aAllocator,
- TextureFlags aTextureFlags,
- TextureAllocationFlags aAllocFlags)
- {
-+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
-+ return nullptr;
-+ }
-+
- RefPtr<BufferTextureClient> texture =
- CreateBufferTextureClient(aAllocator, aFormat,
- aTextureFlags, aMoz2DBackend);
-@@ -434,6 +442,10 @@ TextureClient::CreateForYCbCr(ISurfaceAllocator* aAllocator,
- StereoMode aStereoMode,
- TextureFlags aTextureFlags)
- {
-+ if (!gfx::Factory::AllowedSurfaceSize(aYSize)) {
-+ return nullptr;
-+ }
-+
- RefPtr<BufferTextureClient> texture;
- if (aAllocator->IsSameProcess()) {
- texture = new MemoryTextureClient(aAllocator, gfx::SurfaceFormat::YUV,
-diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp
-index 41e4b0c..209a0a8 100644
---- a/gfx/thebes/gfxPlatform.cpp
-+++ b/gfx/thebes/gfxPlatform.cpp
-@@ -458,13 +458,18 @@ gfxPlatform::Init()
- }
- gEverInitialized = true;
-
-- CrashStatsLogForwarder* logForwarder = new CrashStatsLogForwarder("GraphicsCriticalError");
-- mozilla::gfx::Factory::SetLogForwarder(logForwarder);
--
- // Initialize the preferences by creating the singleton.
- gfxPrefs::GetSingleton();
-
-- logForwarder->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength());
-+ auto fwd = new CrashStatsLogForwarder("GraphicsCriticalError");
-+ fwd->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength());
-+
-+ mozilla::gfx::Config cfg;
-+ cfg.mLogForwarder = fwd;
-+ cfg.mMaxTextureSize = gfxPrefs::MaxTextureSize();
-+ cfg.mMaxAllocSize = gfxPrefs::MaxAllocSize();
-+
-+ gfx::Factory::Init(cfg);
-
- gGfxPlatformPrefsLock = new Mutex("gfxPlatform::gGfxPlatformPrefsLock");
-
-@@ -641,6 +646,8 @@ gfxPlatform::Shutdown()
- delete mozilla::gfx::Factory::GetLogForwarder();
- mozilla::gfx::Factory::SetLogForwarder(nullptr);
-
-+ gfx::Factory::ShutDown();
-+
- delete gGfxPlatformPrefsLock;
-
- gfxPrefs::DestroySingleton();
-diff --git a/gfx/thebes/gfxPrefs.h b/gfx/thebes/gfxPrefs.h
-index b7a5fb9..038e1ff 100644
---- a/gfx/thebes/gfxPrefs.h
-+++ b/gfx/thebes/gfxPrefs.h
-@@ -209,6 +209,9 @@ private:
- DECL_GFX_PREF(Live, "gfx.layerscope.port", LayerScopePort, int32_t, 23456);
- // Note that "gfx.logging.level" is defined in Logging.h
- DECL_GFX_PREF(Once, "gfx.logging.crash.length", GfxLoggingCrashLength, uint32_t, 6);
-+ // The maximums here are quite conservative, we can tighten them if problems show up.
-+ DECL_GFX_PREF(Once, "gfx.max-alloc-size", MaxAllocSize, int32_t, (int32_t)500000000);
-+ DECL_GFX_PREF(Once, "gfx.max-texture-size", MaxTextureSize, int32_t, (int32_t)32767);
- DECL_GFX_PREF(Live, "gfx.perf-warnings.enabled", PerfWarnings, bool, false);
- DECL_GFX_PREF(Once, "gfx.work-around-driver-bugs", WorkAroundDriverBugs, bool, true);
-
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch
deleted file mode 100644
index 854c91b8aa..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 3f31bf9e243fb3de26e36d6be0bb0153f51c5b2a Mon Sep 17 00:00:00 2001
-From: Jean-Yves Avenard <jyavenard@mozilla.com>
-Date: Wed, 9 Dec 2015 09:54:58 +0100
-Subject: [PATCH] Bug 1206211 - P1. Ensure operation can't overflow.
- r=kentuckyfriedtakahe, a=sylvestre
-
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index 22163fa..318152a 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -508,10 +508,13 @@ status_t MPEG4Extractor::readMetaData() {
- CHECK_NE(err, (status_t)NO_INIT);
-
- // copy pssh data into file metadata
-- int psshsize = 0;
-+ uint64_t psshsize = 0;
- for (size_t i = 0; i < mPssh.size(); i++) {
- psshsize += 20 + mPssh[i].datalen;
- }
-+ if (psshsize > kMAX_ALLOCATION) {
-+ return ERROR_MALFORMED;
-+ }
- if (psshsize) {
- char *buf = (char*)malloc(psshsize);
- char *ptr = buf;
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch
deleted file mode 100644
index 20bbd36281..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From bb6870bd6dc3acb183f44360c7cc6488656f47ea Mon Sep 17 00:00:00 2001
-From: Jean-Yves Avenard <jyavenard@mozilla.com>
-Date: Wed, 9 Dec 2015 09:55:16 +0100
-Subject: [PATCH] Bug 1206211 - P2. Abort on OOM. r=kentuckyfriedtakahe,
- a=sylvestre
-
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index 318152a..c6aaf1d 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -517,6 +517,9 @@ status_t MPEG4Extractor::readMetaData() {
- }
- if (psshsize) {
- char *buf = (char*)malloc(psshsize);
-+ if (!buf) {
-+ return ERROR_MALFORMED;
-+ }
- char *ptr = buf;
- for (size_t i = 0; i < mPssh.size(); i++) {
- memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7214.patch b/gnu/packages/patches/icecat-CVE-2015-7214.patch
deleted file mode 100644
index 3a56d3d2cd..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7214.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 487799700b0b676c2c6b95ad33c8afb8dbd329d8 Mon Sep 17 00:00:00 2001
-From: Bobby Holley <bobbyholley@gmail.com>
-Date: Mon, 14 Dec 2015 15:36:20 -0500
-Subject: [PATCH] Bug 1228950 - Disallow scheme sets on nsHostObjectURI. r=bz,
- a=lizzard
-
----
- dom/base/nsHostObjectURI.cpp | 9 +++++++++
- dom/base/nsHostObjectURI.h | 2 ++
- 2 files changed, 11 insertions(+)
-
-diff --git a/dom/base/nsHostObjectURI.cpp b/dom/base/nsHostObjectURI.cpp
-index 94b02ff..57b0209 100644
---- a/dom/base/nsHostObjectURI.cpp
-+++ b/dom/base/nsHostObjectURI.cpp
-@@ -81,6 +81,15 @@ nsHostObjectURI::Write(nsIObjectOutputStream* aStream)
- true);
- }
-
-+NS_IMETHODIMP
-+nsHostObjectURI::SetScheme(const nsACString& aScheme)
-+{
-+ // Disallow setting the scheme, since that could cause us to be associated
-+ // with a different protocol handler that doesn't expect us to be carrying
-+ // around a principal with nsIURIWithPrincipal.
-+ return NS_ERROR_FAILURE;
-+}
-+
- // nsIURI methods:
- nsresult
- nsHostObjectURI::CloneInternal(nsSimpleURI::RefHandlingEnum aRefHandlingMode,
-diff --git a/dom/base/nsHostObjectURI.h b/dom/base/nsHostObjectURI.h
-index b468d5d..23ff7ab 100644
---- a/dom/base/nsHostObjectURI.h
-+++ b/dom/base/nsHostObjectURI.h
-@@ -34,6 +34,8 @@ public:
- NS_DECL_NSISERIALIZABLE
- NS_DECL_NSICLASSINFO
-
-+ NS_IMETHOD SetScheme(const nsACString &aProtocol) override;
-+
- // Override CloneInternal() and EqualsInternal()
- virtual nsresult CloneInternal(RefHandlingEnum aRefHandlingMode,
- nsIURI** aClone) override;
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
deleted file mode 100644
index c5d0e4ad60..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From 76e6db3e514350fd146cb04425e669d63b59f889 Mon Sep 17 00:00:00 2001
-From: Gerald Squelart <gsquelart@mozilla.com>
-Date: Wed, 9 Dec 2015 09:59:37 +0100
-Subject: [PATCH] Bug 1216748 - p2. Handle failed malloc in Metadata storage -
- r=rillian, a=sylvestre
-
----
- .../av/include/media/stagefright/MetaData.h | 2 +-
- .../av/media/libstagefright/MetaData.cpp | 35 ++++++++++++++--------
- 2 files changed, 24 insertions(+), 13 deletions(-)
-
-diff --git a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
-index 30d969d..0a8ff77 100644
---- a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
-+++ b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
-@@ -248,7 +248,7 @@ private:
- return mSize <= sizeof(u.reservoir);
- }
-
-- void allocateStorage(size_t size);
-+ bool allocateStorage(size_t size);
- void freeStorage();
-
- void *storage() {
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
-index c832c96..cba324d 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
-@@ -220,7 +220,7 @@ bool MetaData::findData(uint32_t key, uint32_t *type,
- }
-
- MetaData::typed_data::typed_data()
-- : mType(0),
-+ : mType(TYPE_NONE),
- mSize(0) {
- }
-
-@@ -231,17 +231,19 @@ MetaData::typed_data::~typed_data() {
- MetaData::typed_data::typed_data(const typed_data &from)
- : mType(from.mType),
- mSize(0) {
-- allocateStorage(from.mSize);
-- memcpy(storage(), from.storage(), mSize);
-+ if (allocateStorage(from.mSize)) {
-+ memcpy(storage(), from.storage(), mSize);
-+ }
- }
-
- MetaData::typed_data &MetaData::typed_data::operator=(
- const MetaData::typed_data &from) {
- if (this != &from) {
- clear();
-- mType = from.mType;
-- allocateStorage(from.mSize);
-- memcpy(storage(), from.storage(), mSize);
-+ if (allocateStorage(from.mSize)) {
-+ mType = from.mType;
-+ memcpy(storage(), from.storage(), mSize);
-+ }
- }
-
- return *this;
-@@ -250,16 +252,17 @@ MetaData::typed_data &MetaData::typed_data::operator=(
- void MetaData::typed_data::clear() {
- freeStorage();
-
-- mType = 0;
-+ mType = TYPE_NONE;
- }
-
- void MetaData::typed_data::setData(
- uint32_t type, const void *data, size_t size) {
- clear();
-
-- mType = type;
-- allocateStorage(size);
-- memcpy(storage(), data, size);
-+ if (allocateStorage(size)) {
-+ mType = type;
-+ memcpy(storage(), data, size);
-+ }
- }
-
- void MetaData::typed_data::getData(
-@@ -269,14 +272,22 @@ void MetaData::typed_data::getData(
- *data = storage();
- }
-
--void MetaData::typed_data::allocateStorage(size_t size) {
-+bool MetaData::typed_data::allocateStorage(size_t size) {
-+ // Update mSize now, as it is needed by usesReservoir() below.
-+ // (mSize will be reset if the allocation fails further below.)
- mSize = size;
-
- if (usesReservoir()) {
-- return;
-+ return true;
- }
-
- u.ext_data = malloc(mSize);
-+ if (!u.ext_data) {
-+ mType = TYPE_NONE;
-+ mSize = 0;
-+ return false;
-+ }
-+ return true;
- }
-
- void MetaData::typed_data::freeStorage() {
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch
deleted file mode 100644
index 688d7f903f..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 63c353cf8ec6b787936f602532026bd9923a16e4 Mon Sep 17 00:00:00 2001
-From: Gerald Squelart <gsquelart@mozilla.com>
-Date: Wed, 9 Dec 2015 10:00:13 +0100
-Subject: [PATCH] Bug 1216748 - p3. Ensure 'covr' data size cannot create
- underflow - r=rillian, a=sylvestre
-
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index c6aaf1d..a69fc14 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -1889,12 +1889,15 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
- if (mFileMetaData != NULL) {
- ALOGV("chunk_data_size = %lld and data_offset = %lld",
- chunk_data_size, data_offset);
-+ const int kSkipBytesOfDataBox = 16;
-+ if (chunk_data_size <= kSkipBytesOfDataBox) {
-+ return ERROR_MALFORMED;
-+ }
- sp<ABuffer> buffer = new ABuffer(chunk_data_size + 1);
- if (mDataSource->readAt(
- data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {
- return ERROR_IO;
- }
-- const int kSkipBytesOfDataBox = 16;
- mFileMetaData->setData(
- kKeyAlbumArt, MetaData::TYPE_NONE,
- buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch
deleted file mode 100644
index 2f3c95623d..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0221ef0c389bff196ff59fa18232467d3648b926 Mon Sep 17 00:00:00 2001
-From: Gerald Squelart <gsquelart@mozilla.com>
-Date: Wed, 9 Dec 2015 10:00:32 +0100
-Subject: [PATCH] Bug 1216748 - p4. Check other Metadata::setData uses -
- r=rillian, a=sylvestre
-
-Found only one other use that needed better checks: the size of the pssh
-data was only checked after all items were added up; so it would be
-possible to create a set of big items such that they create an overflow,
-but the final sum looks reasonable.
-Instead each item size should be checked, and the sum should also be
-checked at each step.
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index a69fc14..413a495 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -511,9 +511,10 @@ status_t MPEG4Extractor::readMetaData() {
- uint64_t psshsize = 0;
- for (size_t i = 0; i < mPssh.size(); i++) {
- psshsize += 20 + mPssh[i].datalen;
-- }
-- if (psshsize > kMAX_ALLOCATION) {
-- return ERROR_MALFORMED;
-+ if (mPssh[i].datalen > kMAX_ALLOCATION - 20 ||
-+ psshsize > kMAX_ALLOCATION) {
-+ return ERROR_MALFORMED;
-+ }
- }
- if (psshsize) {
- char *buf = (char*)malloc(psshsize);
---
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-freetype-2.6.patch b/gnu/packages/patches/icecat-freetype-2.6.patch
deleted file mode 100644
index ef69f2f715..0000000000
--- a/gnu/packages/patches/icecat-freetype-2.6.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Adapt to freetype 2.6. This patch copied from upstream, see:
-https://bugzilla.mozilla.org/show_bug.cgi?id=1143411
-https://hg.mozilla.org/mozilla-central/rev/afd840d66e6a
-
---- a/config/system-headers
-+++ b/config/system-headers
-@@ -415,6 +415,7 @@ freetype/ftbitmap.h
- freetype/ftxf86.h
- freetype.h
- ftcache.h
-+ftfntfmt.h
- ftglyph.h
- ftsynth.h
- ftoutln.h