diff options
| author | Mark H Weaver <mhw@netris.org> | 2016-01-28 00:22:49 -0500 |
|---|---|---|
| committer | Mark H Weaver <mhw@netris.org> | 2016-01-28 00:34:20 -0500 |
| commit | 29a780147d066d5ce218d1fa2678a0a36a1145e3 (patch) | |
| tree | 447a0dd62011ec61c4fb5b39a72612e24ae3bdf6 | |
| parent | a394c60aa381d2284e382b48af990b6bdc5f33b4 (diff) | |
| download | guix-29a780147d066d5ce218d1fa2678a0a36a1145e3.tar guix-29a780147d066d5ce218d1fa2678a0a36a1145e3.tar.gz | |
gnu: icecat: Add fixes for CVE-2016-{1930,1935} and other bugs.
* gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch,
gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch,
gnu/packages/patches/icecat-CVE-2016-1935.patch,
gnu/packages/patches/icecat-bug-1146335-pt1.patch,
gnu/packages/patches/icecat-bug-1146335-pt2.patch,
gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch: New
files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
21 files changed, 1770 insertions, 2 deletions
diff --git a/gnu-system.am b/gnu-system.am index 297f40a50e..45511d2eb8 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -517,7 +517,26 @@ dist_patch_DATA = \ gnu/packages/patches/hop-linker-flags.patch \ gnu/packages/patches/hydra-automake-1.15.patch \ gnu/packages/patches/hydra-disable-darcs-test.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch \ + gnu/packages/patches/icecat-CVE-2016-1935.patch \ gnu/packages/patches/icecat-avoid-bundled-includes.patch \ + gnu/packages/patches/icecat-bug-1146335-pt1.patch \ + gnu/packages/patches/icecat-bug-1146335-pt2.patch \ + gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch \ gnu/packages/patches/icu4c-CVE-2014-6585.patch \ gnu/packages/patches/icu4c-CVE-2015-1270.patch \ gnu/packages/patches/icu4c-CVE-2015-4760.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 03ca0b7ca0..62010dbf6b 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr> ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org> -;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org> +;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org> ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com> ;;; ;;; This file is part of GNU Guix. @@ -287,7 +287,27 @@ standards.") (sha256 (base32 "0m18xyb0rd02yaw9xd5z4bab1wr2599iszzqhm86c134jv5vk6cg")) - (patches (map search-patch '("icecat-avoid-bundled-includes.patch"))) + (patches (map search-patch + '("icecat-avoid-bundled-includes.patch" + "icecat-CVE-2016-1930-pt01.patch" + "icecat-CVE-2016-1930-pt02.patch" + "icecat-CVE-2016-1930-pt03.patch" + "icecat-CVE-2016-1930-pt04.patch" + "icecat-CVE-2016-1930-pt05.patch" + "icecat-CVE-2016-1930-pt06.patch" + "icecat-CVE-2016-1930-pt07.patch" + "icecat-CVE-2016-1930-pt08.patch" + "icecat-CVE-2016-1930-pt09.patch" + "icecat-CVE-2016-1930-pt10.patch" + "icecat-CVE-2016-1930-pt11.patch" + "icecat-CVE-2016-1930-pt12.patch" + "icecat-CVE-2016-1930-pt13.patch" + "icecat-bug-1146335-pt1.patch" + "icecat-bug-1146335-pt2.patch" + "icecat-CVE-2016-1935.patch" + "icecat-CVE-2016-1930-pt14.patch" + "icecat-CVE-2016-1930-pt15.patch" + "icecat-limit-max-buffers-size-for-ANGLE.patch"))) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch new file mode 100644 index 0000000000..27768fa1ac --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch @@ -0,0 +1,34 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/925215cae26f +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233346 + +# HG changeset patch +# User Nils Ohlmeier <drno@ohlmeier.org> +# Date 1451439902 18000 +# Node ID 925215cae26f9c0ccff07ef403a5b3194a4c45c4 +# Parent ff8e52467d793e935b80bf22a722a71a96fe2d63 +Bug 1233346 - r=ekr a=abillings + +diff --git a/media/mtransport/third_party/nICEr/src/stun/addrs.c b/media/mtransport/third_party/nICEr/src/stun/addrs.c +--- a/media/mtransport/third_party/nICEr/src/stun/addrs.c ++++ b/media/mtransport/third_party/nICEr/src/stun/addrs.c +@@ -530,16 +530,18 @@ stun_get_win32_addrs(nr_local_addr addrs + + for (tmpAddress = AdapterAddresses; tmpAddress != NULL; tmpAddress = tmpAddress->Next) { + char *c; + + if (tmpAddress->OperStatus != IfOperStatusUp) + continue; + + snprintf(munged_ifname, IFNAMSIZ, "%S%c", tmpAddress->FriendlyName, 0); ++ munged_ifname[IFNAMSIZ-1] = '\0'; ++ + /* replace spaces with underscores */ + c = strchr(munged_ifname, ' '); + while (c != NULL) { + *c = '_'; + c = strchr(munged_ifname, ' '); + } + c = strchr(munged_ifname, '.'); + while (c != NULL) { + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch new file mode 100644 index 0000000000..fa1804eb82 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch @@ -0,0 +1,33 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fc78180165a8 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670 + +# HG changeset patch +# User Karl Tomlinson <karlt+@karlt.net> +# Date 1449117514 -46800 +# Node ID fc78180165a8262c80bbb722ed99b2e0c27b02d0 +# Parent 925215cae26f9c0ccff07ef403a5b3194a4c45c4 +bug 1223670 assert that connected streams have the same graph r=padenot a=abillings + +diff --git a/dom/media/MediaStreamGraph.cpp b/dom/media/MediaStreamGraph.cpp +--- a/dom/media/MediaStreamGraph.cpp ++++ b/dom/media/MediaStreamGraph.cpp +@@ -2696,16 +2696,17 @@ ProcessedMediaStream::AllocateInputPort( + unused << mPort.forget(); + } + virtual void RunDuringShutdown() + { + Run(); + } + nsRefPtr<MediaInputPort> mPort; + }; ++ MOZ_ASSERT(aStream->GraphImpl() == GraphImpl()); + nsRefPtr<MediaInputPort> port = new MediaInputPort(aStream, this, aFlags, + aInputNumber, aOutputNumber); + port->SetGraphImpl(GraphImpl()); + GraphImpl()->AppendMessage(new Message(port)); + return port.forget(); + } + + void + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch new file mode 100644 index 0000000000..cf0843b8b3 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch @@ -0,0 +1,308 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f746c38d160e +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670 + +# HG changeset patch +# User Karl Tomlinson <karlt+@karlt.net> +# Date 1449764754 18000 +# Node ID f746c38d160ea29088c15cacae44f3662befaec5 +# Parent fc78180165a8262c80bbb722ed99b2e0c27b02d0 +bug 1223670 replace public constructors with fallible factory methods r=baku a=abillings + +diff --git a/dom/media/webaudio/AudioContext.cpp b/dom/media/webaudio/AudioContext.cpp +--- a/dom/media/webaudio/AudioContext.cpp ++++ b/dom/media/webaudio/AudioContext.cpp +@@ -299,32 +299,29 @@ AudioContext::CreateMediaElementSource(H + aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR); + return nullptr; + } + #endif + nsRefPtr<DOMMediaStream> stream = aMediaElement.MozCaptureStream(aRv); + if (aRv.Failed()) { + return nullptr; + } +- nsRefPtr<MediaElementAudioSourceNode> mediaElementAudioSourceNode = +- new MediaElementAudioSourceNode(this, stream); +- return mediaElementAudioSourceNode.forget(); ++ return MediaElementAudioSourceNode::Create(this, stream, aRv); + } + + already_AddRefed<MediaStreamAudioSourceNode> + AudioContext::CreateMediaStreamSource(DOMMediaStream& aMediaStream, + ErrorResult& aRv) + { + if (mIsOffline) { + aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR); + return nullptr; + } +- nsRefPtr<MediaStreamAudioSourceNode> mediaStreamAudioSourceNode = +- new MediaStreamAudioSourceNode(this, &aMediaStream); +- return mediaStreamAudioSourceNode.forget(); ++ ++ return MediaStreamAudioSourceNode::Create(this, &aMediaStream, aRv); + } + + already_AddRefed<GainNode> + AudioContext::CreateGain() + { + nsRefPtr<GainNode> gainNode = new GainNode(this); + return gainNode.forget(); + } +diff --git a/dom/media/webaudio/AudioNode.cpp b/dom/media/webaudio/AudioNode.cpp +--- a/dom/media/webaudio/AudioNode.cpp ++++ b/dom/media/webaudio/AudioNode.cpp +@@ -61,34 +61,29 @@ AudioNode::AudioNode(AudioContext* aCont + ChannelInterpretation aChannelInterpretation) + : DOMEventTargetHelper(aContext->GetParentObject()) + , mContext(aContext) + , mChannelCount(aChannelCount) + , mChannelCountMode(aChannelCountMode) + , mChannelInterpretation(aChannelInterpretation) + , mId(gId++) + , mPassThrough(false) +-#ifdef DEBUG +- , mDemiseNotified(false) +-#endif + { + MOZ_ASSERT(aContext); + DOMEventTargetHelper::BindToOwner(aContext->GetParentObject()); + aContext->UpdateNodeCount(1); + } + + AudioNode::~AudioNode() + { + MOZ_ASSERT(mInputNodes.IsEmpty()); + MOZ_ASSERT(mOutputNodes.IsEmpty()); + MOZ_ASSERT(mOutputParams.IsEmpty()); +-#ifdef DEBUG +- MOZ_ASSERT(mDemiseNotified, ++ MOZ_ASSERT(!mStream, + "The webaudio-node-demise notification must have been sent"); +-#endif + if (mContext) { + mContext->UpdateNodeCount(-1); + } + } + + size_t + AudioNode::SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const + { +@@ -399,19 +394,16 @@ AudioNode::DestroyMediaStream() + mStream = nullptr; + + nsCOMPtr<nsIObserverService> obs = services::GetObserverService(); + if (obs) { + nsAutoString id; + id.AppendPrintf("%u", mId); + obs->NotifyObservers(nullptr, "webaudio-node-demise", id.get()); + } +-#ifdef DEBUG +- mDemiseNotified = true; +-#endif + } + } + + void + AudioNode::RemoveOutputParam(AudioParam* aParam) + { + mOutputParams.RemoveElement(aParam); + } +diff --git a/dom/media/webaudio/AudioNode.h b/dom/media/webaudio/AudioNode.h +--- a/dom/media/webaudio/AudioNode.h ++++ b/dom/media/webaudio/AudioNode.h +@@ -239,19 +239,14 @@ private: + nsTArray<nsRefPtr<AudioParam> > mOutputParams; + uint32_t mChannelCount; + ChannelCountMode mChannelCountMode; + ChannelInterpretation mChannelInterpretation; + const uint32_t mId; + // Whether the node just passes through its input. This is a devtools API that + // only works for some node types. + bool mPassThrough; +-#ifdef DEBUG +- // In debug builds, check to make sure that the node demise notification has +- // been properly sent before the node is destroyed. +- bool mDemiseNotified; +-#endif + }; + + } + } + + #endif +diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.cpp b/dom/media/webaudio/MediaElementAudioSourceNode.cpp +--- a/dom/media/webaudio/MediaElementAudioSourceNode.cpp ++++ b/dom/media/webaudio/MediaElementAudioSourceNode.cpp +@@ -5,22 +5,36 @@ + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + + #include "MediaElementAudioSourceNode.h" + #include "mozilla/dom/MediaElementAudioSourceNodeBinding.h" + + namespace mozilla { + namespace dom { + +-MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext, +- DOMMediaStream* aStream) +- : MediaStreamAudioSourceNode(aContext, aStream) ++MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext) ++ : MediaStreamAudioSourceNode(aContext) + { + } + ++/* static */ already_AddRefed<MediaElementAudioSourceNode> ++MediaElementAudioSourceNode::Create(AudioContext* aContext, ++ DOMMediaStream* aStream, ErrorResult& aRv) ++{ ++ nsRefPtr<MediaElementAudioSourceNode> node = ++ new MediaElementAudioSourceNode(aContext); ++ ++ node->Init(aStream, aRv); ++ if (aRv.Failed()) { ++ return nullptr; ++ } ++ ++ return node.forget(); ++} ++ + JSObject* + MediaElementAudioSourceNode::WrapObject(JSContext* aCx) + { + return MediaElementAudioSourceNodeBinding::Wrap(aCx, this); + } + + } + } +diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.h b/dom/media/webaudio/MediaElementAudioSourceNode.h +--- a/dom/media/webaudio/MediaElementAudioSourceNode.h ++++ b/dom/media/webaudio/MediaElementAudioSourceNode.h +@@ -10,28 +10,30 @@ + #include "MediaStreamAudioSourceNode.h" + + namespace mozilla { + namespace dom { + + class MediaElementAudioSourceNode : public MediaStreamAudioSourceNode + { + public: +- MediaElementAudioSourceNode(AudioContext* aContext, +- DOMMediaStream* aStream); ++ static already_AddRefed<MediaElementAudioSourceNode> ++ Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv); + + virtual JSObject* WrapObject(JSContext* aCx) override; + + virtual const char* NodeType() const override + { + return "MediaElementAudioSourceNode"; + } + + virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override + { + return aMallocSizeOf(this) + SizeOfExcludingThis(aMallocSizeOf); + } ++private: ++ explicit MediaElementAudioSourceNode(AudioContext* aContext); + }; + + } + } + + #endif +diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp +--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp ++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp +@@ -25,26 +25,45 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_ + NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END + + NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(MediaStreamAudioSourceNode) + NS_INTERFACE_MAP_END_INHERITING(AudioNode) + + NS_IMPL_ADDREF_INHERITED(MediaStreamAudioSourceNode, AudioNode) + NS_IMPL_RELEASE_INHERITED(MediaStreamAudioSourceNode, AudioNode) + +-MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext, +- DOMMediaStream* aMediaStream) ++MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext) + : AudioNode(aContext, + 2, + ChannelCountMode::Max, +- ChannelInterpretation::Speakers), +- mInputStream(aMediaStream) ++ ChannelInterpretation::Speakers) + { ++} ++ ++/* static */ already_AddRefed<MediaStreamAudioSourceNode> ++MediaStreamAudioSourceNode::Create(AudioContext* aContext, ++ DOMMediaStream* aStream, ErrorResult& aRv) ++{ ++ nsRefPtr<MediaStreamAudioSourceNode> node = ++ new MediaStreamAudioSourceNode(aContext); ++ ++ node->Init(aStream, aRv); ++ if (aRv.Failed()) { ++ return nullptr; ++ } ++ ++ return node.forget(); ++} ++ ++void ++MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv) ++{ ++ mInputStream = aMediaStream; + AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this); +- mStream = aContext->Graph()->CreateAudioNodeExternalInputStream(engine); ++ mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine); + ProcessedMediaStream* outputStream = static_cast<ProcessedMediaStream*>(mStream.get()); + mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(), + MediaInputPort::FLAG_BLOCK_INPUT); + mInputStream->AddConsumerToKeepAlive(static_cast<nsIDOMEventTarget*>(this)); + + PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector + mInputStream->AddPrincipalChangeObserver(this); + } +diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.h b/dom/media/webaudio/MediaStreamAudioSourceNode.h +--- a/dom/media/webaudio/MediaStreamAudioSourceNode.h ++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.h +@@ -38,17 +38,18 @@ public: + private: + bool mEnabled; + }; + + class MediaStreamAudioSourceNode : public AudioNode, + public DOMMediaStream::PrincipalChangeObserver + { + public: +- MediaStreamAudioSourceNode(AudioContext* aContext, DOMMediaStream* aMediaStream); ++ static already_AddRefed<MediaStreamAudioSourceNode> ++ Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv); + + NS_DECL_ISUPPORTS_INHERITED + NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(MediaStreamAudioSourceNode, AudioNode) + + virtual JSObject* WrapObject(JSContext* aCx) override; + + virtual void DestroyMediaStream() override; + +@@ -60,16 +61,18 @@ public: + } + + virtual size_t SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const override; + virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override; + + virtual void PrincipalChanged(DOMMediaStream* aMediaStream) override; + + protected: ++ explicit MediaStreamAudioSourceNode(AudioContext* aContext); ++ void Init(DOMMediaStream* aMediaStream, ErrorResult& aRv); + virtual ~MediaStreamAudioSourceNode(); + + private: + nsRefPtr<MediaInputPort> mInputPort; + nsRefPtr<DOMMediaStream> mInputStream; + }; + + } + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch new file mode 100644 index 0000000000..b212a70d4a --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch @@ -0,0 +1,47 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/6d43ff33bd55 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670 + +# HG changeset patch +# User Karl Tomlinson <karlt+@karlt.net> +# Date 1451362442 -46800 +# Node ID 6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c +# Parent f746c38d160ea29088c15cacae44f3662befaec5 +bug 1223670 throw not supported when creating a node from a stream with different channel r=baku a=abillings + +diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp +--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp ++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp +@@ -51,21 +51,29 @@ MediaStreamAudioSourceNode::Create(Audio + } + + return node.forget(); + } + + void + MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv) + { ++ MOZ_ASSERT(aMediaStream); ++ MediaStream* inputStream = aMediaStream->GetStream(); ++ MediaStreamGraph* graph = Context()->Graph(); ++ if (NS_WARN_IF(graph != inputStream->Graph())) { ++ aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR); ++ return; ++ } ++ + mInputStream = aMediaStream; + AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this); +- mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine); ++ mStream = graph->CreateAudioNodeExternalInputStream(engine); + ProcessedMediaStream* outputStream = static_cast<ProcessedMediaStream*>(mStream.get()); +- mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(), ++ mInputPort = outputStream->AllocateInputPort(inputStream, + MediaInputPort::FLAG_BLOCK_INPUT); + mInputStream->AddConsumerToKeepAlive(static_cast<nsIDOMEventTarget*>(this)); + + PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector + mInputStream->AddPrincipalChangeObserver(this); + } + + MediaStreamAudioSourceNode::~MediaStreamAudioSourceNode() + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch new file mode 100644 index 0000000000..3e62c9c5f1 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch @@ -0,0 +1,51 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4f6e81673f69 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670 + +# HG changeset patch +# User Karl Tomlinson <karlt+@karlt.net> +# Date 1449145091 -46800 +# Node ID 4f6e81673f6938719c86516606f2fda493e8c23c +# Parent 6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c +bug 1223670 make SetMozAudioChannelType() private because the type will not change after construction r=baku a=abillings + +diff --git a/dom/media/webaudio/AudioDestinationNode.h b/dom/media/webaudio/AudioDestinationNode.h +--- a/dom/media/webaudio/AudioDestinationNode.h ++++ b/dom/media/webaudio/AudioDestinationNode.h +@@ -57,17 +57,16 @@ public: + void StartRendering(Promise* aPromise); + + void OfflineShutdown(); + + // nsIDOMEventListener - by proxy + NS_IMETHOD HandleEvent(nsIDOMEvent* aEvent) override; + + AudioChannel MozAudioChannelType() const; +- void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv); + + virtual void NotifyMainThreadStateChanged() override; + void FireOfflineCompletionEvent(); + + // An amount that should be added to the MediaStream's current time to + // get the AudioContext.currentTime. + double ExtraCurrentTime(); + +@@ -86,16 +85,17 @@ public: + + void InputMuted(bool aInputMuted); + void ResolvePromise(AudioBuffer* aRenderedBuffer); + + protected: + virtual ~AudioDestinationNode(); + + private: ++ void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv); + bool CheckAudioChannelPermissions(AudioChannel aValue); + + void SetCanPlay(bool aCanPlay); + + void NotifyStableState(); + void ScheduleStableStateNotification(); + + SelfReference<AudioDestinationNode> mOfflineRenderingRef; + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch new file mode 100644 index 0000000000..ec1f479ee4 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch @@ -0,0 +1,170 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/93617c30c0df +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230686 + +# HG changeset patch +# User Lee Salzman <lsalzman@mozilla.com> +# Date 1451932822 18000 +# Node ID 93617c30c0df35f719dead526b78649d564f5ac3 +# Parent 4f6e81673f6938719c86516606f2fda493e8c23c +Bug 1230686 - use RefPtr<DrawTarget>& instead of DrawTarget* to track changes in SurfaceFromElement a=ritu + +diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp +--- a/layout/base/nsLayoutUtils.cpp ++++ b/layout/base/nsLayoutUtils.cpp +@@ -6494,17 +6494,17 @@ nsLayoutUtils::IsReallyFixedPos(nsIFrame + nsIAtom *parentType = aFrame->GetParent()->GetType(); + return parentType == nsGkAtoms::viewportFrame || + parentType == nsGkAtoms::pageContentFrame; + } + + nsLayoutUtils::SurfaceFromElementResult + nsLayoutUtils::SurfaceFromElement(nsIImageLoadingContent* aElement, + uint32_t aSurfaceFlags, +- DrawTarget* aTarget) ++ RefPtr<DrawTarget>& aTarget) + { + SurfaceFromElementResult result; + nsresult rv; + + nsCOMPtr<imgIRequest> imgRequest; + rv = aElement->GetRequest(nsIImageLoadingContent::CURRENT_REQUEST, + getter_AddRefs(imgRequest)); + if (NS_FAILED(rv) || !imgRequest) +@@ -6586,41 +6586,41 @@ nsLayoutUtils::SurfaceFromElement(nsIIma + result.mImageRequest = imgRequest.forget(); + + return result; + } + + nsLayoutUtils::SurfaceFromElementResult + nsLayoutUtils::SurfaceFromElement(HTMLImageElement *aElement, + uint32_t aSurfaceFlags, +- DrawTarget* aTarget) ++ RefPtr<DrawTarget>& aTarget) + { + return SurfaceFromElement(static_cast<nsIImageLoadingContent*>(aElement), + aSurfaceFlags, aTarget); + } + + nsLayoutUtils::SurfaceFromElementResult + nsLayoutUtils::SurfaceFromElement(HTMLCanvasElement* aElement, + uint32_t aSurfaceFlags, +- DrawTarget* aTarget) ++ RefPtr<DrawTarget>& aTarget) + { + SurfaceFromElementResult result; + + bool* isPremultiplied = nullptr; + if (aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) { + isPremultiplied = &result.mIsPremultiplied; + } + + gfxIntSize size = aElement->GetSize(); + + result.mSourceSurface = aElement->GetSurfaceSnapshot(isPremultiplied); + if (!result.mSourceSurface) { + // If the element doesn't have a context then we won't get a snapshot. The canvas spec wants us to not error and just + // draw nothing, so return an empty surface. +- DrawTarget *ref = aTarget ? aTarget : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget(); ++ DrawTarget *ref = aTarget ? aTarget.get() : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget(); + RefPtr<DrawTarget> dt = ref->CreateSimilarDrawTarget(IntSize(size.width, size.height), + SurfaceFormat::B8G8R8A8); + if (dt) { + result.mSourceSurface = dt->Snapshot(); + } + } else if (aTarget) { + RefPtr<SourceSurface> opt = aTarget->OptimizeSourceSurface(result.mSourceSurface); + if (opt) { +@@ -6637,17 +6637,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLCa + result.mIsWriteOnly = aElement->IsWriteOnly(); + + return result; + } + + nsLayoutUtils::SurfaceFromElementResult + nsLayoutUtils::SurfaceFromElement(HTMLVideoElement* aElement, + uint32_t aSurfaceFlags, +- DrawTarget* aTarget) ++ RefPtr<DrawTarget>& aTarget) + { + SurfaceFromElementResult result; + + NS_WARN_IF_FALSE((aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) == 0, "We can't support non-premultiplied alpha for video!"); + + #ifdef MOZ_EME + if (aElement->ContainsRestrictedContent()) { + return result; +@@ -6689,17 +6689,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLVi + result.mIsWriteOnly = false; + + return result; + } + + nsLayoutUtils::SurfaceFromElementResult + nsLayoutUtils::SurfaceFromElement(dom::Element* aElement, + uint32_t aSurfaceFlags, +- DrawTarget* aTarget) ++ RefPtr<DrawTarget>& aTarget) + { + // If it's a <canvas>, we may be able to just grab its internal surface + if (HTMLCanvasElement* canvas = + HTMLCanvasElement::FromContentOrNull(aElement)) { + return SurfaceFromElement(canvas, aSurfaceFlags, aTarget); + } + + // Maybe it's <video>? +diff --git a/layout/base/nsLayoutUtils.h b/layout/base/nsLayoutUtils.h +--- a/layout/base/nsLayoutUtils.h ++++ b/layout/base/nsLayoutUtils.h +@@ -2018,33 +2018,39 @@ public: + bool mIsStillLoading; + /* Whether the element used CORS when loading. */ + bool mCORSUsed; + /* Whether the returned image contains premultiplied pixel data */ + bool mIsPremultiplied; + }; + + static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement, +- uint32_t aSurfaceFlags = 0, +- DrawTarget *aTarget = nullptr); ++ uint32_t aSurfaceFlags, ++ mozilla::RefPtr<DrawTarget>& aTarget); ++ static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement, ++ uint32_t aSurfaceFlags = 0) { ++ mozilla::RefPtr<DrawTarget> target = nullptr; ++ return SurfaceFromElement(aElement, aSurfaceFlags, target); ++ } ++ + static SurfaceFromElementResult SurfaceFromElement(nsIImageLoadingContent *aElement, +- uint32_t aSurfaceFlags = 0, +- DrawTarget *aTarget = nullptr); ++ uint32_t aSurfaceFlags, ++ mozilla::RefPtr<DrawTarget>& aTarget); + // Need an HTMLImageElement overload, because otherwise the + // nsIImageLoadingContent and mozilla::dom::Element overloads are ambiguous + // for HTMLImageElement. + static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLImageElement *aElement, +- uint32_t aSurfaceFlags = 0, +- DrawTarget *aTarget = nullptr); ++ uint32_t aSurfaceFlags, ++ mozilla::RefPtr<DrawTarget>& aTarget); + static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLCanvasElement *aElement, +- uint32_t aSurfaceFlags = 0, +- DrawTarget *aTarget = nullptr); ++ uint32_t aSurfaceFlags, ++ mozilla::RefPtr<DrawTarget>& aTarget); + static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLVideoElement *aElement, +- uint32_t aSurfaceFlags = 0, +- DrawTarget *aTarget = nullptr); ++ uint32_t aSurfaceFlags, ++ mozilla::RefPtr<DrawTarget>& aTarget); + + /** + * When the document is editable by contenteditable attribute of its root + * content or body content. + * + * Be aware, this returns nullptr if it's in designMode. + * + * For example: + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch new file mode 100644 index 0000000000..4f349747c0 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch @@ -0,0 +1,56 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/750e4cfc90f8 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233152 + +# HG changeset patch +# User Jan de Mooij <jdemooij@mozilla.com> +# Date 1451478493 -3600 +# Node ID 750e4cfc90f80df657e44c9c63b1865023d88682 +# Parent 93617c30c0df35f719dead526b78649d564f5ac3 +Bug 1233152 - Use PersistentRooted for ParseTask script and sourceObject. r=terrence a=abillings + +diff --git a/js/src/vm/HelperThreads.cpp b/js/src/vm/HelperThreads.cpp +--- a/js/src/vm/HelperThreads.cpp ++++ b/js/src/vm/HelperThreads.cpp +@@ -198,17 +198,17 @@ static const JSClass parseTaskGlobalClas + + ParseTask::ParseTask(ExclusiveContext* cx, JSObject* exclusiveContextGlobal, JSContext* initCx, + const char16_t* chars, size_t length, + JS::OffThreadCompileCallback callback, void* callbackData) + : cx(cx), options(initCx), chars(chars), length(length), + alloc(JSRuntime::TEMP_LIFO_ALLOC_PRIMARY_CHUNK_SIZE), + exclusiveContextGlobal(initCx, exclusiveContextGlobal), + callback(callback), callbackData(callbackData), +- script(nullptr), errors(cx), overRecursed(false) ++ script(initCx->runtime(), nullptr), errors(cx), overRecursed(false) + { + } + + bool + ParseTask::init(JSContext* cx, const ReadOnlyCompileOptions& options) + { + if (!this->options.copy(cx, options)) + return false; +diff --git a/js/src/vm/HelperThreads.h b/js/src/vm/HelperThreads.h +--- a/js/src/vm/HelperThreads.h ++++ b/js/src/vm/HelperThreads.h +@@ -472,17 +472,17 @@ struct ParseTask + + // Callback invoked off the main thread when the parse finishes. + JS::OffThreadCompileCallback callback; + void* callbackData; + + // Holds the final script between the invocation of the callback and the + // point where FinishOffThreadScript is called, which will destroy the + // ParseTask. +- JSScript* script; ++ PersistentRootedScript script; + + // Any errors or warnings produced during compilation. These are reported + // when finishing the script. + Vector<frontend::CompileError*> errors; + bool overRecursed; + + ParseTask(ExclusiveContext* cx, JSObject* exclusiveContextGlobal, + JSContext* initCx, const char16_t* chars, size_t length, + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch new file mode 100644 index 0000000000..406ce1bf2b --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch @@ -0,0 +1,48 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4444e94a99cb +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1221385 + +# HG changeset patch +# User Jan de Mooij <jdemooij@mozilla.com> +# Date 1451478429 -3600 +# Node ID 4444e94a99cb9b00c0351cc8bf5459739cc036a5 +# Parent 750e4cfc90f80df657e44c9c63b1865023d88682 +Bug 1221385 - Handle OOM during JitRuntime initialization a bit better. r=bhackett a=abillings + +diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp +--- a/js/src/jscompartment.cpp ++++ b/js/src/jscompartment.cpp +@@ -138,28 +138,20 @@ JSRuntime::createJitRuntime(JSContext* c + + // Protect jitRuntime_ from being observed (by InterruptRunningJitCode) + // while it is being initialized. Unfortunately, initialization depends on + // jitRuntime_ being non-null, so we can't just wait to assign jitRuntime_. + JitRuntime::AutoMutateBackedges amb(jrt); + jitRuntime_ = jrt; + + if (!jitRuntime_->initialize(cx)) { +- js_ReportOutOfMemory(cx); +- +- js_delete(jitRuntime_); +- jitRuntime_ = nullptr; +- +- JSCompartment* comp = cx->runtime()->atomsCompartment(); +- if (comp->jitCompartment_) { +- js_delete(comp->jitCompartment_); +- comp->jitCompartment_ = nullptr; +- } +- +- return nullptr; ++ // Handling OOM here is complicated: if we delete jitRuntime_ now, we ++ // will destroy the ExecutableAllocator, even though there may still be ++ // JitCode instances holding references to ExecutablePools. ++ CrashAtUnhandlableOOM("OOM in createJitRuntime"); + } + + return jitRuntime_; + } + + bool + JSCompartment::ensureJitCompartmentExists(JSContext* cx) + { + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch new file mode 100644 index 0000000000..e87b95f729 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch @@ -0,0 +1,189 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f31d643afd41 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233925 + +# HG changeset patch +# User Jan de Mooij <jdemooij@mozilla.com> +# Date 1452110721 -3600 +# Node ID f31d643afd4159b5422ae5aebcbbea0a088e018e +# Parent 4444e94a99cb9b00c0351cc8bf5459739cc036a5 +Bug 1233925 - Treat functions with rest more like functions with lazy arguments. r=nbp a=ritu + +diff --git a/js/src/jit/BacktrackingAllocator.cpp b/js/src/jit/BacktrackingAllocator.cpp +--- a/js/src/jit/BacktrackingAllocator.cpp ++++ b/js/src/jit/BacktrackingAllocator.cpp +@@ -201,20 +201,19 @@ BacktrackingAllocator::tryGroupRegisters + // constructor calling convention. + if (IsThisSlotDefinition(reg0->def()) || IsThisSlotDefinition(reg1->def())) { + if (*reg0->def()->output() != *reg1->def()->output()) + return true; + } + + // Registers which might spill to the frame's argument slots can only be + // grouped with other such registers if the frame might access those +- // arguments through a lazy arguments object. ++ // arguments through a lazy arguments object or rest parameter. + if (IsArgumentSlotDefinition(reg0->def()) || IsArgumentSlotDefinition(reg1->def())) { +- JSScript* script = graph.mir().entryBlock()->info().script(); +- if (script && script->argumentsAliasesFormals()) { ++ if (graph.mir().entryBlock()->info().mayReadFrameArgsDirectly()) { + if (*reg0->def()->output() != *reg1->def()->output()) + return true; + } + } + + VirtualRegisterGroup* group0 = reg0->group(), *group1 = reg1->group(); + + if (!group0 && group1) +diff --git a/js/src/jit/CompileInfo.h b/js/src/jit/CompileInfo.h +--- a/js/src/jit/CompileInfo.h ++++ b/js/src/jit/CompileInfo.h +@@ -194,16 +194,17 @@ enum AnalysisMode { + class CompileInfo + { + public: + CompileInfo(JSScript* script, JSFunction* fun, jsbytecode* osrPc, bool constructing, + AnalysisMode analysisMode, bool scriptNeedsArgsObj, + InlineScriptTree* inlineScriptTree) + : script_(script), fun_(fun), osrPc_(osrPc), constructing_(constructing), + analysisMode_(analysisMode), scriptNeedsArgsObj_(scriptNeedsArgsObj), ++ mayReadFrameArgsDirectly_(script->mayReadFrameArgsDirectly()), + inlineScriptTree_(inlineScriptTree) + { + MOZ_ASSERT_IF(osrPc, JSOp(*osrPc) == JSOP_LOOPENTRY); + + // The function here can flow in from anywhere so look up the canonical + // function to ensure that we do not try to embed a nursery pointer in + // jit-code. Precisely because it can flow in from anywhere, it's not + // guaranteed to be non-lazy. Hence, don't access its script! +@@ -222,17 +223,17 @@ class CompileInfo + fixedLexicalBegin_ = script->fixedLexicalBegin(); + nstack_ = script->nslots() - script->nfixed(); + nslots_ = nimplicit_ + nargs_ + nlocals_ + nstack_; + } + + explicit CompileInfo(unsigned nlocals) + : script_(nullptr), fun_(nullptr), osrPc_(nullptr), osrStaticScope_(nullptr), + constructing_(false), analysisMode_(Analysis_None), scriptNeedsArgsObj_(false), +- inlineScriptTree_(nullptr) ++ mayReadFrameArgsDirectly_(false), inlineScriptTree_(nullptr) + { + nimplicit_ = 0; + nargs_ = 0; + nbodyfixed_ = 0; + nlocals_ = nlocals; + nstack_ = 1; /* For FunctionCompiler::pushPhiInput/popPhiOutput */ + nslots_ = nlocals_ + nstack_; + fixedLexicalBegin_ = nlocals; +@@ -539,16 +540,20 @@ class CompileInfo + return false; + + if (needsArgsObj() && isObservableArgumentSlot(slot)) + return false; + + return true; + } + ++ bool mayReadFrameArgsDirectly() const { ++ return mayReadFrameArgsDirectly_; ++ } ++ + private: + unsigned nimplicit_; + unsigned nargs_; + unsigned nbodyfixed_; + unsigned nlocals_; + unsigned nstack_; + unsigned nslots_; + unsigned fixedLexicalBegin_; +@@ -559,15 +564,17 @@ class CompileInfo + bool constructing_; + AnalysisMode analysisMode_; + + // Whether a script needs an arguments object is unstable over compilation + // since the arguments optimization could be marked as failed on the main + // thread, so cache a value here and use it throughout for consistency. + bool scriptNeedsArgsObj_; + ++ bool mayReadFrameArgsDirectly_; ++ + InlineScriptTree* inlineScriptTree_; + }; + + } // namespace jit + } // namespace js + + #endif /* jit_CompileInfo_h */ +diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp +--- a/js/src/jit/JitFrames.cpp ++++ b/js/src/jit/JitFrames.cpp +@@ -1002,17 +1002,17 @@ MarkThisAndArguments(JSTracer* trc, JitF + // formal arguments is taken care of by the frame's safepoint/snapshot, + // except when the script's lazy arguments object aliases those formals, + // in which case we mark them as well. + + size_t nargs = layout->numActualArgs(); + size_t nformals = 0; + if (CalleeTokenIsFunction(layout->calleeToken())) { + JSFunction* fun = CalleeTokenToFunction(layout->calleeToken()); +- nformals = fun->nonLazyScript()->argumentsAliasesFormals() ? 0 : fun->nargs(); ++ nformals = fun->nonLazyScript()->mayReadFrameArgsDirectly() ? 0 : fun->nargs(); + } + + Value* argv = layout->argv(); + + // Trace |this|. + gc::MarkValueRoot(trc, argv, "ion-thisv"); + + // Trace actual arguments beyond the formals. Note + 1 for thisv. +diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp +--- a/js/src/jsscript.cpp ++++ b/js/src/jsscript.cpp +@@ -3894,16 +3894,22 @@ JSScript::hasLoops() + JSTryNote* tnlimit = tn + trynotes()->length; + for (; tn < tnlimit; tn++) { + if (tn->kind == JSTRY_FOR_IN || tn->kind == JSTRY_LOOP) + return true; + } + return false; + } + ++bool ++JSScript::mayReadFrameArgsDirectly() ++{ ++ return argumentsHasVarBinding() || (function_ && function_->hasRest()); ++} ++ + static inline void + LazyScriptHash(uint32_t lineno, uint32_t column, uint32_t begin, uint32_t end, + HashNumber hashes[3]) + { + HashNumber hash = lineno; + hash = RotateLeft(hash, 4) ^ column; + hash = RotateLeft(hash, 4) ^ begin; + hash = RotateLeft(hash, 4) ^ end; +diff --git a/js/src/jsscript.h b/js/src/jsscript.h +--- a/js/src/jsscript.h ++++ b/js/src/jsscript.h +@@ -1397,16 +1397,20 @@ class JSScript : public js::gc::TenuredC + } + inline void setFunction(JSFunction* fun); + /* + * De-lazifies the canonical function. Must be called before entering code + * that expects the function to be non-lazy. + */ + inline void ensureNonLazyCanonicalFunction(JSContext* cx); + ++ // Returns true if the script may read formal arguments on the stack ++ // directly, via lazy arguments or a rest parameter. ++ bool mayReadFrameArgsDirectly(); ++ + JSFlatString* sourceData(JSContext* cx); + + static bool loadSource(JSContext* cx, js::ScriptSource* ss, bool* worked); + + void setSourceObject(JSObject* object); + JSObject* sourceObject() const { + return sourceObject_; + } + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch new file mode 100644 index 0000000000..b92bfa4f4e --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch @@ -0,0 +1,33 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/debff255c08e +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234571 + +# HG changeset patch +# User Randell Jesup <rjesup@jesup.org> +# Date 1451928471 18000 +# Node ID debff255c08e898be370e307e1e014f5601c20c6 +# Parent f31d643afd4159b5422ae5aebcbbea0a088e018e +Bug 1234571 - unregister encoded-frame callback when releasing codec databases. r=pkerr, a=al + +diff --git a/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc b/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc +--- a/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc ++++ b/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc +@@ -71,16 +71,17 @@ VCMGenericEncoder::VCMGenericEncoder(Vid + VCMGenericEncoder::~VCMGenericEncoder() + { + } + + int32_t VCMGenericEncoder::Release() + { + _bitRate = 0; + _frameRate = 0; ++ _encoder.RegisterEncodeCompleteCallback(NULL); + _VCMencodedFrameCallback = NULL; + return _encoder.Release(); + } + + int32_t + VCMGenericEncoder::InitEncode(const VideoCodec* settings, + int32_t numberOfCores, + uint32_t maxPayloadSize) + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch new file mode 100644 index 0000000000..2e409d961c --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch @@ -0,0 +1,183 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/0f7224441f20 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234280 + +# HG changeset patch +# User Benjamin Bouvier <benj@benj.me> +# Date 1450947090 -3600 +# Node ID 0f7224441f2089001f7934b46ac10cb72d267606 +# Parent debff255c08e898be370e307e1e014f5601c20c6 +Bug 1234280: Handle oom in CodeGeneratorShared::allocateData; r=jandem, a=sledru + +diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp +--- a/js/src/jit/CodeGenerator.cpp ++++ b/js/src/jit/CodeGenerator.cpp +@@ -7902,17 +7902,19 @@ const VMFunction GetPropertyIC::UpdateIn + void + CodeGenerator::visitGetPropertyIC(OutOfLineUpdateCache* ool, DataPtr<GetPropertyIC>& ic) + { + LInstruction* lir = ool->lir(); + + if (ic->idempotent()) { + size_t numLocs; + CacheLocationList& cacheLocs = lir->mirRaw()->toGetPropertyCache()->location(); +- size_t locationBase = addCacheLocations(cacheLocs, &numLocs); ++ size_t locationBase; ++ if (!addCacheLocations(cacheLocs, &numLocs, &locationBase)) ++ return; + ic->setLocationInfo(locationBase, numLocs); + } + + saveLive(lir); + + pushArg(ic->object()); + pushArg(Imm32(ool->getCacheIndex())); + pushArg(ImmGCPtr(gen->info().script())); +diff --git a/js/src/jit/shared/CodeGenerator-shared.cpp b/js/src/jit/shared/CodeGenerator-shared.cpp +--- a/js/src/jit/shared/CodeGenerator-shared.cpp ++++ b/js/src/jit/shared/CodeGenerator-shared.cpp +@@ -1527,31 +1527,34 @@ CodeGeneratorShared::jumpToBlock(MBasicB + + masm.propagateOOM(patchableBackedges_.append(PatchableBackedgeInfo(backedge, mir->lir()->label(), oolEntry))); + } else { + masm.j(cond, mir->lir()->label()); + } + } + #endif + +-size_t +-CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs) ++MOZ_WARN_UNUSED_RESULT bool ++CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs, ++ size_t* curIndex) + { + size_t firstIndex = runtimeData_.length(); + size_t numLocations = 0; + for (CacheLocationList::iterator iter = locs.begin(); iter != locs.end(); iter++) { + // allocateData() ensures that sizeof(CacheLocation) is word-aligned. + // If this changes, we will need to pad to ensure alignment. +- size_t curIndex = allocateData(sizeof(CacheLocation)); +- new (&runtimeData_[curIndex]) CacheLocation(iter->pc, iter->script); ++ if (!allocateData(sizeof(CacheLocation), curIndex)) ++ return false; ++ new (&runtimeData_[*curIndex]) CacheLocation(iter->pc, iter->script); + numLocations++; + } + MOZ_ASSERT(numLocations != 0); + *numLocs = numLocations; +- return firstIndex; ++ *curIndex = firstIndex; ++ return true; + } + + ReciprocalMulConstants + CodeGeneratorShared::computeDivisionConstants(int d) { + // In what follows, d is positive and is not a power of 2. + MOZ_ASSERT(d > 0 && (d & (d - 1)) != 0); + + // Speeding up division by non power-of-2 constants is possible by +diff --git a/js/src/jit/shared/CodeGenerator-shared.h b/js/src/jit/shared/CodeGenerator-shared.h +--- a/js/src/jit/shared/CodeGenerator-shared.h ++++ b/js/src/jit/shared/CodeGenerator-shared.h +@@ -3,16 +3,17 @@ + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + + #ifndef jit_shared_CodeGenerator_shared_h + #define jit_shared_CodeGenerator_shared_h + + #include "mozilla/Alignment.h" ++#include "mozilla/TypeTraits.h" + + #include "jit/JitFrames.h" + #include "jit/LIR.h" + #include "jit/MacroAssembler.h" + #include "jit/MIRGenerator.h" + #include "jit/MIRGraph.h" + #include "jit/OptimizationTracking.h" + #include "jit/Safepoints.h" +@@ -242,24 +243,16 @@ class CodeGeneratorShared : public LElem + return SlotToStackOffset(a->toStackSlot()->slot()); + } + + uint32_t frameSize() const { + return frameClass_ == FrameSizeClass::None() ? frameDepth_ : frameClass_.frameSize(); + } + + protected: +- // Ensure the cache is an IonCache while expecting the size of the derived +- // class. We only need the cache list at GC time. Everyone else can just take +- // runtimeData offsets. +- size_t allocateCache(const IonCache&, size_t size) { +- size_t dataOffset = allocateData(size); +- masm.propagateOOM(cacheList_.append(dataOffset)); +- return dataOffset; +- } + + #ifdef CHECK_OSIPOINT_REGISTERS + void resetOsiPointRegs(LSafepoint* safepoint); + bool shouldVerifyOsiPointRegs(LSafepoint* safepoint); + void verifyOsiPointRegs(LSafepoint* safepoint); + #endif + + bool addNativeToBytecodeEntry(const BytecodeSite* site); +@@ -295,27 +288,33 @@ class CodeGeneratorShared : public LElem + return lookup(); + } + T * operator*() { + return lookup(); + } + }; + + protected: +- +- size_t allocateData(size_t size) { ++ MOZ_WARN_UNUSED_RESULT ++ bool allocateData(size_t size, size_t* offset) { + MOZ_ASSERT(size % sizeof(void*) == 0); +- size_t dataOffset = runtimeData_.length(); ++ *offset = runtimeData_.length(); + masm.propagateOOM(runtimeData_.appendN(0, size)); +- return dataOffset; ++ return !masm.oom(); + } + ++ // Ensure the cache is an IonCache while expecting the size of the derived ++ // class. We only need the cache list at GC time. Everyone else can just take ++ // runtimeData offsets. + template <typename T> + inline size_t allocateCache(const T& cache) { +- size_t index = allocateCache(cache, sizeof(mozilla::AlignedStorage2<T>)); ++ static_assert(mozilla::IsBaseOf<IonCache, T>::value, "T must inherit from IonCache"); ++ size_t index; ++ masm.propagateOOM(allocateData(sizeof(mozilla::AlignedStorage2<T>), &index)); ++ masm.propagateOOM(cacheList_.append(index)); + if (masm.oom()) + return SIZE_MAX; + // Use the copy constructor on the allocated space. + MOZ_ASSERT(index == cacheList_.back()); + new (&runtimeData_[index]) T(cache); + return index; + } + +@@ -475,17 +474,17 @@ class CodeGeneratorShared : public LElem + + void callVM(const VMFunction& f, LInstruction* ins, const Register* dynStack = nullptr); + + template <class ArgSeq, class StoreOutputTo> + inline OutOfLineCode* oolCallVM(const VMFunction& fun, LInstruction* ins, const ArgSeq& args, + const StoreOutputTo& out); + + void addCache(LInstruction* lir, size_t cacheIndex); +- size_t addCacheLocations(const CacheLocationList& locs, size_t* numLocs); ++ bool addCacheLocations(const CacheLocationList& locs, size_t* numLocs, size_t* offset); + ReciprocalMulConstants computeDivisionConstants(int d); + + protected: + void addOutOfLineCode(OutOfLineCode* code, const MInstruction* mir); + void addOutOfLineCode(OutOfLineCode* code, const BytecodeSite* site); + bool hasOutOfLineCode() { return !outOfLineCode_.empty(); } + bool generateOutOfLineCode(); + + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch new file mode 100644 index 0000000000..7861e24c89 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch @@ -0,0 +1,91 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8c184c30caa6 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668 + +# HG changeset patch +# User L. David Baron <dbaron@dbaron.org> +# Date 1452248144 -39600 +# Node ID 8c184c30caa6d16f5ec63cce9a77d16f25d2e57e +# Parent 0f7224441f2089001f7934b46ac10cb72d267606 +Bug 1230668 - Don't use frame when not in composed document. r=heycam a=sylvestre + +diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp +--- a/layout/style/nsComputedDOMStyle.cpp ++++ b/layout/style/nsComputedDOMStyle.cpp +@@ -421,26 +421,31 @@ nsComputedDOMStyle::GetStyleContextForEl + { + MOZ_ASSERT(aElement, "NULL element"); + // If the content has a pres shell, we must use it. Otherwise we'd + // potentially mix rule trees by using the wrong pres shell's style + // set. Using the pres shell from the content also means that any + // content that's actually *in* a document will get the style from the + // correct document. + nsIPresShell *presShell = GetPresShellForContent(aElement); ++ bool inDocWithShell = true; + if (!presShell) { ++ inDocWithShell = false; + presShell = aPresShell; + if (!presShell) + return nullptr; + } + +- // XXX the !aElement->IsHTML(nsGkAtoms::area)
+- // check is needed due to bug 135040 (to avoid using
++ // XXX the !aElement->IsHTML(nsGkAtoms::area) ++ // check is needed due to bug 135040 (to avoid using + // mPrimaryFrame). Remove it once that's fixed. +- if (!aPseudo && aStyleType == eAll && !aElement->IsHTML(nsGkAtoms::area)) { ++ if (!aPseudo && aStyleType == eAll && inDocWithShell && ++ !aElement->IsHTML(nsGkAtoms::area)) { ++ if (!aPseudo && aStyleType == eAll && inDocWithShell && ++ !aElement->IsHTMLElement(nsGkAtoms::area)) { + nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement); + if (frame) { + nsStyleContext* result = frame->StyleContext(); + // Don't use the style context if it was influenced by + // pseudo-elements, since then it's not the primary style + // for this element. + if (!result->HasPseudoElementData()) { + // this function returns an addrefed style context +@@ -468,17 +473,18 @@ nsComputedDOMStyle::GetStyleContextForEl + + nsRefPtr<nsStyleContext> sc; + if (aPseudo) { + nsCSSPseudoElements::Type type = nsCSSPseudoElements::GetPseudoType(aPseudo); + if (type >= nsCSSPseudoElements::ePseudo_PseudoElementCount) { + return nullptr; + } + nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement); +- Element* pseudoElement = frame ? frame->GetPseudoElement(type) : nullptr; ++ Element* pseudoElement = ++ frame && inDocWithShell ? frame->GetPseudoElement(type) : nullptr; + sc = styleSet->ResolvePseudoElementStyle(aElement, type, parentContext, + pseudoElement); + } else { + sc = styleSet->ResolveStyleFor(aElement, parentContext); + } + + if (aStyleType == eDefaultOnly) { + // We really only want the user and UA rules. Filter out the other ones. +@@ -592,18 +598,18 @@ nsComputedDOMStyle::UpdateCurrentStyleSo + mFlushedPendingReflows = aNeedsLayoutFlush; + #endif + + mPresShell = document->GetShell(); + if (!mPresShell || !mPresShell->GetPresContext()) { + return; + } + +- // XXX the !mContent->IsHTML(nsGkAtoms::area)
+- // check is needed due to bug 135040 (to avoid using
++ // XXX the !mContent->IsHTML(nsGkAtoms::area) ++ // check is needed due to bug 135040 (to avoid using + // mPrimaryFrame). Remove it once that's fixed. + if (!mPseudo && mStyleType == eAll && !mContent->IsHTML(nsGkAtoms::area)) { + mOuterFrame = mContent->GetPrimaryFrame(); + mInnerFrame = mOuterFrame; + if (mOuterFrame) { + nsIAtom* type = mOuterFrame->GetType(); + if (type == nsGkAtoms::tableOuterFrame) { + // If the frame is an outer table frame then we should get the style + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch new file mode 100644 index 0000000000..0e5825becf --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch @@ -0,0 +1,34 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fceff80a84a3 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668 + +# HG changeset patch +# User Wes Kocher <wkocher@mozilla.com> +# Date 1452542163 28800 +# Node ID fceff80a84a32b68d02abc00486fe6c7b86d545b +# Parent 8c184c30caa6d16f5ec63cce9a77d16f25d2e57e +Fix up some rebase errors in bug 1230668 r=me a=bustage + +diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp +--- a/layout/style/nsComputedDOMStyle.cpp ++++ b/layout/style/nsComputedDOMStyle.cpp +@@ -434,18 +434,16 @@ nsComputedDOMStyle::GetStyleContextForEl + return nullptr; + } + + // XXX the !aElement->IsHTML(nsGkAtoms::area) + // check is needed due to bug 135040 (to avoid using + // mPrimaryFrame). Remove it once that's fixed. + if (!aPseudo && aStyleType == eAll && inDocWithShell && + !aElement->IsHTML(nsGkAtoms::area)) { +- if (!aPseudo && aStyleType == eAll && inDocWithShell && +- !aElement->IsHTMLElement(nsGkAtoms::area)) { + nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement); + if (frame) { + nsStyleContext* result = frame->StyleContext(); + // Don't use the style context if it was influenced by + // pseudo-elements, since then it's not the primary style + // for this element. + if (!result->HasPseudoElementData()) { + // this function returns an addrefed style context + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch new file mode 100644 index 0000000000..02c1af1775 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch @@ -0,0 +1,83 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/94a95291d095 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1224200 + +# HG changeset patch +# User Timothy Nikkel <tnikkel@gmail.com> +# Date 1453303652 -3600 +# Node ID 94a95291d0958439dbed5b7dc99fae59e1318592 +# Parent 999c13acb40e1113306c65925a7d96688339d945 +Bug 1224200 - Allow downscaler to get (and ignore) new input lines after it has finished producing all output lines. r=seth, a=lizzard + +diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp +--- a/image/src/Downscaler.cpp ++++ b/image/src/Downscaler.cpp +@@ -145,43 +145,44 @@ GetFilterOffsetAndLength(UniquePtr<skia: + aFilterLengthOut); + } + + void + Downscaler::CommitRow() + { + MOZ_ASSERT(mOutputBuffer, "Should have a current frame"); + MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input"); +- MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Past end of output"); + +- int32_t filterOffset = 0; +- int32_t filterLength = 0; +- GetFilterOffsetAndLength(mYFilter, mCurrentOutLine, +- &filterOffset, &filterLength); ++ if (mCurrentOutLine < mTargetSize.height) { ++ int32_t filterOffset = 0; ++ int32_t filterLength = 0; ++ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine, ++ &filterOffset, &filterLength); + +- int32_t inLineToRead = filterOffset + mLinesInBuffer; +- MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input"); +- if (mCurrentInLine == inLineToRead) { +- skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter, +- mWindow[mLinesInBuffer++], mHasAlpha, +- /* use_sse2 = */ true); +- } +- +- MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, +- "Writing past end of output"); +- +- while (mLinesInBuffer == filterLength) { +- DownscaleInputLine(); +- +- if (mCurrentOutLine == mTargetSize.height) { +- break; // We're done. ++ int32_t inLineToRead = filterOffset + mLinesInBuffer; ++ MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input"); ++ if (mCurrentInLine == inLineToRead) { ++ skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter, ++ mWindow[mLinesInBuffer++], mHasAlpha, ++ /* use_sse2 = */ true); + } + +- GetFilterOffsetAndLength(mYFilter, mCurrentOutLine, +- &filterOffset, &filterLength); ++ MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, ++ "Writing past end of output"); ++ ++ while (mLinesInBuffer == filterLength) { ++ DownscaleInputLine(); ++ ++ if (mCurrentOutLine == mTargetSize.height) { ++ break; // We're done. ++ } ++ ++ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine, ++ &filterOffset, &filterLength); ++ } + } + + mCurrentInLine += 1; + } + + bool + Downscaler::HasInvalidation() const + { + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch new file mode 100644 index 0000000000..9ebf18a5d3 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch @@ -0,0 +1,35 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/ee68c3dae5f6 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230483 + +# HG changeset patch +# User JW Wang <jwwang@mozilla.com> +# Date 1450698943 -28800 +# Node ID ee68c3dae5f639fdd439f69ef2f724067fce0ea6 +# Parent 762d015e1854c28c213293ac1e9b2ab51cf201f9 +Bug 1230483 - Part 2 - LoadFromSourceChildren() should be queued at most once in an event cycle. r=roc, a=lizzard + +diff --git a/dom/html/HTMLMediaElement.cpp b/dom/html/HTMLMediaElement.cpp +--- a/dom/html/HTMLMediaElement.cpp ++++ b/dom/html/HTMLMediaElement.cpp +@@ -4033,16 +4033,19 @@ void HTMLMediaElement::NotifyAddedSource + mNetworkState == nsIDOMHTMLMediaElement::NETWORK_EMPTY) + { + QueueSelectResourceTask(); + } + + // A load was paused in the resource selection algorithm, waiting for + // a new source child to be added, resume the resource selection algorithm. + if (mLoadWaitStatus == WAITING_FOR_SOURCE) { ++ // Rest the flag so we don't queue multiple LoadFromSourceTask() when ++ // multiple <source> are attached in an event loop. ++ mLoadWaitStatus = NOT_WAITING; + QueueLoadFromSourceTask(); + } + } + + nsIContent* HTMLMediaElement::GetNextSource() + { + nsCOMPtr<nsIDOMNode> thisDomNode = do_QueryObject(this); + + diff --git a/gnu/packages/patches/icecat-CVE-2016-1935.patch b/gnu/packages/patches/icecat-CVE-2016-1935.patch new file mode 100644 index 0000000000..a6db4b9b6a --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1935.patch @@ -0,0 +1,77 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f9aad6c0253a +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1220450 + +# HG changeset patch +# User Jeff Gilbert <jgilbert@mozilla.com> +# Date 1452570660 28800 +# Node ID f9aad6c0253a3b81699a3d7a05e78615dd814ea3 +# Parent c47640f24251b48c0bba9d2f0f6ee059eca58362 +Bug 1220450 - Clear length on cache OOM. r=kamidphish, a=ritu + +diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp +--- a/dom/canvas/WebGLContextBuffers.cpp ++++ b/dom/canvas/WebGLContextBuffers.cpp +@@ -185,16 +185,17 @@ WebGLContext::BufferData(GLenum target, + + if (error) { + GenerateWarning("bufferData generated error %s", ErrorName(error)); + return; + } + + boundBuffer->SetByteLength(size); + if (!boundBuffer->ElementArrayCacheBufferData(nullptr, size)) { ++ boundBuffer->SetByteLength(0); + return ErrorOutOfMemory("bufferData: out of memory"); + } + } + + void + WebGLContext::BufferData(GLenum target, + const dom::Nullable<dom::ArrayBuffer>& maybeData, + GLenum usage) +@@ -234,18 +235,20 @@ WebGLContext::BufferData(GLenum target, + GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage); + + if (error) { + GenerateWarning("bufferData generated error %s", ErrorName(error)); + return; + } + + boundBuffer->SetByteLength(data.Length()); +- if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) ++ if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) { ++ boundBuffer->SetByteLength(0); + return ErrorOutOfMemory("bufferData: out of memory"); ++ } + } + + void + WebGLContext::BufferData(GLenum target, const dom::ArrayBufferView& data, + GLenum usage) + { + if (IsContextLost()) + return; +@@ -274,18 +277,20 @@ WebGLContext::BufferData(GLenum target, + + GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage); + if (error) { + GenerateWarning("bufferData generated error %s", ErrorName(error)); + return; + } + + boundBuffer->SetByteLength(data.Length()); +- if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) ++ if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) { ++ boundBuffer->SetByteLength(0); + return ErrorOutOfMemory("bufferData: out of memory"); ++ } + } + + void + WebGLContext::BufferSubData(GLenum target, WebGLsizeiptr byteOffset, + const dom::Nullable<dom::ArrayBuffer>& maybeData) + { + if (IsContextLost()) + return; + diff --git a/gnu/packages/patches/icecat-bug-1146335-pt1.patch b/gnu/packages/patches/icecat-bug-1146335-pt1.patch new file mode 100644 index 0000000000..a41e638b2f --- /dev/null +++ b/gnu/packages/patches/icecat-bug-1146335-pt1.patch @@ -0,0 +1,141 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9d14787bd10e +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1146335 + +# HG changeset patch +# User Seth Fowler <mark.seth.fowler@gmail.com> +# Date 1428627143 25200 +# Node ID 9d14787bd10e6f3013263a2cae0bcc78bebde1db +# Parent aaf922ae679685acb5d2b8ffa5f0bf22f1e6987a +Bug 1146335 (Part 1) - Add assertions and fix style issues in image::Downscaler. r=tn a=lizzard + +diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp +--- a/image/src/Downscaler.cpp ++++ b/image/src/Downscaler.cpp +@@ -72,23 +72,25 @@ Downscaler::BeginFrame(const nsIntSize& + mOutputBuffer = aOutputBuffer; + mHasAlpha = aHasAlpha; + + ResetForNextProgressivePass(); + ReleaseWindow(); + + auto resizeMethod = skia::ImageOperations::RESIZE_LANCZOS3; + +- skia::resize::ComputeFilters(resizeMethod, mOriginalSize.width, +- mTargetSize.width, 0, +- mTargetSize.width, mXFilter.get()); ++ skia::resize::ComputeFilters(resizeMethod, ++ mOriginalSize.width, mTargetSize.width, ++ 0, mTargetSize.width, ++ mXFilter.get()); + +- skia::resize::ComputeFilters(resizeMethod, mOriginalSize.height, +- mTargetSize.height, 0, +- mTargetSize.height, mYFilter.get()); ++ skia::resize::ComputeFilters(resizeMethod, ++ mOriginalSize.height, mTargetSize.height, ++ 0, mTargetSize.height, ++ mYFilter.get()); + + // Allocate the buffer, which contains scanlines of the original image. + size_t bufferLen = mOriginalSize.width * sizeof(uint32_t); + mRowBuffer = MakeUnique<uint8_t[]>(bufferLen); + if (MOZ_UNLIKELY(!mRowBuffer)) { + return NS_ERROR_OUT_OF_MEMORY; + } + +@@ -126,39 +128,54 @@ void + Downscaler::ResetForNextProgressivePass() + { + mPrevInvalidatedLine = 0; + mCurrentOutLine = 0; + mCurrentInLine = 0; + mLinesInBuffer = 0; + } + ++static void ++GetFilterOffsetAndLength(UniquePtr<skia::ConvolutionFilter1D>& aFilter, ++ int32_t aOutputImagePosition, ++ int32_t* aFilterOffsetOut, ++ int32_t* aFilterLengthOut) ++{ ++ MOZ_ASSERT(aOutputImagePosition < aFilter->num_values()); ++ aFilter->FilterForValue(aOutputImagePosition, ++ aFilterOffsetOut, ++ aFilterLengthOut); ++} ++ + void + Downscaler::CommitRow() + { + MOZ_ASSERT(mOutputBuffer, "Should have a current frame"); + MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input"); + MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Past end of output"); + + int32_t filterOffset = 0; + int32_t filterLength = 0; +- mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength); ++ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine, ++ &filterOffset, &filterLength); + + int32_t inLineToRead = filterOffset + mLinesInBuffer; + MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input"); + if (mCurrentInLine == inLineToRead) { + skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter, + mWindow[mLinesInBuffer++], mHasAlpha, + /* use_sse2 = */ true); + } + + while (mLinesInBuffer == filterLength && + mCurrentOutLine < mTargetSize.height) { + DownscaleInputLine(); +- mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength); ++ ++ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine, ++ &filterOffset, &filterLength); + } + + mCurrentInLine += 1; + } + + bool + Downscaler::HasInvalidation() const + { +@@ -184,16 +201,17 @@ Downscaler::DownscaleInputLine() + { + typedef skia::ConvolutionFilter1D::Fixed FilterValue; + + MOZ_ASSERT(mOutputBuffer); + MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Writing past end of output"); + + int32_t filterOffset = 0; + int32_t filterLength = 0; ++ MOZ_ASSERT(mCurrentOutLine < mYFilter->num_values()); + auto filterValues = + mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength); + + uint8_t* outputLine = + &mOutputBuffer[mCurrentOutLine * mTargetSize.width * sizeof(uint32_t)]; + skia::ConvolveVertically(static_cast<const FilterValue*>(filterValues), + filterLength, mWindow.get(), mXFilter->num_values(), + outputLine, mHasAlpha, /* use_sse2 = */ true); +@@ -202,17 +220,18 @@ Downscaler::DownscaleInputLine() + + if (mCurrentOutLine == mTargetSize.height) { + // We're done. + return; + } + + int32_t newFilterOffset = 0; + int32_t newFilterLength = 0; +- mYFilter->FilterForValue(mCurrentOutLine, &newFilterOffset, &newFilterLength); ++ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine, ++ &newFilterOffset, &newFilterLength); + + int diff = newFilterOffset - filterOffset; + MOZ_ASSERT(diff >= 0, "Moving backwards in the filter?"); + + // Shift the buffer. We're just moving pointers here, so this is cheap. + mLinesInBuffer -= diff; + mLinesInBuffer = max(mLinesInBuffer, 0); + for (int32_t i = 0; i < mLinesInBuffer; ++i) { + diff --git a/gnu/packages/patches/icecat-bug-1146335-pt2.patch b/gnu/packages/patches/icecat-bug-1146335-pt2.patch new file mode 100644 index 0000000000..240e0cfc66 --- /dev/null +++ b/gnu/packages/patches/icecat-bug-1146335-pt2.patch @@ -0,0 +1,43 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8bfaa27698ca +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1146335 + +# HG changeset patch +# User Seth Fowler <mark.seth.fowler@gmail.com> +# Date 1428627143 25200 +# Node ID 8bfaa27698ca0720d5c9f3910ab7148b38db0625 +# Parent 9d14787bd10e6f3013263a2cae0bcc78bebde1db +Bug 1146335 (Part 2) - Fix an off-by-one error in image::Downscaler. r=tn a=lizzard + +diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp +--- a/image/src/Downscaler.cpp ++++ b/image/src/Downscaler.cpp +@@ -160,20 +160,26 @@ Downscaler::CommitRow() + int32_t inLineToRead = filterOffset + mLinesInBuffer; + MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input"); + if (mCurrentInLine == inLineToRead) { + skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter, + mWindow[mLinesInBuffer++], mHasAlpha, + /* use_sse2 = */ true); + } + +- while (mLinesInBuffer == filterLength && +- mCurrentOutLine < mTargetSize.height) { ++ MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, ++ "Writing past end of output"); ++ ++ while (mLinesInBuffer == filterLength) { + DownscaleInputLine(); + ++ if (mCurrentOutLine == mTargetSize.height) { ++ break; // We're done. ++ } ++ + GetFilterOffsetAndLength(mYFilter, mCurrentOutLine, + &filterOffset, &filterLength); + } + + mCurrentInLine += 1; + } + + bool + diff --git a/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch b/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch new file mode 100644 index 0000000000..5a3a934dba --- /dev/null +++ b/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch @@ -0,0 +1,73 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9632375c6aac + +# HG changeset patch +# User Jeff Gilbert <jdashg@gmail.com> +# Date 1453320785 28800 +# Node ID 9632375c6aacbf673b996b53231d70b91e480fb5 +# Parent ee68c3dae5f639fdd439f69ef2f724067fce0ea6 +Limit max buffers size for ANGLE. r=jrmuizel a=lizzard + +diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp +--- a/dom/canvas/WebGLContextBuffers.cpp ++++ b/dom/canvas/WebGLContextBuffers.cpp +@@ -164,16 +164,19 @@ WebGLContext::BufferData(GLenum target, + + if (!ValidateBufferUsageEnum(usage, "bufferData: usage")) + return; + + // careful: WebGLsizeiptr is always 64-bit, but GLsizeiptr is like intptr_t. + if (!CheckedInt<GLsizeiptr>(size).isValid()) + return ErrorOutOfMemory("bufferData: bad size"); + ++ if (gl->IsANGLE() && size > UINT32_MAX) ++ return ErrorOutOfMemory("bufferData: size too large"); ++ + WebGLBuffer* boundBuffer = bufferSlot.get(); + + if (!boundBuffer) + return ErrorInvalidOperation("bufferData: no buffer bound!"); + + UniquePtr<uint8_t> zeroBuffer((uint8_t*)moz_calloc(size, 1)); + if (!zeroBuffer) + return ErrorOutOfMemory("bufferData: out of memory"); +@@ -216,16 +219,19 @@ WebGLContext::BufferData(GLenum target, + const dom::ArrayBuffer& data = maybeData.Value(); + data.ComputeLengthAndData(); + + // Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr + // is like intptr_t. + if (!CheckedInt<GLsizeiptr>(data.Length()).isValid()) + return ErrorOutOfMemory("bufferData: bad size"); + ++ if (gl->IsANGLE() && data.Length() > UINT32_MAX) ++ return ErrorOutOfMemory("bufferData: size too large"); ++ + if (!ValidateBufferUsageEnum(usage, "bufferData: usage")) + return; + + WebGLBuffer* boundBuffer = bufferSlot.get(); + + if (!boundBuffer) + return ErrorInvalidOperation("bufferData: no buffer bound!"); + +@@ -267,16 +273,19 @@ WebGLContext::BufferData(GLenum target, + + data.ComputeLengthAndData(); + + // Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr + // is like intptr_t. + if (!CheckedInt<GLsizeiptr>(data.Length()).isValid()) + return ErrorOutOfMemory("bufferData: bad size"); + ++ if (gl->IsANGLE() && data.Length() > UINT32_MAX) ++ return ErrorOutOfMemory("bufferData: size too large"); ++ + InvalidateBufferFetching(); + MakeContextCurrent(); + + GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage); + if (error) { + GenerateWarning("bufferData generated error %s", ErrorName(error)); + return; + } + |