author | Mark H Weaver <mhw@netris.org> | 2016-10-12 09:28:14 -0400 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2016-10-12 09:28:14 -0400 |
commit | abcf4858cda9ded59671681ab9820b5358d8bb16 (patch) | |
tree | fd1b0a53affad3ad0eb9b3867a2c127228530973 /gnu/packages/patches | |
parent | 82adf4952ac1c03af3b41851ef4bbe1d2d6935a0 (diff) | |
parent | bfb48f4f33583f58392a05f1d6cbf559156293ed (diff) | |
download | guix-abcf4858cda9ded59671681ab9820b5358d8bb16.tar guix-abcf4858cda9ded59671681ab9820b5358d8bb16.tar.gz |
Merge branch 'master' into core-updates
Diffstat (limited to 'gnu/packages/patches')
34 files changed, 524 insertions, 1982 deletions
diff --git a/gnu/packages/patches/clx-remove-demo.patch b/gnu/packages/patches/clx-remove-demo.patch
new file mode 100644
index 0000000000..c5fffea0d0
--- /dev/null
+++ b/gnu/packages/patches/clx-remove-demo.patch
@@ -0,0 +1,27 @@
+--- a/clx.asd 2016-02-16 00:06:48.161596976 -0500
++++ b/clx.asd 2016-02-16 00:06:54.793774658 -0500
+@@ -79,24 +79,6 @@
+ (:file "xtest")
+ (:file "screensaver")
+ (:file "xinerama")))
+- (:module demo
+- :default-component-class example-source-file
+- :components
+- ((:file "bezier")
+- ;; KLUDGE: this requires "bezier" for proper operation,
+- ;; but we don't declare that dependency here, because
+- ;; asdf doesn't load example files anyway.
+- (:file "beziertest")
+- (:file "clclock")
+- (:file "clipboard")
+- (:file "clx-demos")
+- (:file "gl-test")
+- ;; FIXME: compiling this generates 30-odd spurious code
+- ;; deletion notes. Find out why, and either fix or
+- ;; workaround the problem.
+- (:file "mandel")
+- (:file "menu")
+- (:file "zoid")))
+ (:module test
+ :default-component-class example-source-file
+ :components
diff --git a/gnu/packages/patches/hdf-eos5-build-shared.patch b/gnu/packages/patches/hdf-eos5-build-shared.patch
new file mode 100644
index 0000000000..f4ae5c73e3
--- /dev/null
+++ b/gnu/packages/patches/hdf-eos5-build-shared.patch
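Review bot: clx-remove-demo.patch has no header saying why the `demo` module is dropped from `clx.asd` or whether the change went upstream, unlike the hdf-eos5 patches added in the same commit, which each open with a description. A patch that alters upstream source without a stated reason is hard to audit when the package is next updated. Add a line above `--- a/clx.asd` such as `Remove the demo module from the system definition: <reason>.`; the reason is not visible on this page and has to come from the packager.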
@@ -0,0 +1,31 @@
+Make shared library linking work.
+---
+ src/Makefile.in | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+diff --git a/src/Makefile.in b/src/Makefile.in
+index 86880e5..24efffe 100644
+--- a/src/Makefile.in
++++ b/src/Makefile.in
+@@ -72,7 +72,7 @@ LTCOMPILE = $(LIBTOOL) --mode=compile --tag=CC $(CC) $(DEFS) \
+ $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) $(CPPFLAGS) \
+ $(AM_CFLAGS) $(CFLAGS) -DH5_USE_16_API
+ CCLD = $(CC)
+-LINK = $(LIBTOOL) --mode=link --tag=CC $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
++LINK = HDF5_USE_SHLIB=yes $(LIBTOOL) --mode=link --tag=CC $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(AM_LDFLAGS) $(LDFLAGS) -o $@
+ SOURCES = $(libhe5_hdfeos_la_SOURCES)
+ DIST_SOURCES = $(libhe5_hdfeos_la_SOURCES)
+@@ -124,9 +124,6 @@ INSTALL_PROGRAM = @INSTALL_PROGRAM@
+ INSTALL_SCRIPT = @INSTALL_SCRIPT@
+ INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@
+
+-# Set LDFLAGS to allow the HDF-EOS library to use extern variables from
+-# HDF5
+-LDFLAGS = -Wl,-single_module
+ LIBOBJS = @LIBOBJS@
+ LIBS = @LIBS@
+ LIBTOOL = @LIBTOOL@
+--
+2.10.0
+
diff --git a/gnu/packages/patches/hdf-eos5-fix-szip.patch b/gnu/packages/patches/hdf-eos5-fix-szip.patch
new file mode 100644
index 0000000000..799f542ef3
--- /dev/null
+++ b/gnu/packages/patches/hdf-eos5-fix-szip.patch
@@ -0,0 +1,30 @@
+Ill-placed #endif causes missing symbol errors when compiling without
+szip. Reported to upstream maintainer.
+---
+ src/EHapi.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/EHapi.c b/src/EHapi.c
+index 46a9b5c..208f447 100755
+--- a/src/EHapi.c
++++ b/src/EHapi.c
+@@ -11379,6 +11379,7 @@ int HE5_szip_can_encode(void )
+ return(-1);
+ }
+
++#endif /* H5_HAVE_FILTER_SZIP */
+
+
+ /*----------------------------------------------------------------------------|
+@@ -11509,8 +11510,6 @@ HE5_EHHEisHE5(char *filename)
+ }
+ }
+
+-#endif /* H5_HAVE_FILTER_SZIP */
+-
+
+ #ifndef __cplusplus
+
+--
+2.10.0
+
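Review bot: hdf-eos5-build-shared.patch edits `src/Makefile.in`, which appears to be automake output (`LTCOMPILE`, `@LIBOBJS@` substitutions), so both the `HDF5_USE_SHLIB=yes` prefix on `LINK` and the removal of the hard-coded `LDFLAGS = -Wl,-single_module` would be lost if the build ever regenerates that file from `Makefile.am`; the hdf-eos5-remove-gctp.patch hunks, which also touch only `Makefile.in` files, have the same exposure. The header also gives neither the reason the environment variable is needed nor the upstream status, which the fix-szip and fortrantests patches do state. Suggested header lines: `HDF5_USE_SHLIB=yes is presumably read by the HDF5 compiler wrapper used as $(CC) (confirm).` and `Upstream status: <reported / not reported>.`, plus a note that the package must not re-run automake.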
diff --git a/gnu/packages/patches/hdf-eos5-fortrantests.patch b/gnu/packages/patches/hdf-eos5-fortrantests.patch
new file mode 100644
index 0000000000..7333056342
--- /dev/null
+++ b/gnu/packages/patches/hdf-eos5-fortrantests.patch
@@ -0,0 +1,156 @@
+Fix fortran line length/indentation issues in Fortran test programs.
+Reported to upstream maintainer.
+
+diff --git a/samples/he5_gd_writedataF_32.f b/samples/he5_gd_writedataF_32.f
+index 515edf9..9c86299 100755
+--- a/samples/he5_gd_writedataF_32.f
++++ b/samples/he5_gd_writedataF_32.f
+@@ -77,26 +77,26 @@ c ------------------------------
+
+ attr4 = "ABCDEFGH"
+ count(1) = 8
+- status = he5_gdwrattr(gdid,"GLOBAL_CHAR_ATTR",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_gdwrattr(gdid,"GLOBAL_CHAR_ATTR"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_gdwrattr(): ',status
+
+ attr4 = "111"
+ count(1) = 3
+- status = he5_gdwrgattr(gdid,"GLOBAL_CHAR_ATTR_1",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_gdwrgattr(gdid,"GLOBAL_CHAR_ATTR_1"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_gdwrgattr(): ',status
+
+ attr4 = "222222"
+ count(1) = 6
+- status = he5_ehwrglatt(gdfid,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_ehwrglatt(gdfid,"GLOBAL_CHAR_ATTR_2"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_ehwrglatt(): ',status
+
+ attr5 = "abcdefgh111111111111"
+ count(1) = 20
+- status = he5_gdwrlattr(gdid,"Vegetation","LocalAttribute_0",
+- 1 HE5T_NATIVE_CHAR,count,attr5)
++ status = he5_gdwrlattr(gdid,"Vegetation"
++ & ,"LocalAttribute_0",HE5T_NATIVE_CHAR,count,attr5)
+ write(*,*) 'Status returned by he5_gdwrlattr(): ',status
+
+ endif
+diff --git a/samples/he5_gd_writedataF_64.f b/samples/he5_gd_writedataF_64.f
+index eff04f5..62a7398 100755
+--- a/samples/he5_gd_writedataF_64.f
++++ b/samples/he5_gd_writedataF_64.f
+@@ -77,26 +77,26 @@ c ------------------------------
+
+ attr4 = "ABCDEFGH"
+ count(1) = 8
+- status = he5_gdwrattr(gdid,"GLOBAL_CHAR_ATTR",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_gdwrattr(gdid,"GLOBAL_CHAR_ATTR"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_gdwrattr(): ',status
+
+ attr4 = "111"
+ count(1) = 3
+- status = he5_gdwrgattr(gdid,"GLOBAL_CHAR_ATTR_1",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_gdwrgattr(gdid,"GLOBAL_CHAR_ATTR_1"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_gdwrgattr(): ',status
+
+ attr4 = "222222"
+ count(1) = 6
+- status = he5_ehwrglatt(gdfid,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_ehwrglatt(gdfid,"GLOBAL_CHAR_ATTR_2"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_ehwrglatt(): ',status
+
+ attr5 = "abcdefgh111111111111"
+ count(1) = 20
+- status = he5_gdwrlattr(gdid,"Vegetation","LocalAttribute_0",
+- 1 HE5T_NATIVE_CHAR,count,attr5)
++ status = he5_gdwrlattr(gdid,"Vegetation"
++ & ,"LocalAttribute_0",HE5T_NATIVE_CHAR,count,attr5)
+ write(*,*) 'Status returned by he5_gdwrlattr(): ',status
+
+ endif
+diff --git a/samples/he5_sw_writedataF_32.f b/samples/he5_sw_writedataF_32.f
+index 7abab9b..fedd49a 100755
+--- a/samples/he5_sw_writedataF_32.f
++++ b/samples/he5_sw_writedataF_32.f
+@@ -173,20 +173,21 @@ c Write Global Attribute
+ c ----------------------
+ attr4 = "ABCDEFGH"
+ count(1) = 8
+- status = he5_swwrattr(swid,"GLOBAL_CHAR_ATTR",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_swwrattr(swid,"GLOBAL_CHAR_ATTR"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_swwrattr(): ',status
+
+ attr4 = "111"
+ count(1) = 3
+- status = he5_swwrgattr(swid,"GLOBAL_CHAR_ATTR_1",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_swwrgattr(swid,"GLOBAL_CHAR_ATTR_1"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+ write(*,*) 'Status returned by he5_swwrgattr(): ',status
+
+ attr4 = "222222"
+ count(1) = 6
+- status = he5_ehwrglatt(swfid,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_ehwrglatt(swfid
++ & ,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR
++ & ,count,attr4)
+ write(*,*) 'Status returned by he5_ehwrglatt(): ',status
+
+ c Write Local Attribute
+diff --git a/samples/he5_sw_writedataF_64.f b/samples/he5_sw_writedataF_64.f
+index 79e34bd..e5d74cb 100755
+--- a/samples/he5_sw_writedataF_64.f
++++ b/samples/he5_sw_writedataF_64.f
+@@ -162,25 +162,27 @@ c Write Global Attribute
+ c ----------------------
+ attr4 = "ABCDEFGH"
+ count(1) = 8
+- status = he5_swwrattr(swid,"GLOBAL_CHAR_ATTR",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_swwrattr(swid,"GLOBAL_CHAR_ATTR"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+
+ attr4 = "111"
+ count(1) = 3
+- status = he5_swwrgattr(swid,"GLOBAL_CHAR_ATTR_1",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_swwrgattr(swid,"GLOBAL_CHAR_ATTR_1"
++ & ,HE5T_NATIVE_CHAR,count,attr4)
+
+ attr4 = "222222"
+ count(1) = 6
+- status = he5_ehwrglatt(swfid,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR,
+- 1 count,attr4)
++ status = he5_ehwrglatt(swfid
++ & ,"GLOBAL_CHAR_ATTR_2",HE5T_NATIVE_CHAR
++ & ,count,attr4)
+
+ c Write Local Attribute
+ c ---------------------
+ attr5 = "abababababababababab"
+ count(1) = 20
+- status = he5_swwrlattr(swid,"Density","LocalAttribute_0",
+- 1 HE5T_NATIVE_CHAR,count,attr5)
++ status = he5_swwrlattr(swid,"Density"
++ & ,"LocalAttribute_0",HE5T_NATIVE_CHAR,count
++ & ,attr5)
+
+
+ endif
+--
+2.10.0
+
diff --git a/gnu/packages/patches/hdf-eos5-remove-gctp.patch b/gnu/packages/patches/hdf-eos5-remove-gctp.patch
new file mode 100644
index 0000000000..3b78357129
--- /dev/null
+++ b/gnu/packages/patches/hdf-eos5-remove-gctp.patch
@@ -0,0 +1,55 @@
+Don't build/install/use bundled gctp code/headers.
+
+* cproj.h, proj.h: part of GCTP, therefore already present.
+* HE5_config.h, tutils.h: used for library building and testing.
+
+diff --git a/Makefile.in b/Makefile.in
+index f160d0d..367b537 100644
+--- a/Makefile.in
++++ b/Makefile.in
+@@ -206,7 +206,7 @@ LIBGCTP = $(top_builddir)/gctp/src/libGctp.la
+ @TESTDRIVERS_CONDITIONAL_TRUE@TESTDRIVERS = testdrivers
+ @INSTALL_INCLUDE_CONDITIONAL_FALSE@INCLUDE =
+ @INSTALL_INCLUDE_CONDITIONAL_TRUE@INCLUDE = include
+-SUBDIRS = gctp src $(INCLUDE) samples $(TESTDRIVERS)
++SUBDIRS = src $(INCLUDE) samples $(TESTDRIVERS)
+ all: all-recursive
+
+ .SUFFIXES:
+diff --git a/samples/Makefile.in b/samples/Makefile.in
+index 59331dd..64fda89 100644
+--- a/samples/Makefile.in
++++ b/samples/Makefile.in
+@@ -206,7 +206,6 @@ he5_gd_datainfo_SOURCES = he5_gd_datainfo.c
+ he5_gd_datainfo_OBJECTS = he5_gd_datainfo.$(OBJEXT)
+ he5_gd_datainfo_LDADD = $(LDADD)
+ am__DEPENDENCIES_1 = $(top_builddir)/src/libhe5_hdfeos.la
+-am__DEPENDENCIES_2 = $(top_builddir)/gctp/src/libGctp.la
+ he5_gd_datainfo_DEPENDENCIES = $(am__DEPENDENCIES_1) \
+ $(am__DEPENDENCIES_2)
+ he5_gd_defexternalfld_SOURCES = he5_gd_defexternalfld.c
+@@ -1093,7 +1092,7 @@ sharedstatedir = @sharedstatedir@
+ sysconfdir = @sysconfdir@
+ target_alias = @target_alias@
+ LIBHDFEOS5 = $(top_builddir)/src/libhe5_hdfeos.la
+-LIBGCTP = $(top_builddir)/gctp/src/libGctp.la
++LIBGCTP =
+
+ # Boilerplate definitions file
+
+diff --git a/include/Makefile.in b/include/Makefile.in
+index a572128..64dabb5 100644
+--- a/include/Makefile.in
++++ b/include/Makefile.in
+@@ -190,8 +190,7 @@ LIBGCTP = $(top_builddir)/gctp/src/libGctp.la
+ # Boilerplate include
+
+ # Headers to install
+-include_HEADERS = HE5_GctpFunc.h HE5_HdfEosDef.h HE5_config.h cproj.h ease.h \
+- isin.h proj.h tutils.h cfortHdf.h
++include_HEADERS = HE5_GctpFunc.h HE5_HdfEosDef.h ease.h isin.h cfortHdf.h
+
+ all: HE5_config.h
+ $(MAKE) $(AM_MAKEFLAGS) all-am
+--
+2.10.0
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
deleted file mode 100644
index 57bc45f3c2..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
+++ /dev/null
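Review bot: hdf-eos5-remove-gctp.patch leaves references to the bundled gctp build behind: in `samples/Makefile.in` the context line `he5_gd_datainfo_DEPENDENCIES = $(am__DEPENDENCIES_1) \ $(am__DEPENDENCIES_2)` still names the variable whose definition the hunk deletes, and the hunk headers show `LIBGCTP = $(top_builddir)/gctp/src/libGctp.la` still defined in `Makefile.in` and `include/Makefile.in`, while only the `samples` copy is set to `LIBGCTP =`. The undefined variable expands to nothing in make, so the visible case is probably harmless, but any rule outside these hunks that still links `$(LIBGCTP)` would either fail or pull in the bundled code. It is not visible here whether the package also deletes the `gctp` directory from the unpacked source; doing so would make accidental use of the bundled copy impossible, and the header could then say `The bundled gctp directory is removed from the source; these hunks only drop the build references.`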
@@ -1,62 +0,0 @@ - changeset: 312039:4290826b078c - user: Timothy Nikkel <tnikkel@gmail.com> - Date: Fri May 13 06:09:38 2016 +0200 - summary: Bug 1261230. r=mats, a=ritu - -diff -r 45a59425b498 -r 4290826b078c layout/generic/nsSubDocumentFrame.cpp ---- a/layout/generic/nsSubDocumentFrame.cpp Tue May 10 14:12:20 2016 +0200 -+++ b/layout/generic/nsSubDocumentFrame.cpp Fri May 13 06:09:38 2016 +0200 -@@ -132,6 +132,7 @@ - nsCOMPtr<nsIDocument> oldContainerDoc; - nsView* detachedViews = - frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc)); -+ frameloader->SetDetachedSubdocView(nullptr, nullptr); - if (detachedViews) { - if (oldContainerDoc == aContent->OwnerDoc()) { - // Restore stashed presentation. -@@ -142,7 +143,6 @@ - frameloader->Hide(); - } - } -- frameloader->SetDetachedSubdocView(nullptr, nullptr); - } - - nsContentUtils::AddScriptRunner(new AsyncFrameInit(this)); -@@ -936,13 +936,16 @@ - if (!mPresShell->IsDestroying()) { - mPresShell->FlushPendingNotifications(Flush_Frames); - } -+ -+ // Either the frame has been constructed by now, or it never will be, -+ // either way we want to clear the stashed views. -+ mFrameLoader->SetDetachedSubdocView(nullptr, nullptr); -+ - nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame()); - if ((!frame && mHideViewerIfFrameless) || - mPresShell->IsDestroying()) { - // Either the frame element has no nsIFrame or the presshell is being -- // destroyed. Hide the nsFrameLoader, which destroys the presentation, -- // and clear our references to the stashed presentation. -- mFrameLoader->SetDetachedSubdocView(nullptr, nullptr); -+ // destroyed. Hide the nsFrameLoader, which destroys the presentation. - mFrameLoader->Hide(); - } - return NS_OK; -@@ -968,7 +971,7 @@ - // Detach the subdocument's views and stash them in the frame loader. - // We can then reattach them if we're being reframed (for example if - // the frame has been made position:fixed). 
-- nsFrameLoader* frameloader = FrameLoader(); -+ RefPtr<nsFrameLoader> frameloader = FrameLoader(); - if (frameloader) { - nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild()); - frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc()); -@@ -977,7 +980,7 @@ - // safely determine whether the frame is being reframed or destroyed. - nsContentUtils::AddScriptRunner( - new nsHideViewer(mContent, -- mFrameLoader, -+ frameloader, - PresContext()->PresShell(), - (mDidCreateDoc || mCallingShow))); - } diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch deleted file mode 100644 index 843e2eb244..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch +++ /dev/null @@ -1,29 +0,0 @@ - changeset: 312044:09418166fd77 - user: Jon Coppeard <jcoppeard@mozilla.com> - Date: Wed May 11 10:14:45 2016 +0100 - summary: Bug 1264575 - Add missing pre-barrier in Ion r=jandem a=ritu - -diff -r 9cc65cca1f71 -r 09418166fd77 js/src/jit-test/tests/self-hosting/bug1264575.js ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/js/src/jit-test/tests/self-hosting/bug1264575.js Wed May 11 10:14:45 2016 +0100 -@@ -0,0 +1,7 @@ -+function f(x, [y]) {} -+f(0, []); -+// jsfunfuzz-generated -+let i = 0; -+for (var z of [0, 0, 0]) { -+ verifyprebarriers(); -+} -diff -r 9cc65cca1f71 -r 09418166fd77 js/src/jit/MCallOptimize.cpp ---- a/js/src/jit/MCallOptimize.cpp Mon May 16 15:11:24 2016 -0400 -+++ b/js/src/jit/MCallOptimize.cpp Wed May 11 10:14:45 2016 +0100 -@@ -2263,7 +2263,8 @@ - - callInfo.setImplicitlyUsedUnchecked(); - -- MStoreFixedSlot* store = MStoreFixedSlot::New(alloc(), callInfo.getArg(0), slot, callInfo.getArg(2)); -+ MStoreFixedSlot* store = -+ MStoreFixedSlot::NewBarriered(alloc(), callInfo.getArg(0), slot, callInfo.getArg(2)); - current->add(store); - current->push(store); - 
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch deleted file mode 100644 index fab003158c..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch +++ /dev/null @@ -1,18 +0,0 @@ - changeset: 312051:9ec3d076fbee - parents: 312049:e0a272d5e162 - user: Eric Faust <efaustbmo@gmail.com> - Date: Wed May 04 15:54:43 2016 -0700 - summary: Bug 1269729 - Handle another OOM case on ARM. (r=jolesen) a=ritu - -diff -r e0a272d5e162 -r 9ec3d076fbee js/src/jit/arm/CodeGenerator-arm.cpp ---- a/js/src/jit/arm/CodeGenerator-arm.cpp Tue May 17 08:26:37 2016 -0400 -+++ b/js/src/jit/arm/CodeGenerator-arm.cpp Wed May 04 15:54:43 2016 -0700 -@@ -1116,7 +1116,7 @@ - for (int32_t i = 0; i < cases; i++) { - CodeLabel cl; - masm.writeCodePointer(cl.dest()); -- ool->addCodeLabel(cl); -+ masm.propagateOOM(ool->addCodeLabel(cl)); - } - addOutOfLineCode(ool, mir); - } diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch deleted file mode 100644 index 0973203e0f..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch +++ /dev/null 
@@ -1,61 +0,0 @@ - changeset: 312055:b74f1ab939d2 - user: Olli Pettay <Olli.Pettay@helsinki.fi> - Date: Mon May 16 21:42:24 2016 +0300 - summary: Bug 1273202, make sure to not keep objects alive too long because of some useless event dispatching, r=jwatt a=ritu - -diff -r 072992bf176d -r b74f1ab939d2 dom/html/HTMLInputElement.cpp ---- a/dom/html/HTMLInputElement.cpp Sun May 15 17:03:06 2016 +0300 -+++ b/dom/html/HTMLInputElement.cpp Mon May 16 21:42:24 2016 +0300 -@@ -1168,7 +1168,7 @@ - mFileList->Disconnect(); - } - if (mNumberControlSpinnerIsSpinning) { -- StopNumberControlSpinnerSpin(); -+ StopNumberControlSpinnerSpin(eDisallowDispatchingEvents); - } - DestroyImageLoadingContent(); - FreeData(); -@@ -3721,7 +3721,7 @@ - } - - void --HTMLInputElement::StopNumberControlSpinnerSpin() -+HTMLInputElement::StopNumberControlSpinnerSpin(SpinnerStopState aState) - { - if (mNumberControlSpinnerIsSpinning) { - if (nsIPresShell::GetCapturingContent() == this) { -@@ -3732,11 +3732,16 @@ - - mNumberControlSpinnerIsSpinning = false; - -- FireChangeEventIfNeeded(); -+ if (aState == eAllowDispatchingEvents) { -+ FireChangeEventIfNeeded(); -+ } - - nsNumberControlFrame* numberControlFrame = - do_QueryFrame(GetPrimaryFrame()); - if (numberControlFrame) { -+ MOZ_ASSERT(aState == eAllowDispatchingEvents, -+ "Shouldn't have primary frame for the element when we're not " -+ "allowed to dispatch events to it anymore."); - numberControlFrame->SpinnerStateChanged(); - } - } -diff -r 072992bf176d -r b74f1ab939d2 dom/html/HTMLInputElement.h ---- a/dom/html/HTMLInputElement.h Sun May 15 17:03:06 2016 +0300 -+++ b/dom/html/HTMLInputElement.h Mon May 16 21:42:24 2016 +0300 -@@ -721,7 +721,12 @@ - HTMLInputElement* GetOwnerNumberControl(); - - void StartNumberControlSpinnerSpin(); -- void StopNumberControlSpinnerSpin(); -+ enum SpinnerStopState { -+ eAllowDispatchingEvents, -+ eDisallowDispatchingEvents -+ }; -+ void StopNumberControlSpinnerSpin(SpinnerStopState aState = -+ 
eAllowDispatchingEvents); - void StepNumberControlForUserEvent(int32_t aDirection); - - /** diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch deleted file mode 100644 index cd98d0b28b..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch +++ /dev/null 
@@ -1,266 +0,0 @@ - changeset: 312063:88bea96c802a - user: Andrea Marchesini <amarchesini@mozilla.com> - Date: Tue May 10 10:52:19 2016 +0200 - summary: Bug 1267130 - Improve the URL segment calculation, r=valentin a=ritu - -diff -r 28dcecced055 -r 88bea96c802a netwerk/base/nsStandardURL.cpp ---- a/netwerk/base/nsStandardURL.cpp Wed May 18 11:55:29 2016 +1200 -+++ b/netwerk/base/nsStandardURL.cpp Tue May 10 10:52:19 2016 +0200 -@@ -475,19 +475,28 @@ - } - - uint32_t --nsStandardURL::AppendSegmentToBuf(char *buf, uint32_t i, const char *str, URLSegment &seg, const nsCString *escapedStr, bool useEscaped) -+nsStandardURL::AppendSegmentToBuf(char *buf, uint32_t i, const char *str, -+ const URLSegment &segInput, URLSegment &segOutput, -+ const nsCString *escapedStr, -+ bool useEscaped, int32_t *diff) - { -- if (seg.mLen > 0) { -+ MOZ_ASSERT(segInput.mLen == segOutput.mLen); -+ -+ if (diff) *diff = 0; -+ -+ if (segInput.mLen > 0) { - if (useEscaped) { -- seg.mLen = escapedStr->Length(); -- memcpy(buf + i, escapedStr->get(), seg.mLen); -+ MOZ_ASSERT(diff); -+ segOutput.mLen = escapedStr->Length(); -+ *diff = segOutput.mLen - segInput.mLen; -+ memcpy(buf + i, escapedStr->get(), segOutput.mLen); -+ } else { -+ memcpy(buf + i, str + segInput.mPos, segInput.mLen); - } -- else -- memcpy(buf + i, str + seg.mPos, seg.mLen); -- seg.mPos = i; -- i += seg.mLen; -+ segOutput.mPos = i; -+ i += segOutput.mLen; - } else { -- seg.mPos = i; -+ segOutput.mPos = i; - } - return i; - } -@@ -598,6 +607,20 @@ - } - } - -+ // We must take a copy of every single segment because they are pointing to -+ // the |spec| while we are changing their value, in case we must use -+ // encoded strings. 
-+ URLSegment username(mUsername); -+ URLSegment password(mPassword); -+ URLSegment host(mHost); -+ URLSegment path(mPath); -+ URLSegment filepath(mFilepath); -+ URLSegment directory(mDirectory); -+ URLSegment basename(mBasename); -+ URLSegment extension(mExtension); -+ URLSegment query(mQuery); -+ URLSegment ref(mRef); -+ - // - // generate the normalized URL string - // -@@ -607,9 +630,10 @@ - char *buf; - mSpec.BeginWriting(buf); - uint32_t i = 0; -+ int32_t diff = 0; - - if (mScheme.mLen > 0) { -- i = AppendSegmentToBuf(buf, i, spec, mScheme); -+ i = AppendSegmentToBuf(buf, i, spec, mScheme, mScheme); - net_ToLowerCase(buf + mScheme.mPos, mScheme.mLen); - i = AppendToBuf(buf, i, "://", 3); - } -@@ -619,15 +643,22 @@ - - // append authority - if (mUsername.mLen > 0) { -- i = AppendSegmentToBuf(buf, i, spec, mUsername, &encUsername, useEncUsername); -- if (mPassword.mLen >= 0) { -+ i = AppendSegmentToBuf(buf, i, spec, username, mUsername, -+ &encUsername, useEncUsername, &diff); -+ ShiftFromPassword(diff); -+ if (password.mLen >= 0) { - buf[i++] = ':'; -- i = AppendSegmentToBuf(buf, i, spec, mPassword, &encPassword, useEncPassword); -+ i = AppendSegmentToBuf(buf, i, spec, password, mPassword, -+ &encPassword, useEncPassword, &diff); -+ ShiftFromHost(diff); - } - buf[i++] = '@'; - } -- if (mHost.mLen > 0) { -- i = AppendSegmentToBuf(buf, i, spec, mHost, &encHost, useEncHost); -+ if (host.mLen > 0) { -+ i = AppendSegmentToBuf(buf, i, spec, host, mHost, &encHost, useEncHost, -+ &diff); -+ ShiftFromPath(diff); -+ - net_ToLowerCase(buf + mHost.mPos, mHost.mLen); - MOZ_ASSERT(mPort >= -1, "Invalid negative mPort"); - if (mPort != -1 && mPort != mDefaultPort) { -@@ -652,21 +683,23 @@ - } - else { - uint32_t leadingSlash = 0; -- if (spec[mPath.mPos] != '/') { -+ if (spec[path.mPos] != '/') { - LOG(("adding leading slash to path\n")); - leadingSlash = 1; - buf[i++] = '/'; - // basename must exist, even if empty (bugs 113508, 429347) - if (mBasename.mLen == -1) { -- 
mBasename.mPos = i; -- mBasename.mLen = 0; -+ mBasename.mPos = basename.mPos = i; -+ mBasename.mLen = basename.mLen = 0; - } - } - - // record corrected (file)path starting position - mPath.mPos = mFilepath.mPos = i - leadingSlash; - -- i = AppendSegmentToBuf(buf, i, spec, mDirectory, &encDirectory, useEncDirectory); -+ i = AppendSegmentToBuf(buf, i, spec, directory, mDirectory, -+ &encDirectory, useEncDirectory, &diff); -+ ShiftFromBasename(diff); - - // the directory must end with a '/' - if (buf[i-1] != '/') { -@@ -674,7 +707,9 @@ - mDirectory.mLen++; - } - -- i = AppendSegmentToBuf(buf, i, spec, mBasename, &encBasename, useEncBasename); -+ i = AppendSegmentToBuf(buf, i, spec, basename, mBasename, -+ &encBasename, useEncBasename, &diff); -+ ShiftFromExtension(diff); - - // make corrections to directory segment if leadingSlash - if (leadingSlash) { -@@ -687,18 +722,24 @@ - - if (mExtension.mLen >= 0) { - buf[i++] = '.'; -- i = AppendSegmentToBuf(buf, i, spec, mExtension, &encExtension, useEncExtension); -+ i = AppendSegmentToBuf(buf, i, spec, extension, mExtension, -+ &encExtension, useEncExtension, &diff); -+ ShiftFromQuery(diff); - } - // calculate corrected filepath length - mFilepath.mLen = i - mFilepath.mPos; - - if (mQuery.mLen >= 0) { - buf[i++] = '?'; -- i = AppendSegmentToBuf(buf, i, spec, mQuery, &encQuery, useEncQuery); -+ i = AppendSegmentToBuf(buf, i, spec, query, mQuery, -+ &encQuery, useEncQuery, -+ &diff); -+ ShiftFromRef(diff); - } - if (mRef.mLen >= 0) { - buf[i++] = '#'; -- i = AppendSegmentToBuf(buf, i, spec, mRef, &encRef, useEncRef); -+ i = AppendSegmentToBuf(buf, i, spec, ref, mRef, &encRef, useEncRef, -+ &diff); - } - // calculate corrected path length - mPath.mLen = i - mPath.mPos; -@@ -953,6 +994,39 @@ - #undef GOT_PREF - } - -+#define SHIFT_FROM(name, what) \ -+void \ -+nsStandardURL::name(int32_t diff) \ -+{ \ -+ if (!diff) return; \ -+ if (what.mLen >= 0) { \ -+ CheckedInt<int32_t> pos = what.mPos; \ -+ pos += diff; \ -+ 
MOZ_ASSERT(pos.isValid()); \ -+ what.mPos = pos.value(); \ -+ } -+ -+#define SHIFT_FROM_NEXT(name, what, next) \ -+ SHIFT_FROM(name, what) \ -+ next(diff); \ -+} -+ -+#define SHIFT_FROM_LAST(name, what) \ -+ SHIFT_FROM(name, what) \ -+} -+ -+SHIFT_FROM_NEXT(ShiftFromAuthority, mAuthority, ShiftFromUsername) -+SHIFT_FROM_NEXT(ShiftFromUsername, mUsername, ShiftFromPassword) -+SHIFT_FROM_NEXT(ShiftFromPassword, mPassword, ShiftFromHost) -+SHIFT_FROM_NEXT(ShiftFromHost, mHost, ShiftFromPath) -+SHIFT_FROM_NEXT(ShiftFromPath, mPath, ShiftFromFilepath) -+SHIFT_FROM_NEXT(ShiftFromFilepath, mFilepath, ShiftFromDirectory) -+SHIFT_FROM_NEXT(ShiftFromDirectory, mDirectory, ShiftFromBasename) -+SHIFT_FROM_NEXT(ShiftFromBasename, mBasename, ShiftFromExtension) -+SHIFT_FROM_NEXT(ShiftFromExtension, mExtension, ShiftFromQuery) -+SHIFT_FROM_NEXT(ShiftFromQuery, mQuery, ShiftFromRef) -+SHIFT_FROM_LAST(ShiftFromRef, mRef) -+ - //---------------------------------------------------------------------------- - // nsStandardURL::nsISupports - //---------------------------------------------------------------------------- -diff -r 28dcecced055 -r 88bea96c802a netwerk/base/nsStandardURL.h ---- a/netwerk/base/nsStandardURL.h Wed May 18 11:55:29 2016 +1200 -+++ b/netwerk/base/nsStandardURL.h Tue May 10 10:52:19 2016 +0200 -@@ -77,6 +77,7 @@ - - URLSegment() : mPos(0), mLen(-1) {} - URLSegment(uint32_t pos, int32_t len) : mPos(pos), mLen(len) {} -+ URLSegment(const URLSegment& aCopy) : mPos(aCopy.mPos), mLen(aCopy.mLen) {} - void Reset() { mPos = 0; mLen = -1; } - // Merge another segment following this one to it if they're contiguous - // Assumes we have something like "foo;bar" where this object is 'foo' and right -@@ -177,7 +178,10 @@ - bool NormalizeIDN(const nsCSubstring &host, nsCString &result); - void CoalescePath(netCoalesceFlags coalesceFlag, char *path); - -- uint32_t AppendSegmentToBuf(char *, uint32_t, const char *, URLSegment &, const nsCString *esc=nullptr, bool useEsc = false); 
-+ uint32_t AppendSegmentToBuf(char *, uint32_t, const char *, -+ const URLSegment &input, URLSegment &output, -+ const nsCString *esc=nullptr, -+ bool useEsc = false, int32_t* diff = nullptr); - uint32_t AppendToBuf(char *, uint32_t, const char *, uint32_t); - - nsresult BuildNormalizedSpec(const char *spec); -@@ -216,17 +220,17 @@ - const nsDependentCSubstring Ref() { return Segment(mRef); } - - // shift the URLSegments to the right by diff -- void ShiftFromAuthority(int32_t diff) { mAuthority.mPos += diff; ShiftFromUsername(diff); } -- void ShiftFromUsername(int32_t diff) { mUsername.mPos += diff; ShiftFromPassword(diff); } -- void ShiftFromPassword(int32_t diff) { mPassword.mPos += diff; ShiftFromHost(diff); } -- void ShiftFromHost(int32_t diff) { mHost.mPos += diff; ShiftFromPath(diff); } -- void ShiftFromPath(int32_t diff) { mPath.mPos += diff; ShiftFromFilepath(diff); } -- void ShiftFromFilepath(int32_t diff) { mFilepath.mPos += diff; ShiftFromDirectory(diff); } -- void ShiftFromDirectory(int32_t diff) { mDirectory.mPos += diff; ShiftFromBasename(diff); } -- void ShiftFromBasename(int32_t diff) { mBasename.mPos += diff; ShiftFromExtension(diff); } -- void ShiftFromExtension(int32_t diff) { mExtension.mPos += diff; ShiftFromQuery(diff); } -- void ShiftFromQuery(int32_t diff) { mQuery.mPos += diff; ShiftFromRef(diff); } -- void ShiftFromRef(int32_t diff) { mRef.mPos += diff; } -+ void ShiftFromAuthority(int32_t diff); -+ void ShiftFromUsername(int32_t diff); -+ void ShiftFromPassword(int32_t diff); -+ void ShiftFromHost(int32_t diff); -+ void ShiftFromPath(int32_t diff); -+ void ShiftFromFilepath(int32_t diff); -+ void ShiftFromDirectory(int32_t diff); -+ void ShiftFromBasename(int32_t diff); -+ void ShiftFromExtension(int32_t diff); -+ void ShiftFromQuery(int32_t diff); -+ void ShiftFromRef(int32_t diff); - - // fastload helper functions - nsresult ReadSegment(nsIBinaryInputStream *, URLSegment &); 
diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch deleted file mode 100644 index 143b02fa58..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch +++ /dev/null @@ -1,17 +0,0 @@ - changeset: 312067:380ddd689680 - user: Timothy Nikkel <tnikkel@gmail.com> - Date: Tue May 10 22:58:26 2016 -0500 - summary: Bug 1261752. Part 1. r=mats a=ritu - -diff -r 02df988a56ae -r 380ddd689680 view/nsViewManager.cpp ---- a/view/nsViewManager.cpp Thu May 26 10:06:15 2016 -0700 -+++ b/view/nsViewManager.cpp Tue May 10 22:58:26 2016 -0500 -@@ -416,7 +416,7 @@ - if (aWidget->NeedsPaint()) { - // If an ancestor widget was hidden and then shown, we could - // have a delayed resize to handle. -- for (nsViewManager *vm = this; vm; -+ for (RefPtr<nsViewManager> vm = this; vm; - vm = vm->mRootView->GetParent() - ? vm->mRootView->GetParent()->GetViewManager() - : nullptr) { diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch deleted file mode 100644 index 23c509d6c1..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch +++ /dev/null 
@@ -1,33 +0,0 @@ - changeset: 312068:73cc9a2d8fc1 - user: Timothy Nikkel <tnikkel@gmail.com> - Date: Tue May 10 22:58:47 2016 -0500 - summary: Bug 1261752. Part 2. r=mats a=ritu - -diff -r 380ddd689680 -r 73cc9a2d8fc1 view/nsViewManager.cpp ---- a/view/nsViewManager.cpp Tue May 10 22:58:26 2016 -0500 -+++ b/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500 -@@ -372,7 +372,7 @@ - } - } - if (rootShell->GetViewManager() != this) { -- return; // 'this' might have been destroyed -+ return; // presentation might have been torn down - } - if (aFlushDirtyRegion) { - nsAutoScriptBlocker scriptBlocker; -@@ -1069,6 +1069,7 @@ - if (mPresShell) { - mPresShell->GetPresContext()->RefreshDriver()->RevokeViewManagerFlush(); - -+ RefPtr<nsViewManager> strongThis(this); - CallWillPaintOnObservers(); - - ProcessPendingUpdatesForView(mRootView, true); -@@ -1085,6 +1086,7 @@ - - if (mHasPendingWidgetGeometryChanges) { - mHasPendingWidgetGeometryChanges = false; -+ RefPtr<nsViewManager> strongThis(this); - ProcessPendingUpdatesForView(mRootView, false); - } - } diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch deleted file mode 100644 index ee5e54e805..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch +++ /dev/null 
@@ -1,267 +0,0 @@ - changeset: 312069:3c2bd9158ad3 - user: Timothy Nikkel <tnikkel@gmail.com> - Date: Tue May 10 22:58:47 2016 -0500 - summary: Bug 1261752. Part 3. r=mats a=ritu - -diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 layout/forms/nsComboboxControlFrame.cpp ---- a/layout/forms/nsComboboxControlFrame.cpp Tue May 10 22:58:47 2016 -0500 -+++ b/layout/forms/nsComboboxControlFrame.cpp Tue May 10 22:58:47 2016 -0500 -@@ -1417,7 +1417,11 @@ - // The popup's visibility doesn't update until the minimize animation has - // finished, so call UpdateWidgetGeometry to update it right away. - nsViewManager* viewManager = mDropdownFrame->GetView()->GetViewManager(); -- viewManager->UpdateWidgetGeometry(); -+ viewManager->UpdateWidgetGeometry(); // might destroy us -+ } -+ -+ if (!weakFrame.IsAlive()) { -+ return consume; - } - - return consume; -diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 view/nsViewManager.cpp ---- a/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500 -+++ b/view/nsViewManager.cpp Tue May 10 22:58:47 2016 -0500 -@@ -670,15 +670,16 @@ - - void nsViewManager::WillPaintWindow(nsIWidget* aWidget) - { -- if (aWidget) { -- nsView* view = nsView::GetViewFor(aWidget); -- LayerManager *manager = aWidget->GetLayerManager(); -+ RefPtr<nsIWidget> widget(aWidget); -+ if (widget) { -+ nsView* view = nsView::GetViewFor(widget); -+ LayerManager* manager = widget->GetLayerManager(); - if (view && - (view->ForcedRepaint() || !manager->NeedsWidgetInvalidation())) { - ProcessPendingUpdates(); - // Re-get the view pointer here since the ProcessPendingUpdates might have - // destroyed it during CallWillPaintOnObservers. 
-- view = nsView::GetViewFor(aWidget); -+ view = nsView::GetViewFor(widget); - if (view) { - view->SetForcedRepaint(false); - } -diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/PuppetWidget.cpp ---- a/widget/PuppetWidget.cpp Tue May 10 22:58:47 2016 -0500 -+++ b/widget/PuppetWidget.cpp Tue May 10 22:58:47 2016 -0500 -@@ -823,6 +823,8 @@ - mDirtyRegion.SetEmpty(); - mPaintTask.Revoke(); - -+ RefPtr<PuppetWidget> strongThis(this); -+ - mAttachedWidgetListener->WillPaintWindow(this); - - if (mAttachedWidgetListener) { -diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/cocoa/nsChildView.mm ---- a/widget/cocoa/nsChildView.mm Tue May 10 22:58:47 2016 -0500 -+++ b/widget/cocoa/nsChildView.mm Tue May 10 22:58:47 2016 -0500 -@@ -3716,6 +3716,8 @@ - - - (void)viewWillDraw - { -+ nsAutoRetainCocoaObject kungFuDeathGrip(self); -+ - if (mGeckoChild) { - // The OS normally *will* draw our NSWindow, no matter what we do here. - // But Gecko can delete our parent widget(s) (along with mGeckoChild) -diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gonk/nsWindow.cpp ---- a/widget/gonk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 -+++ b/widget/gonk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 -@@ -196,7 +196,7 @@ - return; - } - -- nsWindow *targetWindow = (nsWindow *)sTopWindows[0]; -+ RefPtr<nsWindow> targetWindow = (nsWindow *)sTopWindows[0]; - while (targetWindow->GetLastChild()) - targetWindow = (nsWindow *)targetWindow->GetLastChild(); - -@@ -205,15 +205,15 @@ - listener->WillPaintWindow(targetWindow); - } - -- LayerManager* lm = targetWindow->GetLayerManager(); -- if (mozilla::layers::LayersBackend::LAYERS_CLIENT == lm->GetBackendType()) { -- // No need to do anything, the compositor will handle drawing -- } else { -- NS_RUNTIMEABORT("Unexpected layer manager type"); -- } -- - listener = targetWindow->GetWidgetListener(); - if (listener) { -+ LayerManager* lm = targetWindow->GetLayerManager(); -+ if (mozilla::layers::LayersBackend::LAYERS_CLIENT == lm->GetBackendType()) { -+ // No need to do 
anything, the compositor will handle drawing -+ } else { -+ NS_RUNTIMEABORT("Unexpected layer manager type"); -+ } -+ - listener->DidPaintWindow(); - } - } -diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gtk/nsWindow.cpp ---- a/widget/gtk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 -+++ b/widget/gtk/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 -@@ -469,6 +469,12 @@ - } - } - -+nsIWidgetListener* -+nsWindow::GetListener() -+{ -+ return mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener; -+} -+ - nsresult - nsWindow::DispatchEvent(WidgetGUIEvent* aEvent, nsEventStatus& aStatus) - { -@@ -481,8 +487,7 @@ - aEvent->refPoint.y = GdkCoordToDevicePixels(aEvent->refPoint.y); - - aStatus = nsEventStatus_eIgnore; -- nsIWidgetListener* listener = -- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener; -+ nsIWidgetListener* listener = GetListener(); - if (listener) { - aStatus = listener->HandleEvent(aEvent, mUseAttachedEvents); - } -@@ -2119,8 +2124,7 @@ - if (!mGdkWindow || mIsFullyObscured || !mHasMappedToplevel) - return FALSE; - -- nsIWidgetListener *listener = -- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener; -+ nsIWidgetListener *listener = GetListener(); - if (!listener) - return FALSE; - -@@ -2149,6 +2153,8 @@ - clientLayers->SendInvalidRegion(region); - } - -+ RefPtr<nsWindow> strongThis(this); -+ - // Dispatch WillPaintWindow notification to allow scripts etc. to run - // before we paint - { -@@ -2161,8 +2167,7 @@ - - // Re-get the listener since the will paint notification might have - // killed it. -- listener = -- mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener; -+ listener = GetListener(); - if (!listener) - return FALSE; - } -@@ -2223,6 +2228,13 @@ - // If this widget uses OMTC... - if (GetLayerManager()->GetBackendType() == LayersBackend::LAYERS_CLIENT) { - listener->PaintWindow(this, region); -+ -+ // Re-get the listener since the will paint notification might have -+ // killed it. 
-+ listener = GetListener(); -+ if (!listener) -+ return TRUE; -+ - listener->DidPaintWindow(); - return TRUE; - } -@@ -2307,6 +2319,13 @@ - if (GetLayerManager()->GetBackendType() == LayersBackend::LAYERS_BASIC) { - AutoLayerManagerSetup setupLayerManager(this, ctx, layerBuffering); - painted = listener->PaintWindow(this, region); -+ -+ // Re-get the listener since the will paint notification might have -+ // killed it. -+ listener = GetListener(); -+ if (!listener) -+ return TRUE; -+ - } - } - -diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/gtk/nsWindow.h ---- a/widget/gtk/nsWindow.h Tue May 10 22:58:47 2016 -0500 -+++ b/widget/gtk/nsWindow.h Tue May 10 22:58:47 2016 -0500 -@@ -359,6 +359,7 @@ - GdkWindow** aWindow, gint* aButton, - gint* aRootX, gint* aRootY); - void ClearCachedResources(); -+ nsIWidgetListener* GetListener(); - - GtkWidget *mShell; - MozContainer *mContainer; -diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/qt/nsWindow.cpp ---- a/widget/qt/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 -+++ b/widget/qt/nsWindow.cpp Tue May 10 22:58:47 2016 -0500 -@@ -857,18 +857,28 @@ - - // EVENTS - -+nsIWidgetListener* -+nsWindow::GetPaintListener() -+{ -+ return mAttachedWidgetListener ? mAttachedWidgetListener : mWidgetListener; -+} -+ - void - nsWindow::OnPaint() - { - LOGDRAW(("nsWindow::%s [%p]\n", __FUNCTION__, (void *)this)); -- nsIWidgetListener* listener = -- mAttachedWidgetListener ? 
mAttachedWidgetListener : mWidgetListener; -+ nsIWidgetListener* listener = GetPaintListener(); - if (!listener) { - return; - } - - listener->WillPaintWindow(this); - -+ nsIWidgetListener* listener = GetPaintListener(); -+ if (!listener) { -+ return; -+ } -+ - switch (GetLayerManager()->GetBackendType()) { - case mozilla::layers::LayersBackend::LAYERS_CLIENT: { - nsIntRegion region(nsIntRect(0, 0, mWidget->width(), mWidget->height())); -@@ -879,6 +889,11 @@ - NS_ERROR("Invalid layer manager"); - } - -+ nsIWidgetListener* listener = GetPaintListener(); -+ if (!listener) { -+ return; -+ } -+ - listener->DidPaintWindow(); - } - -diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/qt/nsWindow.h ---- a/widget/qt/nsWindow.h Tue May 10 22:58:47 2016 -0500 -+++ b/widget/qt/nsWindow.h Tue May 10 22:58:47 2016 -0500 -@@ -254,6 +254,7 @@ - bool needDispatch; - } MozCachedMoveEvent; - -+ nsIWidgetListener* GetPaintListener(); - bool CheckForRollup(double aMouseX, double aMouseY, bool aIsWheel); - void* SetupPluginPort(void); - nsresult SetWindowIconList(const nsTArray<nsCString> &aIconList); -diff -r 73cc9a2d8fc1 -r 3c2bd9158ad3 widget/windows/nsWindowGfx.cpp ---- a/widget/windows/nsWindowGfx.cpp Tue May 10 22:58:47 2016 -0500 -+++ b/widget/windows/nsWindowGfx.cpp Tue May 10 22:58:47 2016 -0500 -@@ -298,6 +298,8 @@ - clientLayerManager->SendInvalidRegion(region); - } - -+ RefPtr<nsWindow> strongThis(this); -+ - nsIWidgetListener* listener = GetPaintListener(); - if (listener) { - listener->WillPaintWindow(this); diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch deleted file mode 100644 index a72698cc0b..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch +++ /dev/null 
@@ -1,188 +0,0 @@ - changeset: 312075:ee870911fabb - user: Timothy Nikkel <tnikkel@gmail.com> - Date: Wed May 04 16:12:48 2016 -0500 - summary: Bug 1265577. r=mats, a=lizzard - -diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.cpp ---- a/dom/base/nsFrameLoader.cpp Thu May 26 17:07:49 2016 -0400 -+++ b/dom/base/nsFrameLoader.cpp Wed May 04 16:12:48 2016 -0500 -@@ -155,7 +155,7 @@ - nsFrameLoader::nsFrameLoader(Element* aOwner, bool aNetworkCreated) - : mOwnerContent(aOwner) - , mAppIdSentToPermissionManager(nsIScriptSecurityManager::NO_APP_ID) -- , mDetachedSubdocViews(nullptr) -+ , mDetachedSubdocFrame(nullptr) - , mIsPrerendered(false) - , mDepthTooGreat(false) - , mIsTopLevelContent(false) -@@ -2507,18 +2507,18 @@ - } - - void --nsFrameLoader::SetDetachedSubdocView(nsView* aDetachedViews, -- nsIDocument* aContainerDoc) -+nsFrameLoader::SetDetachedSubdocFrame(nsIFrame* aDetachedFrame, -+ nsIDocument* aContainerDoc) - { -- mDetachedSubdocViews = aDetachedViews; -+ mDetachedSubdocFrame = aDetachedFrame; - mContainerDocWhileDetached = aContainerDoc; - } - --nsView* --nsFrameLoader::GetDetachedSubdocView(nsIDocument** aContainerDoc) const -+nsIFrame* -+nsFrameLoader::GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const - { - NS_IF_ADDREF(*aContainerDoc = mContainerDocWhileDetached); -- return mDetachedSubdocViews; -+ return mDetachedSubdocFrame.GetFrame(); - } - - void -diff -r 751208d22b91 -r ee870911fabb dom/base/nsFrameLoader.h ---- a/dom/base/nsFrameLoader.h Thu May 26 17:07:49 2016 -0400 -+++ b/dom/base/nsFrameLoader.h Wed May 04 16:12:48 2016 -0500 -@@ -23,6 +23,7 @@ - #include "mozilla/Attributes.h" - #include "FrameMetrics.h" - #include "nsStubMutationObserver.h" -+#include "nsIFrame.h" - - class nsIURI; - class nsSubDocumentFrame; -@@ -197,23 +198,23 @@ - void SetRemoteBrowser(nsITabParent* aTabParent); - - /** -- * Stashes a detached view on the frame loader. We do this when we're -+ * Stashes a detached nsIFrame on the frame loader. 
We do this when we're - * destroying the nsSubDocumentFrame. If the nsSubdocumentFrame is -- * being reframed we'll restore the detached view when it's recreated, -+ * being reframed we'll restore the detached nsIFrame when it's recreated, - * otherwise we'll discard the old presentation and set the detached -- * subdoc view to null. aContainerDoc is the document containing the -+ * subdoc nsIFrame to null. aContainerDoc is the document containing the - * the subdoc frame. This enables us to detect when the containing - * document has changed during reframe, so we can discard the presentation - * in that case. - */ -- void SetDetachedSubdocView(nsView* aDetachedView, -- nsIDocument* aContainerDoc); -+ void SetDetachedSubdocFrame(nsIFrame* aDetachedFrame, -+ nsIDocument* aContainerDoc); - - /** -- * Retrieves the detached view and the document containing the view, -- * as set by SetDetachedSubdocView(). -+ * Retrieves the detached nsIFrame and the document containing the nsIFrame, -+ * as set by SetDetachedSubdocFrame(). - */ -- nsView* GetDetachedSubdocView(nsIDocument** aContainerDoc) const; -+ nsIFrame* GetDetachedSubdocFrame(nsIDocument** aContainerDoc) const; - - /** - * Applies a new set of sandbox flags. These are merged with the sandbox -@@ -326,12 +327,12 @@ - nsRefPtr<nsFrameMessageManager> mMessageManager; - nsCOMPtr<nsIInProcessContentFrameMessageManager> mChildMessageManager; - private: -- // Stores the root view of the subdocument while the subdocument is being -+ // Stores the root frame of the subdocument while the subdocument is being - // reframed. Used to restore the presentation after reframing. -- nsView* mDetachedSubdocViews; -+ nsWeakFrame mDetachedSubdocFrame; - // Stores the containing document of the frame corresponding to this - // frame loader. This is reference is kept valid while the subframe's -- // presentation is detached and stored in mDetachedSubdocViews. This -+ // presentation is detached and stored in mDetachedSubdocFrame. 
This - // enables us to detect whether the frame has moved documents during - // a reframe, so that we know not to restore the presentation. - nsCOMPtr<nsIDocument> mContainerDocWhileDetached; -diff -r 751208d22b91 -r ee870911fabb layout/generic/nsSubDocumentFrame.cpp ---- a/layout/generic/nsSubDocumentFrame.cpp Thu May 26 17:07:49 2016 -0400 -+++ b/layout/generic/nsSubDocumentFrame.cpp Wed May 04 16:12:48 2016 -0500 -@@ -130,13 +130,16 @@ - nsRefPtr<nsFrameLoader> frameloader = FrameLoader(); - if (frameloader) { - nsCOMPtr<nsIDocument> oldContainerDoc; -- nsView* detachedViews = -- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc)); -- frameloader->SetDetachedSubdocView(nullptr, nullptr); -- if (detachedViews) { -- if (oldContainerDoc == aContent->OwnerDoc()) { -+ nsIFrame* detachedFrame = -+ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc)); -+ frameloader->SetDetachedSubdocFrame(nullptr, nullptr); -+ MOZ_ASSERT(oldContainerDoc || !detachedFrame); -+ if (oldContainerDoc) { -+ nsView* detachedView = -+ detachedFrame ? detachedFrame->GetView() : nullptr; -+ if (detachedView && oldContainerDoc == aContent->OwnerDoc()) { - // Restore stashed presentation. -- ::InsertViewsInReverseOrder(detachedViews, mInnerView); -+ ::InsertViewsInReverseOrder(detachedView, mInnerView); - ::EndSwapDocShellsForViews(mInnerView->GetFirstChild()); - } else { - // Presentation is for a different document, don't restore it. -@@ -252,11 +255,12 @@ - nsRefPtr<nsFrameLoader> frameloader = FrameLoader(); - if (frameloader) { - nsCOMPtr<nsIDocument> oldContainerDoc; -- nsView* detachedViews = -- frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc)); -- if (detachedViews) { -- nsSize size = detachedViews->GetBounds().Size(); -- nsPresContext* presContext = detachedViews->GetFrame()->PresContext(); -+ nsIFrame* detachedFrame = -+ frameloader->GetDetachedSubdocFrame(getter_AddRefs(oldContainerDoc)); -+ nsView* view = detachedFrame ? 
detachedFrame->GetView() : nullptr; -+ if (view) { -+ nsSize size = view->GetBounds().Size(); -+ nsPresContext* presContext = detachedFrame->PresContext(); - return nsIntSize(presContext->AppUnitsToDevPixels(size.width), - presContext->AppUnitsToDevPixels(size.height)); - } -@@ -939,7 +943,7 @@ - - // Either the frame has been constructed by now, or it never will be, - // either way we want to clear the stashed views. -- mFrameLoader->SetDetachedSubdocView(nullptr, nullptr); -+ mFrameLoader->SetDetachedSubdocFrame(nullptr, nullptr); - - nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame()); - if ((!frame && mHideViewerIfFrameless) || -@@ -974,15 +978,25 @@ - RefPtr<nsFrameLoader> frameloader = FrameLoader(); - if (frameloader) { - nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild()); -- frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc()); - -- // We call nsFrameLoader::HideViewer() in a script runner so that we can -- // safely determine whether the frame is being reframed or destroyed. -- nsContentUtils::AddScriptRunner( -- new nsHideViewer(mContent, -- frameloader, -- PresContext()->PresShell(), -- (mDidCreateDoc || mCallingShow))); -+ if (detachedViews && detachedViews->GetFrame()) { -+ MOZ_ASSERT(mContent->OwnerDoc()); -+ frameloader->SetDetachedSubdocFrame( -+ detachedViews->GetFrame(), mContent->OwnerDoc()); -+ -+ // We call nsFrameLoader::HideViewer() in a script runner so that we can -+ // safely determine whether the frame is being reframed or destroyed. -+ nsContentUtils::AddScriptRunner( -+ new nsHideViewer(mContent, -+ frameloader, -+ PresContext()->PresShell(), -+ (mDidCreateDoc || mCallingShow))); -+ } else { -+ frameloader->SetDetachedSubdocFrame(nullptr, nullptr); -+ if (mDidCreateDoc || mCallingShow) { -+ frameloader->Hide(); -+ } -+ } - } - - nsLeafFrame::DestroyFrom(aDestructRoot); 
diff --git a/gnu/packages/patches/icecat-CVE-2016-2819.patch b/gnu/packages/patches/icecat-CVE-2016-2819.patch
deleted file mode 100644
index cbb833d43d..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2819.patch
+++ /dev/null
@@ -1,102 +0,0 @@ - changeset: 312054:072992bf176d - user: Henri Sivonen <hsivonen@hsivonen.fi> - Date: Sun May 15 17:03:06 2016 +0300 - summary: Bug 1270381. r=wchen. a=ritu - -diff -r d30748143c21 -r 072992bf176d parser/html/javasrc/TreeBuilder.java ---- a/parser/html/javasrc/TreeBuilder.java Mon May 09 18:05:32 2016 -0700 -+++ b/parser/html/javasrc/TreeBuilder.java Sun May 15 17:03:06 2016 +0300 -@@ -39,6 +39,11 @@ - import java.util.HashMap; - import java.util.Map; - -+import org.xml.sax.ErrorHandler; -+import org.xml.sax.Locator; -+import org.xml.sax.SAXException; -+import org.xml.sax.SAXParseException; -+ - import nu.validator.htmlparser.annotation.Auto; - import nu.validator.htmlparser.annotation.Const; - import nu.validator.htmlparser.annotation.IdType; -@@ -54,11 +59,6 @@ - import nu.validator.htmlparser.common.TokenHandler; - import nu.validator.htmlparser.common.XmlViolationPolicy; - --import org.xml.sax.ErrorHandler; --import org.xml.sax.Locator; --import org.xml.sax.SAXException; --import org.xml.sax.SAXParseException; -- - public abstract class TreeBuilder<T> implements TokenHandler, - TreeBuilderState<T> { - -@@ -1924,7 +1924,6 @@ - break starttagloop; - } - generateImpliedEndTags(); -- // XXX is the next if dead code? 
- if (errorHandler != null && !isCurrent("table")) { - errNoCheckUnclosedElementsOnStack(); - } -@@ -2183,11 +2182,11 @@ - pop(); - } - break; -- } else if (node.isSpecial() -+ } else if (eltPos == 0 || (node.isSpecial() - && (node.ns != "http://www.w3.org/1999/xhtml" -- || (node.name != "p" -- && node.name != "address" -- && node.name != "div"))) { -+ || (node.name != "p" -+ && node.name != "address" -+ && node.name != "div")))) { - break; - } - eltPos--; -@@ -3878,7 +3877,7 @@ - pop(); - } - break endtagloop; -- } else if (node.isSpecial()) { -+ } else if (eltPos == 0 || node.isSpecial()) { - errStrayEndTag(name); - break endtagloop; - } -@@ -4745,6 +4744,7 @@ - int furthestBlockPos = formattingEltStackPos + 1; - while (furthestBlockPos <= currentPtr) { - StackNode<T> node = stack[furthestBlockPos]; // weak ref -+ assert furthestBlockPos > 0: "How is formattingEltStackPos + 1 not > 0?"; - if (node.isSpecial()) { - break; - } -diff -r d30748143c21 -r 072992bf176d parser/html/nsHtml5TreeBuilder.cpp ---- a/parser/html/nsHtml5TreeBuilder.cpp Mon May 09 18:05:32 2016 -0700 -+++ b/parser/html/nsHtml5TreeBuilder.cpp Sun May 15 17:03:06 2016 +0300 -@@ -1102,7 +1102,7 @@ - pop(); - } - break; -- } else if (node->isSpecial() && (node->ns != kNameSpaceID_XHTML || (node->name != nsHtml5Atoms::p && node->name != nsHtml5Atoms::address && node->name != nsHtml5Atoms::div))) { -+ } else if (!eltPos || (node->isSpecial() && (node->ns != kNameSpaceID_XHTML || (node->name != nsHtml5Atoms::p && node->name != nsHtml5Atoms::address && node->name != nsHtml5Atoms::div)))) { - break; - } - eltPos--; -@@ -2749,7 +2749,7 @@ - pop(); - } - NS_HTML5_BREAK(endtagloop); -- } else if (node->isSpecial()) { -+ } else if (!eltPos || node->isSpecial()) { - errStrayEndTag(name); - NS_HTML5_BREAK(endtagloop); - } -@@ -3593,6 +3593,7 @@ - int32_t furthestBlockPos = formattingEltStackPos + 1; - while (furthestBlockPos <= currentPtr) { - nsHtml5StackNode* node = stack[furthestBlockPos]; -+ 
MOZ_ASSERT(furthestBlockPos > 0, "How is formattingEltStackPos + 1 not > 0?"); - if (node->isSpecial()) { - break; - } diff --git a/gnu/packages/patches/icecat-CVE-2016-2821.patch b/gnu/packages/patches/icecat-CVE-2016-2821.patch deleted file mode 100644 index 8255d60009..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2821.patch +++ /dev/null @@ -1,16 +0,0 @@ - changeset: 312045:7aea44059251 - user: Olli Pettay <Olli.Pettay@helsinki.fi> - Date: Fri May 13 20:10:22 2016 +0300 - summary: Bug 1271460, don't leak editor created element objects, r=ehsan a=ritu - -diff -r 09418166fd77 -r 7aea44059251 editor/libeditor/nsHTMLInlineTableEditor.cpp ---- a/editor/libeditor/nsHTMLInlineTableEditor.cpp Wed May 11 10:14:45 2016 +0100 -+++ b/editor/libeditor/nsHTMLInlineTableEditor.cpp Fri May 13 20:10:22 2016 +0300 -@@ -109,7 +109,6 @@ - - // get the root content node. - nsCOMPtr<nsIContent> bodyContent = GetRoot(); -- NS_ENSURE_TRUE(bodyContent, NS_ERROR_FAILURE); - - DeleteRefToAnonymousNode(mAddColumnBeforeButton, bodyContent, ps); - mAddColumnBeforeButton = nullptr; diff --git a/gnu/packages/patches/icecat-CVE-2016-2824.patch b/gnu/packages/patches/icecat-CVE-2016-2824.patch deleted file mode 100644 index 72772ed15f..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2824.patch +++ /dev/null 
@@ -1,85 +0,0 @@ - changeset: 312070:4b54feddf36c - user: JerryShih <hshih@mozilla.com> - Date: Wed May 25 16:27:41 2016 +0200 - summary: Bug 1248580 - strip the uploading element num according to the uniform array size. r=jgilbert a=ritu - -diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLContextValidate.cpp ---- a/dom/canvas/WebGLContextValidate.cpp Tue May 10 22:58:47 2016 -0500 -+++ b/dom/canvas/WebGLContextValidate.cpp Wed May 25 16:27:41 2016 +0200 -@@ -1531,9 +1531,10 @@ - if (!loc->ValidateArrayLength(setterElemSize, setterArraySize, this, funcName)) - return false; - -+ MOZ_ASSERT((size_t)loc->mActiveInfo->mElemCount > loc->mArrayIndex); -+ size_t uniformElemCount = loc->mActiveInfo->mElemCount - loc->mArrayIndex; - *out_rawLoc = loc->mLoc; -- *out_numElementsToUpload = std::min((size_t)loc->mActiveInfo->mElemCount, -- setterArraySize / setterElemSize); -+ *out_numElementsToUpload = std::min(uniformElemCount, setterArraySize / setterElemSize); - return true; - } - -diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLProgram.cpp ---- a/dom/canvas/WebGLProgram.cpp Tue May 10 22:58:47 2016 -0500 -+++ b/dom/canvas/WebGLProgram.cpp Wed May 25 16:27:41 2016 +0200 -@@ -510,8 +510,14 @@ - const NS_LossyConvertUTF16toASCII userName(userName_wide); - - nsDependentCString baseUserName; -- bool isArray; -- size_t arrayIndex; -+ bool isArray = false; -+ // GLES 2.0.25, Section 2.10, p35 -+ // If the the uniform location is an array, then the location of the first -+ // element of that array can be retrieved by either using the name of the -+ // uniform array, or the name of the uniform array appended with "[0]". -+ // The ParseName() can't recognize this rule. So always initialize -+ // arrayIndex with 0. 
-+ size_t arrayIndex = 0; - if (!ParseName(userName, &baseUserName, &isArray, &arrayIndex)) - return nullptr; - -@@ -536,7 +542,8 @@ - return nullptr; - - nsRefPtr<WebGLUniformLocation> locObj = new WebGLUniformLocation(mContext, LinkInfo(), -- loc, activeInfo); -+ loc, arrayIndex, -+ activeInfo); - return locObj.forget(); - } - -diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLUniformLocation.cpp ---- a/dom/canvas/WebGLUniformLocation.cpp Tue May 10 22:58:47 2016 -0500 -+++ b/dom/canvas/WebGLUniformLocation.cpp Wed May 25 16:27:41 2016 +0200 -@@ -16,10 +16,13 @@ - - WebGLUniformLocation::WebGLUniformLocation(WebGLContext* webgl, - const webgl::LinkedProgramInfo* linkInfo, -- GLuint loc, const WebGLActiveInfo* activeInfo) -+ GLuint loc, -+ size_t arrayIndex, -+ const WebGLActiveInfo* activeInfo) - : WebGLContextBoundObject(webgl) - , mLinkInfo(linkInfo) - , mLoc(loc) -+ , mArrayIndex(arrayIndex) - , mActiveInfo(activeInfo) - { } - -diff -r 3c2bd9158ad3 -r 4b54feddf36c dom/canvas/WebGLUniformLocation.h ---- a/dom/canvas/WebGLUniformLocation.h Tue May 10 22:58:47 2016 -0500 -+++ b/dom/canvas/WebGLUniformLocation.h Wed May 25 16:27:41 2016 +0200 -@@ -41,10 +41,11 @@ - - const WeakPtr<const webgl::LinkedProgramInfo> mLinkInfo; - const GLuint mLoc; -+ const size_t mArrayIndex; - const WebGLActiveInfo* const mActiveInfo; - - WebGLUniformLocation(WebGLContext* webgl, const webgl::LinkedProgramInfo* linkInfo, -- GLuint loc, const WebGLActiveInfo* activeInfo); -+ GLuint loc, size_t arrayIndex, const WebGLActiveInfo* activeInfo); - - bool ValidateForProgram(WebGLProgram* prog, WebGLContext* webgl, - const char* funcName) const; diff --git a/gnu/packages/patches/icecat-CVE-2016-2828.patch b/gnu/packages/patches/icecat-CVE-2016-2828.patch deleted file mode 100644 index 951eb4fc46..0000000000 --- a/gnu/packages/patches/icecat-CVE-2016-2828.patch +++ /dev/null 
@@ -1,185 +0,0 @@ - changeset: 312096:dc190bd03d24 - tag: FIREFOX_45_2_0esr_BUILD2 - tag: FIREFOX_45_2_0esr_RELEASE - user: Jeff Gilbert <jgilbert@mozilla.com> - Date: Thu Apr 14 13:50:04 2016 -0700 - summary: Bug 1224199 - Destroy SharedSurfaces before ~GLContext(). - r=jrmuizel a=lizzard - -diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLBlitHelper.cpp ---- a/gfx/gl/GLBlitHelper.cpp Mon Mar 07 11:51:12 2016 +0000 -+++ b/gfx/gl/GLBlitHelper.cpp Thu Apr 14 13:50:04 2016 -0700 -@@ -172,6 +172,9 @@ - - GLBlitHelper::~GLBlitHelper() - { -+ if (!mGL->MakeCurrent()) -+ return; -+ - DeleteTexBlitProgram(); - - GLuint tex[] = { -diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLContext.cpp ---- a/gfx/gl/GLContext.cpp Mon Mar 07 11:51:12 2016 +0000 -+++ b/gfx/gl/GLContext.cpp Thu Apr 14 13:50:04 2016 -0700 -@@ -2079,12 +2079,13 @@ - if (IsDestroyed()) - return; - -+ // Null these before they're naturally nulled after dtor, as we want GLContext to -+ // still be alive in *their* dtors. -+ mScreen = nullptr; -+ mBlitHelper = nullptr; -+ mReadTexImageHelper = nullptr; -+ - if (MakeCurrent()) { -- DestroyScreenBuffer(); -- -- mBlitHelper = nullptr; -- mReadTexImageHelper = nullptr; -- - mTexGarbageBin->GLContextTeardown(); - } else { - NS_WARNING("MakeCurrent() failed during MarkDestroyed! Skipping GL object teardown."); -@@ -2328,8 +2329,6 @@ - return false; - } - -- DestroyScreenBuffer(); -- - // This will rebind to 0 (Screen) if needed when - // it falls out of scope. 
- ScopedBindFramebuffer autoFB(this); -@@ -2349,12 +2348,6 @@ - } - - void --GLContext::DestroyScreenBuffer() --{ -- mScreen = nullptr; --} -- --void - GLContext::ForceDirtyScreen() - { - ScopedBindFramebuffer autoFB(0); -diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLContext.h ---- a/gfx/gl/GLContext.h Mon Mar 07 11:51:12 2016 +0000 -+++ b/gfx/gl/GLContext.h Thu Apr 14 13:50:04 2016 -0700 -@@ -3492,8 +3492,6 @@ - friend class GLScreenBuffer; - UniquePtr<GLScreenBuffer> mScreen; - -- void DestroyScreenBuffer(); -- - SharedSurface* mLockedSurface; - - public: -diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLReadTexImageHelper.cpp ---- a/gfx/gl/GLReadTexImageHelper.cpp Mon Mar 07 11:51:12 2016 +0000 -+++ b/gfx/gl/GLReadTexImageHelper.cpp Thu Apr 14 13:50:04 2016 -0700 -@@ -31,6 +31,9 @@ - - GLReadTexImageHelper::~GLReadTexImageHelper() - { -+ if (!mGL->MakeCurrent()) -+ return; -+ - mGL->fDeleteProgram(mPrograms[0]); - mGL->fDeleteProgram(mPrograms[1]); - mGL->fDeleteProgram(mPrograms[2]); -diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceANGLE.cpp ---- a/gfx/gl/SharedSurfaceANGLE.cpp Mon Mar 07 11:51:12 2016 +0000 -+++ b/gfx/gl/SharedSurfaceANGLE.cpp Thu Apr 14 13:50:04 2016 -0700 -@@ -120,8 +120,10 @@ - { - mEGL->fDestroySurface(Display(), mPBuffer); - -+ if (!mGL->MakeCurrent()) -+ return; -+ - if (mFence) { -- mGL->MakeCurrent(); - mGL->fDeleteFences(1, &mFence); - } - } -diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceEGL.cpp ---- a/gfx/gl/SharedSurfaceEGL.cpp Mon Mar 07 11:51:12 2016 +0000 -+++ b/gfx/gl/SharedSurfaceEGL.cpp Thu Apr 14 13:50:04 2016 -0700 -@@ -87,9 +87,12 @@ - { - mEGL->fDestroyImage(Display(), mImage); - -- mGL->MakeCurrent(); -- mGL->fDeleteTextures(1, &mProdTex); -- mProdTex = 0; -+ if (mSync) { -+ // We can't call this unless we have the ext, but we will always have -+ // the ext if we have something to destroy. 
-+ mEGL->fDestroySync(Display(), mSync); -+ mSync = 0; -+ } - - if (mConsTex) { - MOZ_ASSERT(mGarbageBin); -@@ -97,12 +100,11 @@ - mConsTex = 0; - } - -- if (mSync) { -- // We can't call this unless we have the ext, but we will always have -- // the ext if we have something to destroy. -- mEGL->fDestroySync(Display(), mSync); -- mSync = 0; -- } -+ if (!mGL->MakeCurrent()) -+ return; -+ -+ mGL->fDeleteTextures(1, &mProdTex); -+ mProdTex = 0; - } - - void -diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceGralloc.cpp ---- a/gfx/gl/SharedSurfaceGralloc.cpp Mon Mar 07 11:51:12 2016 +0000 -+++ b/gfx/gl/SharedSurfaceGralloc.cpp Thu Apr 14 13:50:04 2016 -0700 -@@ -154,7 +154,9 @@ - - DEBUG_PRINT("[SharedSurface_Gralloc %p] destroyed\n", this); - -- mGL->MakeCurrent(); -+ if (!mGL->MakeCurrent()) -+ return; -+ - mGL->fDeleteTextures(1, &mProdTex); - - if (mSync) { -diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceIO.cpp ---- a/gfx/gl/SharedSurfaceIO.cpp Mon Mar 07 11:51:12 2016 +0000 -+++ b/gfx/gl/SharedSurfaceIO.cpp Thu Apr 14 13:50:04 2016 -0700 -@@ -111,11 +111,10 @@ - - SharedSurface_IOSurface::~SharedSurface_IOSurface() - { -- if (mProdTex) { -- DebugOnly<bool> success = mGL->MakeCurrent(); -- MOZ_ASSERT(success); -- mGL->fDeleteTextures(1, &mProdTex); -- } -+ if (!mGL->MakeCurrent()) -+ return; -+ -+ mGL->fDeleteTextures(1, &mProdTex); - } - - //////////////////////////////////////////////////////////////////////// -diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/TextureGarbageBin.cpp ---- a/gfx/gl/TextureGarbageBin.cpp Mon Mar 07 11:51:12 2016 +0000 -+++ b/gfx/gl/TextureGarbageBin.cpp Thu Apr 14 13:50:04 2016 -0700 -@@ -36,6 +36,7 @@ - if (!mGL) - return; - -+ MOZ_RELEASE_ASSERT(mGL->IsCurrent()); - while (!mGarbageTextures.empty()) { - GLuint tex = mGarbageTextures.top(); - mGarbageTextures.pop(); 
diff --git a/gnu/packages/patches/icecat-CVE-2016-2831.patch b/gnu/packages/patches/icecat-CVE-2016-2831.patch
deleted file mode 100644
index b99ecb6458..0000000000
--- a/gnu/packages/patches/icecat-CVE-2016-2831.patch
+++ /dev/null
@@ -1,120 +0,0 @@ - changeset: 312091:a3fff31b8b70 - user: Xidorn Quan <quanxunzhen@gmail.com> - Date: Thu Apr 14 17:38:13 2016 +1000 - summary: Bug 1261933 - Continue unlocking pointer even if the widget has gone. r=smaug a=lizzard - - MozReview-Commit-ID: 1siQhemFf9O - -diff -r f5e862ea4a72 -r a3fff31b8b70 dom/base/nsDocument.cpp ---- a/dom/base/nsDocument.cpp Tue May 31 18:35:26 2016 -0700 -+++ b/dom/base/nsDocument.cpp Thu Apr 14 17:38:13 2016 +1000 -@@ -12315,49 +12315,37 @@ - bool - nsDocument::SetPointerLock(Element* aElement, int aCursorStyle) - { -- // NOTE: aElement will be nullptr when unlocking. -- nsCOMPtr<nsPIDOMWindow> window = GetWindow(); -- if (!window) { -- NS_WARNING("SetPointerLock(): No Window"); -- return false; -- } -- -- nsIDocShell *docShell = window->GetDocShell(); -- if (!docShell) { -- NS_WARNING("SetPointerLock(): No DocShell (window already closed?)"); -- return false; -- } -- -- nsRefPtr<nsPresContext> presContext; -- docShell->GetPresContext(getter_AddRefs(presContext)); -- if (!presContext) { -- NS_WARNING("SetPointerLock(): Unable to get presContext in \ -- domWindow->GetDocShell()->GetPresContext()"); -+ MOZ_ASSERT(!aElement || aElement->OwnerDoc() == this, -+ "We should be either unlocking pointer (aElement is nullptr), " -+ "or locking pointer to an element in this document"); -+#ifdef DEBUG -+ if (!aElement) { -+ nsCOMPtr<nsIDocument> pointerLockedDoc = -+ do_QueryReferent(EventStateManager::sPointerLockedDoc); -+ MOZ_ASSERT(pointerLockedDoc == this); -+ } -+#endif -+ -+ nsIPresShell* shell = GetShell(); -+ if (!shell) { -+ NS_WARNING("SetPointerLock(): No PresShell"); - return false; - } -- -- nsCOMPtr<nsIPresShell> shell = presContext->PresShell(); -- if (!shell) { -- NS_WARNING("SetPointerLock(): Unable to find presContext->PresShell()"); -- return false; -- } -- -- nsIFrame* rootFrame = shell->GetRootFrame(); -- if (!rootFrame) { -- NS_WARNING("SetPointerLock(): Unable to get root frame"); -+ nsPresContext* presContext = 
shell->GetPresContext(); -+ if (!presContext) { -+ NS_WARNING("SetPointerLock(): Unable to get PresContext"); - return false; - } - -- nsCOMPtr<nsIWidget> widget = rootFrame->GetNearestWidget(); -- if (!widget) { -- NS_WARNING("SetPointerLock(): Unable to find widget in \ -- shell->GetRootFrame()->GetNearestWidget();"); -- return false; -- } -- -- if (aElement && (aElement->OwnerDoc() != this)) { -- NS_WARNING("SetPointerLock(): Element not in this document."); -- return false; -+ nsCOMPtr<nsIWidget> widget; -+ nsIFrame* rootFrame = shell->GetRootFrame(); -+ if (!NS_WARN_IF(!rootFrame)) { -+ widget = rootFrame->GetNearestWidget(); -+ NS_WARN_IF_FALSE(widget, "SetPointerLock(): Unable to find widget " -+ "in shell->GetRootFrame()->GetNearestWidget();"); -+ if (aElement && !widget) { -+ return false; -+ } - } - - // Hide the cursor and set pointer lock for future mouse events -diff -r f5e862ea4a72 -r a3fff31b8b70 dom/events/EventStateManager.cpp ---- a/dom/events/EventStateManager.cpp Tue May 31 18:35:26 2016 -0700 -+++ b/dom/events/EventStateManager.cpp Thu Apr 14 17:38:13 2016 +1000 -@@ -4128,10 +4128,6 @@ - // NOTE: aElement will be nullptr when unlocking. - sIsPointerLocked = !!aElement; - -- if (!aWidget) { -- return; -- } -- - // Reset mouse wheel transaction - WheelTransaction::EndTransaction(); - -@@ -4140,6 +4136,8 @@ - do_GetService("@mozilla.org/widget/dragservice;1"); - - if (sIsPointerLocked) { -+ MOZ_ASSERT(aWidget, "Locking pointer requires a widget"); -+ - // Store the last known ref point so we can reposition the pointer after unlock. - mPreLockPoint = sLastRefPoint; - -@@ -4164,7 +4162,9 @@ - // pre-pointerlock position, so that the synthetic mouse event reports - // no movement. 
- sLastRefPoint = mPreLockPoint; -- aWidget->SynthesizeNativeMouseMove(mPreLockPoint + aWidget->WidgetToScreenOffset()); -+ if (aWidget) { -+ aWidget->SynthesizeNativeMouseMove(mPreLockPoint + aWidget->WidgetToScreenOffset()); -+ } - - // Don't retarget events to this element any more. - nsIPresShell::SetCapturingContent(nullptr, CAPTURE_POINTERLOCK); diff --git a/gnu/packages/patches/icecat-avoid-bundled-includes.patch b/gnu/packages/patches/icecat-avoid-bundled-includes.patch deleted file mode 100644 index d11b528b8e..0000000000 --- a/gnu/packages/patches/icecat-avoid-bundled-includes.patch +++ /dev/null @@ -1,35 +0,0 @@ -Do not use headers from bundled libraries. - ---- icecat-38.3.0/xpcom/build/moz.build.orig 2015-10-12 19:33:43.000000000 -0400 -+++ icecat-38.3.0/xpcom/build/moz.build 2015-10-13 16:37:28.693224858 -0400 -@@ -92,10 +92,5 @@ - '/docshell/base', - ] - --if CONFIG['MOZ_VPX']: -- LOCAL_INCLUDES += [ -- '/media/libvpx', -- ] -- - if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa': - CXXFLAGS += CONFIG['TK_CFLAGS'] ---- icecat-38.3.0/storage/src/moz.build.orig 2015-10-12 19:34:45.000000000 -0400 -+++ icecat-38.3.0/storage/src/moz.build 2015-10-13 18:48:26.584724518 -0400 -@@ -66,7 +66,6 @@ - DEFINES['SQLITE_MAX_LIKE_PATTERN_LENGTH'] = 50000 - - LOCAL_INCLUDES += [ -- '/db/sqlite3/src', - '/dom/base', - ] - ---- icecat-38.3.0/dom/indexedDB/moz.build.orig 2015-10-12 19:35:00.000000000 -0400 -+++ icecat-38.3.0/dom/indexedDB/moz.build 2015-10-13 19:10:10.528756487 -0400 -@@ -91,7 +91,6 @@ - FAIL_ON_WARNINGS = True - - LOCAL_INCLUDES += [ -- '/db/sqlite3/src', - '/dom/base', - '/dom/storage', - '/dom/workers', diff --git a/gnu/packages/patches/icecat-avoid-bundled-libraries.patch b/gnu/packages/patches/icecat-avoid-bundled-libraries.patch new file mode 100644 index 0000000000..267f7b8aac --- /dev/null +++ b/gnu/packages/patches/icecat-avoid-bundled-libraries.patch 
@@ -0,0 +1,50 @@
+Fixes needed when avoiding bundled libraries.
+
+--- icecat-45.3.0/xpcom/build/moz.build.orig
++++ icecat-45.3.0/xpcom/build/moz.build
+@@ -92,10 +92,5 @@
+ '/docshell/base',
+ ]
+
+-if CONFIG['MOZ_VPX']:
+- LOCAL_INCLUDES += [
+- '/media/libvpx',
+- ]
+-
+ if CONFIG['MOZ_WIDGET_TOOLKIT'] == 'cocoa':
+ CXXFLAGS += CONFIG['TK_CFLAGS']
+--- icecat-45.3.0/storage/moz.build.orig
++++ icecat-45.3.0/storage/moz.build
+@@ -108,7 +108,6 @@
+ DEFINES['SQLITE_MAX_LIKE_PATTERN_LENGTH'] = 50000
+
+ LOCAL_INCLUDES += [
+- '/db/sqlite3/src',
+ '/dom/base',
+ ]
+
+--- icecat-45.3.0/dom/indexedDB/moz.build.orig
++++ icecat-45.3.0/dom/indexedDB/moz.build
+@@ -96,7 +96,6 @@
+ SOURCES['Key.cpp'].flags += ['-Wno-error=type-limits']
+
+ LOCAL_INCLUDES += [
+- '/db/sqlite3/src',
+ '/dom/base',
+ '/dom/storage',
+ '/dom/workers',
+--- icecat-45.3.0/modules/libmar/tests/Makefile.in.orig
++++ icecat-45.3.0/modules/libmar/tests/Makefile.in
+@@ -10,12 +10,5 @@
+ ifndef MOZ_PROFILE_GENERATE
+ libs::
+ $(INSTALL) ../tool/signmar$(BIN_SUFFIX) $(TESTROOT)/unit
+- $(INSTALL) $(DEPTH)/dist/bin/$(DLL_PREFIX)nss3$(DLL_SUFFIX) $(TESTROOT)/unit
+-ifndef MOZ_FOLD_LIBS
+- $(INSTALL) $(DEPTH)/dist/bin/$(DLL_PREFIX)nssutil3$(DLL_SUFFIX) $(TESTROOT)/unit
+- $(INSTALL) $(DEPTH)/dist/bin/$(DLL_PREFIX)plc4$(DLL_SUFFIX) $(TESTROOT)/unit
+- $(INSTALL) $(DEPTH)/dist/bin/$(DLL_PREFIX)nspr4$(DLL_SUFFIX) $(TESTROOT)/unit
+- $(INSTALL) $(DEPTH)/dist/bin/$(DLL_PREFIX)plds4$(DLL_SUFFIX) $(TESTROOT)/unit
+-endif
+ endif
+ endif # Not Android
diff --git a/gnu/packages/patches/libupnp-CVE-2016-6255.patch b/gnu/packages/patches/libupnp-CVE-2016-6255.patch
new file mode 100644
index 0000000000..c9a3fa284c
--- /dev/null
+++ b/gnu/packages/patches/libupnp-CVE-2016-6255.patch
@@ -0,0 +1,50 @@
+Fix CVE-2016-6255:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6255
+http://www.openwall.com/lists/oss-security/2016/07/18/13
+
+Patch adapted from upstream commit:
+
+https://github.com/mrjimenez/pupnp/commit/d64d6a44906b5aa5306bdf1708531d698654dda5
+
+The upstream change is simplified to unconditionally disable the HTTP
+POST feature.
+
+From d64d6a44906b5aa5306bdf1708531d698654dda5 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett <mjg59@srcf.ucam.org>
+Date: Tue, 23 Feb 2016 13:53:20 -0800
+Subject: [PATCH] Don't allow unhandled POSTs to write to the filesystem by
+ default
+
+If there's no registered handler for a POST request, the default behaviour
+is to write it to the filesystem. Several million deployed devices appear
+to have this behaviour, making it possible to (at least) store arbitrary
+data on them. Add a configure option that enables this behaviour, and change
+the default to just drop POSTs that aren't directly handled.
+
+Signed-off-by: Marcelo Roberto Jimenez <mroberto@users.sourceforge.net>
+(cherry picked from commit c91a8a3903367e1163765b73eb4d43be7d7927fa)
+---
+ configure.ac | 9 +++++++++
+ upnp/inc/upnpconfig.h.in | 9 +++++++++
+ upnp/src/genlib/net/http/webserver.c | 4 ++++
+ 3 files changed, 22 insertions(+)
+
+diff --git a/upnp/src/genlib/net/http/webserver.c b/upnp/src/genlib/net/http/webserver.c
+index 26bf0f7..7ae8c1e 100644
+--- a/upnp/src/genlib/net/http/webserver.c
++++ b/upnp/src/genlib/net/http/webserver.c
+@@ -1367,9 +1367,13 @@ static int http_RecvPostMessage(
+ if (Fp == NULL)
+ return HTTP_INTERNAL_SERVER_ERROR;
+ } else {
++#if 0
+ Fp = fopen(filename, "wb");
+ if (Fp == NULL)
+ return HTTP_UNAUTHORIZED;
++#else
++ return HTTP_NOT_FOUND;
++#endif
+ }
+ parser->position = POS_ENTITY;
+ do {
diff --git a/gnu/packages/patches/qemu-CVE-2016-8576.patch b/gnu/packages/patches/qemu-CVE-2016-8576.patch
new file mode 100644
index 0000000000..5031b59d81
--- /dev/null
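Review bot: The `#if 0` that compiles out the `fopen(filename, "wb")` branch in `http_RecvPostMessage` carries no comment, so a later rebase of this patch could drop it without noticing that it is the CVE-2016-6255 fix. I would add `/* CVE-2016-6255: never write an unhandled POST body to the filesystem. */` directly above `#if 0`. The embedded upstream message and diffstat still describe a configure option and changes to `configure.ac` and `upnp/inc/upnpconfig.h.in` that this adapted patch does not carry; the note at the top of the file covers it, but trimming the diffstat would avoid confusion. `http_RecvPostMessage` starts and ends outside the hunk, so whether anything acquired earlier needs releasing before the new `return HTTP_NOT_FOUND;` cannot be checked from here.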
+++ b/gnu/packages/patches/qemu-CVE-2016-8576.patch
@@ -0,0 +1,62 @@
+From 20009bdaf95d10bf748fa69b104672d3cfaceddf Mon Sep 17 00:00:00 2001
+From: Gerd Hoffmann <kraxel@redhat.com>
+Date: Fri, 7 Oct 2016 10:15:29 +0200
+Subject: [PATCH] xhci: limit the number of link trbs we are willing to process
+
+Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
+---
+ hw/usb/hcd-xhci.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/hw/usb/hcd-xhci.c b/hw/usb/hcd-xhci.c
+index 726435c..ee4fa48 100644
+--- a/hw/usb/hcd-xhci.c
++++ b/hw/usb/hcd-xhci.c
+@@ -54,6 +54,8 @@
+ * to the specs when it gets them */
+ #define ER_FULL_HACK
+
++#define TRB_LINK_LIMIT 4
++
+ #define LEN_CAP 0x40
+ #define LEN_OPER (0x400 + 0x10 * MAXPORTS)
+ #define LEN_RUNTIME ((MAXINTRS + 1) * 0x20)
+@@ -1000,6 +1002,7 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ dma_addr_t *addr)
+ {
+ PCIDevice *pci_dev = PCI_DEVICE(xhci);
++ uint32_t link_cnt = 0;
+
+ while (1) {
+ TRBType type;
+@@ -1026,6 +1029,9 @@ static TRBType xhci_ring_fetch(XHCIState *xhci, XHCIRing *ring, XHCITRB *trb,
+ ring->dequeue += TRB_SIZE;
+ return type;
+ } else {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return 0;
++ }
+ ring->dequeue = xhci_mask64(trb->parameter);
+ if (trb->control & TRB_LK_TC) {
+ ring->ccs = !ring->ccs;
+@@ -1043,6 +1049,7 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ bool ccs = ring->ccs;
+ /* hack to bundle together the two/three TDs that make a setup transfer */
+ bool control_td_set = 0;
++ uint32_t link_cnt = 0;
+
+ while (1) {
+ TRBType type;
+@@ -1058,6 +1065,9 @@ static int xhci_ring_chain_length(XHCIState *xhci, const XHCIRing *ring)
+ type = TRB_TYPE(trb);
+
+ if (type == TR_LINK) {
++ if (++link_cnt > TRB_LINK_LIMIT) {
++ return -length;
++ }
+ dequeue = xhci_mask64(trb.parameter);
+ if (trb.control & TRB_LK_TC) {
+ ccs = !ccs;
+--
+1.8.3.1
+
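Review bot: `TRB_LINK_LIMIT` is introduced as a bare `4` with no comment on what it bounds or why four is enough, and the two places that enforce it fail differently: `xhci_ring_fetch` returns `0` while `xhci_ring_chain_length` returns `-length`. A comment above the define such as `/* Max link TRBs followed in one ring walk; keeps a guest-built ring of link TRBs from spinning the while (1) loops. */` would record the intent. It would also help to say at each `return` how callers tell the limit from an ordinary end of ring, since `-length` is `0` when no TRB has been counted yet (assuming `length` starts at zero, which the hunk does not show). Both functions begin and end outside the hunks shown.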
diff --git a/gnu/packages/patches/qemu-CVE-2016-8577.patch b/gnu/packages/patches/qemu-CVE-2016-8577.patch
new file mode 100644
index 0000000000..c4132d2fb1
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2016-8577.patch
@@ -0,0 +1,36 @@
+Subject: [Qemu-devel] [PATCH] 9pfs: fix potential host memory leak in v9fs_read
+From: Li Qiang <liq3ea@gmail.com>
+
+In 9pfs read dispatch function, it doesn't free two QEMUIOVector
+object thus causing potential memory leak. This patch avoid this.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+---
+ hw/9pfs/9p.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/hw/9pfs/9p.c b/hw/9pfs/9p.c
+index 119ee58..543a791 100644
+--- a/hw/9pfs/9p.c
++++ b/hw/9pfs/9p.c
+@@ -1826,14 +1826,15 @@ static void v9fs_read(void *opaque)
+ if (len < 0) {
+ /* IO error return the error */
+ err = len;
+- goto out;
++ goto out_free_iovec;
+ }
+ } while (count < max_count && len > 0);
+ err = pdu_marshal(pdu, offset, "d", count);
+ if (err < 0) {
+- goto out;
++ goto out_free_iovec;
+ }
+ err += offset + count;
++out_free_iovec:
+ qemu_iovec_destroy(&qiov);
+ qemu_iovec_destroy(&qiov_full);
+ } else if (fidp->fid_type == P9_FID_XATTR) {
+--
+1.8.3.1
+
diff --git a/gnu/packages/patches/qemu-CVE-2016-8578.patch b/gnu/packages/patches/qemu-CVE-2016-8578.patch
new file mode 100644
index 0000000000..92ba365727
--- /dev/null
+++ b/gnu/packages/patches/qemu-CVE-2016-8578.patch
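Review bot: Nothing inside this patch file names the CVE it fixes or links the upstream commit; only the file name `qemu-CVE-2016-8577.patch` does, whereas `libupnp-CVE-2016-6255.patch` in the same commit opens with a `Fix CVE-…:` line and reference URLs. I would add a first line `Fix CVE-2016-8577:` followed by the upstream reference (`<upstream-commit-URL>`), and do the same in `qemu-CVE-2016-8576.patch` and `qemu-CVE-2016-8578.patch`. In the code itself, `out_free_iovec:` sits inside the file-fid branch, which works for the two `goto`s shown because both are in that branch. `v9fs_read` continues outside the hunk, so any other exits from that branch cannot be checked here.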
@@ -0,0 +1,27 @@
+From: Li Qiang <liq3ea@gmail.com>
+
+In 9pfs function v9fs_iov_vunmarshal, it will not allocate space
+for empty string. This will cause several NULL pointer dereference
+issues. this patch fix this issue.
+
+Signed-off-by: Li Qiang <liq3ea@gmail.com>
+---
+ fsdev/9p-iov-marshal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fsdev/9p-iov-marshal.c b/fsdev/9p-iov-marshal.c
+index 663cad5..1d16f8d 100644
+--- a/fsdev/9p-iov-marshal.c
++++ b/fsdev/9p-iov-marshal.c
+@@ -125,7 +125,7 @@ ssize_t v9fs_iov_vunmarshal(struct iovec *out_sg, int out_num, size_t offset,
+ str->data = g_malloc(str->size + 1);
+ copied = v9fs_unpack(str->data, out_sg, out_num, offset,
+ str->size);
+- if (copied > 0) {
++ if (copied >= 0) {
+ str->data[str->size] = 0;
+ } else {
+ v9fs_string_free(str);
+--
+1.8.3.1
+
diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch
deleted file mode 100644
index 00e5b7c771..0000000000
--- a/gnu/packages/patches/wpa-supplicant-CVE-2015-5310.patch
+++ /dev/null
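Review bot: With `copied >= 0` the terminator is written at `str->data[str->size]` whenever `v9fs_unpack` does not fail, but `g_malloc` leaves the buffer uninitialised, so if `v9fs_unpack` can return a count smaller than `str->size` the bytes between `copied` and `str->size` would be undefined. Whether a short copy is possible is not visible in this hunk; if it is, allocating with `str->data = g_malloc0(str->size + 1);` would keep the string contents defined. `v9fs_iov_vunmarshal` starts and ends outside the hunk.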
@@ -1,32 +0,0 @@ -From 6b12d93d2c7428a34bfd4b3813ba339ed57b698a Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j@w1.fi> -Date: Sun, 25 Oct 2015 15:45:50 +0200 -Subject: [PATCH] WNM: Ignore Key Data in WNM Sleep Mode Response frame if no - PMF in use - -WNM Sleep Mode Response frame is used to update GTK/IGTK only if PMF is -enabled. Verify that PMF is in use before using this field on station -side to avoid accepting unauthenticated key updates. (CVE-2015-5310) - -Signed-off-by: Jouni Malinen <j@w1.fi> ---- - wpa_supplicant/wnm_sta.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c -index 954de67..7d79499 100644 ---- a/wpa_supplicant/wnm_sta.c -+++ b/wpa_supplicant/wnm_sta.c -@@ -187,6 +187,12 @@ static void wnm_sleep_mode_exit_success(struct wpa_supplicant *wpa_s, - end = ptr + key_len_total; - wpa_hexdump_key(MSG_DEBUG, "WNM: Key Data", ptr, key_len_total); - -+ if (key_len_total && !wpa_sm_pmf_enabled(wpa_s->wpa)) { -+ wpa_msg(wpa_s, MSG_INFO, -+ "WNM: Ignore Key Data in WNM-Sleep Mode Response - PMF not enabled"); -+ return; -+ } -+ - while (ptr + 1 < end) { - if (ptr + 2 + ptr[1] > end) { - wpa_printf(MSG_DEBUG, "WNM: Invalid Key Data element " diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch deleted file mode 100644 index bfc4c74e95..0000000000 --- a/gnu/packages/patches/wpa-supplicant-CVE-2015-5314.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From bef802ece03f9ae9d52a21f0cf4f1bc2c5a1f8aa Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j@w1.fi> -Date: Sun, 1 Nov 2015 18:24:16 +0200 -Subject: [PATCH] EAP-pwd server: Fix last fragment length validation - -All but the last fragment had their length checked against the remaining -room in the reassembly buffer. This allowed a suitably constructed last -fragment frame to try to add extra data that would go beyond the buffer. -The length validation code in wpabuf_put_data() prevents an actual -buffer write overflow from occurring, but this results in process -termination. (CVE-2015-5314) - -Signed-off-by: Jouni Malinen <j@w1.fi> ---- - src/eap_server/eap_server_pwd.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/src/eap_server/eap_server_pwd.c b/src/eap_server/eap_server_pwd.c -index cb83ff7..9f787ab 100644 ---- a/src/eap_server/eap_server_pwd.c -+++ b/src/eap_server/eap_server_pwd.c -@@ -970,7 +970,7 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, - /* - * the first and all intermediate fragments have the M bit set - */ -- if (EAP_PWD_GET_MORE_BIT(lm_exch)) { -+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) { - if ((data->in_frag_pos + len) > wpabuf_size(data->inbuf)) { - wpa_printf(MSG_DEBUG, "EAP-pwd: Buffer overflow " - "attack detected! 
(%d+%d > %d)", -@@ -981,6 +981,8 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, - } - wpabuf_put_data(data->inbuf, pos, len); - data->in_frag_pos += len; -+ } -+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) { - wpa_printf(MSG_DEBUG, "EAP-pwd: Got a %d byte fragment", - (int) len); - return; -@@ -990,8 +992,6 @@ static void eap_pwd_process(struct eap_sm *sm, void *priv, - * buffering fragments so that's how we know it's the last) - */ - if (data->in_frag_pos) { -- wpabuf_put_data(data->inbuf, pos, len); -- data->in_frag_pos += len; - pos = wpabuf_head_u8(data->inbuf); - len = data->in_frag_pos; - wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes", --- -1.9.1 - diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch deleted file mode 100644 index 82c26398b6..0000000000 --- a/gnu/packages/patches/wpa-supplicant-CVE-2015-5315.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -From 8057821706784608b828e769ccefbced95591e50 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j@w1.fi> -Date: Sun, 1 Nov 2015 18:18:17 +0200 -Subject: [PATCH] EAP-pwd peer: Fix last fragment length validation - -All but the last fragment had their length checked against the remaining -room in the reassembly buffer. This allowed a suitably constructed last -fragment frame to try to add extra data that would go beyond the buffer. -The length validation code in wpabuf_put_data() prevents an actual -buffer write overflow from occurring, but this results in process -termination. (CVE-2015-5315) - -Signed-off-by: Jouni Malinen <j@w1.fi> ---- - src/eap_peer/eap_pwd.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c -index 1f78544..75ceef1 100644 ---- a/src/eap_peer/eap_pwd.c -+++ b/src/eap_peer/eap_pwd.c -@@ -903,7 +903,7 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, - /* - * buffer and ACK the fragment - */ -- if (EAP_PWD_GET_MORE_BIT(lm_exch)) { -+ if (EAP_PWD_GET_MORE_BIT(lm_exch) || data->in_frag_pos) { - data->in_frag_pos += len; - if (data->in_frag_pos > wpabuf_size(data->inbuf)) { - wpa_printf(MSG_INFO, "EAP-pwd: Buffer overflow attack " -@@ -916,7 +916,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, - return NULL; - } - wpabuf_put_data(data->inbuf, pos, len); -- -+ } -+ if (EAP_PWD_GET_MORE_BIT(lm_exch)) { - resp = eap_msg_alloc(EAP_VENDOR_IETF, EAP_TYPE_PWD, - EAP_PWD_HDR_SIZE, - EAP_CODE_RESPONSE, eap_get_id(reqData)); -@@ -930,10 +931,8 @@ eap_pwd_process(struct eap_sm *sm, void *priv, struct eap_method_ret *ret, - * we're buffering and this is the last fragment - */ - if (data->in_frag_pos) { -- wpabuf_put_data(data->inbuf, pos, len); - wpa_printf(MSG_DEBUG, "EAP-pwd: Last fragment, %d bytes", - (int) len); -- data->in_frag_pos += len; - pos = wpabuf_head_u8(data->inbuf); - len = data->in_frag_pos; - } 
--- -1.9.1 - diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch b/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch deleted file mode 100644 index 3088f6a6dc..0000000000 --- a/gnu/packages/patches/wpa-supplicant-CVE-2015-5316.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 95577884ca4fa76be91344ff7a8d5d1e6dc3da61 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <j@w1.fi> -Date: Sun, 1 Nov 2015 19:35:44 +0200 -Subject: [PATCH] EAP-pwd peer: Fix error path for unexpected Confirm message - -If the Confirm message is received from the server before the Identity -exchange has been completed, the group has not yet been determined and -data->grp is NULL. The error path in eap_pwd_perform_confirm_exchange() -did not take this corner case into account and could end up -dereferencing a NULL pointer and terminating the process if invalid -message sequence is received. (CVE-2015-5316) - -Signed-off-by: Jouni Malinen <j@w1.fi> ---- - src/eap_peer/eap_pwd.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/src/eap_peer/eap_pwd.c b/src/eap_peer/eap_pwd.c -index 75ceef1..892b590 100644 ---- a/src/eap_peer/eap_pwd.c -+++ b/src/eap_peer/eap_pwd.c -@@ -774,7 +774,8 @@ eap_pwd_perform_confirm_exchange(struct eap_sm *sm, struct eap_pwd_data *data, - wpabuf_put_data(data->outbuf, conf, SHA256_MAC_LEN); - - fin: -- bin_clear_free(cruft, BN_num_bytes(data->grp->prime)); -+ if (data->grp) -+ bin_clear_free(cruft, BN_num_bytes(data->grp->prime)); - BN_clear_free(x); - BN_clear_free(y); - if (data->outbuf == NULL) { --- -1.9.1 - diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch deleted file mode 100644 index acad6be0a4..0000000000 --- a/gnu/packages/patches/wpa-supplicant-CVE-2016-4476.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@qca.qualcomm.com> -Date: Fri, 4 Mar 2016 17:20:18 +0200 -Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase - -WPA/WPA2-Personal passphrase is not allowed to include control -characters. Reject a Credential received from a WPS Registrar both as -STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or -WPA2PSK authentication type and includes an invalid passphrase. - -This fixes an issue where hostapd or wpa_supplicant could have updated -the configuration file PSK/passphrase parameter with arbitrary data from -an external device (Registrar) that may not be fully trusted. Should -such data include a newline character, the resulting configuration file -could become invalid and fail to be parsed. - -Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> ---- - src/utils/common.c | 12 ++++++++++++ - src/utils/common.h | 1 + - src/wps/wps_attr_process.c | 10 ++++++++++ - 3 files changed, 23 insertions(+) - -diff --git a/src/utils/common.c b/src/utils/common.c -index 450e2c6..27b7c02 100644 ---- a/src/utils/common.c -+++ b/src/utils/common.c -@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len) - } - - -+int has_ctrl_char(const u8 *data, size_t len) -+{ -+ size_t i; -+ -+ for (i = 0; i < len; i++) { -+ if (data[i] < 32 || data[i] == 127) -+ return 1; -+ } -+ return 0; -+} -+ -+ - size_t merge_byte_arrays(u8 *res, size_t res_len, - const u8 *src1, size_t src1_len, - const u8 *src2, size_t src2_len) -diff --git a/src/utils/common.h b/src/utils/common.h -index 701dbb2..a972240 100644 ---- a/src/utils/common.h -+++ b/src/utils/common.h -@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len); - - char * wpa_config_parse_string(const char *value, size_t *len); - int is_hex(const u8 *data, size_t len); -+int has_ctrl_char(const u8 *data, size_t len); - size_t merge_byte_arrays(u8 *res, size_t 
res_len, - const u8 *src1, size_t src1_len, - const u8 *src2, size_t src2_len); -diff --git a/src/wps/wps_attr_process.c b/src/wps/wps_attr_process.c -index eadb22f..e8c4579 100644 ---- a/src/wps/wps_attr_process.c -+++ b/src/wps/wps_attr_process.c -@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred) - cred->key_len--; - #endif /* CONFIG_WPS_STRICT */ - } -+ -+ -+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) && -+ (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) { -+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase"); -+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key", -+ cred->key, cred->key_len); -+ return -1; -+ } -+ - return 0; - } - --- -1.9.1 - diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch deleted file mode 100644 index 507a96e47c..0000000000 --- a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt1.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@qca.qualcomm.com> -Date: Fri, 4 Mar 2016 18:46:41 +0200 -Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase - character - -WPA/WPA2-Personal passphrase is not allowed to include control -characters. Reject a passphrase configuration attempt if that passphrase -includes an invalid passphrase. - -This fixes an issue where wpa_supplicant could have updated the -configuration file psk parameter with arbitrary data from the control -interface or D-Bus interface. While those interfaces are supposed to be -accessible only for trusted users/applications, it may be possible that -an untrusted user has access to a management software component that -does not validate the passphrase value before passing it to -wpa_supplicant. - -This could allow such an untrusted user to inject up to 63 characters of -almost arbitrary data into the configuration file. Such configuration -file could result in wpa_supplicant trying to load a library (e.g., -opensc_engine_path, pkcs11_engine_path, pkcs11_module_path, -load_dynamic_eap) from user controlled location when starting again. -This would allow code from that library to be executed under the -wpa_supplicant process privileges. 
- -Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> ---- - wpa_supplicant/config.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c -index b1c7870..fdd9643 100644 ---- a/wpa_supplicant/config.c -+++ b/wpa_supplicant/config.c -@@ -478,6 +478,12 @@ static int wpa_config_parse_psk(const struct parse_data *data, - } - wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)", - (u8 *) value, len); -+ if (has_ctrl_char((u8 *) value, len)) { -+ wpa_printf(MSG_ERROR, -+ "Line %d: Invalid passphrase character", -+ line); -+ return -1; -+ } - if (ssid->passphrase && os_strlen(ssid->passphrase) == len && - os_memcmp(ssid->passphrase, value, len) == 0) { - /* No change to the previously configured value */ --- -1.9.1 - diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch deleted file mode 100644 index 684d25de96..0000000000 --- a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt2.patch +++ /dev/null 
@@ -1,82 +0,0 @@ -From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001 -From: Paul Stewart <pstew@google.com> -Date: Thu, 3 Mar 2016 15:40:19 -0800 -Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network - output - -Spurious newlines output while writing the config file can corrupt the -wpa_supplicant configuration. Avoid writing these for the network block -parameters. This is a generic filter that cover cases that may not have -been explicitly addressed with a more specific commit to avoid control -characters in the psk parameter. - -Signed-off-by: Paul Stewart <pstew@google.com> ---- - src/utils/common.c | 11 +++++++++++ - src/utils/common.h | 1 + - wpa_supplicant/config.c | 15 +++++++++++++-- - 3 files changed, 25 insertions(+), 2 deletions(-) - -diff --git a/src/utils/common.c b/src/utils/common.c -index 27b7c02..9856463 100644 ---- a/src/utils/common.c -+++ b/src/utils/common.c -@@ -709,6 +709,17 @@ int has_ctrl_char(const u8 *data, size_t len) - } - - -+int has_newline(const char *str) -+{ -+ while (*str) { -+ if (*str == '\n' || *str == '\r') -+ return 1; -+ str++; -+ } -+ return 0; -+} -+ -+ - size_t merge_byte_arrays(u8 *res, size_t res_len, - const u8 *src1, size_t src1_len, - const u8 *src2, size_t src2_len) -diff --git a/src/utils/common.h b/src/utils/common.h -index a972240..d19927b 100644 ---- a/src/utils/common.h -+++ b/src/utils/common.h -@@ -489,6 +489,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len); - char * wpa_config_parse_string(const char *value, size_t *len); - int is_hex(const u8 *data, size_t len); - int has_ctrl_char(const u8 *data, size_t len); -+int has_newline(const char *str); - size_t merge_byte_arrays(u8 *res, size_t res_len, - const u8 *src1, size_t src1_len, - const u8 *src2, size_t src2_len); -diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c -index fdd9643..eb97cd5 100644 ---- a/wpa_supplicant/config.c -+++ b/wpa_supplicant/config.c -@@ -2699,8 +2699,19 @@ char * 
wpa_config_get(struct wpa_ssid *ssid, const char *var) - - for (i = 0; i < NUM_SSID_FIELDS; i++) { - const struct parse_data *field = &ssid_fields[i]; -- if (os_strcmp(var, field->name) == 0) -- return field->writer(field, ssid); -+ if (os_strcmp(var, field->name) == 0) { -+ char *ret = field->writer(field, ssid); -+ -+ if (ret && has_newline(ret)) { -+ wpa_printf(MSG_ERROR, -+ "Found newline in value for %s; not returning it", -+ var); -+ os_free(ret); -+ ret = NULL; -+ } -+ -+ return ret; -+ } - } - - return NULL; --- -1.9.1 - diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch deleted file mode 100644 index 2dd38fee31..0000000000 --- a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt3.patch +++ /dev/null 
@@ -1,62 +0,0 @@ -From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@qca.qualcomm.com> -Date: Tue, 5 Apr 2016 23:33:10 +0300 -Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the - string values - -Most of the cred block parameters are written as strings without -filtering and if there is an embedded newline character in the value, -unexpected configuration file data might be written. - -This fixes an issue where wpa_supplicant could have updated the -configuration file cred parameter with arbitrary data from the control -interface or D-Bus interface. While those interfaces are supposed to be -accessible only for trusted users/applications, it may be possible that -an untrusted user has access to a management software component that -does not validate the credential value before passing it to -wpa_supplicant. - -This could allow such an untrusted user to inject almost arbitrary data -into the configuration file. Such configuration file could result in -wpa_supplicant trying to load a library (e.g., opensc_engine_path, -pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user -controlled location when starting again. This would allow code from that -library to be executed under the wpa_supplicant process privileges. 
- -Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> ---- - wpa_supplicant/config.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c -index eb97cd5..69152ef 100644 ---- a/wpa_supplicant/config.c -+++ b/wpa_supplicant/config.c -@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, - - if (os_strcmp(var, "password") == 0 && - os_strncmp(value, "ext:", 4) == 0) { -+ if (has_newline(value)) -+ return -1; - str_clear_free(cred->password); - cred->password = os_strdup(value); - cred->ext_password = 1; -@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var, - } - - val = wpa_config_parse_string(value, &len); -- if (val == NULL) { -+ if (val == NULL || -+ (os_strcmp(var, "excluded_ssid") != 0 && -+ os_strcmp(var, "roaming_consortium") != 0 && -+ os_strcmp(var, "required_roaming_consortium") != 0 && -+ has_newline(val))) { - wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string " - "value '%s'.", line, var, value); -+ os_free(val); - return -1; - } - --- -1.9.1 - diff --git a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch b/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch deleted file mode 100644 index 5f42aa9219..0000000000 --- a/gnu/packages/patches/wpa-supplicant-CVE-2016-4477-pt4.patch +++ /dev/null 
@@ -1,50 +0,0 @@ -From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001 -From: Jouni Malinen <jouni@qca.qualcomm.com> -Date: Tue, 5 Apr 2016 23:55:48 +0300 -Subject: [PATCH 5/5] Reject SET commands with newline characters in the - string values - -Many of the global configuration parameters are written as strings -without filtering and if there is an embedded newline character in the -value, unexpected configuration file data might be written. - -This fixes an issue where wpa_supplicant could have updated the -configuration file global parameter with arbitrary data from the control -interface or D-Bus interface. While those interfaces are supposed to be -accessible only for trusted users/applications, it may be possible that -an untrusted user has access to a management software component that -does not validate the value of a parameter before passing it to -wpa_supplicant. - -This could allow such an untrusted user to inject almost arbitrary data -into the configuration file. Such configuration file could result in -wpa_supplicant trying to load a library (e.g., opensc_engine_path, -pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user -controlled location when starting again. This would allow code from that -library to be executed under the wpa_supplicant process privileges. - -Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> ---- - wpa_supplicant/config.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/wpa_supplicant/config.c b/wpa_supplicant/config.c -index 69152ef..d9a1603 100644 ---- a/wpa_supplicant/config.c -+++ b/wpa_supplicant/config.c -@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data, - return -1; - } - -+ if (has_newline(pos)) { -+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline", -+ line, data->name); -+ return -1; -+ } -+ - tmp = os_strdup(pos); - if (tmp == NULL) - return -1; --- -1.9.1 - |