diff options
author | Mark H Weaver <mhw@netris.org> | 2015-02-26 00:16:07 -0500 |
---|---|---|
committer | Mark H Weaver <mhw@netris.org> | 2015-02-26 00:39:31 -0500 |
commit | 8830740643397d8d38e018c728ed62d0bcb4c310 (patch) | |
tree | 5f8b08f0bdd0f5b5041e8b4dbd0e788b69c978ea /gnu | |
parent | 5be2f8844dba4aab0c134f61a830acb16b56d2c5 (diff) | |
download | guix-8830740643397d8d38e018c728ed62d0bcb4c310.tar guix-8830740643397d8d38e018c728ed62d0bcb4c310.tar.gz |
gnu: icecat: Apply fixes for CVE-2015-{0822,0827,0831,0836}.
* gnu/packages/patches/icecat-CVE-2015-0822.patch,
gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch,
gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch,
gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch,
gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch,
gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch,
gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Diffstat (limited to 'gnu')
18 files changed, 1265 insertions, 1 deletions
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 06cf90a7ee..335cfd1983 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -224,7 +224,25 @@ standards.") version "/" name "-" version ".tar.bz2")) (sha256 (base32 - "0q5ilgfybcrbwf9hq9zc1cpnlhq1pddnnjmdrxrcrrg8lgx5kkc2")))) + "0q5ilgfybcrbwf9hq9zc1cpnlhq1pddnnjmdrxrcrrg8lgx5kkc2")) + (patches (map search-patch + '("icecat-CVE-2015-0822.patch" + "icecat-CVE-2015-0827-pt-1.patch" + "icecat-CVE-2015-0827-pt-2.patch" + "icecat-CVE-2015-0827-pt-3.patch" + "icecat-CVE-2015-0831-pt-1.patch" + "icecat-CVE-2015-0831-pt-2.patch" + "icecat-CVE-2015-0836-pt-01.patch" + "icecat-CVE-2015-0836-pt-02.patch" + "icecat-CVE-2015-0836-pt-03.patch" + "icecat-CVE-2015-0836-pt-04.patch" + "icecat-CVE-2015-0836-pt-05.patch" + "icecat-CVE-2015-0836-pt-06.patch" + "icecat-CVE-2015-0836-pt-07.patch" + "icecat-CVE-2015-0836-pt-08.patch" + "icecat-CVE-2015-0836-pt-09.patch" + "icecat-CVE-2015-0836-pt-10.patch" + "icecat-CVE-2015-0836-pt-11.patch"))))) (build-system gnu-build-system) (inputs `(("alsa-lib" ,alsa-lib) diff --git a/gnu/packages/patches/icecat-CVE-2015-0822.patch b/gnu/packages/patches/icecat-CVE-2015-0822.patch new file mode 100644 index 0000000000..2625151453 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0822.patch @@ -0,0 +1,154 @@ +From 0922145c255bf2503d3b2dd5f8f1e813338ba990 Mon Sep 17 00:00:00 2001 +From: Mats Palmgren <mats@mozilla.com> +Date: Sat, 24 Jan 2015 12:37:47 -0500 +Subject: [PATCH] Bug 1110557. r=mak, r=gavin, a=bkerensa + +--- + .../components/satchel/nsFormFillController.cpp | 67 +++++++++++++++------- + toolkit/components/satchel/nsFormFillController.h | 5 ++ + 2 files changed, 52 insertions(+), 20 deletions(-) + +diff --git a/toolkit/components/satchel/nsFormFillController.cpp b/toolkit/components/satchel/nsFormFillController.cpp +index 315fc68..676ad84 100644 +--- a/toolkit/components/satchel/nsFormFillController.cpp ++++ b/toolkit/components/satchel/nsFormFillController.cpp +@@ -61,6 +61,7 @@ nsFormFillController::nsFormFillController() : + mSuppressOnInput(false) + { + mController = do_GetService("@mozilla.org/autocomplete/controller;1"); ++ MOZ_ASSERT(mController); + } + + struct PwmgrInputsEnumData +@@ -104,6 +105,21 @@ nsFormFillController::AttributeChanged(nsIDocument* aDocument, + int32_t aNameSpaceID, + nsIAtom* aAttribute, int32_t aModType) + { ++ if ((aAttribute == nsGkAtoms::type || aAttribute == nsGkAtoms::readonly || ++ aAttribute == nsGkAtoms::autocomplete) && ++ aNameSpaceID == kNameSpaceID_None) { ++ nsCOMPtr<nsIDOMHTMLInputElement> focusedInput(mFocusedInput); ++ // Reset the current state of the controller, unconditionally. ++ StopControllingInput(); ++ // Then restart based on the new values. We have to delay this ++ // to avoid ending up in an endless loop due to re-registering our ++ // mutation observer (which would notify us again for *this* event). ++ nsCOMPtr<nsIRunnable> event = ++ NS_NewRunnableMethodWithArg<nsCOMPtr<nsIDOMHTMLInputElement>> ++ (this, &nsFormFillController::MaybeStartControllingInput, focusedInput); ++ NS_DispatchToCurrentThread(event); ++ } ++ + if (mListNode && mListNode->Contains(aElement)) { + RevalidateDataList(); + } +@@ -841,28 +857,26 @@ nsFormFillController::RemoveForDocumentEnumerator(const nsINode* aKey, + return PL_DHASH_NEXT; + } + +-nsresult +-nsFormFillController::Focus(nsIDOMEvent* aEvent) ++void ++nsFormFillController::MaybeStartControllingInput(nsIDOMHTMLInputElement* aInput) + { +- nsCOMPtr<nsIDOMHTMLInputElement> input = do_QueryInterface( +- aEvent->InternalDOMEvent()->GetTarget()); +- nsCOMPtr<nsINode> inputNode = do_QueryInterface(input); ++ nsCOMPtr<nsINode> inputNode = do_QueryInterface(aInput); + if (!inputNode) +- return NS_OK; ++ return; + +- nsCOMPtr<nsIFormControl> formControl = do_QueryInterface(input); ++ nsCOMPtr<nsIFormControl> formControl = do_QueryInterface(aInput); + if (!formControl || !formControl->IsSingleLineTextControl(true)) +- return NS_OK; ++ return; + + bool isReadOnly = false; +- input->GetReadOnly(&isReadOnly); ++ aInput->GetReadOnly(&isReadOnly); + if (isReadOnly) +- return NS_OK; ++ return; + +- bool autocomplete = nsContentUtils::IsAutocompleteEnabled(input); ++ bool autocomplete = nsContentUtils::IsAutocompleteEnabled(aInput); + + nsCOMPtr<nsIDOMHTMLElement> datalist; +- input->GetList(getter_AddRefs(datalist)); ++ aInput->GetList(getter_AddRefs(datalist)); + bool hasList = datalist != nullptr; + + bool dummy; +@@ -871,9 +885,16 @@ nsFormFillController::Focus(nsIDOMEvent* aEvent) + isPwmgrInput = true; + + if (isPwmgrInput || hasList || autocomplete) { +- StartControllingInput(input); ++ StartControllingInput(aInput); + } ++} + ++nsresult ++nsFormFillController::Focus(nsIDOMEvent* aEvent) ++{ ++ nsCOMPtr<nsIDOMHTMLInputElement> input = do_QueryInterface( ++ aEvent->InternalDOMEvent()->GetTarget()); ++ MaybeStartControllingInput(input); + return NS_OK; + } + +@@ -1087,6 +1108,10 @@ nsFormFillController::StartControllingInput(nsIDOMHTMLInputElement *aInput) + // Make sure we're not still attached to an input + StopControllingInput(); + ++ if (!mController) { ++ return; ++ } ++ + // Find the currently focused docShell + nsCOMPtr<nsIDocShell> docShell = GetDocShellForInput(aInput); + int32_t index = GetIndexOfDocShell(docShell); +@@ -1129,13 +1154,15 @@ nsFormFillController::StopControllingInput() + mListNode = nullptr; + } + +- // Reset the controller's input, but not if it has been switched +- // to another input already, which might happen if the user switches +- // focus by clicking another autocomplete textbox +- nsCOMPtr<nsIAutoCompleteInput> input; +- mController->GetInput(getter_AddRefs(input)); +- if (input == this) +- mController->SetInput(nullptr); ++ if (mController) { ++ // Reset the controller's input, but not if it has been switched ++ // to another input already, which might happen if the user switches ++ // focus by clicking another autocomplete textbox ++ nsCOMPtr<nsIAutoCompleteInput> input; ++ mController->GetInput(getter_AddRefs(input)); ++ if (input == this) ++ mController->SetInput(nullptr); ++ } + + if (mFocusedInputNode) { + MaybeRemoveMutationObserver(mFocusedInputNode); +diff --git a/toolkit/components/satchel/nsFormFillController.h b/toolkit/components/satchel/nsFormFillController.h +index b60d28d..8c3ba26 100644 +--- a/toolkit/components/satchel/nsFormFillController.h ++++ b/toolkit/components/satchel/nsFormFillController.h +@@ -62,6 +62,11 @@ protected: + + void StartControllingInput(nsIDOMHTMLInputElement *aInput); + void StopControllingInput(); ++ /** ++ * Checks that aElement is a type of element we want to fill, then calls ++ * StartControllingInput on it. ++ */ ++ void MaybeStartControllingInput(nsIDOMHTMLInputElement* aElement); + + nsresult PerformInputListAutoComplete(nsIAutoCompleteResult* aPreviousResult); + +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch b/gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch new file mode 100644 index 0000000000..c57da755d1 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch @@ -0,0 +1,33 @@ +From 28b6204b1421aa57b3c10c43d90cb516910bc80f Mon Sep 17 00:00:00 2001 +From: Markus Stange <mstange@themasta.com> +Date: Tue, 6 Jan 2015 12:08:39 +0100 +Subject: [PATCH] Bug 1117304 - Also do the checks at the start of CopyRect in + release builds. r=Bas, a=sledru + +--- + gfx/2d/FilterNodeSoftware.cpp | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp +index 00d790f..396d0da 100644 +--- a/gfx/2d/FilterNodeSoftware.cpp ++++ b/gfx/2d/FilterNodeSoftware.cpp +@@ -253,9 +253,12 @@ CopyRect(DataSourceSurface* aSrc, DataSourceSurface* aDest, + MOZ_CRASH("we should never be getting invalid rects at this point"); + } + +- MOZ_ASSERT(aSrc->GetFormat() == aDest->GetFormat(), "different surface formats"); +- MOZ_ASSERT(IntRect(IntPoint(), aSrc->GetSize()).Contains(aSrcRect), "source rect too big for source surface"); +- MOZ_ASSERT(IntRect(IntPoint(), aDest->GetSize()).Contains(aSrcRect - aSrcRect.TopLeft() + aDestPoint), "dest surface too small"); ++ MOZ_RELEASE_ASSERT(aSrc->GetFormat() == aDest->GetFormat(), ++ "different surface formats"); ++ MOZ_RELEASE_ASSERT(IntRect(IntPoint(), aSrc->GetSize()).Contains(aSrcRect), ++ "source rect too big for source surface"); ++ MOZ_RELEASE_ASSERT(IntRect(IntPoint(), aDest->GetSize()).Contains(IntRect(aDestPoint, aSrcRect.Size())), ++ "dest surface too small"); + + if (aSrcRect.IsEmpty()) { + return; +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch b/gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch new file mode 100644 index 0000000000..1ff68f4b4c --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch @@ -0,0 +1,35 @@ +From 5ff75fbe51d5760a96b4e614617c9cbf35f1fbaa Mon Sep 17 00:00:00 2001 +From: Markus Stange <mstange@themasta.com> +Date: Mon, 5 Jan 2015 18:40:27 +0100 +Subject: [PATCH] Bug 1117304 - Make sure the tile filter doesn't call CopyRect + on surfaces with different formats. r=Bas, a=sledru + +--- + gfx/2d/FilterNodeSoftware.cpp | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp +index 396d0da..10d92c6 100644 +--- a/gfx/2d/FilterNodeSoftware.cpp ++++ b/gfx/2d/FilterNodeSoftware.cpp +@@ -1568,7 +1568,16 @@ FilterNodeTileSoftware::Render(const IntRect& aRect) + return nullptr; + } + } +- MOZ_ASSERT(input->GetFormat() == target->GetFormat(), "different surface formats from the same input?"); ++ ++ if (input->GetFormat() != target->GetFormat()) { ++ // Different rectangles of the input can have different formats. If ++ // that happens, just convert everything to B8G8R8A8. ++ target = FilterProcessing::ConvertToB8G8R8A8(target); ++ input = FilterProcessing::ConvertToB8G8R8A8(input); ++ if (MOZ2D_WARN_IF(!target) || MOZ2D_WARN_IF(!input)) { ++ return nullptr; ++ } ++ } + + CopyRect(input, target, srcRect - srcRect.TopLeft(), destRect.TopLeft() - aRect.TopLeft()); + } +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch b/gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch new file mode 100644 index 0000000000..8d40126849 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch @@ -0,0 +1,56 @@ +From c91087708686ae1c47abee65e19536688e5ec8f2 Mon Sep 17 00:00:00 2001 +From: Ryan VanderMeulen <ryanvm@gmail.com> +Date: Mon, 26 Jan 2015 17:24:46 -0500 +Subject: [PATCH] Bug 1117304 - Add missing MOZ2D_WARN_IF definition to fix + bustage. r=milan, a=bustage + +--- + gfx/2d/FilterNodeSoftware.cpp | 1 + + gfx/2d/Logging.h | 19 +++++++++++++++++++ + 2 files changed, 20 insertions(+) + +diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp +index 10d92c6..48bf162 100644 +--- a/gfx/2d/FilterNodeSoftware.cpp ++++ b/gfx/2d/FilterNodeSoftware.cpp +@@ -12,6 +12,7 @@ + #include "Blur.h" + #include <map> + #include "FilterProcessing.h" ++#include "Logging.h" + #include "mozilla/PodOperations.h" + #include "mozilla/DebugOnly.h" + +diff --git a/gfx/2d/Logging.h b/gfx/2d/Logging.h +index 85e788c..d7728bb 100644 +--- a/gfx/2d/Logging.h ++++ b/gfx/2d/Logging.h +@@ -155,6 +155,25 @@ typedef Log<LOG_WARNING> WarningLog; + #define gfxWarning if (1) ; else NoLog + #endif + ++// See nsDebug.h and the NS_WARN_IF macro ++ ++#ifdef __cplusplus ++#ifdef DEBUG ++inline bool MOZ2D_warn_if_impl(bool aCondition, const char* aExpr, ++ const char* aFile, int32_t aLine) ++{ ++ if (MOZ_UNLIKELY(aCondition)) { ++ gfxWarning() << aExpr << " at " << aFile << ":" << aLine; ++ } ++ return aCondition; ++} ++#define MOZ2D_WARN_IF(condition) \ ++ MOZ2D_warn_if_impl(condition, #condition, __FILE__, __LINE__) ++#else ++#define MOZ2D_WARN_IF(condition) (bool)(condition) ++#endif ++#endif ++ + const int INDENT_PER_LEVEL = 2; + + class TreeLog +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch b/gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch new file mode 100644 index 0000000000..c04d604923 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch @@ -0,0 +1,32 @@ +From c8437505a63fc2b2552b8af217d60d79abb92ba3 Mon Sep 17 00:00:00 2001 +From: Ben Turner <bent.mozilla@gmail.com> +Date: Fri, 6 Feb 2015 15:25:33 -0800 +Subject: [PATCH] Bug 1130541. r=janv, a=sledru + +--- + dom/indexedDB/IDBDatabase.cpp | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/dom/indexedDB/IDBDatabase.cpp b/dom/indexedDB/IDBDatabase.cpp +index 7329cec..c9c7e4f 100644 +--- a/dom/indexedDB/IDBDatabase.cpp ++++ b/dom/indexedDB/IDBDatabase.cpp +@@ -536,6 +536,7 @@ IDBDatabase::CreateObjectStore( + IDBTransaction* transaction = AsyncConnectionHelper::GetCurrentTransaction(); + + if (!transaction || ++ transaction->Database() != this || + transaction->GetMode() != IDBTransaction::VERSION_CHANGE) { + aRv.Throw(NS_ERROR_DOM_INDEXEDDB_NOT_ALLOWED_ERR); + return nullptr; +@@ -577,6 +578,7 @@ IDBDatabase::DeleteObjectStore(const nsAString& aName, ErrorResult& aRv) + IDBTransaction* transaction = AsyncConnectionHelper::GetCurrentTransaction(); + + if (!transaction || ++ transaction->Database() != this || + transaction->GetMode() != IDBTransaction::VERSION_CHANGE) { + aRv.Throw(NS_ERROR_DOM_INDEXEDDB_NOT_ALLOWED_ERR); + return; +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch b/gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch new file mode 100644 index 0000000000..9510cd611f --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch @@ -0,0 +1,26 @@ +From 4e799e44288c951f8d9acd17e7d8c56c9ee6a7d3 Mon Sep 17 00:00:00 2001 +From: Ben Turner <bent.mozilla@gmail.com> +Date: Mon, 9 Feb 2015 14:38:26 -0800 +Subject: [PATCH] Bug 1130541 followup a=test-only + +--HG-- +extra : amend_source : 23d80353f87897fdac9c99048d12ebe4ed390f76 +--- + dom/indexedDB/test/browser_quotaPrompt.html | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/dom/indexedDB/test/browser_quotaPrompt.html b/dom/indexedDB/test/browser_quotaPrompt.html +index c139970..dbeea68 100644 +--- a/dom/indexedDB/test/browser_quotaPrompt.html ++++ b/dom/indexedDB/test/browser_quotaPrompt.html +@@ -38,6 +38,7 @@ + let request = indexedDB.open(window.location.pathname, version++); + request.onerror = errorHandler; + request.onupgradeneeded = function(event) { ++ let db = event.target.result; + db.deleteObjectStore("foo"); + db.onversionchange = function () { db.close(); }; + request.transaction.oncomplete = function(event) { +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch new file mode 100644 index 0000000000..f6e2756054 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch @@ -0,0 +1,26 @@ +From 4106ffa6ee83b814428bb07948b3595e3fa3847e Mon Sep 17 00:00:00 2001 +From: Jan de Mooij <jdemooij@mozilla.com> +Date: Tue, 10 Feb 2015 09:40:46 +0100 +Subject: [PATCH] Bug 1128196 - Don't relazify scripts with a TypeScript. + r=till, a=lmandel + +--- + js/src/jsscript.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/js/src/jsscript.h b/js/src/jsscript.h +index 4d548ef..9a0cfbb 100644 +--- a/js/src/jsscript.h ++++ b/js/src/jsscript.h +@@ -1251,7 +1251,7 @@ class JSScript : public js::gc::BarrieredCell<JSScript> + } + + bool isRelazifiable() const { +- return (selfHosted() || lazyScript) && ++ return (selfHosted() || lazyScript) && !types && + !isGenerator() && !hasBaselineScript() && !hasAnyIonScript() && !hasBeenInlined(); + } + void setLazyScript(js::LazyScript *lazy) { +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch new file mode 100644 index 0000000000..c95cf23a29 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch @@ -0,0 +1,27 @@ +From 83c4bfeea2d2203f726e3bfcb7ee6fe56b4d9703 Mon Sep 17 00:00:00 2001 +From: Ryan VanderMeulen <ryanvm@gmail.com> +Date: Thu, 29 Jan 2015 10:31:25 -0500 +Subject: [PATCH] Bug 1111248. r=Waldo, a=sledru + +--- + js/src/jsbool.cpp | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/js/src/jsbool.cpp b/js/src/jsbool.cpp +index 5d88bd5..8d5d672 100644 +--- a/js/src/jsbool.cpp ++++ b/js/src/jsbool.cpp +@@ -198,7 +198,8 @@ js::ToBooleanSlow(HandleValue v) + bool + js::BooleanGetPrimitiveValueSlow(HandleObject wrappedBool) + { +- JSObject *obj = wrappedBool->as<ProxyObject>().target(); +- JS_ASSERT(obj); ++ JSObject *obj = CheckedUnwrap(wrappedBool); ++ if (!obj || !obj->is<BooleanObject>()) ++ return false; + return obj->as<BooleanObject>().unbox(); + } +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch new file mode 100644 index 0000000000..115cd76201 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch @@ -0,0 +1,220 @@ +From 4e4e34238e5bb5af83a645a5f4d2097e3b30e9dd Mon Sep 17 00:00:00 2001 +From: Tom Schuster <evilpies@gmail.com> +Date: Sun, 25 Jan 2015 21:42:10 +0100 +Subject: [PATCH] Bug 1111243 - Implement ES6 proxy behavior for IsArray. + r=efaust, a=abillings + +--- + browser/devtools/app-manager/app-projects.js | 2 ++ + js/public/Class.h | 5 +++- + js/src/jsarray.cpp | 9 ++++-- + js/src/jsobjinlines.h | 15 +++++++++- + js/src/json.cpp | 11 +++---- + js/src/jsproxy.cpp | 45 ++++++++++++++++++++++++++++ + 6 files changed, 78 insertions(+), 9 deletions(-) + +diff --git a/browser/devtools/app-manager/app-projects.js b/browser/devtools/app-manager/app-projects.js +index d09f72f..77ca67b 100644 +--- a/browser/devtools/app-manager/app-projects.js ++++ b/browser/devtools/app-manager/app-projects.js +@@ -61,6 +61,8 @@ const IDB = { + add: function(project) { + let deferred = promise.defer(); + ++ project = JSON.parse(JSON.stringify(project)); ++ + if (!project.location) { + // We need to make sure this object has a `.location` property. + deferred.reject("Missing location property on project object."); +diff --git a/js/public/Class.h b/js/public/Class.h +index ff864b1..46f7d39 100644 +--- a/js/public/Class.h ++++ b/js/public/Class.h +@@ -521,7 +521,10 @@ Valueify(const JSClass *c) + */ + enum ESClassValue { + ESClass_Array, ESClass_Number, ESClass_String, ESClass_Boolean, +- ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date ++ ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date, ++ // Special snowflake for the ES6 IsArray method. ++ // Please don't use it without calling that function. ++ ESClass_IsArray + }; + + /* +diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp +index 24da176..46f1c20 100644 +--- a/js/src/jsarray.cpp ++++ b/js/src/jsarray.cpp +@@ -2645,7 +2645,8 @@ js::array_concat(JSContext *cx, unsigned argc, Value *vp) + HandleValue v = HandleValue::fromMarkedLocation(&p[i]); + if (v.isObject()) { + RootedObject obj(cx, &v.toObject()); +- if (ObjectClassIs(obj, ESClass_Array, cx)) { ++ // This should be IsConcatSpreadable ++ if (IsArray(obj, cx)) { + uint32_t alength; + if (!GetLengthProperty(cx, obj, &alength)) + return false; +@@ -2870,7 +2871,11 @@ static bool + array_isArray(JSContext *cx, unsigned argc, Value *vp) + { + CallArgs args = CallArgsFromVp(argc, vp); +- bool isArray = args.length() > 0 && IsObjectWithClass(args[0], ESClass_Array, cx); ++ bool isArray = false; ++ if (args.get(0).isObject()) { ++ RootedObject obj(cx, &args[0].toObject()); ++ isArray = IsArray(obj, cx); ++ } + args.rval().setBoolean(isArray); + return true; + } +diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h +index e848ba7..557dd26 100644 +--- a/js/src/jsobjinlines.h ++++ b/js/src/jsobjinlines.h +@@ -1032,7 +1032,10 @@ ObjectClassIs(HandleObject obj, ESClassValue classValue, JSContext *cx) + return Proxy::objectClassIs(obj, classValue, cx); + + switch (classValue) { +- case ESClass_Array: return obj->is<ArrayObject>(); ++ case ESClass_Array: ++ case ESClass_IsArray: ++ // There difference between those is only relevant for proxies. ++ return obj->is<ArrayObject>(); + case ESClass_Number: return obj->is<NumberObject>(); + case ESClass_String: return obj->is<StringObject>(); + case ESClass_Boolean: return obj->is<BooleanObject>(); +@@ -1053,6 +1056,16 @@ IsObjectWithClass(const Value &v, ESClassValue classValue, JSContext *cx) + return ObjectClassIs(obj, classValue, cx); + } + ++// ES6 7.2.2 ++inline bool ++IsArray(HandleObject obj, JSContext *cx) ++{ ++ if (obj->is<ArrayObject>()) ++ return true; ++ ++ return ObjectClassIs(obj, ESClass_IsArray, cx); ++} ++ + static MOZ_ALWAYS_INLINE bool + NewObjectMetadata(ExclusiveContext *cxArg, JSObject **pmetadata) + { +diff --git a/js/src/json.cpp b/js/src/json.cpp +index 6e45bfd..81a99a6 100644 +--- a/js/src/json.cpp ++++ b/js/src/json.cpp +@@ -300,7 +300,7 @@ JO(JSContext *cx, HandleObject obj, StringifyContext *scx) + Maybe<AutoIdVector> ids; + const AutoIdVector *props; + if (scx->replacer && !scx->replacer->isCallable()) { +- JS_ASSERT(JS_IsArrayObject(cx, scx->replacer)); ++ JS_ASSERT(IsArray(scx->replacer, cx)); + props = &scx->propertyList; + } else { + JS_ASSERT_IF(scx->replacer, scx->propertyList.length() == 0); +@@ -488,7 +488,7 @@ Str(JSContext *cx, const Value &v, StringifyContext *scx) + + scx->depth++; + bool ok; +- if (ObjectClassIs(obj, ESClass_Array, cx)) ++ if (IsArray(obj, cx)) + ok = JA(cx, obj, scx); + else + ok = JO(cx, obj, scx); +@@ -510,7 +510,7 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp + if (replacer) { + if (replacer->isCallable()) { + /* Step 4a(i): use replacer to transform values. */ +- } else if (ObjectClassIs(replacer, ESClass_Array, cx)) { ++ } else if (IsArray(replacer, cx)) { + /* + * Step 4b: The spec algorithm is unhelpfully vague about the exact + * steps taken when the replacer is an array, regarding the exact +@@ -541,7 +541,8 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp + + /* Step 4b(ii). */ + uint32_t len; +- JS_ALWAYS_TRUE(GetLengthProperty(cx, replacer, &len)); ++ if (!GetLengthProperty(cx, replacer, &len)) ++ return false; + if (replacer->is<ArrayObject>() && !replacer->isIndexed()) + len = Min(len, replacer->getDenseInitializedLength()); + +@@ -678,7 +679,7 @@ Walk(JSContext *cx, HandleObject holder, HandleId name, HandleValue reviver, Mut + if (val.isObject()) { + RootedObject obj(cx, &val.toObject()); + +- if (ObjectClassIs(obj, ESClass_Array, cx)) { ++ if (IsArray(obj, cx)) { + /* Step 2a(ii). */ + uint32_t length; + if (!GetLengthProperty(cx, obj, &length)) +diff --git a/js/src/jsproxy.cpp b/js/src/jsproxy.cpp +index 7644da1..7453103 100644 +--- a/js/src/jsproxy.cpp ++++ b/js/src/jsproxy.cpp +@@ -1108,6 +1108,14 @@ class ScriptedDirectProxyHandler : public DirectProxyHandler { + virtual bool isExtensible(JSContext *cx, HandleObject proxy, bool *extensible) MOZ_OVERRIDE; + + /* Spidermonkey extensions. */ ++ // A scripted proxy should not be treated as generic in most contexts. ++ virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl, ++ CallArgs args) MOZ_OVERRIDE; ++ virtual bool objectClassIs(HandleObject obj, ESClassValue classValue, ++ JSContext *cx) MOZ_OVERRIDE; ++ virtual bool regexp_toShared(JSContext *cx, HandleObject proxy, ++ RegExpGuard *g) MOZ_OVERRIDE; ++ + virtual bool call(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE; + virtual bool construct(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE; + virtual bool isScripted() MOZ_OVERRIDE { return true; } +@@ -2350,6 +2358,43 @@ ScriptedDirectProxyHandler::construct(JSContext *cx, HandleObject proxy, const C + return true; + } + ++bool ++ScriptedDirectProxyHandler::nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl, ++ CallArgs args) ++{ ++ ReportIncompatible(cx, args); ++ return false; ++} ++ ++bool ++ScriptedDirectProxyHandler::objectClassIs(HandleObject proxy, ESClassValue classValue, ++ JSContext *cx) ++{ ++ // Special case IsArray. In every other instance ES wants to have exactly ++ // one object type and not a proxy around it, so return false. ++ if (classValue != ESClass_IsArray) ++ return false; ++ ++ // In ES6 IsArray is supposed to poke at the Proxy target, instead we do this here. ++ // The reason for this is that we have proxies for which looking at the target might ++ // be impossible. So instead we use our little objectClassIs function that just works ++ // already across different wrappers. ++ RootedObject target(cx, proxy->as<ProxyObject>().target()); ++ if (!target) ++ return false; ++ ++ return IsArray(target, cx); ++} ++ ++bool ++ScriptedDirectProxyHandler::regexp_toShared(JSContext *cx, HandleObject proxy, ++ RegExpGuard *g) ++{ ++ MOZ_CRASH("Should not end up in ScriptedDirectProxyHandler::regexp_toShared"); ++ return false; ++} ++ ++ + ScriptedDirectProxyHandler ScriptedDirectProxyHandler::singleton; + + #define INVOKE_ON_PROTOTYPE(cx, handler, proxy, protoCall) \ +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch new file mode 100644 index 0000000000..58e61d080c --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch @@ -0,0 +1,89 @@ +From 97ba04bf95606b409b1b3035504a41c274ecffe2 Mon Sep 17 00:00:00 2001 +From: Shu-yu Guo <shu@rfrn.org> +Date: Mon, 26 Jan 2015 18:26:25 -0800 +Subject: [PATCH] Bug 1119579 - Don't GC while iterating compartments in + findAllGlobals. r=sfink, a=abillings + +--- + js/src/vm/Debugger.cpp | 56 ++++++++++++++++++++++++++++++-------------------- + 1 file changed, 34 insertions(+), 22 deletions(-) + +diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp +index 27e993d..a8decef 100644 +--- a/js/src/vm/Debugger.cpp ++++ b/js/src/vm/Debugger.cpp +@@ -2825,37 +2825,49 @@ Debugger::findAllGlobals(JSContext *cx, unsigned argc, Value *vp) + { + THIS_DEBUGGER(cx, argc, vp, "findAllGlobals", args, dbg); + +- RootedObject result(cx, NewDenseEmptyArray(cx)); +- if (!result) +- return false; ++ AutoObjectVector globals(cx); + +- for (CompartmentsIter c(cx->runtime(), SkipAtoms); !c.done(); c.next()) { +- if (c->options().invisibleToDebugger()) +- continue; ++ { ++ // Accumulate the list of globals before wrapping them, because ++ // wrapping can GC and collect compartments from under us, while ++ // iterating. + +- c->zone()->scheduledForDestruction = false; ++ for (CompartmentsIter c(cx->runtime(), SkipAtoms); !c.done(); c.next()) { ++ if (c->options().invisibleToDebugger()) ++ continue; + +- GlobalObject *global = c->maybeGlobal(); ++ c->zone()->scheduledForDestruction = false; + +- if (cx->runtime()->isSelfHostingGlobal(global)) +- continue; ++ GlobalObject *global = c->maybeGlobal(); + +- if (global) { +- /* +- * We pulled |global| out of nowhere, so it's possible that it was +- * marked gray by XPConnect. Since we're now exposing it to JS code, +- * we need to mark it black. +- */ +- JS::ExposeGCThingToActiveJS(global, JSTRACE_OBJECT); ++ if (cx->runtime()->isSelfHostingGlobal(global)) ++ continue; + +- RootedValue globalValue(cx, ObjectValue(*global)); +- if (!dbg->wrapDebuggeeValue(cx, &globalValue)) +- return false; +- if (!NewbornArrayPush(cx, result, globalValue)) +- return false; ++ if (global) { ++ /* ++ * We pulled |global| out of nowhere, so it's possible that it was ++ * marked gray by XPConnect. Since we're now exposing it to JS code, ++ * we need to mark it black. ++ */ ++ JS::ExposeGCThingToActiveJS(global, JSTRACE_OBJECT); ++ if (!globals.append(global)) ++ return false; ++ } + } + } + ++ RootedObject result(cx, NewDenseEmptyArray(cx)); ++ if (!result) ++ return false; ++ ++ for (size_t i = 0; i < globals.length(); i++) { ++ RootedValue globalValue(cx, ObjectValue(*globals[i])); ++ if (!dbg->wrapDebuggeeValue(cx, &globalValue)) ++ return false; ++ if (!NewbornArrayPush(cx, result, globalValue)) ++ return false; ++ } ++ + args.rval().setObject(*result); + return true; + } +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch new file mode 100644 index 0000000000..3e4ed17598 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch @@ -0,0 +1,25 @@ +From 746ddf19ff532b8abc90d3a91322a04b462ebfa8 Mon Sep 17 00:00:00 2001 +From: Brian Hackett <bhackett1024@gmail.com> +Date: Mon, 26 Jan 2015 13:14:34 -0500 +Subject: [PATCH] Bug 1124018 - Null the allocation site table if + initialization fails. r=jonco, a=bkerensa + +--- + js/src/jsinfer.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp +index b62ad1f..4019b16 100644 +--- a/js/src/jsinfer.cpp ++++ b/js/src/jsinfer.cpp +@@ -2035,6 +2035,7 @@ TypeCompartment::addAllocationSiteTypeObject(JSContext *cx, AllocationSiteKey ke + allocationSiteTable = cx->new_<AllocationSiteTable>(); + if (!allocationSiteTable || !allocationSiteTable->init()) { + js_delete(allocationSiteTable); ++ allocationSiteTable = nullptr; + return nullptr; + } + } +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch new file mode 100644 index 0000000000..181f9243e3 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch @@ -0,0 +1,41 @@ +From 0758363d982b0b3e6cf021c164715a028a345b9e Mon Sep 17 00:00:00 2001 +From: "Byron Campen [:bwc]" <docfaraday@gmail.com> +Date: Wed, 21 Jan 2015 08:56:36 -0800 +Subject: [PATCH] Bug 1123882 - Fix case where offset != 0. r=derf, a=bkerensa + +--- + content/media/MediaDecoderStateMachine.cpp | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/content/media/MediaDecoderStateMachine.cpp b/content/media/MediaDecoderStateMachine.cpp +index ce5870f..4ed496c 100644 +--- a/content/media/MediaDecoderStateMachine.cpp ++++ b/content/media/MediaDecoderStateMachine.cpp +@@ -328,6 +328,8 @@ void MediaDecoderStateMachine::SendStreamAudio(AudioData* aAudio, + if (offset >= aAudio->mFrames) + return; + ++ size_t framesToWrite = aAudio->mFrames - offset; ++ + aAudio->EnsureAudioBuffer(); + nsRefPtr<SharedBuffer> buffer = aAudio->mAudioBuffer; + AudioDataValue* bufferData = static_cast<AudioDataValue*>(buffer->Data()); +@@ -335,10 +337,11 @@ void MediaDecoderStateMachine::SendStreamAudio(AudioData* aAudio, + for (uint32_t i = 0; i < aAudio->mChannels; ++i) { + channels.AppendElement(bufferData + i*aAudio->mFrames + offset); + } +- aOutput->AppendFrames(buffer.forget(), channels, aAudio->mFrames); +- VERBOSE_LOG("writing %d frames of data to MediaStream for AudioData at %lld", +- aAudio->mFrames - int32_t(offset), aAudio->mTime); +- aStream->mAudioFramesWritten += aAudio->mFrames - int32_t(offset); ++ aOutput->AppendFrames(buffer.forget(), channels, framesToWrite); ++ VERBOSE_LOG("writing %u frames of data to MediaStream for AudioData at %lld", ++ static_cast<unsigned>(framesToWrite), ++ aAudio->mTime); ++ aStream->mAudioFramesWritten += framesToWrite; + } + + static void WriteVideoToMediaStream(layers::Image* aImage, +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch new file mode 100644 index 0000000000..818d369b26 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch @@ -0,0 +1,54 @@ +From 94899f849e50a765bb26420f5c70d49002d6673f Mon Sep 17 00:00:00 2001 +From: Glenn Randers-Pehrson <glennrp+bmo@gmail.com> +Date: Mon, 26 Jan 2015 16:07:00 -0500 +Subject: [PATCH] Bug 1117406 - Fix handling of out-of-range PNG tRNS values. + r=jmuizelaar, a=abillings + +--- + image/decoders/nsPNGDecoder.cpp | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp +index acaa835..8e6bc2d 100644 +--- a/image/decoders/nsPNGDecoder.cpp ++++ b/image/decoders/nsPNGDecoder.cpp +@@ -528,24 +528,26 @@ nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr) + png_set_expand(png_ptr); + + if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) { +- int sample_max = (1 << bit_depth); + png_color_16p trans_values; + png_get_tRNS(png_ptr, info_ptr, &trans, &num_trans, &trans_values); + /* libpng doesn't reject a tRNS chunk with out-of-range samples + so we check it here to avoid setting up a useless opacity +- channel or producing unexpected transparent pixels when using +- libpng-1.2.19 through 1.2.26 (bug #428045) */ +- if ((color_type == PNG_COLOR_TYPE_GRAY && +- (int)trans_values->gray > sample_max) || +- (color_type == PNG_COLOR_TYPE_RGB && +- ((int)trans_values->red > sample_max || +- (int)trans_values->green > sample_max || +- (int)trans_values->blue > sample_max))) ++ channel or producing unexpected transparent pixels (bug #428045) */ ++ if (bit_depth < 16) { ++ png_uint_16 sample_max = (1 << bit_depth) - 1; ++ if ((color_type == PNG_COLOR_TYPE_GRAY && ++ trans_values->gray > sample_max) || ++ (color_type == PNG_COLOR_TYPE_RGB && ++ (trans_values->red > sample_max || ++ trans_values->green > sample_max || ++ trans_values->blue > sample_max))) + { + /* clear the tRNS valid flag and release tRNS memory */ + png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0); ++ num_trans = 0; + } +- else ++ } ++ if (num_trans != 0) + png_set_expand(png_ptr); + } + +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch new file mode 100644 index 0000000000..685e3a6d43 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch @@ -0,0 +1,53 @@ +From 4920c5c447d1153dffa623dd70d8b535b9ca6795 Mon Sep 17 00:00:00 2001 +From: Jan de Mooij <jdemooij@mozilla.com> +Date: Mon, 26 Jan 2015 12:59:47 +0100 +Subject: [PATCH] Bug 1115776 - Fix LApplyArgsGeneric to always emit the + has-script check. r=shu, a=sledru + +--- + js/src/jit/CodeGenerator.cpp | 24 ++++++++---------------- + 1 file changed, 8 insertions(+), 16 deletions(-) + +diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp +index ba14f86..0669692 100644 +--- a/js/src/jit/CodeGenerator.cpp ++++ b/js/src/jit/CodeGenerator.cpp +@@ -2448,27 +2448,19 @@ CodeGenerator::visitApplyArgsGeneric(LApplyArgsGeneric *apply) + + masm.checkStackAlignment(); + +- // If the function is known to be uncompilable, only emit the call to InvokeFunction. ++ // If the function is native, only emit the call to InvokeFunction. + ExecutionMode executionMode = gen->info().executionMode(); +- if (apply->hasSingleTarget()) { +- JSFunction *target = apply->getSingleTarget(); +- if (target->isNative()) { +- if (!emitCallInvokeFunction(apply, copyreg)) +- return false; +- emitPopArguments(apply, copyreg); +- return true; +- } ++ if (apply->hasSingleTarget() && apply->getSingleTarget()->isNative()) { ++ if (!emitCallInvokeFunction(apply, copyreg)) ++ return false; ++ emitPopArguments(apply, copyreg); ++ return true; + } + + Label end, invoke; + +- // Guard that calleereg is an interpreted function with a JSScript: +- if (!apply->hasSingleTarget()) { +- masm.branchIfFunctionHasNoScript(calleereg, &invoke); +- } else { +- // Native single targets are handled by LCallNative. +- JS_ASSERT(!apply->getSingleTarget()->isNative()); +- } ++ // Guard that calleereg is an interpreted function with a JSScript. ++ masm.branchIfFunctionHasNoScript(calleereg, &invoke); + + // Knowing that calleereg is a non-native function, load the JSScript. + masm.loadPtr(Address(calleereg, JSFunction::offsetOfNativeOrScript()), objreg); +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch new file mode 100644 index 0000000000..d067d8133d --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch @@ -0,0 +1,52 @@ +From f7d24f37425d3d9054a7e5657815440a07166d3f Mon Sep 17 00:00:00 2001 +From: Kartikaya Gupta <kgupta@mozilla.com> +Date: Tue, 20 Jan 2015 10:33:27 -0500 +Subject: [PATCH] Bug 1107009 - Additional locking needed for esr31 backport. + r=BenWa a=sledru + +--- + gfx/layers/ipc/CompositorParent.cpp | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +diff --git a/gfx/layers/ipc/CompositorParent.cpp b/gfx/layers/ipc/CompositorParent.cpp +index 97c8693..cb03e71 100644 +--- a/gfx/layers/ipc/CompositorParent.cpp ++++ b/gfx/layers/ipc/CompositorParent.cpp +@@ -1286,13 +1286,19 @@ CrossProcessCompositorParent::ShadowLayersUpdated( + { + uint64_t id = aLayerTree->GetId(); + MOZ_ASSERT(id != 0); ++ const CompositorParent::LayerTreeState* state = CompositorParent::GetIndirectShadowTree(id); ++ if (!state) { ++ return; ++ } ++ MOZ_ASSERT(state->mParent); ++ + Layer* shadowRoot = aLayerTree->GetRoot(); + if (shadowRoot) { + SetShadowProperties(shadowRoot); + } + UpdateIndirectTree(id, shadowRoot, aTargetConfig); + +- sIndirectLayerTrees[id].mParent->NotifyShadowTreeTransaction(id, aIsFirstPaint, aScheduleComposite); ++ state->mParent->NotifyShadowTreeTransaction(id, aIsFirstPaint, aScheduleComposite); + } + + void +@@ -1329,7 +1335,12 @@ AsyncCompositionManager* + CrossProcessCompositorParent::GetCompositionManager(LayerTransactionParent* aLayerTree) + { + uint64_t id = aLayerTree->GetId(); +- return sIndirectLayerTrees[id].mParent->GetCompositionManager(aLayerTree); ++ const CompositorParent::LayerTreeState* state = CompositorParent::GetIndirectShadowTree(id); ++ if (!state) { ++ return nullptr; ++ } ++ MOZ_ASSERT(state->mParent); ++ return state->mParent->GetCompositionManager(aLayerTree); + } + + void +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch new file mode 100644 index 0000000000..9a4668b2dc --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch @@ -0,0 +1,219 @@ +From 66e65b2138c6db20288ef4cf78d15995f382a7e2 Mon Sep 17 00:00:00 2001 +From: Kartikaya Gupta <kgupta@mozilla.com> +Date: Tue, 13 Jan 2015 13:26:26 -0500 +Subject: [PATCH] Bug 1107009. r=BenWa, a=sledru + +--- + gfx/layers/ipc/CompositorParent.cpp | 57 ++++++++++++++++++++++++++++++------- + 1 file changed, 46 insertions(+), 11 deletions(-) + +diff --git a/gfx/layers/ipc/CompositorParent.cpp b/gfx/layers/ipc/CompositorParent.cpp +index ce50277..cbbb2ef 100644 +--- a/gfx/layers/ipc/CompositorParent.cpp ++++ b/gfx/layers/ipc/CompositorParent.cpp +@@ -22,6 +22,7 @@ + #include "gfxPrefs.h" // for gfxPrefs + #include "ipc/ShadowLayersManager.h" // for ShadowLayersManager + #include "mozilla/AutoRestore.h" // for AutoRestore ++#include "mozilla/ClearOnShutdown.h" // for ClearOnShutdown + #include "mozilla/DebugOnly.h" // for DebugOnly + #include "mozilla/gfx/2D.h" // for DrawTarget + #include "mozilla/gfx/Point.h" // for IntSize +@@ -70,6 +71,16 @@ CompositorParent::LayerTreeState::LayerTreeState() + + typedef map<uint64_t, CompositorParent::LayerTreeState> LayerTreeMap; + static LayerTreeMap sIndirectLayerTrees; ++static StaticAutoPtr<mozilla::Monitor> sIndirectLayerTreesLock; ++ ++static void EnsureLayerTreeMapReady() ++{ ++ MOZ_ASSERT(NS_IsMainThread()); ++ if (!sIndirectLayerTreesLock) { ++ sIndirectLayerTreesLock = new Monitor("IndirectLayerTree"); ++ mozilla::ClearOnShutdown(&sIndirectLayerTreesLock); ++ } ++} + + // FIXME/bug 774386: we're assuming that there's only one + // CompositorParent, but that's not always true. This assumption only +@@ -132,6 +143,7 @@ void CompositorParent::StartUp() + return; + } + MOZ_ASSERT(!sCompositorLoop); ++ EnsureLayerTreeMapReady(); + CreateCompositorMap(); + CreateThread(); + sMainLoop = MessageLoop::current(); +@@ -206,7 +218,11 @@ CompositorParent::CompositorParent(nsIWidget* aWidget, + this, &mCompositorID)); + + mRootLayerTreeID = AllocateLayerTreeId(); +- sIndirectLayerTrees[mRootLayerTreeID].mParent = this; ++ ++ { // scope lock ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); ++ sIndirectLayerTrees[mRootLayerTreeID].mParent = this; ++ } + + mApzcTreeManager = new APZCTreeManager(); + ++sCompositorThreadRefCount; +@@ -249,7 +265,10 @@ CompositorParent::Destroy() + mCompositionManager = nullptr; + mApzcTreeManager->ClearTree(); + mApzcTreeManager = nullptr; +- sIndirectLayerTrees.erase(mRootLayerTreeID); ++ { // scope lock ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); ++ sIndirectLayerTrees.erase(mRootLayerTreeID); ++ } + } + + void +@@ -266,6 +285,7 @@ CompositorParent::RecvWillStop() + + // Ensure that the layer manager is destroyed before CompositorChild. + if (mLayerManager) { ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + for (LayerTreeMap::iterator it = sIndirectLayerTrees.begin(); + it != sIndirectLayerTrees.end(); it++) + { +@@ -380,7 +400,10 @@ CompositorParent::ActorDestroy(ActorDestroyReason why) + if (mLayerManager) { + mLayerManager->Destroy(); + mLayerManager = nullptr; +- sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = nullptr; ++ { // scope lock ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); ++ sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = nullptr; ++ } + mCompositionManager = nullptr; + mCompositor = nullptr; + } +@@ -696,6 +719,7 @@ CompositorParent::DidComposite() + { + unused << SendDidComposite(0); + ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + for (LayerTreeMap::iterator it = sIndirectLayerTrees.begin(); + it != sIndirectLayerTrees.end(); it++) { + LayerTreeState* lts = &it->second; +@@ -867,6 +891,7 @@ CompositorParent::InitializeLayerManager(const nsTArray<LayersBackend>& aBackend + mLayerManager = layerManager; + MOZ_ASSERT(compositor); + mCompositor = compositor; ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = layerManager; + return; + } +@@ -969,6 +994,7 @@ CompositorParent::RecvNotifyChildCreated(const uint64_t& child) + void + CompositorParent::NotifyChildCreated(uint64_t aChild) + { ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + sIndirectLayerTrees[aChild].mParent = this; + sIndirectLayerTrees[aChild].mLayerManager = mLayerManager; + } +@@ -985,6 +1011,7 @@ CompositorParent::AllocateLayerTreeId() + static void + EraseLayerState(uint64_t aId) + { ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + sIndirectLayerTrees.erase(aId); + } + +@@ -1001,6 +1028,7 @@ UpdateControllerForLayersId(uint64_t aLayersId, + GeckoContentController* aController) + { + // Adopt ref given to us by SetControllerForLayerTree() ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + sIndirectLayerTrees[aLayersId].mController = + already_AddRefed<GeckoContentController>(aController); + } +@@ -1010,12 +1038,15 @@ ScopedLayerTreeRegistration::ScopedLayerTreeRegistration(uint64_t aLayersId, + GeckoContentController* aController) + : mLayersId(aLayersId) + { ++ EnsureLayerTreeMapReady(); ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + sIndirectLayerTrees[aLayersId].mRoot = aRoot; + sIndirectLayerTrees[aLayersId].mController = aController; + } + + ScopedLayerTreeRegistration::~ScopedLayerTreeRegistration() + { ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + sIndirectLayerTrees.erase(mLayersId); + } + +@@ -1175,6 +1206,7 @@ CompositorParent::CloneToplevel(const InfallibleTArray<mozilla::ipc::ProtocolFdM + static void + UpdateIndirectTree(uint64_t aId, Layer* aRoot, const TargetConfig& aTargetConfig) + { ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + sIndirectLayerTrees[aId].mRoot = aRoot; + sIndirectLayerTrees[aId].mTargetConfig = aTargetConfig; + } +@@ -1182,6 +1214,7 @@ UpdateIndirectTree(uint64_t aId, Layer* aRoot, const TargetConfig& aTargetConfig + /* static */ const CompositorParent::LayerTreeState* + CompositorParent::GetIndirectShadowTree(uint64_t aId) + { ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + LayerTreeMap::const_iterator cit = sIndirectLayerTrees.find(aId); + if (sIndirectLayerTrees.end() == cit) { + return nullptr; +@@ -1189,12 +1222,6 @@ CompositorParent::GetIndirectShadowTree(uint64_t aId) + return &cit->second; + } + +-static void +-RemoveIndirectTree(uint64_t aId) +-{ +- sIndirectLayerTrees.erase(aId); +-} +- + void + CrossProcessCompositorParent::ActorDestroy(ActorDestroyReason aWhy) + { +@@ -1211,6 +1238,8 @@ CrossProcessCompositorParent::AllocPLayerTransactionParent(const nsTArray<Layers + { + MOZ_ASSERT(aId != 0); + ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); ++ + if (sIndirectLayerTrees[aId].mLayerManager) { + sIndirectLayerTrees[aId].mCrossProcessParent = this; + LayerManagerComposite* lm = sIndirectLayerTrees[aId].mLayerManager; +@@ -1234,7 +1263,7 @@ bool + CrossProcessCompositorParent::DeallocPLayerTransactionParent(PLayerTransactionParent* aLayers) + { + LayerTransactionParent* slp = static_cast<LayerTransactionParent*>(aLayers); +- RemoveIndirectTree(slp->GetId()); ++ EraseLayerState(slp->GetId()); + static_cast<LayerTransactionParent*>(aLayers)->ReleaseIPDLReference(); + return true; + } +@@ -1242,6 +1271,7 @@ CrossProcessCompositorParent::DeallocPLayerTransactionParent(PLayerTransactionPa + bool + CrossProcessCompositorParent::RecvNotifyChildCreated(const uint64_t& child) + { ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); + sIndirectLayerTrees[child].mParent->NotifyChildCreated(child); + return true; + } +@@ -1269,7 +1299,12 @@ CrossProcessCompositorParent::ForceComposite(LayerTransactionParent* aLayerTree) + { + uint64_t id = aLayerTree->GetId(); + MOZ_ASSERT(id != 0); +- sIndirectLayerTrees[id].mParent->ForceComposite(aLayerTree); ++ CompositorParent* parent; ++ { // scope lock ++ MonitorAutoLock lock(*sIndirectLayerTreesLock); ++ parent = sIndirectLayerTrees[id].mParent; ++ } ++ parent->ForceComposite(aLayerTree); + } + + bool +-- +2.2.1 + diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch new file mode 100644 index 0000000000..869feaf7c6 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch @@ -0,0 +1,104 @@ +From 3f0f685829445ae82974d61f6017fdb67349c32b Mon Sep 17 00:00:00 2001 +From: Dan Gohman <sunfish@mozilla.com> +Date: Fri, 9 Jan 2015 09:04:12 -0500 +Subject: [PATCH] Bug 1096138 - IonMonkey: Augment Nops with Mops to avoid + collisions with fixed live ranges. r=jandem, a=sledru + +--- + js/src/jit/CodeGenerator.cpp | 6 ++++++ + js/src/jit/CodeGenerator.h | 1 + + js/src/jit/LIR-Common.h | 6 ++++++ + js/src/jit/LOpcodes.h | 1 + + js/src/jit/Lowering.cpp | 12 ++++++++++++ + 5 files changed, 26 insertions(+) + +diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp +index 4f07524..ba14f86 100644 +--- a/js/src/jit/CodeGenerator.cpp ++++ b/js/src/jit/CodeGenerator.cpp +@@ -1077,6 +1077,12 @@ CodeGenerator::visitNop(LNop *lir) + } + + bool ++CodeGenerator::visitMop(LMop *lir) ++{ ++ return true; ++} ++ ++bool + CodeGenerator::visitOsiPoint(LOsiPoint *lir) + { + // Note: markOsiPoint ensures enough space exists between the last +diff --git a/js/src/jit/CodeGenerator.h b/js/src/jit/CodeGenerator.h +index 03677a5..dce095d 100644 +--- a/js/src/jit/CodeGenerator.h ++++ b/js/src/jit/CodeGenerator.h +@@ -58,6 +58,7 @@ class CodeGenerator : public CodeGeneratorSpecific + + bool visitLabel(LLabel *lir); + bool visitNop(LNop *lir); ++ bool visitMop(LMop *lir); + bool visitOsiPoint(LOsiPoint *lir); + bool visitGoto(LGoto *lir); + bool visitTableSwitch(LTableSwitch *ins); +diff --git a/js/src/jit/LIR-Common.h b/js/src/jit/LIR-Common.h +index c90aef9..e7a0e4c 100644 +--- a/js/src/jit/LIR-Common.h ++++ b/js/src/jit/LIR-Common.h +@@ -42,6 +42,12 @@ class LNop : public LInstructionHelper<0, 0, 0> + LIR_HEADER(Nop) + }; + ++class LMop : public LInstructionHelper<0, 0, 0> ++{ ++ public: ++ LIR_HEADER(Mop) ++}; ++ + // An LOsiPoint captures a snapshot after a call and ensures enough space to + // patch in a call to the invalidation mechanism. + // +diff --git a/js/src/jit/LOpcodes.h b/js/src/jit/LOpcodes.h +index a32d64f..cd7eef8 100644 +--- a/js/src/jit/LOpcodes.h ++++ b/js/src/jit/LOpcodes.h +@@ -10,6 +10,7 @@ + #define LIR_COMMON_OPCODE_LIST(_) \ + _(Label) \ + _(Nop) \ ++ _(Mop) \ + _(OsiPoint) \ + _(MoveGroup) \ + _(Integer) \ +diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp +index d5f8227..48b7fa9 100644 +--- a/js/src/jit/Lowering.cpp ++++ b/js/src/jit/Lowering.cpp +@@ -3616,12 +3616,24 @@ LIRGenerator::visitInstruction(MInstruction *ins) + ins->setInWorklistUnchecked(); + #endif + ++ // If we added a Nop for this instruction, we'll also add a Mop, so that ++ // that live-ranges for fixed register defs, which with LSRA extend through ++ // the Nop so that they can extend through the OsiPoint don't, with their ++ // one-extra extension, extend into a position where they use the input ++ // move group for the following instruction. ++ bool needsMop = !current->instructions().empty() && current->rbegin()->isNop(); ++ + // If no safepoint was created, there's no need for an OSI point. + if (LOsiPoint *osiPoint = popOsiPoint()) { + if (!add(osiPoint)) + return false; + } + ++ if (needsMop) { ++ if (!add(new(alloc()) LMop)) ++ return false; ++ } ++ + return true; + } + +-- +2.2.1 + |