aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gnu-system.am19
-rw-r--r--gnu/packages/gnuzilla.scm24
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch34
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch33
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch308
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch47
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch51
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch170
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch56
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch48
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch189
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch33
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch183
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch91
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch34
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch83
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch35
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1935.patch77
-rw-r--r--gnu/packages/patches/icecat-bug-1146335-pt1.patch141
-rw-r--r--gnu/packages/patches/icecat-bug-1146335-pt2.patch43
-rw-r--r--gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch73
21 files changed, 1770 insertions, 2 deletions
diff --git a/gnu-system.am b/gnu-system.am
index 297f40a50e..45511d2eb8 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -517,7 +517,26 @@ dist_patch_DATA = \
gnu/packages/patches/hop-linker-flags.patch \
gnu/packages/patches/hydra-automake-1.15.patch \
gnu/packages/patches/hydra-disable-darcs-test.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch \
+ gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch \
+ gnu/packages/patches/icecat-CVE-2016-1935.patch \
gnu/packages/patches/icecat-avoid-bundled-includes.patch \
+ gnu/packages/patches/icecat-bug-1146335-pt1.patch \
+ gnu/packages/patches/icecat-bug-1146335-pt2.patch \
+ gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch \
gnu/packages/patches/icu4c-CVE-2014-6585.patch \
gnu/packages/patches/icu4c-CVE-2015-1270.patch \
gnu/packages/patches/icu4c-CVE-2015-4760.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 03ca0b7ca0..62010dbf6b 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
;;;
;;; This file is part of GNU Guix.
@@ -287,7 +287,27 @@ standards.")
(sha256
(base32
"0m18xyb0rd02yaw9xd5z4bab1wr2599iszzqhm86c134jv5vk6cg"))
- (patches (map search-patch '("icecat-avoid-bundled-includes.patch")))
+ (patches (map search-patch
+ '("icecat-avoid-bundled-includes.patch"
+ "icecat-CVE-2016-1930-pt01.patch"
+ "icecat-CVE-2016-1930-pt02.patch"
+ "icecat-CVE-2016-1930-pt03.patch"
+ "icecat-CVE-2016-1930-pt04.patch"
+ "icecat-CVE-2016-1930-pt05.patch"
+ "icecat-CVE-2016-1930-pt06.patch"
+ "icecat-CVE-2016-1930-pt07.patch"
+ "icecat-CVE-2016-1930-pt08.patch"
+ "icecat-CVE-2016-1930-pt09.patch"
+ "icecat-CVE-2016-1930-pt10.patch"
+ "icecat-CVE-2016-1930-pt11.patch"
+ "icecat-CVE-2016-1930-pt12.patch"
+ "icecat-CVE-2016-1930-pt13.patch"
+ "icecat-bug-1146335-pt1.patch"
+ "icecat-bug-1146335-pt2.patch"
+ "icecat-CVE-2016-1935.patch"
+ "icecat-CVE-2016-1930-pt14.patch"
+ "icecat-CVE-2016-1930-pt15.patch"
+ "icecat-limit-max-buffers-size-for-ANGLE.patch")))
(modules '((guix build utils)))
(snippet
'(begin
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch
new file mode 100644
index 0000000000..27768fa1ac
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch
@@ -0,0 +1,34 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/925215cae26f
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233346
+
+# HG changeset patch
+# User Nils Ohlmeier <drno@ohlmeier.org>
+# Date 1451439902 18000
+# Node ID 925215cae26f9c0ccff07ef403a5b3194a4c45c4
+# Parent ff8e52467d793e935b80bf22a722a71a96fe2d63
+Bug 1233346 - r=ekr a=abillings
+
+diff --git a/media/mtransport/third_party/nICEr/src/stun/addrs.c b/media/mtransport/third_party/nICEr/src/stun/addrs.c
+--- a/media/mtransport/third_party/nICEr/src/stun/addrs.c
++++ b/media/mtransport/third_party/nICEr/src/stun/addrs.c
+@@ -530,16 +530,18 @@ stun_get_win32_addrs(nr_local_addr addrs
+
+ for (tmpAddress = AdapterAddresses; tmpAddress != NULL; tmpAddress = tmpAddress->Next) {
+ char *c;
+
+ if (tmpAddress->OperStatus != IfOperStatusUp)
+ continue;
+
+ snprintf(munged_ifname, IFNAMSIZ, "%S%c", tmpAddress->FriendlyName, 0);
++ munged_ifname[IFNAMSIZ-1] = '\0';
++
+ /* replace spaces with underscores */
+ c = strchr(munged_ifname, ' ');
+ while (c != NULL) {
+ *c = '_';
+ c = strchr(munged_ifname, ' ');
+ }
+ c = strchr(munged_ifname, '.');
+ while (c != NULL) {
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch
new file mode 100644
index 0000000000..fa1804eb82
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch
@@ -0,0 +1,33 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fc78180165a8
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1449117514 -46800
+# Node ID fc78180165a8262c80bbb722ed99b2e0c27b02d0
+# Parent 925215cae26f9c0ccff07ef403a5b3194a4c45c4
+bug 1223670 assert that connected streams have the same graph r=padenot a=abillings
+
+diff --git a/dom/media/MediaStreamGraph.cpp b/dom/media/MediaStreamGraph.cpp
+--- a/dom/media/MediaStreamGraph.cpp
++++ b/dom/media/MediaStreamGraph.cpp
+@@ -2696,16 +2696,17 @@ ProcessedMediaStream::AllocateInputPort(
+ unused << mPort.forget();
+ }
+ virtual void RunDuringShutdown()
+ {
+ Run();
+ }
+ nsRefPtr<MediaInputPort> mPort;
+ };
++ MOZ_ASSERT(aStream->GraphImpl() == GraphImpl());
+ nsRefPtr<MediaInputPort> port = new MediaInputPort(aStream, this, aFlags,
+ aInputNumber, aOutputNumber);
+ port->SetGraphImpl(GraphImpl());
+ GraphImpl()->AppendMessage(new Message(port));
+ return port.forget();
+ }
+
+ void
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch
new file mode 100644
index 0000000000..cf0843b8b3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch
@@ -0,0 +1,308 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f746c38d160e
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1449764754 18000
+# Node ID f746c38d160ea29088c15cacae44f3662befaec5
+# Parent fc78180165a8262c80bbb722ed99b2e0c27b02d0
+bug 1223670 replace public constructors with fallible factory methods r=baku a=abillings
+
+diff --git a/dom/media/webaudio/AudioContext.cpp b/dom/media/webaudio/AudioContext.cpp
+--- a/dom/media/webaudio/AudioContext.cpp
++++ b/dom/media/webaudio/AudioContext.cpp
+@@ -299,32 +299,29 @@ AudioContext::CreateMediaElementSource(H
+ aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+ return nullptr;
+ }
+ #endif
+ nsRefPtr<DOMMediaStream> stream = aMediaElement.MozCaptureStream(aRv);
+ if (aRv.Failed()) {
+ return nullptr;
+ }
+- nsRefPtr<MediaElementAudioSourceNode> mediaElementAudioSourceNode =
+- new MediaElementAudioSourceNode(this, stream);
+- return mediaElementAudioSourceNode.forget();
++ return MediaElementAudioSourceNode::Create(this, stream, aRv);
+ }
+
+ already_AddRefed<MediaStreamAudioSourceNode>
+ AudioContext::CreateMediaStreamSource(DOMMediaStream& aMediaStream,
+ ErrorResult& aRv)
+ {
+ if (mIsOffline) {
+ aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+ return nullptr;
+ }
+- nsRefPtr<MediaStreamAudioSourceNode> mediaStreamAudioSourceNode =
+- new MediaStreamAudioSourceNode(this, &aMediaStream);
+- return mediaStreamAudioSourceNode.forget();
++
++ return MediaStreamAudioSourceNode::Create(this, &aMediaStream, aRv);
+ }
+
+ already_AddRefed<GainNode>
+ AudioContext::CreateGain()
+ {
+ nsRefPtr<GainNode> gainNode = new GainNode(this);
+ return gainNode.forget();
+ }
+diff --git a/dom/media/webaudio/AudioNode.cpp b/dom/media/webaudio/AudioNode.cpp
+--- a/dom/media/webaudio/AudioNode.cpp
++++ b/dom/media/webaudio/AudioNode.cpp
+@@ -61,34 +61,29 @@ AudioNode::AudioNode(AudioContext* aCont
+ ChannelInterpretation aChannelInterpretation)
+ : DOMEventTargetHelper(aContext->GetParentObject())
+ , mContext(aContext)
+ , mChannelCount(aChannelCount)
+ , mChannelCountMode(aChannelCountMode)
+ , mChannelInterpretation(aChannelInterpretation)
+ , mId(gId++)
+ , mPassThrough(false)
+-#ifdef DEBUG
+- , mDemiseNotified(false)
+-#endif
+ {
+ MOZ_ASSERT(aContext);
+ DOMEventTargetHelper::BindToOwner(aContext->GetParentObject());
+ aContext->UpdateNodeCount(1);
+ }
+
+ AudioNode::~AudioNode()
+ {
+ MOZ_ASSERT(mInputNodes.IsEmpty());
+ MOZ_ASSERT(mOutputNodes.IsEmpty());
+ MOZ_ASSERT(mOutputParams.IsEmpty());
+-#ifdef DEBUG
+- MOZ_ASSERT(mDemiseNotified,
++ MOZ_ASSERT(!mStream,
+ "The webaudio-node-demise notification must have been sent");
+-#endif
+ if (mContext) {
+ mContext->UpdateNodeCount(-1);
+ }
+ }
+
+ size_t
+ AudioNode::SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const
+ {
+@@ -399,19 +394,16 @@ AudioNode::DestroyMediaStream()
+ mStream = nullptr;
+
+ nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
+ if (obs) {
+ nsAutoString id;
+ id.AppendPrintf("%u", mId);
+ obs->NotifyObservers(nullptr, "webaudio-node-demise", id.get());
+ }
+-#ifdef DEBUG
+- mDemiseNotified = true;
+-#endif
+ }
+ }
+
+ void
+ AudioNode::RemoveOutputParam(AudioParam* aParam)
+ {
+ mOutputParams.RemoveElement(aParam);
+ }
+diff --git a/dom/media/webaudio/AudioNode.h b/dom/media/webaudio/AudioNode.h
+--- a/dom/media/webaudio/AudioNode.h
++++ b/dom/media/webaudio/AudioNode.h
+@@ -239,19 +239,14 @@ private:
+ nsTArray<nsRefPtr<AudioParam> > mOutputParams;
+ uint32_t mChannelCount;
+ ChannelCountMode mChannelCountMode;
+ ChannelInterpretation mChannelInterpretation;
+ const uint32_t mId;
+ // Whether the node just passes through its input. This is a devtools API that
+ // only works for some node types.
+ bool mPassThrough;
+-#ifdef DEBUG
+- // In debug builds, check to make sure that the node demise notification has
+- // been properly sent before the node is destroyed.
+- bool mDemiseNotified;
+-#endif
+ };
+
+ }
+ }
+
+ #endif
+diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.cpp b/dom/media/webaudio/MediaElementAudioSourceNode.cpp
+--- a/dom/media/webaudio/MediaElementAudioSourceNode.cpp
++++ b/dom/media/webaudio/MediaElementAudioSourceNode.cpp
+@@ -5,22 +5,36 @@
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+ #include "MediaElementAudioSourceNode.h"
+ #include "mozilla/dom/MediaElementAudioSourceNodeBinding.h"
+
+ namespace mozilla {
+ namespace dom {
+
+-MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext,
+- DOMMediaStream* aStream)
+- : MediaStreamAudioSourceNode(aContext, aStream)
++MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext)
++ : MediaStreamAudioSourceNode(aContext)
+ {
+ }
+
++/* static */ already_AddRefed<MediaElementAudioSourceNode>
++MediaElementAudioSourceNode::Create(AudioContext* aContext,
++ DOMMediaStream* aStream, ErrorResult& aRv)
++{
++ nsRefPtr<MediaElementAudioSourceNode> node =
++ new MediaElementAudioSourceNode(aContext);
++
++ node->Init(aStream, aRv);
++ if (aRv.Failed()) {
++ return nullptr;
++ }
++
++ return node.forget();
++}
++
+ JSObject*
+ MediaElementAudioSourceNode::WrapObject(JSContext* aCx)
+ {
+ return MediaElementAudioSourceNodeBinding::Wrap(aCx, this);
+ }
+
+ }
+ }
+diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.h b/dom/media/webaudio/MediaElementAudioSourceNode.h
+--- a/dom/media/webaudio/MediaElementAudioSourceNode.h
++++ b/dom/media/webaudio/MediaElementAudioSourceNode.h
+@@ -10,28 +10,30 @@
+ #include "MediaStreamAudioSourceNode.h"
+
+ namespace mozilla {
+ namespace dom {
+
+ class MediaElementAudioSourceNode : public MediaStreamAudioSourceNode
+ {
+ public:
+- MediaElementAudioSourceNode(AudioContext* aContext,
+- DOMMediaStream* aStream);
++ static already_AddRefed<MediaElementAudioSourceNode>
++ Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv);
+
+ virtual JSObject* WrapObject(JSContext* aCx) override;
+
+ virtual const char* NodeType() const override
+ {
+ return "MediaElementAudioSourceNode";
+ }
+
+ virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override
+ {
+ return aMallocSizeOf(this) + SizeOfExcludingThis(aMallocSizeOf);
+ }
++private:
++ explicit MediaElementAudioSourceNode(AudioContext* aContext);
+ };
+
+ }
+ }
+
+ #endif
+diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+@@ -25,26 +25,45 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_
+ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
+
+ NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(MediaStreamAudioSourceNode)
+ NS_INTERFACE_MAP_END_INHERITING(AudioNode)
+
+ NS_IMPL_ADDREF_INHERITED(MediaStreamAudioSourceNode, AudioNode)
+ NS_IMPL_RELEASE_INHERITED(MediaStreamAudioSourceNode, AudioNode)
+
+-MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext,
+- DOMMediaStream* aMediaStream)
++MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext)
+ : AudioNode(aContext,
+ 2,
+ ChannelCountMode::Max,
+- ChannelInterpretation::Speakers),
+- mInputStream(aMediaStream)
++ ChannelInterpretation::Speakers)
+ {
++}
++
++/* static */ already_AddRefed<MediaStreamAudioSourceNode>
++MediaStreamAudioSourceNode::Create(AudioContext* aContext,
++ DOMMediaStream* aStream, ErrorResult& aRv)
++{
++ nsRefPtr<MediaStreamAudioSourceNode> node =
++ new MediaStreamAudioSourceNode(aContext);
++
++ node->Init(aStream, aRv);
++ if (aRv.Failed()) {
++ return nullptr;
++ }
++
++ return node.forget();
++}
++
++void
++MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv)
++{
++ mInputStream = aMediaStream;
+ AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this);
+- mStream = aContext->Graph()->CreateAudioNodeExternalInputStream(engine);
++ mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine);
+ ProcessedMediaStream* outputStream = static_cast<ProcessedMediaStream*>(mStream.get());
+ mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(),
+ MediaInputPort::FLAG_BLOCK_INPUT);
+ mInputStream->AddConsumerToKeepAlive(static_cast<nsIDOMEventTarget*>(this));
+
+ PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector
+ mInputStream->AddPrincipalChangeObserver(this);
+ }
+diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.h b/dom/media/webaudio/MediaStreamAudioSourceNode.h
+--- a/dom/media/webaudio/MediaStreamAudioSourceNode.h
++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.h
+@@ -38,17 +38,18 @@ public:
+ private:
+ bool mEnabled;
+ };
+
+ class MediaStreamAudioSourceNode : public AudioNode,
+ public DOMMediaStream::PrincipalChangeObserver
+ {
+ public:
+- MediaStreamAudioSourceNode(AudioContext* aContext, DOMMediaStream* aMediaStream);
++ static already_AddRefed<MediaStreamAudioSourceNode>
++ Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv);
+
+ NS_DECL_ISUPPORTS_INHERITED
+ NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(MediaStreamAudioSourceNode, AudioNode)
+
+ virtual JSObject* WrapObject(JSContext* aCx) override;
+
+ virtual void DestroyMediaStream() override;
+
+@@ -60,16 +61,18 @@ public:
+ }
+
+ virtual size_t SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const override;
+ virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override;
+
+ virtual void PrincipalChanged(DOMMediaStream* aMediaStream) override;
+
+ protected:
++ explicit MediaStreamAudioSourceNode(AudioContext* aContext);
++ void Init(DOMMediaStream* aMediaStream, ErrorResult& aRv);
+ virtual ~MediaStreamAudioSourceNode();
+
+ private:
+ nsRefPtr<MediaInputPort> mInputPort;
+ nsRefPtr<DOMMediaStream> mInputStream;
+ };
+
+ }
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch
new file mode 100644
index 0000000000..b212a70d4a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch
@@ -0,0 +1,47 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/6d43ff33bd55
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1451362442 -46800
+# Node ID 6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c
+# Parent f746c38d160ea29088c15cacae44f3662befaec5
+bug 1223670 throw not supported when creating a node from a stream with different channel r=baku a=abillings
+
+diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+@@ -51,21 +51,29 @@ MediaStreamAudioSourceNode::Create(Audio
+ }
+
+ return node.forget();
+ }
+
+ void
+ MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv)
+ {
++ MOZ_ASSERT(aMediaStream);
++ MediaStream* inputStream = aMediaStream->GetStream();
++ MediaStreamGraph* graph = Context()->Graph();
++ if (NS_WARN_IF(graph != inputStream->Graph())) {
++ aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
++ return;
++ }
++
+ mInputStream = aMediaStream;
+ AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this);
+- mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine);
++ mStream = graph->CreateAudioNodeExternalInputStream(engine);
+ ProcessedMediaStream* outputStream = static_cast<ProcessedMediaStream*>(mStream.get());
+- mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(),
++ mInputPort = outputStream->AllocateInputPort(inputStream,
+ MediaInputPort::FLAG_BLOCK_INPUT);
+ mInputStream->AddConsumerToKeepAlive(static_cast<nsIDOMEventTarget*>(this));
+
+ PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector
+ mInputStream->AddPrincipalChangeObserver(this);
+ }
+
+ MediaStreamAudioSourceNode::~MediaStreamAudioSourceNode()
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch
new file mode 100644
index 0000000000..3e62c9c5f1
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch
@@ -0,0 +1,51 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4f6e81673f69
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1449145091 -46800
+# Node ID 4f6e81673f6938719c86516606f2fda493e8c23c
+# Parent 6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c
+bug 1223670 make SetMozAudioChannelType() private because the type will not change after construction r=baku a=abillings
+
+diff --git a/dom/media/webaudio/AudioDestinationNode.h b/dom/media/webaudio/AudioDestinationNode.h
+--- a/dom/media/webaudio/AudioDestinationNode.h
++++ b/dom/media/webaudio/AudioDestinationNode.h
+@@ -57,17 +57,16 @@ public:
+ void StartRendering(Promise* aPromise);
+
+ void OfflineShutdown();
+
+ // nsIDOMEventListener - by proxy
+ NS_IMETHOD HandleEvent(nsIDOMEvent* aEvent) override;
+
+ AudioChannel MozAudioChannelType() const;
+- void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv);
+
+ virtual void NotifyMainThreadStateChanged() override;
+ void FireOfflineCompletionEvent();
+
+ // An amount that should be added to the MediaStream's current time to
+ // get the AudioContext.currentTime.
+ double ExtraCurrentTime();
+
+@@ -86,16 +85,17 @@ public:
+
+ void InputMuted(bool aInputMuted);
+ void ResolvePromise(AudioBuffer* aRenderedBuffer);
+
+ protected:
+ virtual ~AudioDestinationNode();
+
+ private:
++ void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv);
+ bool CheckAudioChannelPermissions(AudioChannel aValue);
+
+ void SetCanPlay(bool aCanPlay);
+
+ void NotifyStableState();
+ void ScheduleStableStateNotification();
+
+ SelfReference<AudioDestinationNode> mOfflineRenderingRef;
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch
new file mode 100644
index 0000000000..ec1f479ee4
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch
@@ -0,0 +1,170 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/93617c30c0df
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230686
+
+# HG changeset patch
+# User Lee Salzman <lsalzman@mozilla.com>
+# Date 1451932822 18000
+# Node ID 93617c30c0df35f719dead526b78649d564f5ac3
+# Parent 4f6e81673f6938719c86516606f2fda493e8c23c
+Bug 1230686 - use RefPtr<DrawTarget>& instead of DrawTarget* to track changes in SurfaceFromElement a=ritu
+
+diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp
+--- a/layout/base/nsLayoutUtils.cpp
++++ b/layout/base/nsLayoutUtils.cpp
+@@ -6494,17 +6494,17 @@ nsLayoutUtils::IsReallyFixedPos(nsIFrame
+ nsIAtom *parentType = aFrame->GetParent()->GetType();
+ return parentType == nsGkAtoms::viewportFrame ||
+ parentType == nsGkAtoms::pageContentFrame;
+ }
+
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(nsIImageLoadingContent* aElement,
+ uint32_t aSurfaceFlags,
+- DrawTarget* aTarget)
++ RefPtr<DrawTarget>& aTarget)
+ {
+ SurfaceFromElementResult result;
+ nsresult rv;
+
+ nsCOMPtr<imgIRequest> imgRequest;
+ rv = aElement->GetRequest(nsIImageLoadingContent::CURRENT_REQUEST,
+ getter_AddRefs(imgRequest));
+ if (NS_FAILED(rv) || !imgRequest)
+@@ -6586,41 +6586,41 @@ nsLayoutUtils::SurfaceFromElement(nsIIma
+ result.mImageRequest = imgRequest.forget();
+
+ return result;
+ }
+
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLImageElement *aElement,
+ uint32_t aSurfaceFlags,
+- DrawTarget* aTarget)
++ RefPtr<DrawTarget>& aTarget)
+ {
+ return SurfaceFromElement(static_cast<nsIImageLoadingContent*>(aElement),
+ aSurfaceFlags, aTarget);
+ }
+
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLCanvasElement* aElement,
+ uint32_t aSurfaceFlags,
+- DrawTarget* aTarget)
++ RefPtr<DrawTarget>& aTarget)
+ {
+ SurfaceFromElementResult result;
+
+ bool* isPremultiplied = nullptr;
+ if (aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) {
+ isPremultiplied = &result.mIsPremultiplied;
+ }
+
+ gfxIntSize size = aElement->GetSize();
+
+ result.mSourceSurface = aElement->GetSurfaceSnapshot(isPremultiplied);
+ if (!result.mSourceSurface) {
+ // If the element doesn't have a context then we won't get a snapshot. The canvas spec wants us to not error and just
+ // draw nothing, so return an empty surface.
+- DrawTarget *ref = aTarget ? aTarget : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
++ DrawTarget *ref = aTarget ? aTarget.get() : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
+ RefPtr<DrawTarget> dt = ref->CreateSimilarDrawTarget(IntSize(size.width, size.height),
+ SurfaceFormat::B8G8R8A8);
+ if (dt) {
+ result.mSourceSurface = dt->Snapshot();
+ }
+ } else if (aTarget) {
+ RefPtr<SourceSurface> opt = aTarget->OptimizeSourceSurface(result.mSourceSurface);
+ if (opt) {
+@@ -6637,17 +6637,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLCa
+ result.mIsWriteOnly = aElement->IsWriteOnly();
+
+ return result;
+ }
+
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLVideoElement* aElement,
+ uint32_t aSurfaceFlags,
+- DrawTarget* aTarget)
++ RefPtr<DrawTarget>& aTarget)
+ {
+ SurfaceFromElementResult result;
+
+ NS_WARN_IF_FALSE((aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) == 0, "We can't support non-premultiplied alpha for video!");
+
+ #ifdef MOZ_EME
+ if (aElement->ContainsRestrictedContent()) {
+ return result;
+@@ -6689,17 +6689,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLVi
+ result.mIsWriteOnly = false;
+
+ return result;
+ }
+
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(dom::Element* aElement,
+ uint32_t aSurfaceFlags,
+- DrawTarget* aTarget)
++ RefPtr<DrawTarget>& aTarget)
+ {
+ // If it's a <canvas>, we may be able to just grab its internal surface
+ if (HTMLCanvasElement* canvas =
+ HTMLCanvasElement::FromContentOrNull(aElement)) {
+ return SurfaceFromElement(canvas, aSurfaceFlags, aTarget);
+ }
+
+ // Maybe it's <video>?
+diff --git a/layout/base/nsLayoutUtils.h b/layout/base/nsLayoutUtils.h
+--- a/layout/base/nsLayoutUtils.h
++++ b/layout/base/nsLayoutUtils.h
+@@ -2018,33 +2018,39 @@ public:
+ bool mIsStillLoading;
+ /* Whether the element used CORS when loading. */
+ bool mCORSUsed;
+ /* Whether the returned image contains premultiplied pixel data */
+ bool mIsPremultiplied;
+ };
+
+ static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement,
+- uint32_t aSurfaceFlags = 0,
+- DrawTarget *aTarget = nullptr);
++ uint32_t aSurfaceFlags,
++ mozilla::RefPtr<DrawTarget>& aTarget);
++ static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement,
++ uint32_t aSurfaceFlags = 0) {
++ mozilla::RefPtr<DrawTarget> target = nullptr;
++ return SurfaceFromElement(aElement, aSurfaceFlags, target);
++ }
++
+ static SurfaceFromElementResult SurfaceFromElement(nsIImageLoadingContent *aElement,
+- uint32_t aSurfaceFlags = 0,
+- DrawTarget *aTarget = nullptr);
++ uint32_t aSurfaceFlags,
++ mozilla::RefPtr<DrawTarget>& aTarget);
+ // Need an HTMLImageElement overload, because otherwise the
+ // nsIImageLoadingContent and mozilla::dom::Element overloads are ambiguous
+ // for HTMLImageElement.
+ static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLImageElement *aElement,
+- uint32_t aSurfaceFlags = 0,
+- DrawTarget *aTarget = nullptr);
++ uint32_t aSurfaceFlags,
++ mozilla::RefPtr<DrawTarget>& aTarget);
+ static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLCanvasElement *aElement,
+- uint32_t aSurfaceFlags = 0,
+- DrawTarget *aTarget = nullptr);
++ uint32_t aSurfaceFlags,
++ mozilla::RefPtr<DrawTarget>& aTarget);
+ static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLVideoElement *aElement,
+- uint32_t aSurfaceFlags = 0,
+- DrawTarget *aTarget = nullptr);
++ uint32_t aSurfaceFlags,
++ mozilla::RefPtr<DrawTarget>& aTarget);
+
+ /**
+ * When the document is editable by contenteditable attribute of its root
+ * content or body content.
+ *
+ * Be aware, this returns nullptr if it's in designMode.
+ *
+ * For example:
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch
new file mode 100644
index 0000000000..4f349747c0
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch
@@ -0,0 +1,56 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/750e4cfc90f8
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233152
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1451478493 -3600
+# Node ID 750e4cfc90f80df657e44c9c63b1865023d88682
+# Parent 93617c30c0df35f719dead526b78649d564f5ac3
+Bug 1233152 - Use PersistentRooted for ParseTask script and sourceObject. r=terrence a=abillings
+
+diff --git a/js/src/vm/HelperThreads.cpp b/js/src/vm/HelperThreads.cpp
+--- a/js/src/vm/HelperThreads.cpp
++++ b/js/src/vm/HelperThreads.cpp
+@@ -198,17 +198,17 @@ static const JSClass parseTaskGlobalClas
+
+ ParseTask::ParseTask(ExclusiveContext* cx, JSObject* exclusiveContextGlobal, JSContext* initCx,
+ const char16_t* chars, size_t length,
+ JS::OffThreadCompileCallback callback, void* callbackData)
+ : cx(cx), options(initCx), chars(chars), length(length),
+ alloc(JSRuntime::TEMP_LIFO_ALLOC_PRIMARY_CHUNK_SIZE),
+ exclusiveContextGlobal(initCx, exclusiveContextGlobal),
+ callback(callback), callbackData(callbackData),
+- script(nullptr), errors(cx), overRecursed(false)
++ script(initCx->runtime(), nullptr), errors(cx), overRecursed(false)
+ {
+ }
+
+ bool
+ ParseTask::init(JSContext* cx, const ReadOnlyCompileOptions& options)
+ {
+ if (!this->options.copy(cx, options))
+ return false;
+diff --git a/js/src/vm/HelperThreads.h b/js/src/vm/HelperThreads.h
+--- a/js/src/vm/HelperThreads.h
++++ b/js/src/vm/HelperThreads.h
+@@ -472,17 +472,17 @@ struct ParseTask
+
+ // Callback invoked off the main thread when the parse finishes.
+ JS::OffThreadCompileCallback callback;
+ void* callbackData;
+
+ // Holds the final script between the invocation of the callback and the
+ // point where FinishOffThreadScript is called, which will destroy the
+ // ParseTask.
+- JSScript* script;
++ PersistentRootedScript script;
+
+ // Any errors or warnings produced during compilation. These are reported
+ // when finishing the script.
+ Vector<frontend::CompileError*> errors;
+ bool overRecursed;
+
+ ParseTask(ExclusiveContext* cx, JSObject* exclusiveContextGlobal,
+ JSContext* initCx, const char16_t* chars, size_t length,
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch
new file mode 100644
index 0000000000..406ce1bf2b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch
@@ -0,0 +1,48 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4444e94a99cb
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1221385
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1451478429 -3600
+# Node ID 4444e94a99cb9b00c0351cc8bf5459739cc036a5
+# Parent 750e4cfc90f80df657e44c9c63b1865023d88682
+Bug 1221385 - Handle OOM during JitRuntime initialization a bit better. r=bhackett a=abillings
+
+diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp
+--- a/js/src/jscompartment.cpp
++++ b/js/src/jscompartment.cpp
+@@ -138,28 +138,20 @@ JSRuntime::createJitRuntime(JSContext* c
+
+ // Protect jitRuntime_ from being observed (by InterruptRunningJitCode)
+ // while it is being initialized. Unfortunately, initialization depends on
+ // jitRuntime_ being non-null, so we can't just wait to assign jitRuntime_.
+ JitRuntime::AutoMutateBackedges amb(jrt);
+ jitRuntime_ = jrt;
+
+ if (!jitRuntime_->initialize(cx)) {
+- js_ReportOutOfMemory(cx);
+-
+- js_delete(jitRuntime_);
+- jitRuntime_ = nullptr;
+-
+- JSCompartment* comp = cx->runtime()->atomsCompartment();
+- if (comp->jitCompartment_) {
+- js_delete(comp->jitCompartment_);
+- comp->jitCompartment_ = nullptr;
+- }
+-
+- return nullptr;
++ // Handling OOM here is complicated: if we delete jitRuntime_ now, we
++ // will destroy the ExecutableAllocator, even though there may still be
++ // JitCode instances holding references to ExecutablePools.
++ CrashAtUnhandlableOOM("OOM in createJitRuntime");
+ }
+
+ return jitRuntime_;
+ }
+
+ bool
+ JSCompartment::ensureJitCompartmentExists(JSContext* cx)
+ {
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch
new file mode 100644
index 0000000000..e87b95f729
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch
@@ -0,0 +1,189 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f31d643afd41
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233925
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1452110721 -3600
+# Node ID f31d643afd4159b5422ae5aebcbbea0a088e018e
+# Parent 4444e94a99cb9b00c0351cc8bf5459739cc036a5
+Bug 1233925 - Treat functions with rest more like functions with lazy arguments. r=nbp a=ritu
+
+diff --git a/js/src/jit/BacktrackingAllocator.cpp b/js/src/jit/BacktrackingAllocator.cpp
+--- a/js/src/jit/BacktrackingAllocator.cpp
++++ b/js/src/jit/BacktrackingAllocator.cpp
+@@ -201,20 +201,19 @@ BacktrackingAllocator::tryGroupRegisters
+ // constructor calling convention.
+ if (IsThisSlotDefinition(reg0->def()) || IsThisSlotDefinition(reg1->def())) {
+ if (*reg0->def()->output() != *reg1->def()->output())
+ return true;
+ }
+
+ // Registers which might spill to the frame's argument slots can only be
+ // grouped with other such registers if the frame might access those
+- // arguments through a lazy arguments object.
++ // arguments through a lazy arguments object or rest parameter.
+ if (IsArgumentSlotDefinition(reg0->def()) || IsArgumentSlotDefinition(reg1->def())) {
+- JSScript* script = graph.mir().entryBlock()->info().script();
+- if (script && script->argumentsAliasesFormals()) {
++ if (graph.mir().entryBlock()->info().mayReadFrameArgsDirectly()) {
+ if (*reg0->def()->output() != *reg1->def()->output())
+ return true;
+ }
+ }
+
+ VirtualRegisterGroup* group0 = reg0->group(), *group1 = reg1->group();
+
+ if (!group0 && group1)
+diff --git a/js/src/jit/CompileInfo.h b/js/src/jit/CompileInfo.h
+--- a/js/src/jit/CompileInfo.h
++++ b/js/src/jit/CompileInfo.h
+@@ -194,16 +194,17 @@ enum AnalysisMode {
+ class CompileInfo
+ {
+ public:
+ CompileInfo(JSScript* script, JSFunction* fun, jsbytecode* osrPc, bool constructing,
+ AnalysisMode analysisMode, bool scriptNeedsArgsObj,
+ InlineScriptTree* inlineScriptTree)
+ : script_(script), fun_(fun), osrPc_(osrPc), constructing_(constructing),
+ analysisMode_(analysisMode), scriptNeedsArgsObj_(scriptNeedsArgsObj),
++ mayReadFrameArgsDirectly_(script->mayReadFrameArgsDirectly()),
+ inlineScriptTree_(inlineScriptTree)
+ {
+ MOZ_ASSERT_IF(osrPc, JSOp(*osrPc) == JSOP_LOOPENTRY);
+
+ // The function here can flow in from anywhere so look up the canonical
+ // function to ensure that we do not try to embed a nursery pointer in
+ // jit-code. Precisely because it can flow in from anywhere, it's not
+ // guaranteed to be non-lazy. Hence, don't access its script!
+@@ -222,17 +223,17 @@ class CompileInfo
+ fixedLexicalBegin_ = script->fixedLexicalBegin();
+ nstack_ = script->nslots() - script->nfixed();
+ nslots_ = nimplicit_ + nargs_ + nlocals_ + nstack_;
+ }
+
+ explicit CompileInfo(unsigned nlocals)
+ : script_(nullptr), fun_(nullptr), osrPc_(nullptr), osrStaticScope_(nullptr),
+ constructing_(false), analysisMode_(Analysis_None), scriptNeedsArgsObj_(false),
+- inlineScriptTree_(nullptr)
++ mayReadFrameArgsDirectly_(false), inlineScriptTree_(nullptr)
+ {
+ nimplicit_ = 0;
+ nargs_ = 0;
+ nbodyfixed_ = 0;
+ nlocals_ = nlocals;
+ nstack_ = 1; /* For FunctionCompiler::pushPhiInput/popPhiOutput */
+ nslots_ = nlocals_ + nstack_;
+ fixedLexicalBegin_ = nlocals;
+@@ -539,16 +540,20 @@ class CompileInfo
+ return false;
+
+ if (needsArgsObj() && isObservableArgumentSlot(slot))
+ return false;
+
+ return true;
+ }
+
++ bool mayReadFrameArgsDirectly() const {
++ return mayReadFrameArgsDirectly_;
++ }
++
+ private:
+ unsigned nimplicit_;
+ unsigned nargs_;
+ unsigned nbodyfixed_;
+ unsigned nlocals_;
+ unsigned nstack_;
+ unsigned nslots_;
+ unsigned fixedLexicalBegin_;
+@@ -559,15 +564,17 @@ class CompileInfo
+ bool constructing_;
+ AnalysisMode analysisMode_;
+
+ // Whether a script needs an arguments object is unstable over compilation
+ // since the arguments optimization could be marked as failed on the main
+ // thread, so cache a value here and use it throughout for consistency.
+ bool scriptNeedsArgsObj_;
+
++ bool mayReadFrameArgsDirectly_;
++
+ InlineScriptTree* inlineScriptTree_;
+ };
+
+ } // namespace jit
+ } // namespace js
+
+ #endif /* jit_CompileInfo_h */
+diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
+--- a/js/src/jit/JitFrames.cpp
++++ b/js/src/jit/JitFrames.cpp
+@@ -1002,17 +1002,17 @@ MarkThisAndArguments(JSTracer* trc, JitF
+ // formal arguments is taken care of by the frame's safepoint/snapshot,
+ // except when the script's lazy arguments object aliases those formals,
+ // in which case we mark them as well.
+
+ size_t nargs = layout->numActualArgs();
+ size_t nformals = 0;
+ if (CalleeTokenIsFunction(layout->calleeToken())) {
+ JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
+- nformals = fun->nonLazyScript()->argumentsAliasesFormals() ? 0 : fun->nargs();
++ nformals = fun->nonLazyScript()->mayReadFrameArgsDirectly() ? 0 : fun->nargs();
+ }
+
+ Value* argv = layout->argv();
+
+ // Trace |this|.
+ gc::MarkValueRoot(trc, argv, "ion-thisv");
+
+ // Trace actual arguments beyond the formals. Note + 1 for thisv.
+diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
+--- a/js/src/jsscript.cpp
++++ b/js/src/jsscript.cpp
+@@ -3894,16 +3894,22 @@ JSScript::hasLoops()
+ JSTryNote* tnlimit = tn + trynotes()->length;
+ for (; tn < tnlimit; tn++) {
+ if (tn->kind == JSTRY_FOR_IN || tn->kind == JSTRY_LOOP)
+ return true;
+ }
+ return false;
+ }
+
++bool
++JSScript::mayReadFrameArgsDirectly()
++{
++ return argumentsHasVarBinding() || (function_ && function_->hasRest());
++}
++
+ static inline void
+ LazyScriptHash(uint32_t lineno, uint32_t column, uint32_t begin, uint32_t end,
+ HashNumber hashes[3])
+ {
+ HashNumber hash = lineno;
+ hash = RotateLeft(hash, 4) ^ column;
+ hash = RotateLeft(hash, 4) ^ begin;
+ hash = RotateLeft(hash, 4) ^ end;
+diff --git a/js/src/jsscript.h b/js/src/jsscript.h
+--- a/js/src/jsscript.h
++++ b/js/src/jsscript.h
+@@ -1397,16 +1397,20 @@ class JSScript : public js::gc::TenuredC
+ }
+ inline void setFunction(JSFunction* fun);
+ /*
+ * De-lazifies the canonical function. Must be called before entering code
+ * that expects the function to be non-lazy.
+ */
+ inline void ensureNonLazyCanonicalFunction(JSContext* cx);
+
++ // Returns true if the script may read formal arguments on the stack
++ // directly, via lazy arguments or a rest parameter.
++ bool mayReadFrameArgsDirectly();
++
+ JSFlatString* sourceData(JSContext* cx);
+
+ static bool loadSource(JSContext* cx, js::ScriptSource* ss, bool* worked);
+
+ void setSourceObject(JSObject* object);
+ JSObject* sourceObject() const {
+ return sourceObject_;
+ }
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch
new file mode 100644
index 0000000000..b92bfa4f4e
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch
@@ -0,0 +1,33 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/debff255c08e
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234571
+
+# HG changeset patch
+# User Randell Jesup <rjesup@jesup.org>
+# Date 1451928471 18000
+# Node ID debff255c08e898be370e307e1e014f5601c20c6
+# Parent f31d643afd4159b5422ae5aebcbbea0a088e018e
+Bug 1234571 - unregister encoded-frame callback when releasing codec databases. r=pkerr, a=al
+
+diff --git a/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc b/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
+--- a/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
++++ b/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
+@@ -71,16 +71,17 @@ VCMGenericEncoder::VCMGenericEncoder(Vid
+ VCMGenericEncoder::~VCMGenericEncoder()
+ {
+ }
+
+ int32_t VCMGenericEncoder::Release()
+ {
+ _bitRate = 0;
+ _frameRate = 0;
++ _encoder.RegisterEncodeCompleteCallback(NULL);
+ _VCMencodedFrameCallback = NULL;
+ return _encoder.Release();
+ }
+
+ int32_t
+ VCMGenericEncoder::InitEncode(const VideoCodec* settings,
+ int32_t numberOfCores,
+ uint32_t maxPayloadSize)
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch
new file mode 100644
index 0000000000..2e409d961c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch
@@ -0,0 +1,183 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/0f7224441f20
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234280
+
+# HG changeset patch
+# User Benjamin Bouvier <benj@benj.me>
+# Date 1450947090 -3600
+# Node ID 0f7224441f2089001f7934b46ac10cb72d267606
+# Parent debff255c08e898be370e307e1e014f5601c20c6
+Bug 1234280: Handle oom in CodeGeneratorShared::allocateData; r=jandem, a=sledru
+
+diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
+--- a/js/src/jit/CodeGenerator.cpp
++++ b/js/src/jit/CodeGenerator.cpp
+@@ -7902,17 +7902,19 @@ const VMFunction GetPropertyIC::UpdateIn
+ void
+ CodeGenerator::visitGetPropertyIC(OutOfLineUpdateCache* ool, DataPtr<GetPropertyIC>& ic)
+ {
+ LInstruction* lir = ool->lir();
+
+ if (ic->idempotent()) {
+ size_t numLocs;
+ CacheLocationList& cacheLocs = lir->mirRaw()->toGetPropertyCache()->location();
+- size_t locationBase = addCacheLocations(cacheLocs, &numLocs);
++ size_t locationBase;
++ if (!addCacheLocations(cacheLocs, &numLocs, &locationBase))
++ return;
+ ic->setLocationInfo(locationBase, numLocs);
+ }
+
+ saveLive(lir);
+
+ pushArg(ic->object());
+ pushArg(Imm32(ool->getCacheIndex()));
+ pushArg(ImmGCPtr(gen->info().script()));
+diff --git a/js/src/jit/shared/CodeGenerator-shared.cpp b/js/src/jit/shared/CodeGenerator-shared.cpp
+--- a/js/src/jit/shared/CodeGenerator-shared.cpp
++++ b/js/src/jit/shared/CodeGenerator-shared.cpp
+@@ -1527,31 +1527,34 @@ CodeGeneratorShared::jumpToBlock(MBasicB
+
+ masm.propagateOOM(patchableBackedges_.append(PatchableBackedgeInfo(backedge, mir->lir()->label(), oolEntry)));
+ } else {
+ masm.j(cond, mir->lir()->label());
+ }
+ }
+ #endif
+
+-size_t
+-CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs)
++MOZ_WARN_UNUSED_RESULT bool
++CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs,
++ size_t* curIndex)
+ {
+ size_t firstIndex = runtimeData_.length();
+ size_t numLocations = 0;
+ for (CacheLocationList::iterator iter = locs.begin(); iter != locs.end(); iter++) {
+ // allocateData() ensures that sizeof(CacheLocation) is word-aligned.
+ // If this changes, we will need to pad to ensure alignment.
+- size_t curIndex = allocateData(sizeof(CacheLocation));
+- new (&runtimeData_[curIndex]) CacheLocation(iter->pc, iter->script);
++ if (!allocateData(sizeof(CacheLocation), curIndex))
++ return false;
++ new (&runtimeData_[*curIndex]) CacheLocation(iter->pc, iter->script);
+ numLocations++;
+ }
+ MOZ_ASSERT(numLocations != 0);
+ *numLocs = numLocations;
+- return firstIndex;
++ *curIndex = firstIndex;
++ return true;
+ }
+
+ ReciprocalMulConstants
+ CodeGeneratorShared::computeDivisionConstants(int d) {
+ // In what follows, d is positive and is not a power of 2.
+ MOZ_ASSERT(d > 0 && (d & (d - 1)) != 0);
+
+ // Speeding up division by non power-of-2 constants is possible by
+diff --git a/js/src/jit/shared/CodeGenerator-shared.h b/js/src/jit/shared/CodeGenerator-shared.h
+--- a/js/src/jit/shared/CodeGenerator-shared.h
++++ b/js/src/jit/shared/CodeGenerator-shared.h
+@@ -3,16 +3,17 @@
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+ #ifndef jit_shared_CodeGenerator_shared_h
+ #define jit_shared_CodeGenerator_shared_h
+
+ #include "mozilla/Alignment.h"
++#include "mozilla/TypeTraits.h"
+
+ #include "jit/JitFrames.h"
+ #include "jit/LIR.h"
+ #include "jit/MacroAssembler.h"
+ #include "jit/MIRGenerator.h"
+ #include "jit/MIRGraph.h"
+ #include "jit/OptimizationTracking.h"
+ #include "jit/Safepoints.h"
+@@ -242,24 +243,16 @@ class CodeGeneratorShared : public LElem
+ return SlotToStackOffset(a->toStackSlot()->slot());
+ }
+
+ uint32_t frameSize() const {
+ return frameClass_ == FrameSizeClass::None() ? frameDepth_ : frameClass_.frameSize();
+ }
+
+ protected:
+- // Ensure the cache is an IonCache while expecting the size of the derived
+- // class. We only need the cache list at GC time. Everyone else can just take
+- // runtimeData offsets.
+- size_t allocateCache(const IonCache&, size_t size) {
+- size_t dataOffset = allocateData(size);
+- masm.propagateOOM(cacheList_.append(dataOffset));
+- return dataOffset;
+- }
+
+ #ifdef CHECK_OSIPOINT_REGISTERS
+ void resetOsiPointRegs(LSafepoint* safepoint);
+ bool shouldVerifyOsiPointRegs(LSafepoint* safepoint);
+ void verifyOsiPointRegs(LSafepoint* safepoint);
+ #endif
+
+ bool addNativeToBytecodeEntry(const BytecodeSite* site);
+@@ -295,27 +288,33 @@ class CodeGeneratorShared : public LElem
+ return lookup();
+ }
+ T * operator*() {
+ return lookup();
+ }
+ };
+
+ protected:
+-
+- size_t allocateData(size_t size) {
++ MOZ_WARN_UNUSED_RESULT
++ bool allocateData(size_t size, size_t* offset) {
+ MOZ_ASSERT(size % sizeof(void*) == 0);
+- size_t dataOffset = runtimeData_.length();
++ *offset = runtimeData_.length();
+ masm.propagateOOM(runtimeData_.appendN(0, size));
+- return dataOffset;
++ return !masm.oom();
+ }
+
++ // Ensure the cache is an IonCache while expecting the size of the derived
++ // class. We only need the cache list at GC time. Everyone else can just take
++ // runtimeData offsets.
+ template <typename T>
+ inline size_t allocateCache(const T& cache) {
+- size_t index = allocateCache(cache, sizeof(mozilla::AlignedStorage2<T>));
++ static_assert(mozilla::IsBaseOf<IonCache, T>::value, "T must inherit from IonCache");
++ size_t index;
++ masm.propagateOOM(allocateData(sizeof(mozilla::AlignedStorage2<T>), &index));
++ masm.propagateOOM(cacheList_.append(index));
+ if (masm.oom())
+ return SIZE_MAX;
+ // Use the copy constructor on the allocated space.
+ MOZ_ASSERT(index == cacheList_.back());
+ new (&runtimeData_[index]) T(cache);
+ return index;
+ }
+
+@@ -475,17 +474,17 @@ class CodeGeneratorShared : public LElem
+
+ void callVM(const VMFunction& f, LInstruction* ins, const Register* dynStack = nullptr);
+
+ template <class ArgSeq, class StoreOutputTo>
+ inline OutOfLineCode* oolCallVM(const VMFunction& fun, LInstruction* ins, const ArgSeq& args,
+ const StoreOutputTo& out);
+
+ void addCache(LInstruction* lir, size_t cacheIndex);
+- size_t addCacheLocations(const CacheLocationList& locs, size_t* numLocs);
++ bool addCacheLocations(const CacheLocationList& locs, size_t* numLocs, size_t* offset);
+ ReciprocalMulConstants computeDivisionConstants(int d);
+
+ protected:
+ void addOutOfLineCode(OutOfLineCode* code, const MInstruction* mir);
+ void addOutOfLineCode(OutOfLineCode* code, const BytecodeSite* site);
+ bool hasOutOfLineCode() { return !outOfLineCode_.empty(); }
+ bool generateOutOfLineCode();
+
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch
new file mode 100644
index 0000000000..7861e24c89
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch
@@ -0,0 +1,91 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8c184c30caa6
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668
+
+# HG changeset patch
+# User L. David Baron <dbaron@dbaron.org>
+# Date 1452248144 -39600
+# Node ID 8c184c30caa6d16f5ec63cce9a77d16f25d2e57e
+# Parent 0f7224441f2089001f7934b46ac10cb72d267606
+Bug 1230668 - Don't use frame when not in composed document. r=heycam a=sylvestre
+
+diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
+--- a/layout/style/nsComputedDOMStyle.cpp
++++ b/layout/style/nsComputedDOMStyle.cpp
+@@ -421,26 +421,31 @@ nsComputedDOMStyle::GetStyleContextForEl
+ {
+ MOZ_ASSERT(aElement, "NULL element");
+ // If the content has a pres shell, we must use it. Otherwise we'd
+ // potentially mix rule trees by using the wrong pres shell's style
+ // set. Using the pres shell from the content also means that any
+ // content that's actually *in* a document will get the style from the
+ // correct document.
+ nsIPresShell *presShell = GetPresShellForContent(aElement);
++ bool inDocWithShell = true;
+ if (!presShell) {
++ inDocWithShell = false;
+ presShell = aPresShell;
+ if (!presShell)
+ return nullptr;
+ }
+
+- // XXX the !aElement->IsHTML(nsGkAtoms::area)
+- // check is needed due to bug 135040 (to avoid using
++ // XXX the !aElement->IsHTML(nsGkAtoms::area)
++ // check is needed due to bug 135040 (to avoid using
+ // mPrimaryFrame). Remove it once that's fixed.
+- if (!aPseudo && aStyleType == eAll && !aElement->IsHTML(nsGkAtoms::area)) {
++ if (!aPseudo && aStyleType == eAll && inDocWithShell &&
++ !aElement->IsHTML(nsGkAtoms::area)) {
++ if (!aPseudo && aStyleType == eAll && inDocWithShell &&
++ !aElement->IsHTMLElement(nsGkAtoms::area)) {
+ nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
+ if (frame) {
+ nsStyleContext* result = frame->StyleContext();
+ // Don't use the style context if it was influenced by
+ // pseudo-elements, since then it's not the primary style
+ // for this element.
+ if (!result->HasPseudoElementData()) {
+ // this function returns an addrefed style context
+@@ -468,17 +473,18 @@ nsComputedDOMStyle::GetStyleContextForEl
+
+ nsRefPtr<nsStyleContext> sc;
+ if (aPseudo) {
+ nsCSSPseudoElements::Type type = nsCSSPseudoElements::GetPseudoType(aPseudo);
+ if (type >= nsCSSPseudoElements::ePseudo_PseudoElementCount) {
+ return nullptr;
+ }
+ nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
+- Element* pseudoElement = frame ? frame->GetPseudoElement(type) : nullptr;
++ Element* pseudoElement =
++ frame && inDocWithShell ? frame->GetPseudoElement(type) : nullptr;
+ sc = styleSet->ResolvePseudoElementStyle(aElement, type, parentContext,
+ pseudoElement);
+ } else {
+ sc = styleSet->ResolveStyleFor(aElement, parentContext);
+ }
+
+ if (aStyleType == eDefaultOnly) {
+ // We really only want the user and UA rules. Filter out the other ones.
+@@ -592,18 +598,18 @@ nsComputedDOMStyle::UpdateCurrentStyleSo
+ mFlushedPendingReflows = aNeedsLayoutFlush;
+ #endif
+
+ mPresShell = document->GetShell();
+ if (!mPresShell || !mPresShell->GetPresContext()) {
+ return;
+ }
+
+- // XXX the !mContent->IsHTML(nsGkAtoms::area)
+- // check is needed due to bug 135040 (to avoid using
++ // XXX the !mContent->IsHTML(nsGkAtoms::area)
++ // check is needed due to bug 135040 (to avoid using
+ // mPrimaryFrame). Remove it once that's fixed.
+ if (!mPseudo && mStyleType == eAll && !mContent->IsHTML(nsGkAtoms::area)) {
+ mOuterFrame = mContent->GetPrimaryFrame();
+ mInnerFrame = mOuterFrame;
+ if (mOuterFrame) {
+ nsIAtom* type = mOuterFrame->GetType();
+ if (type == nsGkAtoms::tableOuterFrame) {
+ // If the frame is an outer table frame then we should get the style
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch
new file mode 100644
index 0000000000..0e5825becf
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch
@@ -0,0 +1,34 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fceff80a84a3
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668
+
+# HG changeset patch
+# User Wes Kocher <wkocher@mozilla.com>
+# Date 1452542163 28800
+# Node ID fceff80a84a32b68d02abc00486fe6c7b86d545b
+# Parent 8c184c30caa6d16f5ec63cce9a77d16f25d2e57e
+Fix up some rebase errors in bug 1230668 r=me a=bustage
+
+diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
+--- a/layout/style/nsComputedDOMStyle.cpp
++++ b/layout/style/nsComputedDOMStyle.cpp
+@@ -434,18 +434,16 @@ nsComputedDOMStyle::GetStyleContextForEl
+ return nullptr;
+ }
+
+ // XXX the !aElement->IsHTML(nsGkAtoms::area)
+ // check is needed due to bug 135040 (to avoid using
+ // mPrimaryFrame). Remove it once that's fixed.
+ if (!aPseudo && aStyleType == eAll && inDocWithShell &&
+ !aElement->IsHTML(nsGkAtoms::area)) {
+- if (!aPseudo && aStyleType == eAll && inDocWithShell &&
+- !aElement->IsHTMLElement(nsGkAtoms::area)) {
+ nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
+ if (frame) {
+ nsStyleContext* result = frame->StyleContext();
+ // Don't use the style context if it was influenced by
+ // pseudo-elements, since then it's not the primary style
+ // for this element.
+ if (!result->HasPseudoElementData()) {
+ // this function returns an addrefed style context
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch
new file mode 100644
index 0000000000..02c1af1775
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch
@@ -0,0 +1,83 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/94a95291d095
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1224200
+
+# HG changeset patch
+# User Timothy Nikkel <tnikkel@gmail.com>
+# Date 1453303652 -3600
+# Node ID 94a95291d0958439dbed5b7dc99fae59e1318592
+# Parent 999c13acb40e1113306c65925a7d96688339d945
+Bug 1224200 - Allow downscaler to get (and ignore) new input lines after it has finished producing all output lines. r=seth, a=lizzard
+
+diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
+--- a/image/src/Downscaler.cpp
++++ b/image/src/Downscaler.cpp
+@@ -145,43 +145,44 @@ GetFilterOffsetAndLength(UniquePtr<skia:
+ aFilterLengthOut);
+ }
+
+ void
+ Downscaler::CommitRow()
+ {
+ MOZ_ASSERT(mOutputBuffer, "Should have a current frame");
+ MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input");
+- MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Past end of output");
+
+- int32_t filterOffset = 0;
+- int32_t filterLength = 0;
+- GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+- &filterOffset, &filterLength);
++ if (mCurrentOutLine < mTargetSize.height) {
++ int32_t filterOffset = 0;
++ int32_t filterLength = 0;
++ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++ &filterOffset, &filterLength);
+
+- int32_t inLineToRead = filterOffset + mLinesInBuffer;
+- MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+- if (mCurrentInLine == inLineToRead) {
+- skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+- mWindow[mLinesInBuffer++], mHasAlpha,
+- /* use_sse2 = */ true);
+- }
+-
+- MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
+- "Writing past end of output");
+-
+- while (mLinesInBuffer == filterLength) {
+- DownscaleInputLine();
+-
+- if (mCurrentOutLine == mTargetSize.height) {
+- break; // We're done.
++ int32_t inLineToRead = filterOffset + mLinesInBuffer;
++ MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
++ if (mCurrentInLine == inLineToRead) {
++ skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
++ mWindow[mLinesInBuffer++], mHasAlpha,
++ /* use_sse2 = */ true);
+ }
+
+- GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+- &filterOffset, &filterLength);
++ MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
++ "Writing past end of output");
++
++ while (mLinesInBuffer == filterLength) {
++ DownscaleInputLine();
++
++ if (mCurrentOutLine == mTargetSize.height) {
++ break; // We're done.
++ }
++
++ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++ &filterOffset, &filterLength);
++ }
+ }
+
+ mCurrentInLine += 1;
+ }
+
+ bool
+ Downscaler::HasInvalidation() const
+ {
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch
new file mode 100644
index 0000000000..9ebf18a5d3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch
@@ -0,0 +1,35 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/ee68c3dae5f6
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230483
+
+# HG changeset patch
+# User JW Wang <jwwang@mozilla.com>
+# Date 1450698943 -28800
+# Node ID ee68c3dae5f639fdd439f69ef2f724067fce0ea6
+# Parent 762d015e1854c28c213293ac1e9b2ab51cf201f9
+Bug 1230483 - Part 2 - LoadFromSourceChildren() should be queued at most once in an event cycle. r=roc, a=lizzard
+
+diff --git a/dom/html/HTMLMediaElement.cpp b/dom/html/HTMLMediaElement.cpp
+--- a/dom/html/HTMLMediaElement.cpp
++++ b/dom/html/HTMLMediaElement.cpp
+@@ -4033,16 +4033,19 @@ void HTMLMediaElement::NotifyAddedSource
+ mNetworkState == nsIDOMHTMLMediaElement::NETWORK_EMPTY)
+ {
+ QueueSelectResourceTask();
+ }
+
+ // A load was paused in the resource selection algorithm, waiting for
+ // a new source child to be added, resume the resource selection algorithm.
+ if (mLoadWaitStatus == WAITING_FOR_SOURCE) {
++ // Rest the flag so we don't queue multiple LoadFromSourceTask() when
++ // multiple <source> are attached in an event loop.
++ mLoadWaitStatus = NOT_WAITING;
+ QueueLoadFromSourceTask();
+ }
+ }
+
+ nsIContent* HTMLMediaElement::GetNextSource()
+ {
+ nsCOMPtr<nsIDOMNode> thisDomNode = do_QueryObject(this);
+
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1935.patch b/gnu/packages/patches/icecat-CVE-2016-1935.patch
new file mode 100644
index 0000000000..a6db4b9b6a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1935.patch
@@ -0,0 +1,77 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f9aad6c0253a
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1220450
+
+# HG changeset patch
+# User Jeff Gilbert <jgilbert@mozilla.com>
+# Date 1452570660 28800
+# Node ID f9aad6c0253a3b81699a3d7a05e78615dd814ea3
+# Parent c47640f24251b48c0bba9d2f0f6ee059eca58362
+Bug 1220450 - Clear length on cache OOM. r=kamidphish, a=ritu
+
+diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
+--- a/dom/canvas/WebGLContextBuffers.cpp
++++ b/dom/canvas/WebGLContextBuffers.cpp
+@@ -185,16 +185,17 @@ WebGLContext::BufferData(GLenum target,
+
+ if (error) {
+ GenerateWarning("bufferData generated error %s", ErrorName(error));
+ return;
+ }
+
+ boundBuffer->SetByteLength(size);
+ if (!boundBuffer->ElementArrayCacheBufferData(nullptr, size)) {
++ boundBuffer->SetByteLength(0);
+ return ErrorOutOfMemory("bufferData: out of memory");
+ }
+ }
+
+ void
+ WebGLContext::BufferData(GLenum target,
+ const dom::Nullable<dom::ArrayBuffer>& maybeData,
+ GLenum usage)
+@@ -234,18 +235,20 @@ WebGLContext::BufferData(GLenum target,
+ GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+
+ if (error) {
+ GenerateWarning("bufferData generated error %s", ErrorName(error));
+ return;
+ }
+
+ boundBuffer->SetByteLength(data.Length());
+- if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
++ if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
++ boundBuffer->SetByteLength(0);
+ return ErrorOutOfMemory("bufferData: out of memory");
++ }
+ }
+
+ void
+ WebGLContext::BufferData(GLenum target, const dom::ArrayBufferView& data,
+ GLenum usage)
+ {
+ if (IsContextLost())
+ return;
+@@ -274,18 +277,20 @@ WebGLContext::BufferData(GLenum target,
+
+ GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+ if (error) {
+ GenerateWarning("bufferData generated error %s", ErrorName(error));
+ return;
+ }
+
+ boundBuffer->SetByteLength(data.Length());
+- if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
++ if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
++ boundBuffer->SetByteLength(0);
+ return ErrorOutOfMemory("bufferData: out of memory");
++ }
+ }
+
+ void
+ WebGLContext::BufferSubData(GLenum target, WebGLsizeiptr byteOffset,
+ const dom::Nullable<dom::ArrayBuffer>& maybeData)
+ {
+ if (IsContextLost())
+ return;
+
diff --git a/gnu/packages/patches/icecat-bug-1146335-pt1.patch b/gnu/packages/patches/icecat-bug-1146335-pt1.patch
new file mode 100644
index 0000000000..a41e638b2f
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1146335-pt1.patch
@@ -0,0 +1,141 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9d14787bd10e
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1146335
+
+# HG changeset patch
+# User Seth Fowler <mark.seth.fowler@gmail.com>
+# Date 1428627143 25200
+# Node ID 9d14787bd10e6f3013263a2cae0bcc78bebde1db
+# Parent aaf922ae679685acb5d2b8ffa5f0bf22f1e6987a
+Bug 1146335 (Part 1) - Add assertions and fix style issues in image::Downscaler. r=tn a=lizzard
+
+diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
+--- a/image/src/Downscaler.cpp
++++ b/image/src/Downscaler.cpp
+@@ -72,23 +72,25 @@ Downscaler::BeginFrame(const nsIntSize&
+ mOutputBuffer = aOutputBuffer;
+ mHasAlpha = aHasAlpha;
+
+ ResetForNextProgressivePass();
+ ReleaseWindow();
+
+ auto resizeMethod = skia::ImageOperations::RESIZE_LANCZOS3;
+
+- skia::resize::ComputeFilters(resizeMethod, mOriginalSize.width,
+- mTargetSize.width, 0,
+- mTargetSize.width, mXFilter.get());
++ skia::resize::ComputeFilters(resizeMethod,
++ mOriginalSize.width, mTargetSize.width,
++ 0, mTargetSize.width,
++ mXFilter.get());
+
+- skia::resize::ComputeFilters(resizeMethod, mOriginalSize.height,
+- mTargetSize.height, 0,
+- mTargetSize.height, mYFilter.get());
++ skia::resize::ComputeFilters(resizeMethod,
++ mOriginalSize.height, mTargetSize.height,
++ 0, mTargetSize.height,
++ mYFilter.get());
+
+ // Allocate the buffer, which contains scanlines of the original image.
+ size_t bufferLen = mOriginalSize.width * sizeof(uint32_t);
+ mRowBuffer = MakeUnique<uint8_t[]>(bufferLen);
+ if (MOZ_UNLIKELY(!mRowBuffer)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+@@ -126,39 +128,54 @@ void
+ Downscaler::ResetForNextProgressivePass()
+ {
+ mPrevInvalidatedLine = 0;
+ mCurrentOutLine = 0;
+ mCurrentInLine = 0;
+ mLinesInBuffer = 0;
+ }
+
++static void
++GetFilterOffsetAndLength(UniquePtr<skia::ConvolutionFilter1D>& aFilter,
++ int32_t aOutputImagePosition,
++ int32_t* aFilterOffsetOut,
++ int32_t* aFilterLengthOut)
++{
++ MOZ_ASSERT(aOutputImagePosition < aFilter->num_values());
++ aFilter->FilterForValue(aOutputImagePosition,
++ aFilterOffsetOut,
++ aFilterLengthOut);
++}
++
+ void
+ Downscaler::CommitRow()
+ {
+ MOZ_ASSERT(mOutputBuffer, "Should have a current frame");
+ MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input");
+ MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Past end of output");
+
+ int32_t filterOffset = 0;
+ int32_t filterLength = 0;
+- mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
++ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++ &filterOffset, &filterLength);
+
+ int32_t inLineToRead = filterOffset + mLinesInBuffer;
+ MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+ if (mCurrentInLine == inLineToRead) {
+ skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+ mWindow[mLinesInBuffer++], mHasAlpha,
+ /* use_sse2 = */ true);
+ }
+
+ while (mLinesInBuffer == filterLength &&
+ mCurrentOutLine < mTargetSize.height) {
+ DownscaleInputLine();
+- mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
++
++ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++ &filterOffset, &filterLength);
+ }
+
+ mCurrentInLine += 1;
+ }
+
+ bool
+ Downscaler::HasInvalidation() const
+ {
+@@ -184,16 +201,17 @@ Downscaler::DownscaleInputLine()
+ {
+ typedef skia::ConvolutionFilter1D::Fixed FilterValue;
+
+ MOZ_ASSERT(mOutputBuffer);
+ MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Writing past end of output");
+
+ int32_t filterOffset = 0;
+ int32_t filterLength = 0;
++ MOZ_ASSERT(mCurrentOutLine < mYFilter->num_values());
+ auto filterValues =
+ mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
+
+ uint8_t* outputLine =
+ &mOutputBuffer[mCurrentOutLine * mTargetSize.width * sizeof(uint32_t)];
+ skia::ConvolveVertically(static_cast<const FilterValue*>(filterValues),
+ filterLength, mWindow.get(), mXFilter->num_values(),
+ outputLine, mHasAlpha, /* use_sse2 = */ true);
+@@ -202,17 +220,18 @@ Downscaler::DownscaleInputLine()
+
+ if (mCurrentOutLine == mTargetSize.height) {
+ // We're done.
+ return;
+ }
+
+ int32_t newFilterOffset = 0;
+ int32_t newFilterLength = 0;
+- mYFilter->FilterForValue(mCurrentOutLine, &newFilterOffset, &newFilterLength);
++ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++ &newFilterOffset, &newFilterLength);
+
+ int diff = newFilterOffset - filterOffset;
+ MOZ_ASSERT(diff >= 0, "Moving backwards in the filter?");
+
+ // Shift the buffer. We're just moving pointers here, so this is cheap.
+ mLinesInBuffer -= diff;
+ mLinesInBuffer = max(mLinesInBuffer, 0);
+ for (int32_t i = 0; i < mLinesInBuffer; ++i) {
+
diff --git a/gnu/packages/patches/icecat-bug-1146335-pt2.patch b/gnu/packages/patches/icecat-bug-1146335-pt2.patch
new file mode 100644
index 0000000000..240e0cfc66
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1146335-pt2.patch
@@ -0,0 +1,43 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8bfaa27698ca
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1146335
+
+# HG changeset patch
+# User Seth Fowler <mark.seth.fowler@gmail.com>
+# Date 1428627143 25200
+# Node ID 8bfaa27698ca0720d5c9f3910ab7148b38db0625
+# Parent 9d14787bd10e6f3013263a2cae0bcc78bebde1db
+Bug 1146335 (Part 2) - Fix an off-by-one error in image::Downscaler. r=tn a=lizzard
+
+diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
+--- a/image/src/Downscaler.cpp
++++ b/image/src/Downscaler.cpp
+@@ -160,20 +160,26 @@ Downscaler::CommitRow()
+ int32_t inLineToRead = filterOffset + mLinesInBuffer;
+ MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+ if (mCurrentInLine == inLineToRead) {
+ skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+ mWindow[mLinesInBuffer++], mHasAlpha,
+ /* use_sse2 = */ true);
+ }
+
+- while (mLinesInBuffer == filterLength &&
+- mCurrentOutLine < mTargetSize.height) {
++ MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
++ "Writing past end of output");
++
++ while (mLinesInBuffer == filterLength) {
+ DownscaleInputLine();
+
++ if (mCurrentOutLine == mTargetSize.height) {
++ break; // We're done.
++ }
++
+ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+ &filterOffset, &filterLength);
+ }
+
+ mCurrentInLine += 1;
+ }
+
+ bool
+
diff --git a/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch b/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch
new file mode 100644
index 0000000000..5a3a934dba
--- /dev/null
+++ b/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch
@@ -0,0 +1,73 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9632375c6aac
+
+# HG changeset patch
+# User Jeff Gilbert <jdashg@gmail.com>
+# Date 1453320785 28800
+# Node ID 9632375c6aacbf673b996b53231d70b91e480fb5
+# Parent ee68c3dae5f639fdd439f69ef2f724067fce0ea6
+Limit max buffers size for ANGLE. r=jrmuizel a=lizzard
+
+diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
+--- a/dom/canvas/WebGLContextBuffers.cpp
++++ b/dom/canvas/WebGLContextBuffers.cpp
+@@ -164,16 +164,19 @@ WebGLContext::BufferData(GLenum target,
+
+ if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
+ return;
+
+ // careful: WebGLsizeiptr is always 64-bit, but GLsizeiptr is like intptr_t.
+ if (!CheckedInt<GLsizeiptr>(size).isValid())
+ return ErrorOutOfMemory("bufferData: bad size");
+
++ if (gl->IsANGLE() && size > UINT32_MAX)
++ return ErrorOutOfMemory("bufferData: size too large");
++
+ WebGLBuffer* boundBuffer = bufferSlot.get();
+
+ if (!boundBuffer)
+ return ErrorInvalidOperation("bufferData: no buffer bound!");
+
+ UniquePtr<uint8_t> zeroBuffer((uint8_t*)moz_calloc(size, 1));
+ if (!zeroBuffer)
+ return ErrorOutOfMemory("bufferData: out of memory");
+@@ -216,16 +219,19 @@ WebGLContext::BufferData(GLenum target,
+ const dom::ArrayBuffer& data = maybeData.Value();
+ data.ComputeLengthAndData();
+
+ // Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr
+ // is like intptr_t.
+ if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
+ return ErrorOutOfMemory("bufferData: bad size");
+
++ if (gl->IsANGLE() && data.Length() > UINT32_MAX)
++ return ErrorOutOfMemory("bufferData: size too large");
++
+ if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
+ return;
+
+ WebGLBuffer* boundBuffer = bufferSlot.get();
+
+ if (!boundBuffer)
+ return ErrorInvalidOperation("bufferData: no buffer bound!");
+
+@@ -267,16 +273,19 @@ WebGLContext::BufferData(GLenum target,
+
+ data.ComputeLengthAndData();
+
+ // Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr
+ // is like intptr_t.
+ if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
+ return ErrorOutOfMemory("bufferData: bad size");
+
++ if (gl->IsANGLE() && data.Length() > UINT32_MAX)
++ return ErrorOutOfMemory("bufferData: size too large");
++
+ InvalidateBufferFetching();
+ MakeContextCurrent();
+
+ GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+ if (error) {
+ GenerateWarning("bufferData generated error %s", ErrorName(error));
+ return;
+ }
+