From 29a780147d066d5ce218d1fa2678a0a36a1145e3 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Thu, 28 Jan 2016 00:22:49 -0500 Subject: [PATCH] gnu: icecat: Add fixes for CVE-2016-{1930,1935} and other bugs. * gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch, gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch, gnu/packages/patches/icecat-CVE-2016-1935.patch, gnu/packages/patches/icecat-bug-1146335-pt1.patch, gnu/packages/patches/icecat-bug-1146335-pt2.patch, gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches. --- gnu-system.am | 19 ++ gnu/packages/gnuzilla.scm | 24 +- .../patches/icecat-CVE-2016-1930-pt01.patch | 34 ++ .../patches/icecat-CVE-2016-1930-pt02.patch | 33 ++ .../patches/icecat-CVE-2016-1930-pt03.patch | 308 ++++++++++++++++++ .../patches/icecat-CVE-2016-1930-pt04.patch | 47 +++ .../patches/icecat-CVE-2016-1930-pt05.patch | 51 +++ .../patches/icecat-CVE-2016-1930-pt06.patch | 170 ++++++++++ .../patches/icecat-CVE-2016-1930-pt07.patch | 56 ++++ .../patches/icecat-CVE-2016-1930-pt08.patch | 48 +++ .../patches/icecat-CVE-2016-1930-pt09.patch | 189 +++++++++++ .../patches/icecat-CVE-2016-1930-pt10.patch | 33 ++ .../patches/icecat-CVE-2016-1930-pt11.patch | 183 +++++++++++ .../patches/icecat-CVE-2016-1930-pt12.patch | 91 ++++++ .../patches/icecat-CVE-2016-1930-pt13.patch | 34 ++ .../patches/icecat-CVE-2016-1930-pt14.patch | 83 +++++ .../patches/icecat-CVE-2016-1930-pt15.patch | 35 ++ .../patches/icecat-CVE-2016-1935.patch | 77 +++++ .../patches/icecat-bug-1146335-pt1.patch | 141 ++++++++ .../patches/icecat-bug-1146335-pt2.patch | 43 +++ ...cat-limit-max-buffers-size-for-ANGLE.patch | 73 +++++ 21 files changed, 1770 insertions(+), 2 deletions(-) create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch create mode 100644 gnu/packages/patches/icecat-CVE-2016-1935.patch create mode 100644 gnu/packages/patches/icecat-bug-1146335-pt1.patch create mode 100644 gnu/packages/patches/icecat-bug-1146335-pt2.patch create mode 100644 gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch diff --git a/gnu-system.am b/gnu-system.am index 297f40a50e..45511d2eb8 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -517,7 +517,26 @@ dist_patch_DATA = \ gnu/packages/patches/hop-linker-flags.patch \ gnu/packages/patches/hydra-automake-1.15.patch \ gnu/packages/patches/hydra-disable-darcs-test.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch \ + gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch \ + gnu/packages/patches/icecat-CVE-2016-1935.patch \ gnu/packages/patches/icecat-avoid-bundled-includes.patch \ + gnu/packages/patches/icecat-bug-1146335-pt1.patch \ + gnu/packages/patches/icecat-bug-1146335-pt2.patch \ + gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch \ gnu/packages/patches/icu4c-CVE-2014-6585.patch \ gnu/packages/patches/icu4c-CVE-2015-1270.patch \ gnu/packages/patches/icu4c-CVE-2015-4760.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 03ca0b7ca0..62010dbf6b 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -1,7 +1,7 @@ ;;; GNU Guix --- Functional package management for GNU ;;; Copyright © 2013, 2015 Andreas Enge ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès -;;; Copyright © 2014, 2015 Mark H Weaver +;;; Copyright © 2014, 2015, 2016 Mark H Weaver ;;; Copyright © 2015 Sou Bunnbu ;;; ;;; This file is part of GNU Guix. @@ -287,7 +287,27 @@ (define-public icecat (sha256 (base32 "0m18xyb0rd02yaw9xd5z4bab1wr2599iszzqhm86c134jv5vk6cg")) - (patches (map search-patch '("icecat-avoid-bundled-includes.patch"))) + (patches (map search-patch + '("icecat-avoid-bundled-includes.patch" + "icecat-CVE-2016-1930-pt01.patch" + "icecat-CVE-2016-1930-pt02.patch" + "icecat-CVE-2016-1930-pt03.patch" + "icecat-CVE-2016-1930-pt04.patch" + "icecat-CVE-2016-1930-pt05.patch" + "icecat-CVE-2016-1930-pt06.patch" + "icecat-CVE-2016-1930-pt07.patch" + "icecat-CVE-2016-1930-pt08.patch" + "icecat-CVE-2016-1930-pt09.patch" + "icecat-CVE-2016-1930-pt10.patch" + "icecat-CVE-2016-1930-pt11.patch" + "icecat-CVE-2016-1930-pt12.patch" + "icecat-CVE-2016-1930-pt13.patch" + "icecat-bug-1146335-pt1.patch" + "icecat-bug-1146335-pt2.patch" + "icecat-CVE-2016-1935.patch" + "icecat-CVE-2016-1930-pt14.patch" + "icecat-CVE-2016-1930-pt15.patch" + "icecat-limit-max-buffers-size-for-ANGLE.patch"))) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch new file mode 100644 index 0000000000..27768fa1ac --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch @@ -0,0 +1,34 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/925215cae26f +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233346 + +# HG changeset patch +# User Nils Ohlmeier +# Date 1451439902 18000 +# Node ID 925215cae26f9c0ccff07ef403a5b3194a4c45c4 +# Parent ff8e52467d793e935b80bf22a722a71a96fe2d63 +Bug 1233346 - r=ekr a=abillings + +diff --git a/media/mtransport/third_party/nICEr/src/stun/addrs.c b/media/mtransport/third_party/nICEr/src/stun/addrs.c +--- a/media/mtransport/third_party/nICEr/src/stun/addrs.c ++++ b/media/mtransport/third_party/nICEr/src/stun/addrs.c +@@ -530,16 +530,18 @@ stun_get_win32_addrs(nr_local_addr addrs + + for (tmpAddress = AdapterAddresses; tmpAddress != NULL; tmpAddress = tmpAddress->Next) { + char *c; + + if (tmpAddress->OperStatus != IfOperStatusUp) + continue; + + snprintf(munged_ifname, IFNAMSIZ, "%S%c", tmpAddress->FriendlyName, 0); ++ munged_ifname[IFNAMSIZ-1] = '\0'; ++ + /* replace spaces with underscores */ + c = strchr(munged_ifname, ' '); + while (c != NULL) { + *c = '_'; + c = strchr(munged_ifname, ' '); + } + c = strchr(munged_ifname, '.'); + while (c != NULL) { + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch new file mode 100644 index 0000000000..fa1804eb82 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch @@ -0,0 +1,33 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fc78180165a8 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670 + +# HG changeset patch +# User Karl Tomlinson +# Date 1449117514 -46800 +# Node ID fc78180165a8262c80bbb722ed99b2e0c27b02d0 +# Parent 925215cae26f9c0ccff07ef403a5b3194a4c45c4 +bug 1223670 assert that connected streams have the same graph r=padenot a=abillings + +diff --git a/dom/media/MediaStreamGraph.cpp b/dom/media/MediaStreamGraph.cpp +--- a/dom/media/MediaStreamGraph.cpp ++++ b/dom/media/MediaStreamGraph.cpp +@@ -2696,16 +2696,17 @@ ProcessedMediaStream::AllocateInputPort( + unused << mPort.forget(); + } + virtual void RunDuringShutdown() + { + Run(); + } + nsRefPtr mPort; + }; ++ MOZ_ASSERT(aStream->GraphImpl() == GraphImpl()); + nsRefPtr port = new MediaInputPort(aStream, this, aFlags, + aInputNumber, aOutputNumber); + port->SetGraphImpl(GraphImpl()); + GraphImpl()->AppendMessage(new Message(port)); + return port.forget(); + } + + void + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch new file mode 100644 index 0000000000..cf0843b8b3 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch @@ -0,0 +1,308 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f746c38d160e +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670 + +# HG changeset patch +# User Karl Tomlinson +# Date 1449764754 18000 +# Node ID f746c38d160ea29088c15cacae44f3662befaec5 +# Parent fc78180165a8262c80bbb722ed99b2e0c27b02d0 +bug 1223670 replace public constructors with fallible factory methods r=baku a=abillings + +diff --git a/dom/media/webaudio/AudioContext.cpp b/dom/media/webaudio/AudioContext.cpp +--- a/dom/media/webaudio/AudioContext.cpp ++++ b/dom/media/webaudio/AudioContext.cpp +@@ -299,32 +299,29 @@ AudioContext::CreateMediaElementSource(H + aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR); + return nullptr; + } + #endif + nsRefPtr stream = aMediaElement.MozCaptureStream(aRv); + if (aRv.Failed()) { + return nullptr; + } +- nsRefPtr mediaElementAudioSourceNode = +- new MediaElementAudioSourceNode(this, stream); +- return mediaElementAudioSourceNode.forget(); ++ return MediaElementAudioSourceNode::Create(this, stream, aRv); + } + + already_AddRefed + AudioContext::CreateMediaStreamSource(DOMMediaStream& aMediaStream, + ErrorResult& aRv) + { + if (mIsOffline) { + aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR); + return nullptr; + } +- nsRefPtr mediaStreamAudioSourceNode = +- new MediaStreamAudioSourceNode(this, &aMediaStream); +- return mediaStreamAudioSourceNode.forget(); ++ ++ return MediaStreamAudioSourceNode::Create(this, &aMediaStream, aRv); + } + + already_AddRefed + AudioContext::CreateGain() + { + nsRefPtr gainNode = new GainNode(this); + return gainNode.forget(); + } +diff --git a/dom/media/webaudio/AudioNode.cpp b/dom/media/webaudio/AudioNode.cpp +--- a/dom/media/webaudio/AudioNode.cpp ++++ b/dom/media/webaudio/AudioNode.cpp +@@ -61,34 +61,29 @@ AudioNode::AudioNode(AudioContext* aCont + ChannelInterpretation aChannelInterpretation) + : DOMEventTargetHelper(aContext->GetParentObject()) + , mContext(aContext) + , mChannelCount(aChannelCount) + , mChannelCountMode(aChannelCountMode) + , mChannelInterpretation(aChannelInterpretation) + , mId(gId++) + , mPassThrough(false) +-#ifdef DEBUG +- , mDemiseNotified(false) +-#endif + { + MOZ_ASSERT(aContext); + DOMEventTargetHelper::BindToOwner(aContext->GetParentObject()); + aContext->UpdateNodeCount(1); + } + + AudioNode::~AudioNode() + { + MOZ_ASSERT(mInputNodes.IsEmpty()); + MOZ_ASSERT(mOutputNodes.IsEmpty()); + MOZ_ASSERT(mOutputParams.IsEmpty()); +-#ifdef DEBUG +- MOZ_ASSERT(mDemiseNotified, ++ MOZ_ASSERT(!mStream, + "The webaudio-node-demise notification must have been sent"); +-#endif + if (mContext) { + mContext->UpdateNodeCount(-1); + } + } + + size_t + AudioNode::SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const + { +@@ -399,19 +394,16 @@ AudioNode::DestroyMediaStream() + mStream = nullptr; + + nsCOMPtr obs = services::GetObserverService(); + if (obs) { + nsAutoString id; + id.AppendPrintf("%u", mId); + obs->NotifyObservers(nullptr, "webaudio-node-demise", id.get()); + } +-#ifdef DEBUG +- mDemiseNotified = true; +-#endif + } + } + + void + AudioNode::RemoveOutputParam(AudioParam* aParam) + { + mOutputParams.RemoveElement(aParam); + } +diff --git a/dom/media/webaudio/AudioNode.h b/dom/media/webaudio/AudioNode.h +--- a/dom/media/webaudio/AudioNode.h ++++ b/dom/media/webaudio/AudioNode.h +@@ -239,19 +239,14 @@ private: + nsTArray > mOutputParams; + uint32_t mChannelCount; + ChannelCountMode mChannelCountMode; + ChannelInterpretation mChannelInterpretation; + const uint32_t mId; + // Whether the node just passes through its input. This is a devtools API that + // only works for some node types. + bool mPassThrough; +-#ifdef DEBUG +- // In debug builds, check to make sure that the node demise notification has +- // been properly sent before the node is destroyed. +- bool mDemiseNotified; +-#endif + }; + + } + } + + #endif +diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.cpp b/dom/media/webaudio/MediaElementAudioSourceNode.cpp +--- a/dom/media/webaudio/MediaElementAudioSourceNode.cpp ++++ b/dom/media/webaudio/MediaElementAudioSourceNode.cpp +@@ -5,22 +5,36 @@ + * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ + + #include "MediaElementAudioSourceNode.h" + #include "mozilla/dom/MediaElementAudioSourceNodeBinding.h" + + namespace mozilla { + namespace dom { + +-MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext, +- DOMMediaStream* aStream) +- : MediaStreamAudioSourceNode(aContext, aStream) ++MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext) ++ : MediaStreamAudioSourceNode(aContext) + { + } + ++/* static */ already_AddRefed ++MediaElementAudioSourceNode::Create(AudioContext* aContext, ++ DOMMediaStream* aStream, ErrorResult& aRv) ++{ ++ nsRefPtr node = ++ new MediaElementAudioSourceNode(aContext); ++ ++ node->Init(aStream, aRv); ++ if (aRv.Failed()) { ++ return nullptr; ++ } ++ ++ return node.forget(); ++} ++ + JSObject* + MediaElementAudioSourceNode::WrapObject(JSContext* aCx) + { + return MediaElementAudioSourceNodeBinding::Wrap(aCx, this); + } + + } + } +diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.h b/dom/media/webaudio/MediaElementAudioSourceNode.h +--- a/dom/media/webaudio/MediaElementAudioSourceNode.h ++++ b/dom/media/webaudio/MediaElementAudioSourceNode.h +@@ -10,28 +10,30 @@ + #include "MediaStreamAudioSourceNode.h" + + namespace mozilla { + namespace dom { + + class MediaElementAudioSourceNode : public MediaStreamAudioSourceNode + { + public: +- MediaElementAudioSourceNode(AudioContext* aContext, +- DOMMediaStream* aStream); ++ static already_AddRefed ++ Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv); + + virtual JSObject* WrapObject(JSContext* aCx) override; + + virtual const char* NodeType() const override + { + return "MediaElementAudioSourceNode"; + } + + virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override + { + return aMallocSizeOf(this) + SizeOfExcludingThis(aMallocSizeOf); + } ++private: ++ explicit MediaElementAudioSourceNode(AudioContext* aContext); + }; + + } + } + + #endif +diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp +--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp ++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp +@@ -25,26 +25,45 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_ + NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END + + NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(MediaStreamAudioSourceNode) + NS_INTERFACE_MAP_END_INHERITING(AudioNode) + + NS_IMPL_ADDREF_INHERITED(MediaStreamAudioSourceNode, AudioNode) + NS_IMPL_RELEASE_INHERITED(MediaStreamAudioSourceNode, AudioNode) + +-MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext, +- DOMMediaStream* aMediaStream) ++MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext) + : AudioNode(aContext, + 2, + ChannelCountMode::Max, +- ChannelInterpretation::Speakers), +- mInputStream(aMediaStream) ++ ChannelInterpretation::Speakers) + { ++} ++ ++/* static */ already_AddRefed ++MediaStreamAudioSourceNode::Create(AudioContext* aContext, ++ DOMMediaStream* aStream, ErrorResult& aRv) ++{ ++ nsRefPtr node = ++ new MediaStreamAudioSourceNode(aContext); ++ ++ node->Init(aStream, aRv); ++ if (aRv.Failed()) { ++ return nullptr; ++ } ++ ++ return node.forget(); ++} ++ ++void ++MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv) ++{ ++ mInputStream = aMediaStream; + AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this); +- mStream = aContext->Graph()->CreateAudioNodeExternalInputStream(engine); ++ mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine); + ProcessedMediaStream* outputStream = static_cast(mStream.get()); + mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(), + MediaInputPort::FLAG_BLOCK_INPUT); + mInputStream->AddConsumerToKeepAlive(static_cast(this)); + + PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector + mInputStream->AddPrincipalChangeObserver(this); + } +diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.h b/dom/media/webaudio/MediaStreamAudioSourceNode.h +--- a/dom/media/webaudio/MediaStreamAudioSourceNode.h ++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.h +@@ -38,17 +38,18 @@ public: + private: + bool mEnabled; + }; + + class MediaStreamAudioSourceNode : public AudioNode, + public DOMMediaStream::PrincipalChangeObserver + { + public: +- MediaStreamAudioSourceNode(AudioContext* aContext, DOMMediaStream* aMediaStream); ++ static already_AddRefed ++ Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv); + + NS_DECL_ISUPPORTS_INHERITED + NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(MediaStreamAudioSourceNode, AudioNode) + + virtual JSObject* WrapObject(JSContext* aCx) override; + + virtual void DestroyMediaStream() override; + +@@ -60,16 +61,18 @@ public: + } + + virtual size_t SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const override; + virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override; + + virtual void PrincipalChanged(DOMMediaStream* aMediaStream) override; + + protected: ++ explicit MediaStreamAudioSourceNode(AudioContext* aContext); ++ void Init(DOMMediaStream* aMediaStream, ErrorResult& aRv); + virtual ~MediaStreamAudioSourceNode(); + + private: + nsRefPtr mInputPort; + nsRefPtr mInputStream; + }; + + } + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch new file mode 100644 index 0000000000..b212a70d4a --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch @@ -0,0 +1,47 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/6d43ff33bd55 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670 + +# HG changeset patch +# User Karl Tomlinson +# Date 1451362442 -46800 +# Node ID 6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c +# Parent f746c38d160ea29088c15cacae44f3662befaec5 +bug 1223670 throw not supported when creating a node from a stream with different channel r=baku a=abillings + +diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp +--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp ++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp +@@ -51,21 +51,29 @@ MediaStreamAudioSourceNode::Create(Audio + } + + return node.forget(); + } + + void + MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv) + { ++ MOZ_ASSERT(aMediaStream); ++ MediaStream* inputStream = aMediaStream->GetStream(); ++ MediaStreamGraph* graph = Context()->Graph(); ++ if (NS_WARN_IF(graph != inputStream->Graph())) { ++ aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR); ++ return; ++ } ++ + mInputStream = aMediaStream; + AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this); +- mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine); ++ mStream = graph->CreateAudioNodeExternalInputStream(engine); + ProcessedMediaStream* outputStream = static_cast(mStream.get()); +- mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(), ++ mInputPort = outputStream->AllocateInputPort(inputStream, + MediaInputPort::FLAG_BLOCK_INPUT); + mInputStream->AddConsumerToKeepAlive(static_cast(this)); + + PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector + mInputStream->AddPrincipalChangeObserver(this); + } + + MediaStreamAudioSourceNode::~MediaStreamAudioSourceNode() + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch new file mode 100644 index 0000000000..3e62c9c5f1 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch @@ -0,0 +1,51 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4f6e81673f69 +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670 + +# HG changeset patch +# User Karl Tomlinson +# Date 1449145091 -46800 +# Node ID 4f6e81673f6938719c86516606f2fda493e8c23c +# Parent 6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c +bug 1223670 make SetMozAudioChannelType() private because the type will not change after construction r=baku a=abillings + +diff --git a/dom/media/webaudio/AudioDestinationNode.h b/dom/media/webaudio/AudioDestinationNode.h +--- a/dom/media/webaudio/AudioDestinationNode.h ++++ b/dom/media/webaudio/AudioDestinationNode.h +@@ -57,17 +57,16 @@ public: + void StartRendering(Promise* aPromise); + + void OfflineShutdown(); + + // nsIDOMEventListener - by proxy + NS_IMETHOD HandleEvent(nsIDOMEvent* aEvent) override; + + AudioChannel MozAudioChannelType() const; +- void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv); + + virtual void NotifyMainThreadStateChanged() override; + void FireOfflineCompletionEvent(); + + // An amount that should be added to the MediaStream's current time to + // get the AudioContext.currentTime. + double ExtraCurrentTime(); + +@@ -86,16 +85,17 @@ public: + + void InputMuted(bool aInputMuted); + void ResolvePromise(AudioBuffer* aRenderedBuffer); + + protected: + virtual ~AudioDestinationNode(); + + private: ++ void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv); + bool CheckAudioChannelPermissions(AudioChannel aValue); + + void SetCanPlay(bool aCanPlay); + + void NotifyStableState(); + void ScheduleStableStateNotification(); + + SelfReference mOfflineRenderingRef; + diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch new file mode 100644 index 0000000000..ec1f479ee4 --- /dev/null +++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch @@ -0,0 +1,170 @@ +Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/93617c30c0df +Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/ +Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230686 + +# HG changeset patch +# User Lee Salzman +# Date 1451932822 18000 +# Node ID 93617c30c0df35f719dead526b78649d564f5ac3 +# Parent 4f6e81673f6938719c86516606f2fda493e8c23c +Bug 1230686 - use RefPtr& instead of DrawTarget* to track changes in SurfaceFromElement a=ritu + +diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp +--- a/layout/base/nsLayoutUtils.cpp ++++ b/layout/base/nsLayoutUtils.cpp +@@ -6494,17 +6494,17 @@ nsLayoutUtils::IsReallyFixedPos(nsIFrame + nsIAtom *parentType = aFrame->GetParent()->GetType(); + return parentType == nsGkAtoms::viewportFrame || + parentType == nsGkAtoms::pageContentFrame; + } + + nsLayoutUtils::SurfaceFromElementResult + nsLayoutUtils::SurfaceFromElement(nsIImageLoadingContent* aElement, + uint32_t aSurfaceFlags, +- DrawTarget* aTarget) ++ RefPtr& aTarget) + { + SurfaceFromElementResult result; + nsresult rv; + + nsCOMPtr imgRequest; + rv = aElement->GetRequest(nsIImageLoadingContent::CURRENT_REQUEST, + getter_AddRefs(imgRequest)); + if (NS_FAILED(rv) || !imgRequest) +@@ -6586,41 +6586,41 @@ nsLayoutUtils::SurfaceFromElement(nsIIma + result.mImageRequest = imgRequest.forget(); + + return result; + } + + nsLayoutUtils::SurfaceFromElementResult + nsLayoutUtils::SurfaceFromElement(HTMLImageElement *aElement, + uint32_t aSurfaceFlags, +- DrawTarget* aTarget) ++ RefPtr& aTarget) + { + return SurfaceFromElement(static_cast(aElement), + aSurfaceFlags, aTarget); + } + + nsLayoutUtils::SurfaceFromElementResult + nsLayoutUtils::SurfaceFromElement(HTMLCanvasElement* aElement, + uint32_t aSurfaceFlags, +- DrawTarget* aTarget) ++ RefPtr& aTarget) + { + SurfaceFromElementResult result; + + bool* isPremultiplied = nullptr; + if (aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) { + isPremultiplied = &result.mIsPremultiplied; + } + + gfxIntSize size = aElement->GetSize(); + + result.mSourceSurface = aElement->GetSurfaceSnapshot(isPremultiplied); + if (!result.mSourceSurface) { + // If the element doesn't have a context then we won't get a snapshot. The canvas spec wants us to not error and just + // draw nothing, so return an empty surface. +- DrawTarget *ref = aTarget ? aTarget : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget(); ++ DrawTarget *ref = aTarget ? aTarget.get() : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget(); + RefPtr dt = ref->CreateSimilarDrawTarget(IntSize(size.width, size.height), + SurfaceFormat::B8G8R8A8); + if (dt) { + result.mSourceSurface = dt->Snapshot(); + } + } else if (aTarget) { + RefPtr opt = aTarget->OptimizeSourceSurface(result.mSourceSurface); + if (opt) { +@@ -6637,17 +6637,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLCa + result.mIsWriteOnly = aElement->IsWriteOnly(); + + return result; + } + + nsLayoutUtils::SurfaceFromElementResult + nsLayoutUtils::SurfaceFromElement(HTMLVideoElement* aElement, + uint32_t aSurfaceFlags, +- DrawTarget* aTarget) ++ RefPtr& aTarget) + { + SurfaceFromElementResult result; + + NS_WARN_IF_FALSE((aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) == 0, "We can't support non-premultiplied alpha for video!"); + + #ifdef MOZ_EME + if (aElement->ContainsRestrictedContent()) { + return result; +@@ -6689,17 +6689,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLVi + result.mIsWriteOnly = false; + + return result; + } + + nsLayoutUtils::SurfaceFromElementResult + nsLayoutUtils::SurfaceFromElement(dom::Element* aElement, + uint32_t aSurfaceFlags, +- DrawTarget* aTarget) ++ RefPtr& aTarget) + { + // If it's a , we may be able to just grab its internal surface + if (HTMLCanvasElement* canvas = + HTMLCanvasElement::FromContentOrNull(aElement)) { + return SurfaceFromElement(canvas, aSurfaceFlags, aTarget); + } + + // Maybe it's