diff --git a/gnu-system.am b/gnu-system.am
index fc6517ceae..78a7750b05 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -470,22 +470,7 @@ dist_patch_DATA = \
 gnu/packages/patches/hwloc-gather-topology-lstopo.patch \
 gnu/packages/patches/hydra-automake-1.15.patch \
 gnu/packages/patches/hydra-disable-darcs-test.patch \
- gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch \
- gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch \
- gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch \
- gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch \
- gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch \
- gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch \
- gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch \
- gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch \
- gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch \
- gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch \
- gnu/packages/patches/icecat-CVE-2015-2735.patch \
- gnu/packages/patches/icecat-CVE-2015-2736.patch \
- gnu/packages/patches/icecat-CVE-2015-2738.patch \
- gnu/packages/patches/icecat-CVE-2015-2739.patch \
- gnu/packages/patches/icecat-CVE-2015-2740.patch \
- gnu/packages/patches/icecat-CVE-2015-2743.patch \
+ gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch \
 gnu/packages/patches/icecat-libvpx-1.4.patch \
 gnu/packages/patches/irrlicht-mesa-10.patch \
 gnu/packages/patches/jbig2dec-ignore-testtest.patch \
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index d76bf93b8f..8be3d48871 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -230,7 +230,7 @@ (define-public nss
 (define-public icecat
 (package
 (name "icecat")
- (version "31.7.0-gnu1")
+ (version "31.8.0-gnu1")
 (source
 (origin
 (method url-fetch)
@@ -239,7 +239,7 @@ (define-public icecat
 name "-" version ".tar.bz2"))
 (sha256
 (base32
- "0a25jp5afla2dxzj7i4cyvqpa5smsn7ns3xvpzqw6pc7naixkpap"))
+ "11wx29mb5pcg4mgk07a6vjwh52ca90k0x4m9wv0v3y5dmp88f01p"))
 (modules '((guix build utils)))
 (snippet
 '(begin
@@ -278,22 +278,7 @@ (define-public icecat
 "js/src/ctypes/libffi"
 "db/sqlite3"))
 #t))
- (patches (map search-patch '("icecat-CVE-2015-2724-pt1.patch"
- "icecat-CVE-2015-2743.patch"
- "icecat-CVE-2015-2722-pt1.patch"
- "icecat-CVE-2015-2722-pt2.patch"
- "icecat-CVE-2015-2724-pt2.patch"
- "icecat-CVE-2015-2739.patch"
- "icecat-CVE-2015-2724-pt3.patch"
- "icecat-CVE-2015-2735.patch"
- "icecat-CVE-2015-2736.patch"
- "icecat-CVE-2015-2733-pt1.patch"
- "icecat-CVE-2015-2728-pt1.patch"
- "icecat-CVE-2015-2728-pt2.patch"
- "icecat-CVE-2015-2724-pt4.patch"
- "icecat-CVE-2015-2733-pt2.patch"
- "icecat-CVE-2015-2738.patch"
- "icecat-CVE-2015-2740.patch"
+ (patches (map search-patch '("icecat-enable-acceleration-and-webgl.patch"
 "icecat-libvpx-1.4.patch")))))
 (build-system gnu-build-system)
 (inputs
diff --git a/gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch
deleted file mode 100644
index e2c44ccaf8..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2722-pt1.patch
+++ /dev/null
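Review bot: The `patches` list in the last gnuzilla.scm hunk loses all sixteen `icecat-CVE-2015-*` backports and gains `icecat-enable-acceleration-and-webgl.patch` in one step, and nothing in the visible lines records why either is safe. Presumably 31.8.0-gnu1 already contains those fixes, but the hunk cannot show it; a comment above the list such as `;; CVE-2015-2722..2743 backports dropped: included upstream in 31.8.0` (once confirmed against the release notes) would let a later auditor check it. The new patch, judging by its name, turns on hardware acceleration and WebGL, which exposes GPU driver code to web content and is unrelated to the security update, so it would be easier to review and revert as a separate commit. The `origin` form begins above the hunk and the `package` form continues past it.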
@@ -1,77 +0,0 @@
-From 7805485b75d06915bcb018b8fe5cb7de4ddebddb Mon Sep 17 00:00:00 2001
-From: Andrea Marchesini
-Date: Wed, 27 May 2015 14:21:44 -0700
-Subject: [PATCH] Bug 1166924 part 0 r=bent a=lizzard
-
---HG--
-extra : source : 36bf5bcceb272fc9e303996f8dfe7350984a5e96
----
- dom/workers/XMLHttpRequest.cpp | 18 ++++++++++++++++--
- 1 file changed, 16 insertions(+), 2 deletions(-)
-
-diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
-index 748fd39..8e4200a 100644
---- a/dom/workers/XMLHttpRequest.cpp
-+++ b/dom/workers/XMLHttpRequest.cpp
-@@ -113,6 +113,7 @@ public:
- bool mLastUploadLengthComputable;
- bool mSeenLoadStart;
- bool mSeenUploadLoadStart;
-+ bool mOpening;
-
- // Only touched on the main thread.
- bool mUploadEventListenersAttached;
-@@ -127,7 +128,7 @@ public:
- mOuterEventStreamId(0), mOuterChannelId(0), mLastLoaded(0), mLastTotal(0),
- mLastUploadLoaded(0), mLastUploadTotal(0), mIsSyncXHR(false),
- mLastLengthComputable(false), mLastUploadLengthComputable(false),
-- mSeenLoadStart(false), mSeenUploadLoadStart(false),
-+ mSeenLoadStart(false), mSeenUploadLoadStart(false), mOpening(false),
- mUploadEventListenersAttached(false), mMainThreadSeenLoadStart(false),
- mInOpen(false)
- { }
-@@ -1498,7 +1499,11 @@ SendRunnable::MainThreadRun()
- variant = wvariant;
- }
-
-- MOZ_ASSERT(!mProxy->mWorkerPrivate);
-+ // Send() has been already called.
-+ if (mProxy->mWorkerPrivate) {
-+ return NS_ERROR_FAILURE;
-+ }
-+
- mProxy->mWorkerPrivate = mWorkerPrivate;
-
- MOZ_ASSERT(!mProxy->mSyncLoopTarget);
-@@ -1789,6 +1794,12 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody,
- {
- mWorkerPrivate->AssertIsOnWorkerThread();
-
-+ // No send() calls when open is running.
-+ if (mProxy->mOpening) {
-+ aRv.Throw(NS_ERROR_FAILURE);
-+ return;
-+ }
-+
- bool hasUploadListeners = mUpload ? mUpload->HasListeners() : false;
-
- MaybePin(aRv);
-@@ -1874,12 +1885,15 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
- mBackgroundRequest, mWithCredentials,
- mTimeout);
-
-+ mProxy->mOpening = true;
- if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
- ReleaseProxy();
-+ mProxy->mOpening = false;
- aRv.Throw(NS_ERROR_FAILURE);
- return;
- }
-
-+ mProxy->mOpening = false;
- mProxy->mIsSyncXHR = !aAsync;
- }
-
---
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch
deleted file mode 100644
index c82d0f7e6f..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2722-pt2.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From 6eb772aa6a0c1b21aafcfa606cc3bf07659b53b9 Mon Sep 17 00:00:00 2001
-From: Wes Kocher
-Date: Wed, 27 May 2015 14:33:22 -0700
-Subject: [PATCH] Bug 1166924 part 1 r=baku a=lizzard
-
---HG--
-extra : source : 528d47773256bfee72e7adedc78b89c9fa573b7b
----
- dom/workers/XMLHttpRequest.cpp | 20 ++++++++++++--------
- 1 file changed, 12 insertions(+), 8 deletions(-)
-
-diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
-index 8e4200a..bf0cd3f 100644
---- a/dom/workers/XMLHttpRequest.cpp
-+++ b/dom/workers/XMLHttpRequest.cpp
-@@ -140,7 +140,7 @@ public:
- Init();
-
- void
-- Teardown();
-+ Teardown(bool aSendUnpin);
-
- bool
- AddRemoveEventListeners(bool aUpload, bool aAdd);
-@@ -308,7 +308,9 @@ private:
- {
- AssertIsOnMainThread();
-
-- mProxy->Teardown();
-+ // This means the XHR was GC'd, so we can't be pinned, and we don't need to
-+ // try to unpin.
-+ mProxy->Teardown(/* aSendUnpin */ false);
- mProxy = nullptr;
-
- return NS_OK;
-@@ -563,7 +565,7 @@ private:
- virtual nsresult
- MainThreadRun() MOZ_OVERRIDE
- {
-- mProxy->Teardown();
-+ mProxy->Teardown(/* aSendUnpin */ true);
- MOZ_ASSERT(!mProxy->mSyncLoopTarget);
- return NS_OK;
- }
-@@ -935,7 +937,7 @@ Proxy::Init()
- }
-
- void
--Proxy::Teardown()
-+Proxy::Teardown(bool aSendUnpin)
- {
- AssertIsOnMainThread();
-
-@@ -948,10 +950,12 @@ Proxy::Teardown()
- mXHR->Abort();
-
- if (mOutstandingSendCount) {
-- nsRefPtr runnable =
-- new XHRUnpinRunnable(mWorkerPrivate, mXMLHttpRequestPrivate);
-- if (!runnable->Dispatch(nullptr)) {
-- NS_RUNTIMEABORT("We're going to hang at shutdown anyways.");
-+ if (aSendUnpin) {
-+ nsRefPtr runnable =
-+ new XHRUnpinRunnable(mWorkerPrivate, mXMLHttpRequestPrivate);
-+ if (!runnable->Dispatch(nullptr)) {
-+ NS_RUNTIMEABORT("We're going to hang at shutdown anyways.");
-+ }
- }
-
- if (mSyncLoopTarget) {
---
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch
deleted file mode 100644
index 0b91b1ec86..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2724-pt1.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-From 6465a9f57b13fdf3d21016a41973f13d1e7f447c Mon Sep 17 00:00:00 2001
-From: Bobby Holley
-Date: Wed, 13 May 2015 11:08:30 -0700
-Subject: [PATCH] Bug 1164567 - Grab the principal when we need it in
- MediaDecodeTask. r=jww, a=sledru
-
----
- content/media/webaudio/MediaBufferDecoder.cpp | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/content/media/webaudio/MediaBufferDecoder.cpp b/content/media/webaudio/MediaBufferDecoder.cpp
-index b9409ad..ee6538c 100644
---- a/content/media/webaudio/MediaBufferDecoder.cpp
-+++ b/content/media/webaudio/MediaBufferDecoder.cpp
-@@ -101,13 +101,6 @@ public:
- {
- MOZ_ASSERT(aBuffer);
- MOZ_ASSERT(NS_IsMainThread());
--
-- nsCOMPtr pWindow = do_QueryInterface(mDecodeJob.mContext->GetParentObject());
-- nsCOMPtr scriptPrincipal =
-- do_QueryInterface(pWindow);
-- if (scriptPrincipal) {
-- mPrincipal = scriptPrincipal->GetPrincipal();
-- }
- }
-
- NS_IMETHOD Run();
-@@ -150,7 +143,6 @@ private:
- WebAudioDecodeJob& mDecodeJob;
- PhaseEnum mPhase;
- nsCOMPtr mThreadPool;
-- nsCOMPtr mPrincipal;
- nsRefPtr mBufferDecoder;
- nsAutoPtr mDecoderReader;
- };
-@@ -179,9 +171,16 @@ MediaDecodeTask::CreateReader()
- {
- MOZ_ASSERT(NS_IsMainThread());
-
-+
-+ nsCOMPtr principal;
-+ nsCOMPtr sop = do_QueryInterface(mDecodeJob.mContext->GetParentObject());
-+ if (sop) {
-+ principal = sop->GetPrincipal();
-+ }
-+
- nsRefPtr resource =
- new BufferMediaResource(static_cast (mBuffer),
-- mLength, mPrincipal, mContentType);
-+ mLength, principal, mContentType);
-
- MOZ_ASSERT(!mBufferDecoder);
- mBufferDecoder = new BufferDecoder(resource);
---
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch
deleted file mode 100644
index 486e92c66d..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2724-pt2.patch
+++ /dev/null
@@ -1,391 +0,0 @@
-From 99641aa4446dc9df04dcfeede8b49ff03abcac42 Mon Sep 17 00:00:00 2001
-From: Jan de Mooij
-Date: Thu, 28 May 2015 10:16:24 +0200
-Subject: [PATCH] Bug 1160884 - Add KeepAlive instructions after elements/slots
- uses. r=nbp, a=abillings
-
----
- js/src/jit/CodeGenerator.cpp | 7 ++
- js/src/jit/CodeGenerator.h | 1 +
- js/src/jit/Ion.cpp | 7 ++
- js/src/jit/IonAnalysis.cpp | 112 ++++++++++++++++++++++++++++++++
- js/src/jit/IonAnalysis.h | 3 +
- js/src/jit/LIR-Common.h | 14 ++++
- js/src/jit/LOpcodes.h | 1 +
- js/src/jit/Lowering.cpp | 9 +++
- js/src/jit/Lowering.h | 1 +
- js/src/jit/MIR.h | 26 ++++++++
- js/src/jit/MOpcodes.h | 1 +
- js/src/jit/ParallelSafetyAnalysis.cpp | 1 +
- js/src/jit/shared/Lowering-shared-inl.h | 8 ++-
- js/src/jit/shared/Lowering-shared.h | 1 +
- js/src/vm/TraceLogging.h | 3 +-
- 15 files changed, 193 insertions(+), 2 deletions(-)
-
-diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
-index 5dff9df..7364178 100644
---- a/js/src/jit/CodeGenerator.cpp
-+++ b/js/src/jit/CodeGenerator.cpp
-@@ -1476,6 +1476,13 @@ CodeGenerator::visitPointer(LPointer* lir)
- }
-
- bool
-+CodeGenerator::visitKeepAliveObject(LKeepAliveObject* lir)
-+{
-+ // No-op.
-+ return true;
-+}
-+
-+bool
- CodeGenerator::visitSlots(LSlots* lir)
- {
- Address slots(ToRegister(lir->object()), JSObject::offsetOfSlots());
-diff --git a/js/src/jit/CodeGenerator.h b/js/src/jit/CodeGenerator.h
-index 95fb33b..e3b4fd7 100644
---- a/js/src/jit/CodeGenerator.h
-+++ b/js/src/jit/CodeGenerator.h
-@@ -106,6 +106,7 @@ class CodeGenerator : public CodeGeneratorSpecific
- bool visitLambdaForSingleton(LLambdaForSingleton* lir);
- bool visitLambdaPar(LLambdaPar* lir);
- bool visitPointer(LPointer* lir);
-+ bool visitKeepAliveObject(LKeepAliveObject* lir);
- bool visitSlots(LSlots* lir);
- bool visitStoreSlotV(LStoreSlotV* store);
- bool visitElements(LElements* lir);
-diff --git a/js/src/jit/Ion.cpp b/js/src/jit/Ion.cpp
-index 015d387..1551a80 100644
---- a/js/src/jit/Ion.cpp
-+++ b/js/src/jit/Ion.cpp
-@@ -1536,6 +1536,13 @@ OptimizeMIR(MIRGenerator* mir)
- AssertGraphCoherency(graph);
- }
-
-+ if (!mir->compilingAsmJS()) {
-+ AutoTraceLog log(logger, TraceLogger::AddKeepAliveInstructions);
-+ AddKeepAliveInstructions(graph);
-+ IonSpewPass("Add KeepAlive Instructions");
-+ AssertGraphCoherency(graph);
-+ }
-+
- return true;
- }
-
-diff --git a/js/src/jit/IonAnalysis.cpp b/js/src/jit/IonAnalysis.cpp
-index 8965724..af58aae 100644
---- a/js/src/jit/IonAnalysis.cpp
-+++ b/js/src/jit/IonAnalysis.cpp
-@@ -1971,6 +1971,118 @@ jit::UnsplitEdges(LIRGraph* lir)
- return true;
- }
-
-+static bool
-+NeedsKeepAlive(MInstruction* slotsOrElements, MInstruction* use)
-+{
-+ MOZ_ASSERT(slotsOrElements->type() == MIRType_Elements ||
-+ slotsOrElements->type() == MIRType_Slots);
-+
-+ if (slotsOrElements->block() != use->block())
-+ return true;
-+
-+ MBasicBlock* block = use->block();
-+ MInstructionIterator iter(block->begin(slotsOrElements));
-+ MOZ_ASSERT(*iter == slotsOrElements);
-+ ++iter;
-+
-+ while (true) {
-+ if (*iter == use)
-+ return false;
-+
-+ switch (iter->op()) {
-+ case MDefinition::Op_Nop:
-+ case MDefinition::Op_Constant:
-+ case MDefinition::Op_KeepAliveObject:
-+ case MDefinition::Op_Unbox:
-+ case MDefinition::Op_LoadSlot:
-+ case MDefinition::Op_StoreSlot:
-+ case MDefinition::Op_LoadFixedSlot:
-+ case MDefinition::Op_StoreFixedSlot:
-+ case MDefinition::Op_LoadElement:
-+ case MDefinition::Op_StoreElement:
-+ case MDefinition::Op_InitializedLength:
-+ case MDefinition::Op_ArrayLength:
-+ case MDefinition::Op_BoundsCheck:
-+ iter++;
-+ break;
-+ default:
-+ return true;
-+ }
-+ }
-+
-+ MOZ_CRASH("Unreachable");
-+}
-+
-+void
-+jit::AddKeepAliveInstructions(MIRGraph& graph)
-+{
-+ for (MBasicBlockIterator i(graph.begin()); i != graph.end(); i++) {
-+ MBasicBlock* block = *i;
-+
-+ for (MInstructionIterator insIter(block->begin()); insIter != block->end(); insIter++) {
-+ MInstruction* ins = *insIter;
-+ if (ins->type() != MIRType_Elements && ins->type() != MIRType_Slots)
-+ continue;
-+
-+ MDefinition* ownerObject;
-+ switch (ins->op()) {
-+ case MDefinition::Op_ConstantElements:
-+ case MDefinition::Op_NewSlots:
-+ continue;
-+ case MDefinition::Op_ConvertElementsToDoubles:
-+ // EliminateRedundantChecks should have replaced all uses.
-+ MOZ_ASSERT(!ins->hasUses());
-+ continue;
-+ case MDefinition::Op_Elements:
-+ case MDefinition::Op_TypedArrayElements:
-+ case MDefinition::Op_TypedObjectElements:
-+ MOZ_ASSERT(ins->numOperands() == 1);
-+ ownerObject = ins->getOperand(0);
-+ break;
-+ case MDefinition::Op_Slots:
-+ ownerObject = ins->toSlots()->object();
-+ break;
-+ default:
-+ MOZ_CRASH("Unexpected op");
-+ }
-+
-+ MOZ_ASSERT(ownerObject->type() == MIRType_Object);
-+
-+ if (ownerObject->isConstant()) {
-+ // Constants are kept alive by other pointers, for instance
-+ // ImmGCPtr in JIT code.
-+ continue;
-+ }
-+
-+ for (MUseDefIterator uses(ins); uses; uses++) {
-+ MInstruction* use = uses.def()->toInstruction();
-+
-+ if (use->isStoreElementHole()) {
-+ // StoreElementHole has an explicit object operand. If GVN
-+ // is disabled, we can get different unbox instructions with
-+ // the same object as input, so we check for that case.
-+ MOZ_ASSERT_IF(!use->toStoreElementHole()->object()->isUnbox() && !ownerObject->isUnbox(),
-+ use->toStoreElementHole()->object() == ownerObject);
-+ continue;
-+ }
-+
-+ if (use->isInArray()) {
-+ // See StoreElementHole case above.
-+ MOZ_ASSERT_IF(!use->toInArray()->object()->isUnbox() && !ownerObject->isUnbox(),
-+ use->toInArray()->object() == ownerObject);
-+ continue;
-+ }
-+
-+ if (!NeedsKeepAlive(ins, use))
-+ continue;
-+
-+ MKeepAliveObject* keepAlive = MKeepAliveObject::New(graph.alloc(), ownerObject);
-+ use->block()->insertAfter(use, keepAlive);
-+ }
-+ }
-+ }
-+}
-+
- bool
- LinearSum::multiply(int32_t scale)
- {
-diff --git a/js/src/jit/IonAnalysis.h b/js/src/jit/IonAnalysis.h
-index aabf835..a320418 100644
---- a/js/src/jit/IonAnalysis.h
-+++ b/js/src/jit/IonAnalysis.h
-@@ -64,6 +64,9 @@ AssertExtendedGraphCoherency(MIRGraph& graph);
- bool
- EliminateRedundantChecks(MIRGraph& graph);
-
-+void
-+AddKeepAliveInstructions(MIRGraph& graph);
-+
- bool
- UnsplitEdges(LIRGraph* lir);
-
-diff --git a/js/src/jit/LIR-Common.h b/js/src/jit/LIR-Common.h
-index 5fe0ee9..6b03a42 100644
---- a/js/src/jit/LIR-Common.h
-+++ b/js/src/jit/LIR-Common.h
-@@ -3591,6 +3591,20 @@ class LImplicitThis : public LInstructionHelper
- }
- };
-
-+class LKeepAliveObject : public LInstructionHelper<0, 1, 0>
-+{
-+ public:
-+ LIR_HEADER(KeepAliveObject)
-+
-+ explicit LKeepAliveObject(const LAllocation& object) {
-+ setOperand(0, object);
-+ }
-+
-+ const LAllocation* object() {
-+ return getOperand(0);
-+ }
-+};
-+
- // Load the "slots" member out of a JSObject.
- // Input: JSObject pointer
- // Output: slots pointer
-diff --git a/js/src/jit/LOpcodes.h b/js/src/jit/LOpcodes.h
-index cd7eef8..424b22c 100644
---- a/js/src/jit/LOpcodes.h
-+++ b/js/src/jit/LOpcodes.h
-@@ -166,6 +166,7 @@
- _(LambdaForSingleton) \
- _(LambdaPar) \
- _(ImplicitThis) \
-+ _(KeepAliveObject) \
- _(Slots) \
- _(Elements) \
- _(ConvertElementsToDoubles) \
-diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
-index d671fd4..c0d434e 100644
---- a/js/src/jit/Lowering.cpp
-+++ b/js/src/jit/Lowering.cpp
-@@ -2110,6 +2110,15 @@ LIRGenerator::visitImplicitThis(MImplicitThis* ins)
- }
-
- bool
-+LIRGenerator::visitKeepAliveObject(MKeepAliveObject* ins)
-+{
-+ MDefinition* obj = ins->object();
-+ MOZ_ASSERT(obj->type() == MIRType_Object);
-+
-+ return add(new(alloc()) LKeepAliveObject(useKeepalive(obj)), ins);
-+}
-+
-+bool
- LIRGenerator::visitSlots(MSlots* ins)
- {
- return define(new(alloc()) LSlots(useRegisterAtStart(ins->object())), ins);
-diff --git a/js/src/jit/Lowering.h b/js/src/jit/Lowering.h
-index ea50cab..a60dc30 100644
---- a/js/src/jit/Lowering.h
-+++ b/js/src/jit/Lowering.h
-@@ -160,6 +160,7 @@ class LIRGenerator : public LIRGeneratorSpecific
- bool visitLambdaArrow(MLambdaArrow* ins);
- bool visitLambdaPar(MLambdaPar* ins);
- bool visitImplicitThis(MImplicitThis* ins);
-+ bool visitKeepAliveObject(MKeepAliveObject* ins);
- bool visitSlots(MSlots* ins);
- bool visitElements(MElements* ins);
- bool visitConstantElements(MConstantElements* ins);
-diff --git a/js/src/jit/MIR.h b/js/src/jit/MIR.h
-index 48e1dfb..a6060a2 100644
---- a/js/src/jit/MIR.h
-+++ b/js/src/jit/MIR.h
-@@ -5790,6 +5790,32 @@ class MSetTypedObjectOffset
- }
- };
-
-+class MKeepAliveObject
-+ : public MUnaryInstruction,
-+ public SingleObjectPolicy
-+{
-+ explicit MKeepAliveObject(MDefinition* object)
-+ : MUnaryInstruction(object)
-+ {
-+ setResultType(MIRType_None);
-+ setGuard();
-+ }
-+
-+ public:
-+ INSTRUCTION_HEADER(KeepAliveObject)
-+
-+ static MKeepAliveObject* New(TempAllocator& alloc, MDefinition* object) {
-+ return new(alloc) MKeepAliveObject(object);
-+ }
-+
-+ MDefinition* object() const {
-+ return getOperand(0);
-+ }
-+ TypePolicy* typePolicy() {
-+ return this;
-+ }
-+};
-+
- // Perform !-operation
- class MNot
- : public MUnaryInstruction,
-diff --git a/js/src/jit/MOpcodes.h b/js/src/jit/MOpcodes.h
-index 83b9e63..cfc3895 100644
---- a/js/src/jit/MOpcodes.h
-+++ b/js/src/jit/MOpcodes.h
-@@ -110,6 +110,7 @@ namespace jit {
- _(Lambda) \
- _(LambdaArrow) \
- _(ImplicitThis) \
-+ _(KeepAliveObject) \
- _(Slots) \
- _(Elements) \
- _(ConstantElements) \
-diff --git a/js/src/jit/ParallelSafetyAnalysis.cpp b/js/src/jit/ParallelSafetyAnalysis.cpp
-index a6a1202..13c577b 100644
---- a/js/src/jit/ParallelSafetyAnalysis.cpp
-+++ b/js/src/jit/ParallelSafetyAnalysis.cpp
-@@ -199,6 +199,7 @@ class ParallelSafetyVisitor : public MInstructionVisitor
- CUSTOM_OP(Lambda)
- UNSAFE_OP(LambdaArrow)
- UNSAFE_OP(ImplicitThis)
-+ SAFE_OP(KeepAliveObject)
- SAFE_OP(Slots)
- SAFE_OP(Elements)
- SAFE_OP(ConstantElements)
-diff --git a/js/src/jit/shared/Lowering-shared-inl.h b/js/src/jit/shared/Lowering-shared-inl.h
-index 17bb74a..832cc61 100644
---- a/js/src/jit/shared/Lowering-shared-inl.h
-+++ b/js/src/jit/shared/Lowering-shared-inl.h
-@@ -372,11 +372,17 @@ LIRGeneratorShared::useStorableAtStart(MDefinition* mir)
- #endif
-
- LAllocation
-+LIRGeneratorShared::useKeepalive(MDefinition* mir)
-+{
-+ return use(mir, LUse(LUse::KEEPALIVE));
-+}
-+
-+LAllocation
- LIRGeneratorShared::useKeepaliveOrConstant(MDefinition* mir)
- {
- if (mir->isConstant())
- return LAllocation(mir->toConstant()->vp());
-- return use(mir, LUse(LUse::KEEPALIVE));
-+ return useKeepalive(mir);
- }
-
- LUse
-diff --git a/js/src/jit/shared/Lowering-shared.h b/js/src/jit/shared/Lowering-shared.h
-index 4bd13b0..b23d20e 100644
---- a/js/src/jit/shared/Lowering-shared.h
-+++ b/js/src/jit/shared/Lowering-shared.h
-@@ -85,6 +85,7 @@ class LIRGeneratorShared : public MInstructionVisitorWithDefaults
- // this is a generic "things we can expect to write into memory in 1 instruction"
- inline LAllocation useStorable(MDefinition* mir);
- inline LAllocation useStorableAtStart(MDefinition* mir);
-+ inline LAllocation useKeepalive(MDefinition* mir);
- inline LAllocation useKeepaliveOrConstant(MDefinition* mir);
- inline LAllocation useRegisterOrConstant(MDefinition* mir);
- inline LAllocation useRegisterOrConstantAtStart(MDefinition* mir);
-diff --git a/js/src/vm/TraceLogging.h b/js/src/vm/TraceLogging.h
-index 4c2ebfe..8447679 100644
---- a/js/src/vm/TraceLogging.h
-+++ b/js/src/vm/TraceLogging.h
-@@ -145,7 +145,8 @@ namespace jit {
- _(EffectiveAddressAnalysis) \
- _(EliminateDeadCode) \
- _(EdgeCaseAnalysis) \
-- _(EliminateRedundantChecks)
-+ _(EliminateRedundantChecks) \
-+ _(AddKeepAliveInstructions)
-
- class AutoTraceLog;
-
---
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch
deleted file mode 100644
index 4b31bf1c6e..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2724-pt3.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From 5da8e2ffd63deac27c0faca7dabee3623867dd6e Mon Sep 17 00:00:00 2001
-From: Steven Michaud
-Date: Wed, 3 Jun 2015 11:18:25 -0500
-Subject: [PATCH] Bug 1154876 - Block calls to hooked methods off the plugin
- thread. r=spohl a=abillings
-
----
- dom/plugins/ipc/PluginInterposeOSX.mm | 17 ++++++++---------
- 1 file changed, 8 insertions(+), 9 deletions(-)
-
-diff --git a/dom/plugins/ipc/PluginInterposeOSX.mm b/dom/plugins/ipc/PluginInterposeOSX.mm
-index f43192b..cfd8e57 100644
---- a/dom/plugins/ipc/PluginInterposeOSX.mm
-+++ b/dom/plugins/ipc/PluginInterposeOSX.mm
-@@ -38,8 +38,7 @@
- #import
- #import
-
--using mozilla::plugins::PluginModuleChild;
--using mozilla::plugins::AssertPluginThread;
-+using namespace mozilla::plugins;
-
- namespace mac_plugin_interposing {
-
-@@ -544,7 +543,7 @@ void NSCursorInfo::SetCustomImageData(uint8_t* aData, uint32_t aDataLength)
- bool NSCursorInfo::GetNativeCursorsSupported()
- {
- if (mNativeCursorsSupported == -1) {
-- AssertPluginThread();
-+ ENSURE_PLUGIN_THREAD(false);
- PluginModuleChild *pmc = PluginModuleChild::current();
- if (pmc) {
- bool result = pmc->GetNativeCursorsSupported();
-@@ -689,7 +688,7 @@ void FocusPluginProcess() {
-
- void NotifyBrowserOfPluginShowWindow(uint32_t window_id, CGRect bounds,
- bool modal) {
-- AssertPluginThread();
-+ ENSURE_PLUGIN_THREAD_VOID();
-
- PluginModuleChild *pmc = PluginModuleChild::current();
- if (pmc)
-@@ -697,7 +696,7 @@ void NotifyBrowserOfPluginShowWindow(uint32_t window_id, CGRect bounds,
- }
-
- void NotifyBrowserOfPluginHideWindow(uint32_t window_id, CGRect bounds) {
-- AssertPluginThread();
-+ ENSURE_PLUGIN_THREAD_VOID();
-
- PluginModuleChild *pmc = PluginModuleChild::current();
- if (pmc)
-@@ -706,7 +705,7 @@ void NotifyBrowserOfPluginHideWindow(uint32_t window_id, CGRect bounds) {
-
- void NotifyBrowserOfSetCursor(NSCursorInfo& aCursorInfo)
- {
-- AssertPluginThread();
-+ ENSURE_PLUGIN_THREAD_VOID();
- PluginModuleChild *pmc = PluginModuleChild::current();
- if (pmc) {
- pmc->SetCursor(aCursorInfo);
-@@ -715,7 +714,7 @@ void NotifyBrowserOfSetCursor(NSCursorInfo& aCursorInfo)
-
- void NotifyBrowserOfShowCursor(bool show)
- {
-- AssertPluginThread();
-+ ENSURE_PLUGIN_THREAD_VOID();
- PluginModuleChild *pmc = PluginModuleChild::current();
- if (pmc) {
- pmc->ShowCursor(show);
-@@ -724,7 +723,7 @@ void NotifyBrowserOfShowCursor(bool show)
-
- void NotifyBrowserOfPushCursor(NSCursorInfo& aCursorInfo)
- {
-- AssertPluginThread();
-+ ENSURE_PLUGIN_THREAD_VOID();
- PluginModuleChild *pmc = PluginModuleChild::current();
- if (pmc) {
- pmc->PushCursor(aCursorInfo);
-@@ -733,7 +732,7 @@ void NotifyBrowserOfPushCursor(NSCursorInfo& aCursorInfo)
-
- void NotifyBrowserOfPopCursor()
- {
-- AssertPluginThread();
-+ ENSURE_PLUGIN_THREAD_VOID();
- PluginModuleChild *pmc = PluginModuleChild::current();
- if (pmc) {
- pmc->PopCursor();
---
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch b/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch
deleted file mode 100644
index 90c15e663e..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2724-pt4.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From 96dc9518fab0929293a8fc388f6a4a64d05b0f6f Mon Sep 17 00:00:00 2001
-From: Jan de Mooij
-Date: Wed, 10 Jun 2015 18:01:09 +0200
-Subject: [PATCH] Bug 1143679 - Make TryNoteIterIon behave more like
- Baseline/interpreter iterators. r=shu, a=lizzard
-
---HG--
-extra : transplant_source : W%D0%1FGe%29%2A%E2%BC%0C%09%3BH%92%2A%A0%5CO%FD%89
----
- js/src/jit/IonFrames.cpp | 20 +++++++++++++++++---
- 1 file changed, 17 insertions(+), 3 deletions(-)
-
-diff --git a/js/src/jit/IonFrames.cpp b/js/src/jit/IonFrames.cpp
-index 51f4301..3e41c0a 100644
---- a/js/src/jit/IonFrames.cpp
-+++ b/js/src/jit/IonFrames.cpp
-@@ -356,14 +356,20 @@ JitFrameIterator::machineState() const
- return machine;
- }
-
-+static uint32_t
-+NumArgAndLocalSlots(const InlineFrameIterator& frame)
-+{
-+ JSScript* script = frame.script();
-+ return CountArgSlots(script, frame.maybeCallee()) + script->nfixed();
-+}
-+
- static void
--CloseLiveIterator(JSContext* cx, const InlineFrameIterator& frame, uint32_t localSlot)
-+CloseLiveIterator(JSContext* cx, const InlineFrameIterator& frame, uint32_t stackSlot)
- {
- SnapshotIterator si = frame.snapshotIterator();
-
- // Skip stack slots until we reach the iterator object.
-- uint32_t base = CountArgSlots(frame.script(), frame.maybeCallee()) + frame.script()->nfixed();
-- uint32_t skipSlots = base + localSlot - 1;
-+ uint32_t skipSlots = NumArgAndLocalSlots(frame) + stackSlot - 1;
-
- for (unsigned i = 0; i < skipSlots; i++)
- si.skip();
-@@ -407,6 +413,11 @@ HandleExceptionIon(JSContext* cx, const InlineFrameIterator& frame, ResumeFromEx
- if (!script->hasTrynotes())
- return;
-
-+ uint32_t base = NumArgAndLocalSlots(frame);
-+ SnapshotIterator si = frame.snapshotIterator();
-+ JS_ASSERT(si.numAllocations() >= base);
-+ const uint32_t stackDepth = si.numAllocations() - base;
-+
- JSTryNote* tn = script->trynotes()->vector;
- JSTryNote* tnEnd = tn + script->trynotes()->length;
-
-@@ -417,6 +428,9 @@ HandleExceptionIon(JSContext* cx, const InlineFrameIterator& frame, ResumeFromEx
- if (pcOffset >= tn->start + tn->length)
- continue;
-
-+ if (tn->stackDepth > stackDepth)
-+ continue;
-+
- switch (tn->kind) {
- case JSTRY_ITER: {
- JS_ASSERT(JSOp(*(script->main() + tn->start + tn->length)) == JSOP_ENDITER);
---
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch
deleted file mode 100644
index 8bcae6177a..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2728-pt1.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 81ce99255a0ef65c98eaac300d90c1dc161efc54 Mon Sep 17 00:00:00 2001
-From: Ben Turner
-Date: Tue, 9 Jun 2015 09:46:58 -0400
-Subject: [PATCH] Bug 1142210. r=khuey, a=dveditz CLOSED TREE
-
---HG--
-extra : amend_source : 5626188ba4b79f7c25286d4f29c63dc387e63c75
-extra : transplant_source : %F0%A1%D6F%E6%1B%1FJO%BFH%29%FFo%97%2A%89%03%ECm
----
- dom/indexedDB/IDBRequest.cpp | 5 +++++
- dom/indexedDB/IDBRequest.h | 3 +++
- dom/indexedDB/IndexedDatabaseManager.cpp | 22 +++++++++++++++++-----
- 3 files changed, 25 insertions(+), 5 deletions(-)
-
-diff --git a/dom/indexedDB/IDBRequest.cpp b/dom/indexedDB/IDBRequest.cpp
-index 36e8a96..695f2ee 100644
---- a/dom/indexedDB/IDBRequest.cpp
-+++ b/dom/indexedDB/IDBRequest.cpp
-@@ -35,6 +35,8 @@
-
- namespace {
-
-+NS_DEFINE_IID(kIDBRequestIID, PRIVATE_IDBREQUEST_IID);
-+
- #ifdef MOZ_ENABLE_PROFILER_SPS
- uint64_t gNextRequestSerialNumber = 1;
- #endif
-@@ -382,6 +384,9 @@ NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(IDBRequest, IDBWrapperCache)
- NS_IMPL_CYCLE_COLLECTION_TRACE_END
-
- NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(IDBRequest)
-+ if (aIID.Equals(kIDBRequestIID)) {
-+ foundInterface = this;
-+ } else
- NS_INTERFACE_MAP_END_INHERITING(IDBWrapperCache)
-
- NS_IMPL_ADDREF_INHERITED(IDBRequest, IDBWrapperCache)
-diff --git a/dom/indexedDB/IDBRequest.h b/dom/indexedDB/IDBRequest.h
-index c835ae8..c8d1081 100644
---- a/dom/indexedDB/IDBRequest.h
-+++ b/dom/indexedDB/IDBRequest.h
-@@ -19,6 +19,9 @@
-
- #include "mozilla/dom/indexedDB/IDBWrapperCache.h"
-
-+#define PRIVATE_IDBREQUEST_IID \
-+ {0xe68901e5, 0x1d50, 0x4ee9, {0xaf, 0x49, 0x90, 0x99, 0x4a, 0xff, 0xc8, 0x39}}
-+
- class nsIScriptContext;
- class nsPIDOMWindow;
-
-diff --git a/dom/indexedDB/IndexedDatabaseManager.cpp b/dom/indexedDB/IndexedDatabaseManager.cpp
-index 466d0ff..820dfa6 100644
---- a/dom/indexedDB/IndexedDatabaseManager.cpp
-+++ b/dom/indexedDB/IndexedDatabaseManager.cpp
-@@ -318,19 +318,31 @@ IndexedDatabaseManager::FireWindowOnError(nsPIDOMWindow* aOwner,
- return NS_OK;
- }
-
-+ Event* internalEvent = aVisitor.mDOMEvent->InternalDOMEvent();
-+ MOZ_ASSERT(internalEvent);
-+
-+ if (!internalEvent->IsTrusted()) {
-+ return NS_OK;
-+ }
-+
- nsString type;
-- nsresult rv = aVisitor.mDOMEvent->GetType(type);
-+ nsresult rv = internalEvent->GetType(type);
- NS_ENSURE_SUCCESS(rv, rv);
-
- if (!type.EqualsLiteral(ERROR_EVT_STR)) {
- return NS_OK;
- }
-
-- nsCOMPtr eventTarget =
-- aVisitor.mDOMEvent->InternalDOMEvent()->GetTarget();
-+ nsCOMPtr eventTarget = internalEvent->GetTarget();
-+ MOZ_ASSERT(eventTarget);
-
-- IDBRequest* request = static_cast(eventTarget.get());
-- NS_ENSURE_TRUE(request, NS_ERROR_UNEXPECTED);
-+ // Only mess with events that were originally targeted to an IDBRequest.
-+ nsRefPtr request;
-+ if (NS_FAILED(eventTarget->QueryInterface(kIDBRequestIID,
-+ getter_AddRefs(request))) ||
-+ !request) {
-+ return NS_OK;
-+ }
-
- ErrorResult ret;
- nsRefPtr error = request->GetError(ret);
---
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch
deleted file mode 100644
index 5097cd0aef..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2728-pt2.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From ecb3805b4425165d35b82874d4f9c55b75fb5390 Mon Sep 17 00:00:00 2001
-From: Ryan VanderMeulen
-Date: Tue, 9 Jun 2015 12:12:13 -0400
-Subject: [PATCH] Bug 1142210 - Bustage follow-up on a CLOSED TREE.
-
---HG--
-extra : transplant_source : %06B%8EGN%40%985%DC%D5%0E%DD%13%29%8AC%BF%1A%BA%B6
----
- dom/indexedDB/IndexedDatabaseManager.cpp | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/dom/indexedDB/IndexedDatabaseManager.cpp b/dom/indexedDB/IndexedDatabaseManager.cpp
-index 820dfa6..eabfe09 100644
---- a/dom/indexedDB/IndexedDatabaseManager.cpp
-+++ b/dom/indexedDB/IndexedDatabaseManager.cpp
-@@ -108,6 +108,8 @@ END_INDEXEDDB_NAMESPACE
-
- namespace {
-
-+NS_DEFINE_IID(kIDBRequestIID, PRIVATE_IDBREQUEST_IID);
-+
- mozilla::StaticRefPtr gDBManager;
-
- mozilla::Atomic gInitialized(false);
---
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch
deleted file mode 100644
index 261d3e0e2c..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2733-pt1.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From bfad3fb6fc3ab05819be144567ad99921c0c87be Mon Sep 17 00:00:00 2001
-From: Andrea Marchesini
-Date: Thu, 4 Jun 2015 15:04:09 +0100
-Subject: [PATCH] Bug 1169867 - nsXMLHttpRequest should use and free mProxy
- correctly. r=ehsan, a=abillings
-
---HG--
-extra : transplant_source : 7%D0%8A%F8G%3E%E3%D5%07%5B%7F%D4%2Ct%A6v%CCk%A1%F5
----
- dom/workers/XMLHttpRequest.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp
-index bf0cd3f..5690af5 100644
---- a/dom/workers/XMLHttpRequest.cpp
-+++ b/dom/workers/XMLHttpRequest.cpp
-@@ -1891,8 +1891,8 @@ XMLHttpRequest::Open(const nsACString& aMethod, const nsAString& aUrl,
-
- mProxy->mOpening = true;
- if (!runnable->Dispatch(mWorkerPrivate->GetJSContext())) {
-- ReleaseProxy();
- mProxy->mOpening = false;
-+ ReleaseProxy();
- aRv.Throw(NS_ERROR_FAILURE);
- return;
- }
---
-2.4.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch
deleted file mode 100644
index cc74a33871..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2733-pt2.patch
+++ /dev/null
@@ -1,31 +0,0 @@ -From 72cd6e97ae12b89659cd59788bad08cd2f514eff Mon Sep 17 00:00:00 2001 -From: Andrea Marchesini -Date: Fri, 12 Jun 2015 10:06:19 -0400 -Subject: [PATCH] Bug 1169867 - XMLHttpRequest::SendInternal should not unpin - itself when the worker goes away. r=bent, a=abillings - ---HG-- -extra : transplant_source : %28%B3%BD%9D%E2p%F3%BE%94S%CCD%08%8B%07%8A%CC%17%B0%7B ---- - dom/workers/XMLHttpRequest.cpp | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/dom/workers/XMLHttpRequest.cpp b/dom/workers/XMLHttpRequest.cpp -index 5690af5..d425eac 100644 ---- a/dom/workers/XMLHttpRequest.cpp -+++ b/dom/workers/XMLHttpRequest.cpp -@@ -1829,6 +1829,11 @@ XMLHttpRequest::SendInternal(const nsAString& aStringBody, - new SendRunnable(mWorkerPrivate, mProxy, aStringBody, Move(aBody), - aClonedObjects, syncLoopTarget, hasUploadListeners); - if (!runnable->Dispatch(cx)) { -+ // Dispatch() may have spun the event loop and we may have already unrooted. -+ // If so we don't want autoUnpin to try again. -+ if (!mRooted) { -+ autoUnpin.Clear(); -+ } - aRv.Throw(NS_ERROR_FAILURE); - return; - } --- -2.4.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-2735.patch b/gnu/packages/patches/icecat-CVE-2015-2735.patch deleted file mode 100644 index fd39bde113..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-2735.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From 8c8a52d7c05d75c3c608e4deed4bb33ab90883b0 Mon Sep 17 00:00:00 2001 -From: Andrea Marchesini -Date: Thu, 4 Jun 2015 15:04:10 +0100 -Subject: [PATCH] Bug 1166900 - Better string length check in - nsZipArchive::GetDataOffset. r+a=dveditz - ---- - dom/file/ArchiveZipFile.cpp | 6 ++++-- - modules/libjar/nsZipArchive.cpp | 15 +++++++++------ - 2 files changed, 13 insertions(+), 8 deletions(-) - -diff --git a/dom/file/ArchiveZipFile.cpp b/dom/file/ArchiveZipFile.cpp -index c206b64..d28b5ba 100644 ---- a/dom/file/ArchiveZipFile.cpp -+++ b/dom/file/ArchiveZipFile.cpp -@@ -102,7 +102,8 @@ ArchiveInputStream::Init() - uint32_t offset = ArchiveZipItem::StrToInt32(mCentral.localhdr_offset); - - // The file is corrupt -- if (offset + ZIPLOCAL_SIZE > mData.parentSize) { -+ if (mData.parentSize < ZIPLOCAL_SIZE || -+ offset > mData.parentSize - ZIPLOCAL_SIZE) { - return NS_ERROR_UNEXPECTED; - } - -@@ -137,7 +138,8 @@ ArchiveInputStream::Init() - ArchiveZipItem::StrToInt16(local.extrafield_len); - - // The file is corrupt if there is not enough data -- if (offset + mData.sizeToBeRead > mData.parentSize) { -+ if (mData.parentSize < mData.sizeToBeRead || -+ offset > mData.parentSize - mData.sizeToBeRead) { - return NS_ERROR_UNEXPECTED; - } - -diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp -index f8af715..5ec8225 100644 ---- a/modules/libjar/nsZipArchive.cpp -+++ b/modules/libjar/nsZipArchive.cpp -@@ -637,18 +637,20 @@ MOZ_WIN_MEM_TRY_BEGIN - uint16_t namelen = xtoint(central->filename_len); - uint16_t extralen = xtoint(central->extrafield_len); - uint16_t commentlen = xtoint(central->commentfield_len); -- -- // Point to the next item at the top of loop -- buf += ZIPCENTRAL_SIZE + namelen + extralen + commentlen; -+ uint32_t diff = ZIPCENTRAL_SIZE + namelen + extralen + commentlen; - - // Sanity check variable sizes and refuse to deal with - // anything too big: it's likely a corrupt archive. 
- if (namelen < 1 || - namelen > kMaxNameLength || -- buf >= endp) { -+ buf >= buf + diff || // No overflow -+ buf >= endp - diff) { - return NS_ERROR_FILE_CORRUPTED; - } - -+ // Point to the next item at the top of loop -+ buf += diff; -+ - nsZipItem* item = CreateZipItem(); - if (!item) - return NS_ERROR_OUT_OF_MEMORY; -@@ -779,7 +781,7 @@ MOZ_WIN_MEM_TRY_BEGIN - uint32_t len = mFd->mLen; - const uint8_t* data = mFd->mFileData; - uint32_t offset = aItem->LocalOffset(); -- if (offset + ZIPLOCAL_SIZE > len) -+ if (len < ZIPLOCAL_SIZE || offset > len - ZIPLOCAL_SIZE) - return nullptr; - - // -- check signature before using the structure, in case the zip file is corrupt -@@ -795,7 +797,8 @@ MOZ_WIN_MEM_TRY_BEGIN - xtoint(Local->extrafield_len); - - // -- check if there is enough source data in the file -- if (offset + aItem->Size() > len) -+ if (len < aItem->Size() || -+ offset > len - aItem->Size()) - return nullptr; - - return data + offset; --- -2.4.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-2736.patch b/gnu/packages/patches/icecat-CVE-2015-2736.patch deleted file mode 100644 index a59cc64d10..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-2736.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -From 6daa986c7fdf27835a0f5d897c88f6b8dc42b8db Mon Sep 17 00:00:00 2001 -From: Andrea Marchesini -Date: Thu, 4 Jun 2015 15:04:10 +0100 -Subject: [PATCH] Bug 1167888 - Better string length check in - nsZipArchive::BuildFileList. r=smaug, a=dveditz - ---HG-- -extra : transplant_source : %5E6%3E%84%B6a%7F%1F%D21zGc%BD%E1%80%EF%0C%B5%F0 ---- - modules/libjar/nsZipArchive.cpp | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp -index cb3e5d0..f8af715 100644 ---- a/modules/libjar/nsZipArchive.cpp -+++ b/modules/libjar/nsZipArchive.cpp -@@ -617,8 +617,13 @@ MOZ_WIN_MEM_TRY_BEGIN - if (!centralOffset) - return NS_ERROR_FILE_CORRUPTED; - -- //-- Read the central directory headers - buf = startp + centralOffset; -+ -+ // avoid overflow of startp + centralOffset. -+ if (buf < startp) -+ return NS_ERROR_FILE_CORRUPTED; -+ -+ //-- Read the central directory headers - uint32_t sig = 0; - while (buf + int32_t(sizeof(uint32_t)) <= endp && - (sig = xtolong(buf)) == CENTRALSIG) { --- -2.4.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-2738.patch b/gnu/packages/patches/icecat-CVE-2015-2738.patch deleted file mode 100644 index beb784c615..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-2738.patch +++ /dev/null 
@@ -1,151 +0,0 @@ -From cda807c21650d0678761d6af8fd324ce622962d6 Mon Sep 17 00:00:00 2001 -From: Andrew Comminos -Date: Fri, 19 Jun 2015 11:32:17 -0400 -Subject: [PATCH] Bug 1167356 - Handle return value of DataSourceSurface::Map - wherever possible. r=Bas, a=abillings CLOSED TREE - ---- - gfx/2d/SourceSurfaceD2D1.cpp | 11 +++++++++-- - gfx/gl/GLScreenBuffer.cpp | 5 ++++- - gfx/gl/SharedSurfaceGL.cpp | 5 ++++- - gfx/layers/YCbCrImageDataSerializer.cpp | 4 +++- - gfx/layers/opengl/CompositorOGL.cpp | 6 +++++- - gfx/thebes/gfxPlatform.cpp | 6 ++++-- - widget/gtk/nsImageToPixbuf.cpp | 4 +++- - 7 files changed, 32 insertions(+), 9 deletions(-) - -diff --git a/gfx/2d/SourceSurfaceD2D1.cpp b/gfx/2d/SourceSurfaceD2D1.cpp -index fc64327..01f3a67 100644 ---- a/gfx/2d/SourceSurfaceD2D1.cpp -+++ b/gfx/2d/SourceSurfaceD2D1.cpp -@@ -5,6 +5,7 @@ - - #include "SourceSurfaceD2D1.h" - #include "DrawTargetD2D1.h" -+#include "Logging.h" - #include "Tools.h" - - namespace mozilla { -@@ -156,7 +157,10 @@ DataSourceSurfaceD2D1::Map(MapType aMapType, MappedSurface *aMappedSurface) - } - - D2D1_MAPPED_RECT map; -- mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map); -+ if (FAILED(mBitmap->Map(D2D1_MAP_OPTIONS_READ, &map))) { -+ gfxCriticalError() << "Failed to map bitmap."; -+ return false; -+ } - aMappedSurface->mData = map.bits; - aMappedSurface->mStride = map.pitch; - -@@ -189,7 +193,10 @@ DataSourceSurfaceD2D1::EnsureMapped() - if (mMapped) { - return; - } -- mBitmap->Map(D2D1_MAP_OPTIONS_READ, &mMap); -+ if (FAILED(mBitmap->Map(D2D1_MAP_OPTIONS_READ, &mMap))) { -+ gfxCriticalError() << "Failed to map bitmap."; -+ return; -+ } - mMapped = true; - } - -diff --git a/gfx/gl/GLScreenBuffer.cpp b/gfx/gl/GLScreenBuffer.cpp -index 432bdbc..d31e848 100755 ---- a/gfx/gl/GLScreenBuffer.cpp -+++ b/gfx/gl/GLScreenBuffer.cpp -@@ -483,7 +483,10 @@ GLScreenBuffer::Readback(SharedSurface_GL* src, DataSourceSurface* dest) - { - MOZ_ASSERT(src && dest); - DataSourceSurface::MappedSurface ms; -- 
dest->Map(DataSourceSurface::MapType::READ, &ms); -+ if (!dest->Map(DataSourceSurface::MapType::READ, &ms)) { -+ NS_ERROR("Failed to map surface for reading."); -+ return; -+ } - nsRefPtr wrappedDest = - new gfxImageSurface(ms.mData, - ThebesIntSize(dest->GetSize()), -diff --git a/gfx/gl/SharedSurfaceGL.cpp b/gfx/gl/SharedSurfaceGL.cpp -index 1aab56f..1f80c28 100644 ---- a/gfx/gl/SharedSurfaceGL.cpp -+++ b/gfx/gl/SharedSurfaceGL.cpp -@@ -326,7 +326,10 @@ SharedSurface_Basic::Fence() - ScopedBindFramebuffer autoFB(mGL, mFB); - - DataSourceSurface::MappedSurface map; -- mData->Map(DataSourceSurface::MapType::WRITE, &map); -+ if (!mData->Map(DataSourceSurface::MapType::WRITE, &map)) { -+ NS_ERROR("Failed to map surface for writing."); -+ return; -+ } - nsRefPtr wrappedData = - new gfxImageSurface(map.mData, - ThebesIntSize(mData->GetSize()), -diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp -index e16db18..6e7a908 100644 ---- a/gfx/layers/YCbCrImageDataSerializer.cpp -+++ b/gfx/layers/YCbCrImageDataSerializer.cpp -@@ -278,7 +278,9 @@ YCbCrImageDataDeserializer::ToDataSourceSurface() - Factory::CreateDataSourceSurface(GetYSize(), gfx::SurfaceFormat::B8G8R8X8); - - DataSourceSurface::MappedSurface map; -- result->Map(DataSourceSurface::MapType::WRITE, &map); -+ if (NS_WARN_IF(!result->Map(DataSourceSurface::MapType::WRITE, &map))) { -+ return nullptr; -+ } - - gfx::ConvertYCbCrToRGB32(GetYData(), GetCbData(), GetCrData(), - map.mData, -diff --git a/gfx/layers/opengl/CompositorOGL.cpp b/gfx/layers/opengl/CompositorOGL.cpp -index 92432c3..2e0b51e 100644 ---- a/gfx/layers/opengl/CompositorOGL.cpp -+++ b/gfx/layers/opengl/CompositorOGL.cpp -@@ -1346,7 +1346,11 @@ CompositorOGL::CopyToTarget(DrawTarget *aTarget, const gfx::Matrix& aTransform) - Factory::CreateDataSourceSurface(rect.Size(), gfx::SurfaceFormat::B8G8R8A8); - - DataSourceSurface::MappedSurface map; -- source->Map(DataSourceSurface::MapType::WRITE, &map); -+ if 
(!source->Map(DataSourceSurface::MapType::WRITE, &map)) { -+ NS_ERROR("Failed to map surface for writing!"); -+ return; -+ } -+ - // XXX we should do this properly one day without using the gfxImageSurface - nsRefPtr surf = - new gfxImageSurface(map.mData, -diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp -index c869e53..8a2122c 100644 ---- a/gfx/thebes/gfxPlatform.cpp -+++ b/gfx/thebes/gfxPlatform.cpp -@@ -662,8 +662,10 @@ CopySurface(gfxASurface* aSurface) - } - - DataSourceSurface::MappedSurface map; -- DebugOnly result = data->Map(DataSourceSurface::WRITE, &map); -- MOZ_ASSERT(result, "Should always succeed mapping raw data surfaces!"); -+ if (!data->Map(DataSourceSurface::WRITE, &map)) { -+ NS_ERROR("Failed to map surface for reading!"); -+ return nullptr; -+ } - - nsRefPtr image = new gfxImageSurface(map.mData, size, map.mStride, format); - nsRefPtr ctx = new gfxContext(image); -diff --git a/widget/gtk/nsImageToPixbuf.cpp b/widget/gtk/nsImageToPixbuf.cpp -index ca05b3b..a83a570 100644 ---- a/widget/gtk/nsImageToPixbuf.cpp -+++ b/widget/gtk/nsImageToPixbuf.cpp -@@ -75,7 +75,9 @@ nsImageToPixbuf::SourceSurfaceToPixbuf(SourceSurface* aSurface, - - RefPtr dataSurface = aSurface->GetDataSurface(); - DataSourceSurface::MappedSurface map; -- dataSurface->Map(DataSourceSurface::MapType::READ, &map); -+ if (!dataSurface->Map(DataSourceSurface::MapType::READ, &map)) -+ return nullptr; -+ - uint8_t* srcData = map.mData; - int32_t srcStride = map.mStride; - --- -2.4.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-2739.patch b/gnu/packages/patches/icecat-CVE-2015-2739.patch deleted file mode 100644 index 9f70db8cf9..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-2739.patch +++ /dev/null 
@@ -1,66 +0,0 @@ -From 55d0298956b8a3cfbd5b70fe32fb07e120d364c2 Mon Sep 17 00:00:00 2001 -From: Boris Zbarsky -Date: Mon, 1 Jun 2015 16:59:26 -0700 -Subject: [PATCH] Bug 1168207. Be a bit more careful with overflow checking in - XHR. r=baku a=lizzard - ---- - content/base/src/nsXMLHttpRequest.cpp | 25 +++++++++++++++---------- - 1 file changed, 15 insertions(+), 10 deletions(-) - -diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp -index 58a9ee0..56d1aa3 100644 ---- a/content/base/src/nsXMLHttpRequest.cpp -+++ b/content/base/src/nsXMLHttpRequest.cpp -@@ -7,6 +7,7 @@ - #include "nsXMLHttpRequest.h" - - #include "mozilla/ArrayUtils.h" -+#include "mozilla/CheckedInt.h" - #include "mozilla/dom/XMLHttpRequestUploadBinding.h" - #include "mozilla/EventDispatcher.h" - #include "mozilla/EventListenerManager.h" -@@ -3897,26 +3898,30 @@ bool - ArrayBufferBuilder::append(const uint8_t *aNewData, uint32_t aDataLen, - uint32_t aMaxGrowth) - { -+ CheckedUint32 neededCapacity = mLength; -+ neededCapacity += aDataLen; -+ if (!neededCapacity.isValid()) { -+ return false; -+ } - if (mLength + aDataLen > mCapacity) { -- uint32_t newcap; -+ CheckedUint32 newcap = mCapacity; - // Double while under aMaxGrowth or if not specified. - if (!aMaxGrowth || mCapacity < aMaxGrowth) { -- newcap = mCapacity * 2; -+ newcap *= 2; - } else { -- newcap = mCapacity + aMaxGrowth; -+ newcap += aMaxGrowth; - } - -- // But make sure there's always enough to satisfy our request. -- if (newcap < mLength + aDataLen) { -- newcap = mLength + aDataLen; -+ if (!newcap.isValid()) { -+ return false; - } - -- // Did we overflow? -- if (newcap < mCapacity) { -- return false; -+ // But make sure there's always enough to satisfy our request. -+ if (newcap.value() < neededCapacity.value()) { -+ newcap = neededCapacity; - } - -- if (!setCapacity(newcap)) { -+ if (!setCapacity(newcap.value())) { - return false; - } - } --- -2.4.3 - 
diff --git a/gnu/packages/patches/icecat-CVE-2015-2740.patch b/gnu/packages/patches/icecat-CVE-2015-2740.patch deleted file mode 100644 index caafa52a23..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-2740.patch +++ /dev/null @@ -1,52 +0,0 @@ -From ccbae7ff07c2e72c48e0676adaa3e798990f33a1 Mon Sep 17 00:00:00 2001 -From: Andrea Marchesini -Date: Tue, 23 Jun 2015 10:47:38 -0400 -Subject: [PATCH] Bug 1170809 - Improve the buffer size check in - nsXMLHttpRequest::AppendToResponseText. r=ehsan, r=bz, a=abillings - ---- - content/base/src/nsXMLHttpRequest.cpp | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/content/base/src/nsXMLHttpRequest.cpp b/content/base/src/nsXMLHttpRequest.cpp -index 56d1aa3..86425d7 100644 ---- a/content/base/src/nsXMLHttpRequest.cpp -+++ b/content/base/src/nsXMLHttpRequest.cpp -@@ -655,13 +655,18 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer, - &destBufferLen); - NS_ENSURE_SUCCESS(rv, rv); - -- if (!mResponseText.SetCapacity(mResponseText.Length() + destBufferLen, fallible_t())) { -+ uint32_t size = mResponseText.Length() + destBufferLen; -+ if (size < (uint32_t)destBufferLen) { -+ return NS_ERROR_OUT_OF_MEMORY; -+ } -+ -+ if (!mResponseText.SetCapacity(size, fallible_t())) { - return NS_ERROR_OUT_OF_MEMORY; - } - - char16_t* destBuffer = mResponseText.BeginWriting() + mResponseText.Length(); - -- int32_t totalChars = mResponseText.Length(); -+ CheckedInt32 totalChars = mResponseText.Length(); - - // This code here is basically a copy of a similar thing in - // nsScanner::Append(const char* aBuffer, uint32_t aLen). -@@ -674,9 +679,11 @@ nsXMLHttpRequest::AppendToResponseText(const char * aSrcBuffer, - MOZ_ASSERT(NS_SUCCEEDED(rv)); - - totalChars += destlen; -+ if (!totalChars.isValid()) { -+ return NS_ERROR_OUT_OF_MEMORY; -+ } - -- mResponseText.SetLength(totalChars); -- -+ mResponseText.SetLength(totalChars.value()); - return NS_OK; - } - --- -2.4.3 - 
diff --git a/gnu/packages/patches/icecat-CVE-2015-2743.patch b/gnu/packages/patches/icecat-CVE-2015-2743.patch
deleted file mode 100644
index a74fe7b270..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-2743.patch
+++ /dev/null
@@ -1,73 +0,0 @@ -From 9ed97d606aaaf79776b0e19a73ba30d8ad0685b5 Mon Sep 17 00:00:00 2001 -From: Ben Turner -Date: Tue, 26 May 2015 17:27:01 -0400 -Subject: [PATCH] Bug 1163109 - Restrict the resource:// weirdness in workers - to loads from a system principal. r=bzbarsky, a=lizzard - ---HG-- -extra : transplant_source : sQUdu%7C%ED%84%CA%5B%91%89/%1B2%25%CFY%B0%C3 ---- - dom/workers/ScriptLoader.cpp | 37 ++++++++++++++++--------------------- - 1 file changed, 16 insertions(+), 21 deletions(-) - -diff --git a/dom/workers/ScriptLoader.cpp b/dom/workers/ScriptLoader.cpp -index 0dfe625..3335c3e 100644 ---- a/dom/workers/ScriptLoader.cpp -+++ b/dom/workers/ScriptLoader.cpp -@@ -509,22 +509,6 @@ private: - rv = ssm->GetChannelPrincipal(channel, getter_AddRefs(channelPrincipal)); - NS_ENSURE_SUCCESS(rv, rv); - -- // See if this is a resource URI. Since JSMs usually come from resource:// -- // URIs we're currently considering all URIs with the URI_IS_UI_RESOURCE -- // flag as valid for creating privileged workers. -- if (!nsContentUtils::IsSystemPrincipal(channelPrincipal)) { -- bool isResource; -- rv = NS_URIChainHasFlags(finalURI, -- nsIProtocolHandler::URI_IS_UI_RESOURCE, -- &isResource); -- NS_ENSURE_SUCCESS(rv, rv); -- -- if (isResource) { -- rv = ssm->GetSystemPrincipal(getter_AddRefs(channelPrincipal)); -- NS_ENSURE_SUCCESS(rv, rv); -- } -- } -- - // If the load principal is the system principal then the channel - // principal must also be the system principal (we do not allow chrome - // code to create workers with non-chrome scripts). Otherwise this channel -@@ -532,14 +516,25 @@ private: - // here in case redirects changed the location of the script). - if (nsContentUtils::IsSystemPrincipal(loadPrincipal)) { - if (!nsContentUtils::IsSystemPrincipal(channelPrincipal)) { -- return NS_ERROR_DOM_BAD_URI; -+ // See if this is a resource URI. 
Since JSMs usually come from -+ // resource:// URIs we're currently considering all URIs with the -+ // URI_IS_UI_RESOURCE flag as valid for creating privileged workers. -+ bool isResource; -+ rv = NS_URIChainHasFlags(finalURI, -+ nsIProtocolHandler::URI_IS_UI_RESOURCE, -+ &isResource); -+ NS_ENSURE_SUCCESS(rv, rv); -+ -+ if (isResource) { -+ // Assign the system principal to the resource:// worker only if it -+ // was loaded from code using the system principal. -+ channelPrincipal = loadPrincipal; -+ } else { -+ return NS_ERROR_DOM_BAD_URI; -+ } - } - } - else { -- nsCString scheme; -- rv = finalURI->GetScheme(scheme); -- NS_ENSURE_SUCCESS(rv, rv); -- - // We exempt data urls and other URI's that inherit their - // principal again. - if (NS_FAILED(loadPrincipal->CheckMayLoad(finalURI, false, true))) { --- -2.4.3 - diff --git a/gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch b/gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch new file mode 100644 index 0000000000..3d3c4c592a --- /dev/null +++ b/gnu/packages/patches/icecat-enable-acceleration-and-webgl.patch @@ -0,0 +1,12 @@ +Re-enable hardware acceleration and WebGL. + +--- icecat-31.8.0/browser/app/profile/icecat.js.orig 2015-07-13 18:14:27.000000000 -0400 ++++ icecat-31.8.0/browser/app/profile/icecat.js 2015-07-15 13:55:39.273124982 -0400 +@@ -1756,7 +1756,3 @@ + pref("security.ssl3.dhe_rsa_aes_256_sha", false); + pref("security.ssl3.dhe_dss_aes_128_sha", false); + pref("security.ssl3.dhe_rsa_des_ede3_sha", false); +- +-// Disable hardware acceleration and WebGL +-pref("layers.acceleration.disabled", true); +-pref("webgl.disabled", true);
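Review bot: The header of the new icecat-enable-acceleration-and-webgl.patch says only `Re-enable hardware acceleration and WebGL.` and gives no reason for removing `pref("layers.acceleration.disabled", true);` and `pref("webgl.disabled", true);`, which upstream's icecat.js sets under its own `// Disable hardware acceleration and WebGL` comment. With both prefs gone, page content can exercise the GPU driver and GL stack again, so this is a security-relevant default that the distribution now owns rather than inherits. I would extend the header to record the decision, for example `Re-enable hardware acceleration and WebGL, which upstream IceCat disables by default; <reason for the override>.` Whether upstream chose the default for hardening or for another reason is not visible from this hunk, so the header should say which concern was weighed.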