ryan77627/guix
1
0
Fork 0
mirror of https://git.in.rschanz.org/ryan77627/guix.git synced 2024-11-07 07:26:13 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

gnu: icecat: Add several security fixes.

Browse source 
* gnu/packages/patches/icecat-CVE-2015-4477.patch,
gnu/packages/patches/icecat-CVE-2015-7207.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt01.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt02.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt04.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt05.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt06.patch,
gnu/packages/patches/icecat-CVE-2016-1954.patch,
gnu/packages/patches/icecat-CVE-2016-1960.patch,
gnu/packages/patches/icecat-CVE-2016-1961.patch,
gnu/packages/patches/icecat-CVE-2016-1962.patch,
gnu/packages/patches/icecat-CVE-2016-1964.patch,
gnu/packages/patches/icecat-CVE-2016-1965.patch,
gnu/packages/patches/icecat-CVE-2016-1966.patch,
gnu/packages/patches/icecat-CVE-2016-1974.patch,
gnu/packages/patches/icecat-bug-1248851.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
This commit is contained in:
Mark H Weaver 2016-03-10 02:57:05 -05:00
parent ec278439f3
commit c3499ad6b8
19 changed files with 2802 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
gnu-system.am
View file

@ -528,6 +528,23 @@ dist_patch_DATA = \
gnu/packages/patches/icecat-update-graphite2.patch \
gnu/packages/patches/icecat-update-graphite2-pt2.patch \
gnu/packages/patches/icecat-re-enable-DHE-cipher-suites.patch \
gnu/packages/patches/icecat-CVE-2015-4477.patch \
gnu/packages/patches/icecat-CVE-2015-7207.patch \
gnu/packages/patches/icecat-CVE-2016-1952-pt01.patch \
gnu/packages/patches/icecat-CVE-2016-1952-pt02.patch \
gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch \
gnu/packages/patches/icecat-CVE-2016-1952-pt04.patch \
gnu/packages/patches/icecat-CVE-2016-1952-pt05.patch \
gnu/packages/patches/icecat-CVE-2016-1952-pt06.patch \
gnu/packages/patches/icecat-CVE-2016-1954.patch \
gnu/packages/patches/icecat-CVE-2016-1960.patch \
gnu/packages/patches/icecat-CVE-2016-1961.patch \
gnu/packages/patches/icecat-CVE-2016-1962.patch \
gnu/packages/patches/icecat-CVE-2016-1964.patch \
gnu/packages/patches/icecat-CVE-2016-1965.patch \
gnu/packages/patches/icecat-CVE-2016-1966.patch \
gnu/packages/patches/icecat-CVE-2016-1974.patch \
gnu/packages/patches/icecat-bug-1248851.patch \
gnu/packages/patches/icu4c-CVE-2014-6585.patch \
gnu/packages/patches/icu4c-CVE-2015-1270.patch \
gnu/packages/patches/icu4c-CVE-2015-4760.patch \

19
gnu/packages/gnuzilla.scm
View file

@ -291,7 +291,24 @@ (define-public icecat
'("icecat-avoid-bundled-includes.patch"
"icecat-re-enable-DHE-cipher-suites.patch"
"icecat-update-graphite2.patch"
"icecat-update-graphite2-pt2.patch")))
"icecat-update-graphite2-pt2.patch"
"icecat-CVE-2015-4477.patch"
"icecat-CVE-2015-7207.patch"
"icecat-CVE-2016-1952-pt01.patch"
"icecat-CVE-2016-1952-pt02.patch"
"icecat-CVE-2016-1952-pt03.patch"
"icecat-CVE-2016-1952-pt04.patch"
"icecat-CVE-2016-1952-pt05.patch"
"icecat-CVE-2016-1952-pt06.patch"
"icecat-CVE-2016-1954.patch"
"icecat-CVE-2016-1960.patch"
"icecat-CVE-2016-1961.patch"
"icecat-CVE-2016-1962.patch"
"icecat-CVE-2016-1964.patch"
"icecat-CVE-2016-1965.patch"
"icecat-CVE-2016-1966.patch"
"icecat-CVE-2016-1974.patch"
"icecat-bug-1248851.patch")))
(modules '((guix build utils)))
(snippet
'(begin

37
gnu/packages/patches/icecat-CVE-2015-4477.patch Normal file
View file

@ -0,0 +1,37 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/beae8783b8c2
# HG changeset patch
# User Paul Adenot <paul@paul.cx>
# Date 1456422965 0
# Node ID beae8783b8c2c672da12a95c70ae663cbd0d5016
# Parent 3a606f8182c82480f8f350b622ab55a170ec1eb6
Bug 1179484. r=roc
MozReview-Commit-ID: HNaYLyMe3sM
diff --git a/dom/media/webaudio/MediaStreamAudioDestinationNode.cpp b/dom/media/webaudio/MediaStreamAudioDestinationNode.cpp
--- a/dom/media/webaudio/MediaStreamAudioDestinationNode.cpp
+++ b/dom/media/webaudio/MediaStreamAudioDestinationNode.cpp
@@ -69,16 +69,20 @@ MediaStreamAudioDestinationNode::MediaSt
ChannelInterpretation::Speakers)
, mDOMStream(DOMAudioNodeMediaStream::CreateTrackUnionStream(GetOwner(),
this))
{
TrackUnionStream* tus = static_cast<TrackUnionStream*>(mDOMStream->GetStream());
MOZ_ASSERT(tus == mDOMStream->GetStream()->AsProcessedStream());
tus->SetTrackIDFilter(FilterAudioNodeStreamTrack);
+ if (aContext->Graph() != tus->Graph()) {
+ return;
+ }
+
MediaStreamDestinationEngine* engine = new MediaStreamDestinationEngine(this, tus);
mStream = aContext->Graph()->CreateAudioNodeStream(engine, MediaStreamGraph::INTERNAL_STREAM);
mPort = tus->AllocateInputPort(mStream, 0);
nsIDocument* doc = aContext->GetParentObject()->GetExtantDoc();
if (doc) {
mDOMStream->CombineWithPrincipal(doc->NodePrincipal());
}

1140
gnu/packages/patches/icecat-CVE-2015-7207.patch Normal file
View file

File diff suppressed because it is too large Load diff

356
gnu/packages/patches/icecat-CVE-2016-1952-pt01.patch Normal file
View file

@ -0,0 +1,356 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/c1d67bd4c993
# HG changeset patch
# User Timothy Nikkel <tnikkel@gmail.com>
# Date 1454023801 21600
# Node ID c1d67bd4c993b9e344c68954e6f0392c82b81e38
# Parent 530559abe159d3c23f078d673d30ff03d9c244e2
Bug 1224979 - Check if we compute usable filters for the downscaler, and if not put the downscaler in error state so it's not used. r=edwin, a=al
diff --git a/image/Downscaler.cpp b/image/Downscaler.cpp
new file mode 100644
--- /dev/null
+++ b/image/Downscaler.cpp
@@ -0,0 +1,340 @@
+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 2 -*-
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "Downscaler.h"
+
+#include <algorithm>
+#include <ctime>
+#include "gfxPrefs.h"
+#include "image_operations.h"
+#include "mozilla/SSE.h"
+#include "convolver.h"
+#include "skia/include/core/SkTypes.h"
+
+using std::max;
+using std::swap;
+
+namespace mozilla {
+namespace image {
+
+Downscaler::Downscaler(const nsIntSize& aTargetSize)
+ : mTargetSize(aTargetSize)
+ , mOutputBuffer(nullptr)
+ , mXFilter(MakeUnique<skia::ConvolutionFilter1D>())
+ , mYFilter(MakeUnique<skia::ConvolutionFilter1D>())
+ , mWindowCapacity(0)
+ , mHasAlpha(true)
+ , mFlipVertically(false)
+{
+ MOZ_ASSERT(gfxPrefs::ImageDownscaleDuringDecodeEnabled(),
+ "Downscaling even though downscale-during-decode is disabled?");
+ MOZ_ASSERT(mTargetSize.width > 0 && mTargetSize.height > 0,
+ "Invalid target size");
+}
+
+Downscaler::~Downscaler()
+{
+ ReleaseWindow();
+}
+
+void
+Downscaler::ReleaseWindow()
+{
+ if (!mWindow) {
+ return;
+ }
+
+ for (int32_t i = 0; i < mWindowCapacity; ++i) {
+ delete[] mWindow[i];
+ }
+
+ mWindow = nullptr;
+ mWindowCapacity = 0;
+}
+
+nsresult
+Downscaler::BeginFrame(const nsIntSize& aOriginalSize,
+ const Maybe<nsIntRect>& aFrameRect,
+ uint8_t* aOutputBuffer,
+ bool aHasAlpha,
+ bool aFlipVertically /* = false */)
+{
+ MOZ_ASSERT(aOutputBuffer);
+ MOZ_ASSERT(mTargetSize != aOriginalSize,
+ "Created a downscaler, but not downscaling?");
+ MOZ_ASSERT(mTargetSize.width <= aOriginalSize.width,
+ "Created a downscaler, but width is larger");
+ MOZ_ASSERT(mTargetSize.height <= aOriginalSize.height,
+ "Created a downscaler, but height is larger");
+ MOZ_ASSERT(aOriginalSize.width > 0 && aOriginalSize.height > 0,
+ "Invalid original size");
+
+ mFrameRect = aFrameRect.valueOr(nsIntRect(nsIntPoint(), aOriginalSize));
+ MOZ_ASSERT(mFrameRect.x >= 0 && mFrameRect.y >= 0 &&
+ mFrameRect.width >= 0 && mFrameRect.height >= 0,
+ "Frame rect must have non-negative components");
+ MOZ_ASSERT(nsIntRect(0, 0, aOriginalSize.width, aOriginalSize.height)
+ .Contains(mFrameRect),
+ "Frame rect must fit inside image");
+ MOZ_ASSERT_IF(!nsIntRect(0, 0, aOriginalSize.width, aOriginalSize.height)
+ .IsEqualEdges(mFrameRect),
+ aHasAlpha);
+
+ mOriginalSize = aOriginalSize;
+ mScale = gfxSize(double(mOriginalSize.width) / mTargetSize.width,
+ double(mOriginalSize.height) / mTargetSize.height);
+ mOutputBuffer = aOutputBuffer;
+ mHasAlpha = aHasAlpha;
+ mFlipVertically = aFlipVertically;
+
+ ReleaseWindow();
+
+ auto resizeMethod = skia::ImageOperations::RESIZE_LANCZOS3;
+
+ skia::resize::ComputeFilters(resizeMethod,
+ mOriginalSize.width, mTargetSize.width,
+ 0, mTargetSize.width,
+ mXFilter.get());
+
+ if (mXFilter->max_filter() <= 0 || mXFilter->num_values() != mTargetSize.width) {
+ NS_WARNING("Failed to compute filters for image downscaling");
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ skia::resize::ComputeFilters(resizeMethod,
+ mOriginalSize.height, mTargetSize.height,
+ 0, mTargetSize.height,
+ mYFilter.get());
+
+ if (mYFilter->max_filter() <= 0 || mYFilter->num_values() != mTargetSize.height) {
+ NS_WARNING("Failed to compute filters for image downscaling");
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ // Allocate the buffer, which contains scanlines of the original image.
+ // pad by 15 to handle overreads by the simd code
+ size_t bufferLen = mOriginalSize.width * sizeof(uint32_t) + 15;
+ mRowBuffer.reset(new (fallible) uint8_t[bufferLen]);
+ if (MOZ_UNLIKELY(!mRowBuffer)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ // Zero buffer to keep valgrind happy.
+ memset(mRowBuffer.get(), 0, bufferLen);
+
+ // Allocate the window, which contains horizontally downscaled scanlines. (We
+ // can store scanlines which are already downscale because our downscaling
+ // filter is separable.)
+ mWindowCapacity = mYFilter->max_filter();
+ mWindow.reset(new (fallible) uint8_t*[mWindowCapacity]);
+ if (MOZ_UNLIKELY(!mWindow)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ bool anyAllocationFailed = false;
+ // pad by 15 to handle overreads by the simd code
+ const int rowSize = mTargetSize.width * sizeof(uint32_t) + 15;
+ for (int32_t i = 0; i < mWindowCapacity; ++i) {
+ mWindow[i] = new (fallible) uint8_t[rowSize];
+ anyAllocationFailed = anyAllocationFailed || mWindow[i] == nullptr;
+ }
+
+ if (MOZ_UNLIKELY(anyAllocationFailed)) {
+ // We intentionally iterate through the entire array even if an allocation
+ // fails, to ensure that all the pointers in it are either valid or nullptr.
+ // That in turn ensures that ReleaseWindow() can clean up correctly.
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
+
+ ResetForNextProgressivePass();
+
+ return NS_OK;
+}
+
+void
+Downscaler::SkipToRow(int32_t aRow)
+{
+ if (mCurrentInLine < aRow) {
+ ClearRow();
+ do {
+ CommitRow();
+ } while (mCurrentInLine < aRow);
+ }
+}
+
+void
+Downscaler::ResetForNextProgressivePass()
+{
+ mPrevInvalidatedLine = 0;
+ mCurrentOutLine = 0;
+ mCurrentInLine = 0;
+ mLinesInBuffer = 0;
+
+ if (mFrameRect.IsEmpty()) {
+ // Our frame rect is zero size; commit rows until the end of the image.
+ SkipToRow(mOriginalSize.height - 1);
+ } else {
+ // If we have a vertical offset, commit rows to shift us past it.
+ SkipToRow(mFrameRect.y);
+ }
+}
+
+static void
+GetFilterOffsetAndLength(UniquePtr<skia::ConvolutionFilter1D>& aFilter,
+ int32_t aOutputImagePosition,
+ int32_t* aFilterOffsetOut,
+ int32_t* aFilterLengthOut)
+{
+ MOZ_ASSERT(aOutputImagePosition < aFilter->num_values());
+ aFilter->FilterForValue(aOutputImagePosition,
+ aFilterOffsetOut,
+ aFilterLengthOut);
+}
+
+void
+Downscaler::ClearRow(uint32_t aStartingAtCol)
+{
+ MOZ_ASSERT(int64_t(mOriginalSize.width) > int64_t(aStartingAtCol));
+ uint32_t bytesToClear = (mOriginalSize.width - aStartingAtCol)
+ * sizeof(uint32_t);
+ memset(mRowBuffer.get() + (aStartingAtCol * sizeof(uint32_t)),
+ 0, bytesToClear);
+}
+
+void
+Downscaler::CommitRow()
+{
+ MOZ_ASSERT(mOutputBuffer, "Should have a current frame");
+ MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input");
+
+ if (mCurrentOutLine < mTargetSize.height) {
+ int32_t filterOffset = 0;
+ int32_t filterLength = 0;
+ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+ &filterOffset, &filterLength);
+
+ int32_t inLineToRead = filterOffset + mLinesInBuffer;
+ MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+ if (mCurrentInLine == inLineToRead) {
+ skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+ mWindow[mLinesInBuffer++], mHasAlpha,
+ supports_sse2());
+ }
+
+ MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
+ "Writing past end of output");
+
+ while (mLinesInBuffer == filterLength) {
+ DownscaleInputLine();
+
+ if (mCurrentOutLine == mTargetSize.height) {
+ break; // We're done.
+ }
+
+ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+ &filterOffset, &filterLength);
+ }
+ }
+
+ mCurrentInLine += 1;
+
+ // If we're at the end of the part of the original image that has data, commit
+ // rows to shift us to the end.
+ if (mCurrentInLine == (mFrameRect.y + mFrameRect.height)) {
+ SkipToRow(mOriginalSize.height - 1);
+ }
+}
+
+bool
+Downscaler::HasInvalidation() const
+{
+ return mCurrentOutLine > mPrevInvalidatedLine;
+}
+
+DownscalerInvalidRect
+Downscaler::TakeInvalidRect()
+{
+ if (MOZ_UNLIKELY(!HasInvalidation())) {
+ return DownscalerInvalidRect();
+ }
+
+ DownscalerInvalidRect invalidRect;
+
+ // Compute the target size invalid rect.
+ if (mFlipVertically) {
+ // We need to flip it. This will implicitly flip the original size invalid
+ // rect, since we compute it by scaling this rect.
+ invalidRect.mTargetSizeRect =
+ IntRect(0, mTargetSize.height - mCurrentOutLine,
+ mTargetSize.width, mCurrentOutLine - mPrevInvalidatedLine);
+ } else {
+ invalidRect.mTargetSizeRect =
+ IntRect(0, mPrevInvalidatedLine,
+ mTargetSize.width, mCurrentOutLine - mPrevInvalidatedLine);
+ }
+
+ mPrevInvalidatedLine = mCurrentOutLine;
+
+ // Compute the original size invalid rect.
+ invalidRect.mOriginalSizeRect = invalidRect.mTargetSizeRect;
+ invalidRect.mOriginalSizeRect.ScaleRoundOut(mScale.width, mScale.height);
+
+ return invalidRect;
+}
+
+void
+Downscaler::DownscaleInputLine()
+{
+ typedef skia::ConvolutionFilter1D::Fixed FilterValue;
+
+ MOZ_ASSERT(mOutputBuffer);
+ MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
+ "Writing past end of output");
+
+ int32_t filterOffset = 0;
+ int32_t filterLength = 0;
+ MOZ_ASSERT(mCurrentOutLine < mYFilter->num_values());
+ auto filterValues =
+ mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
+
+ int32_t currentOutLine = mFlipVertically
+ ? mTargetSize.height - (mCurrentOutLine + 1)
+ : mCurrentOutLine;
+ MOZ_ASSERT(currentOutLine >= 0);
+
+ uint8_t* outputLine =
+ &mOutputBuffer[currentOutLine * mTargetSize.width * sizeof(uint32_t)];
+ skia::ConvolveVertically(static_cast<const FilterValue*>(filterValues),
+ filterLength, mWindow.get(), mXFilter->num_values(),
+ outputLine, mHasAlpha, supports_sse2());
+
+ mCurrentOutLine += 1;
+
+ if (mCurrentOutLine == mTargetSize.height) {
+ // We're done.
+ return;
+ }
+
+ int32_t newFilterOffset = 0;
+ int32_t newFilterLength = 0;
+ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+ &newFilterOffset, &newFilterLength);
+
+ int diff = newFilterOffset - filterOffset;
+ MOZ_ASSERT(diff >= 0, "Moving backwards in the filter?");
+
+ // Shift the buffer. We're just moving pointers here, so this is cheap.
+ mLinesInBuffer -= diff;
+ mLinesInBuffer = max(mLinesInBuffer, 0);
+ for (int32_t i = 0; i < mLinesInBuffer; ++i) {
+ swap(mWindow[i], mWindow[filterLength - mLinesInBuffer + i]);
+ }
+}
+
+
+
+} // namespace image
+} // namespace mozilla

58
gnu/packages/patches/icecat-CVE-2016-1952-pt02.patch Normal file
View file

@ -0,0 +1,58 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/9719b71d72dd
# HG changeset patch
# User Byron Campen [:bwc] <docfaraday@gmail.com>
# Date 1454100887 21600
# Node ID 9719b71d72dd2a3c5ee12ace156af2a63d9595ac
# Parent b68673d974a10f65390f80b36d4307eb31e44669
Bug 1234578 - Assert if PCM is destroyed improperly. r=rjesup, a=sylvestre
diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp
--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp
+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.cpp
@@ -712,16 +712,18 @@ PeerConnectionMedia::SelfDestruct_m()
{
CSFLogDebug(logTag, "%s: ", __FUNCTION__);
ASSERT_ON_THREAD(mMainThread);
mLocalSourceStreams.Clear();
mRemoteSourceStreams.Clear();
+ mMainThread = nullptr;
+
// Final self-destruct.
this->Release();
}
void
PeerConnectionMedia::ShutdownMediaTransport_s()
{
ASSERT_ON_THREAD(mSTSThread);
diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.h b/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.h
--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.h
+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionMedia.h
@@ -210,17 +210,20 @@ class RemoteSourceStreamInfo : public So
std::vector<std::string> mTrackIdMap;
// True iff SetPullEnabled(true) has been called on the DOMMediaStream. This
// happens when offer/answer concludes.
bool mReceiving;
};
class PeerConnectionMedia : public sigslot::has_slots<> {
- ~PeerConnectionMedia() {}
+ ~PeerConnectionMedia()
+ {
+ MOZ_RELEASE_ASSERT(!mMainThread);
+ }
public:
explicit PeerConnectionMedia(PeerConnectionImpl *parent);
PeerConnectionImpl* GetPC() { return mParent; }
nsresult Init(const std::vector<NrIceStunServer>& stun_servers,
const std::vector<NrIceTurnServer>& turn_servers);
// WARNING: This destroys the object!

60
gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch Normal file
View file

@ -0,0 +1,60 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/2839062f84fb
# HG changeset patch
# User Jan de Mooij <jdemooij@mozilla.com>
# Date 1455119320 -3600
# Node ID 2839062f84fb6cba2781ea8d59150f13d4813ddc
# Parent 185b233ea03f3811404e3979b65ec86b29d13555
Bug 1242279 - r=bhackett1024 a=sylvestre
diff --git a/js/src/vm/TypeInference.cpp b/js/src/vm/TypeInference.cpp
--- a/js/src/vm/TypeInference.cpp
+++ b/js/src/vm/TypeInference.cpp
@@ -3961,16 +3961,22 @@ JSScript::maybeSweepTypes(AutoClearTypeI
unsigned num = TypeScript::NumTypeSets(this);
StackTypeSet* typeArray = types_->typeArray();
// Remove constraints and references to dead objects from stack type sets.
for (unsigned i = 0; i < num; i++)
typeArray[i].sweep(zone(), *oom);
+ if (oom->hadOOM()) {
+ // It's possible we OOM'd while copying freeze constraints, so they
+ // need to be regenerated.
+ hasFreezeConstraints_ = false;
+ }
+
// Update the recompile indexes in any IonScripts still on the script.
if (hasIonScript())
ionScript()->recompileInfoRef().shouldSweep(types);
}
void
TypeScript::destroy()
{
diff --git a/js/src/vm/TypeInference.h b/js/src/vm/TypeInference.h
--- a/js/src/vm/TypeInference.h
+++ b/js/src/vm/TypeInference.h
@@ -566,16 +566,19 @@ class AutoClearTypeInferenceStateOnOOM
: zone(zone), oom(false)
{}
~AutoClearTypeInferenceStateOnOOM();
void setOOM() {
oom = true;
}
+ bool hadOOM() const {
+ return oom;
+ }
};
/* Superclass common to stack and heap type sets. */
class ConstraintTypeSet : public TypeSet
{
public:
/* Chain of constraints which propagate changes out from this type set. */
TypeConstraint* constraintList;

53
gnu/packages/patches/icecat-CVE-2016-1952-pt04.patch Normal file
View file

@ -0,0 +1,53 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/9dd60e798819
# HG changeset patch
# User Olli Pettay <bugs@pettay.fi>
# Date 1455204078 -3600
# Node ID 9dd60e798819fe2ebf1e5bd36aa9006ecd2f82c9
# Parent c1d67bd4c993b9e344c68954e6f0392c82b81e38
Bug 1244250 - r=mats, a=al
diff --git a/layout/style/nsAnimationManager.cpp b/layout/style/nsAnimationManager.cpp
--- a/layout/style/nsAnimationManager.cpp
+++ b/layout/style/nsAnimationManager.cpp
@@ -715,16 +715,17 @@ nsAnimationManager::FlushAnimations(Flus
}
DispatchEvents(); // may destroy us
}
void
nsAnimationManager::DoDispatchEvents()
{
+ nsRefPtr<nsAnimationManager> kungFuDeathGrip(this);
EventArray events;
mPendingEvents.SwapElements(events);
for (uint32_t i = 0, i_end = events.Length(); i < i_end; ++i) {
AnimationEventInfo &info = events[i];
EventDispatcher::Dispatch(info.mElement, mPresContext, &info.mEvent);
if (!mPresContext) {
break;
diff --git a/layout/style/nsTransitionManager.cpp b/layout/style/nsTransitionManager.cpp
--- a/layout/style/nsTransitionManager.cpp
+++ b/layout/style/nsTransitionManager.cpp
@@ -753,16 +753,17 @@ nsTransitionManager::FlushTransitions(Fl
}
}
}
if (didThrottle) {
mPresContext->Document()->SetNeedStyleFlush();
}
+ nsRefPtr<nsTransitionManager> kungFuDeathGrip(this);
for (uint32_t i = 0, i_end = events.Length(); i < i_end; ++i) {
TransitionEventInfo &info = events[i];
EventDispatcher::Dispatch(info.mElement, mPresContext, &info.mEvent);
if (!mPresContext) {
break;
}
}

32
gnu/packages/patches/icecat-CVE-2016-1952-pt05.patch Normal file
View file

@ -0,0 +1,32 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/1dd0ca8e70bd
# HG changeset patch
# User Nicolas B. Pierron <nicolas.b.pierron@mozilla.com>
# Date 1456161361 0
# Node ID 1dd0ca8e70bd77b6fd93f36cc4e9c2cebfe8ba0a
# Parent 95ff874886905ef46a7bbc760981d15ad0831096
Bug 1221872 - ValueNumbering: Set the dominator index of fixup blocks when they are created. r=sunfish, a=ritu
diff --git a/js/src/jit/ValueNumbering.cpp b/js/src/jit/ValueNumbering.cpp
--- a/js/src/jit/ValueNumbering.cpp
+++ b/js/src/jit/ValueNumbering.cpp
@@ -433,16 +433,17 @@ ValueNumberer::fixupOSROnlyLoop(MBasicBl
MBasicBlock* fake = MBasicBlock::NewAsmJS(graph_, block->info(),
nullptr, MBasicBlock::NORMAL);
if (fake == nullptr)
return false;
graph_.insertBlockBefore(block, fake);
fake->setImmediateDominator(fake);
fake->addNumDominated(1);
+ fake->setDomIndex(fake->id());
// Create zero-input phis to use as inputs for any phis in |block|.
// Again, this is a little odd, but it's the least-odd thing we can do
// without significant complexity.
for (MPhiIterator iter(block->phisBegin()), end(block->phisEnd()); iter != end; ++iter) {
MPhi* phi = *iter;
MPhi* fakePhi = MPhi::New(graph_.alloc(), phi->type());
fake->addPhi(fakePhi);

103
gnu/packages/patches/icecat-CVE-2016-1952-pt06.patch Normal file
View file

@ -0,0 +1,103 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/6f4d51302387
# HG changeset patch
# User Andrew McCreight <continuation@gmail.com>
# Date 1456273423 28800
# Node ID 6f4d5130238790fa5810c76ffeb9eccc65efa8c9
# Parent 70f6c59d9d73a5edefd216b48ca74a931da12cf1
Bug 1249685 - Use more nsCOMPtrs for stack variables in DOM code. r=smaug, a=ritu
diff --git a/dom/base/nsRange.cpp b/dom/base/nsRange.cpp
--- a/dom/base/nsRange.cpp
+++ b/dom/base/nsRange.cpp
@@ -1985,17 +1985,17 @@ nsRange::CutContents(DocumentFragment**
rv = closestAncestor ? PrependChild(closestAncestor, nodeToResult)
: PrependChild(commonCloneAncestor, nodeToResult);
NS_ENSURE_SUCCESS(rv, rv);
NS_ENSURE_STATE(!guard.Mutated(parent ? 2 : 1) ||
ValidateCurrentNode(this, iter));
} else if (nodeToResult) {
nsMutationGuard guard;
nsCOMPtr<nsINode> node = nodeToResult;
- nsINode* parent = node->GetParentNode();
+ nsCOMPtr<nsINode> parent = node->GetParentNode();
if (parent) {
mozilla::ErrorResult error;
parent->RemoveChild(*node, error);
NS_ENSURE_FALSE(error.Failed(), error.ErrorCode());
}
NS_ENSURE_STATE(!guard.Mutated(1) ||
ValidateCurrentNode(this, iter));
}
diff --git a/dom/base/nsTreeSanitizer.cpp b/dom/base/nsTreeSanitizer.cpp
--- a/dom/base/nsTreeSanitizer.cpp
+++ b/dom/base/nsTreeSanitizer.cpp
@@ -1423,18 +1423,18 @@ nsTreeSanitizer::SanitizeChildren(nsINod
mAllowStyles,
false);
}
node = node->GetNextNonChildNode(aRoot);
continue;
}
if (MustFlatten(ns, localName)) {
RemoveAllAttributes(node);
- nsIContent* next = node->GetNextNode(aRoot);
- nsIContent* parent = node->GetParent();
+ nsCOMPtr<nsIContent> next = node->GetNextNode(aRoot);
+ nsCOMPtr<nsIContent> parent = node->GetParent();
nsCOMPtr<nsIContent> child; // Must keep the child alive during move
ErrorResult rv;
while ((child = node->GetFirstChild())) {
parent->InsertBefore(*child, node, rv);
if (rv.Failed()) {
break;
}
}
diff --git a/dom/html/HTMLSelectElement.cpp b/dom/html/HTMLSelectElement.cpp
--- a/dom/html/HTMLSelectElement.cpp
+++ b/dom/html/HTMLSelectElement.cpp
@@ -624,17 +624,17 @@ HTMLSelectElement::Add(nsGenericHTMLElem
{
if (!aBefore) {
Element::AppendChild(aElement, aError);
return;
}
// Just in case we're not the parent, get the parent of the reference
// element
- nsINode* parent = aBefore->Element::GetParentNode();
+ nsCOMPtr<nsINode> parent = aBefore->Element::GetParentNode();
if (!parent || !nsContentUtils::ContentIsDescendantOf(parent, this)) {
// NOT_FOUND_ERR: Raised if before is not a descendant of the SELECT
// element.
aError.Throw(NS_ERROR_DOM_NOT_FOUND_ERR);
return;
}
// If the before parameter is not null, we are equivalent to the
diff --git a/dom/html/HTMLTableElement.cpp b/dom/html/HTMLTableElement.cpp
--- a/dom/html/HTMLTableElement.cpp
+++ b/dom/html/HTMLTableElement.cpp
@@ -516,18 +516,18 @@ HTMLTableElement::InsertRow(int32_t aInd
if (rowCount > 0) {
if (refIndex == rowCount || aIndex == -1) {
// we set refIndex to the last row so we can get the last row's
// parent we then do an AppendChild below if (rowCount<aIndex)
refIndex = rowCount - 1;
}
- Element* refRow = rows->Item(refIndex);
- nsINode* parent = refRow->GetParentNode();
+ RefPtr<Element> refRow = rows->Item(refIndex);
+ nsCOMPtr<nsINode> parent = refRow->GetParentNode();
// create the row
nsRefPtr<mozilla::dom::NodeInfo> nodeInfo;
nsContentUtils::NameChanged(mNodeInfo, nsGkAtoms::tr,
getter_AddRefs(nodeInfo));
newRow = NS_NewHTMLTableRowElement(nodeInfo.forget());

32
gnu/packages/patches/icecat-CVE-2016-1954.patch Normal file
View file

@ -0,0 +1,32 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/a5c4c18849b4
# HG changeset patch
# User Christoph Kerschbaumer <mozilla@christophkerschbaumer.com>
# Date 1456157874 28800
# Node ID a5c4c18849b486ef8693e20421b69239a2cbe574
# Parent e93aeb25e2a44df8d22f5a065b4410620e2c8730
Bug 1243178: CSP - Skip sending reports for non http schemes (r=dveditz) a=ritu
diff --git a/dom/security/nsCSPContext.cpp b/dom/security/nsCSPContext.cpp
--- a/dom/security/nsCSPContext.cpp
+++ b/dom/security/nsCSPContext.cpp
@@ -798,16 +798,17 @@ nsCSPContext::SendReports(nsISupports* a
(NS_SUCCEEDED(reportURI->SchemeIs("https", &isHttpScheme)) && isHttpScheme);
if (!isHttpScheme) {
const char16_t* params[] = { reportURIs[r].get() };
CSP_LogLocalizedStr(NS_LITERAL_STRING("reportURInotHttpsOrHttp2").get(),
params, ArrayLength(params),
aSourceFile, aScriptSample, aLineNum, 0,
nsIScriptError::errorFlag, "CSP", mInnerWindowID);
+ continue;
}
// make sure this is an anonymous request (no cookies) so in case the
// policy URI is injected, it can't be abused for CSRF.
nsLoadFlags flags;
rv = reportChannel->GetLoadFlags(&flags);
NS_ENSURE_SUCCESS(rv, rv);
flags |= nsIRequest::LOAD_ANONYMOUS;

55
gnu/packages/patches/icecat-CVE-2016-1960.patch Normal file
View file

@ -0,0 +1,55 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/185b233ea03f
# HG changeset patch
# User Henri Sivonen <hsivonen@hsivonen.fi>
# Date 1455100746 -7200
# Node ID 185b233ea03f3811404e3979b65ec86b29d13555
# Parent 271e3a5a53d96871141e89271f611033b512e3e4
Bug 1246014. r=wchen. a=sylvestre
diff --git a/parser/html/javasrc/TreeBuilder.java b/parser/html/javasrc/TreeBuilder.java
--- a/parser/html/javasrc/TreeBuilder.java
+++ b/parser/html/javasrc/TreeBuilder.java
@@ -4437,17 +4437,17 @@ public abstract class TreeBuilder<T> imp
return TreeBuilder.NOT_FOUND_ON_STACK;
}
private void clearStackBackTo(int eltPos) throws SAXException {
int eltGroup = stack[eltPos].getGroup();
while (currentPtr > eltPos) { // > not >= intentional
if (stack[currentPtr].ns == "http://www.w3.org/1999/xhtml"
&& stack[currentPtr].getGroup() == TEMPLATE
- && (eltGroup == TABLE || eltGroup == TBODY_OR_THEAD_OR_TFOOT|| eltGroup == TR || eltGroup == HTML)) {
+ && (eltGroup == TABLE || eltGroup == TBODY_OR_THEAD_OR_TFOOT|| eltGroup == TR || eltPos == 0)) {
return;
}
pop();
}
}
private void resetTheInsertionMode() {
StackNode<T> node;
diff --git a/parser/html/nsHtml5TreeBuilder.cpp b/parser/html/nsHtml5TreeBuilder.cpp
--- a/parser/html/nsHtml5TreeBuilder.cpp
+++ b/parser/html/nsHtml5TreeBuilder.cpp
@@ -3301,17 +3301,17 @@ nsHtml5TreeBuilder::findLastInTableScope
return NS_HTML5TREE_BUILDER_NOT_FOUND_ON_STACK;
}
void
nsHtml5TreeBuilder::clearStackBackTo(int32_t eltPos)
{
int32_t eltGroup = stack[eltPos]->getGroup();
while (currentPtr > eltPos) {
- if (stack[currentPtr]->ns == kNameSpaceID_XHTML && stack[currentPtr]->getGroup() == NS_HTML5TREE_BUILDER_TEMPLATE && (eltGroup == NS_HTML5TREE_BUILDER_TABLE || eltGroup == NS_HTML5TREE_BUILDER_TBODY_OR_THEAD_OR_TFOOT || eltGroup == NS_HTML5TREE_BUILDER_TR || eltGroup == NS_HTML5TREE_BUILDER_HTML)) {
+ if (stack[currentPtr]->ns == kNameSpaceID_XHTML && stack[currentPtr]->getGroup() == NS_HTML5TREE_BUILDER_TEMPLATE && (eltGroup == NS_HTML5TREE_BUILDER_TABLE || eltGroup == NS_HTML5TREE_BUILDER_TBODY_OR_THEAD_OR_TFOOT || eltGroup == NS_HTML5TREE_BUILDER_TR || !eltPos)) {
return;
}
pop();
}
}
void
nsHtml5TreeBuilder::resetTheInsertionMode()

33
gnu/packages/patches/icecat-CVE-2016-1961.patch Normal file
View file

@ -0,0 +1,33 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/e93aeb25e2a4
# HG changeset patch
# User Andrew McCreight <continuation@gmail.com>
# Date 1455891967 28800
# Node ID e93aeb25e2a44df8d22f5a065b4410620e2c8730
# Parent 221de852fda32714a9e484774ceafafb450ea73c
Bug 1249377 - Hold a strong reference to |root| in nsHTMLDocument::SetBody. r=bz, a=sylvestre
diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp
--- a/dom/html/nsHTMLDocument.cpp
+++ b/dom/html/nsHTMLDocument.cpp
@@ -1044,17 +1044,17 @@ nsHTMLDocument::SetBody(nsIDOMHTMLElemen
ErrorResult rv;
SetBody(static_cast<nsGenericHTMLElement*>(newBody.get()), rv);
return rv.ErrorCode();
}
void
nsHTMLDocument::SetBody(nsGenericHTMLElement* newBody, ErrorResult& rv)
{
- Element* root = GetRootElement();
+ nsCOMPtr<Element> root = GetRootElement();
// The body element must be either a body tag or a frameset tag. And we must
// have a html root tag, otherwise GetBody will not return the newly set
// body.
if (!newBody || !(newBody->Tag() == nsGkAtoms::body ||
newBody->Tag() == nsGkAtoms::frameset) ||
!root || !root->IsHTML() ||
root->Tag() != nsGkAtoms::html) {

107
gnu/packages/patches/icecat-CVE-2016-1962.patch Normal file
View file

@ -0,0 +1,107 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/221de852fda3
# HG changeset patch
# User Randell Jesup <rjesup@jesup.org>
# Date 1455862087 18000
# Node ID 221de852fda32714a9e484774ceafafb450ea73c
# Parent b03db72e32f6e3acdc9f8705371cb222d7e6c456
Bug 1240760: Update DataChannel::Close() r=mcmanus, a=ritu
MozReview-Commit-ID: 7nN9h3M3O8w
diff --git a/netwerk/sctp/datachannel/DataChannel.cpp b/netwerk/sctp/datachannel/DataChannel.cpp
--- a/netwerk/sctp/datachannel/DataChannel.cpp
+++ b/netwerk/sctp/datachannel/DataChannel.cpp
@@ -1771,17 +1771,17 @@ DataChannelConnection::HandleStreamReset
}
NS_DispatchToMainThread(new DataChannelOnMessageAvailable(
DataChannelOnMessageAvailable::ON_CHANNEL_CLOSED, this,
channel));
mStreams[channel->mStream] = nullptr;
LOG(("Disconnected DataChannel %p from connection %p",
(void *) channel.get(), (void *) channel->mConnection.get()));
- channel->Destroy();
+ channel->DestroyLocked();
// At this point when we leave here, the object is a zombie held alive only by the DOM object
} else {
LOG(("Can't find incoming channel %d",i));
}
}
}
}
@@ -2498,17 +2498,17 @@ DataChannelConnection::CloseInt(DataChan
mStreams[channel->mStream] = nullptr;
} else {
SendOutgoingStreamReset();
}
}
aChannel->mState = CLOSING;
if (mState == CLOSED) {
// we're not going to hang around waiting
- channel->Destroy();
+ channel->DestroyLocked();
}
// At this point when we leave here, the object is a zombie held alive only by the DOM object
}
void DataChannelConnection::CloseAll()
{
LOG(("Closing all channels (connection %p)", (void*) this));
// Don't need to lock here
@@ -2552,23 +2552,25 @@ DataChannel::~DataChannel()
// wrong, nothing bad happens. A worst it's a leak.
NS_ASSERTION(mState == CLOSED || mState == CLOSING, "unexpected state in ~DataChannel");
}
void
DataChannel::Close()
{
ENSURE_DATACONNECTION;
+ RefPtr<DataChannelConnection> connection(mConnection);
mConnection->Close(this);
}
// Used when disconnecting from the DataChannelConnection
void
-DataChannel::Destroy()
+DataChannel::DestroyLocked()
{
+ mConnection->mLock.AssertCurrentThreadOwns();
ENSURE_DATACONNECTION;
LOG(("Destroying Data channel %u", mStream));
MOZ_ASSERT_IF(mStream != INVALID_STREAM,
!mConnection->FindChannelByStream(mStream));
mStream = INVALID_STREAM;
mState = CLOSED;
mConnection = nullptr;
diff --git a/netwerk/sctp/datachannel/DataChannel.h b/netwerk/sctp/datachannel/DataChannel.h
--- a/netwerk/sctp/datachannel/DataChannel.h
+++ b/netwerk/sctp/datachannel/DataChannel.h
@@ -331,19 +331,20 @@ public:
{
NS_ASSERTION(mConnection,"NULL connection");
}
private:
~DataChannel();
public:
- void Destroy(); // when we disconnect from the connection after stream RESET
+ NS_INLINE_DECL_THREADSAFE_REFCOUNTING(DataChannel)
- NS_INLINE_DECL_THREADSAFE_REFCOUNTING(DataChannel)
+ // when we disconnect from the connection after stream RESET
+ void DestroyLocked();
// Close this DataChannel. Can be called multiple times. MUST be called
// before destroying the DataChannel (state must be CLOSED or CLOSING).
void Close();
// Set the listener (especially for channels created from the other side)
void SetListener(DataChannelListener *aListener, nsISupports *aContext);

54
gnu/packages/patches/icecat-CVE-2016-1964.patch Normal file
View file

@ -0,0 +1,54 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/a653013e7b50
# HG changeset patch
# User Peter Van der Beken <peterv@propagandism.org>
# Date 1454340035 -3600
# Node ID a653013e7b503912a32621e8da64a37171316588
# Parent 0d0d7e8292f7ecf5f1149d528c0524f04447c4ad
Bug 1243335 - report bad QName. r=sicking, a=sylvestre
diff --git a/dom/xslt/xslt/txInstructions.cpp b/dom/xslt/xslt/txInstructions.cpp
--- a/dom/xslt/xslt/txInstructions.cpp
+++ b/dom/xslt/xslt/txInstructions.cpp
@@ -93,16 +93,19 @@ txAttribute::txAttribute(nsAutoPtr<Expr>
txNamespaceMap* aMappings)
: mName(Move(aName)), mNamespace(Move(aNamespace)), mMappings(aMappings)
{
}
nsresult
txAttribute::execute(txExecutionState& aEs)
{
+ nsAutoPtr<txTextHandler> handler(
+ static_cast<txTextHandler*>(aEs.popResultHandler()));
+
nsAutoString name;
nsresult rv = mName->evaluateToString(aEs.getEvalContext(), name);
NS_ENSURE_SUCCESS(rv, rv);
const char16_t* colon;
if (!XMLUtils::isValidQName(name, &colon) ||
TX_StringEqualsAtom(name, nsGkAtoms::xmlns)) {
return NS_OK;
@@ -125,19 +128,16 @@ txAttribute::execute(txExecutionState& a
if (!nspace.IsEmpty()) {
nsId = txNamespaceManager::getNamespaceID(nspace);
}
}
else if (colon) {
nsId = mMappings->lookupNamespace(prefix);
}
- nsAutoPtr<txTextHandler> handler(
- static_cast<txTextHandler*>(aEs.popResultHandler()));
-
// add attribute if everything was ok
return nsId != kNameSpaceID_Unknown ?
aEs.mResultHandler->attribute(prefix, Substring(name, lnameStart),
nsId, handler->mValue) :
NS_OK;
}
txCallTemplate::txCallTemplate(const txExpandedName& aName)

44
gnu/packages/patches/icecat-CVE-2016-1965.patch Normal file
View file

@ -0,0 +1,44 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/b4467681abd6
# HG changeset patch
# User Gijs Kruitbosch <gijskruitbosch@gmail.com>
# Date 1455276061 0
# Node ID b4467681abd676cd5575cbdf922927f8f54d2ad9
# Parent 8c1d40e45a72c6432e879137a0afa519dc6c9841
Bug 1245264 - r=bz, r=ritu
MozReview-Commit-ID: I0sVdritpD3
diff --git a/dom/base/nsLocation.cpp b/dom/base/nsLocation.cpp
--- a/dom/base/nsLocation.cpp
+++ b/dom/base/nsLocation.cpp
@@ -735,16 +735,27 @@ nsLocation::SetProtocol(const nsAString&
return rv;
}
rv = uri->SetScheme(NS_ConvertUTF16toUTF8(aProtocol));
if (NS_WARN_IF(NS_FAILED(rv))) {
return rv;
}
+ nsAutoCString newSpec;
+ rv = uri->GetSpec(newSpec);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+ // We may want a new URI class for the new URI, so recreate it:
+ rv = NS_NewURI(getter_AddRefs(uri), newSpec);
+ if (NS_FAILED(rv)) {
+ return rv;
+ }
+
return SetURI(uri);
}
void
nsLocation::GetUsername(nsAString& aUsername, ErrorResult& aError)
{
if (!CallerSubsumes()) {
aError.Throw(NS_ERROR_DOM_SECURITY_ERR);

36
gnu/packages/patches/icecat-CVE-2016-1966.patch Normal file
View file

@ -0,0 +1,36 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/291c2f31c48c
# HG changeset patch
# User Nicholas Nethercote <nnethercote@mozilla.com>
# Date 1454650565 -39600
# Node ID 291c2f31c48c7e96b1884b55273355970fa0fc30
# Parent 11e6614756551cfd7291e73eefb90c52873a8480
Bug 1246054 - Fix an erroneous nsNPObjWrapper assertion. r=froydnj. a=ritu
diff --git a/dom/plugins/base/nsJSNPRuntime.cpp b/dom/plugins/base/nsJSNPRuntime.cpp
--- a/dom/plugins/base/nsJSNPRuntime.cpp
+++ b/dom/plugins/base/nsJSNPRuntime.cpp
@@ -1915,18 +1915,19 @@ nsNPObjWrapper::GetNewOrUsed(NPP npp, JS
// No existing JSObject, create one.
JS::Rooted<JSObject*> obj(cx, ::JS_NewObject(cx, js::Jsvalify(&sNPObjectJSWrapperClass)));
if (generation != sNPObjWrappers.Generation()) {
// Reload entry if the JS_NewObject call caused a GC and reallocated
// the table (see bug 445229). This is guaranteed to succeed.
- NS_ASSERTION(PL_DHashTableSearch(&sNPObjWrappers, npobj),
- "Hashtable didn't find what we just added?");
+ entry = static_cast<NPObjWrapperHashEntry*>
+ (PL_DHashTableSearch(&sNPObjWrappers, npobj));
+ NS_ASSERTION(entry, "Hashtable didn't find what we just added?");
}
if (!obj) {
// OOM? Remove the stale entry from the hash.
PL_DHashTableRawRemove(&sNPObjWrappers, entry);
return nullptr;

530
gnu/packages/patches/icecat-CVE-2016-1974.patch Normal file
View file

@ -0,0 +1,530 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/271e3a5a53d9
# HG changeset patch
# User Henri Sivonen <hsivonen@hsivonen.fi>
# Date 1455014759 -7200
# Node ID 271e3a5a53d96871141e89271f611033b512e3e4
# Parent 9719b71d72dd2a3c5ee12ace156af2a63d9595ac
Bug 1228103. r=smaug. a=sylvestre
diff --git a/parser/htmlparser/nsExpatDriver.cpp b/parser/htmlparser/nsExpatDriver.cpp
--- a/parser/htmlparser/nsExpatDriver.cpp
+++ b/parser/htmlparser/nsExpatDriver.cpp
@@ -1127,22 +1127,28 @@ nsExpatDriver::ConsumeToken(nsScanner& a
XML_Size lastLineLength = XML_GetCurrentColumnNumber(mExpatParser);
if (lastLineLength <= consumed) {
// The length of the last line was less than what expat consumed, so
// there was at least one line break in the consumed data. Store the
// last line until the point where we stopped parsing.
nsScannerIterator startLastLine = currentExpatPosition;
startLastLine.advance(-((ptrdiff_t)lastLineLength));
- CopyUnicodeTo(startLastLine, currentExpatPosition, mLastLine);
+ if (!CopyUnicodeTo(startLastLine, currentExpatPosition, mLastLine)) {
+ return (mInternalState = NS_ERROR_OUT_OF_MEMORY);
+ }
}
else {
// There was no line break in the consumed data, append the consumed
// data.
- AppendUnicodeTo(oldExpatPosition, currentExpatPosition, mLastLine);
+ if (!AppendUnicodeTo(oldExpatPosition,
+ currentExpatPosition,
+ mLastLine)) {
+ return (mInternalState = NS_ERROR_OUT_OF_MEMORY);
+ }
}
}
mExpatBuffered += length - consumed;
if (BlockedOrInterrupted()) {
PR_LOG(GetExpatDriverLog(), PR_LOG_DEBUG,
("Blocked or interrupted parser (probably for loading linked "
diff --git a/parser/htmlparser/nsParser.cpp b/parser/htmlparser/nsParser.cpp
--- a/parser/htmlparser/nsParser.cpp
+++ b/parser/htmlparser/nsParser.cpp
@@ -1508,17 +1508,19 @@ nsParser::ResumeParse(bool allowIteratio
DidBuildModel(mStreamStatus);
return NS_OK;
}
} else {
CParserContext* theContext = PopContext();
if (theContext) {
theIterationIsOk = allowIteration && theContextIsStringBased;
if (theContext->mCopyUnused) {
- theContext->mScanner->CopyUnusedData(mUnusedInput);
+ if (!theContext->mScanner->CopyUnusedData(mUnusedInput)) {
+ mInternalState = NS_ERROR_OUT_OF_MEMORY;
+ }
}
delete theContext;
}
result = mInternalState;
aIsFinalChunk = mParserContext &&
mParserContext->mStreamListenerState == eOnStop;
diff --git a/parser/htmlparser/nsScanner.cpp b/parser/htmlparser/nsScanner.cpp
--- a/parser/htmlparser/nsScanner.cpp
+++ b/parser/htmlparser/nsScanner.cpp
@@ -379,17 +379,19 @@ nsresult nsScanner::Peek(nsAString& aStr
if (mCountRemaining < uint32_t(aNumChars + aOffset)) {
end = mEndPosition;
}
else {
end = start;
end.advance(aNumChars);
}
- CopyUnicodeTo(start, end, aStr);
+ if (!CopyUnicodeTo(start, end, aStr)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
return NS_OK;
}
/**
* Skip whitespace on scanner input stream
*
@@ -542,17 +544,19 @@ nsresult nsScanner::ReadTagIdentifier(ns
if (!found) {
++current;
}
}
// Don't bother appending nothing.
if (current != mCurrentPosition) {
- AppendUnicodeTo(mCurrentPosition, current, aString);
+ if (!AppendUnicodeTo(mCurrentPosition, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
}
SetPosition(current);
if (current == end) {
result = kEOF;
}
//DoErrTest(aString);
@@ -597,26 +601,30 @@ nsresult nsScanner::ReadEntityIdentifier
default:
found = ('a'<=theChar && theChar<='z') ||
('A'<=theChar && theChar<='Z') ||
('0'<=theChar && theChar<='9');
break;
}
if(!found) {
- AppendUnicodeTo(mCurrentPosition, current, aString);
+ if (!AppendUnicodeTo(mCurrentPosition, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
break;
}
}
++current;
}
SetPosition(current);
if (current == end) {
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
return kEOF;
}
//DoErrTest(aString);
return result;
}
@@ -646,26 +654,30 @@ nsresult nsScanner::ReadNumber(nsString&
while(current != end) {
theChar=*current;
if(theChar) {
done = (theChar < '0' || theChar > '9') &&
((aBase == 16)? (theChar < 'A' || theChar > 'F') &&
(theChar < 'a' || theChar > 'f')
:true);
if(done) {
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
break;
}
}
++current;
}
SetPosition(current);
if (current == end) {
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
return kEOF;
}
//DoErrTest(aString);
return result;
}
@@ -712,37 +724,43 @@ nsresult nsScanner::ReadWhitespace(nsSca
char16_t thePrevChar = theChar;
theChar = (++current != end) ? *current : '\0';
if ((thePrevChar == '\r' && theChar == '\n') ||
(thePrevChar == '\n' && theChar == '\r')) {
theChar = (++current != end) ? *current : '\0'; // CRLF == LFCR => LF
haveCR = true;
} else if (thePrevChar == '\r') {
// Lone CR becomes CRLF; callers should know to remove extra CRs
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
aString.writable().Append(char16_t('\n'));
origin = current;
haveCR = true;
}
}
break;
case ' ' :
case '\t':
theChar = (++current != end) ? *current : '\0';
break;
default:
done = true;
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
break;
}
}
SetPosition(current);
if (current == end) {
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
result = kEOF;
}
aHaveCR = haveCR;
return result;
}
//XXXbz callers of this have to manage their lone '\r' themselves if they want
@@ -846,34 +864,38 @@ nsresult nsScanner::ReadUntil(nsAString&
if(!(theChar & aEndCondition.mFilter)) {
// They were. Do a thorough check.
setcurrent = setstart;
while (*setcurrent) {
if (*setcurrent == theChar) {
if(addTerminal)
++current;
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
SetPosition(current);
//DoErrTest(aString);
return NS_OK;
}
++setcurrent;
}
}
++current;
}
// If we are here, we didn't find any terminator in the string and
// current = mEndPosition
SetPosition(current);
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
return kEOF;
}
nsresult nsScanner::ReadUntil(nsScannerSharedSubstring& aString,
const nsReadEndCondition& aEndCondition,
bool addTerminal)
{
if (!mSlidingBuffer) {
@@ -906,34 +928,38 @@ nsresult nsScanner::ReadUntil(nsScannerS
if(!(theChar & aEndCondition.mFilter)) {
// They were. Do a thorough check.
setcurrent = setstart;
while (*setcurrent) {
if (*setcurrent == theChar) {
if(addTerminal)
++current;
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
SetPosition(current);
//DoErrTest(aString);
return NS_OK;
}
++setcurrent;
}
}
++current;
}
// If we are here, we didn't find any terminator in the string and
// current = mEndPosition
SetPosition(current);
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
return kEOF;
}
nsresult nsScanner::ReadUntil(nsScannerIterator& aStart,
nsScannerIterator& aEnd,
const nsReadEndCondition &aEndCondition,
bool addTerminal)
{
@@ -1025,26 +1051,30 @@ nsresult nsScanner::ReadUntil(nsAString&
if (theChar == '\0') {
ReplaceCharacter(current, sInvalid);
theChar = sInvalid;
}
if (aTerminalChar == theChar) {
if(addTerminal)
++current;
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
SetPosition(current);
return NS_OK;
}
++current;
}
// If we are here, we didn't find any terminator in the string and
// current = mEndPosition
- AppendUnicodeTo(origin, current, aString);
+ if (!AppendUnicodeTo(origin, current, aString)) {
+ return NS_ERROR_OUT_OF_MEMORY;
+ }
SetPosition(current);
return kEOF;
}
void nsScanner::BindSubstring(nsScannerSubstring& aSubstring, const nsScannerIterator& aStart, const nsScannerIterator& aEnd)
{
aSubstring.Rebind(*mSlidingBuffer, aStart, aEnd);
@@ -1142,29 +1172,29 @@ bool nsScanner::AppendToBuffer(nsScanner
}
/**
* call this to copy bytes out of the scanner that have not yet been consumed
* by the tokenization process.
*
* @update gess 5/12/98
* @param aCopyBuffer is where the scanner buffer will be copied to
- * @return nada
+ * @return true if OK or false on OOM
*/
-void nsScanner::CopyUnusedData(nsString& aCopyBuffer) {
+bool nsScanner::CopyUnusedData(nsString& aCopyBuffer) {
if (!mSlidingBuffer) {
aCopyBuffer.Truncate();
- return;
+ return true;
}
nsScannerIterator start, end;
start = mCurrentPosition;
end = mEndPosition;
- CopyUnicodeTo(start, end, aCopyBuffer);
+ return CopyUnicodeTo(start, end, aCopyBuffer);
}
/**
* Retrieve the name of the file that the scanner is reading from.
* In some cases, it's just a given name, because the scanner isn't
* really reading from a file.
*
* @update gess 5/12/98
diff --git a/parser/htmlparser/nsScanner.h b/parser/htmlparser/nsScanner.h
--- a/parser/htmlparser/nsScanner.h
+++ b/parser/htmlparser/nsScanner.h
@@ -204,19 +204,19 @@ class nsScanner {
nsIRequest *aRequest);
/**
* Call this to copy bytes out of the scanner that have not yet been consumed
* by the tokenization process.
*
* @update gess 5/12/98
* @param aCopyBuffer is where the scanner buffer will be copied to
- * @return nada
+ * @return true if OK or false on OOM
*/
- void CopyUnusedData(nsString& aCopyBuffer);
+ bool CopyUnusedData(nsString& aCopyBuffer);
/**
* Retrieve the name of the file that the scanner is reading from.
* In some cases, it's just a given name, because the scanner isn't
* really reading from a file.
*
* @update gess 5/12/98
* @return
diff --git a/parser/htmlparser/nsScannerString.cpp b/parser/htmlparser/nsScannerString.cpp
--- a/parser/htmlparser/nsScannerString.cpp
+++ b/parser/htmlparser/nsScannerString.cpp
@@ -461,61 +461,63 @@ copy_multifragment_string( nsScannerIter
sink_traits::write(result, source_traits::read(first), distance);
NS_ASSERTION(distance > 0, "|copy_multifragment_string| will never terminate");
source_traits::advance(first, distance);
}
return result;
}
-void
+bool
CopyUnicodeTo( const nsScannerIterator& aSrcStart,
const nsScannerIterator& aSrcEnd,
nsAString& aDest )
{
nsAString::iterator writer;
if (!aDest.SetLength(Distance(aSrcStart, aSrcEnd), mozilla::fallible)) {
aDest.Truncate();
- return; // out of memory
+ return false; // out of memory
}
aDest.BeginWriting(writer);
nsScannerIterator fromBegin(aSrcStart);
copy_multifragment_string(fromBegin, aSrcEnd, writer);
+ return true;
}
-void
+bool
AppendUnicodeTo( const nsScannerIterator& aSrcStart,
const nsScannerIterator& aSrcEnd,
nsScannerSharedSubstring& aDest )
{
// Check whether we can just create a dependent string.
if (aDest.str().IsEmpty()) {
// We can just make |aDest| point to the buffer.
// This will take care of copying if the buffer spans fragments.
aDest.Rebind(aSrcStart, aSrcEnd);
- } else {
- // The dest string is not empty, so it can't be a dependent substring.
- AppendUnicodeTo(aSrcStart, aSrcEnd, aDest.writable());
+ return true;
}
+ // The dest string is not empty, so it can't be a dependent substring.
+ return AppendUnicodeTo(aSrcStart, aSrcEnd, aDest.writable());
}
-void
+bool
AppendUnicodeTo( const nsScannerIterator& aSrcStart,
const nsScannerIterator& aSrcEnd,
nsAString& aDest )
{
nsAString::iterator writer;
uint32_t oldLength = aDest.Length();
if (!aDest.SetLength(oldLength + Distance(aSrcStart, aSrcEnd), mozilla::fallible))
- return; // out of memory
+ return false; // out of memory
aDest.BeginWriting(writer).advance(oldLength);
nsScannerIterator fromBegin(aSrcStart);
copy_multifragment_string(fromBegin, aSrcEnd, writer);
+ return true;
}
bool
FindCharInReadable( char16_t aChar,
nsScannerIterator& aSearchStart,
const nsScannerIterator& aSearchEnd )
{
while ( aSearchStart != aSearchEnd )
diff --git a/parser/htmlparser/nsScannerString.h b/parser/htmlparser/nsScannerString.h
--- a/parser/htmlparser/nsScannerString.h
+++ b/parser/htmlparser/nsScannerString.h
@@ -539,43 +539,43 @@ nsScannerBufferList::Position::operator=
inline
size_t
Distance( const nsScannerIterator& aStart, const nsScannerIterator& aEnd )
{
typedef nsScannerBufferList::Position Position;
return Position::Distance(Position(aStart), Position(aEnd));
}
-void
+bool
CopyUnicodeTo( const nsScannerIterator& aSrcStart,
const nsScannerIterator& aSrcEnd,
nsAString& aDest );
inline
-void
+bool
CopyUnicodeTo( const nsScannerSubstring& aSrc, nsAString& aDest )
{
nsScannerIterator begin, end;
- CopyUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
+ return CopyUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
}
-void
+bool
AppendUnicodeTo( const nsScannerIterator& aSrcStart,
const nsScannerIterator& aSrcEnd,
nsAString& aDest );
inline
-void
+bool
AppendUnicodeTo( const nsScannerSubstring& aSrc, nsAString& aDest )
{
nsScannerIterator begin, end;
- AppendUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
+ return AppendUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
}
-void
+bool
AppendUnicodeTo( const nsScannerIterator& aSrcStart,
const nsScannerIterator& aSrcEnd,
nsScannerSharedSubstring& aDest );
bool
FindCharInReadable( char16_t aChar,
nsScannerIterator& aStart,
const nsScannerIterator& aEnd );

37
gnu/packages/patches/icecat-bug-1248851.patch Normal file
View file

@ -0,0 +1,37 @@
Copied from upstream:
https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/8c1d40e45a72
# HG changeset patch
# User Xidorn Quan <quanxunzhen@gmail.com>
# Date 1456199544 -28800
# Node ID 8c1d40e45a72c6432e879137a0afa519dc6c9841
# Parent 1dd0ca8e70bd77b6fd93f36cc4e9c2cebfe8ba0a
Bug 1248851 - r=sicking, a=ritu
diff --git a/dom/indexedDB/ActorsParent.cpp b/dom/indexedDB/ActorsParent.cpp
--- a/dom/indexedDB/ActorsParent.cpp
+++ b/dom/indexedDB/ActorsParent.cpp
@@ -14823,22 +14823,19 @@ ObjectStoreAddOrPutRequestOp::DoDatabase
}
snappy::RawCompress(uncompressed, uncompressedLength, compressed,
&compressedLength);
uint8_t* dataBuffer = reinterpret_cast<uint8_t*>(compressed);
size_t dataBufferLength = compressedLength;
- // If this call succeeds, | compressed | is now owned by the statement, and
- // we are no longer responsible for it.
rv = stmt->BindAdoptedBlobByName(NS_LITERAL_CSTRING("data"), dataBuffer,
dataBufferLength);
if (NS_WARN_IF(NS_FAILED(rv))) {
- moz_free(compressed);
return rv;
}
}
nsCOMPtr<nsIFile> fileDirectory;
nsCOMPtr<nsIFile> journalDirectory;
if (mFileManager) {