From b9fa245fcd962a5ae9039ca395e7347718f4cb42 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Fri, 4 Dec 2015 15:50:08 -0500 Subject: [PATCH] gnu: icecat: Update to 38.4.0-gnu1. * gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch, gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch, gnu/packages/patches/icecat-CVE-2015-7188.patch, gnu/packages/patches/icecat-CVE-2015-7189.patch, gnu/packages/patches/icecat-CVE-2015-7193.patch, gnu/packages/patches/icecat-CVE-2015-7194.patch, gnu/packages/patches/icecat-CVE-2015-7196.patch, gnu/packages/patches/icecat-CVE-2015-7197.patch, gnu/packages/patches/icecat-CVE-2015-7198.patch, gnu/packages/patches/icecat-CVE-2015-7199.patch: Delete files. * gnu-system.am (dist_patch_DATA): Remove them. * gnu/packages/gnuzilla.scm (icecat): Update to 38.4.0-gnu1. Remove the obsolete patches. --- gnu-system.am | 19 - gnu/packages/gnuzilla.scm | 25 +- .../patches/icecat-CVE-2015-4513-pt01.patch | 36 -- .../patches/icecat-CVE-2015-4513-pt02.patch | 103 ---- .../patches/icecat-CVE-2015-4513-pt03.patch | 48 -- .../patches/icecat-CVE-2015-4513-pt04.patch | 50 -- .../patches/icecat-CVE-2015-4513-pt05.patch | 25 - .../patches/icecat-CVE-2015-4513-pt06.patch | 461 ------------------ .../patches/icecat-CVE-2015-4513-pt07.patch | 93 ---- .../patches/icecat-CVE-2015-4513-pt08.patch | 41 -- .../patches/icecat-CVE-2015-4513-pt09.patch | 65 --- .../patches/icecat-CVE-2015-4513-pt10.patch | 110 ----- .../patches/icecat-CVE-2015-4513-pt11.patch | 42 -- .../patches/icecat-CVE-2015-7188.patch | 143 ------ .../patches/icecat-CVE-2015-7189.patch | 143 ------ .../patches/icecat-CVE-2015-7193.patch | 397 --------------- .../patches/icecat-CVE-2015-7194.patch | 32 -- .../patches/icecat-CVE-2015-7196.patch | 27 - .../patches/icecat-CVE-2015-7197.patch | 70 --- .../patches/icecat-CVE-2015-7198.patch | 27 - .../patches/icecat-CVE-2015-7199.patch | 84 ---- 21 files changed, 3 insertions(+), 2038 deletions(-) delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7188.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7189.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7193.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7194.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7196.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7197.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7198.patch delete mode 100644 gnu/packages/patches/icecat-CVE-2015-7199.patch diff --git a/gnu-system.am b/gnu-system.am index ee7fcc185b..ae3b3d24d6 100644 --- a/gnu-system.am +++ b/gnu-system.am @@ -510,25 +510,6 @@ dist_patch_DATA = \ gnu/packages/patches/hop-linker-flags.patch \ gnu/packages/patches/hydra-automake-1.15.patch \ gnu/packages/patches/hydra-disable-darcs-test.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch \ - gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch \ - gnu/packages/patches/icecat-CVE-2015-7188.patch \ - gnu/packages/patches/icecat-CVE-2015-7189.patch \ - gnu/packages/patches/icecat-CVE-2015-7193.patch \ - gnu/packages/patches/icecat-CVE-2015-7194.patch \ - gnu/packages/patches/icecat-CVE-2015-7196.patch \ - gnu/packages/patches/icecat-CVE-2015-7197.patch \ - gnu/packages/patches/icecat-CVE-2015-7198.patch \ - gnu/packages/patches/icecat-CVE-2015-7199.patch \ gnu/packages/patches/icecat-avoid-bundled-includes.patch \ gnu/packages/patches/icecat-freetype-2.6.patch \ gnu/packages/patches/icu4c-CVE-2014-6585.patch \ diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index f32c947f3c..6d134a89c7 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -266,7 +266,7 @@ standards.") (define-public icecat (package (name "icecat") - (version "38.3.0-gnu1") + (version "38.4.0-gnu1") (source (origin (method url-fetch) @@ -275,28 +275,9 @@ standards.") name "-" version ".tar.bz2")) (sha256 (base32 - "0vm6f7f1i5vkq2713mgzjdfnm8rpz9l0q8sv4s123vsam0j9gzh8")) + "0rcaa19rfgclwd2qvcz8798m57jjzra6kaxg5dniysajvx7qndfp")) (patches (map search-patch '("icecat-avoid-bundled-includes.patch" - "icecat-freetype-2.6.patch" - "icecat-CVE-2015-4513-pt01.patch" - "icecat-CVE-2015-4513-pt02.patch" - "icecat-CVE-2015-4513-pt03.patch" - "icecat-CVE-2015-4513-pt04.patch" - "icecat-CVE-2015-4513-pt05.patch" - "icecat-CVE-2015-4513-pt06.patch" - "icecat-CVE-2015-4513-pt07.patch" - "icecat-CVE-2015-4513-pt08.patch" - "icecat-CVE-2015-4513-pt09.patch" - "icecat-CVE-2015-4513-pt10.patch" - "icecat-CVE-2015-4513-pt11.patch" - "icecat-CVE-2015-7188.patch" - "icecat-CVE-2015-7189.patch" - "icecat-CVE-2015-7193.patch" - "icecat-CVE-2015-7194.patch" - "icecat-CVE-2015-7196.patch" - "icecat-CVE-2015-7197.patch" - "icecat-CVE-2015-7198.patch" - "icecat-CVE-2015-7199.patch"))) + "icecat-freetype-2.6.patch"))) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch deleted file mode 100644 index f003e3cf68..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch +++ /dev/null @@ -1,36 +0,0 @@ -From 3df141cb85a530d7ddc3a7555d44235e49341837 Mon Sep 17 00:00:00 2001 -From: Karl Tomlinson -Date: Sat, 19 Sep 2015 00:51:03 +1200 -Subject: [PATCH] Bug 1206564 - skip copying of listeners. r=roc, a=sylvestre - ---HG-- -extra : source : ddd169d6bd65771a6811a3bb223a4a385b101690 ---- - widget/gtk/nsWindow.cpp | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/widget/gtk/nsWindow.cpp b/widget/gtk/nsWindow.cpp -index dd1895b..d8e8e42 100644 ---- a/widget/gtk/nsWindow.cpp -+++ b/widget/gtk/nsWindow.cpp -@@ -461,12 +461,11 @@ nsWindow::DispatchDeactivateEvent(void) - void - nsWindow::DispatchResized(int32_t aWidth, int32_t aHeight) - { -- nsIWidgetListener *listeners[] = -- { mWidgetListener, mAttachedWidgetListener }; -- for (size_t i = 0; i < ArrayLength(listeners); ++i) { -- if (listeners[i]) { -- listeners[i]->WindowResized(this, aWidth, aHeight); -- } -+ if (mWidgetListener) { -+ mWidgetListener->WindowResized(this, aWidth, aHeight); -+ } -+ if (mAttachedWidgetListener) { -+ mAttachedWidgetListener->WindowResized(this, aWidth, aHeight); - } - } - --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch deleted file mode 100644 index 9a77ed908b..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch +++ /dev/null @@ -1,103 +0,0 @@ -From d463cb5f0374bfc7c62ae5f1c89edd3ca35084e5 Mon Sep 17 00:00:00 2001 -From: Olli Pettay -Date: Thu, 24 Sep 2015 03:53:31 +0300 -Subject: [PATCH] Bug 1204669 - optimize out hashtable lookups caused by extra - GetPrototypeBinding call, r=bz,waldo, a=al - ---HG-- -extra : source : 91657db26f49f885f2338cb8c9302cdf18999f1f ---- - dom/xbl/nsXBLPrototypeBinding.h | 9 +++++++-- - dom/xbl/nsXBLService.cpp | 6 +++--- - mfbt/WeakPtr.h | 8 +++++++- - 3 files changed, 17 insertions(+), 6 deletions(-) - -diff --git a/dom/xbl/nsXBLPrototypeBinding.h b/dom/xbl/nsXBLPrototypeBinding.h -index be2cb5a..1aaa07f 100644 ---- a/dom/xbl/nsXBLPrototypeBinding.h -+++ b/dom/xbl/nsXBLPrototypeBinding.h -@@ -17,6 +17,7 @@ - #include "nsXBLProtoImplMethod.h" - #include "nsXBLPrototypeHandler.h" - #include "nsXBLPrototypeResources.h" -+#include "mozilla/WeakPtr.h" - - class nsIAtom; - class nsIContent; -@@ -35,9 +36,12 @@ class CSSStyleSheet; - // Instances of this class are owned by the nsXBLDocumentInfo object returned - // by XBLDocumentInfo(). Consumers who want to refcount things should refcount - // that. --class nsXBLPrototypeBinding final -+class nsXBLPrototypeBinding final : -+ public mozilla::SupportsWeakPtr - { - public: -+ MOZ_DECLARE_WEAKREFERENCE_TYPENAME(nsXBLPrototypeBinding) -+ - nsIContent* GetBindingElement() const { return mBinding; } - void SetBindingElement(nsIContent* aElement); - -@@ -289,7 +293,8 @@ protected: - nsXBLProtoImpl* mImplementation; // Our prototype implementation (includes methods, properties, fields, - // the constructor, and the destructor). - -- nsXBLPrototypeBinding* mBaseBinding; // Weak. The docinfo will own our base binding. -+ // Weak. The docinfo will own our base binding. -+ mozilla::WeakPtr mBaseBinding; - bool mInheritStyle; - bool mCheckedBaseProto; - bool mKeyHandlersRegistered; -diff --git a/dom/xbl/nsXBLService.cpp b/dom/xbl/nsXBLService.cpp -index 2204520..978c6fc 100644 ---- a/dom/xbl/nsXBLService.cpp -+++ b/dom/xbl/nsXBLService.cpp -@@ -732,7 +732,8 @@ nsXBLService::GetBinding(nsIContent* aBoundElement, nsIURI* aURI, - if (!docInfo) - return NS_ERROR_FAILURE; - -- nsXBLPrototypeBinding* protoBinding = docInfo->GetPrototypeBinding(ref); -+ WeakPtr protoBinding = -+ docInfo->GetPrototypeBinding(ref); - - if (!protoBinding) { - #ifdef DEBUG -@@ -783,7 +784,7 @@ nsXBLService::GetBinding(nsIContent* aBoundElement, nsIURI* aURI, - NS_ENSURE_SUCCESS(rv, rv); - - nsCOMPtr baseBindingURI; -- nsXBLPrototypeBinding* baseProto = protoBinding->GetBasePrototype(); -+ WeakPtr baseProto = protoBinding->GetBasePrototype(); - if (baseProto) { - baseBindingURI = baseProto->BindingURI(); - } -@@ -828,7 +829,6 @@ nsXBLService::GetBinding(nsIContent* aBoundElement, nsIURI* aURI, - - if (!aPeekOnly) { - // Make a new binding -- protoBinding = docInfo->GetPrototypeBinding(ref); - NS_ENSURE_STATE(protoBinding); - nsXBLBinding *newBinding = new nsXBLBinding(protoBinding); - -diff --git a/mfbt/WeakPtr.h b/mfbt/WeakPtr.h -index 6e5de43..22ba20e 100644 ---- a/mfbt/WeakPtr.h -+++ b/mfbt/WeakPtr.h -@@ -172,7 +172,13 @@ public: - - WeakPtr& operator=(T* aOther) - { -- return *this = aOther->SelfReferencingWeakPtr(); -+ if (aOther) { -+ *this = aOther->SelfReferencingWeakPtr(); -+ } else if (!mRef || mRef->get()) { -+ // Ensure that mRef is dereferenceable in the uninitialized state. -+ mRef = new WeakReference(nullptr); -+ } -+ return *this; - } - - MOZ_IMPLICIT WeakPtr(T* aOther) --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch deleted file mode 100644 index 4f86629068..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 88312d4d167aba886fdbd563afcfd5cc96a9d813 Mon Sep 17 00:00:00 2001 -From: Boris Zbarsky -Date: Fri, 11 Sep 2015 21:59:43 -0400 -Subject: [PATCH] Bug 1191942 - Make sure to not schedule - requestAnimationFrame callbacks if animations are paused. r=roc, a=ritu - ---HG-- -extra : source : ed8a6af1508ac68a28d017e26935e7a12dbda864 -extra : intermediate-source : 254e3cb723ed279f68b0c88ad30dc35b6a93ce84 ---- - dom/base/nsDocument.cpp | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/dom/base/nsDocument.cpp b/dom/base/nsDocument.cpp -index 47f611e..087501c 100644 ---- a/dom/base/nsDocument.cpp -+++ b/dom/base/nsDocument.cpp -@@ -3928,7 +3928,7 @@ void - nsDocument::DeleteShell() - { - mExternalResourceMap.HideViewers(); -- if (IsEventHandlingEnabled()) { -+ if (IsEventHandlingEnabled() && !AnimationsPaused()) { - RevokeAnimationFrameNotifications(); - } - -@@ -4687,7 +4687,7 @@ nsDocument::SetScriptGlobalObject(nsIScriptGlobalObject *aScriptGlobalObject) - // our layout history state now. - mLayoutHistoryState = GetLayoutHistoryState(); - -- if (mPresShell && !EventHandlingSuppressed()) { -+ if (mPresShell && !EventHandlingSuppressed() && !AnimationsPaused()) { - RevokeAnimationFrameNotifications(); - } - -@@ -10276,7 +10276,8 @@ nsIDocument::ScheduleFrameRequestCallback(const FrameRequestCallbackHolder& aCal - DebugOnly request = - mFrameRequestCallbacks.AppendElement(FrameRequest(aCallback, newHandle)); - NS_ASSERTION(request, "This is supposed to be infallible!"); -- if (!alreadyRegistered && mPresShell && IsEventHandlingEnabled()) { -+ if (!alreadyRegistered && mPresShell && IsEventHandlingEnabled() && -+ !AnimationsPaused()) { - mPresShell->GetPresContext()->RefreshDriver()-> - ScheduleFrameRequestCallbacks(this); - } --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch deleted file mode 100644 index f6f3cd3585..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 97bd3ada2a0ac6eff0e03e6eec8d2012af3bb57d Mon Sep 17 00:00:00 2001 -From: Jan de Mooij -Date: Mon, 28 Sep 2015 13:30:42 +0200 -Subject: [PATCH] Bug 1205707 part 1 - Clean up some is-TypedArrayObject code - in Ion. r=Waldo, a=sylvestre - ---- - js/src/jit/MCallOptimize.cpp | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp -index 7fdede8..2c6a533 100644 ---- a/js/src/jit/MCallOptimize.cpp -+++ b/js/src/jit/MCallOptimize.cpp -@@ -2122,6 +2122,19 @@ IonBuilder::inlineIsTypedArray(CallInfo& callInfo) - return InliningStatus_Inlined; - } - -+static bool -+IsTypedArrayObject(CompilerConstraintList* constraints, MDefinition* def) -+{ -+ MOZ_ASSERT(def->type() == MIRType_Object); -+ -+ TemporaryTypeSet* types = def->resultTypeSet(); -+ if (!types) -+ return false; -+ -+ return types->forAllClasses(constraints, IsTypedArrayClass) == -+ TemporaryTypeSet::ForAllResult::ALL_TRUE; -+} -+ - IonBuilder::InliningStatus - IonBuilder::inlineTypedArrayLength(CallInfo& callInfo) - { -@@ -2132,8 +2145,10 @@ IonBuilder::inlineTypedArrayLength(CallInfo& callInfo) - if (getInlineReturnType() != MIRType_Int32) - return InliningStatus_NotInlined; - -- // We assume that when calling this function we always -- // have a TypedArray. The native asserts that as well. -+ // Note that the argument we see here is not necessarily a typed array. -+ // If it's not, this call should be unreachable though. -+ if (!IsTypedArrayObject(constraints(), callInfo.getArg(0))) -+ return InliningStatus_NotInlined; - - MInstruction* length = addTypedArrayLength(callInfo.getArg(0)); - current->push(length); --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch deleted file mode 100644 index b25f2231a7..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch +++ /dev/null @@ -1,25 +0,0 @@ -From d91a58cb0094d0421439a915be0b4879a45d20d4 Mon Sep 17 00:00:00 2001 -From: Brian Hackett -Date: Mon, 12 Oct 2015 17:15:12 -0600 -Subject: [PATCH] Bug 1209471 - Fix group used for Array.concat result, - r=jandem. a=al - ---- - js/src/jsarray.cpp | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp -index 3d574d5..b4ff057 100644 ---- a/js/src/jsarray.cpp -+++ b/js/src/jsarray.cpp -@@ -2661,6 +2661,7 @@ js::array_concat(JSContext* cx, unsigned argc, Value* vp) - narr = NewDenseEmptyArray(cx); - if (!narr) - return false; -+ TryReuseArrayGroup(aobj, narr); - args.rval().setObject(*narr); - length = 0; - } --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch deleted file mode 100644 index 33dbf68f2c..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch +++ /dev/null @@ -1,461 +0,0 @@ -From 13b2b587c183e85618868752e05ec46bd5a0af86 Mon Sep 17 00:00:00 2001 -From: Jon Coppeard -Date: Tue, 13 Oct 2015 11:09:12 +0200 -Subject: [PATCH] Bug 1208665 - r=Waldo a=abillings a=sylvestre - ---- - js/public/Utility.h | 49 +++++++++++++++++++++++++++++++++++++-------- - js/src/ds/LifoAlloc.h | 13 ++++++------ - js/src/jit/FixedList.h | 10 +++++---- - js/src/jit/JitAllocPolicy.h | 19 ++++++++++-------- - js/src/jit/LIR.cpp | 3 +-- - js/src/jit/MIRGenerator.h | 7 ++++--- - js/src/jit/MIRGraph.cpp | 2 +- - js/src/jsalloc.h | 14 ++++++++++--- - js/src/vm/MallocProvider.h | 39 ++++++++++++++++-------------------- - js/src/vm/Runtime.h | 10 +++++---- - 10 files changed, 105 insertions(+), 61 deletions(-) - -diff --git a/js/public/Utility.h b/js/public/Utility.h -index 40b5d90..6b750c3 100644 ---- a/js/public/Utility.h -+++ b/js/public/Utility.h -@@ -217,6 +217,36 @@ static inline char* js_strdup(const char* s) - - JS_DECLARE_NEW_METHODS(js_new, js_malloc, static MOZ_ALWAYS_INLINE) - -+namespace js { -+ -+/* -+ * Calculate the number of bytes needed to allocate |numElems| contiguous -+ * instances of type |T|. Return false if the calculation overflowed. -+ */ -+template -+MOZ_WARN_UNUSED_RESULT inline bool -+CalculateAllocSize(size_t numElems, size_t* bytesOut) -+{ -+ *bytesOut = numElems * sizeof(T); -+ return (numElems & mozilla::tl::MulOverflowMask::value) == 0; -+} -+ -+/* -+ * Calculate the number of bytes needed to allocate a single instance of type -+ * |T| followed by |numExtra| contiguous instances of type |Extra|. Return -+ * false if the calculation overflowed. -+ */ -+template -+MOZ_WARN_UNUSED_RESULT inline bool -+CalculateAllocSizeWithExtra(size_t numExtra, size_t* bytesOut) -+{ -+ *bytesOut = sizeof(T) + numExtra * sizeof(Extra); -+ return (numExtra & mozilla::tl::MulOverflowMask::value) == 0 && -+ *bytesOut >= sizeof(T); -+} -+ -+} /* namespace js */ -+ - template - static MOZ_ALWAYS_INLINE void - js_delete(T* p) -@@ -242,32 +272,34 @@ template - static MOZ_ALWAYS_INLINE T* - js_pod_malloc() - { -- return (T*)js_malloc(sizeof(T)); -+ return static_cast(js_malloc(sizeof(T))); - } - - template - static MOZ_ALWAYS_INLINE T* - js_pod_calloc() - { -- return (T*)js_calloc(sizeof(T)); -+ return static_cast(js_calloc(sizeof(T))); - } - - template - static MOZ_ALWAYS_INLINE T* - js_pod_malloc(size_t numElems) - { -- if (MOZ_UNLIKELY(numElems & mozilla::tl::MulOverflowMask::value)) -+ size_t bytes; -+ if (MOZ_UNLIKELY(!js::CalculateAllocSize(numElems, &bytes))) - return nullptr; -- return (T*)js_malloc(numElems * sizeof(T)); -+ return static_cast(js_malloc(bytes)); - } - - template - static MOZ_ALWAYS_INLINE T* - js_pod_calloc(size_t numElems) - { -- if (MOZ_UNLIKELY(numElems & mozilla::tl::MulOverflowMask::value)) -+ size_t bytes; -+ if (MOZ_UNLIKELY(!js::CalculateAllocSize(numElems, &bytes))) - return nullptr; -- return (T*)js_calloc(numElems * sizeof(T)); -+ return static_cast(js_calloc(bytes)); - } - - template -@@ -275,9 +307,10 @@ static MOZ_ALWAYS_INLINE T* - js_pod_realloc(T* prior, size_t oldSize, size_t newSize) - { - MOZ_ASSERT(!(oldSize & mozilla::tl::MulOverflowMask::value)); -- if (MOZ_UNLIKELY(newSize & mozilla::tl::MulOverflowMask::value)) -+ size_t bytes; -+ if (MOZ_UNLIKELY(!js::CalculateAllocSize(newSize, &bytes))) - return nullptr; -- return (T*)js_realloc(prior, newSize * sizeof(T)); -+ return static_cast(js_realloc(prior, bytes)); - } - - namespace js { -diff --git a/js/src/ds/LifoAlloc.h b/js/src/ds/LifoAlloc.h -index 9dc68c1..35cdc72 100644 ---- a/js/src/ds/LifoAlloc.h -+++ b/js/src/ds/LifoAlloc.h -@@ -310,9 +310,10 @@ class LifoAlloc - // The caller is responsible for initialization. - template - T* newArrayUninitialized(size_t count) { -- if (MOZ_UNLIKELY(count & mozilla::tl::MulOverflowMask::value)) -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(count, &bytes))) - return nullptr; -- return static_cast(alloc(sizeof(T) * count)); -+ return static_cast(alloc(bytes)); - } - - class Mark { -@@ -527,16 +528,16 @@ class LifoAllocPolicy - {} - template - T* pod_malloc(size_t numElems) { -- if (MOZ_UNLIKELY(numElems & mozilla::tl::MulOverflowMask::value)) -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) - return nullptr; -- size_t bytes = numElems * sizeof(T); - void* p = fb == Fallible ? alloc_.alloc(bytes) : alloc_.allocInfallible(bytes); - return static_cast(p); - } - template - T* pod_calloc(size_t numElems) { - T* p = pod_malloc(numElems); -- if (fb == Fallible && !p) -+ if (MOZ_UNLIKELY(!p)) - return nullptr; - memset(p, 0, numElems * sizeof(T)); - return p; -@@ -544,7 +545,7 @@ class LifoAllocPolicy - template - T* pod_realloc(T* p, size_t oldSize, size_t newSize) { - T* n = pod_malloc(newSize); -- if (fb == Fallible && !n) -+ if (MOZ_UNLIKELY(!n)) - return nullptr; - MOZ_ASSERT(!(oldSize & mozilla::tl::MulOverflowMask::value)); - memcpy(n, p, Min(oldSize * sizeof(T), newSize * sizeof(T))); -diff --git a/js/src/jit/FixedList.h b/js/src/jit/FixedList.h -index 9cea3a8..b6b37bb 100644 ---- a/js/src/jit/FixedList.h -+++ b/js/src/jit/FixedList.h -@@ -37,9 +37,10 @@ class FixedList - if (length == 0) - return true; - -- if (MOZ_UNLIKELY(length & mozilla::tl::MulOverflowMask::value)) -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(length, &bytes))) - return false; -- list_ = (T*)alloc.allocate(length * sizeof(T)); -+ list_ = (T*)alloc.allocate(bytes); - return list_ != nullptr; - } - -@@ -60,9 +61,10 @@ class FixedList - size_t newlength = length_ + num; - if (newlength < length_) - return false; -- if (MOZ_UNLIKELY(newlength & mozilla::tl::MulOverflowMask::value)) -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(newlength, &bytes))) - return false; -- T* list = (T*)alloc.allocate((length_ + num) * sizeof(T)); -+ T* list = (T*)alloc.allocate(bytes); - if (MOZ_UNLIKELY(!list)) - return false; - -diff --git a/js/src/jit/JitAllocPolicy.h b/js/src/jit/JitAllocPolicy.h -index 4bbd1a3..fca4b3f 100644 ---- a/js/src/jit/JitAllocPolicy.h -+++ b/js/src/jit/JitAllocPolicy.h -@@ -48,12 +48,13 @@ class TempAllocator - return p; - } - -- template -- void* allocateArray(size_t n) -+ template -+ T* allocateArray(size_t n) - { -- if (MOZ_UNLIKELY(n & mozilla::tl::MulOverflowMask::value)) -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(n, &bytes))) - return nullptr; -- void* p = lifoScope_.alloc().alloc(n * ElemSize); -+ T* p = static_cast(lifoScope_.alloc().alloc(bytes)); - if (MOZ_UNLIKELY(!ensureBallast())) - return nullptr; - return p; -@@ -79,9 +80,10 @@ class JitAllocPolicy - {} - template - T* pod_malloc(size_t numElems) { -- if (MOZ_UNLIKELY(numElems & mozilla::tl::MulOverflowMask::value)) -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) - return nullptr; -- return static_cast(alloc_.allocate(numElems * sizeof(T))); -+ return static_cast(alloc_.allocate(bytes)); - } - template - T* pod_calloc(size_t numElems) { -@@ -112,9 +114,10 @@ class OldJitAllocPolicy - {} - template - T* pod_malloc(size_t numElems) { -- if (MOZ_UNLIKELY(numElems & mozilla::tl::MulOverflowMask::value)) -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) - return nullptr; -- return static_cast(GetJitContext()->temp->allocate(numElems * sizeof(T))); -+ return static_cast(GetJitContext()->temp->allocate(bytes)); - } - void free_(void* p) { - } -diff --git a/js/src/jit/LIR.cpp b/js/src/jit/LIR.cpp -index 70a3fc0..a76e742 100644 ---- a/js/src/jit/LIR.cpp -+++ b/js/src/jit/LIR.cpp -@@ -105,8 +105,7 @@ LBlock::init(TempAllocator& alloc) - - int numPhis = (phi->type() == MIRType_Value) ? BOX_PIECES : 1; - for (int i = 0; i < numPhis; i++) { -- void* array = alloc.allocateArray(numPreds); -- LAllocation* inputs = static_cast(array); -+ LAllocation* inputs = alloc.allocateArray(numPreds); - if (!inputs) - return false; - -diff --git a/js/src/jit/MIRGenerator.h b/js/src/jit/MIRGenerator.h -index 01de27d..5e6b9ef 100644 ---- a/js/src/jit/MIRGenerator.h -+++ b/js/src/jit/MIRGenerator.h -@@ -60,10 +60,11 @@ class MIRGenerator - } - - template -- T * allocate(size_t count = 1) { -- if (count & mozilla::tl::MulOverflowMask::value) -+ T* allocate(size_t count = 1) { -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(count, &bytes))) - return nullptr; -- return reinterpret_cast(alloc().allocate(sizeof(T) * count)); -+ return static_cast(alloc().allocate(bytes)); - } - - // Set an error state and prints a message. Returns false so errors can be -diff --git a/js/src/jit/MIRGraph.cpp b/js/src/jit/MIRGraph.cpp -index 5d000dca..4c5cf8e 100644 ---- a/js/src/jit/MIRGraph.cpp -+++ b/js/src/jit/MIRGraph.cpp -@@ -297,7 +297,7 @@ MBasicBlock::NewAsmJS(MIRGraph& graph, CompileInfo& info, MBasicBlock* pred, Kin - size_t nphis = block->stackPosition_; - - TempAllocator& alloc = graph.alloc(); -- MPhi* phis = (MPhi*)alloc.allocateArray(nphis); -+ MPhi* phis = alloc.allocateArray(nphis); - if (!phis) - return nullptr; - -diff --git a/js/src/jsalloc.h b/js/src/jsalloc.h -index ce11ade..e20fa5f2 100644 ---- a/js/src/jsalloc.h -+++ b/js/src/jsalloc.h -@@ -53,6 +53,14 @@ class TempAllocPolicy - */ - JS_FRIEND_API(void*) onOutOfMemory(void* p, size_t nbytes); - -+ template -+ T* onOutOfMemoryTyped(void* p, size_t numElems) { -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) -+ return nullptr; -+ return static_cast(onOutOfMemory(p, bytes)); -+ } -+ - public: - MOZ_IMPLICIT TempAllocPolicy(JSContext* cx) : cx_((ContextFriendFields*) cx) {} // :( - MOZ_IMPLICIT TempAllocPolicy(ContextFriendFields* cx) : cx_(cx) {} -@@ -61,7 +69,7 @@ class TempAllocPolicy - T* pod_malloc(size_t numElems) { - T* p = js_pod_malloc(numElems); - if (MOZ_UNLIKELY(!p)) -- p = static_cast(onOutOfMemory(nullptr, numElems * sizeof(T))); -+ p = onOutOfMemoryTyped(nullptr, numElems); - return p; - } - -@@ -69,7 +77,7 @@ class TempAllocPolicy - T* pod_calloc(size_t numElems) { - T* p = js_pod_calloc(numElems); - if (MOZ_UNLIKELY(!p)) -- p = static_cast(onOutOfMemory(reinterpret_cast(1), numElems * sizeof(T))); -+ p = onOutOfMemoryTyped(reinterpret_cast(1), numElems); - return p; - } - -@@ -77,7 +85,7 @@ class TempAllocPolicy - T* pod_realloc(T* prior, size_t oldSize, size_t newSize) { - T* p2 = js_pod_realloc(prior, oldSize, newSize); - if (MOZ_UNLIKELY(!p2)) -- p2 = static_cast(onOutOfMemory(p2, newSize * sizeof(T))); -+ p2 = onOutOfMemoryTyped(p2, newSize); - return p2; - } - -diff --git a/js/src/vm/MallocProvider.h b/js/src/vm/MallocProvider.h -index 1ea4ce2..f334eb1 100644 ---- a/js/src/vm/MallocProvider.h -+++ b/js/src/vm/MallocProvider.h -@@ -64,30 +64,27 @@ struct MallocProvider - client()->updateMallocCounter(numElems * sizeof(T)); - return p; - } -- if (numElems & mozilla::tl::MulOverflowMask::value) { -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) { - client()->reportAllocationOverflow(); - return nullptr; - } -- return (T*)client()->onOutOfMemory(nullptr, numElems * sizeof(T)); -+ return static_cast(client()->onOutOfMemory(nullptr, bytes)); - } - - template - T* pod_malloc_with_extra(size_t numExtra) { -- if (MOZ_UNLIKELY(numExtra & mozilla::tl::MulOverflowMask::value)) { -+ size_t bytes; -+ if (MOZ_UNLIKELY((!CalculateAllocSizeWithExtra(numExtra, &bytes)))) { - client()->reportAllocationOverflow(); - return nullptr; - } -- size_t bytes = sizeof(T) + numExtra * sizeof(U); -- if (MOZ_UNLIKELY(bytes < sizeof(T))) { -- client()->reportAllocationOverflow(); -- return nullptr; -- } -- T* p = reinterpret_cast(js_pod_malloc(bytes)); -+ T* p = static_cast(js_malloc(bytes)); - if (MOZ_LIKELY(p)) { - client()->updateMallocCounter(bytes); - return p; - } -- return (T*)client()->onOutOfMemory(nullptr, bytes); -+ return static_cast(client()->onOutOfMemory(nullptr, bytes)); - } - - template -@@ -108,30 +105,27 @@ struct MallocProvider - client()->updateMallocCounter(numElems * sizeof(T)); - return p; - } -- if (numElems & mozilla::tl::MulOverflowMask::value) { -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(numElems, &bytes))) { - client()->reportAllocationOverflow(); - return nullptr; - } -- return (T*)client()->onOutOfMemory(nullptr, numElems * sizeof(T)); -+ return static_cast(client()->onOutOfMemory(nullptr, bytes)); - } - - template - T* pod_calloc_with_extra(size_t numExtra) { -- if (MOZ_UNLIKELY(numExtra & mozilla::tl::MulOverflowMask::value)) { -- client()->reportAllocationOverflow(); -- return nullptr; -- } -- size_t bytes = sizeof(T) + numExtra * sizeof(U); -- if (MOZ_UNLIKELY(bytes < sizeof(T))) { -+ size_t bytes; -+ if (MOZ_UNLIKELY((!CalculateAllocSizeWithExtra(numExtra, &bytes)))) { - client()->reportAllocationOverflow(); - return nullptr; - } -- T* p = reinterpret_cast(js_pod_calloc(bytes)); -+ T* p = static_cast(js_calloc(bytes)); - if (MOZ_LIKELY(p)) { - client()->updateMallocCounter(bytes); - return p; - } -- return (T*)client()->onOutOfMemory(nullptr, bytes); -+ return static_cast(client()->onOutOfMemory(nullptr, bytes)); - } - - template -@@ -151,11 +145,12 @@ struct MallocProvider - client()->updateMallocCounter((newSize - oldSize) * sizeof(T)); - return p; - } -- if (newSize & mozilla::tl::MulOverflowMask::value) { -+ size_t bytes; -+ if (MOZ_UNLIKELY(!CalculateAllocSize(newSize, &bytes))) { - client()->reportAllocationOverflow(); - return nullptr; - } -- return (T*)client()->onOutOfMemory(prior, newSize * sizeof(T)); -+ return static_cast(client()->onOutOfMemory(prior, bytes)); - } - - JS_DECLARE_NEW_METHODS(new_, pod_malloc, MOZ_ALWAYS_INLINE) -diff --git a/js/src/vm/Runtime.h b/js/src/vm/Runtime.h -index 90771d6..24c34d3 100644 ---- a/js/src/vm/Runtime.h -+++ b/js/src/vm/Runtime.h -@@ -1354,11 +1354,12 @@ struct JSRuntime : public JS::shadow::Runtime, - T* p = pod_calloc(numElems); - if (MOZ_LIKELY(!!p)) - return p; -- if (numElems & mozilla::tl::MulOverflowMask::value) { -+ size_t bytes; -+ if (MOZ_UNLIKELY(!js::CalculateAllocSize(numElems, &bytes))) { - reportAllocationOverflow(); - return nullptr; - } -- return (T*)onOutOfMemoryCanGC(reinterpret_cast(1), numElems * sizeof(T)); -+ return static_cast(onOutOfMemoryCanGC(reinterpret_cast(1), bytes)); - } - - template -@@ -1366,11 +1367,12 @@ struct JSRuntime : public JS::shadow::Runtime, - T* p2 = pod_realloc(p, oldSize, newSize); - if (MOZ_LIKELY(!!p2)) - return p2; -- if (newSize & mozilla::tl::MulOverflowMask::value) { -+ size_t bytes; -+ if (MOZ_UNLIKELY(!js::CalculateAllocSize(newSize, &bytes))) { - reportAllocationOverflow(); - return nullptr; - } -- return (T*)onOutOfMemoryCanGC(p, newSize * sizeof(T)); -+ return static_cast(onOutOfMemoryCanGC(p, bytes)); - } - - /* --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch deleted file mode 100644 index 042188ee9c..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch +++ /dev/null @@ -1,93 +0,0 @@ -From 182bcb255e28b536e2d2a1208fde3324a994dbc1 Mon Sep 17 00:00:00 2001 -From: Benjamin Bouvier -Date: Tue, 13 Oct 2015 19:22:47 +0200 -Subject: [PATCH] Bug 1107011: Propagate recovered on bailout flags when - converting float32 to doubles; r=nbp, a=ritu, a=abillings - ---HG-- -extra : commitid : 51QGWZ84Mqx -extra : amend_source : 48bf9cd43b37c95d61dd4d11b184c307e84a56b5 -extra : histedit_source : ae510534e698e680103f508e0029d75f03f4e6e0%2C1d8eb51e63dd3a52898892976f50747cc3907e65 ---- - js/src/jit-test/tests/ion/bug1107011-1.js | 17 +++++++++++++++++ - js/src/jit-test/tests/ion/bug1107011-2.js | 12 ++++++++++++ - js/src/jit/TypePolicy.cpp | 2 ++ - js/src/jit/ValueNumbering.cpp | 6 ++++++ - 4 files changed, 37 insertions(+) - create mode 100644 js/src/jit-test/tests/ion/bug1107011-1.js - create mode 100644 js/src/jit-test/tests/ion/bug1107011-2.js - -diff --git a/js/src/jit-test/tests/ion/bug1107011-1.js b/js/src/jit-test/tests/ion/bug1107011-1.js -new file mode 100644 -index 0000000..458d7dd ---- /dev/null -+++ b/js/src/jit-test/tests/ion/bug1107011-1.js -@@ -0,0 +1,17 @@ -+var f32 = new Float32Array(32); -+function f(n) { -+ var x; -+ if (n > 10000) { -+ x = 4.5; -+ } else { -+ x = f32[0]; -+ } -+ f32[0] = (function() { -+ for(var f=0;f<4;++f) { -+ x=1; -+ } -+ })() < x; -+} -+for (var n = 0; n < 100; n++) -+ f(n); -+ -diff --git a/js/src/jit-test/tests/ion/bug1107011-2.js b/js/src/jit-test/tests/ion/bug1107011-2.js -new file mode 100644 -index 0000000..d59685e ---- /dev/null -+++ b/js/src/jit-test/tests/ion/bug1107011-2.js -@@ -0,0 +1,12 @@ -+function foo() { -+ var x = 0, y = 0, a = new Float32Array(1); -+ function bar() { -+ x = y; -+ y = a[0]; -+ } -+ for (var i = 0; i < 1000; i++) { -+ bar(); -+ } -+} -+for (var i=0; i < 50; i++) -+ foo(); -diff --git a/js/src/jit/TypePolicy.cpp b/js/src/jit/TypePolicy.cpp -index 4cea638..2510d50 100644 ---- a/js/src/jit/TypePolicy.cpp -+++ b/js/src/jit/TypePolicy.cpp -@@ -22,6 +22,8 @@ EnsureOperandNotFloat32(TempAllocator& alloc, MInstruction* def, unsigned op) - if (in->type() == MIRType_Float32) { - MToDouble* replace = MToDouble::New(alloc, in); - def->block()->insertBefore(def, replace); -+ if (def->isRecoveredOnBailout()) -+ replace->setRecoveredOnBailout(); - def->replaceOperand(op, replace); - } - } -diff --git a/js/src/jit/ValueNumbering.cpp b/js/src/jit/ValueNumbering.cpp -index da3e692..eb367e1 100644 ---- a/js/src/jit/ValueNumbering.cpp -+++ b/js/src/jit/ValueNumbering.cpp -@@ -726,6 +726,12 @@ ValueNumberer::visitDefinition(MDefinition* def) - return true; - } - -+ // Skip optimizations on instructions which are recovered on bailout, to -+ // avoid mixing instructions which are recovered on bailouts with -+ // instructions which are not. -+ if (def->isRecoveredOnBailout()) -+ return true; -+ - // If this instruction has a dependency() into an unreachable block, we'll - // need to update AliasAnalysis. - MInstruction* dep = def->dependency(); --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch deleted file mode 100644 index 6a16b07497..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 544bc596ac085ee1adc0b3d7ea793bc37d747ce2 Mon Sep 17 00:00:00 2001 -From: Carsten Book -Date: Mon, 19 Oct 2015 08:49:46 +0200 -Subject: [PATCH] Bug 1213979 - h2 paket formats. r=hurley, a=al - ---HG-- -extra : source : 551a28778624d4aff67b698952b1b3e011fc21f7 -extra : intermediate-source : ed67ac61d1c0e4a23888abe3abd3f4636757e038 ---- - netwerk/protocol/http/Http2Stream.cpp | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/netwerk/protocol/http/Http2Stream.cpp b/netwerk/protocol/http/Http2Stream.cpp -index 38fc025..340eccf 100644 ---- a/netwerk/protocol/http/Http2Stream.cpp -+++ b/netwerk/protocol/http/Http2Stream.cpp -@@ -629,9 +629,9 @@ Http2Stream::AdjustInitialWindow() - return; - } - -- uint8_t *packet = mTxInlineFrame.get() + mTxInlineFrameUsed; - EnsureBuffer(mTxInlineFrame, mTxInlineFrameUsed + Http2Session::kFrameHeaderBytes + 4, - mTxInlineFrameUsed, mTxInlineFrameSize); -+ uint8_t *packet = mTxInlineFrame.get() + mTxInlineFrameUsed; - mTxInlineFrameUsed += Http2Session::kFrameHeaderBytes + 4; - - mSession->CreateFrameHeader(packet, 4, -@@ -661,9 +661,9 @@ Http2Stream::AdjustPushedPriority() - if (mPushSource->RecvdFin() || mPushSource->RecvdReset()) - return; - -- uint8_t *packet = mTxInlineFrame.get() + mTxInlineFrameUsed; - EnsureBuffer(mTxInlineFrame, mTxInlineFrameUsed + Http2Session::kFrameHeaderBytes + 5, - mTxInlineFrameUsed, mTxInlineFrameSize); -+ uint8_t *packet = mTxInlineFrame.get() + mTxInlineFrameUsed; - mTxInlineFrameUsed += Http2Session::kFrameHeaderBytes + 5; - - mSession->CreateFrameHeader(packet, 5, --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch deleted file mode 100644 index 687eb0af76..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch +++ /dev/null @@ -1,65 +0,0 @@ -From ef6298177a8390c01f5084ba89a808015a0b9473 Mon Sep 17 00:00:00 2001 -From: Gerald Squelart -Date: Thu, 22 Oct 2015 10:00:12 +0200 -Subject: [PATCH] Bug 1204580 - Check box ranges for overflow - r=rillian, a=al - ---- - media/libstagefright/binding/Box.cpp | 21 +++++++++++++++++++-- - 1 file changed, 19 insertions(+), 2 deletions(-) - -diff --git a/media/libstagefright/binding/Box.cpp b/media/libstagefright/binding/Box.cpp -index 71c79ed..2558be0 100644 ---- a/media/libstagefright/binding/Box.cpp -+++ b/media/libstagefright/binding/Box.cpp -@@ -40,6 +40,11 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent) - : mContext(aContext), mParent(aParent) - { - uint8_t header[8]; -+ -+ if (aOffset > INT64_MAX - sizeof(header)) { -+ return; -+ } -+ - MediaByteRange headerRange(aOffset, aOffset + sizeof(header)); - if (mParent && !mParent->mRange.Contains(headerRange)) { - return; -@@ -67,11 +72,14 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent) - uint64_t size = BigEndian::readUint32(header); - if (size == 1) { - uint8_t bigLength[8]; -+ if (aOffset > INT64_MAX - sizeof(header) - sizeof(bigLength)) { -+ return; -+ } - MediaByteRange bigLengthRange(headerRange.mEnd, - headerRange.mEnd + sizeof(bigLength)); - if ((mParent && !mParent->mRange.Contains(bigLengthRange)) || - !byteRange->Contains(bigLengthRange) || -- !mContext->mSource->CachedReadAt(aOffset, bigLength, -+ !mContext->mSource->CachedReadAt(aOffset + sizeof(header), bigLength, - sizeof(bigLength), &bytes) || - bytes != sizeof(bigLength)) { - return; -@@ -82,10 +90,19 @@ Box::Box(BoxContext* aContext, uint64_t aOffset, const Box* aParent) - mBodyOffset = headerRange.mEnd; - } - -+ if (size > INT64_MAX) { -+ return; -+ } -+ int64_t end = static_cast(aOffset) + static_cast(size); -+ if (end < static_cast(aOffset)) { -+ // Overflowed. -+ return; -+ } -+ - mType = BigEndian::readUint32(&header[4]); - mChildOffset = mBodyOffset + BoxOffset(mType); - -- MediaByteRange boxRange(aOffset, aOffset + size); -+ MediaByteRange boxRange(aOffset, end); - if (mChildOffset > boxRange.mEnd || - (mParent && !mParent->mRange.Contains(boxRange)) || - !byteRange->Contains(boxRange)) { --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch deleted file mode 100644 index 43dd17786f..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 7b6c571182661cfffa0987c1a88a2cb5a3230bcd Mon Sep 17 00:00:00 2001 -From: Georg Fritzsche -Date: Tue, 18 Aug 2015 19:21:40 +0200 -Subject: [PATCH] Bug 1193038 - Purposely leak StatisticsReport object and - suppress the leak report. r=glandium,mccr8,njn, a=lizzard - ---HG-- -extra : source : 346b9ee524d1a704ea953ef16237f3d0c7ee56d1 -extra : intermediate-source : 48b17faad125691454ebba9bdef0a5def9128f11 ---- - build/valgrind/cross-architecture.sup | 9 +++++++++ - toolkit/xre/nsAppRunner.cpp | 22 +++++++++++++++------- - 2 files changed, 24 insertions(+), 7 deletions(-) - -diff --git a/build/valgrind/cross-architecture.sup b/build/valgrind/cross-architecture.sup -index 9215d3b..1e9d7ab 100644 ---- a/build/valgrind/cross-architecture.sup -+++ b/build/valgrind/cross-architecture.sup -@@ -34,6 +34,15 @@ - fun:_ZN13CrashReporter14SetupExtraDataEP7nsIFileRK19nsACString_internal - ... - } -+{ -+ We purposely leak the StatisticsReporter object -+ Memcheck:Leak -+ fun:malloc -+ fun:moz_xmalloc -+ fun:operator new -+ fun:_Z21XRE_CreateStatsObjectv -+ ... -+} - - #################################### - # Leaks in third party libraries # -diff --git a/toolkit/xre/nsAppRunner.cpp b/toolkit/xre/nsAppRunner.cpp -index 5334a05..037aeac 100644 ---- a/toolkit/xre/nsAppRunner.cpp -+++ b/toolkit/xre/nsAppRunner.cpp -@@ -20,6 +20,7 @@ - #include "mozilla/Poison.h" - #include "mozilla/Preferences.h" - #include "mozilla/Telemetry.h" -+#include "mozilla/MemoryChecking.h" - - #include "nsAppRunner.h" - #include "mozilla/AppData.h" -@@ -3004,7 +3005,6 @@ public: - - ~XREMain() { - mScopedXPCOM = nullptr; -- mStatisticsRecorder = nullptr; - mAppData = nullptr; - } - -@@ -3023,7 +3023,6 @@ public: - #endif - - UniquePtr mScopedXPCOM; -- UniquePtr mStatisticsRecorder; - nsAutoPtr mAppData; - - nsXREDirProvider mDirProvider; -@@ -4268,10 +4267,6 @@ XREMain::XRE_main(int argc, char* argv[], const nsXREAppData* aAppData) - - NS_ENSURE_TRUE(aAppData, 2); - -- // A initializer to initialize histogram collection, a chromium -- // thing used by Telemetry. -- mStatisticsRecorder = MakeUnique(); -- - mAppData = new ScopedAppData(aAppData); - if (!mAppData) - return 1; -@@ -4345,7 +4340,6 @@ XREMain::XRE_main(int argc, char* argv[], const nsXREAppData* aAppData) - } - - mScopedXPCOM = nullptr; -- mStatisticsRecorder = nullptr; - - // unlock the profile after ScopedXPCOMStartup object (xpcom) - // has gone out of scope. see bug #386739 for more details -@@ -4531,11 +4525,25 @@ XRE_StopLateWriteChecks(void) { - mozilla::StopLateWriteChecks(); - } - -+// Separate stub function to let us specifically suppress it in Valgrind -+void -+XRE_CreateStatsObject() -+{ -+ // A initializer to initialize histogram collection, a chromium -+ // thing used by Telemetry (and effectively a global; it's all static). -+ // Note: purposely leaked -+ base::StatisticsRecorder* statistics_recorder = new base::StatisticsRecorder(); -+ MOZ_LSAN_INTENTIONALLY_LEAK_OBJECT(statistics_recorder); -+ unused << statistics_recorder; -+} -+ - int - XRE_main(int argc, char* argv[], const nsXREAppData* aAppData, uint32_t aFlags) - { - #if !defined(MOZ_METRO) || !defined(XP_WIN) - XREMain main; -+ -+ XRE_CreateStatsObject(); - int result = main.XRE_main(argc, argv, aAppData); - mozilla::RecordShutdownEndTimeStamp(); - return result; --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch deleted file mode 100644 index c4b326b9ed..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch +++ /dev/null @@ -1,42 +0,0 @@ -From 72185a2795d4627203970e3c17fd9b3a6944edc6 Mon Sep 17 00:00:00 2001 -From: "Nicolas B. Pierron" -Date: Thu, 15 Oct 2015 10:57:39 +0200 -Subject: [PATCH] Bug 1204700 - ARM: Use a different scratch register for - store32. r=sstangl, a=lizzard - ---HG-- -extra : commitid : 8itRSfm5tEh -extra : source : ebafbc7c1a870499159cdd2ee91573f1b52c728a ---- - js/src/jit/arm/MacroAssembler-arm.cpp | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/js/src/jit/arm/MacroAssembler-arm.cpp b/js/src/jit/arm/MacroAssembler-arm.cpp -index 7b8c06e..c8030bb 100644 ---- a/js/src/jit/arm/MacroAssembler-arm.cpp -+++ b/js/src/jit/arm/MacroAssembler-arm.cpp -@@ -2487,8 +2487,8 @@ MacroAssemblerARMCompat::store32(Imm32 src, const Address& address) - void - MacroAssemblerARMCompat::store32(Imm32 imm, const BaseIndex& dest) - { -- ma_mov(imm, secondScratchReg_); -- store32(secondScratchReg_, dest); -+ ma_mov(imm, ScratchRegister); -+ store32(ScratchRegister, dest); - } - - void -@@ -2498,8 +2498,8 @@ MacroAssemblerARMCompat::store32(Register src, const BaseIndex& dest) - uint32_t scale = Imm32::ShiftOf(dest.scale).value; - - if (dest.offset != 0) { -- ma_add(base, Imm32(dest.offset), ScratchRegister); -- base = ScratchRegister; -+ ma_add(base, Imm32(dest.offset), secondScratchReg_); -+ base = secondScratchReg_; - } - ma_str(src, DTRAddr(base, DtrRegImmShift(dest.index, LSL, scale))); - } --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7188.patch b/gnu/packages/patches/icecat-CVE-2015-7188.patch deleted file mode 100644 index 15e26e3a6e..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7188.patch +++ /dev/null @@ -1,143 +0,0 @@ -From 23e5bd6ffab4b6fa17a92d0bc58fbd185e9a7e6e Mon Sep 17 00:00:00 2001 -From: Valentin Gosu -Date: Tue, 13 Oct 2015 11:10:26 +0200 -Subject: [PATCH] Bug 1199430 - Reject hostnames containing @. r=mcmanus, a=al - ---- - docshell/test/unit/test_nsDefaultURIFixup_info.js | 16 ++++++------ - netwerk/base/nsStandardURL.cpp | 30 ++++++++++++++--------- - netwerk/base/nsStandardURL.h | 2 +- - 3 files changed, 27 insertions(+), 21 deletions(-) - -diff --git a/docshell/test/unit/test_nsDefaultURIFixup_info.js b/docshell/test/unit/test_nsDefaultURIFixup_info.js -index b178ea9..dbb55c6 100644 ---- a/docshell/test/unit/test_nsDefaultURIFixup_info.js -+++ b/docshell/test/unit/test_nsDefaultURIFixup_info.js -@@ -199,12 +199,10 @@ let testcases = [ { - protocolChange: true - }, { - input: "[::1][100", -- fixedURI: "http://[::1][100/", -- alternateURI: "http://[::1][100/", -+ fixedURI: null, -+ alternateURI: null, - keywordLookup: true, -- protocolChange: true, -- affectedByWhitelist: true, -- affectedByDNSForSingleHosts: true, -+ protocolChange: true - }, { - input: "[::1]]", - keywordLookup: true, -@@ -514,15 +512,15 @@ if (Services.appinfo.OS.toLowerCase().startsWith("win")) { - input: "//mozilla", - fixedURI: "file:////mozilla", - protocolChange: true, -- }); -+ }); // \ is an invalid character in the hostname until bug 652186 is implemented - testcases.push({ - input: "mozilla\\", -- fixedURI: "http://mozilla\\/", -- alternateURI: "http://www.mozilla/", -+ // fixedURI: "http://mozilla\\/", -+ // alternateURI: "http://www.mozilla/", - keywordLookup: true, - protocolChange: true, - affectedByWhitelist: true, -- affectedByDNSForSingleHosts: true, -+ // affectedByDNSForSingleHosts: true, - }); - } - -diff --git a/netwerk/base/nsStandardURL.cpp b/netwerk/base/nsStandardURL.cpp -index f5f516f..cff90fc 100644 ---- a/netwerk/base/nsStandardURL.cpp -+++ b/netwerk/base/nsStandardURL.cpp -@@ -427,14 +427,16 @@ nsStandardURL::NormalizeIDN(const nsCSubstring &host, nsCString &result) - } - - bool --nsStandardURL::ValidIPv6orHostname(const char *host) -+nsStandardURL::ValidIPv6orHostname(const char *host, uint32_t length) - { -- if (!host || !*host) { -- // Should not be NULL or empty string -+ if (!host) { - return false; - } - -- int32_t length = strlen(host); -+ if (length != strlen(host)) { -+ // Embedded null -+ return false; -+ } - - bool openBracket = host[0] == '['; - bool closeBracket = host[length - 1] == ']'; -@@ -448,8 +450,9 @@ nsStandardURL::ValidIPv6orHostname(const char *host) - return false; - } - -- if (PL_strchr(host, ':')) { -- // Hostnames should not contain a colon -+ const char *end = host + length; -+ if (end != net_FindCharInSet(host, end, "\t\n\v\f\r #/:?@[\\]")) { -+ // % is allowed because we don't do hostname percent decoding yet. - return false; - } - -@@ -587,6 +590,11 @@ nsStandardURL::BuildNormalizedSpec(const char *spec) - approxLen += encHost.Length(); - else - approxLen += mHost.mLen; -+ -+ if ((useEncHost && !ValidIPv6orHostname(encHost.BeginReading(), encHost.Length())) || -+ (!useEncHost && !ValidIPv6orHostname(tempHost.BeginReading(), tempHost.Length()))) { -+ return NS_ERROR_MALFORMED_URI; -+ } - } - - // -@@ -1580,14 +1588,10 @@ nsStandardURL::SetHost(const nsACString &input) - if (strchr(host, ' ')) - return NS_ERROR_MALFORMED_URI; - -- if (!ValidIPv6orHostname(host)) { -- return NS_ERROR_MALFORMED_URI; -- } -- - InvalidateCache(); - mHostEncoding = eEncoding_ASCII; - -- int32_t len; -+ uint32_t len; - nsAutoCString hostBuf; - if (NormalizeIDN(flat, hostBuf)) { - host = hostBuf.get(); -@@ -1596,6 +1600,10 @@ nsStandardURL::SetHost(const nsACString &input) - else - len = flat.Length(); - -+ if (!ValidIPv6orHostname(host, len)) { -+ return NS_ERROR_MALFORMED_URI; -+ } -+ - if (mHost.mLen < 0) { - int port_length = 0; - if (mPort != -1) { -diff --git a/netwerk/base/nsStandardURL.h b/netwerk/base/nsStandardURL.h -index 179a618..c56426e 100644 ---- a/netwerk/base/nsStandardURL.h -+++ b/netwerk/base/nsStandardURL.h -@@ -173,7 +173,7 @@ private: - void Clear(); - void InvalidateCache(bool invalidateCachedFile = true); - -- bool ValidIPv6orHostname(const char *host); -+ bool ValidIPv6orHostname(const char *host, uint32_t aLen); - bool NormalizeIDN(const nsCSubstring &host, nsCString &result); - void CoalescePath(netCoalesceFlags coalesceFlag, char *path); - --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7189.patch b/gnu/packages/patches/icecat-CVE-2015-7189.patch deleted file mode 100644 index 329d1b6f1f..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7189.patch +++ /dev/null @@ -1,143 +0,0 @@ -From 377e1cefec0fcf230caafb97b4414c835d27c7fe Mon Sep 17 00:00:00 2001 -From: Milan Sreckovic -Date: Fri, 2 Oct 2015 09:18:26 +0200 -Subject: [PATCH] Bug 1205900 - Compare context and canvas element sizes before - extracting the data. r=gwright, a=al - ---HG-- -extra : source : f6c99c8baa9b0b6a34d6791e5d4031a2de8f2087 ---- - dom/canvas/CanvasRenderingContext2D.cpp | 2 -- - dom/canvas/CanvasRenderingContext2D.h | 7 +++---- - dom/canvas/WebGLContext.cpp | 2 -- - dom/canvas/WebGLContext.h | 3 +-- - dom/canvas/nsICanvasRenderingContextInternal.h | 8 +++----- - dom/html/HTMLCanvasElement.cpp | 13 +++++++------ - 6 files changed, 14 insertions(+), 21 deletions(-) - -diff --git a/dom/canvas/CanvasRenderingContext2D.cpp b/dom/canvas/CanvasRenderingContext2D.cpp -index d9eaf99..a06fbce 100644 ---- a/dom/canvas/CanvasRenderingContext2D.cpp -+++ b/dom/canvas/CanvasRenderingContext2D.cpp -@@ -1418,7 +1418,6 @@ CanvasRenderingContext2D::EnsureTarget(RenderingMode aRenderingMode) - return mode; - } - --#ifdef DEBUG - int32_t - CanvasRenderingContext2D::GetWidth() const - { -@@ -1430,7 +1429,6 @@ CanvasRenderingContext2D::GetHeight() const - { - return mHeight; - } --#endif - - NS_IMETHODIMP - CanvasRenderingContext2D::SetDimensions(int32_t width, int32_t height) -diff --git a/dom/canvas/CanvasRenderingContext2D.h b/dom/canvas/CanvasRenderingContext2D.h -index af29c78..e853987 100644 ---- a/dom/canvas/CanvasRenderingContext2D.h -+++ b/dom/canvas/CanvasRenderingContext2D.h -@@ -481,10 +481,9 @@ public: - - nsresult Redraw(); - --#ifdef DEBUG -- virtual int32_t GetWidth() const override; -- virtual int32_t GetHeight() const override; --#endif -+ virtual int32_t GetWidth() const override; -+ virtual int32_t GetHeight() const override; -+ - // nsICanvasRenderingContextInternal - /** - * Gets the pres shell from either the canvas element or the doc shell -diff --git a/dom/canvas/WebGLContext.cpp b/dom/canvas/WebGLContext.cpp -index 1c22c27..f2a620a 100644 ---- a/dom/canvas/WebGLContext.cpp -+++ b/dom/canvas/WebGLContext.cpp -@@ -463,7 +463,6 @@ WebGLContext::SetContextOptions(JSContext* cx, JS::Handle options) - return NS_OK; - } - --#ifdef DEBUG - int32_t - WebGLContext::GetWidth() const - { -@@ -475,7 +474,6 @@ WebGLContext::GetHeight() const - { - return mHeight; - } --#endif - - /* So there are a number of points of failure here. We might fail based - * on EGL vs. WGL, or we might fail to alloc a too-large size, or we -diff --git a/dom/canvas/WebGLContext.h b/dom/canvas/WebGLContext.h -index 63c4091..210f341 100644 ---- a/dom/canvas/WebGLContext.h -+++ b/dom/canvas/WebGLContext.h -@@ -202,10 +202,9 @@ public: - NS_DECL_NSIDOMWEBGLRENDERINGCONTEXT - - // nsICanvasRenderingContextInternal --#ifdef DEBUG - virtual int32_t GetWidth() const override; - virtual int32_t GetHeight() const override; --#endif -+ - NS_IMETHOD SetDimensions(int32_t width, int32_t height) override; - NS_IMETHOD InitializeWithSurface(nsIDocShell*, gfxASurface*, int32_t, - int32_t) override -diff --git a/dom/canvas/nsICanvasRenderingContextInternal.h b/dom/canvas/nsICanvasRenderingContextInternal.h -index 3b1120f..fb1ef7c 100644 ---- a/dom/canvas/nsICanvasRenderingContextInternal.h -+++ b/dom/canvas/nsICanvasRenderingContextInternal.h -@@ -81,11 +81,9 @@ public: - return mCanvasElement; - } - --#ifdef DEBUG -- // Useful for testing -- virtual int32_t GetWidth() const = 0; -- virtual int32_t GetHeight() const = 0; --#endif -+ // Dimensions of the canvas, in pixels. -+ virtual int32_t GetWidth() const = 0; -+ virtual int32_t GetHeight() const = 0; - - // Sets the dimensions of the canvas, in pixels. Called - // whenever the size of the element changes. -diff --git a/dom/html/HTMLCanvasElement.cpp b/dom/html/HTMLCanvasElement.cpp -index f326662..68649f5 100644 ---- a/dom/html/HTMLCanvasElement.cpp -+++ b/dom/html/HTMLCanvasElement.cpp -@@ -526,18 +526,19 @@ HTMLCanvasElement::ToBlob(JSContext* aCx, - return; - } - --#ifdef DEBUG - if (mCurrentContext) { - // We disallow canvases of width or height zero, and set them to 1, so - // we will have a discrepancy with the sizes of the canvas and the context. - // That discrepancy is OK, the rest are not. - nsIntSize elementSize = GetWidthHeight(); -- MOZ_ASSERT(elementSize.width == mCurrentContext->GetWidth() || -- (elementSize.width == 0 && mCurrentContext->GetWidth() == 1)); -- MOZ_ASSERT(elementSize.height == mCurrentContext->GetHeight() || -- (elementSize.height == 0 && mCurrentContext->GetHeight() == 1)); -+ if ((elementSize.width != mCurrentContext->GetWidth() && -+ (elementSize.width != 0 || mCurrentContext->GetWidth() != 1)) || -+ (elementSize.height != mCurrentContext->GetHeight() && -+ (elementSize.height != 0 || mCurrentContext->GetHeight() != 1))) { -+ aRv.Throw(NS_ERROR_FAILURE); -+ return; -+ } - } --#endif - - uint8_t* imageBuffer = nullptr; - int32_t format = 0; --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7193.patch b/gnu/packages/patches/icecat-CVE-2015-7193.patch deleted file mode 100644 index 798799de9f..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7193.patch +++ /dev/null @@ -1,397 +0,0 @@ -From d135e3b3c48811c577e1632a41c5c50bc55c035c Mon Sep 17 00:00:00 2001 -From: Ehsan Akhgari -Date: Tue, 20 Oct 2015 11:40:12 +0200 -Subject: [PATCH] Bug 1210302 - Add a NS_ParseRequestContentType API; ba=al, - r=mcmanus, r=sicking, a=al - ---HG-- -extra : amend_source : d93021b626709b03f6499029dc3d1813cccba386 ---- - docshell/base/nsDocShell.cpp | 2 +- - dom/base/Navigator.cpp | 4 +-- - dom/base/nsContentUtils.cpp | 2 +- - dom/html/nsHTMLDocument.cpp | 2 +- - dom/manifest/ManifestProcessor.jsm | 6 ++-- - netwerk/base/moz.build | 1 + - netwerk/base/nsINetUtil_ESR_38.idl | 14 +++++++++ - netwerk/base/nsIOService.cpp | 12 ++++++++ - netwerk/base/nsIOService.h | 3 ++ - netwerk/base/nsNetUtil.h | 21 +++++++++++++ - netwerk/base/nsURLHelper.cpp | 60 +++++++++++++++++++++++++++++++++++--- - netwerk/base/nsURLHelper.h | 32 +++++++++++++++----- - 12 files changed, 139 insertions(+), 20 deletions(-) - create mode 100644 netwerk/base/nsINetUtil_ESR_38.idl - -diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp -index bcc205c..4fc7c34 100644 ---- a/docshell/base/nsDocShell.cpp -+++ b/docshell/base/nsDocShell.cpp -@@ -13519,7 +13519,7 @@ nsDocShell::OnLinkClickSync(nsIContent* aContent, - anchor->GetType(typeHint); - NS_ConvertUTF16toUTF8 utf8Hint(typeHint); - nsAutoCString type, dummy; -- NS_ParseContentType(utf8Hint, type, dummy); -+ NS_ParseRequestContentType(utf8Hint, type, dummy); - CopyUTF8toUTF16(type, typeHint); - } - -diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp -index f4ea502..7288420 100644 ---- a/dom/base/Navigator.cpp -+++ b/dom/base/Navigator.cpp -@@ -1221,9 +1221,9 @@ Navigator::SendBeacon(const nsAString& aUrl, - rv = secMan->CheckSameOriginURI(documentURI, uri, false); - bool crossOrigin = NS_FAILED(rv); - nsAutoCString contentType, parsedCharset; -- rv = NS_ParseContentType(mimeType, contentType, parsedCharset); -+ rv = NS_ParseRequestContentType(mimeType, contentType, parsedCharset); - if (crossOrigin && -- contentType.Length() > 0 && -+ mimeType.Length() > 0 && - !contentType.Equals(APPLICATION_WWW_FORM_URLENCODED) && - !contentType.Equals(MULTIPART_FORM_DATA) && - !contentType.Equals(TEXT_PLAIN)) { -diff --git a/dom/base/nsContentUtils.cpp b/dom/base/nsContentUtils.cpp -index 5e8dbd6..686f7bf 100644 ---- a/dom/base/nsContentUtils.cpp -+++ b/dom/base/nsContentUtils.cpp -@@ -7001,7 +7001,7 @@ nsContentUtils::IsAllowedNonCorsContentType(const nsACString& aHeaderValue) - nsAutoCString contentType; - nsAutoCString unused; - -- nsresult rv = NS_ParseContentType(aHeaderValue, contentType, unused); -+ nsresult rv = NS_ParseRequestContentType(aHeaderValue, contentType, unused); - if (NS_FAILED(rv)) { - return false; - } -diff --git a/dom/html/nsHTMLDocument.cpp b/dom/html/nsHTMLDocument.cpp -index 7481109..d195792 100644 ---- a/dom/html/nsHTMLDocument.cpp -+++ b/dom/html/nsHTMLDocument.cpp -@@ -1422,7 +1422,7 @@ nsHTMLDocument::Open(JSContext* cx, - nsAutoString type; - nsContentUtils::ASCIIToLower(aType, type); - nsAutoCString actualType, dummy; -- NS_ParseContentType(NS_ConvertUTF16toUTF8(type), actualType, dummy); -+ NS_ParseRequestContentType(NS_ConvertUTF16toUTF8(type), actualType, dummy); - if (!actualType.EqualsLiteral("text/html") && - !type.EqualsLiteral("replace")) { - contentType.AssignLiteral("text/plain"); -diff --git a/dom/manifest/ManifestProcessor.jsm b/dom/manifest/ManifestProcessor.jsm -index b6df920..f16881a 100644 ---- a/dom/manifest/ManifestProcessor.jsm -+++ b/dom/manifest/ManifestProcessor.jsm -@@ -31,7 +31,7 @@ const imports = {}; - Cu.import('resource://gre/modules/Services.jsm', imports); - Cu.importGlobalProperties(['URL']); - const securityManager = imports.Services.scriptSecurityManager; --const netutil = Cc['@mozilla.org/network/util;1'].getService(Ci.nsINetUtil); -+const netutil = Cc['@mozilla.org/network/util;1'].getService(Ci.nsINetUtil_ESR_38); - const defaultDisplayMode = 'browser'; - const displayModes = new Set([ - 'fullscreen', -@@ -258,7 +258,7 @@ this.ManifestProcessor.prototype.process = function({ - }; - let value = extractValue(obj), - isParsable = (typeof value === 'string' && value.length > 0); -- value = (isParsable) ? netutil.parseContentType(value.trim(), charset, hadCharset) : undefined; -+ value = (isParsable) ? netutil.parseRequestContentType(value.trim(), charset, hadCharset) : undefined; - return (value === '') ? undefined : value; - } - -@@ -354,4 +354,4 @@ this.ManifestProcessor.prototype.process = function({ - }; - processedManifest.scope = processScopeMember(manifest, manifestURL, docURL, processedManifest.start_url); - return processedManifest; --}; -\ No newline at end of file -+}; -diff --git a/netwerk/base/moz.build b/netwerk/base/moz.build -index 877365b..deedf76 100644 ---- a/netwerk/base/moz.build -+++ b/netwerk/base/moz.build -@@ -59,6 +59,7 @@ XPIDL_SOURCES += [ - 'nsINestedURI.idl', - 'nsINetAddr.idl', - 'nsINetUtil.idl', -+ 'nsINetUtil_ESR_38.idl', - 'nsINetworkInterceptController.idl', - 'nsINetworkLinkService.idl', - 'nsINetworkPredictor.idl', -diff --git a/netwerk/base/nsINetUtil_ESR_38.idl b/netwerk/base/nsINetUtil_ESR_38.idl -new file mode 100644 -index 0000000..7ef40e9 ---- /dev/null -+++ b/netwerk/base/nsINetUtil_ESR_38.idl -@@ -0,0 +1,14 @@ -+/* -*- Mode: C++; tab-width: 2; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ -+/* This Source Code Form is subject to the terms of the Mozilla Public -+ * License, v. 2.0. If a copy of the MPL was not distributed with this -+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ -+ -+#include "nsISupports.idl" -+ -+[scriptable, uuid(e82f2b9d-8bac-48bb-ade7-26a7cd4fb894)] -+interface nsINetUtil_ESR_38 : nsISupports -+{ -+ AUTF8String parseRequestContentType(in AUTF8String aTypeHeader, -+ out AUTF8String aCharset, -+ out boolean aHadCharset); -+}; -diff --git a/netwerk/base/nsIOService.cpp b/netwerk/base/nsIOService.cpp -index 83db86f..9a17e8b 100644 ---- a/netwerk/base/nsIOService.cpp -+++ b/netwerk/base/nsIOService.cpp -@@ -321,6 +321,7 @@ NS_IMPL_ISUPPORTS(nsIOService, - nsIIOService, - nsIIOService2, - nsINetUtil, -+ nsINetUtil_ESR_38, - nsISpeculativeConnect, - nsIObserver, - nsISupportsWeakReference) -@@ -1280,6 +1281,17 @@ nsIOService::Observe(nsISupports *subject, - - // nsINetUtil interface - NS_IMETHODIMP -+nsIOService::ParseRequestContentType(const nsACString &aTypeHeader, -+ nsACString &aCharset, -+ bool *aHadCharset, -+ nsACString &aContentType) -+{ -+ net_ParseRequestContentType(aTypeHeader, aContentType, aCharset, aHadCharset); -+ return NS_OK; -+} -+ -+// nsINetUtil interface -+NS_IMETHODIMP - nsIOService::ParseContentType(const nsACString &aTypeHeader, - nsACString &aCharset, - bool *aHadCharset, -diff --git a/netwerk/base/nsIOService.h b/netwerk/base/nsIOService.h -index acd501c..b125709 100644 ---- a/netwerk/base/nsIOService.h -+++ b/netwerk/base/nsIOService.h -@@ -14,6 +14,7 @@ - #include "nsIObserver.h" - #include "nsWeakReference.h" - #include "nsINetUtil.h" -+#include "nsINetUtil_ESR_38.h" - #include "nsIChannelEventSink.h" - #include "nsCategoryCache.h" - #include "nsISpeculativeConnect.h" -@@ -47,6 +48,7 @@ namespace net { - class nsIOService final : public nsIIOService2 - , public nsIObserver - , public nsINetUtil -+ , public nsINetUtil_ESR_38 - , public nsISpeculativeConnect - , public nsSupportsWeakReference - { -@@ -56,6 +58,7 @@ public: - NS_DECL_NSIIOSERVICE2 - NS_DECL_NSIOBSERVER - NS_DECL_NSINETUTIL -+ NS_DECL_NSINETUTIL_ESR_38 - NS_DECL_NSISPECULATIVECONNECT - - // Gets the singleton instance of the IO Service, creating it as needed -diff --git a/netwerk/base/nsNetUtil.h b/netwerk/base/nsNetUtil.h -index ec69716..df8874c 100644 ---- a/netwerk/base/nsNetUtil.h -+++ b/netwerk/base/nsNetUtil.h -@@ -56,6 +56,7 @@ - #include "nsISyncStreamListener.h" - #include "nsInterfaceRequestorAgg.h" - #include "nsINetUtil.h" -+#include "nsINetUtil_ESR_38.h" - #include "nsIURIWithPrincipal.h" - #include "nsIAuthPrompt.h" - #include "nsIAuthPrompt2.h" -@@ -1228,6 +1229,26 @@ NS_GetReferrerFromChannel(nsIChannel *channel, - } - - inline nsresult -+NS_ParseRequestContentType(const nsACString &rawContentType, -+ nsCString &contentType, -+ nsCString &contentCharset) -+{ -+ // contentCharset is left untouched if not present in rawContentType -+ nsresult rv; -+ nsCOMPtr util = do_GetNetUtil(&rv); -+ NS_ENSURE_SUCCESS(rv, rv); -+ nsCOMPtr utilESR38 = do_QueryInterface(util, &rv); -+ NS_ENSURE_SUCCESS(rv, rv); -+ nsCString charset; -+ bool hadCharset; -+ rv = utilESR38->ParseRequestContentType(rawContentType, charset, &hadCharset, -+ contentType); -+ if (NS_SUCCEEDED(rv) && hadCharset) -+ contentCharset = charset; -+ return rv; -+} -+ -+inline nsresult - NS_ParseContentType(const nsACString &rawContentType, - nsCString &contentType, - nsCString &contentCharset) -diff --git a/netwerk/base/nsURLHelper.cpp b/netwerk/base/nsURLHelper.cpp -index 10ea849..cdb2120 100644 ---- a/netwerk/base/nsURLHelper.cpp -+++ b/netwerk/base/nsURLHelper.cpp -@@ -803,7 +803,8 @@ net_ParseMediaType(const nsACString &aMediaTypeStr, - int32_t aOffset, - bool *aHadCharset, - int32_t *aCharsetStart, -- int32_t *aCharsetEnd) -+ int32_t *aCharsetEnd, -+ bool aStrict) - { - const nsCString& flatStr = PromiseFlatCString(aMediaTypeStr); - const char* start = flatStr.get(); -@@ -820,6 +821,8 @@ net_ParseMediaType(const nsACString &aMediaTypeStr, - int32_t charsetParamStart = 0; - int32_t charsetParamEnd = 0; - -+ uint32_t consumed = typeEnd - type; -+ - // Iterate over parameters - bool typeHasCharset = false; - uint32_t paramStart = flatStr.FindChar(';', typeEnd - start); -@@ -843,6 +846,7 @@ net_ParseMediaType(const nsACString &aMediaTypeStr, - charsetParamEnd = curParamEnd; - } - -+ consumed = curParamEnd; - curParamStart = curParamEnd + 1; - } while (curParamStart < flatStr.Length()); - } -@@ -872,8 +876,10 @@ net_ParseMediaType(const nsACString &aMediaTypeStr, - // some servers give junk after the charset parameter, which may - // include a comma, so this check makes us a bit more tolerant. - -- if (type != typeEnd && strncmp(type, "*/*", typeEnd - type) != 0 && -- memchr(type, '/', typeEnd - type) != nullptr) { -+ if (type != typeEnd && -+ memchr(type, '/', typeEnd - type) != nullptr && -+ (aStrict ? (net_FindCharNotInSet(start + consumed, end, HTTP_LWS) == end) : -+ (strncmp(type, "*/*", typeEnd - type) != 0))) { - // Common case here is that aContentType is empty - bool eq = !aContentType.IsEmpty() && - aContentType.Equals(Substring(type, typeEnd), -@@ -980,13 +986,59 @@ net_ParseContentType(const nsACString &aHeaderStr, - net_ParseMediaType(Substring(flatStr, curTypeStart, - curTypeEnd - curTypeStart), - aContentType, aContentCharset, curTypeStart, -- aHadCharset, aCharsetStart, aCharsetEnd); -+ aHadCharset, aCharsetStart, aCharsetEnd, false); - - // And let's move on to the next media-type - curTypeStart = curTypeEnd + 1; - } while (curTypeStart < flatStr.Length()); - } - -+void -+net_ParseRequestContentType(const nsACString &aHeaderStr, -+ nsACString &aContentType, -+ nsACString &aContentCharset, -+ bool *aHadCharset) -+{ -+ // -+ // Augmented BNF (from RFC 7231 section 3.1.1.1): -+ // -+ // media-type = type "/" subtype *( OWS ";" OWS parameter ) -+ // type = token -+ // subtype = token -+ // parameter = token "=" ( token / quoted-string ) -+ // -+ // Examples: -+ // -+ // text/html -+ // text/html; charset=ISO-8859-1 -+ // text/html; charset="ISO-8859-1" -+ // application/octet-stream -+ // -+ -+ aContentType.Truncate(); -+ aContentCharset.Truncate(); -+ *aHadCharset = false; -+ const nsCString& flatStr = PromiseFlatCString(aHeaderStr); -+ -+ // At this point curTypeEnd points to the spot where the media-type -+ // starting at curTypeEnd ends. Time to parse that! -+ nsAutoCString contentType, contentCharset; -+ bool hadCharset = false; -+ int32_t dummy1, dummy2; -+ uint32_t typeEnd = net_FindMediaDelimiter(flatStr, 0, ','); -+ if (typeEnd != flatStr.Length()) { -+ // We have some stuff left at the end, so this is not a valid -+ // request Content-Type header. -+ return; -+ } -+ net_ParseMediaType(flatStr, contentType, contentCharset, 0, -+ &hadCharset, &dummy1, &dummy2, true); -+ -+ aContentType = contentType; -+ aContentCharset = contentCharset; -+ *aHadCharset = hadCharset; -+} -+ - bool - net_IsValidHostName(const nsCSubstring &host) - { -diff --git a/netwerk/base/nsURLHelper.h b/netwerk/base/nsURLHelper.h -index 816a3c5..21e17be 100644 ---- a/netwerk/base/nsURLHelper.h -+++ b/netwerk/base/nsURLHelper.h -@@ -172,11 +172,27 @@ char * net_RFindCharNotInSet(const char *str, const char *end, const char *set); - * specified), aHadCharset is set to false. Otherwise, it's set to - * true. Note that aContentCharset can be empty even if aHadCharset - * is true. -+ * -+ * This parsing is suitable for HTTP request. Use net_ParseContentType -+ * for parsing this header in HTTP responses. -+ */ -+void net_ParseRequestContentType(const nsACString &aHeaderStr, -+ nsACString &aContentType, -+ nsACString &aContentCharset, -+ bool* aHadCharset); -+ -+/** -+ * Parses a content-type header and returns the content type and -+ * charset (if any). aCharset is not modified if no charset is -+ * specified in anywhere in aHeaderStr. In that case (no charset -+ * specified), aHadCharset is set to false. Otherwise, it's set to -+ * true. Note that aContentCharset can be empty even if aHadCharset -+ * is true. - */ - void net_ParseContentType(const nsACString &aHeaderStr, -- nsACString &aContentType, -- nsACString &aContentCharset, -- bool* aHadCharset); -+ nsACString &aContentType, -+ nsACString &aContentCharset, -+ bool* aHadCharset); - /** - * As above, but also returns the start and end indexes for the charset - * parameter in aHeaderStr. These are indices for the entire parameter, NOT -@@ -187,11 +203,11 @@ void net_ParseContentType(const nsACString &aHeaderStr, - * *aCharsetStart is nonnegative; this corresponds to charset="". - */ - void net_ParseContentType(const nsACString &aHeaderStr, -- nsACString &aContentType, -- nsACString &aContentCharset, -- bool *aHadCharset, -- int32_t *aCharsetStart, -- int32_t *aCharsetEnd); -+ nsACString &aContentType, -+ nsACString &aContentCharset, -+ bool *aHadCharset, -+ int32_t *aCharsetStart, -+ int32_t *aCharsetEnd); - - /* inline versions */ - --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7194.patch b/gnu/packages/patches/icecat-CVE-2015-7194.patch deleted file mode 100644 index 481da06a7f..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7194.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 382a08fa0b21d46c44c46af39041324f304a9dfa Mon Sep 17 00:00:00 2001 -From: Aaron Klotz -Date: Tue, 13 Oct 2015 12:20:25 -0600 -Subject: [PATCH] Bug 1211262: Ensure that STORED entries in ZIP are considered - corrupt if compressed and uncompressed sizes differ; r=mwu, a=ritu - ---HG-- -extra : source : 673d9f45b802f1fd1ffaaeae19d433622fe68a5e -extra : intermediate-source : db9d3e806685d72a2891830ffbc42ef3cde559ae ---- - modules/libjar/nsZipArchive.cpp | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/modules/libjar/nsZipArchive.cpp b/modules/libjar/nsZipArchive.cpp -index bb1e21b..eaf22ac 100644 ---- a/modules/libjar/nsZipArchive.cpp -+++ b/modules/libjar/nsZipArchive.cpp -@@ -828,8 +828,10 @@ MOZ_WIN_MEM_TRY_BEGIN - // -- check if there is enough source data in the file - if (!offset || - mFd->mLen < aItem->Size() || -- offset > mFd->mLen - aItem->Size()) -+ offset > mFd->mLen - aItem->Size() || -+ (aItem->Compression() == STORED && aItem->Size() != aItem->RealSize())) { - return nullptr; -+ } - - return mFd->mFileData + offset; - MOZ_WIN_MEM_TRY_CATCH(return nullptr) --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7196.patch b/gnu/packages/patches/icecat-CVE-2015-7196.patch deleted file mode 100644 index 6114ebf505..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7196.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3ed5c713015536b49dc88d3d4a36b60833ccd09a Mon Sep 17 00:00:00 2001 -From: Jan de Mooij -Date: Tue, 25 Aug 2015 13:11:41 +0200 -Subject: [PATCH] Bug 1140616 - Crash when _releaseobject is called on the - wrong thread. r=bsmedberg, a=sledru, a=lizzard - ---HG-- -extra : source : 6a513309283d06f56cebee8528cfcf134a74f3c4 ---- - dom/plugins/base/nsNPAPIPlugin.cpp | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/dom/plugins/base/nsNPAPIPlugin.cpp b/dom/plugins/base/nsNPAPIPlugin.cpp -index f0d07fa..9cd2e05 100644 ---- a/dom/plugins/base/nsNPAPIPlugin.cpp -+++ b/dom/plugins/base/nsNPAPIPlugin.cpp -@@ -1413,6 +1413,7 @@ _releaseobject(NPObject* npobj) - { - if (!NS_IsMainThread()) { - NPN_PLUGIN_LOG(PLUGIN_LOG_ALWAYS,("NPN_releaseobject called from the wrong thread\n")); -+ MOZ_CRASH("NPN_releaseobject called from the wrong thread"); - } - if (!npobj) - return; --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7197.patch b/gnu/packages/patches/icecat-CVE-2015-7197.patch deleted file mode 100644 index 1763341ff7..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7197.patch +++ /dev/null @@ -1,70 +0,0 @@ -From a522e727bff0fb69cb0d34c2d2ad89168d15158d Mon Sep 17 00:00:00 2001 -From: Ehsan Akhgari -Date: Sat, 12 Sep 2015 17:38:51 -0400 -Subject: [PATCH] Bug 1204269 - Use the worker private in order to determine - the origin of the entry settings object for workers; r=smaug a=me - ---- - dom/base/WebSocket.cpp | 46 ++++++++++++++++++++++++++-------------------- - 1 file changed, 26 insertions(+), 20 deletions(-) - -diff --git a/dom/base/WebSocket.cpp b/dom/base/WebSocket.cpp -index ea91232..26b94d0 100644 ---- a/dom/base/WebSocket.cpp -+++ b/dom/base/WebSocket.cpp -@@ -1503,26 +1503,32 @@ WebSocketImpl::Init(JSContext* aCx, - !Preferences::GetBool("network.websocket.allowInsecureFromHTTPS", - false)) { - // Confirmed we are opening plain ws:// and want to prevent this from a -- // secure context (e.g. https). Check the principal's uri to determine if -- // we were loaded from https. -- nsCOMPtr globalObject(GetEntryGlobal()); -- if (globalObject) { -- nsCOMPtr principal(globalObject->PrincipalOrNull()); -- if (principal) { -- nsCOMPtr uri; -- principal->GetURI(getter_AddRefs(uri)); -- if (uri) { -- bool originIsHttps = false; -- aRv = uri->SchemeIs("https", &originIsHttps); -- if (NS_WARN_IF(aRv.Failed())) { -- return; -- } -- -- if (originIsHttps) { -- aRv.Throw(NS_ERROR_DOM_SECURITY_ERR); -- return; -- } -- } -+ // secure context (e.g. https). -+ nsCOMPtr principal; -+ nsCOMPtr originURI; -+ if (mWorkerPrivate) { -+ // For workers, retrieve the URI from the WorkerPrivate -+ principal = mWorkerPrivate->GetPrincipal(); -+ } else { -+ // Check the principal's uri to determine if we were loaded from https. -+ nsCOMPtr globalObject(GetEntryGlobal()); -+ if (globalObject) { -+ principal = globalObject->PrincipalOrNull(); -+ } -+ } -+ -+ if (principal) { -+ principal->GetURI(getter_AddRefs(originURI)); -+ } -+ if (originURI) { -+ bool originIsHttps = false; -+ aRv = originURI->SchemeIs("https", &originIsHttps); -+ if (NS_WARN_IF(aRv.Failed())) { -+ return; -+ } -+ if (originIsHttps) { -+ aRv.Throw(NS_ERROR_DOM_SECURITY_ERR); -+ return; - } - } - } --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7198.patch b/gnu/packages/patches/icecat-CVE-2015-7198.patch deleted file mode 100644 index 2e127897bc..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7198.patch +++ /dev/null @@ -1,27 +0,0 @@ -From cc2a334ee16e99d376fcb49203239abf9eb2c148 Mon Sep 17 00:00:00 2001 -From: Jeff Gilbert -Date: Wed, 7 Oct 2015 13:27:37 -0700 -Subject: [PATCH] Bug 1188010 - Use MOZ_RELEASE_ASSERT when failure means - overflow. - r=kamidphish, a=abillings - ---- - dom/canvas/WebGLTexture.cpp | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/dom/canvas/WebGLTexture.cpp b/dom/canvas/WebGLTexture.cpp -index 60afc45..d6a6ccd 100644 ---- a/dom/canvas/WebGLTexture.cpp -+++ b/dom/canvas/WebGLTexture.cpp -@@ -651,8 +651,7 @@ WebGLTexture::EnsureNoUninitializedImageData(TexImageTarget imageTarget, - imageInfo.mDepth, - bytespertexel, - mContext->mPixelStoreUnpackAlignment); -- MOZ_ASSERT(checked_byteLength.isValid()); // Should have been checked -- // earlier. -+ MOZ_RELEASE_ASSERT(checked_byteLength.isValid()); // Should have been checked earlier. - - // Infallible for now. - UniquePtr zeros((uint8_t*)moz_xcalloc(1, --- -2.5.0 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7199.patch b/gnu/packages/patches/icecat-CVE-2015-7199.patch deleted file mode 100644 index d6b830b8a0..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7199.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 04741232fa561a4c299f31a5b5fb4603da79d2c5 Mon Sep 17 00:00:00 2001 -From: Robert Longson -Date: Tue, 6 Oct 2015 13:19:03 +0100 -Subject: [PATCH] Bug 1204061 - check return values from some methods - r=dholbert, a=sylvestre - ---HG-- -extra : source : f4c2f277aeae7bf8b05c6b01d1e140cd51b693b4 ---- - dom/svg/SVGPathSegListSMILType.cpp | 23 +++++++++++------------ - 1 file changed, 11 insertions(+), 12 deletions(-) - -diff --git a/dom/svg/SVGPathSegListSMILType.cpp b/dom/svg/SVGPathSegListSMILType.cpp -index f8b67d0..6df0f53 100644 ---- a/dom/svg/SVGPathSegListSMILType.cpp -+++ b/dom/svg/SVGPathSegListSMILType.cpp -@@ -232,7 +232,7 @@ AddWeightedPathSegs(double aCoeff1, - * identity, in which case we'll grow it to the right - * size. Also allowed to be the same list as aList1. - */ --static void -+static nsresult - AddWeightedPathSegLists(double aCoeff1, const SVGPathDataAndInfo& aList1, - double aCoeff2, const SVGPathDataAndInfo& aList2, - SVGPathDataAndInfo& aResult) -@@ -263,8 +263,9 @@ AddWeightedPathSegLists(double aCoeff1, const SVGPathDataAndInfo& aList1, - // because in that case, we will have already set iter1 to nullptr above, to - // record that our first operand is an identity value.) - if (aResult.IsIdentity()) { -- DebugOnly success = aResult.SetLength(aList2.Length()); -- MOZ_ASSERT(success, "infallible nsTArray::SetLength should succeed"); -+ if (!aResult.SetLength(aList2.Length())) { -+ return NS_ERROR_OUT_OF_MEMORY; -+ } - aResult.SetElement(aList2.Element()); // propagate target element info! - } - -@@ -280,6 +281,7 @@ AddWeightedPathSegLists(double aCoeff1, const SVGPathDataAndInfo& aList1, - iter2 == end2 && - resultIter == aResult.end(), - "Very, very bad - path data corrupt"); -+ return NS_OK; - } - - static void -@@ -429,9 +431,7 @@ SVGPathSegListSMILType::Add(nsSMILValue& aDest, - } - } - -- AddWeightedPathSegLists(1.0, dest, aCount, valueToAdd, dest); -- -- return NS_OK; -+ return AddWeightedPathSegLists(1.0, dest, aCount, valueToAdd, dest); - } - - nsresult -@@ -482,8 +482,9 @@ SVGPathSegListSMILType::Interpolate(const nsSMILValue& aStartVal, - if (check == eRequiresConversion) { - // Can't convert |start| in-place, since it's const. Instead, we copy it - // into |result|, converting the types as we go, and use that as our start. -- DebugOnly success = result.SetLength(end.Length()); -- MOZ_ASSERT(success, "infallible nsTArray::SetLength should succeed"); -+ if (!result.SetLength(end.Length())) { -+ return NS_ERROR_OUT_OF_MEMORY; -+ } - result.SetElement(end.Element()); // propagate target element info! - - ConvertAllPathSegmentData(start.begin(), start.end(), -@@ -492,10 +493,8 @@ SVGPathSegListSMILType::Interpolate(const nsSMILValue& aStartVal, - startListToUse = &result; - } - -- AddWeightedPathSegLists(1.0 - aUnitDistance, *startListToUse, -- aUnitDistance, end, result); -- -- return NS_OK; -+ return AddWeightedPathSegLists(1.0 - aUnitDistance, *startListToUse, -+ aUnitDistance, end, result); - } - - } // namespace mozilla --- -2.5.0 -