me/guix
Archived
1
0
Fork 0
Code Activity

gnu: icecat: Add fixes for CVE-2016-{1930,1935} and other bugs.

Browse source 
* gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch,
  gnu/packages/patches/icecat-CVE-2016-1935.patch,
  gnu/packages/patches/icecat-bug-1146335-pt1.patch,
  gnu/packages/patches/icecat-bug-1146335-pt2.patch,
  gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch: New
  files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
This commit is contained in:
Mark H Weaver 2016-01-28 00:22:49 -05:00
parent a394c60aa3
commit 29a780147d
21 changed files with 1770 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
gnu-system.am
View file

@ -517,7 +517,26 @@ dist_patch_DATA = \
gnu/packages/patches/hop-linker-flags.patch \
gnu/packages/patches/hydra-automake-1.15.patch \
gnu/packages/patches/hydra-disable-darcs-test.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch \
gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch \
gnu/packages/patches/icecat-CVE-2016-1935.patch \
gnu/packages/patches/icecat-avoid-bundled-includes.patch \
gnu/packages/patches/icecat-bug-1146335-pt1.patch \
gnu/packages/patches/icecat-bug-1146335-pt2.patch \
gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch \
gnu/packages/patches/icu4c-CVE-2014-6585.patch \
gnu/packages/patches/icu4c-CVE-2015-1270.patch \
gnu/packages/patches/icu4c-CVE-2015-4760.patch \

24
gnu/packages/gnuzilla.scm
View file

@ -1,7 +1,7 @@
;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
;;;
;;; This file is part of GNU Guix.
@ -287,7 +287,27 @@ standards.")
(sha256
(base32
"0m18xyb0rd02yaw9xd5z4bab1wr2599iszzqhm86c134jv5vk6cg"))
(patches (map search-patch '("icecat-avoid-bundled-includes.patch")))
(patches (map search-patch
'("icecat-avoid-bundled-includes.patch"
"icecat-CVE-2016-1930-pt01.patch"
"icecat-CVE-2016-1930-pt02.patch"
"icecat-CVE-2016-1930-pt03.patch"
"icecat-CVE-2016-1930-pt04.patch"
"icecat-CVE-2016-1930-pt05.patch"
"icecat-CVE-2016-1930-pt06.patch"
"icecat-CVE-2016-1930-pt07.patch"
"icecat-CVE-2016-1930-pt08.patch"
"icecat-CVE-2016-1930-pt09.patch"
"icecat-CVE-2016-1930-pt10.patch"
"icecat-CVE-2016-1930-pt11.patch"
"icecat-CVE-2016-1930-pt12.patch"
"icecat-CVE-2016-1930-pt13.patch"
"icecat-bug-1146335-pt1.patch"
"icecat-bug-1146335-pt2.patch"
"icecat-CVE-2016-1935.patch"
"icecat-CVE-2016-1930-pt14.patch"
"icecat-CVE-2016-1930-pt15.patch"
"icecat-limit-max-buffers-size-for-ANGLE.patch")))
(modules '((guix build utils)))
(snippet
'(begin

34
gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch Normal file
View file

@ -0,0 +1,34 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/925215cae26f
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233346
# HG changeset patch
# User Nils Ohlmeier <drno@ohlmeier.org>
# Date 1451439902 18000
# Node ID 925215cae26f9c0ccff07ef403a5b3194a4c45c4
# Parent ff8e52467d793e935b80bf22a722a71a96fe2d63
Bug 1233346 - r=ekr a=abillings
diff --git a/media/mtransport/third_party/nICEr/src/stun/addrs.c b/media/mtransport/third_party/nICEr/src/stun/addrs.c
--- a/media/mtransport/third_party/nICEr/src/stun/addrs.c
+++ b/media/mtransport/third_party/nICEr/src/stun/addrs.c
@@ -530,16 +530,18 @@ stun_get_win32_addrs(nr_local_addr addrs
for (tmpAddress = AdapterAddresses; tmpAddress != NULL; tmpAddress = tmpAddress->Next) {
char *c;
if (tmpAddress->OperStatus != IfOperStatusUp)
continue;
snprintf(munged_ifname, IFNAMSIZ, "%S%c", tmpAddress->FriendlyName, 0);
+ munged_ifname[IFNAMSIZ-1] = '\0';
+
/* replace spaces with underscores */
c = strchr(munged_ifname, ' ');
while (c != NULL) {
*c = '_';
c = strchr(munged_ifname, ' ');
}
c = strchr(munged_ifname, '.');
while (c != NULL) {

33
gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch Normal file
View file

@ -0,0 +1,33 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fc78180165a8
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
# HG changeset patch
# User Karl Tomlinson <karlt+@karlt.net>
# Date 1449117514 -46800
# Node ID fc78180165a8262c80bbb722ed99b2e0c27b02d0
# Parent 925215cae26f9c0ccff07ef403a5b3194a4c45c4
bug 1223670 assert that connected streams have the same graph r=padenot a=abillings
diff --git a/dom/media/MediaStreamGraph.cpp b/dom/media/MediaStreamGraph.cpp
--- a/dom/media/MediaStreamGraph.cpp
+++ b/dom/media/MediaStreamGraph.cpp
@@ -2696,16 +2696,17 @@ ProcessedMediaStream::AllocateInputPort(
unused << mPort.forget();
}
virtual void RunDuringShutdown()
{
Run();
}
nsRefPtr<MediaInputPort> mPort;
};
+ MOZ_ASSERT(aStream->GraphImpl() == GraphImpl());
nsRefPtr<MediaInputPort> port = new MediaInputPort(aStream, this, aFlags,
aInputNumber, aOutputNumber);
port->SetGraphImpl(GraphImpl());
GraphImpl()->AppendMessage(new Message(port));
return port.forget();
}
void

308
gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch Normal file
View file

@ -0,0 +1,308 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f746c38d160e
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
# HG changeset patch
# User Karl Tomlinson <karlt+@karlt.net>
# Date 1449764754 18000
# Node ID f746c38d160ea29088c15cacae44f3662befaec5
# Parent fc78180165a8262c80bbb722ed99b2e0c27b02d0
bug 1223670 replace public constructors with fallible factory methods r=baku a=abillings
diff --git a/dom/media/webaudio/AudioContext.cpp b/dom/media/webaudio/AudioContext.cpp
--- a/dom/media/webaudio/AudioContext.cpp
+++ b/dom/media/webaudio/AudioContext.cpp
@@ -299,32 +299,29 @@ AudioContext::CreateMediaElementSource(H
aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
return nullptr;
}
#endif
nsRefPtr<DOMMediaStream> stream = aMediaElement.MozCaptureStream(aRv);
if (aRv.Failed()) {
return nullptr;
}
- nsRefPtr<MediaElementAudioSourceNode> mediaElementAudioSourceNode =
- new MediaElementAudioSourceNode(this, stream);
- return mediaElementAudioSourceNode.forget();
+ return MediaElementAudioSourceNode::Create(this, stream, aRv);
}
already_AddRefed<MediaStreamAudioSourceNode>
AudioContext::CreateMediaStreamSource(DOMMediaStream& aMediaStream,
ErrorResult& aRv)
{
if (mIsOffline) {
aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
return nullptr;
}
- nsRefPtr<MediaStreamAudioSourceNode> mediaStreamAudioSourceNode =
- new MediaStreamAudioSourceNode(this, &aMediaStream);
- return mediaStreamAudioSourceNode.forget();
+
+ return MediaStreamAudioSourceNode::Create(this, &aMediaStream, aRv);
}
already_AddRefed<GainNode>
AudioContext::CreateGain()
{
nsRefPtr<GainNode> gainNode = new GainNode(this);
return gainNode.forget();
}
diff --git a/dom/media/webaudio/AudioNode.cpp b/dom/media/webaudio/AudioNode.cpp
--- a/dom/media/webaudio/AudioNode.cpp
+++ b/dom/media/webaudio/AudioNode.cpp
@@ -61,34 +61,29 @@ AudioNode::AudioNode(AudioContext* aCont
ChannelInterpretation aChannelInterpretation)
: DOMEventTargetHelper(aContext->GetParentObject())
, mContext(aContext)
, mChannelCount(aChannelCount)
, mChannelCountMode(aChannelCountMode)
, mChannelInterpretation(aChannelInterpretation)
, mId(gId++)
, mPassThrough(false)
-#ifdef DEBUG
- , mDemiseNotified(false)
-#endif
{
MOZ_ASSERT(aContext);
DOMEventTargetHelper::BindToOwner(aContext->GetParentObject());
aContext->UpdateNodeCount(1);
}
AudioNode::~AudioNode()
{
MOZ_ASSERT(mInputNodes.IsEmpty());
MOZ_ASSERT(mOutputNodes.IsEmpty());
MOZ_ASSERT(mOutputParams.IsEmpty());
-#ifdef DEBUG
- MOZ_ASSERT(mDemiseNotified,
+ MOZ_ASSERT(!mStream,
"The webaudio-node-demise notification must have been sent");
-#endif
if (mContext) {
mContext->UpdateNodeCount(-1);
}
}
size_t
AudioNode::SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const
{
@@ -399,19 +394,16 @@ AudioNode::DestroyMediaStream()
mStream = nullptr;
nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
if (obs) {
nsAutoString id;
id.AppendPrintf("%u", mId);
obs->NotifyObservers(nullptr, "webaudio-node-demise", id.get());
}
-#ifdef DEBUG
- mDemiseNotified = true;
-#endif
}
}
void
AudioNode::RemoveOutputParam(AudioParam* aParam)
{
mOutputParams.RemoveElement(aParam);
}
diff --git a/dom/media/webaudio/AudioNode.h b/dom/media/webaudio/AudioNode.h
--- a/dom/media/webaudio/AudioNode.h
+++ b/dom/media/webaudio/AudioNode.h
@@ -239,19 +239,14 @@ private:
nsTArray<nsRefPtr<AudioParam> > mOutputParams;
uint32_t mChannelCount;
ChannelCountMode mChannelCountMode;
ChannelInterpretation mChannelInterpretation;
const uint32_t mId;
// Whether the node just passes through its input. This is a devtools API that
// only works for some node types.
bool mPassThrough;
-#ifdef DEBUG
- // In debug builds, check to make sure that the node demise notification has
- // been properly sent before the node is destroyed.
- bool mDemiseNotified;
-#endif
};
}
}
#endif
diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.cpp b/dom/media/webaudio/MediaElementAudioSourceNode.cpp
--- a/dom/media/webaudio/MediaElementAudioSourceNode.cpp
+++ b/dom/media/webaudio/MediaElementAudioSourceNode.cpp
@@ -5,22 +5,36 @@
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#include "MediaElementAudioSourceNode.h"
#include "mozilla/dom/MediaElementAudioSourceNodeBinding.h"
namespace mozilla {
namespace dom {
-MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext,
- DOMMediaStream* aStream)
- : MediaStreamAudioSourceNode(aContext, aStream)
+MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext)
+ : MediaStreamAudioSourceNode(aContext)
{
}
+/* static */ already_AddRefed<MediaElementAudioSourceNode>
+MediaElementAudioSourceNode::Create(AudioContext* aContext,
+ DOMMediaStream* aStream, ErrorResult& aRv)
+{
+ nsRefPtr<MediaElementAudioSourceNode> node =
+ new MediaElementAudioSourceNode(aContext);
+
+ node->Init(aStream, aRv);
+ if (aRv.Failed()) {
+ return nullptr;
+ }
+
+ return node.forget();
+}
+
JSObject*
MediaElementAudioSourceNode::WrapObject(JSContext* aCx)
{
return MediaElementAudioSourceNodeBinding::Wrap(aCx, this);
}
}
}
diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.h b/dom/media/webaudio/MediaElementAudioSourceNode.h
--- a/dom/media/webaudio/MediaElementAudioSourceNode.h
+++ b/dom/media/webaudio/MediaElementAudioSourceNode.h
@@ -10,28 +10,30 @@
#include "MediaStreamAudioSourceNode.h"
namespace mozilla {
namespace dom {
class MediaElementAudioSourceNode : public MediaStreamAudioSourceNode
{
public:
- MediaElementAudioSourceNode(AudioContext* aContext,
- DOMMediaStream* aStream);
+ static already_AddRefed<MediaElementAudioSourceNode>
+ Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv);
virtual JSObject* WrapObject(JSContext* aCx) override;
virtual const char* NodeType() const override
{
return "MediaElementAudioSourceNode";
}
virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override
{
return aMallocSizeOf(this) + SizeOfExcludingThis(aMallocSizeOf);
}
+private:
+ explicit MediaElementAudioSourceNode(AudioContext* aContext);
};
}
}
#endif
diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
@@ -25,26 +25,45 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_
NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(MediaStreamAudioSourceNode)
NS_INTERFACE_MAP_END_INHERITING(AudioNode)
NS_IMPL_ADDREF_INHERITED(MediaStreamAudioSourceNode, AudioNode)
NS_IMPL_RELEASE_INHERITED(MediaStreamAudioSourceNode, AudioNode)
-MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext,
- DOMMediaStream* aMediaStream)
+MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext)
: AudioNode(aContext,
2,
ChannelCountMode::Max,
- ChannelInterpretation::Speakers),
- mInputStream(aMediaStream)
+ ChannelInterpretation::Speakers)
{
+}
+
+/* static */ already_AddRefed<MediaStreamAudioSourceNode>
+MediaStreamAudioSourceNode::Create(AudioContext* aContext,
+ DOMMediaStream* aStream, ErrorResult& aRv)
+{
+ nsRefPtr<MediaStreamAudioSourceNode> node =
+ new MediaStreamAudioSourceNode(aContext);
+
+ node->Init(aStream, aRv);
+ if (aRv.Failed()) {
+ return nullptr;
+ }
+
+ return node.forget();
+}
+
+void
+MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv)
+{
+ mInputStream = aMediaStream;
AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this);
- mStream = aContext->Graph()->CreateAudioNodeExternalInputStream(engine);
+ mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine);
ProcessedMediaStream* outputStream = static_cast<ProcessedMediaStream*>(mStream.get());
mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(),
MediaInputPort::FLAG_BLOCK_INPUT);
mInputStream->AddConsumerToKeepAlive(static_cast<nsIDOMEventTarget*>(this));
PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector
mInputStream->AddPrincipalChangeObserver(this);
}
diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.h b/dom/media/webaudio/MediaStreamAudioSourceNode.h
--- a/dom/media/webaudio/MediaStreamAudioSourceNode.h
+++ b/dom/media/webaudio/MediaStreamAudioSourceNode.h
@@ -38,17 +38,18 @@ public:
private:
bool mEnabled;
};
class MediaStreamAudioSourceNode : public AudioNode,
public DOMMediaStream::PrincipalChangeObserver
{
public:
- MediaStreamAudioSourceNode(AudioContext* aContext, DOMMediaStream* aMediaStream);
+ static already_AddRefed<MediaStreamAudioSourceNode>
+ Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv);
NS_DECL_ISUPPORTS_INHERITED
NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(MediaStreamAudioSourceNode, AudioNode)
virtual JSObject* WrapObject(JSContext* aCx) override;
virtual void DestroyMediaStream() override;
@@ -60,16 +61,18 @@ public:
}
virtual size_t SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const override;
virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override;
virtual void PrincipalChanged(DOMMediaStream* aMediaStream) override;
protected:
+ explicit MediaStreamAudioSourceNode(AudioContext* aContext);
+ void Init(DOMMediaStream* aMediaStream, ErrorResult& aRv);
virtual ~MediaStreamAudioSourceNode();
private:
nsRefPtr<MediaInputPort> mInputPort;
nsRefPtr<DOMMediaStream> mInputStream;
};
}

47
gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch Normal file
View file

@ -0,0 +1,47 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/6d43ff33bd55
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
# HG changeset patch
# User Karl Tomlinson <karlt+@karlt.net>
# Date 1451362442 -46800
# Node ID 6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c
# Parent f746c38d160ea29088c15cacae44f3662befaec5
bug 1223670 throw not supported when creating a node from a stream with different channel r=baku a=abillings
diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
@@ -51,21 +51,29 @@ MediaStreamAudioSourceNode::Create(Audio
}
return node.forget();
}
void
MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv)
{
+ MOZ_ASSERT(aMediaStream);
+ MediaStream* inputStream = aMediaStream->GetStream();
+ MediaStreamGraph* graph = Context()->Graph();
+ if (NS_WARN_IF(graph != inputStream->Graph())) {
+ aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+ return;
+ }
+
mInputStream = aMediaStream;
AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this);
- mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine);
+ mStream = graph->CreateAudioNodeExternalInputStream(engine);
ProcessedMediaStream* outputStream = static_cast<ProcessedMediaStream*>(mStream.get());
- mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(),
+ mInputPort = outputStream->AllocateInputPort(inputStream,
MediaInputPort::FLAG_BLOCK_INPUT);
mInputStream->AddConsumerToKeepAlive(static_cast<nsIDOMEventTarget*>(this));
PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector
mInputStream->AddPrincipalChangeObserver(this);
}
MediaStreamAudioSourceNode::~MediaStreamAudioSourceNode()

51
gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch Normal file
View file

@ -0,0 +1,51 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4f6e81673f69
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
# HG changeset patch
# User Karl Tomlinson <karlt+@karlt.net>
# Date 1449145091 -46800
# Node ID 4f6e81673f6938719c86516606f2fda493e8c23c
# Parent 6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c
bug 1223670 make SetMozAudioChannelType() private because the type will not change after construction r=baku a=abillings
diff --git a/dom/media/webaudio/AudioDestinationNode.h b/dom/media/webaudio/AudioDestinationNode.h
--- a/dom/media/webaudio/AudioDestinationNode.h
+++ b/dom/media/webaudio/AudioDestinationNode.h
@@ -57,17 +57,16 @@ public:
void StartRendering(Promise* aPromise);
void OfflineShutdown();
// nsIDOMEventListener - by proxy
NS_IMETHOD HandleEvent(nsIDOMEvent* aEvent) override;
AudioChannel MozAudioChannelType() const;
- void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv);
virtual void NotifyMainThreadStateChanged() override;
void FireOfflineCompletionEvent();
// An amount that should be added to the MediaStream's current time to
// get the AudioContext.currentTime.
double ExtraCurrentTime();
@@ -86,16 +85,17 @@ public:
void InputMuted(bool aInputMuted);
void ResolvePromise(AudioBuffer* aRenderedBuffer);
protected:
virtual ~AudioDestinationNode();
private:
+ void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv);
bool CheckAudioChannelPermissions(AudioChannel aValue);
void SetCanPlay(bool aCanPlay);
void NotifyStableState();
void ScheduleStableStateNotification();
SelfReference<AudioDestinationNode> mOfflineRenderingRef;

170
gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch Normal file
View file

@ -0,0 +1,170 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/93617c30c0df
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230686
# HG changeset patch
# User Lee Salzman <lsalzman@mozilla.com>
# Date 1451932822 18000
# Node ID 93617c30c0df35f719dead526b78649d564f5ac3
# Parent 4f6e81673f6938719c86516606f2fda493e8c23c
Bug 1230686 - use RefPtr<DrawTarget>& instead of DrawTarget* to track changes in SurfaceFromElement a=ritu
diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp
--- a/layout/base/nsLayoutUtils.cpp
+++ b/layout/base/nsLayoutUtils.cpp
@@ -6494,17 +6494,17 @@ nsLayoutUtils::IsReallyFixedPos(nsIFrame
nsIAtom *parentType = aFrame->GetParent()->GetType();
return parentType == nsGkAtoms::viewportFrame ||
parentType == nsGkAtoms::pageContentFrame;
}
nsLayoutUtils::SurfaceFromElementResult
nsLayoutUtils::SurfaceFromElement(nsIImageLoadingContent* aElement,
uint32_t aSurfaceFlags,
- DrawTarget* aTarget)
+ RefPtr<DrawTarget>& aTarget)
{
SurfaceFromElementResult result;
nsresult rv;
nsCOMPtr<imgIRequest> imgRequest;
rv = aElement->GetRequest(nsIImageLoadingContent::CURRENT_REQUEST,
getter_AddRefs(imgRequest));
if (NS_FAILED(rv) || !imgRequest)
@@ -6586,41 +6586,41 @@ nsLayoutUtils::SurfaceFromElement(nsIIma
result.mImageRequest = imgRequest.forget();
return result;
}
nsLayoutUtils::SurfaceFromElementResult
nsLayoutUtils::SurfaceFromElement(HTMLImageElement *aElement,
uint32_t aSurfaceFlags,
- DrawTarget* aTarget)
+ RefPtr<DrawTarget>& aTarget)
{
return SurfaceFromElement(static_cast<nsIImageLoadingContent*>(aElement),
aSurfaceFlags, aTarget);
}
nsLayoutUtils::SurfaceFromElementResult
nsLayoutUtils::SurfaceFromElement(HTMLCanvasElement* aElement,
uint32_t aSurfaceFlags,
- DrawTarget* aTarget)
+ RefPtr<DrawTarget>& aTarget)
{
SurfaceFromElementResult result;
bool* isPremultiplied = nullptr;
if (aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) {
isPremultiplied = &result.mIsPremultiplied;
}
gfxIntSize size = aElement->GetSize();
result.mSourceSurface = aElement->GetSurfaceSnapshot(isPremultiplied);
if (!result.mSourceSurface) {
// If the element doesn't have a context then we won't get a snapshot. The canvas spec wants us to not error and just
// draw nothing, so return an empty surface.
- DrawTarget *ref = aTarget ? aTarget : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
+ DrawTarget *ref = aTarget ? aTarget.get() : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
RefPtr<DrawTarget> dt = ref->CreateSimilarDrawTarget(IntSize(size.width, size.height),
SurfaceFormat::B8G8R8A8);
if (dt) {
result.mSourceSurface = dt->Snapshot();
}
} else if (aTarget) {
RefPtr<SourceSurface> opt = aTarget->OptimizeSourceSurface(result.mSourceSurface);
if (opt) {
@@ -6637,17 +6637,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLCa
result.mIsWriteOnly = aElement->IsWriteOnly();
return result;
}
nsLayoutUtils::SurfaceFromElementResult
nsLayoutUtils::SurfaceFromElement(HTMLVideoElement* aElement,
uint32_t aSurfaceFlags,
- DrawTarget* aTarget)
+ RefPtr<DrawTarget>& aTarget)
{
SurfaceFromElementResult result;
NS_WARN_IF_FALSE((aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) == 0, "We can't support non-premultiplied alpha for video!");
#ifdef MOZ_EME
if (aElement->ContainsRestrictedContent()) {
return result;
@@ -6689,17 +6689,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLVi
result.mIsWriteOnly = false;
return result;
}
nsLayoutUtils::SurfaceFromElementResult
nsLayoutUtils::SurfaceFromElement(dom::Element* aElement,
uint32_t aSurfaceFlags,
- DrawTarget* aTarget)
+ RefPtr<DrawTarget>& aTarget)
{
// If it's a <canvas>, we may be able to just grab its internal surface
if (HTMLCanvasElement* canvas =
HTMLCanvasElement::FromContentOrNull(aElement)) {
return SurfaceFromElement(canvas, aSurfaceFlags, aTarget);
}
// Maybe it's <video>?
diff --git a/layout/base/nsLayoutUtils.h b/layout/base/nsLayoutUtils.h
--- a/layout/base/nsLayoutUtils.h
+++ b/layout/base/nsLayoutUtils.h
@@ -2018,33 +2018,39 @@ public:
bool mIsStillLoading;
/* Whether the element used CORS when loading. */
bool mCORSUsed;
/* Whether the returned image contains premultiplied pixel data */
bool mIsPremultiplied;
};
static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement,
- uint32_t aSurfaceFlags = 0,
- DrawTarget *aTarget = nullptr);
+ uint32_t aSurfaceFlags,
+ mozilla::RefPtr<DrawTarget>& aTarget);
+ static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement,
+ uint32_t aSurfaceFlags = 0) {
+ mozilla::RefPtr<DrawTarget> target = nullptr;
+ return SurfaceFromElement(aElement, aSurfaceFlags, target);
+ }
+
static SurfaceFromElementResult SurfaceFromElement(nsIImageLoadingContent *aElement,
- uint32_t aSurfaceFlags = 0,
- DrawTarget *aTarget = nullptr);
+ uint32_t aSurfaceFlags,
+ mozilla::RefPtr<DrawTarget>& aTarget);
// Need an HTMLImageElement overload, because otherwise the
// nsIImageLoadingContent and mozilla::dom::Element overloads are ambiguous
// for HTMLImageElement.
static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLImageElement *aElement,
- uint32_t aSurfaceFlags = 0,
- DrawTarget *aTarget = nullptr);
+ uint32_t aSurfaceFlags,
+ mozilla::RefPtr<DrawTarget>& aTarget);
static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLCanvasElement *aElement,
- uint32_t aSurfaceFlags = 0,
- DrawTarget *aTarget = nullptr);
+ uint32_t aSurfaceFlags,
+ mozilla::RefPtr<DrawTarget>& aTarget);
static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLVideoElement *aElement,
- uint32_t aSurfaceFlags = 0,
- DrawTarget *aTarget = nullptr);
+ uint32_t aSurfaceFlags,
+ mozilla::RefPtr<DrawTarget>& aTarget);
/**
* When the document is editable by contenteditable attribute of its root
* content or body content.
*
* Be aware, this returns nullptr if it's in designMode.
*
* For example:

56
gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch Normal file
View file

@ -0,0 +1,56 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/750e4cfc90f8
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233152
# HG changeset patch
# User Jan de Mooij <jdemooij@mozilla.com>
# Date 1451478493 -3600
# Node ID 750e4cfc90f80df657e44c9c63b1865023d88682
# Parent 93617c30c0df35f719dead526b78649d564f5ac3
Bug 1233152 - Use PersistentRooted for ParseTask script and sourceObject. r=terrence a=abillings
diff --git a/js/src/vm/HelperThreads.cpp b/js/src/vm/HelperThreads.cpp
--- a/js/src/vm/HelperThreads.cpp
+++ b/js/src/vm/HelperThreads.cpp
@@ -198,17 +198,17 @@ static const JSClass parseTaskGlobalClas
ParseTask::ParseTask(ExclusiveContext* cx, JSObject* exclusiveContextGlobal, JSContext* initCx,
const char16_t* chars, size_t length,
JS::OffThreadCompileCallback callback, void* callbackData)
: cx(cx), options(initCx), chars(chars), length(length),
alloc(JSRuntime::TEMP_LIFO_ALLOC_PRIMARY_CHUNK_SIZE),
exclusiveContextGlobal(initCx, exclusiveContextGlobal),
callback(callback), callbackData(callbackData),
- script(nullptr), errors(cx), overRecursed(false)
+ script(initCx->runtime(), nullptr), errors(cx), overRecursed(false)
{
}
bool
ParseTask::init(JSContext* cx, const ReadOnlyCompileOptions& options)
{
if (!this->options.copy(cx, options))
return false;
diff --git a/js/src/vm/HelperThreads.h b/js/src/vm/HelperThreads.h
--- a/js/src/vm/HelperThreads.h
+++ b/js/src/vm/HelperThreads.h
@@ -472,17 +472,17 @@ struct ParseTask
// Callback invoked off the main thread when the parse finishes.
JS::OffThreadCompileCallback callback;
void* callbackData;
// Holds the final script between the invocation of the callback and the
// point where FinishOffThreadScript is called, which will destroy the
// ParseTask.
- JSScript* script;
+ PersistentRootedScript script;
// Any errors or warnings produced during compilation. These are reported
// when finishing the script.
Vector<frontend::CompileError*> errors;
bool overRecursed;
ParseTask(ExclusiveContext* cx, JSObject* exclusiveContextGlobal,
JSContext* initCx, const char16_t* chars, size_t length,

48
gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch Normal file
View file

@ -0,0 +1,48 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4444e94a99cb
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1221385
# HG changeset patch
# User Jan de Mooij <jdemooij@mozilla.com>
# Date 1451478429 -3600
# Node ID 4444e94a99cb9b00c0351cc8bf5459739cc036a5
# Parent 750e4cfc90f80df657e44c9c63b1865023d88682
Bug 1221385 - Handle OOM during JitRuntime initialization a bit better. r=bhackett a=abillings
diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp
--- a/js/src/jscompartment.cpp
+++ b/js/src/jscompartment.cpp
@@ -138,28 +138,20 @@ JSRuntime::createJitRuntime(JSContext* c
// Protect jitRuntime_ from being observed (by InterruptRunningJitCode)
// while it is being initialized. Unfortunately, initialization depends on
// jitRuntime_ being non-null, so we can't just wait to assign jitRuntime_.
JitRuntime::AutoMutateBackedges amb(jrt);
jitRuntime_ = jrt;
if (!jitRuntime_->initialize(cx)) {
- js_ReportOutOfMemory(cx);
-
- js_delete(jitRuntime_);
- jitRuntime_ = nullptr;
-
- JSCompartment* comp = cx->runtime()->atomsCompartment();
- if (comp->jitCompartment_) {
- js_delete(comp->jitCompartment_);
- comp->jitCompartment_ = nullptr;
- }
-
- return nullptr;
+ // Handling OOM here is complicated: if we delete jitRuntime_ now, we
+ // will destroy the ExecutableAllocator, even though there may still be
+ // JitCode instances holding references to ExecutablePools.
+ CrashAtUnhandlableOOM("OOM in createJitRuntime");
}
return jitRuntime_;
}
bool
JSCompartment::ensureJitCompartmentExists(JSContext* cx)
{

189
gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch Normal file
View file

@ -0,0 +1,189 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f31d643afd41
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233925
# HG changeset patch
# User Jan de Mooij <jdemooij@mozilla.com>
# Date 1452110721 -3600
# Node ID f31d643afd4159b5422ae5aebcbbea0a088e018e
# Parent 4444e94a99cb9b00c0351cc8bf5459739cc036a5
Bug 1233925 - Treat functions with rest more like functions with lazy arguments. r=nbp a=ritu
diff --git a/js/src/jit/BacktrackingAllocator.cpp b/js/src/jit/BacktrackingAllocator.cpp
--- a/js/src/jit/BacktrackingAllocator.cpp
+++ b/js/src/jit/BacktrackingAllocator.cpp
@@ -201,20 +201,19 @@ BacktrackingAllocator::tryGroupRegisters
// constructor calling convention.
if (IsThisSlotDefinition(reg0->def()) || IsThisSlotDefinition(reg1->def())) {
if (*reg0->def()->output() != *reg1->def()->output())
return true;
}
// Registers which might spill to the frame's argument slots can only be
// grouped with other such registers if the frame might access those
- // arguments through a lazy arguments object.
+ // arguments through a lazy arguments object or rest parameter.
if (IsArgumentSlotDefinition(reg0->def()) || IsArgumentSlotDefinition(reg1->def())) {
- JSScript* script = graph.mir().entryBlock()->info().script();
- if (script && script->argumentsAliasesFormals()) {
+ if (graph.mir().entryBlock()->info().mayReadFrameArgsDirectly()) {
if (*reg0->def()->output() != *reg1->def()->output())
return true;
}
}
VirtualRegisterGroup* group0 = reg0->group(), *group1 = reg1->group();
if (!group0 && group1)
diff --git a/js/src/jit/CompileInfo.h b/js/src/jit/CompileInfo.h
--- a/js/src/jit/CompileInfo.h
+++ b/js/src/jit/CompileInfo.h
@@ -194,16 +194,17 @@ enum AnalysisMode {
class CompileInfo
{
public:
CompileInfo(JSScript* script, JSFunction* fun, jsbytecode* osrPc, bool constructing,
AnalysisMode analysisMode, bool scriptNeedsArgsObj,
InlineScriptTree* inlineScriptTree)
: script_(script), fun_(fun), osrPc_(osrPc), constructing_(constructing),
analysisMode_(analysisMode), scriptNeedsArgsObj_(scriptNeedsArgsObj),
+ mayReadFrameArgsDirectly_(script->mayReadFrameArgsDirectly()),
inlineScriptTree_(inlineScriptTree)
{
MOZ_ASSERT_IF(osrPc, JSOp(*osrPc) == JSOP_LOOPENTRY);
// The function here can flow in from anywhere so look up the canonical
// function to ensure that we do not try to embed a nursery pointer in
// jit-code. Precisely because it can flow in from anywhere, it's not
// guaranteed to be non-lazy. Hence, don't access its script!
@@ -222,17 +223,17 @@ class CompileInfo
fixedLexicalBegin_ = script->fixedLexicalBegin();
nstack_ = script->nslots() - script->nfixed();
nslots_ = nimplicit_ + nargs_ + nlocals_ + nstack_;
}
explicit CompileInfo(unsigned nlocals)
: script_(nullptr), fun_(nullptr), osrPc_(nullptr), osrStaticScope_(nullptr),
constructing_(false), analysisMode_(Analysis_None), scriptNeedsArgsObj_(false),
- inlineScriptTree_(nullptr)
+ mayReadFrameArgsDirectly_(false), inlineScriptTree_(nullptr)
{
nimplicit_ = 0;
nargs_ = 0;
nbodyfixed_ = 0;
nlocals_ = nlocals;
nstack_ = 1; /* For FunctionCompiler::pushPhiInput/popPhiOutput */
nslots_ = nlocals_ + nstack_;
fixedLexicalBegin_ = nlocals;
@@ -539,16 +540,20 @@ class CompileInfo
return false;
if (needsArgsObj() && isObservableArgumentSlot(slot))
return false;
return true;
}
+ bool mayReadFrameArgsDirectly() const {
+ return mayReadFrameArgsDirectly_;
+ }
+
private:
unsigned nimplicit_;
unsigned nargs_;
unsigned nbodyfixed_;
unsigned nlocals_;
unsigned nstack_;
unsigned nslots_;
unsigned fixedLexicalBegin_;
@@ -559,15 +564,17 @@ class CompileInfo
bool constructing_;
AnalysisMode analysisMode_;
// Whether a script needs an arguments object is unstable over compilation
// since the arguments optimization could be marked as failed on the main
// thread, so cache a value here and use it throughout for consistency.
bool scriptNeedsArgsObj_;
+ bool mayReadFrameArgsDirectly_;
+
InlineScriptTree* inlineScriptTree_;
};
} // namespace jit
} // namespace js
#endif /* jit_CompileInfo_h */
diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
--- a/js/src/jit/JitFrames.cpp
+++ b/js/src/jit/JitFrames.cpp
@@ -1002,17 +1002,17 @@ MarkThisAndArguments(JSTracer* trc, JitF
// formal arguments is taken care of by the frame's safepoint/snapshot,
// except when the script's lazy arguments object aliases those formals,
// in which case we mark them as well.
size_t nargs = layout->numActualArgs();
size_t nformals = 0;
if (CalleeTokenIsFunction(layout->calleeToken())) {
JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
- nformals = fun->nonLazyScript()->argumentsAliasesFormals() ? 0 : fun->nargs();
+ nformals = fun->nonLazyScript()->mayReadFrameArgsDirectly() ? 0 : fun->nargs();
}
Value* argv = layout->argv();
// Trace |this|.
gc::MarkValueRoot(trc, argv, "ion-thisv");
// Trace actual arguments beyond the formals. Note + 1 for thisv.
diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
--- a/js/src/jsscript.cpp
+++ b/js/src/jsscript.cpp
@@ -3894,16 +3894,22 @@ JSScript::hasLoops()
JSTryNote* tnlimit = tn + trynotes()->length;
for (; tn < tnlimit; tn++) {
if (tn->kind == JSTRY_FOR_IN || tn->kind == JSTRY_LOOP)
return true;
}
return false;
}
+bool
+JSScript::mayReadFrameArgsDirectly()
+{
+ return argumentsHasVarBinding() || (function_ && function_->hasRest());
+}
+
static inline void
LazyScriptHash(uint32_t lineno, uint32_t column, uint32_t begin, uint32_t end,
HashNumber hashes[3])
{
HashNumber hash = lineno;
hash = RotateLeft(hash, 4) ^ column;
hash = RotateLeft(hash, 4) ^ begin;
hash = RotateLeft(hash, 4) ^ end;
diff --git a/js/src/jsscript.h b/js/src/jsscript.h
--- a/js/src/jsscript.h
+++ b/js/src/jsscript.h
@@ -1397,16 +1397,20 @@ class JSScript : public js::gc::TenuredC
}
inline void setFunction(JSFunction* fun);
/*
* De-lazifies the canonical function. Must be called before entering code
* that expects the function to be non-lazy.
*/
inline void ensureNonLazyCanonicalFunction(JSContext* cx);
+ // Returns true if the script may read formal arguments on the stack
+ // directly, via lazy arguments or a rest parameter.
+ bool mayReadFrameArgsDirectly();
+
JSFlatString* sourceData(JSContext* cx);
static bool loadSource(JSContext* cx, js::ScriptSource* ss, bool* worked);
void setSourceObject(JSObject* object);
JSObject* sourceObject() const {
return sourceObject_;
}

33
gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch Normal file
View file

@ -0,0 +1,33 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/debff255c08e
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234571
# HG changeset patch
# User Randell Jesup <rjesup@jesup.org>
# Date 1451928471 18000
# Node ID debff255c08e898be370e307e1e014f5601c20c6
# Parent f31d643afd4159b5422ae5aebcbbea0a088e018e
Bug 1234571 - unregister encoded-frame callback when releasing codec databases. r=pkerr, a=al
diff --git a/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc b/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
--- a/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
+++ b/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
@@ -71,16 +71,17 @@ VCMGenericEncoder::VCMGenericEncoder(Vid
VCMGenericEncoder::~VCMGenericEncoder()
{
}
int32_t VCMGenericEncoder::Release()
{
_bitRate = 0;
_frameRate = 0;
+ _encoder.RegisterEncodeCompleteCallback(NULL);
_VCMencodedFrameCallback = NULL;
return _encoder.Release();
}
int32_t
VCMGenericEncoder::InitEncode(const VideoCodec* settings,
int32_t numberOfCores,
uint32_t maxPayloadSize)

183
gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch Normal file
View file

@ -0,0 +1,183 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/0f7224441f20
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234280
# HG changeset patch
# User Benjamin Bouvier <benj@benj.me>
# Date 1450947090 -3600
# Node ID 0f7224441f2089001f7934b46ac10cb72d267606
# Parent debff255c08e898be370e307e1e014f5601c20c6
Bug 1234280: Handle oom in CodeGeneratorShared::allocateData; r=jandem, a=sledru
diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
--- a/js/src/jit/CodeGenerator.cpp
+++ b/js/src/jit/CodeGenerator.cpp
@@ -7902,17 +7902,19 @@ const VMFunction GetPropertyIC::UpdateIn
void
CodeGenerator::visitGetPropertyIC(OutOfLineUpdateCache* ool, DataPtr<GetPropertyIC>& ic)
{
LInstruction* lir = ool->lir();
if (ic->idempotent()) {
size_t numLocs;
CacheLocationList& cacheLocs = lir->mirRaw()->toGetPropertyCache()->location();
- size_t locationBase = addCacheLocations(cacheLocs, &numLocs);
+ size_t locationBase;
+ if (!addCacheLocations(cacheLocs, &numLocs, &locationBase))
+ return;
ic->setLocationInfo(locationBase, numLocs);
}
saveLive(lir);
pushArg(ic->object());
pushArg(Imm32(ool->getCacheIndex()));
pushArg(ImmGCPtr(gen->info().script()));
diff --git a/js/src/jit/shared/CodeGenerator-shared.cpp b/js/src/jit/shared/CodeGenerator-shared.cpp
--- a/js/src/jit/shared/CodeGenerator-shared.cpp
+++ b/js/src/jit/shared/CodeGenerator-shared.cpp
@@ -1527,31 +1527,34 @@ CodeGeneratorShared::jumpToBlock(MBasicB
masm.propagateOOM(patchableBackedges_.append(PatchableBackedgeInfo(backedge, mir->lir()->label(), oolEntry)));
} else {
masm.j(cond, mir->lir()->label());
}
}
#endif
-size_t
-CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs)
+MOZ_WARN_UNUSED_RESULT bool
+CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs,
+ size_t* curIndex)
{
size_t firstIndex = runtimeData_.length();
size_t numLocations = 0;
for (CacheLocationList::iterator iter = locs.begin(); iter != locs.end(); iter++) {
// allocateData() ensures that sizeof(CacheLocation) is word-aligned.
// If this changes, we will need to pad to ensure alignment.
- size_t curIndex = allocateData(sizeof(CacheLocation));
- new (&runtimeData_[curIndex]) CacheLocation(iter->pc, iter->script);
+ if (!allocateData(sizeof(CacheLocation), curIndex))
+ return false;
+ new (&runtimeData_[*curIndex]) CacheLocation(iter->pc, iter->script);
numLocations++;
}
MOZ_ASSERT(numLocations != 0);
*numLocs = numLocations;
- return firstIndex;
+ *curIndex = firstIndex;
+ return true;
}
ReciprocalMulConstants
CodeGeneratorShared::computeDivisionConstants(int d) {
// In what follows, d is positive and is not a power of 2.
MOZ_ASSERT(d > 0 && (d & (d - 1)) != 0);
// Speeding up division by non power-of-2 constants is possible by
diff --git a/js/src/jit/shared/CodeGenerator-shared.h b/js/src/jit/shared/CodeGenerator-shared.h
--- a/js/src/jit/shared/CodeGenerator-shared.h
+++ b/js/src/jit/shared/CodeGenerator-shared.h
@@ -3,16 +3,17 @@
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef jit_shared_CodeGenerator_shared_h
#define jit_shared_CodeGenerator_shared_h
#include "mozilla/Alignment.h"
+#include "mozilla/TypeTraits.h"
#include "jit/JitFrames.h"
#include "jit/LIR.h"
#include "jit/MacroAssembler.h"
#include "jit/MIRGenerator.h"
#include "jit/MIRGraph.h"
#include "jit/OptimizationTracking.h"
#include "jit/Safepoints.h"
@@ -242,24 +243,16 @@ class CodeGeneratorShared : public LElem
return SlotToStackOffset(a->toStackSlot()->slot());
}
uint32_t frameSize() const {
return frameClass_ == FrameSizeClass::None() ? frameDepth_ : frameClass_.frameSize();
}
protected:
- // Ensure the cache is an IonCache while expecting the size of the derived
- // class. We only need the cache list at GC time. Everyone else can just take
- // runtimeData offsets.
- size_t allocateCache(const IonCache&, size_t size) {
- size_t dataOffset = allocateData(size);
- masm.propagateOOM(cacheList_.append(dataOffset));
- return dataOffset;
- }
#ifdef CHECK_OSIPOINT_REGISTERS
void resetOsiPointRegs(LSafepoint* safepoint);
bool shouldVerifyOsiPointRegs(LSafepoint* safepoint);
void verifyOsiPointRegs(LSafepoint* safepoint);
#endif
bool addNativeToBytecodeEntry(const BytecodeSite* site);
@@ -295,27 +288,33 @@ class CodeGeneratorShared : public LElem
return lookup();
}
T * operator*() {
return lookup();
}
};
protected:
-
- size_t allocateData(size_t size) {
+ MOZ_WARN_UNUSED_RESULT
+ bool allocateData(size_t size, size_t* offset) {
MOZ_ASSERT(size % sizeof(void*) == 0);
- size_t dataOffset = runtimeData_.length();
+ *offset = runtimeData_.length();
masm.propagateOOM(runtimeData_.appendN(0, size));
- return dataOffset;
+ return !masm.oom();
}
+ // Ensure the cache is an IonCache while expecting the size of the derived
+ // class. We only need the cache list at GC time. Everyone else can just take
+ // runtimeData offsets.
template <typename T>
inline size_t allocateCache(const T& cache) {
- size_t index = allocateCache(cache, sizeof(mozilla::AlignedStorage2<T>));
+ static_assert(mozilla::IsBaseOf<IonCache, T>::value, "T must inherit from IonCache");
+ size_t index;
+ masm.propagateOOM(allocateData(sizeof(mozilla::AlignedStorage2<T>), &index));
+ masm.propagateOOM(cacheList_.append(index));
if (masm.oom())
return SIZE_MAX;
// Use the copy constructor on the allocated space.
MOZ_ASSERT(index == cacheList_.back());
new (&runtimeData_[index]) T(cache);
return index;
}
@@ -475,17 +474,17 @@ class CodeGeneratorShared : public LElem
void callVM(const VMFunction& f, LInstruction* ins, const Register* dynStack = nullptr);
template <class ArgSeq, class StoreOutputTo>
inline OutOfLineCode* oolCallVM(const VMFunction& fun, LInstruction* ins, const ArgSeq& args,
const StoreOutputTo& out);
void addCache(LInstruction* lir, size_t cacheIndex);
- size_t addCacheLocations(const CacheLocationList& locs, size_t* numLocs);
+ bool addCacheLocations(const CacheLocationList& locs, size_t* numLocs, size_t* offset);
ReciprocalMulConstants computeDivisionConstants(int d);
protected:
void addOutOfLineCode(OutOfLineCode* code, const MInstruction* mir);
void addOutOfLineCode(OutOfLineCode* code, const BytecodeSite* site);
bool hasOutOfLineCode() { return !outOfLineCode_.empty(); }
bool generateOutOfLineCode();

91
gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch Normal file
View file

@ -0,0 +1,91 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8c184c30caa6
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668
# HG changeset patch
# User L. David Baron <dbaron@dbaron.org>
# Date 1452248144 -39600
# Node ID 8c184c30caa6d16f5ec63cce9a77d16f25d2e57e
# Parent 0f7224441f2089001f7934b46ac10cb72d267606
Bug 1230668 - Don't use frame when not in composed document. r=heycam a=sylvestre
diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
--- a/layout/style/nsComputedDOMStyle.cpp
+++ b/layout/style/nsComputedDOMStyle.cpp
@@ -421,26 +421,31 @@ nsComputedDOMStyle::GetStyleContextForEl
{
MOZ_ASSERT(aElement, "NULL element");
// If the content has a pres shell, we must use it. Otherwise we'd
// potentially mix rule trees by using the wrong pres shell's style
// set. Using the pres shell from the content also means that any
// content that's actually *in* a document will get the style from the
// correct document.
nsIPresShell *presShell = GetPresShellForContent(aElement);
+ bool inDocWithShell = true;
if (!presShell) {
+ inDocWithShell = false;
presShell = aPresShell;
if (!presShell)
return nullptr;
}
- // XXX the !aElement->IsHTML(nsGkAtoms::area)
- // check is needed due to bug 135040 (to avoid using
+ // XXX the !aElement->IsHTML(nsGkAtoms::area)
+ // check is needed due to bug 135040 (to avoid using
// mPrimaryFrame). Remove it once that's fixed.
- if (!aPseudo && aStyleType == eAll && !aElement->IsHTML(nsGkAtoms::area)) {
+ if (!aPseudo && aStyleType == eAll && inDocWithShell &&
+ !aElement->IsHTML(nsGkAtoms::area)) {
+ if (!aPseudo && aStyleType == eAll && inDocWithShell &&
+ !aElement->IsHTMLElement(nsGkAtoms::area)) {
nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
if (frame) {
nsStyleContext* result = frame->StyleContext();
// Don't use the style context if it was influenced by
// pseudo-elements, since then it's not the primary style
// for this element.
if (!result->HasPseudoElementData()) {
// this function returns an addrefed style context
@@ -468,17 +473,18 @@ nsComputedDOMStyle::GetStyleContextForEl
nsRefPtr<nsStyleContext> sc;
if (aPseudo) {
nsCSSPseudoElements::Type type = nsCSSPseudoElements::GetPseudoType(aPseudo);
if (type >= nsCSSPseudoElements::ePseudo_PseudoElementCount) {
return nullptr;
}
nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
- Element* pseudoElement = frame ? frame->GetPseudoElement(type) : nullptr;
+ Element* pseudoElement =
+ frame && inDocWithShell ? frame->GetPseudoElement(type) : nullptr;
sc = styleSet->ResolvePseudoElementStyle(aElement, type, parentContext,
pseudoElement);
} else {
sc = styleSet->ResolveStyleFor(aElement, parentContext);
}
if (aStyleType == eDefaultOnly) {
// We really only want the user and UA rules. Filter out the other ones.
@@ -592,18 +598,18 @@ nsComputedDOMStyle::UpdateCurrentStyleSo
mFlushedPendingReflows = aNeedsLayoutFlush;
#endif
mPresShell = document->GetShell();
if (!mPresShell || !mPresShell->GetPresContext()) {
return;
}
- // XXX the !mContent->IsHTML(nsGkAtoms::area)
- // check is needed due to bug 135040 (to avoid using
+ // XXX the !mContent->IsHTML(nsGkAtoms::area)
+ // check is needed due to bug 135040 (to avoid using
// mPrimaryFrame). Remove it once that's fixed.
if (!mPseudo && mStyleType == eAll && !mContent->IsHTML(nsGkAtoms::area)) {
mOuterFrame = mContent->GetPrimaryFrame();
mInnerFrame = mOuterFrame;
if (mOuterFrame) {
nsIAtom* type = mOuterFrame->GetType();
if (type == nsGkAtoms::tableOuterFrame) {
// If the frame is an outer table frame then we should get the style

34
gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch Normal file
View file

@ -0,0 +1,34 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fceff80a84a3
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668
# HG changeset patch
# User Wes Kocher <wkocher@mozilla.com>
# Date 1452542163 28800
# Node ID fceff80a84a32b68d02abc00486fe6c7b86d545b
# Parent 8c184c30caa6d16f5ec63cce9a77d16f25d2e57e
Fix up some rebase errors in bug 1230668 r=me a=bustage
diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
--- a/layout/style/nsComputedDOMStyle.cpp
+++ b/layout/style/nsComputedDOMStyle.cpp
@@ -434,18 +434,16 @@ nsComputedDOMStyle::GetStyleContextForEl
return nullptr;
}
// XXX the !aElement->IsHTML(nsGkAtoms::area)
// check is needed due to bug 135040 (to avoid using
// mPrimaryFrame). Remove it once that's fixed.
if (!aPseudo && aStyleType == eAll && inDocWithShell &&
!aElement->IsHTML(nsGkAtoms::area)) {
- if (!aPseudo && aStyleType == eAll && inDocWithShell &&
- !aElement->IsHTMLElement(nsGkAtoms::area)) {
nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
if (frame) {
nsStyleContext* result = frame->StyleContext();
// Don't use the style context if it was influenced by
// pseudo-elements, since then it's not the primary style
// for this element.
if (!result->HasPseudoElementData()) {
// this function returns an addrefed style context

83
gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch Normal file
View file

@ -0,0 +1,83 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/94a95291d095
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1224200
# HG changeset patch
# User Timothy Nikkel <tnikkel@gmail.com>
# Date 1453303652 -3600
# Node ID 94a95291d0958439dbed5b7dc99fae59e1318592
# Parent 999c13acb40e1113306c65925a7d96688339d945
Bug 1224200 - Allow downscaler to get (and ignore) new input lines after it has finished producing all output lines. r=seth, a=lizzard
diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
--- a/image/src/Downscaler.cpp
+++ b/image/src/Downscaler.cpp
@@ -145,43 +145,44 @@ GetFilterOffsetAndLength(UniquePtr<skia:
aFilterLengthOut);
}
void
Downscaler::CommitRow()
{
MOZ_ASSERT(mOutputBuffer, "Should have a current frame");
MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input");
- MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Past end of output");
- int32_t filterOffset = 0;
- int32_t filterLength = 0;
- GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
- &filterOffset, &filterLength);
+ if (mCurrentOutLine < mTargetSize.height) {
+ int32_t filterOffset = 0;
+ int32_t filterLength = 0;
+ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+ &filterOffset, &filterLength);
- int32_t inLineToRead = filterOffset + mLinesInBuffer;
- MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
- if (mCurrentInLine == inLineToRead) {
- skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
- mWindow[mLinesInBuffer++], mHasAlpha,
- /* use_sse2 = */ true);
- }
-
- MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
- "Writing past end of output");
-
- while (mLinesInBuffer == filterLength) {
- DownscaleInputLine();
-
- if (mCurrentOutLine == mTargetSize.height) {
- break; // We're done.
+ int32_t inLineToRead = filterOffset + mLinesInBuffer;
+ MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+ if (mCurrentInLine == inLineToRead) {
+ skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+ mWindow[mLinesInBuffer++], mHasAlpha,
+ /* use_sse2 = */ true);
}
- GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
- &filterOffset, &filterLength);
+ MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
+ "Writing past end of output");
+
+ while (mLinesInBuffer == filterLength) {
+ DownscaleInputLine();
+
+ if (mCurrentOutLine == mTargetSize.height) {
+ break; // We're done.
+ }
+
+ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+ &filterOffset, &filterLength);
+ }
}
mCurrentInLine += 1;
}
bool
Downscaler::HasInvalidation() const
{

35
gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch Normal file
View file

@ -0,0 +1,35 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/ee68c3dae5f6
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230483
# HG changeset patch
# User JW Wang <jwwang@mozilla.com>
# Date 1450698943 -28800
# Node ID ee68c3dae5f639fdd439f69ef2f724067fce0ea6
# Parent 762d015e1854c28c213293ac1e9b2ab51cf201f9
Bug 1230483 - Part 2 - LoadFromSourceChildren() should be queued at most once in an event cycle. r=roc, a=lizzard
diff --git a/dom/html/HTMLMediaElement.cpp b/dom/html/HTMLMediaElement.cpp
--- a/dom/html/HTMLMediaElement.cpp
+++ b/dom/html/HTMLMediaElement.cpp
@@ -4033,16 +4033,19 @@ void HTMLMediaElement::NotifyAddedSource
mNetworkState == nsIDOMHTMLMediaElement::NETWORK_EMPTY)
{
QueueSelectResourceTask();
}
// A load was paused in the resource selection algorithm, waiting for
// a new source child to be added, resume the resource selection algorithm.
if (mLoadWaitStatus == WAITING_FOR_SOURCE) {
+ // Rest the flag so we don't queue multiple LoadFromSourceTask() when
+ // multiple <source> are attached in an event loop.
+ mLoadWaitStatus = NOT_WAITING;
QueueLoadFromSourceTask();
}
}
nsIContent* HTMLMediaElement::GetNextSource()
{
nsCOMPtr<nsIDOMNode> thisDomNode = do_QueryObject(this);

77
gnu/packages/patches/icecat-CVE-2016-1935.patch Normal file
View file

@ -0,0 +1,77 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f9aad6c0253a
Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1220450
# HG changeset patch
# User Jeff Gilbert <jgilbert@mozilla.com>
# Date 1452570660 28800
# Node ID f9aad6c0253a3b81699a3d7a05e78615dd814ea3
# Parent c47640f24251b48c0bba9d2f0f6ee059eca58362
Bug 1220450 - Clear length on cache OOM. r=kamidphish, a=ritu
diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
--- a/dom/canvas/WebGLContextBuffers.cpp
+++ b/dom/canvas/WebGLContextBuffers.cpp
@@ -185,16 +185,17 @@ WebGLContext::BufferData(GLenum target,
if (error) {
GenerateWarning("bufferData generated error %s", ErrorName(error));
return;
}
boundBuffer->SetByteLength(size);
if (!boundBuffer->ElementArrayCacheBufferData(nullptr, size)) {
+ boundBuffer->SetByteLength(0);
return ErrorOutOfMemory("bufferData: out of memory");
}
}
void
WebGLContext::BufferData(GLenum target,
const dom::Nullable<dom::ArrayBuffer>& maybeData,
GLenum usage)
@@ -234,18 +235,20 @@ WebGLContext::BufferData(GLenum target,
GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
if (error) {
GenerateWarning("bufferData generated error %s", ErrorName(error));
return;
}
boundBuffer->SetByteLength(data.Length());
- if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
+ if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
+ boundBuffer->SetByteLength(0);
return ErrorOutOfMemory("bufferData: out of memory");
+ }
}
void
WebGLContext::BufferData(GLenum target, const dom::ArrayBufferView& data,
GLenum usage)
{
if (IsContextLost())
return;
@@ -274,18 +277,20 @@ WebGLContext::BufferData(GLenum target,
GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
if (error) {
GenerateWarning("bufferData generated error %s", ErrorName(error));
return;
}
boundBuffer->SetByteLength(data.Length());
- if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
+ if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
+ boundBuffer->SetByteLength(0);
return ErrorOutOfMemory("bufferData: out of memory");
+ }
}
void
WebGLContext::BufferSubData(GLenum target, WebGLsizeiptr byteOffset,
const dom::Nullable<dom::ArrayBuffer>& maybeData)
{
if (IsContextLost())
return;

141
gnu/packages/patches/icecat-bug-1146335-pt1.patch Normal file
View file

@ -0,0 +1,141 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9d14787bd10e
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1146335
# HG changeset patch
# User Seth Fowler <mark.seth.fowler@gmail.com>
# Date 1428627143 25200
# Node ID 9d14787bd10e6f3013263a2cae0bcc78bebde1db
# Parent aaf922ae679685acb5d2b8ffa5f0bf22f1e6987a
Bug 1146335 (Part 1) - Add assertions and fix style issues in image::Downscaler. r=tn a=lizzard
diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
--- a/image/src/Downscaler.cpp
+++ b/image/src/Downscaler.cpp
@@ -72,23 +72,25 @@ Downscaler::BeginFrame(const nsIntSize&
mOutputBuffer = aOutputBuffer;
mHasAlpha = aHasAlpha;
ResetForNextProgressivePass();
ReleaseWindow();
auto resizeMethod = skia::ImageOperations::RESIZE_LANCZOS3;
- skia::resize::ComputeFilters(resizeMethod, mOriginalSize.width,
- mTargetSize.width, 0,
- mTargetSize.width, mXFilter.get());
+ skia::resize::ComputeFilters(resizeMethod,
+ mOriginalSize.width, mTargetSize.width,
+ 0, mTargetSize.width,
+ mXFilter.get());
- skia::resize::ComputeFilters(resizeMethod, mOriginalSize.height,
- mTargetSize.height, 0,
- mTargetSize.height, mYFilter.get());
+ skia::resize::ComputeFilters(resizeMethod,
+ mOriginalSize.height, mTargetSize.height,
+ 0, mTargetSize.height,
+ mYFilter.get());
// Allocate the buffer, which contains scanlines of the original image.
size_t bufferLen = mOriginalSize.width * sizeof(uint32_t);
mRowBuffer = MakeUnique<uint8_t[]>(bufferLen);
if (MOZ_UNLIKELY(!mRowBuffer)) {
return NS_ERROR_OUT_OF_MEMORY;
}
@@ -126,39 +128,54 @@ void
Downscaler::ResetForNextProgressivePass()
{
mPrevInvalidatedLine = 0;
mCurrentOutLine = 0;
mCurrentInLine = 0;
mLinesInBuffer = 0;
}
+static void
+GetFilterOffsetAndLength(UniquePtr<skia::ConvolutionFilter1D>& aFilter,
+ int32_t aOutputImagePosition,
+ int32_t* aFilterOffsetOut,
+ int32_t* aFilterLengthOut)
+{
+ MOZ_ASSERT(aOutputImagePosition < aFilter->num_values());
+ aFilter->FilterForValue(aOutputImagePosition,
+ aFilterOffsetOut,
+ aFilterLengthOut);
+}
+
void
Downscaler::CommitRow()
{
MOZ_ASSERT(mOutputBuffer, "Should have a current frame");
MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input");
MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Past end of output");
int32_t filterOffset = 0;
int32_t filterLength = 0;
- mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
+ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+ &filterOffset, &filterLength);
int32_t inLineToRead = filterOffset + mLinesInBuffer;
MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
if (mCurrentInLine == inLineToRead) {
skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
mWindow[mLinesInBuffer++], mHasAlpha,
/* use_sse2 = */ true);
}
while (mLinesInBuffer == filterLength &&
mCurrentOutLine < mTargetSize.height) {
DownscaleInputLine();
- mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
+
+ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+ &filterOffset, &filterLength);
}
mCurrentInLine += 1;
}
bool
Downscaler::HasInvalidation() const
{
@@ -184,16 +201,17 @@ Downscaler::DownscaleInputLine()
{
typedef skia::ConvolutionFilter1D::Fixed FilterValue;
MOZ_ASSERT(mOutputBuffer);
MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Writing past end of output");
int32_t filterOffset = 0;
int32_t filterLength = 0;
+ MOZ_ASSERT(mCurrentOutLine < mYFilter->num_values());
auto filterValues =
mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
uint8_t* outputLine =
&mOutputBuffer[mCurrentOutLine * mTargetSize.width * sizeof(uint32_t)];
skia::ConvolveVertically(static_cast<const FilterValue*>(filterValues),
filterLength, mWindow.get(), mXFilter->num_values(),
outputLine, mHasAlpha, /* use_sse2 = */ true);
@@ -202,17 +220,18 @@ Downscaler::DownscaleInputLine()
if (mCurrentOutLine == mTargetSize.height) {
// We're done.
return;
}
int32_t newFilterOffset = 0;
int32_t newFilterLength = 0;
- mYFilter->FilterForValue(mCurrentOutLine, &newFilterOffset, &newFilterLength);
+ GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+ &newFilterOffset, &newFilterLength);
int diff = newFilterOffset - filterOffset;
MOZ_ASSERT(diff >= 0, "Moving backwards in the filter?");
// Shift the buffer. We're just moving pointers here, so this is cheap.
mLinesInBuffer -= diff;
mLinesInBuffer = max(mLinesInBuffer, 0);
for (int32_t i = 0; i < mLinesInBuffer; ++i) {

43
gnu/packages/patches/icecat-bug-1146335-pt2.patch Normal file
View file

@ -0,0 +1,43 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8bfaa27698ca
Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1146335
# HG changeset patch
# User Seth Fowler <mark.seth.fowler@gmail.com>
# Date 1428627143 25200
# Node ID 8bfaa27698ca0720d5c9f3910ab7148b38db0625
# Parent 9d14787bd10e6f3013263a2cae0bcc78bebde1db
Bug 1146335 (Part 2) - Fix an off-by-one error in image::Downscaler. r=tn a=lizzard
diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
--- a/image/src/Downscaler.cpp
+++ b/image/src/Downscaler.cpp
@@ -160,20 +160,26 @@ Downscaler::CommitRow()
int32_t inLineToRead = filterOffset + mLinesInBuffer;
MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
if (mCurrentInLine == inLineToRead) {
skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
mWindow[mLinesInBuffer++], mHasAlpha,
/* use_sse2 = */ true);
}
- while (mLinesInBuffer == filterLength &&
- mCurrentOutLine < mTargetSize.height) {
+ MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
+ "Writing past end of output");
+
+ while (mLinesInBuffer == filterLength) {
DownscaleInputLine();
+ if (mCurrentOutLine == mTargetSize.height) {
+ break; // We're done.
+ }
+
GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
&filterOffset, &filterLength);
}
mCurrentInLine += 1;
}
bool

73
gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch Normal file
View file

@ -0,0 +1,73 @@
Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9632375c6aac
# HG changeset patch
# User Jeff Gilbert <jdashg@gmail.com>
# Date 1453320785 28800
# Node ID 9632375c6aacbf673b996b53231d70b91e480fb5
# Parent ee68c3dae5f639fdd439f69ef2f724067fce0ea6
Limit max buffers size for ANGLE. r=jrmuizel a=lizzard
diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
--- a/dom/canvas/WebGLContextBuffers.cpp
+++ b/dom/canvas/WebGLContextBuffers.cpp
@@ -164,16 +164,19 @@ WebGLContext::BufferData(GLenum target,
if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
return;
// careful: WebGLsizeiptr is always 64-bit, but GLsizeiptr is like intptr_t.
if (!CheckedInt<GLsizeiptr>(size).isValid())
return ErrorOutOfMemory("bufferData: bad size");
+ if (gl->IsANGLE() && size > UINT32_MAX)
+ return ErrorOutOfMemory("bufferData: size too large");
+
WebGLBuffer* boundBuffer = bufferSlot.get();
if (!boundBuffer)
return ErrorInvalidOperation("bufferData: no buffer bound!");
UniquePtr<uint8_t> zeroBuffer((uint8_t*)moz_calloc(size, 1));
if (!zeroBuffer)
return ErrorOutOfMemory("bufferData: out of memory");
@@ -216,16 +219,19 @@ WebGLContext::BufferData(GLenum target,
const dom::ArrayBuffer& data = maybeData.Value();
data.ComputeLengthAndData();
// Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr
// is like intptr_t.
if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
return ErrorOutOfMemory("bufferData: bad size");
+ if (gl->IsANGLE() && data.Length() > UINT32_MAX)
+ return ErrorOutOfMemory("bufferData: size too large");
+
if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
return;
WebGLBuffer* boundBuffer = bufferSlot.get();
if (!boundBuffer)
return ErrorInvalidOperation("bufferData: no buffer bound!");
@@ -267,16 +273,19 @@ WebGLContext::BufferData(GLenum target,
data.ComputeLengthAndData();
// Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr
// is like intptr_t.
if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
return ErrorOutOfMemory("bufferData: bad size");
+ if (gl->IsANGLE() && data.Length() > UINT32_MAX)
+ return ErrorOutOfMemory("bufferData: size too large");
+
InvalidateBufferFetching();
MakeContextCurrent();
GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
if (error) {
GenerateWarning("bufferData generated error %s", ErrorName(error));
return;
}