gnu: icecat: Add fixes for CVE-2016-{1930,1935} and other bugs.

* gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch,
  gnu/packages/patches/icecat-CVE-2016-1935.patch,
  gnu/packages/patches/icecat-bug-1146335-pt1.patch,
  gnu/packages/patches/icecat-bug-1146335-pt2.patch,
  gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch: New
  files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.

20 files changed, 1751 insertions, 2 deletions

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 03ca0b7ca0..62010dbf6b 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -1,7 +1,7 @@
 ;;; GNU Guix --- Functional package management for GNU
 ;;; Copyright © 2013, 2015 Andreas Enge <andreas@enge.fr>
 ;;; Copyright © 2013, 2014, 2015 Ludovic Courtès <ludo@gnu.org>
-;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
 ;;; Copyright © 2015 Sou Bunnbu <iyzsong@gmail.com>
 ;;;
 ;;; This file is part of GNU Guix.
@@ -287,7 +287,27 @@ standards.")
       (sha256
        (base32
         "0m18xyb0rd02yaw9xd5z4bab1wr2599iszzqhm86c134jv5vk6cg"))
-      (patches (map search-patch '("icecat-avoid-bundled-includes.patch")))
+      (patches (map search-patch
+                    '("icecat-avoid-bundled-includes.patch"
+                      "icecat-CVE-2016-1930-pt01.patch"
+                      "icecat-CVE-2016-1930-pt02.patch"
+                      "icecat-CVE-2016-1930-pt03.patch"
+                      "icecat-CVE-2016-1930-pt04.patch"
+                      "icecat-CVE-2016-1930-pt05.patch"
+                      "icecat-CVE-2016-1930-pt06.patch"
+                      "icecat-CVE-2016-1930-pt07.patch"
+                      "icecat-CVE-2016-1930-pt08.patch"
+                      "icecat-CVE-2016-1930-pt09.patch"
+                      "icecat-CVE-2016-1930-pt10.patch"
+                      "icecat-CVE-2016-1930-pt11.patch"
+                      "icecat-CVE-2016-1930-pt12.patch"
+                      "icecat-CVE-2016-1930-pt13.patch"
+                      "icecat-bug-1146335-pt1.patch"
+                      "icecat-bug-1146335-pt2.patch"
+                      "icecat-CVE-2016-1935.patch"
+                      "icecat-CVE-2016-1930-pt14.patch"
+                      "icecat-CVE-2016-1930-pt15.patch"
+                      "icecat-limit-max-buffers-size-for-ANGLE.patch")))
       (modules '((guix build utils)))
       (snippet
        '(begin
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch
new file mode 100644
index 0000000000..27768fa1ac
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch
@@ -0,0 +1,34 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/925215cae26f
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233346
+
+# HG changeset patch
+# User Nils Ohlmeier <drno@ohlmeier.org>
+# Date 1451439902 18000
+# Node ID 925215cae26f9c0ccff07ef403a5b3194a4c45c4
+# Parent  ff8e52467d793e935b80bf22a722a71a96fe2d63
+Bug 1233346 - r=ekr a=abillings
+
+diff --git a/media/mtransport/third_party/nICEr/src/stun/addrs.c b/media/mtransport/third_party/nICEr/src/stun/addrs.c
+--- a/media/mtransport/third_party/nICEr/src/stun/addrs.c
++++ b/media/mtransport/third_party/nICEr/src/stun/addrs.c
+@@ -530,16 +530,18 @@ stun_get_win32_addrs(nr_local_addr addrs
+ 
+     for (tmpAddress = AdapterAddresses; tmpAddress != NULL; tmpAddress = tmpAddress->Next) {
+       char *c;
+ 
+       if (tmpAddress->OperStatus != IfOperStatusUp)
+         continue;
+ 
+       snprintf(munged_ifname, IFNAMSIZ, "%S%c", tmpAddress->FriendlyName, 0);
++      munged_ifname[IFNAMSIZ-1] = '\0';
++
+       /* replace spaces with underscores */
+       c = strchr(munged_ifname, ' ');
+       while (c != NULL) {
+         *c = '_';
+          c = strchr(munged_ifname, ' ');
+       }
+       c = strchr(munged_ifname, '.');
+       while (c != NULL) {
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch
new file mode 100644
index 0000000000..fa1804eb82
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch
@@ -0,0 +1,33 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fc78180165a8
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1449117514 -46800
+# Node ID fc78180165a8262c80bbb722ed99b2e0c27b02d0
+# Parent  925215cae26f9c0ccff07ef403a5b3194a4c45c4
+bug 1223670 assert that connected streams have the same graph r=padenot a=abillings
+
+diff --git a/dom/media/MediaStreamGraph.cpp b/dom/media/MediaStreamGraph.cpp
+--- a/dom/media/MediaStreamGraph.cpp
++++ b/dom/media/MediaStreamGraph.cpp
+@@ -2696,16 +2696,17 @@ ProcessedMediaStream::AllocateInputPort(
+       unused << mPort.forget();
+     }
+     virtual void RunDuringShutdown()
+     {
+       Run();
+     }
+     nsRefPtr<MediaInputPort> mPort;
+   };
++  MOZ_ASSERT(aStream->GraphImpl() == GraphImpl());
+   nsRefPtr<MediaInputPort> port = new MediaInputPort(aStream, this, aFlags,
+                                                      aInputNumber, aOutputNumber);
+   port->SetGraphImpl(GraphImpl());
+   GraphImpl()->AppendMessage(new Message(port));
+   return port.forget();
+ }
+ 
+ void
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch
new file mode 100644
index 0000000000..cf0843b8b3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch
@@ -0,0 +1,308 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f746c38d160e
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1449764754 18000
+# Node ID f746c38d160ea29088c15cacae44f3662befaec5
+# Parent  fc78180165a8262c80bbb722ed99b2e0c27b02d0
+bug 1223670 replace public constructors with fallible factory methods r=baku a=abillings
+
+diff --git a/dom/media/webaudio/AudioContext.cpp b/dom/media/webaudio/AudioContext.cpp
+--- a/dom/media/webaudio/AudioContext.cpp
++++ b/dom/media/webaudio/AudioContext.cpp
+@@ -299,32 +299,29 @@ AudioContext::CreateMediaElementSource(H
+     aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+     return nullptr;
+   }
+ #endif
+   nsRefPtr<DOMMediaStream> stream = aMediaElement.MozCaptureStream(aRv);
+   if (aRv.Failed()) {
+     return nullptr;
+   }
+-  nsRefPtr<MediaElementAudioSourceNode> mediaElementAudioSourceNode =
+-    new MediaElementAudioSourceNode(this, stream);
+-  return mediaElementAudioSourceNode.forget();
++  return MediaElementAudioSourceNode::Create(this, stream, aRv);
+ }
+ 
+ already_AddRefed<MediaStreamAudioSourceNode>
+ AudioContext::CreateMediaStreamSource(DOMMediaStream& aMediaStream,
+                                       ErrorResult& aRv)
+ {
+   if (mIsOffline) {
+     aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
+     return nullptr;
+   }
+-  nsRefPtr<MediaStreamAudioSourceNode> mediaStreamAudioSourceNode =
+-    new MediaStreamAudioSourceNode(this, &aMediaStream);
+-  return mediaStreamAudioSourceNode.forget();
++
++  return MediaStreamAudioSourceNode::Create(this, &aMediaStream, aRv);
+ }
+ 
+ already_AddRefed<GainNode>
+ AudioContext::CreateGain()
+ {
+   nsRefPtr<GainNode> gainNode = new GainNode(this);
+   return gainNode.forget();
+ }
+diff --git a/dom/media/webaudio/AudioNode.cpp b/dom/media/webaudio/AudioNode.cpp
+--- a/dom/media/webaudio/AudioNode.cpp
++++ b/dom/media/webaudio/AudioNode.cpp
+@@ -61,34 +61,29 @@ AudioNode::AudioNode(AudioContext* aCont
+                      ChannelInterpretation aChannelInterpretation)
+   : DOMEventTargetHelper(aContext->GetParentObject())
+   , mContext(aContext)
+   , mChannelCount(aChannelCount)
+   , mChannelCountMode(aChannelCountMode)
+   , mChannelInterpretation(aChannelInterpretation)
+   , mId(gId++)
+   , mPassThrough(false)
+-#ifdef DEBUG
+-  , mDemiseNotified(false)
+-#endif
+ {
+   MOZ_ASSERT(aContext);
+   DOMEventTargetHelper::BindToOwner(aContext->GetParentObject());
+   aContext->UpdateNodeCount(1);
+ }
+ 
+ AudioNode::~AudioNode()
+ {
+   MOZ_ASSERT(mInputNodes.IsEmpty());
+   MOZ_ASSERT(mOutputNodes.IsEmpty());
+   MOZ_ASSERT(mOutputParams.IsEmpty());
+-#ifdef DEBUG
+-  MOZ_ASSERT(mDemiseNotified,
++  MOZ_ASSERT(!mStream,
+              "The webaudio-node-demise notification must have been sent");
+-#endif
+   if (mContext) {
+     mContext->UpdateNodeCount(-1);
+   }
+ }
+ 
+ size_t
+ AudioNode::SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const
+ {
+@@ -399,19 +394,16 @@ AudioNode::DestroyMediaStream()
+     mStream = nullptr;
+ 
+     nsCOMPtr<nsIObserverService> obs = services::GetObserverService();
+     if (obs) {
+       nsAutoString id;
+       id.AppendPrintf("%u", mId);
+       obs->NotifyObservers(nullptr, "webaudio-node-demise", id.get());
+     }
+-#ifdef DEBUG
+-    mDemiseNotified = true;
+-#endif
+   }
+ }
+ 
+ void
+ AudioNode::RemoveOutputParam(AudioParam* aParam)
+ {
+   mOutputParams.RemoveElement(aParam);
+ }
+diff --git a/dom/media/webaudio/AudioNode.h b/dom/media/webaudio/AudioNode.h
+--- a/dom/media/webaudio/AudioNode.h
++++ b/dom/media/webaudio/AudioNode.h
+@@ -239,19 +239,14 @@ private:
+   nsTArray<nsRefPtr<AudioParam> > mOutputParams;
+   uint32_t mChannelCount;
+   ChannelCountMode mChannelCountMode;
+   ChannelInterpretation mChannelInterpretation;
+   const uint32_t mId;
+   // Whether the node just passes through its input.  This is a devtools API that
+   // only works for some node types.
+   bool mPassThrough;
+-#ifdef DEBUG
+-  // In debug builds, check to make sure that the node demise notification has
+-  // been properly sent before the node is destroyed.
+-  bool mDemiseNotified;
+-#endif
+ };
+ 
+ }
+ }
+ 
+ #endif
+diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.cpp b/dom/media/webaudio/MediaElementAudioSourceNode.cpp
+--- a/dom/media/webaudio/MediaElementAudioSourceNode.cpp
++++ b/dom/media/webaudio/MediaElementAudioSourceNode.cpp
+@@ -5,22 +5,36 @@
+  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ 
+ #include "MediaElementAudioSourceNode.h"
+ #include "mozilla/dom/MediaElementAudioSourceNodeBinding.h"
+ 
+ namespace mozilla {
+ namespace dom {
+ 
+-MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext,
+-                                                         DOMMediaStream* aStream)
+-  : MediaStreamAudioSourceNode(aContext, aStream)
++MediaElementAudioSourceNode::MediaElementAudioSourceNode(AudioContext* aContext)
++  : MediaStreamAudioSourceNode(aContext)
+ {
+ }
+ 
++/* static */ already_AddRefed<MediaElementAudioSourceNode>
++MediaElementAudioSourceNode::Create(AudioContext* aContext,
++                                    DOMMediaStream* aStream, ErrorResult& aRv)
++{
++  nsRefPtr<MediaElementAudioSourceNode> node =
++    new MediaElementAudioSourceNode(aContext);
++
++  node->Init(aStream, aRv);
++  if (aRv.Failed()) {
++    return nullptr;
++  }
++
++  return node.forget();
++}
++
+ JSObject*
+ MediaElementAudioSourceNode::WrapObject(JSContext* aCx)
+ {
+   return MediaElementAudioSourceNodeBinding::Wrap(aCx, this);
+ }
+ 
+ }
+ }
+diff --git a/dom/media/webaudio/MediaElementAudioSourceNode.h b/dom/media/webaudio/MediaElementAudioSourceNode.h
+--- a/dom/media/webaudio/MediaElementAudioSourceNode.h
++++ b/dom/media/webaudio/MediaElementAudioSourceNode.h
+@@ -10,28 +10,30 @@
+ #include "MediaStreamAudioSourceNode.h"
+ 
+ namespace mozilla {
+ namespace dom {
+ 
+ class MediaElementAudioSourceNode : public MediaStreamAudioSourceNode
+ {
+ public:
+-  MediaElementAudioSourceNode(AudioContext* aContext,
+-                              DOMMediaStream* aStream);
++  static already_AddRefed<MediaElementAudioSourceNode>
++  Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv);
+ 
+   virtual JSObject* WrapObject(JSContext* aCx) override;
+ 
+   virtual const char* NodeType() const override
+   {
+     return "MediaElementAudioSourceNode";
+   }
+ 
+   virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override
+   {
+     return aMallocSizeOf(this) + SizeOfExcludingThis(aMallocSizeOf);
+   }
++private:
++  explicit MediaElementAudioSourceNode(AudioContext* aContext);
+ };
+ 
+ }
+ }
+ 
+ #endif
+diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+@@ -25,26 +25,45 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN_
+ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
+ 
+ NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION_INHERITED(MediaStreamAudioSourceNode)
+ NS_INTERFACE_MAP_END_INHERITING(AudioNode)
+ 
+ NS_IMPL_ADDREF_INHERITED(MediaStreamAudioSourceNode, AudioNode)
+ NS_IMPL_RELEASE_INHERITED(MediaStreamAudioSourceNode, AudioNode)
+ 
+-MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext,
+-                                                       DOMMediaStream* aMediaStream)
++MediaStreamAudioSourceNode::MediaStreamAudioSourceNode(AudioContext* aContext)
+   : AudioNode(aContext,
+               2,
+               ChannelCountMode::Max,
+-              ChannelInterpretation::Speakers),
+-    mInputStream(aMediaStream)
++              ChannelInterpretation::Speakers)
+ {
++}
++
++/* static */ already_AddRefed<MediaStreamAudioSourceNode>
++MediaStreamAudioSourceNode::Create(AudioContext* aContext,
++                                   DOMMediaStream* aStream, ErrorResult& aRv)
++{
++  nsRefPtr<MediaStreamAudioSourceNode> node =
++    new MediaStreamAudioSourceNode(aContext);
++
++  node->Init(aStream, aRv);
++  if (aRv.Failed()) {
++    return nullptr;
++  }
++
++  return node.forget();
++}
++
++void
++MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv)
++{
++  mInputStream = aMediaStream;
+   AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this);
+-  mStream = aContext->Graph()->CreateAudioNodeExternalInputStream(engine);
++  mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine);
+   ProcessedMediaStream* outputStream = static_cast<ProcessedMediaStream*>(mStream.get());
+   mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(),
+                                                MediaInputPort::FLAG_BLOCK_INPUT);
+   mInputStream->AddConsumerToKeepAlive(static_cast<nsIDOMEventTarget*>(this));
+ 
+   PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector
+   mInputStream->AddPrincipalChangeObserver(this);
+ }
+diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.h b/dom/media/webaudio/MediaStreamAudioSourceNode.h
+--- a/dom/media/webaudio/MediaStreamAudioSourceNode.h
++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.h
+@@ -38,17 +38,18 @@ public:
+ private:
+   bool mEnabled;
+ };
+ 
+ class MediaStreamAudioSourceNode : public AudioNode,
+                                    public DOMMediaStream::PrincipalChangeObserver
+ {
+ public:
+-  MediaStreamAudioSourceNode(AudioContext* aContext, DOMMediaStream* aMediaStream);
++  static already_AddRefed<MediaStreamAudioSourceNode>
++  Create(AudioContext* aContext, DOMMediaStream* aStream, ErrorResult& aRv);
+ 
+   NS_DECL_ISUPPORTS_INHERITED
+   NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(MediaStreamAudioSourceNode, AudioNode)
+ 
+   virtual JSObject* WrapObject(JSContext* aCx) override;
+ 
+   virtual void DestroyMediaStream() override;
+ 
+@@ -60,16 +61,18 @@ public:
+   }
+ 
+   virtual size_t SizeOfExcludingThis(MallocSizeOf aMallocSizeOf) const override;
+   virtual size_t SizeOfIncludingThis(MallocSizeOf aMallocSizeOf) const override;
+ 
+   virtual void PrincipalChanged(DOMMediaStream* aMediaStream) override;
+ 
+ protected:
++  explicit MediaStreamAudioSourceNode(AudioContext* aContext);
++  void Init(DOMMediaStream* aMediaStream, ErrorResult& aRv);
+   virtual ~MediaStreamAudioSourceNode();
+ 
+ private:
+   nsRefPtr<MediaInputPort> mInputPort;
+   nsRefPtr<DOMMediaStream> mInputStream;
+ };
+ 
+ }
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch
new file mode 100644
index 0000000000..b212a70d4a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch
@@ -0,0 +1,47 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/6d43ff33bd55
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1451362442 -46800
+# Node ID 6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c
+# Parent  f746c38d160ea29088c15cacae44f3662befaec5
+bug 1223670 throw not supported when creating a node from a stream with different channel r=baku a=abillings
+
+diff --git a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+--- a/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
++++ b/dom/media/webaudio/MediaStreamAudioSourceNode.cpp
+@@ -51,21 +51,29 @@ MediaStreamAudioSourceNode::Create(Audio
+   }
+ 
+   return node.forget();
+ }
+ 
+ void
+ MediaStreamAudioSourceNode::Init(DOMMediaStream* aMediaStream, ErrorResult& aRv)
+ {
++  MOZ_ASSERT(aMediaStream);
++  MediaStream* inputStream = aMediaStream->GetStream();
++  MediaStreamGraph* graph = Context()->Graph();
++  if (NS_WARN_IF(graph != inputStream->Graph())) {
++    aRv.Throw(NS_ERROR_DOM_NOT_SUPPORTED_ERR);
++    return;
++  }
++
+   mInputStream = aMediaStream;
+   AudioNodeEngine* engine = new MediaStreamAudioSourceNodeEngine(this);
+-  mStream = Context()->Graph()->CreateAudioNodeExternalInputStream(engine);
++  mStream = graph->CreateAudioNodeExternalInputStream(engine);
+   ProcessedMediaStream* outputStream = static_cast<ProcessedMediaStream*>(mStream.get());
+-  mInputPort = outputStream->AllocateInputPort(aMediaStream->GetStream(),
++  mInputPort = outputStream->AllocateInputPort(inputStream,
+                                                MediaInputPort::FLAG_BLOCK_INPUT);
+   mInputStream->AddConsumerToKeepAlive(static_cast<nsIDOMEventTarget*>(this));
+ 
+   PrincipalChanged(mInputStream); // trigger enabling/disabling of the connector
+   mInputStream->AddPrincipalChangeObserver(this);
+ }
+ 
+ MediaStreamAudioSourceNode::~MediaStreamAudioSourceNode()
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch
new file mode 100644
index 0000000000..3e62c9c5f1
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch
@@ -0,0 +1,51 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4f6e81673f69
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1223670
+
+# HG changeset patch
+# User Karl Tomlinson <karlt+@karlt.net>
+# Date 1449145091 -46800
+# Node ID 4f6e81673f6938719c86516606f2fda493e8c23c
+# Parent  6d43ff33bd552b8f7a34e4105cf5bcc0a8c8ea8c
+bug 1223670 make SetMozAudioChannelType() private because the type will not change after construction r=baku a=abillings
+
+diff --git a/dom/media/webaudio/AudioDestinationNode.h b/dom/media/webaudio/AudioDestinationNode.h
+--- a/dom/media/webaudio/AudioDestinationNode.h
++++ b/dom/media/webaudio/AudioDestinationNode.h
+@@ -57,17 +57,16 @@ public:
+   void StartRendering(Promise* aPromise);
+ 
+   void OfflineShutdown();
+ 
+   // nsIDOMEventListener - by proxy
+   NS_IMETHOD HandleEvent(nsIDOMEvent* aEvent) override;
+ 
+   AudioChannel MozAudioChannelType() const;
+-  void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv);
+ 
+   virtual void NotifyMainThreadStateChanged() override;
+   void FireOfflineCompletionEvent();
+ 
+   // An amount that should be added to the MediaStream's current time to
+   // get the AudioContext.currentTime.
+   double ExtraCurrentTime();
+ 
+@@ -86,16 +85,17 @@ public:
+ 
+   void InputMuted(bool aInputMuted);
+   void ResolvePromise(AudioBuffer* aRenderedBuffer);
+ 
+ protected:
+   virtual ~AudioDestinationNode();
+ 
+ private:
++  void SetMozAudioChannelType(AudioChannel aValue, ErrorResult& aRv);
+   bool CheckAudioChannelPermissions(AudioChannel aValue);
+ 
+   void SetCanPlay(bool aCanPlay);
+ 
+   void NotifyStableState();
+   void ScheduleStableStateNotification();
+ 
+   SelfReference<AudioDestinationNode> mOfflineRenderingRef;
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch
new file mode 100644
index 0000000000..ec1f479ee4
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch
@@ -0,0 +1,170 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/93617c30c0df
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230686
+
+# HG changeset patch
+# User Lee Salzman <lsalzman@mozilla.com>
+# Date 1451932822 18000
+# Node ID 93617c30c0df35f719dead526b78649d564f5ac3
+# Parent  4f6e81673f6938719c86516606f2fda493e8c23c
+Bug 1230686 - use RefPtr<DrawTarget>& instead of DrawTarget* to track changes in SurfaceFromElement a=ritu
+
+diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp
+--- a/layout/base/nsLayoutUtils.cpp
++++ b/layout/base/nsLayoutUtils.cpp
+@@ -6494,17 +6494,17 @@ nsLayoutUtils::IsReallyFixedPos(nsIFrame
+   nsIAtom *parentType = aFrame->GetParent()->GetType();
+   return parentType == nsGkAtoms::viewportFrame ||
+          parentType == nsGkAtoms::pageContentFrame;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(nsIImageLoadingContent* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   SurfaceFromElementResult result;
+   nsresult rv;
+ 
+   nsCOMPtr<imgIRequest> imgRequest;
+   rv = aElement->GetRequest(nsIImageLoadingContent::CURRENT_REQUEST,
+                             getter_AddRefs(imgRequest));
+   if (NS_FAILED(rv) || !imgRequest)
+@@ -6586,41 +6586,41 @@ nsLayoutUtils::SurfaceFromElement(nsIIma
+   result.mImageRequest = imgRequest.forget();
+ 
+   return result;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLImageElement *aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   return SurfaceFromElement(static_cast<nsIImageLoadingContent*>(aElement),
+                             aSurfaceFlags, aTarget);
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLCanvasElement* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   SurfaceFromElementResult result;
+ 
+   bool* isPremultiplied = nullptr;
+   if (aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) {
+     isPremultiplied = &result.mIsPremultiplied;
+   }
+ 
+   gfxIntSize size = aElement->GetSize();
+ 
+   result.mSourceSurface = aElement->GetSurfaceSnapshot(isPremultiplied);
+   if (!result.mSourceSurface) {
+      // If the element doesn't have a context then we won't get a snapshot. The canvas spec wants us to not error and just
+      // draw nothing, so return an empty surface.
+-     DrawTarget *ref = aTarget ? aTarget : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
++     DrawTarget *ref = aTarget ? aTarget.get() : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
+      RefPtr<DrawTarget> dt = ref->CreateSimilarDrawTarget(IntSize(size.width, size.height),
+                                                           SurfaceFormat::B8G8R8A8);
+      if (dt) {
+        result.mSourceSurface = dt->Snapshot();
+      }
+   } else if (aTarget) {
+     RefPtr<SourceSurface> opt = aTarget->OptimizeSourceSurface(result.mSourceSurface);
+     if (opt) {
+@@ -6637,17 +6637,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLCa
+   result.mIsWriteOnly = aElement->IsWriteOnly();
+ 
+   return result;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLVideoElement* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   SurfaceFromElementResult result;
+ 
+   NS_WARN_IF_FALSE((aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) == 0, "We can't support non-premultiplied alpha for video!");
+ 
+ #ifdef MOZ_EME
+   if (aElement->ContainsRestrictedContent()) {
+     return result;
+@@ -6689,17 +6689,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLVi
+   result.mIsWriteOnly = false;
+ 
+   return result;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(dom::Element* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   // If it's a <canvas>, we may be able to just grab its internal surface
+   if (HTMLCanvasElement* canvas =
+         HTMLCanvasElement::FromContentOrNull(aElement)) {
+     return SurfaceFromElement(canvas, aSurfaceFlags, aTarget);
+   }
+ 
+   // Maybe it's <video>?
+diff --git a/layout/base/nsLayoutUtils.h b/layout/base/nsLayoutUtils.h
+--- a/layout/base/nsLayoutUtils.h
++++ b/layout/base/nsLayoutUtils.h
+@@ -2018,33 +2018,39 @@ public:
+     bool mIsStillLoading;
+     /* Whether the element used CORS when loading. */
+     bool mCORSUsed;
+     /* Whether the returned image contains premultiplied pixel data */
+     bool mIsPremultiplied;
+   };
+ 
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
++  static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement,
++                                                     uint32_t aSurfaceFlags = 0) {
++    mozilla::RefPtr<DrawTarget> target = nullptr;
++    return SurfaceFromElement(aElement, aSurfaceFlags, target);
++  }
++
+   static SurfaceFromElementResult SurfaceFromElement(nsIImageLoadingContent *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+   // Need an HTMLImageElement overload, because otherwise the
+   // nsIImageLoadingContent and mozilla::dom::Element overloads are ambiguous
+   // for HTMLImageElement.
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLImageElement *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLCanvasElement *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLVideoElement *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+ 
+   /**
+    * When the document is editable by contenteditable attribute of its root
+    * content or body content.
+    *
+    * Be aware, this returns nullptr if it's in designMode.
+    *
+    * For example:
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch
new file mode 100644
index 0000000000..4f349747c0
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch
@@ -0,0 +1,56 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/750e4cfc90f8
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233152
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1451478493 -3600
+# Node ID 750e4cfc90f80df657e44c9c63b1865023d88682
+# Parent  93617c30c0df35f719dead526b78649d564f5ac3
+Bug 1233152 - Use PersistentRooted for ParseTask script and sourceObject. r=terrence a=abillings
+
+diff --git a/js/src/vm/HelperThreads.cpp b/js/src/vm/HelperThreads.cpp
+--- a/js/src/vm/HelperThreads.cpp
++++ b/js/src/vm/HelperThreads.cpp
+@@ -198,17 +198,17 @@ static const JSClass parseTaskGlobalClas
+ 
+ ParseTask::ParseTask(ExclusiveContext* cx, JSObject* exclusiveContextGlobal, JSContext* initCx,
+                      const char16_t* chars, size_t length,
+                      JS::OffThreadCompileCallback callback, void* callbackData)
+   : cx(cx), options(initCx), chars(chars), length(length),
+     alloc(JSRuntime::TEMP_LIFO_ALLOC_PRIMARY_CHUNK_SIZE),
+     exclusiveContextGlobal(initCx, exclusiveContextGlobal),
+     callback(callback), callbackData(callbackData),
+-    script(nullptr), errors(cx), overRecursed(false)
++    script(initCx->runtime(), nullptr), errors(cx), overRecursed(false)
+ {
+ }
+ 
+ bool
+ ParseTask::init(JSContext* cx, const ReadOnlyCompileOptions& options)
+ {
+     if (!this->options.copy(cx, options))
+         return false;
+diff --git a/js/src/vm/HelperThreads.h b/js/src/vm/HelperThreads.h
+--- a/js/src/vm/HelperThreads.h
++++ b/js/src/vm/HelperThreads.h
+@@ -472,17 +472,17 @@ struct ParseTask
+ 
+     // Callback invoked off the main thread when the parse finishes.
+     JS::OffThreadCompileCallback callback;
+     void* callbackData;
+ 
+     // Holds the final script between the invocation of the callback and the
+     // point where FinishOffThreadScript is called, which will destroy the
+     // ParseTask.
+-    JSScript* script;
++    PersistentRootedScript script;
+ 
+     // Any errors or warnings produced during compilation. These are reported
+     // when finishing the script.
+     Vector<frontend::CompileError*> errors;
+     bool overRecursed;
+ 
+     ParseTask(ExclusiveContext* cx, JSObject* exclusiveContextGlobal,
+               JSContext* initCx, const char16_t* chars, size_t length,
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch
new file mode 100644
index 0000000000..406ce1bf2b
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch
@@ -0,0 +1,48 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/4444e94a99cb
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1221385
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1451478429 -3600
+# Node ID 4444e94a99cb9b00c0351cc8bf5459739cc036a5
+# Parent  750e4cfc90f80df657e44c9c63b1865023d88682
+Bug 1221385 - Handle OOM during JitRuntime initialization a bit better. r=bhackett a=abillings
+
+diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp
+--- a/js/src/jscompartment.cpp
++++ b/js/src/jscompartment.cpp
+@@ -138,28 +138,20 @@ JSRuntime::createJitRuntime(JSContext* c
+ 
+     // Protect jitRuntime_ from being observed (by InterruptRunningJitCode)
+     // while it is being initialized. Unfortunately, initialization depends on
+     // jitRuntime_ being non-null, so we can't just wait to assign jitRuntime_.
+     JitRuntime::AutoMutateBackedges amb(jrt);
+     jitRuntime_ = jrt;
+ 
+     if (!jitRuntime_->initialize(cx)) {
+-        js_ReportOutOfMemory(cx);
+-
+-        js_delete(jitRuntime_);
+-        jitRuntime_ = nullptr;
+-
+-        JSCompartment* comp = cx->runtime()->atomsCompartment();
+-        if (comp->jitCompartment_) {
+-            js_delete(comp->jitCompartment_);
+-            comp->jitCompartment_ = nullptr;
+-        }
+-
+-        return nullptr;
++        // Handling OOM here is complicated: if we delete jitRuntime_ now, we
++        // will destroy the ExecutableAllocator, even though there may still be
++        // JitCode instances holding references to ExecutablePools.
++        CrashAtUnhandlableOOM("OOM in createJitRuntime");
+     }
+ 
+     return jitRuntime_;
+ }
+ 
+ bool
+ JSCompartment::ensureJitCompartmentExists(JSContext* cx)
+ {
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch
new file mode 100644
index 0000000000..e87b95f729
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch
@@ -0,0 +1,189 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f31d643afd41
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1233925
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1452110721 -3600
+# Node ID f31d643afd4159b5422ae5aebcbbea0a088e018e
+# Parent  4444e94a99cb9b00c0351cc8bf5459739cc036a5
+Bug 1233925 - Treat functions with rest more like functions with lazy arguments. r=nbp a=ritu
+
+diff --git a/js/src/jit/BacktrackingAllocator.cpp b/js/src/jit/BacktrackingAllocator.cpp
+--- a/js/src/jit/BacktrackingAllocator.cpp
++++ b/js/src/jit/BacktrackingAllocator.cpp
+@@ -201,20 +201,19 @@ BacktrackingAllocator::tryGroupRegisters
+     // constructor calling convention.
+     if (IsThisSlotDefinition(reg0->def()) || IsThisSlotDefinition(reg1->def())) {
+         if (*reg0->def()->output() != *reg1->def()->output())
+             return true;
+     }
+ 
+     // Registers which might spill to the frame's argument slots can only be
+     // grouped with other such registers if the frame might access those
+-    // arguments through a lazy arguments object.
++    // arguments through a lazy arguments object or rest parameter.
+     if (IsArgumentSlotDefinition(reg0->def()) || IsArgumentSlotDefinition(reg1->def())) {
+-        JSScript* script = graph.mir().entryBlock()->info().script();
+-        if (script && script->argumentsAliasesFormals()) {
++        if (graph.mir().entryBlock()->info().mayReadFrameArgsDirectly()) {
+             if (*reg0->def()->output() != *reg1->def()->output())
+                 return true;
+         }
+     }
+ 
+     VirtualRegisterGroup* group0 = reg0->group(), *group1 = reg1->group();
+ 
+     if (!group0 && group1)
+diff --git a/js/src/jit/CompileInfo.h b/js/src/jit/CompileInfo.h
+--- a/js/src/jit/CompileInfo.h
++++ b/js/src/jit/CompileInfo.h
+@@ -194,16 +194,17 @@ enum AnalysisMode {
+ class CompileInfo
+ {
+   public:
+     CompileInfo(JSScript* script, JSFunction* fun, jsbytecode* osrPc, bool constructing,
+                 AnalysisMode analysisMode, bool scriptNeedsArgsObj,
+                 InlineScriptTree* inlineScriptTree)
+       : script_(script), fun_(fun), osrPc_(osrPc), constructing_(constructing),
+         analysisMode_(analysisMode), scriptNeedsArgsObj_(scriptNeedsArgsObj),
++        mayReadFrameArgsDirectly_(script->mayReadFrameArgsDirectly()),
+         inlineScriptTree_(inlineScriptTree)
+     {
+         MOZ_ASSERT_IF(osrPc, JSOp(*osrPc) == JSOP_LOOPENTRY);
+ 
+         // The function here can flow in from anywhere so look up the canonical
+         // function to ensure that we do not try to embed a nursery pointer in
+         // jit-code. Precisely because it can flow in from anywhere, it's not
+         // guaranteed to be non-lazy. Hence, don't access its script!
+@@ -222,17 +223,17 @@ class CompileInfo
+         fixedLexicalBegin_ = script->fixedLexicalBegin();
+         nstack_ = script->nslots() - script->nfixed();
+         nslots_ = nimplicit_ + nargs_ + nlocals_ + nstack_;
+     }
+ 
+     explicit CompileInfo(unsigned nlocals)
+       : script_(nullptr), fun_(nullptr), osrPc_(nullptr), osrStaticScope_(nullptr),
+         constructing_(false), analysisMode_(Analysis_None), scriptNeedsArgsObj_(false),
+-        inlineScriptTree_(nullptr)
++        mayReadFrameArgsDirectly_(false), inlineScriptTree_(nullptr)
+     {
+         nimplicit_ = 0;
+         nargs_ = 0;
+         nbodyfixed_ = 0;
+         nlocals_ = nlocals;
+         nstack_ = 1;  /* For FunctionCompiler::pushPhiInput/popPhiOutput */
+         nslots_ = nlocals_ + nstack_;
+         fixedLexicalBegin_ = nlocals;
+@@ -539,16 +540,20 @@ class CompileInfo
+             return false;
+ 
+         if (needsArgsObj() && isObservableArgumentSlot(slot))
+             return false;
+ 
+         return true;
+     }
+ 
++    bool mayReadFrameArgsDirectly() const {
++        return mayReadFrameArgsDirectly_;
++    }
++
+   private:
+     unsigned nimplicit_;
+     unsigned nargs_;
+     unsigned nbodyfixed_;
+     unsigned nlocals_;
+     unsigned nstack_;
+     unsigned nslots_;
+     unsigned fixedLexicalBegin_;
+@@ -559,15 +564,17 @@ class CompileInfo
+     bool constructing_;
+     AnalysisMode analysisMode_;
+ 
+     // Whether a script needs an arguments object is unstable over compilation
+     // since the arguments optimization could be marked as failed on the main
+     // thread, so cache a value here and use it throughout for consistency.
+     bool scriptNeedsArgsObj_;
+ 
++    bool mayReadFrameArgsDirectly_;
++
+     InlineScriptTree* inlineScriptTree_;
+ };
+ 
+ } // namespace jit
+ } // namespace js
+ 
+ #endif /* jit_CompileInfo_h */
+diff --git a/js/src/jit/JitFrames.cpp b/js/src/jit/JitFrames.cpp
+--- a/js/src/jit/JitFrames.cpp
++++ b/js/src/jit/JitFrames.cpp
+@@ -1002,17 +1002,17 @@ MarkThisAndArguments(JSTracer* trc, JitF
+     // formal arguments is taken care of by the frame's safepoint/snapshot,
+     // except when the script's lazy arguments object aliases those formals,
+     // in which case we mark them as well.
+ 
+     size_t nargs = layout->numActualArgs();
+     size_t nformals = 0;
+     if (CalleeTokenIsFunction(layout->calleeToken())) {
+         JSFunction* fun = CalleeTokenToFunction(layout->calleeToken());
+-        nformals = fun->nonLazyScript()->argumentsAliasesFormals() ? 0 : fun->nargs();
++        nformals = fun->nonLazyScript()->mayReadFrameArgsDirectly() ? 0 : fun->nargs();
+     }
+ 
+     Value* argv = layout->argv();
+ 
+     // Trace |this|.
+     gc::MarkValueRoot(trc, argv, "ion-thisv");
+ 
+     // Trace actual arguments beyond the formals. Note + 1 for thisv.
+diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
+--- a/js/src/jsscript.cpp
++++ b/js/src/jsscript.cpp
+@@ -3894,16 +3894,22 @@ JSScript::hasLoops()
+     JSTryNote* tnlimit = tn + trynotes()->length;
+     for (; tn < tnlimit; tn++) {
+         if (tn->kind == JSTRY_FOR_IN || tn->kind == JSTRY_LOOP)
+             return true;
+     }
+     return false;
+ }
+ 
++bool
++JSScript::mayReadFrameArgsDirectly()
++{
++    return argumentsHasVarBinding() || (function_ && function_->hasRest());
++}
++
+ static inline void
+ LazyScriptHash(uint32_t lineno, uint32_t column, uint32_t begin, uint32_t end,
+                HashNumber hashes[3])
+ {
+     HashNumber hash = lineno;
+     hash = RotateLeft(hash, 4) ^ column;
+     hash = RotateLeft(hash, 4) ^ begin;
+     hash = RotateLeft(hash, 4) ^ end;
+diff --git a/js/src/jsscript.h b/js/src/jsscript.h
+--- a/js/src/jsscript.h
++++ b/js/src/jsscript.h
+@@ -1397,16 +1397,20 @@ class JSScript : public js::gc::TenuredC
+     }
+     inline void setFunction(JSFunction* fun);
+     /*
+      * De-lazifies the canonical function. Must be called before entering code
+      * that expects the function to be non-lazy.
+      */
+     inline void ensureNonLazyCanonicalFunction(JSContext* cx);
+ 
++    // Returns true if the script may read formal arguments on the stack
++    // directly, via lazy arguments or a rest parameter.
++    bool mayReadFrameArgsDirectly();
++
+     JSFlatString* sourceData(JSContext* cx);
+ 
+     static bool loadSource(JSContext* cx, js::ScriptSource* ss, bool* worked);
+ 
+     void setSourceObject(JSObject* object);
+     JSObject* sourceObject() const {
+         return sourceObject_;
+     }
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch
new file mode 100644
index 0000000000..b92bfa4f4e
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch
@@ -0,0 +1,33 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/debff255c08e
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234571
+
+# HG changeset patch
+# User Randell Jesup <rjesup@jesup.org>
+# Date 1451928471 18000
+# Node ID debff255c08e898be370e307e1e014f5601c20c6
+# Parent  f31d643afd4159b5422ae5aebcbbea0a088e018e
+Bug 1234571 - unregister encoded-frame callback when releasing codec databases. r=pkerr, a=al
+
+diff --git a/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc b/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
+--- a/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
++++ b/media/webrtc/trunk/webrtc/modules/video_coding/main/source/generic_encoder.cc
+@@ -71,16 +71,17 @@ VCMGenericEncoder::VCMGenericEncoder(Vid
+ VCMGenericEncoder::~VCMGenericEncoder()
+ {
+ }
+ 
+ int32_t VCMGenericEncoder::Release()
+ {
+     _bitRate = 0;
+     _frameRate = 0;
++    _encoder.RegisterEncodeCompleteCallback(NULL);
+     _VCMencodedFrameCallback = NULL;
+     return _encoder.Release();
+ }
+ 
+ int32_t
+ VCMGenericEncoder::InitEncode(const VideoCodec* settings,
+                               int32_t numberOfCores,
+                               uint32_t maxPayloadSize)
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch
new file mode 100644
index 0000000000..2e409d961c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch
@@ -0,0 +1,183 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/0f7224441f20
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234280
+
+# HG changeset patch
+# User Benjamin Bouvier <benj@benj.me>
+# Date 1450947090 -3600
+# Node ID 0f7224441f2089001f7934b46ac10cb72d267606
+# Parent  debff255c08e898be370e307e1e014f5601c20c6
+Bug 1234280: Handle oom in CodeGeneratorShared::allocateData; r=jandem, a=sledru
+
+diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
+--- a/js/src/jit/CodeGenerator.cpp
++++ b/js/src/jit/CodeGenerator.cpp
+@@ -7902,17 +7902,19 @@ const VMFunction GetPropertyIC::UpdateIn
+ void
+ CodeGenerator::visitGetPropertyIC(OutOfLineUpdateCache* ool, DataPtr<GetPropertyIC>& ic)
+ {
+     LInstruction* lir = ool->lir();
+ 
+     if (ic->idempotent()) {
+         size_t numLocs;
+         CacheLocationList& cacheLocs = lir->mirRaw()->toGetPropertyCache()->location();
+-        size_t locationBase = addCacheLocations(cacheLocs, &numLocs);
++        size_t locationBase;
++        if (!addCacheLocations(cacheLocs, &numLocs, &locationBase))
++            return;
+         ic->setLocationInfo(locationBase, numLocs);
+     }
+ 
+     saveLive(lir);
+ 
+     pushArg(ic->object());
+     pushArg(Imm32(ool->getCacheIndex()));
+     pushArg(ImmGCPtr(gen->info().script()));
+diff --git a/js/src/jit/shared/CodeGenerator-shared.cpp b/js/src/jit/shared/CodeGenerator-shared.cpp
+--- a/js/src/jit/shared/CodeGenerator-shared.cpp
++++ b/js/src/jit/shared/CodeGenerator-shared.cpp
+@@ -1527,31 +1527,34 @@ CodeGeneratorShared::jumpToBlock(MBasicB
+ 
+         masm.propagateOOM(patchableBackedges_.append(PatchableBackedgeInfo(backedge, mir->lir()->label(), oolEntry)));
+     } else {
+         masm.j(cond, mir->lir()->label());
+     }
+ }
+ #endif
+ 
+-size_t
+-CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs)
++MOZ_WARN_UNUSED_RESULT bool
++CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs,
++                                       size_t* curIndex)
+ {
+     size_t firstIndex = runtimeData_.length();
+     size_t numLocations = 0;
+     for (CacheLocationList::iterator iter = locs.begin(); iter != locs.end(); iter++) {
+         // allocateData() ensures that sizeof(CacheLocation) is word-aligned.
+         // If this changes, we will need to pad to ensure alignment.
+-        size_t curIndex = allocateData(sizeof(CacheLocation));
+-        new (&runtimeData_[curIndex]) CacheLocation(iter->pc, iter->script);
++        if (!allocateData(sizeof(CacheLocation), curIndex))
++            return false;
++        new (&runtimeData_[*curIndex]) CacheLocation(iter->pc, iter->script);
+         numLocations++;
+     }
+     MOZ_ASSERT(numLocations != 0);
+     *numLocs = numLocations;
+-    return firstIndex;
++    *curIndex = firstIndex;
++    return true;
+ }
+ 
+ ReciprocalMulConstants
+ CodeGeneratorShared::computeDivisionConstants(int d) {
+     // In what follows, d is positive and is not a power of 2.
+     MOZ_ASSERT(d > 0 && (d & (d - 1)) != 0);
+ 
+     // Speeding up division by non power-of-2 constants is possible by
+diff --git a/js/src/jit/shared/CodeGenerator-shared.h b/js/src/jit/shared/CodeGenerator-shared.h
+--- a/js/src/jit/shared/CodeGenerator-shared.h
++++ b/js/src/jit/shared/CodeGenerator-shared.h
+@@ -3,16 +3,17 @@
+  * This Source Code Form is subject to the terms of the Mozilla Public
+  * License, v. 2.0. If a copy of the MPL was not distributed with this
+  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ 
+ #ifndef jit_shared_CodeGenerator_shared_h
+ #define jit_shared_CodeGenerator_shared_h
+ 
+ #include "mozilla/Alignment.h"
++#include "mozilla/TypeTraits.h"
+ 
+ #include "jit/JitFrames.h"
+ #include "jit/LIR.h"
+ #include "jit/MacroAssembler.h"
+ #include "jit/MIRGenerator.h"
+ #include "jit/MIRGraph.h"
+ #include "jit/OptimizationTracking.h"
+ #include "jit/Safepoints.h"
+@@ -242,24 +243,16 @@ class CodeGeneratorShared : public LElem
+         return SlotToStackOffset(a->toStackSlot()->slot());
+     }
+ 
+     uint32_t frameSize() const {
+         return frameClass_ == FrameSizeClass::None() ? frameDepth_ : frameClass_.frameSize();
+     }
+ 
+   protected:
+-    // Ensure the cache is an IonCache while expecting the size of the derived
+-    // class. We only need the cache list at GC time. Everyone else can just take
+-    // runtimeData offsets.
+-    size_t allocateCache(const IonCache&, size_t size) {
+-        size_t dataOffset = allocateData(size);
+-        masm.propagateOOM(cacheList_.append(dataOffset));
+-        return dataOffset;
+-    }
+ 
+ #ifdef CHECK_OSIPOINT_REGISTERS
+     void resetOsiPointRegs(LSafepoint* safepoint);
+     bool shouldVerifyOsiPointRegs(LSafepoint* safepoint);
+     void verifyOsiPointRegs(LSafepoint* safepoint);
+ #endif
+ 
+     bool addNativeToBytecodeEntry(const BytecodeSite* site);
+@@ -295,27 +288,33 @@ class CodeGeneratorShared : public LElem
+             return lookup();
+         }
+         T * operator*() {
+             return lookup();
+         }
+     };
+ 
+   protected:
+-
+-    size_t allocateData(size_t size) {
++    MOZ_WARN_UNUSED_RESULT
++    bool allocateData(size_t size, size_t* offset) {
+         MOZ_ASSERT(size % sizeof(void*) == 0);
+-        size_t dataOffset = runtimeData_.length();
++        *offset = runtimeData_.length();
+         masm.propagateOOM(runtimeData_.appendN(0, size));
+-        return dataOffset;
++        return !masm.oom();
+     }
+ 
++    // Ensure the cache is an IonCache while expecting the size of the derived
++    // class. We only need the cache list at GC time. Everyone else can just take
++    // runtimeData offsets.
+     template <typename T>
+     inline size_t allocateCache(const T& cache) {
+-        size_t index = allocateCache(cache, sizeof(mozilla::AlignedStorage2<T>));
++        static_assert(mozilla::IsBaseOf<IonCache, T>::value, "T must inherit from IonCache");
++        size_t index;
++        masm.propagateOOM(allocateData(sizeof(mozilla::AlignedStorage2<T>), &index));
++        masm.propagateOOM(cacheList_.append(index));
+         if (masm.oom())
+             return SIZE_MAX;
+         // Use the copy constructor on the allocated space.
+         MOZ_ASSERT(index == cacheList_.back());
+         new (&runtimeData_[index]) T(cache);
+         return index;
+     }
+ 
+@@ -475,17 +474,17 @@ class CodeGeneratorShared : public LElem
+ 
+     void callVM(const VMFunction& f, LInstruction* ins, const Register* dynStack = nullptr);
+ 
+     template <class ArgSeq, class StoreOutputTo>
+     inline OutOfLineCode* oolCallVM(const VMFunction& fun, LInstruction* ins, const ArgSeq& args,
+                                     const StoreOutputTo& out);
+ 
+     void addCache(LInstruction* lir, size_t cacheIndex);
+-    size_t addCacheLocations(const CacheLocationList& locs, size_t* numLocs);
++    bool addCacheLocations(const CacheLocationList& locs, size_t* numLocs, size_t* offset);
+     ReciprocalMulConstants computeDivisionConstants(int d);
+ 
+   protected:
+     void addOutOfLineCode(OutOfLineCode* code, const MInstruction* mir);
+     void addOutOfLineCode(OutOfLineCode* code, const BytecodeSite* site);
+     bool hasOutOfLineCode() { return !outOfLineCode_.empty(); }
+     bool generateOutOfLineCode();
+ 
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch
new file mode 100644
index 0000000000..7861e24c89
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch
@@ -0,0 +1,91 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8c184c30caa6
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668
+
+# HG changeset patch
+# User L. David Baron <dbaron@dbaron.org>
+# Date 1452248144 -39600
+# Node ID 8c184c30caa6d16f5ec63cce9a77d16f25d2e57e
+# Parent  0f7224441f2089001f7934b46ac10cb72d267606
+Bug 1230668 - Don't use frame when not in composed document.  r=heycam a=sylvestre
+
+diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
+--- a/layout/style/nsComputedDOMStyle.cpp
++++ b/layout/style/nsComputedDOMStyle.cpp
+@@ -421,26 +421,31 @@ nsComputedDOMStyle::GetStyleContextForEl
+ {
+   MOZ_ASSERT(aElement, "NULL element");
+   // If the content has a pres shell, we must use it.  Otherwise we'd
+   // potentially mix rule trees by using the wrong pres shell's style
+   // set.  Using the pres shell from the content also means that any
+   // content that's actually *in* a document will get the style from the
+   // correct document.
+   nsIPresShell *presShell = GetPresShellForContent(aElement);
++  bool inDocWithShell = true;
+   if (!presShell) {
++    inDocWithShell = false;
+     presShell = aPresShell;
+     if (!presShell)
+       return nullptr;
+   }
+ 
+-  // XXX the !aElement->IsHTML(nsGkAtoms::area)

+-  // check is needed due to bug 135040 (to avoid using 

++  // XXX the !aElement->IsHTML(nsGkAtoms::area)
++  // check is needed due to bug 135040 (to avoid using 
+   // mPrimaryFrame). Remove it once that's fixed.
+-  if (!aPseudo && aStyleType == eAll && !aElement->IsHTML(nsGkAtoms::area)) {
++  if (!aPseudo && aStyleType == eAll && inDocWithShell &&
++      !aElement->IsHTML(nsGkAtoms::area)) {
++  if (!aPseudo && aStyleType == eAll && inDocWithShell &&
++      !aElement->IsHTMLElement(nsGkAtoms::area)) {
+     nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
+     if (frame) {
+       nsStyleContext* result = frame->StyleContext();
+       // Don't use the style context if it was influenced by
+       // pseudo-elements, since then it's not the primary style
+       // for this element.
+       if (!result->HasPseudoElementData()) {
+         // this function returns an addrefed style context
+@@ -468,17 +473,18 @@ nsComputedDOMStyle::GetStyleContextForEl
+ 
+   nsRefPtr<nsStyleContext> sc;
+   if (aPseudo) {
+     nsCSSPseudoElements::Type type = nsCSSPseudoElements::GetPseudoType(aPseudo);
+     if (type >= nsCSSPseudoElements::ePseudo_PseudoElementCount) {
+       return nullptr;
+     }
+     nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
+-    Element* pseudoElement = frame ? frame->GetPseudoElement(type) : nullptr;
++    Element* pseudoElement =
++      frame && inDocWithShell ? frame->GetPseudoElement(type) : nullptr;
+     sc = styleSet->ResolvePseudoElementStyle(aElement, type, parentContext,
+                                              pseudoElement);
+   } else {
+     sc = styleSet->ResolveStyleFor(aElement, parentContext);
+   }
+ 
+   if (aStyleType == eDefaultOnly) {
+     // We really only want the user and UA rules.  Filter out the other ones.
+@@ -592,18 +598,18 @@ nsComputedDOMStyle::UpdateCurrentStyleSo
+   mFlushedPendingReflows = aNeedsLayoutFlush;
+ #endif
+ 
+   mPresShell = document->GetShell();
+   if (!mPresShell || !mPresShell->GetPresContext()) {
+     return;
+   }
+ 
+-  // XXX the !mContent->IsHTML(nsGkAtoms::area)

+-  // check is needed due to bug 135040 (to avoid using 

++  // XXX the !mContent->IsHTML(nsGkAtoms::area)
++  // check is needed due to bug 135040 (to avoid using 
+   // mPrimaryFrame). Remove it once that's fixed.
+   if (!mPseudo && mStyleType == eAll && !mContent->IsHTML(nsGkAtoms::area)) {
+     mOuterFrame = mContent->GetPrimaryFrame();
+     mInnerFrame = mOuterFrame;
+     if (mOuterFrame) {
+       nsIAtom* type = mOuterFrame->GetType();
+       if (type == nsGkAtoms::tableOuterFrame) {
+         // If the frame is an outer table frame then we should get the style
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch
new file mode 100644
index 0000000000..0e5825becf
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch
@@ -0,0 +1,34 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/fceff80a84a3
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230668
+
+# HG changeset patch
+# User Wes Kocher <wkocher@mozilla.com>
+# Date 1452542163 28800
+# Node ID fceff80a84a32b68d02abc00486fe6c7b86d545b
+# Parent  8c184c30caa6d16f5ec63cce9a77d16f25d2e57e
+Fix up some rebase errors in bug 1230668 r=me a=bustage
+
+diff --git a/layout/style/nsComputedDOMStyle.cpp b/layout/style/nsComputedDOMStyle.cpp
+--- a/layout/style/nsComputedDOMStyle.cpp
++++ b/layout/style/nsComputedDOMStyle.cpp
+@@ -434,18 +434,16 @@ nsComputedDOMStyle::GetStyleContextForEl
+       return nullptr;
+   }
+ 
+   // XXX the !aElement->IsHTML(nsGkAtoms::area)
+   // check is needed due to bug 135040 (to avoid using 
+   // mPrimaryFrame). Remove it once that's fixed.
+   if (!aPseudo && aStyleType == eAll && inDocWithShell &&
+       !aElement->IsHTML(nsGkAtoms::area)) {
+-  if (!aPseudo && aStyleType == eAll && inDocWithShell &&
+-      !aElement->IsHTMLElement(nsGkAtoms::area)) {
+     nsIFrame* frame = nsLayoutUtils::GetStyleFrame(aElement);
+     if (frame) {
+       nsStyleContext* result = frame->StyleContext();
+       // Don't use the style context if it was influenced by
+       // pseudo-elements, since then it's not the primary style
+       // for this element.
+       if (!result->HasPseudoElementData()) {
+         // this function returns an addrefed style context
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch
new file mode 100644
index 0000000000..02c1af1775
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch
@@ -0,0 +1,83 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/94a95291d095
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1224200
+
+# HG changeset patch
+# User Timothy Nikkel <tnikkel@gmail.com>
+# Date 1453303652 -3600
+# Node ID 94a95291d0958439dbed5b7dc99fae59e1318592
+# Parent  999c13acb40e1113306c65925a7d96688339d945
+Bug 1224200 - Allow downscaler to get (and ignore) new input lines after it has finished producing all output lines. r=seth, a=lizzard
+
+diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
+--- a/image/src/Downscaler.cpp
++++ b/image/src/Downscaler.cpp
+@@ -145,43 +145,44 @@ GetFilterOffsetAndLength(UniquePtr<skia:
+                           aFilterLengthOut);
+ }
+ 
+ void
+ Downscaler::CommitRow()
+ {
+   MOZ_ASSERT(mOutputBuffer, "Should have a current frame");
+   MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input");
+-  MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Past end of output");
+ 
+-  int32_t filterOffset = 0;
+-  int32_t filterLength = 0;
+-  GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+-                           &filterOffset, &filterLength);
++  if (mCurrentOutLine < mTargetSize.height) {
++    int32_t filterOffset = 0;
++    int32_t filterLength = 0;
++    GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++                             &filterOffset, &filterLength);
+ 
+-  int32_t inLineToRead = filterOffset + mLinesInBuffer;
+-  MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+-  if (mCurrentInLine == inLineToRead) {
+-    skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+-                               mWindow[mLinesInBuffer++], mHasAlpha,
+-                               /* use_sse2 = */ true);
+-  }
+-
+-  MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
+-             "Writing past end of output");
+-
+-  while (mLinesInBuffer == filterLength) {
+-    DownscaleInputLine();
+-
+-    if (mCurrentOutLine == mTargetSize.height) {
+-      break;  // We're done.
++    int32_t inLineToRead = filterOffset + mLinesInBuffer;
++    MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
++    if (mCurrentInLine == inLineToRead) {
++      skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
++                                 mWindow[mLinesInBuffer++], mHasAlpha,
++                                 /* use_sse2 = */ true);
+     }
+ 
+-    GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+-                             &filterOffset, &filterLength);
++    MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
++               "Writing past end of output");
++
++    while (mLinesInBuffer == filterLength) {
++      DownscaleInputLine();
++
++      if (mCurrentOutLine == mTargetSize.height) {
++        break;  // We're done.
++      }
++
++      GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++                               &filterOffset, &filterLength);
++    }
+   }
+ 
+   mCurrentInLine += 1;
+ }
+ 
+ bool
+ Downscaler::HasInvalidation() const
+ {
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch
new file mode 100644
index 0000000000..9ebf18a5d3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch
@@ -0,0 +1,35 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/ee68c3dae5f6
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230483
+
+# HG changeset patch
+# User JW Wang <jwwang@mozilla.com>
+# Date 1450698943 -28800
+# Node ID ee68c3dae5f639fdd439f69ef2f724067fce0ea6
+# Parent  762d015e1854c28c213293ac1e9b2ab51cf201f9
+Bug 1230483 - Part 2 - LoadFromSourceChildren() should be queued at most once in an event cycle. r=roc, a=lizzard
+
+diff --git a/dom/html/HTMLMediaElement.cpp b/dom/html/HTMLMediaElement.cpp
+--- a/dom/html/HTMLMediaElement.cpp
++++ b/dom/html/HTMLMediaElement.cpp
+@@ -4033,16 +4033,19 @@ void HTMLMediaElement::NotifyAddedSource
+       mNetworkState == nsIDOMHTMLMediaElement::NETWORK_EMPTY)
+   {
+     QueueSelectResourceTask();
+   }
+ 
+   // A load was paused in the resource selection algorithm, waiting for
+   // a new source child to be added, resume the resource selection algorithm.
+   if (mLoadWaitStatus == WAITING_FOR_SOURCE) {
++    // Rest the flag so we don't queue multiple LoadFromSourceTask() when
++    // multiple <source> are attached in an event loop.
++    mLoadWaitStatus = NOT_WAITING;
+     QueueLoadFromSourceTask();
+   }
+ }
+ 
+ nsIContent* HTMLMediaElement::GetNextSource()
+ {
+   nsCOMPtr<nsIDOMNode> thisDomNode = do_QueryObject(this);
+ 
+
diff --git a/gnu/packages/patches/icecat-CVE-2016-1935.patch b/gnu/packages/patches/icecat-CVE-2016-1935.patch
new file mode 100644
index 0000000000..a6db4b9b6a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1935.patch
@@ -0,0 +1,77 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f9aad6c0253a
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1220450
+
+# HG changeset patch
+# User Jeff Gilbert <jgilbert@mozilla.com>
+# Date 1452570660 28800
+# Node ID f9aad6c0253a3b81699a3d7a05e78615dd814ea3
+# Parent  c47640f24251b48c0bba9d2f0f6ee059eca58362
+Bug 1220450 - Clear length on cache OOM. r=kamidphish, a=ritu
+
+diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
+--- a/dom/canvas/WebGLContextBuffers.cpp
++++ b/dom/canvas/WebGLContextBuffers.cpp
+@@ -185,16 +185,17 @@ WebGLContext::BufferData(GLenum target, 
+ 
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+ 
+     boundBuffer->SetByteLength(size);
+     if (!boundBuffer->ElementArrayCacheBufferData(nullptr, size)) {
++        boundBuffer->SetByteLength(0);
+         return ErrorOutOfMemory("bufferData: out of memory");
+     }
+ }
+ 
+ void
+ WebGLContext::BufferData(GLenum target,
+                          const dom::Nullable<dom::ArrayBuffer>& maybeData,
+                          GLenum usage)
+@@ -234,18 +235,20 @@ WebGLContext::BufferData(GLenum target,
+     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+ 
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+ 
+     boundBuffer->SetByteLength(data.Length());
+-    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
++    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
++        boundBuffer->SetByteLength(0);
+         return ErrorOutOfMemory("bufferData: out of memory");
++    }
+ }
+ 
+ void
+ WebGLContext::BufferData(GLenum target, const dom::ArrayBufferView& data,
+                          GLenum usage)
+ {
+     if (IsContextLost())
+         return;
+@@ -274,18 +277,20 @@ WebGLContext::BufferData(GLenum target, 
+ 
+     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+ 
+     boundBuffer->SetByteLength(data.Length());
+-    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
++    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
++        boundBuffer->SetByteLength(0);
+         return ErrorOutOfMemory("bufferData: out of memory");
++    }
+ }
+ 
+ void
+ WebGLContext::BufferSubData(GLenum target, WebGLsizeiptr byteOffset,
+                             const dom::Nullable<dom::ArrayBuffer>& maybeData)
+ {
+     if (IsContextLost())
+         return;
+
diff --git a/gnu/packages/patches/icecat-bug-1146335-pt1.patch b/gnu/packages/patches/icecat-bug-1146335-pt1.patch
new file mode 100644
index 0000000000..a41e638b2f
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1146335-pt1.patch
@@ -0,0 +1,141 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9d14787bd10e
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1146335
+
+# HG changeset patch
+# User Seth Fowler <mark.seth.fowler@gmail.com>
+# Date 1428627143 25200
+# Node ID 9d14787bd10e6f3013263a2cae0bcc78bebde1db
+# Parent  aaf922ae679685acb5d2b8ffa5f0bf22f1e6987a
+Bug 1146335 (Part 1) - Add assertions and fix style issues in image::Downscaler. r=tn a=lizzard
+
+diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
+--- a/image/src/Downscaler.cpp
++++ b/image/src/Downscaler.cpp
+@@ -72,23 +72,25 @@ Downscaler::BeginFrame(const nsIntSize& 
+   mOutputBuffer = aOutputBuffer;
+   mHasAlpha = aHasAlpha;
+ 
+   ResetForNextProgressivePass();
+   ReleaseWindow();
+ 
+   auto resizeMethod = skia::ImageOperations::RESIZE_LANCZOS3;
+ 
+-  skia::resize::ComputeFilters(resizeMethod, mOriginalSize.width,
+-                               mTargetSize.width, 0,
+-                               mTargetSize.width, mXFilter.get());
++  skia::resize::ComputeFilters(resizeMethod,
++                               mOriginalSize.width, mTargetSize.width,
++                               0, mTargetSize.width,
++                               mXFilter.get());
+ 
+-  skia::resize::ComputeFilters(resizeMethod, mOriginalSize.height,
+-                               mTargetSize.height, 0,
+-                               mTargetSize.height, mYFilter.get());
++  skia::resize::ComputeFilters(resizeMethod,
++                               mOriginalSize.height, mTargetSize.height,
++                               0, mTargetSize.height,
++                               mYFilter.get());
+ 
+   // Allocate the buffer, which contains scanlines of the original image.
+   size_t bufferLen = mOriginalSize.width * sizeof(uint32_t);
+   mRowBuffer = MakeUnique<uint8_t[]>(bufferLen);
+   if (MOZ_UNLIKELY(!mRowBuffer)) {
+     return NS_ERROR_OUT_OF_MEMORY;
+   }
+ 
+@@ -126,39 +128,54 @@ void
+ Downscaler::ResetForNextProgressivePass()
+ {
+   mPrevInvalidatedLine = 0;
+   mCurrentOutLine = 0;
+   mCurrentInLine = 0;
+   mLinesInBuffer = 0;
+ }
+ 
++static void
++GetFilterOffsetAndLength(UniquePtr<skia::ConvolutionFilter1D>& aFilter,
++                         int32_t aOutputImagePosition,
++                         int32_t* aFilterOffsetOut,
++                         int32_t* aFilterLengthOut)
++{
++  MOZ_ASSERT(aOutputImagePosition < aFilter->num_values());
++  aFilter->FilterForValue(aOutputImagePosition,
++                          aFilterOffsetOut,
++                          aFilterLengthOut);
++}
++
+ void
+ Downscaler::CommitRow()
+ {
+   MOZ_ASSERT(mOutputBuffer, "Should have a current frame");
+   MOZ_ASSERT(mCurrentInLine < mOriginalSize.height, "Past end of input");
+   MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Past end of output");
+ 
+   int32_t filterOffset = 0;
+   int32_t filterLength = 0;
+-  mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
++  GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++                           &filterOffset, &filterLength);
+ 
+   int32_t inLineToRead = filterOffset + mLinesInBuffer;
+   MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+   if (mCurrentInLine == inLineToRead) {
+     skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+                                mWindow[mLinesInBuffer++], mHasAlpha,
+                                /* use_sse2 = */ true);
+   }
+ 
+   while (mLinesInBuffer == filterLength &&
+          mCurrentOutLine < mTargetSize.height) {
+     DownscaleInputLine();
+-    mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
++
++    GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++                             &filterOffset, &filterLength);
+   }
+ 
+   mCurrentInLine += 1;
+ }
+ 
+ bool
+ Downscaler::HasInvalidation() const
+ {
+@@ -184,16 +201,17 @@ Downscaler::DownscaleInputLine()
+ {
+   typedef skia::ConvolutionFilter1D::Fixed FilterValue;
+ 
+   MOZ_ASSERT(mOutputBuffer);
+   MOZ_ASSERT(mCurrentOutLine < mTargetSize.height, "Writing past end of output");
+ 
+   int32_t filterOffset = 0;
+   int32_t filterLength = 0;
++  MOZ_ASSERT(mCurrentOutLine < mYFilter->num_values());
+   auto filterValues =
+     mYFilter->FilterForValue(mCurrentOutLine, &filterOffset, &filterLength);
+ 
+   uint8_t* outputLine =
+     &mOutputBuffer[mCurrentOutLine * mTargetSize.width * sizeof(uint32_t)];
+   skia::ConvolveVertically(static_cast<const FilterValue*>(filterValues),
+                            filterLength, mWindow.get(), mXFilter->num_values(),
+                            outputLine, mHasAlpha, /* use_sse2 = */ true);
+@@ -202,17 +220,18 @@ Downscaler::DownscaleInputLine()
+ 
+   if (mCurrentOutLine == mTargetSize.height) {
+     // We're done.
+     return;
+   }
+ 
+   int32_t newFilterOffset = 0;
+   int32_t newFilterLength = 0;
+-  mYFilter->FilterForValue(mCurrentOutLine, &newFilterOffset, &newFilterLength);
++  GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
++                           &newFilterOffset, &newFilterLength);
+ 
+   int diff = newFilterOffset - filterOffset;
+   MOZ_ASSERT(diff >= 0, "Moving backwards in the filter?");
+ 
+   // Shift the buffer. We're just moving pointers here, so this is cheap.
+   mLinesInBuffer -= diff;
+   mLinesInBuffer = max(mLinesInBuffer, 0);
+   for (int32_t i = 0; i < mLinesInBuffer; ++i) {
+
diff --git a/gnu/packages/patches/icecat-bug-1146335-pt2.patch b/gnu/packages/patches/icecat-bug-1146335-pt2.patch
new file mode 100644
index 0000000000..240e0cfc66
--- /dev/null
+++ b/gnu/packages/patches/icecat-bug-1146335-pt2.patch
@@ -0,0 +1,43 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/8bfaa27698ca
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1146335
+
+# HG changeset patch
+# User Seth Fowler <mark.seth.fowler@gmail.com>
+# Date 1428627143 25200
+# Node ID 8bfaa27698ca0720d5c9f3910ab7148b38db0625
+# Parent  9d14787bd10e6f3013263a2cae0bcc78bebde1db
+Bug 1146335 (Part 2) - Fix an off-by-one error in image::Downscaler. r=tn a=lizzard
+
+diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
+--- a/image/src/Downscaler.cpp
++++ b/image/src/Downscaler.cpp
+@@ -160,20 +160,26 @@ Downscaler::CommitRow()
+   int32_t inLineToRead = filterOffset + mLinesInBuffer;
+   MOZ_ASSERT(mCurrentInLine <= inLineToRead, "Reading past end of input");
+   if (mCurrentInLine == inLineToRead) {
+     skia::ConvolveHorizontally(mRowBuffer.get(), *mXFilter,
+                                mWindow[mLinesInBuffer++], mHasAlpha,
+                                /* use_sse2 = */ true);
+   }
+ 
+-  while (mLinesInBuffer == filterLength &&
+-         mCurrentOutLine < mTargetSize.height) {
++  MOZ_ASSERT(mCurrentOutLine < mTargetSize.height,
++             "Writing past end of output");
++
++  while (mLinesInBuffer == filterLength) {
+     DownscaleInputLine();
+ 
++    if (mCurrentOutLine == mTargetSize.height) {
++      break;  // We're done.
++    }
++
+     GetFilterOffsetAndLength(mYFilter, mCurrentOutLine,
+                              &filterOffset, &filterLength);
+   }
+ 
+   mCurrentInLine += 1;
+ }
+ 
+ bool
+
diff --git a/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch b/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch
new file mode 100644
index 0000000000..5a3a934dba
--- /dev/null
+++ b/gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch
@@ -0,0 +1,73 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/9632375c6aac
+
+# HG changeset patch
+# User Jeff Gilbert <jdashg@gmail.com>
+# Date 1453320785 28800
+# Node ID 9632375c6aacbf673b996b53231d70b91e480fb5
+# Parent  ee68c3dae5f639fdd439f69ef2f724067fce0ea6
+Limit max buffers size for ANGLE. r=jrmuizel a=lizzard
+
+diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
+--- a/dom/canvas/WebGLContextBuffers.cpp
++++ b/dom/canvas/WebGLContextBuffers.cpp
+@@ -164,16 +164,19 @@ WebGLContext::BufferData(GLenum target, 
+ 
+     if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
+         return;
+ 
+     // careful: WebGLsizeiptr is always 64-bit, but GLsizeiptr is like intptr_t.
+     if (!CheckedInt<GLsizeiptr>(size).isValid())
+         return ErrorOutOfMemory("bufferData: bad size");
+ 
++    if (gl->IsANGLE() && size > UINT32_MAX)
++        return ErrorOutOfMemory("bufferData: size too large");
++
+     WebGLBuffer* boundBuffer = bufferSlot.get();
+ 
+     if (!boundBuffer)
+         return ErrorInvalidOperation("bufferData: no buffer bound!");
+ 
+     UniquePtr<uint8_t> zeroBuffer((uint8_t*)moz_calloc(size, 1));
+     if (!zeroBuffer)
+         return ErrorOutOfMemory("bufferData: out of memory");
+@@ -216,16 +219,19 @@ WebGLContext::BufferData(GLenum target,
+     const dom::ArrayBuffer& data = maybeData.Value();
+     data.ComputeLengthAndData();
+ 
+     // Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr
+     // is like intptr_t.
+     if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
+         return ErrorOutOfMemory("bufferData: bad size");
+ 
++    if (gl->IsANGLE() && data.Length() > UINT32_MAX)
++        return ErrorOutOfMemory("bufferData: size too large");
++
+     if (!ValidateBufferUsageEnum(usage, "bufferData: usage"))
+         return;
+ 
+     WebGLBuffer* boundBuffer = bufferSlot.get();
+ 
+     if (!boundBuffer)
+         return ErrorInvalidOperation("bufferData: no buffer bound!");
+ 
+@@ -267,16 +273,19 @@ WebGLContext::BufferData(GLenum target, 
+ 
+     data.ComputeLengthAndData();
+ 
+     // Careful: data.Length() could conceivably be any uint32_t, but GLsizeiptr
+     // is like intptr_t.
+     if (!CheckedInt<GLsizeiptr>(data.Length()).isValid())
+         return ErrorOutOfMemory("bufferData: bad size");
+ 
++    if (gl->IsANGLE() && data.Length() > UINT32_MAX)
++        return ErrorOutOfMemory("bufferData: size too large");
++
+     InvalidateBufferFetching();
+     MakeContextCurrent();
+ 
+     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+