From 29a780147d066d5ce218d1fa2678a0a36a1145e3 Mon Sep 17 00:00:00 2001
From: Mark H Weaver <mhw@netris.org>
Date: Thu, 28 Jan 2016 00:22:49 -0500
Subject: gnu: icecat: Add fixes for CVE-2016-{1930,1935} and other bugs.

* gnu/packages/patches/icecat-CVE-2016-1930-pt01.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt02.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt03.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt04.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt05.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt07.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt08.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt09.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt10.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt12.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt13.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt14.patch,
  gnu/packages/patches/icecat-CVE-2016-1930-pt15.patch,
  gnu/packages/patches/icecat-CVE-2016-1935.patch,
  gnu/packages/patches/icecat-bug-1146335-pt1.patch,
  gnu/packages/patches/icecat-bug-1146335-pt2.patch,
  gnu/packages/patches/icecat-limit-max-buffers-size-for-ANGLE.patch: New
  files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
---
 .../patches/icecat-CVE-2016-1930-pt06.patch        | 170 +++++++++++++++++++++
 1 file changed, 170 insertions(+)
 create mode 100644 gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch

(limited to 'gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch')

diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch
new file mode 100644
index 0000000000..ec1f479ee4
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt06.patch
@@ -0,0 +1,170 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/93617c30c0df
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1230686
+
+# HG changeset patch
+# User Lee Salzman <lsalzman@mozilla.com>
+# Date 1451932822 18000
+# Node ID 93617c30c0df35f719dead526b78649d564f5ac3
+# Parent  4f6e81673f6938719c86516606f2fda493e8c23c
+Bug 1230686 - use RefPtr<DrawTarget>& instead of DrawTarget* to track changes in SurfaceFromElement a=ritu
+
+diff --git a/layout/base/nsLayoutUtils.cpp b/layout/base/nsLayoutUtils.cpp
+--- a/layout/base/nsLayoutUtils.cpp
++++ b/layout/base/nsLayoutUtils.cpp
+@@ -6494,17 +6494,17 @@ nsLayoutUtils::IsReallyFixedPos(nsIFrame
+   nsIAtom *parentType = aFrame->GetParent()->GetType();
+   return parentType == nsGkAtoms::viewportFrame ||
+          parentType == nsGkAtoms::pageContentFrame;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(nsIImageLoadingContent* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   SurfaceFromElementResult result;
+   nsresult rv;
+ 
+   nsCOMPtr<imgIRequest> imgRequest;
+   rv = aElement->GetRequest(nsIImageLoadingContent::CURRENT_REQUEST,
+                             getter_AddRefs(imgRequest));
+   if (NS_FAILED(rv) || !imgRequest)
+@@ -6586,41 +6586,41 @@ nsLayoutUtils::SurfaceFromElement(nsIIma
+   result.mImageRequest = imgRequest.forget();
+ 
+   return result;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLImageElement *aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   return SurfaceFromElement(static_cast<nsIImageLoadingContent*>(aElement),
+                             aSurfaceFlags, aTarget);
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLCanvasElement* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   SurfaceFromElementResult result;
+ 
+   bool* isPremultiplied = nullptr;
+   if (aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) {
+     isPremultiplied = &result.mIsPremultiplied;
+   }
+ 
+   gfxIntSize size = aElement->GetSize();
+ 
+   result.mSourceSurface = aElement->GetSurfaceSnapshot(isPremultiplied);
+   if (!result.mSourceSurface) {
+      // If the element doesn't have a context then we won't get a snapshot. The canvas spec wants us to not error and just
+      // draw nothing, so return an empty surface.
+-     DrawTarget *ref = aTarget ? aTarget : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
++     DrawTarget *ref = aTarget ? aTarget.get() : gfxPlatform::GetPlatform()->ScreenReferenceDrawTarget();
+      RefPtr<DrawTarget> dt = ref->CreateSimilarDrawTarget(IntSize(size.width, size.height),
+                                                           SurfaceFormat::B8G8R8A8);
+      if (dt) {
+        result.mSourceSurface = dt->Snapshot();
+      }
+   } else if (aTarget) {
+     RefPtr<SourceSurface> opt = aTarget->OptimizeSourceSurface(result.mSourceSurface);
+     if (opt) {
+@@ -6637,17 +6637,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLCa
+   result.mIsWriteOnly = aElement->IsWriteOnly();
+ 
+   return result;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(HTMLVideoElement* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   SurfaceFromElementResult result;
+ 
+   NS_WARN_IF_FALSE((aSurfaceFlags & SFE_PREFER_NO_PREMULTIPLY_ALPHA) == 0, "We can't support non-premultiplied alpha for video!");
+ 
+ #ifdef MOZ_EME
+   if (aElement->ContainsRestrictedContent()) {
+     return result;
+@@ -6689,17 +6689,17 @@ nsLayoutUtils::SurfaceFromElement(HTMLVi
+   result.mIsWriteOnly = false;
+ 
+   return result;
+ }
+ 
+ nsLayoutUtils::SurfaceFromElementResult
+ nsLayoutUtils::SurfaceFromElement(dom::Element* aElement,
+                                   uint32_t aSurfaceFlags,
+-                                  DrawTarget* aTarget)
++                                  RefPtr<DrawTarget>& aTarget)
+ {
+   // If it's a <canvas>, we may be able to just grab its internal surface
+   if (HTMLCanvasElement* canvas =
+         HTMLCanvasElement::FromContentOrNull(aElement)) {
+     return SurfaceFromElement(canvas, aSurfaceFlags, aTarget);
+   }
+ 
+   // Maybe it's <video>?
+diff --git a/layout/base/nsLayoutUtils.h b/layout/base/nsLayoutUtils.h
+--- a/layout/base/nsLayoutUtils.h
++++ b/layout/base/nsLayoutUtils.h
+@@ -2018,33 +2018,39 @@ public:
+     bool mIsStillLoading;
+     /* Whether the element used CORS when loading. */
+     bool mCORSUsed;
+     /* Whether the returned image contains premultiplied pixel data */
+     bool mIsPremultiplied;
+   };
+ 
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
++  static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::Element *aElement,
++                                                     uint32_t aSurfaceFlags = 0) {
++    mozilla::RefPtr<DrawTarget> target = nullptr;
++    return SurfaceFromElement(aElement, aSurfaceFlags, target);
++  }
++
+   static SurfaceFromElementResult SurfaceFromElement(nsIImageLoadingContent *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+   // Need an HTMLImageElement overload, because otherwise the
+   // nsIImageLoadingContent and mozilla::dom::Element overloads are ambiguous
+   // for HTMLImageElement.
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLImageElement *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLCanvasElement *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+   static SurfaceFromElementResult SurfaceFromElement(mozilla::dom::HTMLVideoElement *aElement,
+-                                                     uint32_t aSurfaceFlags = 0,
+-                                                     DrawTarget *aTarget = nullptr);
++                                                     uint32_t aSurfaceFlags,
++                                                     mozilla::RefPtr<DrawTarget>& aTarget);
+ 
+   /**
+    * When the document is editable by contenteditable attribute of its root
+    * content or body content.
+    *
+    * Be aware, this returns nullptr if it's in designMode.
+    *
+    * For example:
+
-- 
cgit v1.2.3