gnu: icecat: Add several security fixes.

* gnu/packages/patches/icecat-CVE-2015-4477.patch,
gnu/packages/patches/icecat-CVE-2015-7207.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt01.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt02.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt03.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt04.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt05.patch,
gnu/packages/patches/icecat-CVE-2016-1952-pt06.patch,
gnu/packages/patches/icecat-CVE-2016-1954.patch,
gnu/packages/patches/icecat-CVE-2016-1960.patch,
gnu/packages/patches/icecat-CVE-2016-1961.patch,
gnu/packages/patches/icecat-CVE-2016-1962.patch,
gnu/packages/patches/icecat-CVE-2016-1964.patch,
gnu/packages/patches/icecat-CVE-2016-1965.patch,
gnu/packages/patches/icecat-CVE-2016-1966.patch,
gnu/packages/patches/icecat-CVE-2016-1974.patch,
gnu/packages/patches/icecat-bug-1248851.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.

1 files changed, 530 insertions, 0 deletions

diff --git a/gnu/packages/patches/icecat-CVE-2016-1974.patch b/gnu/packages/patches/icecat-CVE-2016-1974.patch
new file mode 100644
index 0000000000..70fc23b8f3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1974.patch
@@ -0,0 +1,530 @@
+Copied from upstream:
+https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/271e3a5a53d9
+
+# HG changeset patch
+# User Henri Sivonen <hsivonen@hsivonen.fi>
+# Date 1455014759 -7200
+# Node ID 271e3a5a53d96871141e89271f611033b512e3e4
+# Parent  9719b71d72dd2a3c5ee12ace156af2a63d9595ac
+Bug 1228103. r=smaug. a=sylvestre
+
+diff --git a/parser/htmlparser/nsExpatDriver.cpp b/parser/htmlparser/nsExpatDriver.cpp
+--- a/parser/htmlparser/nsExpatDriver.cpp
++++ b/parser/htmlparser/nsExpatDriver.cpp
+@@ -1127,22 +1127,28 @@ nsExpatDriver::ConsumeToken(nsScanner& a
+       XML_Size lastLineLength = XML_GetCurrentColumnNumber(mExpatParser);
+ 
+       if (lastLineLength <= consumed) {
+         // The length of the last line was less than what expat consumed, so
+         // there was at least one line break in the consumed data. Store the
+         // last line until the point where we stopped parsing.
+         nsScannerIterator startLastLine = currentExpatPosition;
+         startLastLine.advance(-((ptrdiff_t)lastLineLength));
+-        CopyUnicodeTo(startLastLine, currentExpatPosition, mLastLine);
++        if (!CopyUnicodeTo(startLastLine, currentExpatPosition, mLastLine)) {
++          return (mInternalState = NS_ERROR_OUT_OF_MEMORY);
++        }
+       }
+       else {
+         // There was no line break in the consumed data, append the consumed
+         // data.
+-        AppendUnicodeTo(oldExpatPosition, currentExpatPosition, mLastLine);
++        if (!AppendUnicodeTo(oldExpatPosition,
++                             currentExpatPosition,
++                             mLastLine)) {
++          return (mInternalState = NS_ERROR_OUT_OF_MEMORY);
++        }
+       }
+     }
+ 
+     mExpatBuffered += length - consumed;
+ 
+     if (BlockedOrInterrupted()) {
+       PR_LOG(GetExpatDriverLog(), PR_LOG_DEBUG,
+              ("Blocked or interrupted parser (probably for loading linked "
+diff --git a/parser/htmlparser/nsParser.cpp b/parser/htmlparser/nsParser.cpp
+--- a/parser/htmlparser/nsParser.cpp
++++ b/parser/htmlparser/nsParser.cpp
+@@ -1508,17 +1508,19 @@ nsParser::ResumeParse(bool allowIteratio
+                 DidBuildModel(mStreamStatus);
+                 return NS_OK;
+               }
+             } else {
+               CParserContext* theContext = PopContext();
+               if (theContext) {
+                 theIterationIsOk = allowIteration && theContextIsStringBased;
+                 if (theContext->mCopyUnused) {
+-                  theContext->mScanner->CopyUnusedData(mUnusedInput);
++                  if (!theContext->mScanner->CopyUnusedData(mUnusedInput)) {
++                    mInternalState = NS_ERROR_OUT_OF_MEMORY;
++                  }
+                 }
+ 
+                 delete theContext;
+               }
+ 
+               result = mInternalState;
+               aIsFinalChunk = mParserContext &&
+                               mParserContext->mStreamListenerState == eOnStop;
+diff --git a/parser/htmlparser/nsScanner.cpp b/parser/htmlparser/nsScanner.cpp
+--- a/parser/htmlparser/nsScanner.cpp
++++ b/parser/htmlparser/nsScanner.cpp
+@@ -379,17 +379,19 @@ nsresult nsScanner::Peek(nsAString& aStr
+   if (mCountRemaining < uint32_t(aNumChars + aOffset)) {
+     end = mEndPosition;
+   }
+   else {
+     end = start;
+     end.advance(aNumChars);
+   }
+ 
+-  CopyUnicodeTo(start, end, aStr);
++  if (!CopyUnicodeTo(start, end, aStr)) {
++    return NS_ERROR_OUT_OF_MEMORY;
++  }
+ 
+   return NS_OK;
+ }
+ 
+ 
+ /**
+  *  Skip whitespace on scanner input stream
+  *  
+@@ -542,17 +544,19 @@ nsresult nsScanner::ReadTagIdentifier(ns
+ 
+     if (!found) {
+       ++current;
+     }
+   }
+ 
+   // Don't bother appending nothing.
+   if (current != mCurrentPosition) {
+-    AppendUnicodeTo(mCurrentPosition, current, aString);
++    if (!AppendUnicodeTo(mCurrentPosition, current, aString)) {
++      return NS_ERROR_OUT_OF_MEMORY;
++    }
+   }
+ 
+   SetPosition(current);  
+   if (current == end) {
+     result = kEOF;
+   }
+ 
+   //DoErrTest(aString);
+@@ -597,26 +601,30 @@ nsresult nsScanner::ReadEntityIdentifier
+         default:
+           found = ('a'<=theChar && theChar<='z') ||
+                   ('A'<=theChar && theChar<='Z') ||
+                   ('0'<=theChar && theChar<='9');
+           break;
+       }
+ 
+       if(!found) {
+-        AppendUnicodeTo(mCurrentPosition, current, aString);
++        if (!AppendUnicodeTo(mCurrentPosition, current, aString)) {
++          return NS_ERROR_OUT_OF_MEMORY;
++        }
+         break;
+       }
+     }
+     ++current;
+   }
+   
+   SetPosition(current);
+   if (current == end) {
+-    AppendUnicodeTo(origin, current, aString);
++    if (!AppendUnicodeTo(origin, current, aString)) {
++      return NS_ERROR_OUT_OF_MEMORY;
++    }
+     return kEOF;
+   }
+ 
+   //DoErrTest(aString);
+ 
+   return result;
+ }
+ 
+@@ -646,26 +654,30 @@ nsresult nsScanner::ReadNumber(nsString&
+   while(current != end) {
+     theChar=*current;
+     if(theChar) {
+       done = (theChar < '0' || theChar > '9') && 
+              ((aBase == 16)? (theChar < 'A' || theChar > 'F') &&
+                              (theChar < 'a' || theChar > 'f')
+                              :true);
+       if(done) {
+-        AppendUnicodeTo(origin, current, aString);
++        if (!AppendUnicodeTo(origin, current, aString)) {
++          return NS_ERROR_OUT_OF_MEMORY;
++        }
+         break;
+       }
+     }
+     ++current;
+   }
+ 
+   SetPosition(current);
+   if (current == end) {
+-    AppendUnicodeTo(origin, current, aString);
++    if (!AppendUnicodeTo(origin, current, aString)) {
++      return NS_ERROR_OUT_OF_MEMORY;
++    }
+     return kEOF;
+   }
+ 
+   //DoErrTest(aString);
+ 
+   return result;
+ }
+ 
+@@ -712,37 +724,43 @@ nsresult nsScanner::ReadWhitespace(nsSca
+           char16_t thePrevChar = theChar;
+           theChar = (++current != end) ? *current : '\0';
+           if ((thePrevChar == '\r' && theChar == '\n') ||
+               (thePrevChar == '\n' && theChar == '\r')) {
+             theChar = (++current != end) ? *current : '\0'; // CRLF == LFCR => LF
+             haveCR = true;
+           } else if (thePrevChar == '\r') {
+             // Lone CR becomes CRLF; callers should know to remove extra CRs
+-            AppendUnicodeTo(origin, current, aString);
++            if (!AppendUnicodeTo(origin, current, aString)) {
++              return NS_ERROR_OUT_OF_MEMORY;
++            }
+             aString.writable().Append(char16_t('\n'));
+             origin = current;
+             haveCR = true;
+           }
+         }
+         break;
+       case ' ' :
+       case '\t':
+         theChar = (++current != end) ? *current : '\0';
+         break;
+       default:
+         done = true;
+-        AppendUnicodeTo(origin, current, aString);
++        if (!AppendUnicodeTo(origin, current, aString)) {
++          return NS_ERROR_OUT_OF_MEMORY;
++        }
+         break;
+     }
+   }
+ 
+   SetPosition(current);
+   if (current == end) {
+-    AppendUnicodeTo(origin, current, aString);
++    if (!AppendUnicodeTo(origin, current, aString)) {
++      return NS_ERROR_OUT_OF_MEMORY;
++    }
+     result = kEOF;
+   }
+ 
+   aHaveCR = haveCR;
+   return result;
+ }
+ 
+ //XXXbz callers of this have to manage their lone '\r' themselves if they want
+@@ -846,34 +864,38 @@ nsresult nsScanner::ReadUntil(nsAString&
+     if(!(theChar & aEndCondition.mFilter)) {
+       // They were. Do a thorough check.
+ 
+       setcurrent = setstart;
+       while (*setcurrent) {
+         if (*setcurrent == theChar) {
+           if(addTerminal)
+             ++current;
+-          AppendUnicodeTo(origin, current, aString);
++          if (!AppendUnicodeTo(origin, current, aString)) {
++            return NS_ERROR_OUT_OF_MEMORY;
++          }
+           SetPosition(current);
+ 
+           //DoErrTest(aString);
+ 
+           return NS_OK;
+         }
+         ++setcurrent;
+       }
+     }
+     
+     ++current;
+   }
+ 
+   // If we are here, we didn't find any terminator in the string and
+   // current = mEndPosition
+   SetPosition(current);
+-  AppendUnicodeTo(origin, current, aString);
++  if (!AppendUnicodeTo(origin, current, aString)) {
++    return NS_ERROR_OUT_OF_MEMORY;
++  }
+   return kEOF;
+ }
+ 
+ nsresult nsScanner::ReadUntil(nsScannerSharedSubstring& aString,
+                               const nsReadEndCondition& aEndCondition,
+                               bool addTerminal)
+ {  
+   if (!mSlidingBuffer) {
+@@ -906,34 +928,38 @@ nsresult nsScanner::ReadUntil(nsScannerS
+     if(!(theChar & aEndCondition.mFilter)) {
+       // They were. Do a thorough check.
+ 
+       setcurrent = setstart;
+       while (*setcurrent) {
+         if (*setcurrent == theChar) {
+           if(addTerminal)
+             ++current;
+-          AppendUnicodeTo(origin, current, aString);
++          if (!AppendUnicodeTo(origin, current, aString)) {
++            return NS_ERROR_OUT_OF_MEMORY;
++          }
+           SetPosition(current);
+ 
+           //DoErrTest(aString);
+ 
+           return NS_OK;
+         }
+         ++setcurrent;
+       }
+     }
+     
+     ++current;
+   }
+ 
+   // If we are here, we didn't find any terminator in the string and
+   // current = mEndPosition
+   SetPosition(current);
+-  AppendUnicodeTo(origin, current, aString);
++  if (!AppendUnicodeTo(origin, current, aString)) {
++    return NS_ERROR_OUT_OF_MEMORY;
++  }
+   return kEOF;
+ }
+ 
+ nsresult nsScanner::ReadUntil(nsScannerIterator& aStart, 
+                               nsScannerIterator& aEnd,
+                               const nsReadEndCondition &aEndCondition,
+                               bool addTerminal)
+ {
+@@ -1025,26 +1051,30 @@ nsresult nsScanner::ReadUntil(nsAString&
+     if (theChar == '\0') {
+       ReplaceCharacter(current, sInvalid);
+       theChar = sInvalid;
+     }
+ 
+     if (aTerminalChar == theChar) {
+       if(addTerminal)
+         ++current;
+-      AppendUnicodeTo(origin, current, aString);
++      if (!AppendUnicodeTo(origin, current, aString)) {
++        return NS_ERROR_OUT_OF_MEMORY;
++      }
+       SetPosition(current);
+       return NS_OK;
+     }
+     ++current;
+   }
+ 
+   // If we are here, we didn't find any terminator in the string and
+   // current = mEndPosition
+-  AppendUnicodeTo(origin, current, aString);
++  if (!AppendUnicodeTo(origin, current, aString)) {
++    return NS_ERROR_OUT_OF_MEMORY;
++  }
+   SetPosition(current);
+   return kEOF;
+ 
+ }
+ 
+ void nsScanner::BindSubstring(nsScannerSubstring& aSubstring, const nsScannerIterator& aStart, const nsScannerIterator& aEnd)
+ {
+   aSubstring.Rebind(*mSlidingBuffer, aStart, aEnd);
+@@ -1142,29 +1172,29 @@ bool nsScanner::AppendToBuffer(nsScanner
+ }
+ 
+ /**
+  *  call this to copy bytes out of the scanner that have not yet been consumed
+  *  by the tokenization process.
+  *  
+  *  @update  gess 5/12/98
+  *  @param   aCopyBuffer is where the scanner buffer will be copied to
+- *  @return  nada
++ *  @return  true if OK or false on OOM
+  */
+-void nsScanner::CopyUnusedData(nsString& aCopyBuffer) {
++bool nsScanner::CopyUnusedData(nsString& aCopyBuffer) {
+   if (!mSlidingBuffer) {
+     aCopyBuffer.Truncate();
+-    return;
++    return true;
+   }
+ 
+   nsScannerIterator start, end;
+   start = mCurrentPosition;
+   end = mEndPosition;
+ 
+-  CopyUnicodeTo(start, end, aCopyBuffer);
++  return CopyUnicodeTo(start, end, aCopyBuffer);
+ }
+ 
+ /**
+  *  Retrieve the name of the file that the scanner is reading from.
+  *  In some cases, it's just a given name, because the scanner isn't
+  *  really reading from a file.
+  *  
+  *  @update  gess 5/12/98
+diff --git a/parser/htmlparser/nsScanner.h b/parser/htmlparser/nsScanner.h
+--- a/parser/htmlparser/nsScanner.h
++++ b/parser/htmlparser/nsScanner.h
+@@ -204,19 +204,19 @@ class nsScanner {
+                       nsIRequest *aRequest);
+ 
+       /**
+        *  Call this to copy bytes out of the scanner that have not yet been consumed
+        *  by the tokenization process.
+        *  
+        *  @update  gess 5/12/98
+        *  @param   aCopyBuffer is where the scanner buffer will be copied to
+-       *  @return  nada
++       *  @return  true if OK or false on OOM
+        */
+-      void CopyUnusedData(nsString& aCopyBuffer);
++      bool CopyUnusedData(nsString& aCopyBuffer);
+ 
+       /**
+        *  Retrieve the name of the file that the scanner is reading from.
+        *  In some cases, it's just a given name, because the scanner isn't
+        *  really reading from a file.
+        *  
+        *  @update  gess 5/12/98
+        *  @return  
+diff --git a/parser/htmlparser/nsScannerString.cpp b/parser/htmlparser/nsScannerString.cpp
+--- a/parser/htmlparser/nsScannerString.cpp
++++ b/parser/htmlparser/nsScannerString.cpp
+@@ -461,61 +461,63 @@ copy_multifragment_string( nsScannerIter
+         sink_traits::write(result, source_traits::read(first), distance);
+         NS_ASSERTION(distance > 0, "|copy_multifragment_string| will never terminate");
+         source_traits::advance(first, distance);
+       }
+ 
+     return result;
+   }
+ 
+-void
++bool
+ CopyUnicodeTo( const nsScannerIterator& aSrcStart,
+                const nsScannerIterator& aSrcEnd,
+                nsAString& aDest )
+   {
+     nsAString::iterator writer;
+     if (!aDest.SetLength(Distance(aSrcStart, aSrcEnd), mozilla::fallible)) {
+       aDest.Truncate();
+-      return; // out of memory
++      return false; // out of memory
+     }
+     aDest.BeginWriting(writer);
+     nsScannerIterator fromBegin(aSrcStart);
+     
+     copy_multifragment_string(fromBegin, aSrcEnd, writer);
++    return true;
+   }
+ 
+-void
++bool
+ AppendUnicodeTo( const nsScannerIterator& aSrcStart,
+                  const nsScannerIterator& aSrcEnd,
+                  nsScannerSharedSubstring& aDest )
+   {
+     // Check whether we can just create a dependent string.
+     if (aDest.str().IsEmpty()) {
+       // We can just make |aDest| point to the buffer.
+       // This will take care of copying if the buffer spans fragments.
+       aDest.Rebind(aSrcStart, aSrcEnd);
+-    } else {
+-      // The dest string is not empty, so it can't be a dependent substring.
+-      AppendUnicodeTo(aSrcStart, aSrcEnd, aDest.writable());
++      return true;
+     }
++    // The dest string is not empty, so it can't be a dependent substring.
++    return AppendUnicodeTo(aSrcStart, aSrcEnd, aDest.writable());
+   }
+ 
+-void
++bool
+ AppendUnicodeTo( const nsScannerIterator& aSrcStart,
+                  const nsScannerIterator& aSrcEnd,
+                  nsAString& aDest )
+   {
+     nsAString::iterator writer;
+     uint32_t oldLength = aDest.Length();
+     if (!aDest.SetLength(oldLength + Distance(aSrcStart, aSrcEnd), mozilla::fallible))
+-      return; // out of memory
++      return false; // out of memory
+     aDest.BeginWriting(writer).advance(oldLength);
+     nsScannerIterator fromBegin(aSrcStart);
+     
+     copy_multifragment_string(fromBegin, aSrcEnd, writer);
++    return true;
+   }
+ 
+ bool
+ FindCharInReadable( char16_t aChar,
+                     nsScannerIterator& aSearchStart,
+                     const nsScannerIterator& aSearchEnd )
+   {
+     while ( aSearchStart != aSearchEnd )
+diff --git a/parser/htmlparser/nsScannerString.h b/parser/htmlparser/nsScannerString.h
+--- a/parser/htmlparser/nsScannerString.h
++++ b/parser/htmlparser/nsScannerString.h
+@@ -539,43 +539,43 @@ nsScannerBufferList::Position::operator=
+ inline
+ size_t
+ Distance( const nsScannerIterator& aStart, const nsScannerIterator& aEnd )
+   {
+     typedef nsScannerBufferList::Position Position;
+     return Position::Distance(Position(aStart), Position(aEnd));
+   }
+ 
+-void
++bool
+ CopyUnicodeTo( const nsScannerIterator& aSrcStart,
+                const nsScannerIterator& aSrcEnd,
+                nsAString& aDest );
+ 
+ inline
+-void
++bool
+ CopyUnicodeTo( const nsScannerSubstring& aSrc, nsAString& aDest )
+   {
+     nsScannerIterator begin, end;
+-    CopyUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
++    return CopyUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
+   }
+ 
+-void
++bool
+ AppendUnicodeTo( const nsScannerIterator& aSrcStart,
+                  const nsScannerIterator& aSrcEnd,
+                  nsAString& aDest );
+ 
+ inline
+-void
++bool
+ AppendUnicodeTo( const nsScannerSubstring& aSrc, nsAString& aDest )
+   {
+     nsScannerIterator begin, end;
+-    AppendUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
++    return AppendUnicodeTo(aSrc.BeginReading(begin), aSrc.EndReading(end), aDest);
+   }
+ 
+-void
++bool
+ AppendUnicodeTo( const nsScannerIterator& aSrcStart,
+                  const nsScannerIterator& aSrcEnd,
+                  nsScannerSharedSubstring& aDest );
+ 
+ bool
+ FindCharInReadable( char16_t aChar,
+                     nsScannerIterator& aStart,
+                     const nsScannerIterator& aEnd );
+