summary refs log tree commit diff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-02-26 00:16:07 -0500
committerMark H Weaver <mhw@netris.org>2015-02-26 00:39:31 -0500
commit8830740643397d8d38e018c728ed62d0bcb4c310 (patch)
tree5f8b08f0bdd0f5b5041e8b4dbd0e788b69c978ea /gnu/packages/patches
parent5be2f8844dba4aab0c134f61a830acb16b56d2c5 (diff)
downloadguix-8830740643397d8d38e018c728ed62d0bcb4c310.tar.gz
gnu: icecat: Apply fixes for CVE-2015-{0822,0827,0831,0836}.
* gnu/packages/patches/icecat-CVE-2015-0822.patch,
  gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch,
  gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch,
  gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch,
  gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch,
  gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch,
  gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0822.patch154
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch33
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch35
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch56
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch32
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch26
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch26
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch27
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch220
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch89
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch25
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch41
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch54
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch53
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch52
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch219
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch104
17 files changed, 1246 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-0822.patch b/gnu/packages/patches/icecat-CVE-2015-0822.patch
new file mode 100644
index 0000000000..2625151453
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0822.patch
@@ -0,0 +1,154 @@
+From 0922145c255bf2503d3b2dd5f8f1e813338ba990 Mon Sep 17 00:00:00 2001
+From: Mats Palmgren <mats@mozilla.com>
+Date: Sat, 24 Jan 2015 12:37:47 -0500
+Subject: [PATCH] Bug 1110557. r=mak, r=gavin, a=bkerensa
+
+---
+ .../components/satchel/nsFormFillController.cpp    | 67 +++++++++++++++-------
+ toolkit/components/satchel/nsFormFillController.h  |  5 ++
+ 2 files changed, 52 insertions(+), 20 deletions(-)
+
+diff --git a/toolkit/components/satchel/nsFormFillController.cpp b/toolkit/components/satchel/nsFormFillController.cpp
+index 315fc68..676ad84 100644
+--- a/toolkit/components/satchel/nsFormFillController.cpp
++++ b/toolkit/components/satchel/nsFormFillController.cpp
+@@ -61,6 +61,7 @@ nsFormFillController::nsFormFillController() :
+   mSuppressOnInput(false)
+ {
+   mController = do_GetService("@mozilla.org/autocomplete/controller;1");
++  MOZ_ASSERT(mController);
+ }
+ 
+ struct PwmgrInputsEnumData
+@@ -104,6 +105,21 @@ nsFormFillController::AttributeChanged(nsIDocument* aDocument,
+                                        int32_t aNameSpaceID,
+                                        nsIAtom* aAttribute, int32_t aModType)
+ {
++  if ((aAttribute == nsGkAtoms::type || aAttribute == nsGkAtoms::readonly ||
++       aAttribute == nsGkAtoms::autocomplete) &&
++      aNameSpaceID == kNameSpaceID_None) {
++    nsCOMPtr<nsIDOMHTMLInputElement> focusedInput(mFocusedInput);
++    // Reset the current state of the controller, unconditionally.
++    StopControllingInput();
++    // Then restart based on the new values.  We have to delay this
++    // to avoid ending up in an endless loop due to re-registering our
++    // mutation observer (which would notify us again for *this* event).
++    nsCOMPtr<nsIRunnable> event =
++      NS_NewRunnableMethodWithArg<nsCOMPtr<nsIDOMHTMLInputElement>>
++      (this, &nsFormFillController::MaybeStartControllingInput, focusedInput);
++    NS_DispatchToCurrentThread(event);
++  }
++
+   if (mListNode && mListNode->Contains(aElement)) {
+     RevalidateDataList();
+   }
+@@ -841,28 +857,26 @@ nsFormFillController::RemoveForDocumentEnumerator(const nsINode* aKey,
+   return PL_DHASH_NEXT;
+ }
+ 
+-nsresult
+-nsFormFillController::Focus(nsIDOMEvent* aEvent)
++void
++nsFormFillController::MaybeStartControllingInput(nsIDOMHTMLInputElement* aInput)
+ {
+-  nsCOMPtr<nsIDOMHTMLInputElement> input = do_QueryInterface(
+-    aEvent->InternalDOMEvent()->GetTarget());
+-  nsCOMPtr<nsINode> inputNode = do_QueryInterface(input);
++  nsCOMPtr<nsINode> inputNode = do_QueryInterface(aInput);
+   if (!inputNode)
+-    return NS_OK;
++    return;
+ 
+-  nsCOMPtr<nsIFormControl> formControl = do_QueryInterface(input);
++  nsCOMPtr<nsIFormControl> formControl = do_QueryInterface(aInput);
+   if (!formControl || !formControl->IsSingleLineTextControl(true))
+-    return NS_OK;
++    return;
+ 
+   bool isReadOnly = false;
+-  input->GetReadOnly(&isReadOnly);
++  aInput->GetReadOnly(&isReadOnly);
+   if (isReadOnly)
+-    return NS_OK;
++    return;
+ 
+-  bool autocomplete = nsContentUtils::IsAutocompleteEnabled(input);
++  bool autocomplete = nsContentUtils::IsAutocompleteEnabled(aInput);
+ 
+   nsCOMPtr<nsIDOMHTMLElement> datalist;
+-  input->GetList(getter_AddRefs(datalist));
++  aInput->GetList(getter_AddRefs(datalist));
+   bool hasList = datalist != nullptr;
+ 
+   bool dummy;
+@@ -871,9 +885,16 @@ nsFormFillController::Focus(nsIDOMEvent* aEvent)
+       isPwmgrInput = true;
+ 
+   if (isPwmgrInput || hasList || autocomplete) {
+-    StartControllingInput(input);
++    StartControllingInput(aInput);
+   }
++}
+ 
++nsresult
++nsFormFillController::Focus(nsIDOMEvent* aEvent)
++{
++  nsCOMPtr<nsIDOMHTMLInputElement> input = do_QueryInterface(
++    aEvent->InternalDOMEvent()->GetTarget());
++  MaybeStartControllingInput(input);
+   return NS_OK;
+ }
+ 
+@@ -1087,6 +1108,10 @@ nsFormFillController::StartControllingInput(nsIDOMHTMLInputElement *aInput)
+   // Make sure we're not still attached to an input
+   StopControllingInput();
+ 
++  if (!mController) {
++    return;
++  }
++
+   // Find the currently focused docShell
+   nsCOMPtr<nsIDocShell> docShell = GetDocShellForInput(aInput);
+   int32_t index = GetIndexOfDocShell(docShell);
+@@ -1129,13 +1154,15 @@ nsFormFillController::StopControllingInput()
+     mListNode = nullptr;
+   }
+ 
+-  // Reset the controller's input, but not if it has been switched
+-  // to another input already, which might happen if the user switches
+-  // focus by clicking another autocomplete textbox
+-  nsCOMPtr<nsIAutoCompleteInput> input;
+-  mController->GetInput(getter_AddRefs(input));
+-  if (input == this)
+-    mController->SetInput(nullptr);
++  if (mController) {
++    // Reset the controller's input, but not if it has been switched
++    // to another input already, which might happen if the user switches
++    // focus by clicking another autocomplete textbox
++    nsCOMPtr<nsIAutoCompleteInput> input;
++    mController->GetInput(getter_AddRefs(input));
++    if (input == this)
++      mController->SetInput(nullptr);
++  }
+ 
+   if (mFocusedInputNode) {
+     MaybeRemoveMutationObserver(mFocusedInputNode);
+diff --git a/toolkit/components/satchel/nsFormFillController.h b/toolkit/components/satchel/nsFormFillController.h
+index b60d28d..8c3ba26 100644
+--- a/toolkit/components/satchel/nsFormFillController.h
++++ b/toolkit/components/satchel/nsFormFillController.h
+@@ -62,6 +62,11 @@ protected:
+ 
+   void StartControllingInput(nsIDOMHTMLInputElement *aInput);
+   void StopControllingInput();
++  /**
++   * Checks that aElement is a type of element we want to fill, then calls
++   * StartControllingInput on it.
++   */
++  void MaybeStartControllingInput(nsIDOMHTMLInputElement* aElement);
+ 
+   nsresult PerformInputListAutoComplete(nsIAutoCompleteResult* aPreviousResult);
+ 
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch b/gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch
new file mode 100644
index 0000000000..c57da755d1
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch
@@ -0,0 +1,33 @@
+From 28b6204b1421aa57b3c10c43d90cb516910bc80f Mon Sep 17 00:00:00 2001
+From: Markus Stange <mstange@themasta.com>
+Date: Tue, 6 Jan 2015 12:08:39 +0100
+Subject: [PATCH] Bug 1117304 - Also do the checks at the start of CopyRect in
+ release builds. r=Bas, a=sledru
+
+---
+ gfx/2d/FilterNodeSoftware.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp
+index 00d790f..396d0da 100644
+--- a/gfx/2d/FilterNodeSoftware.cpp
++++ b/gfx/2d/FilterNodeSoftware.cpp
+@@ -253,9 +253,12 @@ CopyRect(DataSourceSurface* aSrc, DataSourceSurface* aDest,
+     MOZ_CRASH("we should never be getting invalid rects at this point");
+   }
+ 
+-  MOZ_ASSERT(aSrc->GetFormat() == aDest->GetFormat(), "different surface formats");
+-  MOZ_ASSERT(IntRect(IntPoint(), aSrc->GetSize()).Contains(aSrcRect), "source rect too big for source surface");
+-  MOZ_ASSERT(IntRect(IntPoint(), aDest->GetSize()).Contains(aSrcRect - aSrcRect.TopLeft() + aDestPoint), "dest surface too small");
++  MOZ_RELEASE_ASSERT(aSrc->GetFormat() == aDest->GetFormat(),
++                     "different surface formats");
++  MOZ_RELEASE_ASSERT(IntRect(IntPoint(), aSrc->GetSize()).Contains(aSrcRect),
++                     "source rect too big for source surface");
++  MOZ_RELEASE_ASSERT(IntRect(IntPoint(), aDest->GetSize()).Contains(IntRect(aDestPoint, aSrcRect.Size())),
++                     "dest surface too small");
+ 
+   if (aSrcRect.IsEmpty()) {
+     return;
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch b/gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch
new file mode 100644
index 0000000000..1ff68f4b4c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch
@@ -0,0 +1,35 @@
+From 5ff75fbe51d5760a96b4e614617c9cbf35f1fbaa Mon Sep 17 00:00:00 2001
+From: Markus Stange <mstange@themasta.com>
+Date: Mon, 5 Jan 2015 18:40:27 +0100
+Subject: [PATCH] Bug 1117304 - Make sure the tile filter doesn't call CopyRect
+ on surfaces with different formats. r=Bas, a=sledru
+
+---
+ gfx/2d/FilterNodeSoftware.cpp | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp
+index 396d0da..10d92c6 100644
+--- a/gfx/2d/FilterNodeSoftware.cpp
++++ b/gfx/2d/FilterNodeSoftware.cpp
+@@ -1568,7 +1568,16 @@ FilterNodeTileSoftware::Render(const IntRect& aRect)
+           return nullptr;
+         }
+       }
+-      MOZ_ASSERT(input->GetFormat() == target->GetFormat(), "different surface formats from the same input?");
++
++      if (input->GetFormat() != target->GetFormat()) {
++        // Different rectangles of the input can have different formats. If
++        // that happens, just convert everything to B8G8R8A8.
++        target = FilterProcessing::ConvertToB8G8R8A8(target);
++        input = FilterProcessing::ConvertToB8G8R8A8(input);
++        if (MOZ2D_WARN_IF(!target) || MOZ2D_WARN_IF(!input)) {
++          return nullptr;
++        }
++      }
+ 
+       CopyRect(input, target, srcRect - srcRect.TopLeft(), destRect.TopLeft() - aRect.TopLeft());
+     }
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch b/gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch
new file mode 100644
index 0000000000..8d40126849
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch
@@ -0,0 +1,56 @@
+From c91087708686ae1c47abee65e19536688e5ec8f2 Mon Sep 17 00:00:00 2001
+From: Ryan VanderMeulen <ryanvm@gmail.com>
+Date: Mon, 26 Jan 2015 17:24:46 -0500
+Subject: [PATCH] Bug 1117304 - Add missing MOZ2D_WARN_IF definition to fix
+ bustage. r=milan, a=bustage
+
+---
+ gfx/2d/FilterNodeSoftware.cpp |  1 +
+ gfx/2d/Logging.h              | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp
+index 10d92c6..48bf162 100644
+--- a/gfx/2d/FilterNodeSoftware.cpp
++++ b/gfx/2d/FilterNodeSoftware.cpp
+@@ -12,6 +12,7 @@
+ #include "Blur.h"
+ #include <map>
+ #include "FilterProcessing.h"
++#include "Logging.h"
+ #include "mozilla/PodOperations.h"
+ #include "mozilla/DebugOnly.h"
+ 
+diff --git a/gfx/2d/Logging.h b/gfx/2d/Logging.h
+index 85e788c..d7728bb 100644
+--- a/gfx/2d/Logging.h
++++ b/gfx/2d/Logging.h
+@@ -155,6 +155,25 @@ typedef Log<LOG_WARNING> WarningLog;
+ #define gfxWarning if (1) ; else NoLog
+ #endif
+ 
++// See nsDebug.h and the NS_WARN_IF macro
++
++#ifdef __cplusplus
++#ifdef DEBUG
++inline bool MOZ2D_warn_if_impl(bool aCondition, const char* aExpr,
++                               const char* aFile, int32_t aLine)
++{
++  if (MOZ_UNLIKELY(aCondition)) {
++    gfxWarning() << aExpr << " at " << aFile << ":" << aLine;
++  }
++  return aCondition;
++}
++#define MOZ2D_WARN_IF(condition) \
++  MOZ2D_warn_if_impl(condition, #condition, __FILE__, __LINE__)
++#else
++#define MOZ2D_WARN_IF(condition) (bool)(condition)
++#endif
++#endif
++
+ const int INDENT_PER_LEVEL = 2;
+ 
+ class TreeLog
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch b/gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch
new file mode 100644
index 0000000000..c04d604923
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch
@@ -0,0 +1,32 @@
+From c8437505a63fc2b2552b8af217d60d79abb92ba3 Mon Sep 17 00:00:00 2001
+From: Ben Turner <bent.mozilla@gmail.com>
+Date: Fri, 6 Feb 2015 15:25:33 -0800
+Subject: [PATCH] Bug 1130541. r=janv, a=sledru
+
+---
+ dom/indexedDB/IDBDatabase.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/dom/indexedDB/IDBDatabase.cpp b/dom/indexedDB/IDBDatabase.cpp
+index 7329cec..c9c7e4f 100644
+--- a/dom/indexedDB/IDBDatabase.cpp
++++ b/dom/indexedDB/IDBDatabase.cpp
+@@ -536,6 +536,7 @@ IDBDatabase::CreateObjectStore(
+   IDBTransaction* transaction = AsyncConnectionHelper::GetCurrentTransaction();
+ 
+   if (!transaction ||
++      transaction->Database() != this ||
+       transaction->GetMode() != IDBTransaction::VERSION_CHANGE) {
+     aRv.Throw(NS_ERROR_DOM_INDEXEDDB_NOT_ALLOWED_ERR);
+     return nullptr;
+@@ -577,6 +578,7 @@ IDBDatabase::DeleteObjectStore(const nsAString& aName, ErrorResult& aRv)
+   IDBTransaction* transaction = AsyncConnectionHelper::GetCurrentTransaction();
+ 
+   if (!transaction ||
++      transaction->Database() != this ||
+       transaction->GetMode() != IDBTransaction::VERSION_CHANGE) {
+     aRv.Throw(NS_ERROR_DOM_INDEXEDDB_NOT_ALLOWED_ERR);
+     return;
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch b/gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch
new file mode 100644
index 0000000000..9510cd611f
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch
@@ -0,0 +1,26 @@
+From 4e799e44288c951f8d9acd17e7d8c56c9ee6a7d3 Mon Sep 17 00:00:00 2001
+From: Ben Turner <bent.mozilla@gmail.com>
+Date: Mon, 9 Feb 2015 14:38:26 -0800
+Subject: [PATCH] Bug 1130541 followup a=test-only
+
+--HG--
+extra : amend_source : 23d80353f87897fdac9c99048d12ebe4ed390f76
+---
+ dom/indexedDB/test/browser_quotaPrompt.html | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dom/indexedDB/test/browser_quotaPrompt.html b/dom/indexedDB/test/browser_quotaPrompt.html
+index c139970..dbeea68 100644
+--- a/dom/indexedDB/test/browser_quotaPrompt.html
++++ b/dom/indexedDB/test/browser_quotaPrompt.html
+@@ -38,6 +38,7 @@
+         let request = indexedDB.open(window.location.pathname, version++);
+         request.onerror = errorHandler;
+         request.onupgradeneeded = function(event) {
++          let db = event.target.result;
+           db.deleteObjectStore("foo");
+           db.onversionchange = function () { db.close(); };
+           request.transaction.oncomplete = function(event) {
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch
new file mode 100644
index 0000000000..f6e2756054
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch
@@ -0,0 +1,26 @@
+From 4106ffa6ee83b814428bb07948b3595e3fa3847e Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij@mozilla.com>
+Date: Tue, 10 Feb 2015 09:40:46 +0100
+Subject: [PATCH] Bug 1128196 - Don't relazify scripts with a TypeScript.
+ r=till, a=lmandel
+
+---
+ js/src/jsscript.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/js/src/jsscript.h b/js/src/jsscript.h
+index 4d548ef..9a0cfbb 100644
+--- a/js/src/jsscript.h
++++ b/js/src/jsscript.h
+@@ -1251,7 +1251,7 @@ class JSScript : public js::gc::BarrieredCell<JSScript>
+     }
+ 
+     bool isRelazifiable() const {
+-        return (selfHosted() || lazyScript) &&
++        return (selfHosted() || lazyScript) && !types &&
+                !isGenerator() && !hasBaselineScript() && !hasAnyIonScript() && !hasBeenInlined();
+     }
+     void setLazyScript(js::LazyScript *lazy) {
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch
new file mode 100644
index 0000000000..c95cf23a29
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch
@@ -0,0 +1,27 @@
+From 83c4bfeea2d2203f726e3bfcb7ee6fe56b4d9703 Mon Sep 17 00:00:00 2001
+From: Ryan VanderMeulen <ryanvm@gmail.com>
+Date: Thu, 29 Jan 2015 10:31:25 -0500
+Subject: [PATCH] Bug 1111248. r=Waldo, a=sledru
+
+---
+ js/src/jsbool.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/js/src/jsbool.cpp b/js/src/jsbool.cpp
+index 5d88bd5..8d5d672 100644
+--- a/js/src/jsbool.cpp
++++ b/js/src/jsbool.cpp
+@@ -198,7 +198,8 @@ js::ToBooleanSlow(HandleValue v)
+ bool
+ js::BooleanGetPrimitiveValueSlow(HandleObject wrappedBool)
+ {
+-    JSObject *obj = wrappedBool->as<ProxyObject>().target();
+-    JS_ASSERT(obj);
++    JSObject *obj = CheckedUnwrap(wrappedBool);
++    if (!obj || !obj->is<BooleanObject>())
++        return false;
+     return obj->as<BooleanObject>().unbox();
+ }
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch
new file mode 100644
index 0000000000..115cd76201
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch
@@ -0,0 +1,220 @@
+From 4e4e34238e5bb5af83a645a5f4d2097e3b30e9dd Mon Sep 17 00:00:00 2001
+From: Tom Schuster <evilpies@gmail.com>
+Date: Sun, 25 Jan 2015 21:42:10 +0100
+Subject: [PATCH] Bug 1111243 - Implement ES6 proxy behavior for IsArray.
+ r=efaust, a=abillings
+
+---
+ browser/devtools/app-manager/app-projects.js |  2 ++
+ js/public/Class.h                            |  5 +++-
+ js/src/jsarray.cpp                           |  9 ++++--
+ js/src/jsobjinlines.h                        | 15 +++++++++-
+ js/src/json.cpp                              | 11 +++----
+ js/src/jsproxy.cpp                           | 45 ++++++++++++++++++++++++++++
+ 6 files changed, 78 insertions(+), 9 deletions(-)
+
+diff --git a/browser/devtools/app-manager/app-projects.js b/browser/devtools/app-manager/app-projects.js
+index d09f72f..77ca67b 100644
+--- a/browser/devtools/app-manager/app-projects.js
++++ b/browser/devtools/app-manager/app-projects.js
+@@ -61,6 +61,8 @@ const IDB = {
+   add: function(project) {
+     let deferred = promise.defer();
+ 
++    project = JSON.parse(JSON.stringify(project));
++
+     if (!project.location) {
+       // We need to make sure this object has a `.location` property.
+       deferred.reject("Missing location property on project object.");
+diff --git a/js/public/Class.h b/js/public/Class.h
+index ff864b1..46f7d39 100644
+--- a/js/public/Class.h
++++ b/js/public/Class.h
+@@ -521,7 +521,10 @@ Valueify(const JSClass *c)
+  */
+ enum ESClassValue {
+     ESClass_Array, ESClass_Number, ESClass_String, ESClass_Boolean,
+-    ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date
++    ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date,
++    // Special snowflake for the ES6 IsArray method.
++    // Please don't use it without calling that function.
++    ESClass_IsArray
+ };
+ 
+ /*
+diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
+index 24da176..46f1c20 100644
+--- a/js/src/jsarray.cpp
++++ b/js/src/jsarray.cpp
+@@ -2645,7 +2645,8 @@ js::array_concat(JSContext *cx, unsigned argc, Value *vp)
+         HandleValue v = HandleValue::fromMarkedLocation(&p[i]);
+         if (v.isObject()) {
+             RootedObject obj(cx, &v.toObject());
+-            if (ObjectClassIs(obj, ESClass_Array, cx)) {
++            // This should be IsConcatSpreadable
++            if (IsArray(obj, cx)) {
+                 uint32_t alength;
+                 if (!GetLengthProperty(cx, obj, &alength))
+                     return false;
+@@ -2870,7 +2871,11 @@ static bool
+ array_isArray(JSContext *cx, unsigned argc, Value *vp)
+ {
+     CallArgs args = CallArgsFromVp(argc, vp);
+-    bool isArray = args.length() > 0 && IsObjectWithClass(args[0], ESClass_Array, cx);
++    bool isArray = false;
++    if (args.get(0).isObject()) {
++        RootedObject obj(cx, &args[0].toObject());
++        isArray = IsArray(obj, cx);
++    }
+     args.rval().setBoolean(isArray);
+     return true;
+ }
+diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h
+index e848ba7..557dd26 100644
+--- a/js/src/jsobjinlines.h
++++ b/js/src/jsobjinlines.h
+@@ -1032,7 +1032,10 @@ ObjectClassIs(HandleObject obj, ESClassValue classValue, JSContext *cx)
+         return Proxy::objectClassIs(obj, classValue, cx);
+ 
+     switch (classValue) {
+-      case ESClass_Array: return obj->is<ArrayObject>();
++      case ESClass_Array:
++      case ESClass_IsArray:
++        // There difference between those is only relevant for proxies.
++        return obj->is<ArrayObject>();
+       case ESClass_Number: return obj->is<NumberObject>();
+       case ESClass_String: return obj->is<StringObject>();
+       case ESClass_Boolean: return obj->is<BooleanObject>();
+@@ -1053,6 +1056,16 @@ IsObjectWithClass(const Value &v, ESClassValue classValue, JSContext *cx)
+     return ObjectClassIs(obj, classValue, cx);
+ }
+ 
++// ES6 7.2.2
++inline bool
++IsArray(HandleObject obj, JSContext *cx)
++{
++    if (obj->is<ArrayObject>())
++        return true;
++
++    return ObjectClassIs(obj, ESClass_IsArray, cx);
++}
++
+ static MOZ_ALWAYS_INLINE bool
+ NewObjectMetadata(ExclusiveContext *cxArg, JSObject **pmetadata)
+ {
+diff --git a/js/src/json.cpp b/js/src/json.cpp
+index 6e45bfd..81a99a6 100644
+--- a/js/src/json.cpp
++++ b/js/src/json.cpp
+@@ -300,7 +300,7 @@ JO(JSContext *cx, HandleObject obj, StringifyContext *scx)
+     Maybe<AutoIdVector> ids;
+     const AutoIdVector *props;
+     if (scx->replacer && !scx->replacer->isCallable()) {
+-        JS_ASSERT(JS_IsArrayObject(cx, scx->replacer));
++        JS_ASSERT(IsArray(scx->replacer, cx));
+         props = &scx->propertyList;
+     } else {
+         JS_ASSERT_IF(scx->replacer, scx->propertyList.length() == 0);
+@@ -488,7 +488,7 @@ Str(JSContext *cx, const Value &v, StringifyContext *scx)
+ 
+     scx->depth++;
+     bool ok;
+-    if (ObjectClassIs(obj, ESClass_Array, cx))
++    if (IsArray(obj, cx))
+         ok = JA(cx, obj, scx);
+     else
+         ok = JO(cx, obj, scx);
+@@ -510,7 +510,7 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp
+     if (replacer) {
+         if (replacer->isCallable()) {
+             /* Step 4a(i): use replacer to transform values.  */
+-        } else if (ObjectClassIs(replacer, ESClass_Array, cx)) {
++        } else if (IsArray(replacer, cx)) {
+             /*
+              * Step 4b: The spec algorithm is unhelpfully vague about the exact
+              * steps taken when the replacer is an array, regarding the exact
+@@ -541,7 +541,8 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp
+ 
+             /* Step 4b(ii). */
+             uint32_t len;
+-            JS_ALWAYS_TRUE(GetLengthProperty(cx, replacer, &len));
++            if (!GetLengthProperty(cx, replacer, &len))
++                return false;
+             if (replacer->is<ArrayObject>() && !replacer->isIndexed())
+                 len = Min(len, replacer->getDenseInitializedLength());
+ 
+@@ -678,7 +679,7 @@ Walk(JSContext *cx, HandleObject holder, HandleId name, HandleValue reviver, Mut
+     if (val.isObject()) {
+         RootedObject obj(cx, &val.toObject());
+ 
+-        if (ObjectClassIs(obj, ESClass_Array, cx)) {
++        if (IsArray(obj, cx)) {
+             /* Step 2a(ii). */
+             uint32_t length;
+             if (!GetLengthProperty(cx, obj, &length))
+diff --git a/js/src/jsproxy.cpp b/js/src/jsproxy.cpp
+index 7644da1..7453103 100644
+--- a/js/src/jsproxy.cpp
++++ b/js/src/jsproxy.cpp
+@@ -1108,6 +1108,14 @@ class ScriptedDirectProxyHandler : public DirectProxyHandler {
+     virtual bool isExtensible(JSContext *cx, HandleObject proxy, bool *extensible) MOZ_OVERRIDE;
+ 
+     /* Spidermonkey extensions. */
++    // A scripted proxy should not be treated as generic in most contexts.
++    virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
++                            CallArgs args) MOZ_OVERRIDE;
++    virtual bool objectClassIs(HandleObject obj, ESClassValue classValue,
++                               JSContext *cx) MOZ_OVERRIDE;
++    virtual bool regexp_toShared(JSContext *cx, HandleObject proxy,
++                                 RegExpGuard *g) MOZ_OVERRIDE;
++
+     virtual bool call(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE;
+     virtual bool construct(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE;
+     virtual bool isScripted() MOZ_OVERRIDE { return true; }
+@@ -2350,6 +2358,43 @@ ScriptedDirectProxyHandler::construct(JSContext *cx, HandleObject proxy, const C
+     return true;
+ }
+ 
++bool
++ScriptedDirectProxyHandler::nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
++                                       CallArgs args)
++{
++    ReportIncompatible(cx, args);
++    return false;
++}
++
++bool
++ScriptedDirectProxyHandler::objectClassIs(HandleObject proxy, ESClassValue classValue,
++                                          JSContext *cx)
++{
++    // Special case IsArray. In every other instance ES wants to have exactly
++    // one object type and not a proxy around it, so return false.
++    if (classValue != ESClass_IsArray)
++        return false;
++
++    // In ES6 IsArray is supposed to poke at the Proxy target, instead we do this here.
++    // The reason for this is that we have proxies for which looking at the target might
++    // be impossible. So instead we use our little objectClassIs function that just works
++    // already across different wrappers.
++    RootedObject target(cx, proxy->as<ProxyObject>().target());
++    if (!target)
++        return false;
++
++    return IsArray(target, cx);
++}
++
++bool
++ScriptedDirectProxyHandler::regexp_toShared(JSContext *cx, HandleObject proxy,
++                                            RegExpGuard *g)
++{
++    MOZ_CRASH("Should not end up in ScriptedDirectProxyHandler::regexp_toShared");
++    return false;
++}
++
++
+ ScriptedDirectProxyHandler ScriptedDirectProxyHandler::singleton;
+ 
+ #define INVOKE_ON_PROTOTYPE(cx, handler, proxy, protoCall)                   \
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch
new file mode 100644
index 0000000000..58e61d080c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch
@@ -0,0 +1,89 @@
+From 97ba04bf95606b409b1b3035504a41c274ecffe2 Mon Sep 17 00:00:00 2001
+From: Shu-yu Guo <shu@rfrn.org>
+Date: Mon, 26 Jan 2015 18:26:25 -0800
+Subject: [PATCH] Bug 1119579 - Don't GC while iterating compartments in
+ findAllGlobals. r=sfink, a=abillings
+
+---
+ js/src/vm/Debugger.cpp | 56 ++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 34 insertions(+), 22 deletions(-)
+
+diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp
+index 27e993d..a8decef 100644
+--- a/js/src/vm/Debugger.cpp
++++ b/js/src/vm/Debugger.cpp
+@@ -2825,37 +2825,49 @@ Debugger::findAllGlobals(JSContext *cx, unsigned argc, Value *vp)
+ {
+     THIS_DEBUGGER(cx, argc, vp, "findAllGlobals", args, dbg);
+ 
+-    RootedObject result(cx, NewDenseEmptyArray(cx));
+-    if (!result)
+-        return false;
++    AutoObjectVector globals(cx);
+ 
+-    for (CompartmentsIter c(cx->runtime(), SkipAtoms); !c.done(); c.next()) {
+-        if (c->options().invisibleToDebugger())
+-            continue;
++    {
++        // Accumulate the list of globals before wrapping them, because
++        // wrapping can GC and collect compartments from under us, while
++        // iterating.
+ 
+-        c->zone()->scheduledForDestruction = false;
++        for (CompartmentsIter c(cx->runtime(), SkipAtoms); !c.done(); c.next()) {
++            if (c->options().invisibleToDebugger())
++                continue;
+ 
+-        GlobalObject *global = c->maybeGlobal();
++            c->zone()->scheduledForDestruction = false;
+ 
+-        if (cx->runtime()->isSelfHostingGlobal(global))
+-            continue;
++            GlobalObject *global = c->maybeGlobal();
+ 
+-        if (global) {
+-            /*
+-             * We pulled |global| out of nowhere, so it's possible that it was
+-             * marked gray by XPConnect. Since we're now exposing it to JS code,
+-             * we need to mark it black.
+-             */
+-            JS::ExposeGCThingToActiveJS(global, JSTRACE_OBJECT);
++            if (cx->runtime()->isSelfHostingGlobal(global))
++                continue;
+ 
+-            RootedValue globalValue(cx, ObjectValue(*global));
+-            if (!dbg->wrapDebuggeeValue(cx, &globalValue))
+-                return false;
+-            if (!NewbornArrayPush(cx, result, globalValue))
+-                return false;
++            if (global) {
++                /*
++                 * We pulled |global| out of nowhere, so it's possible that it was
++                 * marked gray by XPConnect. Since we're now exposing it to JS code,
++                 * we need to mark it black.
++                 */
++                JS::ExposeGCThingToActiveJS(global, JSTRACE_OBJECT);
++                if (!globals.append(global))
++                    return false;
++            }
+         }
+     }
+ 
++    RootedObject result(cx, NewDenseEmptyArray(cx));
++    if (!result)
++        return false;
++
++    for (size_t i = 0; i < globals.length(); i++) {
++        RootedValue globalValue(cx, ObjectValue(*globals[i]));
++        if (!dbg->wrapDebuggeeValue(cx, &globalValue))
++            return false;
++        if (!NewbornArrayPush(cx, result, globalValue))
++            return false;
++    }
++
+     args.rval().setObject(*result);
+     return true;
+ }
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch
new file mode 100644
index 0000000000..3e4ed17598
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch
@@ -0,0 +1,25 @@
+From 746ddf19ff532b8abc90d3a91322a04b462ebfa8 Mon Sep 17 00:00:00 2001
+From: Brian Hackett <bhackett1024@gmail.com>
+Date: Mon, 26 Jan 2015 13:14:34 -0500
+Subject: [PATCH] Bug 1124018 - Null the allocation site table if
+ initialization fails. r=jonco, a=bkerensa
+
+---
+ js/src/jsinfer.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp
+index b62ad1f..4019b16 100644
+--- a/js/src/jsinfer.cpp
++++ b/js/src/jsinfer.cpp
+@@ -2035,6 +2035,7 @@ TypeCompartment::addAllocationSiteTypeObject(JSContext *cx, AllocationSiteKey ke
+         allocationSiteTable = cx->new_<AllocationSiteTable>();
+         if (!allocationSiteTable || !allocationSiteTable->init()) {
+             js_delete(allocationSiteTable);
++            allocationSiteTable = nullptr;
+             return nullptr;
+         }
+     }
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch
new file mode 100644
index 0000000000..181f9243e3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch
@@ -0,0 +1,41 @@
+From 0758363d982b0b3e6cf021c164715a028a345b9e Mon Sep 17 00:00:00 2001
+From: "Byron Campen [:bwc]" <docfaraday@gmail.com>
+Date: Wed, 21 Jan 2015 08:56:36 -0800
+Subject: [PATCH] Bug 1123882 - Fix case where offset != 0. r=derf, a=bkerensa
+
+---
+ content/media/MediaDecoderStateMachine.cpp | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/content/media/MediaDecoderStateMachine.cpp b/content/media/MediaDecoderStateMachine.cpp
+index ce5870f..4ed496c 100644
+--- a/content/media/MediaDecoderStateMachine.cpp
++++ b/content/media/MediaDecoderStateMachine.cpp
+@@ -328,6 +328,8 @@ void MediaDecoderStateMachine::SendStreamAudio(AudioData* aAudio,
+   if (offset >= aAudio->mFrames)
+     return;
+ 
++  size_t framesToWrite = aAudio->mFrames - offset;
++
+   aAudio->EnsureAudioBuffer();
+   nsRefPtr<SharedBuffer> buffer = aAudio->mAudioBuffer;
+   AudioDataValue* bufferData = static_cast<AudioDataValue*>(buffer->Data());
+@@ -335,10 +337,11 @@ void MediaDecoderStateMachine::SendStreamAudio(AudioData* aAudio,
+   for (uint32_t i = 0; i < aAudio->mChannels; ++i) {
+     channels.AppendElement(bufferData + i*aAudio->mFrames + offset);
+   }
+-  aOutput->AppendFrames(buffer.forget(), channels, aAudio->mFrames);
+-  VERBOSE_LOG("writing %d frames of data to MediaStream for AudioData at %lld",
+-              aAudio->mFrames - int32_t(offset), aAudio->mTime);
+-  aStream->mAudioFramesWritten += aAudio->mFrames - int32_t(offset);
++  aOutput->AppendFrames(buffer.forget(), channels, framesToWrite);
++  VERBOSE_LOG("writing %u frames of data to MediaStream for AudioData at %lld",
++              static_cast<unsigned>(framesToWrite),
++              aAudio->mTime);
++  aStream->mAudioFramesWritten += framesToWrite;
+ }
+ 
+ static void WriteVideoToMediaStream(layers::Image* aImage,
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch
new file mode 100644
index 0000000000..818d369b26
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch
@@ -0,0 +1,54 @@
+From 94899f849e50a765bb26420f5c70d49002d6673f Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+Date: Mon, 26 Jan 2015 16:07:00 -0500
+Subject: [PATCH] Bug 1117406 - Fix handling of out-of-range PNG tRNS values.
+ r=jmuizelaar, a=abillings
+
+---
+ image/decoders/nsPNGDecoder.cpp | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp
+index acaa835..8e6bc2d 100644
+--- a/image/decoders/nsPNGDecoder.cpp
++++ b/image/decoders/nsPNGDecoder.cpp
+@@ -528,24 +528,26 @@ nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr)
+     png_set_expand(png_ptr);
+ 
+   if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) {
+-    int sample_max = (1 << bit_depth);
+     png_color_16p trans_values;
+     png_get_tRNS(png_ptr, info_ptr, &trans, &num_trans, &trans_values);
+     /* libpng doesn't reject a tRNS chunk with out-of-range samples
+        so we check it here to avoid setting up a useless opacity
+-       channel or producing unexpected transparent pixels when using
+-       libpng-1.2.19 through 1.2.26 (bug #428045) */
+-    if ((color_type == PNG_COLOR_TYPE_GRAY &&
+-       (int)trans_values->gray > sample_max) ||
+-       (color_type == PNG_COLOR_TYPE_RGB &&
+-       ((int)trans_values->red > sample_max ||
+-       (int)trans_values->green > sample_max ||
+-       (int)trans_values->blue > sample_max)))
++       channel or producing unexpected transparent pixels (bug #428045) */
++    if (bit_depth < 16) {
++      png_uint_16 sample_max = (1 << bit_depth) - 1;
++      if ((color_type == PNG_COLOR_TYPE_GRAY &&
++           trans_values->gray > sample_max) ||
++           (color_type == PNG_COLOR_TYPE_RGB &&
++           (trans_values->red > sample_max ||
++           trans_values->green > sample_max ||
++           trans_values->blue > sample_max)))
+       {
+         /* clear the tRNS valid flag and release tRNS memory */
+         png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
++        num_trans = 0;
+       }
+-    else
++    }
++    if (num_trans != 0)
+       png_set_expand(png_ptr);
+   }
+ 
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch
new file mode 100644
index 0000000000..685e3a6d43
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch
@@ -0,0 +1,53 @@
+From 4920c5c447d1153dffa623dd70d8b535b9ca6795 Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij@mozilla.com>
+Date: Mon, 26 Jan 2015 12:59:47 +0100
+Subject: [PATCH] Bug 1115776 - Fix LApplyArgsGeneric to always emit the
+ has-script check. r=shu, a=sledru
+
+---
+ js/src/jit/CodeGenerator.cpp | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
+index ba14f86..0669692 100644
+--- a/js/src/jit/CodeGenerator.cpp
++++ b/js/src/jit/CodeGenerator.cpp
+@@ -2448,27 +2448,19 @@ CodeGenerator::visitApplyArgsGeneric(LApplyArgsGeneric *apply)
+ 
+     masm.checkStackAlignment();
+ 
+-    // If the function is known to be uncompilable, only emit the call to InvokeFunction.
++    // If the function is native, only emit the call to InvokeFunction.
+     ExecutionMode executionMode = gen->info().executionMode();
+-    if (apply->hasSingleTarget()) {
+-        JSFunction *target = apply->getSingleTarget();
+-        if (target->isNative()) {
+-            if (!emitCallInvokeFunction(apply, copyreg))
+-                return false;
+-            emitPopArguments(apply, copyreg);
+-            return true;
+-        }
++    if (apply->hasSingleTarget() && apply->getSingleTarget()->isNative()) {
++        if (!emitCallInvokeFunction(apply, copyreg))
++            return false;
++        emitPopArguments(apply, copyreg);
++        return true;
+     }
+ 
+     Label end, invoke;
+ 
+-    // Guard that calleereg is an interpreted function with a JSScript:
+-    if (!apply->hasSingleTarget()) {
+-        masm.branchIfFunctionHasNoScript(calleereg, &invoke);
+-    } else {
+-        // Native single targets are handled by LCallNative.
+-        JS_ASSERT(!apply->getSingleTarget()->isNative());
+-    }
++    // Guard that calleereg is an interpreted function with a JSScript.
++    masm.branchIfFunctionHasNoScript(calleereg, &invoke);
+ 
+     // Knowing that calleereg is a non-native function, load the JSScript.
+     masm.loadPtr(Address(calleereg, JSFunction::offsetOfNativeOrScript()), objreg);
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch
new file mode 100644
index 0000000000..d067d8133d
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch
@@ -0,0 +1,52 @@
+From f7d24f37425d3d9054a7e5657815440a07166d3f Mon Sep 17 00:00:00 2001
+From: Kartikaya Gupta <kgupta@mozilla.com>
+Date: Tue, 20 Jan 2015 10:33:27 -0500
+Subject: [PATCH] Bug 1107009 - Additional locking needed for esr31 backport.
+ r=BenWa a=sledru
+
+---
+ gfx/layers/ipc/CompositorParent.cpp | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/gfx/layers/ipc/CompositorParent.cpp b/gfx/layers/ipc/CompositorParent.cpp
+index 97c8693..cb03e71 100644
+--- a/gfx/layers/ipc/CompositorParent.cpp
++++ b/gfx/layers/ipc/CompositorParent.cpp
+@@ -1286,13 +1286,19 @@ CrossProcessCompositorParent::ShadowLayersUpdated(
+ {
+   uint64_t id = aLayerTree->GetId();
+   MOZ_ASSERT(id != 0);
++  const CompositorParent::LayerTreeState* state = CompositorParent::GetIndirectShadowTree(id);
++  if (!state) {
++    return;
++  }
++  MOZ_ASSERT(state->mParent);
++
+   Layer* shadowRoot = aLayerTree->GetRoot();
+   if (shadowRoot) {
+     SetShadowProperties(shadowRoot);
+   }
+   UpdateIndirectTree(id, shadowRoot, aTargetConfig);
+ 
+-  sIndirectLayerTrees[id].mParent->NotifyShadowTreeTransaction(id, aIsFirstPaint, aScheduleComposite);
++  state->mParent->NotifyShadowTreeTransaction(id, aIsFirstPaint, aScheduleComposite);
+ }
+ 
+ void
+@@ -1329,7 +1335,12 @@ AsyncCompositionManager*
+ CrossProcessCompositorParent::GetCompositionManager(LayerTransactionParent* aLayerTree)
+ {
+   uint64_t id = aLayerTree->GetId();
+-  return sIndirectLayerTrees[id].mParent->GetCompositionManager(aLayerTree);
++  const CompositorParent::LayerTreeState* state = CompositorParent::GetIndirectShadowTree(id);
++  if (!state) {
++    return nullptr;
++  }
++  MOZ_ASSERT(state->mParent);
++  return state->mParent->GetCompositionManager(aLayerTree);
+ }
+ 
+ void
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch
new file mode 100644
index 0000000000..9a4668b2dc
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch
@@ -0,0 +1,219 @@
+From 66e65b2138c6db20288ef4cf78d15995f382a7e2 Mon Sep 17 00:00:00 2001
+From: Kartikaya Gupta <kgupta@mozilla.com>
+Date: Tue, 13 Jan 2015 13:26:26 -0500
+Subject: [PATCH] Bug 1107009. r=BenWa, a=sledru
+
+---
+ gfx/layers/ipc/CompositorParent.cpp | 57 ++++++++++++++++++++++++++++++-------
+ 1 file changed, 46 insertions(+), 11 deletions(-)
+
+diff --git a/gfx/layers/ipc/CompositorParent.cpp b/gfx/layers/ipc/CompositorParent.cpp
+index ce50277..cbbb2ef 100644
+--- a/gfx/layers/ipc/CompositorParent.cpp
++++ b/gfx/layers/ipc/CompositorParent.cpp
+@@ -22,6 +22,7 @@
+ #include "gfxPrefs.h"                   // for gfxPrefs
+ #include "ipc/ShadowLayersManager.h"    // for ShadowLayersManager
+ #include "mozilla/AutoRestore.h"        // for AutoRestore
++#include "mozilla/ClearOnShutdown.h"    // for ClearOnShutdown
+ #include "mozilla/DebugOnly.h"          // for DebugOnly
+ #include "mozilla/gfx/2D.h"          // for DrawTarget
+ #include "mozilla/gfx/Point.h"          // for IntSize
+@@ -70,6 +71,16 @@ CompositorParent::LayerTreeState::LayerTreeState()
+ 
+ typedef map<uint64_t, CompositorParent::LayerTreeState> LayerTreeMap;
+ static LayerTreeMap sIndirectLayerTrees;
++static StaticAutoPtr<mozilla::Monitor> sIndirectLayerTreesLock;
++
++static void EnsureLayerTreeMapReady()
++{
++  MOZ_ASSERT(NS_IsMainThread());
++  if (!sIndirectLayerTreesLock) {
++    sIndirectLayerTreesLock = new Monitor("IndirectLayerTree");
++    mozilla::ClearOnShutdown(&sIndirectLayerTreesLock);
++  }
++}
+ 
+ // FIXME/bug 774386: we're assuming that there's only one
+ // CompositorParent, but that's not always true.  This assumption only
+@@ -132,6 +143,7 @@ void CompositorParent::StartUp()
+     return;
+   }
+   MOZ_ASSERT(!sCompositorLoop);
++  EnsureLayerTreeMapReady();
+   CreateCompositorMap();
+   CreateThread();
+   sMainLoop = MessageLoop::current();
+@@ -206,7 +218,11 @@ CompositorParent::CompositorParent(nsIWidget* aWidget,
+                                                           this, &mCompositorID));
+ 
+   mRootLayerTreeID = AllocateLayerTreeId();
+-  sIndirectLayerTrees[mRootLayerTreeID].mParent = this;
++
++  { // scope lock
++    MonitorAutoLock lock(*sIndirectLayerTreesLock);
++    sIndirectLayerTrees[mRootLayerTreeID].mParent = this;
++  }
+ 
+   mApzcTreeManager = new APZCTreeManager();
+   ++sCompositorThreadRefCount;
+@@ -249,7 +265,10 @@ CompositorParent::Destroy()
+   mCompositionManager = nullptr;
+   mApzcTreeManager->ClearTree();
+   mApzcTreeManager = nullptr;
+-  sIndirectLayerTrees.erase(mRootLayerTreeID);
++  { // scope lock
++    MonitorAutoLock lock(*sIndirectLayerTreesLock);
++    sIndirectLayerTrees.erase(mRootLayerTreeID);
++  }
+ }
+ 
+ void
+@@ -266,6 +285,7 @@ CompositorParent::RecvWillStop()
+ 
+   // Ensure that the layer manager is destroyed before CompositorChild.
+   if (mLayerManager) {
++    MonitorAutoLock lock(*sIndirectLayerTreesLock);
+     for (LayerTreeMap::iterator it = sIndirectLayerTrees.begin();
+          it != sIndirectLayerTrees.end(); it++)
+     {
+@@ -380,7 +400,10 @@ CompositorParent::ActorDestroy(ActorDestroyReason why)
+   if (mLayerManager) {
+     mLayerManager->Destroy();
+     mLayerManager = nullptr;
+-    sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = nullptr;
++    { // scope lock
++      MonitorAutoLock lock(*sIndirectLayerTreesLock);
++      sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = nullptr;
++    }
+     mCompositionManager = nullptr;
+     mCompositor = nullptr;
+   }
+@@ -696,6 +719,7 @@ CompositorParent::DidComposite()
+ {
+   unused << SendDidComposite(0);
+ 
++  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+   for (LayerTreeMap::iterator it = sIndirectLayerTrees.begin();
+        it != sIndirectLayerTrees.end(); it++) {
+     LayerTreeState* lts = &it->second;
+@@ -867,6 +891,7 @@ CompositorParent::InitializeLayerManager(const nsTArray<LayersBackend>& aBackend
+       mLayerManager = layerManager;
+       MOZ_ASSERT(compositor);
+       mCompositor = compositor;
++      MonitorAutoLock lock(*sIndirectLayerTreesLock);
+       sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = layerManager;
+       return;
+     }
+@@ -969,6 +994,7 @@ CompositorParent::RecvNotifyChildCreated(const uint64_t& child)
+ void
+ CompositorParent::NotifyChildCreated(uint64_t aChild)
+ {
++  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+   sIndirectLayerTrees[aChild].mParent = this;
+   sIndirectLayerTrees[aChild].mLayerManager = mLayerManager;
+ }
+@@ -985,6 +1011,7 @@ CompositorParent::AllocateLayerTreeId()
+ static void
+ EraseLayerState(uint64_t aId)
+ {
++  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+   sIndirectLayerTrees.erase(aId);
+ }
+ 
+@@ -1001,6 +1028,7 @@ UpdateControllerForLayersId(uint64_t aLayersId,
+                             GeckoContentController* aController)
+ {
+   // Adopt ref given to us by SetControllerForLayerTree()
++  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+   sIndirectLayerTrees[aLayersId].mController =
+     already_AddRefed<GeckoContentController>(aController);
+ }
+@@ -1010,12 +1038,15 @@ ScopedLayerTreeRegistration::ScopedLayerTreeRegistration(uint64_t aLayersId,
+                                                          GeckoContentController* aController)
+     : mLayersId(aLayersId)
+ {
++  EnsureLayerTreeMapReady();
++  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+   sIndirectLayerTrees[aLayersId].mRoot = aRoot;
+   sIndirectLayerTrees[aLayersId].mController = aController;
+ }
+ 
+ ScopedLayerTreeRegistration::~ScopedLayerTreeRegistration()
+ {
++  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+   sIndirectLayerTrees.erase(mLayersId);
+ }
+ 
+@@ -1175,6 +1206,7 @@ CompositorParent::CloneToplevel(const InfallibleTArray<mozilla::ipc::ProtocolFdM
+ static void
+ UpdateIndirectTree(uint64_t aId, Layer* aRoot, const TargetConfig& aTargetConfig)
+ {
++  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+   sIndirectLayerTrees[aId].mRoot = aRoot;
+   sIndirectLayerTrees[aId].mTargetConfig = aTargetConfig;
+ }
+@@ -1182,6 +1214,7 @@ UpdateIndirectTree(uint64_t aId, Layer* aRoot, const TargetConfig& aTargetConfig
+ /* static */ const CompositorParent::LayerTreeState*
+ CompositorParent::GetIndirectShadowTree(uint64_t aId)
+ {
++  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+   LayerTreeMap::const_iterator cit = sIndirectLayerTrees.find(aId);
+   if (sIndirectLayerTrees.end() == cit) {
+     return nullptr;
+@@ -1189,12 +1222,6 @@ CompositorParent::GetIndirectShadowTree(uint64_t aId)
+   return &cit->second;
+ }
+ 
+-static void
+-RemoveIndirectTree(uint64_t aId)
+-{
+-  sIndirectLayerTrees.erase(aId);
+-}
+-
+ void
+ CrossProcessCompositorParent::ActorDestroy(ActorDestroyReason aWhy)
+ {
+@@ -1211,6 +1238,8 @@ CrossProcessCompositorParent::AllocPLayerTransactionParent(const nsTArray<Layers
+ {
+   MOZ_ASSERT(aId != 0);
+ 
++  MonitorAutoLock lock(*sIndirectLayerTreesLock);
++
+   if (sIndirectLayerTrees[aId].mLayerManager) {
+     sIndirectLayerTrees[aId].mCrossProcessParent = this;
+     LayerManagerComposite* lm = sIndirectLayerTrees[aId].mLayerManager;
+@@ -1234,7 +1263,7 @@ bool
+ CrossProcessCompositorParent::DeallocPLayerTransactionParent(PLayerTransactionParent* aLayers)
+ {
+   LayerTransactionParent* slp = static_cast<LayerTransactionParent*>(aLayers);
+-  RemoveIndirectTree(slp->GetId());
++  EraseLayerState(slp->GetId());
+   static_cast<LayerTransactionParent*>(aLayers)->ReleaseIPDLReference();
+   return true;
+ }
+@@ -1242,6 +1271,7 @@ CrossProcessCompositorParent::DeallocPLayerTransactionParent(PLayerTransactionPa
+ bool
+ CrossProcessCompositorParent::RecvNotifyChildCreated(const uint64_t& child)
+ {
++  MonitorAutoLock lock(*sIndirectLayerTreesLock);
+   sIndirectLayerTrees[child].mParent->NotifyChildCreated(child);
+   return true;
+ }
+@@ -1269,7 +1299,12 @@ CrossProcessCompositorParent::ForceComposite(LayerTransactionParent* aLayerTree)
+ {
+   uint64_t id = aLayerTree->GetId();
+   MOZ_ASSERT(id != 0);
+-  sIndirectLayerTrees[id].mParent->ForceComposite(aLayerTree);
++  CompositorParent* parent;
++  { // scope lock
++    MonitorAutoLock lock(*sIndirectLayerTreesLock);
++    parent = sIndirectLayerTrees[id].mParent;
++  }
++  parent->ForceComposite(aLayerTree);
+ }
+ 
+ bool
+-- 
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch
new file mode 100644
index 0000000000..869feaf7c6
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch
@@ -0,0 +1,104 @@
+From 3f0f685829445ae82974d61f6017fdb67349c32b Mon Sep 17 00:00:00 2001
+From: Dan Gohman <sunfish@mozilla.com>
+Date: Fri, 9 Jan 2015 09:04:12 -0500
+Subject: [PATCH] Bug 1096138 - IonMonkey: Augment Nops with Mops to avoid
+ collisions with fixed live ranges. r=jandem, a=sledru
+
+---
+ js/src/jit/CodeGenerator.cpp |  6 ++++++
+ js/src/jit/CodeGenerator.h   |  1 +
+ js/src/jit/LIR-Common.h      |  6 ++++++
+ js/src/jit/LOpcodes.h        |  1 +
+ js/src/jit/Lowering.cpp      | 12 ++++++++++++
+ 5 files changed, 26 insertions(+)
+
+diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
+index 4f07524..ba14f86 100644
+--- a/js/src/jit/CodeGenerator.cpp
++++ b/js/src/jit/CodeGenerator.cpp
+@@ -1077,6 +1077,12 @@ CodeGenerator::visitNop(LNop *lir)
+ }
+ 
+ bool
++CodeGenerator::visitMop(LMop *lir)
++{
++    return true;
++}
++
++bool
+ CodeGenerator::visitOsiPoint(LOsiPoint *lir)
+ {
+     // Note: markOsiPoint ensures enough space exists between the last
+diff --git a/js/src/jit/CodeGenerator.h b/js/src/jit/CodeGenerator.h
+index 03677a5..dce095d 100644
+--- a/js/src/jit/CodeGenerator.h
++++ b/js/src/jit/CodeGenerator.h
+@@ -58,6 +58,7 @@ class CodeGenerator : public CodeGeneratorSpecific
+ 
+     bool visitLabel(LLabel *lir);
+     bool visitNop(LNop *lir);
++    bool visitMop(LMop *lir);
+     bool visitOsiPoint(LOsiPoint *lir);
+     bool visitGoto(LGoto *lir);
+     bool visitTableSwitch(LTableSwitch *ins);
+diff --git a/js/src/jit/LIR-Common.h b/js/src/jit/LIR-Common.h
+index c90aef9..e7a0e4c 100644
+--- a/js/src/jit/LIR-Common.h
++++ b/js/src/jit/LIR-Common.h
+@@ -42,6 +42,12 @@ class LNop : public LInstructionHelper<0, 0, 0>
+     LIR_HEADER(Nop)
+ };
+ 
++class LMop : public LInstructionHelper<0, 0, 0>
++{
++  public:
++    LIR_HEADER(Mop)
++};
++
+ // An LOsiPoint captures a snapshot after a call and ensures enough space to
+ // patch in a call to the invalidation mechanism.
+ //
+diff --git a/js/src/jit/LOpcodes.h b/js/src/jit/LOpcodes.h
+index a32d64f..cd7eef8 100644
+--- a/js/src/jit/LOpcodes.h
++++ b/js/src/jit/LOpcodes.h
+@@ -10,6 +10,7 @@
+ #define LIR_COMMON_OPCODE_LIST(_)   \
+     _(Label)                        \
+     _(Nop)                          \
++    _(Mop)                          \
+     _(OsiPoint)                     \
+     _(MoveGroup)                    \
+     _(Integer)                      \
+diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
+index d5f8227..48b7fa9 100644
+--- a/js/src/jit/Lowering.cpp
++++ b/js/src/jit/Lowering.cpp
+@@ -3616,12 +3616,24 @@ LIRGenerator::visitInstruction(MInstruction *ins)
+     ins->setInWorklistUnchecked();
+ #endif
+ 
++    // If we added a Nop for this instruction, we'll also add a Mop, so that
++    // that live-ranges for fixed register defs, which with LSRA extend through
++    // the Nop so that they can extend through the OsiPoint don't, with their
++    // one-extra extension, extend into a position where they use the input
++    // move group for the following instruction.
++    bool needsMop = !current->instructions().empty() && current->rbegin()->isNop();
++
+     // If no safepoint was created, there's no need for an OSI point.
+     if (LOsiPoint *osiPoint = popOsiPoint()) {
+         if (!add(osiPoint))
+             return false;
+     }
+ 
++    if (needsMop) {
++        if (!add(new(alloc()) LMop))
++            return false;
++    }
++
+     return true;
+ }
+ 
+-- 
+2.2.1
+