1 files changed, 112 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
new file mode 100644
index 0000000000..c5d0e4ad60
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
@@ -0,0 +1,112 @@
+From 76e6db3e514350fd146cb04425e669d63b59f889 Mon Sep 17 00:00:00 2001
+From: Gerald Squelart <gsquelart@mozilla.com>
+Date: Wed, 9 Dec 2015 09:59:37 +0100
+Subject: [PATCH] Bug 1216748 - p2. Handle failed malloc in Metadata storage -
+ r=rillian, a=sylvestre
+
+---
+ .../av/include/media/stagefright/MetaData.h        |  2 +-
+ .../av/media/libstagefright/MetaData.cpp           | 35 ++++++++++++++--------
+ 2 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
+index 30d969d..0a8ff77 100644
+--- a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
++++ b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
+@@ -248,7 +248,7 @@ private:
+             return mSize <= sizeof(u.reservoir);
+         }
+ 
+-        void allocateStorage(size_t size);
++        bool allocateStorage(size_t size);
+         void freeStorage();
+ 
+         void *storage() {
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
+index c832c96..cba324d 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
+@@ -220,7 +220,7 @@ bool MetaData::findData(uint32_t key, uint32_t *type,
+ }
+ 
+ MetaData::typed_data::typed_data()
+-    : mType(0),
++    : mType(TYPE_NONE),
+       mSize(0) {
+ }
+ 
+@@ -231,17 +231,19 @@ MetaData::typed_data::~typed_data() {
+ MetaData::typed_data::typed_data(const typed_data &from)
+     : mType(from.mType),
+       mSize(0) {
+-    allocateStorage(from.mSize);
+-    memcpy(storage(), from.storage(), mSize);
++    if (allocateStorage(from.mSize)) {
++        memcpy(storage(), from.storage(), mSize);
++    }
+ }
+ 
+ MetaData::typed_data &MetaData::typed_data::operator=(
+         const MetaData::typed_data &from) {
+     if (this != &from) {
+         clear();
+-        mType = from.mType;
+-        allocateStorage(from.mSize);
+-        memcpy(storage(), from.storage(), mSize);
++        if (allocateStorage(from.mSize)) {
++            mType = from.mType;
++            memcpy(storage(), from.storage(), mSize);
++        }
+     }
+ 
+     return *this;
+@@ -250,16 +252,17 @@ MetaData::typed_data &MetaData::typed_data::operator=(
+ void MetaData::typed_data::clear() {
+     freeStorage();
+ 
+-    mType = 0;
++    mType = TYPE_NONE;
+ }
+ 
+ void MetaData::typed_data::setData(
+         uint32_t type, const void *data, size_t size) {
+     clear();
+ 
+-    mType = type;
+-    allocateStorage(size);
+-    memcpy(storage(), data, size);
++    if (allocateStorage(size)) {
++        mType = type;
++        memcpy(storage(), data, size);
++    }
+ }
+ 
+ void MetaData::typed_data::getData(
+@@ -269,14 +272,22 @@ void MetaData::typed_data::getData(
+     *data = storage();
+ }
+ 
+-void MetaData::typed_data::allocateStorage(size_t size) {
++bool MetaData::typed_data::allocateStorage(size_t size) {
++    // Update mSize now, as it is needed by usesReservoir() below.
++    // (mSize will be reset if the allocation fails further below.)
+     mSize = size;
+ 
+     if (usesReservoir()) {
+-        return;
++        return true;
+     }
+ 
+     u.ext_data = malloc(mSize);
++    if (!u.ext_data) {
++      mType = TYPE_NONE;
++      mSize = 0;
++      return false;
++    }
++    return true;
+ }
+ 
+ void MetaData::typed_data::freeStorage() {
+-- 
+2.6.3
+