Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-1935.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-1935.patch77
1 files changed, 77 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-1935.patch b/gnu/packages/patches/icecat-CVE-2016-1935.patch
new file mode 100644
index 0000000000..a6db4b9b6a
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1935.patch
@@ -0,0 +1,77 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/f9aad6c0253a
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-03/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1220450
+
+# HG changeset patch
+# User Jeff Gilbert <jgilbert@mozilla.com>
+# Date 1452570660 28800
+# Node ID f9aad6c0253a3b81699a3d7a05e78615dd814ea3
+# Parent  c47640f24251b48c0bba9d2f0f6ee059eca58362
+Bug 1220450 - Clear length on cache OOM. r=kamidphish, a=ritu
+
+diff --git a/dom/canvas/WebGLContextBuffers.cpp b/dom/canvas/WebGLContextBuffers.cpp
+--- a/dom/canvas/WebGLContextBuffers.cpp
++++ b/dom/canvas/WebGLContextBuffers.cpp
+@@ -185,16 +185,17 @@ WebGLContext::BufferData(GLenum target, 
+ 
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+ 
+     boundBuffer->SetByteLength(size);
+     if (!boundBuffer->ElementArrayCacheBufferData(nullptr, size)) {
++        boundBuffer->SetByteLength(0);
+         return ErrorOutOfMemory("bufferData: out of memory");
+     }
+ }
+ 
+ void
+ WebGLContext::BufferData(GLenum target,
+                          const dom::Nullable<dom::ArrayBuffer>& maybeData,
+                          GLenum usage)
+@@ -234,18 +235,20 @@ WebGLContext::BufferData(GLenum target,
+     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+ 
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+ 
+     boundBuffer->SetByteLength(data.Length());
+-    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
++    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
++        boundBuffer->SetByteLength(0);
+         return ErrorOutOfMemory("bufferData: out of memory");
++    }
+ }
+ 
+ void
+ WebGLContext::BufferData(GLenum target, const dom::ArrayBufferView& data,
+                          GLenum usage)
+ {
+     if (IsContextLost())
+         return;
+@@ -274,18 +277,20 @@ WebGLContext::BufferData(GLenum target, 
+ 
+     GLenum error = CheckedBufferData(target, data.Length(), data.Data(), usage);
+     if (error) {
+         GenerateWarning("bufferData generated error %s", ErrorName(error));
+         return;
+     }
+ 
+     boundBuffer->SetByteLength(data.Length());
+-    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length()))
++    if (!boundBuffer->ElementArrayCacheBufferData(data.Data(), data.Length())) {
++        boundBuffer->SetByteLength(0);
+         return ErrorOutOfMemory("bufferData: out of memory");
++    }
+ }
+ 
+ void
+ WebGLContext::BufferSubData(GLenum target, WebGLsizeiptr byteOffset,
+                             const dom::Nullable<dom::ArrayBuffer>& maybeData)
+ {
+     if (IsContextLost())
+         return;
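Review bot: The added `boundBuffer->SetByteLength(0);` lines in the three `BufferData` overloads carry no comment naming the invariant they restore, and the fix depends on every failure path remembering to undo the `SetByteLength(...)` call made just before the cache allocation. A comment at each site would record the intent, for example `// Cache alloc failed: reset the length so later bounds checks do not trust a size the element-array cache does not back.` It would be more robust to record the length only after `ElementArrayCacheBufferData` succeeds, provided that call does not itself read the byte length, which is not visible here. The bodies of the overloads begin outside the hunk context, so this page cannot show whether any other early return leaves a stale length behind.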
+