diff options
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-0801.patch | 162 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-0807.patch | 30 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch | 63 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch | 89 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch | 37 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-0816.patch | 76 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-0817.patch | 44 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch | 67 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch | 28 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-bug-1127780.patch | 25 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-bug-1145870.patch | 43 |
11 files changed, 0 insertions, 664 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-0801.patch b/gnu/packages/patches/icecat-CVE-2015-0801.patch deleted file mode 100644 index 9d858523b9..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-0801.patch +++ /dev/null @@ -1,162 +0,0 @@ -From 4ca86283a71427f27e810d77c8e75418f6428457 Mon Sep 17 00:00:00 2001 -From: Olli Pettay <Olli.Pettay@helsinki.fi> -Date: Mon, 23 Mar 2015 22:23:53 -0400 -Subject: [PATCH] Bug 1146339 - Do anchor scrolling right before dispatching - popstate/hashchange. r=bz, a=lmandel - ---- - docshell/base/nsDocShell.cpp | 64 +++++++++++++++++++++----------------------- - docshell/base/nsDocShell.h | 1 - - 2 files changed, 30 insertions(+), 35 deletions(-) - -diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp -index bdf88a5cf..efb6a6e 100644 ---- a/docshell/base/nsDocShell.cpp -+++ b/docshell/base/nsDocShell.cpp -@@ -1322,7 +1322,7 @@ nsDocShell::LoadURI(nsIURI * aURI, - - // Note: we allow loads to get through here even if mFiredUnloadEvent is - // true; that case will get handled in LoadInternal or LoadHistoryEntry. -- if (IsPrintingOrPP() || mBlockNavigation) { -+ if (IsPrintingOrPP()) { - return NS_OK; // JS may not handle returning of an error code - } - -@@ -4206,7 +4206,8 @@ bool - nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog) - { - bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) && -- !mFiredUnloadEvent && !mBlockNavigation; if (!isAllowed) { -+ !mFiredUnloadEvent; -+ if (!isAllowed) { - return false; - } - if (!mContentViewer) { -@@ -8901,8 +8902,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, - - NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE); - -- NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED); -- - // wyciwyg urls can only be loaded through history. Any normal load of - // wyciwyg through docshell is illegal. Disallow such loads. - if (aLoadType & LOAD_CMD_NORMAL) { -@@ -9324,19 +9323,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, - GetCurScrollPos(ScrollOrientation_X, &cx); - GetCurScrollPos(ScrollOrientation_Y, &cy); - -- { -- AutoRestore<bool> scrollingToAnchor(mBlockNavigation); -- mBlockNavigation = true; -- -- // ScrollToAnchor doesn't necessarily cause us to scroll the window; -- // the function decides whether a scroll is appropriate based on the -- // arguments it receives. But even if we don't end up scrolling, -- // ScrollToAnchor performs other important tasks, such as informing -- // the presShell that we have a new hash. See bug 680257. -- rv = ScrollToAnchor(curHash, newHash, aLoadType); -- NS_ENSURE_SUCCESS(rv, rv); -- } -- - // Reset mLoadType to its original value once we exit this block, - // because this short-circuited load might have started after a - // normal, network load, and we don't want to clobber its load type. -@@ -9424,16 +9410,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, - mOSHE->SetCacheKey(cacheKey); - } - -- /* restore previous position of scroller(s), if we're moving -- * back in history (bug 59774) -- */ -- if (mOSHE && (aLoadType == LOAD_HISTORY || aLoadType == LOAD_RELOAD_NORMAL)) -- { -- nscoord bx, by; -- mOSHE->GetScrollPosition(&bx, &by); -- SetCurScrollPosEx(bx, by); -- } -- - /* Restore the original LSHE if we were loading something - * while short-circuited load was initiated. - */ -@@ -9471,12 +9447,36 @@ nsDocShell::InternalLoad(nsIURI * aURI, - - SetDocCurrentStateObj(mOSHE); - -+ // Inform the favicon service that the favicon for oldURI also -+ // applies to aURI. -+ CopyFavicon(currentURI, aURI, mInPrivateBrowsing); -+ -+ nsRefPtr<nsGlobalWindow> win = mScriptGlobal ? -+ mScriptGlobal->GetCurrentInnerWindowInternal() : nullptr; -+ -+ // ScrollToAnchor doesn't necessarily cause us to scroll the window; -+ // the function decides whether a scroll is appropriate based on the -+ // arguments it receives. But even if we don't end up scrolling, -+ // ScrollToAnchor performs other important tasks, such as informing -+ // the presShell that we have a new hash. See bug 680257. -+ rv = ScrollToAnchor(curHash, newHash, aLoadType); -+ NS_ENSURE_SUCCESS(rv, rv); -+ -+ /* restore previous position of scroller(s), if we're moving -+ * back in history (bug 59774) -+ */ -+ if (mOSHE && (aLoadType == LOAD_HISTORY || -+ aLoadType == LOAD_RELOAD_NORMAL)) { -+ nscoord bx, by; -+ mOSHE->GetScrollPosition(&bx, &by); -+ SetCurScrollPosEx(bx, by); -+ } -+ - // Dispatch the popstate and hashchange events, as appropriate. - // - // The event dispatch below can cause us to re-enter script and - // destroy the docshell, nulling out mScriptGlobal. Hold a stack - // reference to avoid null derefs. See bug 914521. -- nsRefPtr<nsGlobalWindow> win = mScriptGlobal; - if (win) { - // Fire a hashchange event URIs differ, and only in their hashes. - bool doHashchange = sameExceptHashes && !curHash.Equals(newHash); -@@ -9492,10 +9492,6 @@ nsDocShell::InternalLoad(nsIURI * aURI, - } - } - -- // Inform the favicon service that the favicon for oldURI also -- // applies to aURI. -- CopyFavicon(currentURI, aURI, mInPrivateBrowsing); -- - return NS_OK; - } - } -@@ -12573,7 +12569,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent, - { - NS_ASSERTION(NS_IsMainThread(), "wrong thread"); - -- if (!IsOKToLoadURI(aURI) || mBlockNavigation) { -+ if (!IsOKToLoadURI(aURI)) { - return NS_OK; - } - -@@ -12629,7 +12625,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent, - *aRequest = nullptr; - } - -- if (!IsOKToLoadURI(aURI) || mBlockNavigation) { -+ if (!IsOKToLoadURI(aURI)) { - return NS_OK; - } - -diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h -index be353ee..c191777 100644 ---- a/docshell/base/nsDocShell.h -+++ b/docshell/base/nsDocShell.h -@@ -835,7 +835,6 @@ protected: - bool mInPrivateBrowsing; - bool mUseRemoteTabs; - bool mDeviceSizeIsPageSize; -- bool mBlockNavigation; - - // Because scriptability depends on the mAllowJavascript values of our - // ancestors, we cache the effective scriptability and recompute it when --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-CVE-2015-0807.patch b/gnu/packages/patches/icecat-CVE-2015-0807.patch deleted file mode 100644 index 833bc36d6b..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-0807.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 1b97832a8ae9983e4f15befe142f5ea0626707f1 Mon Sep 17 00:00:00 2001 -From: Christoph Kerschbaumer <mozilla@christophkerschbaumer.com> -Date: Thu, 19 Feb 2015 13:43:40 -0800 -Subject: [PATCH] Bug 1111834 - CORS request after preflight should not follow - 30x redirect. r=sicking, a=lmandel - ---- - dom/base/Navigator.cpp | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/dom/base/Navigator.cpp b/dom/base/Navigator.cpp -index 020e370..727b7cb7 100644 ---- a/dom/base/Navigator.cpp -+++ b/dom/base/Navigator.cpp -@@ -1278,6 +1278,12 @@ Navigator::SendBeacon(const nsAString& aUrl, - !contentType.Equals(APPLICATION_WWW_FORM_URLENCODED) && - !contentType.Equals(MULTIPART_FORM_DATA) && - !contentType.Equals(TEXT_PLAIN)) { -+ -+ // we need to set the sameOriginChecker as a notificationCallback -+ // so we can tell the channel not to follow redirects -+ nsCOMPtr<nsIInterfaceRequestor> soc = nsContentUtils::GetSameOriginChecker(); -+ channel->SetNotificationCallbacks(soc); -+ - nsCOMPtr<nsIChannel> preflightChannel; - nsTArray<nsCString> unsafeHeaders; - unsafeHeaders.AppendElement(NS_LITERAL_CSTRING("Content-Type")); --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch deleted file mode 100644 index 1dd5e20c67..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001 -From: Steve Fink <sfink@mozilla.com> -Date: Mon, 12 Jan 2015 14:19:27 -0800 -Subject: [PATCH] Bug 1137326 - Fix out of bounds error in - JS_iterateCompartments. r=terrence, a=abillings - ---- - js/src/gc/Zone.h | 11 ++++++----- - js/src/jsapi.h | 5 +++-- - 2 files changed, 9 insertions(+), 7 deletions(-) - -diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h -index cbbde6b..612defe 100644 ---- a/js/src/gc/Zone.h -+++ b/js/src/gc/Zone.h -@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter - // This is for the benefit of CompartmentsIterT::comp. - friend class mozilla::Maybe<CompartmentsInZoneIter>; - private: -- JSCompartment **it, **end; -+ JS::Zone *zone; -+ JSCompartment **it; - - CompartmentsInZoneIter() -- : it(nullptr), end(nullptr) -+ : zone(nullptr), it(nullptr) - {} - - public: -- explicit CompartmentsInZoneIter(JS::Zone *zone) { -+ explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) { - it = zone->compartments.begin(); -- end = zone->compartments.end(); - } - - bool done() const { - JS_ASSERT(it); -- return it == end; -+ return it < zone->compartments.begin() || -+ it >= zone->compartments.end(); - } - void next() { - JS_ASSERT(!done()); -diff --git a/js/src/jsapi.h b/js/src/jsapi.h -index 5ae1f86..40fdb37 100644 ---- a/js/src/jsapi.h -+++ b/js/src/jsapi.h -@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment); - typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment); - - /* -- * This function calls |compartmentCallback| on every compartment. Beware that -+ * This function calls |compartmentCallback| on every compartment. Beware that - * there is no guarantee that the compartment will survive after the callback -- * returns. -+ * returns. Also, if the callback can GC, there is no guarantee that every -+ * compartment will be visited. - */ - extern JS_PUBLIC_API(void) - JS_IterateCompartments(JSRuntime *rt, void *data, --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch deleted file mode 100644 index 0a0cbed177..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-0815-pt2.patch +++ /dev/null @@ -1,89 +0,0 @@ -From f6d39ec03896eaf5d30d79d8165263c98e957749 Mon Sep 17 00:00:00 2001 -From: Nathan Froyd <froydnj@mozilla.com> -Date: Fri, 6 Feb 2015 16:19:36 -0500 -Subject: [PATCH] Bug 1036515 - Narrow the scope of unlocking mMonitor in - nsTimerImpl::PostTimerEvents. r=bsmedberg, a=abillings - ---- - xpcom/threads/TimerThread.cpp | 55 ++++++++++++++++++++++--------------------- - 1 file changed, 28 insertions(+), 27 deletions(-) - -diff --git a/xpcom/threads/TimerThread.cpp b/xpcom/threads/TimerThread.cpp -index bd586c9..b95846f 100644 ---- a/xpcom/threads/TimerThread.cpp -+++ b/xpcom/threads/TimerThread.cpp -@@ -239,43 +239,44 @@ NS_IMETHODIMP TimerThread::Run() - RemoveTimerInternal(timer); - timer = nullptr; - -+#ifdef DEBUG_TIMERS -+ if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) { -+ PR_LOG(GetTimerLog(), PR_LOG_DEBUG, -+ ("Timer thread woke up %fms from when it was supposed to\n", -+ fabs((now - timerRef->mTimeout).ToMilliseconds()))); -+ } -+#endif -+ - { - // We release mMonitor around the Fire call to avoid deadlock. - MonitorAutoUnlock unlock(mMonitor); - --#ifdef DEBUG_TIMERS -- if (PR_LOG_TEST(GetTimerLog(), PR_LOG_DEBUG)) { -- PR_LOG(GetTimerLog(), PR_LOG_DEBUG, -- ("Timer thread woke up %fms from when it was supposed to\n", -- fabs((now - timerRef->mTimeout).ToMilliseconds()))); -- } --#endif - - // We are going to let the call to PostTimerEvent here handle the - // release of the timer so that we don't end up releasing the timer - // on the TimerThread instead of on the thread it targets. - timerRef = nsTimerImpl::PostTimerEvent(timerRef.forget()); -+ } - -- if (timerRef) { -- // We got our reference back due to an error. -- // Unhook the nsRefPtr, and release manually so we can get the -- // refcount. -- nsrefcnt rc = timerRef.forget().take()->Release(); -- (void)rc; -- -- // The nsITimer interface requires that its users keep a reference -- // to the timers they use while those timers are initialized but -- // have not yet fired. If this ever happens, it is a bug in the -- // code that created and used the timer. -- // -- // Further, note that this should never happen even with a -- // misbehaving user, because nsTimerImpl::Release checks for a -- // refcount of 1 with an armed timer (a timer whose only reference -- // is from the timer thread) and when it hits this will remove the -- // timer from the timer thread and thus destroy the last reference, -- // preventing this situation from occurring. -- MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!"); -- } -+ if (timerRef) { -+ // We got our reference back due to an error. -+ // Unhook the nsRefPtr, and release manually so we can get the -+ // refcount. -+ nsrefcnt rc = timerRef.forget().take()->Release(); -+ (void)rc; -+ -+ // The nsITimer interface requires that its users keep a reference -+ // to the timers they use while those timers are initialized but -+ // have not yet fired. If this ever happens, it is a bug in the -+ // code that created and used the timer. -+ // -+ // Further, note that this should never happen even with a -+ // misbehaving user, because nsTimerImpl::Release checks for a -+ // refcount of 1 with an armed timer (a timer whose only reference -+ // is from the timer thread) and when it hits this will remove the -+ // timer from the timer thread and thus destroy the last reference, -+ // preventing this situation from occurring. -+ MOZ_ASSERT(rc != 0, "destroyed timer off its target thread!"); - } - - if (mShutdown) --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch deleted file mode 100644 index 5ac053df78..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-0815-pt3.patch +++ /dev/null @@ -1,37 +0,0 @@ -From e7fc74f6a281c12a4a406f2dd20ff2c27a61484d Mon Sep 17 00:00:00 2001 -From: Brian Hackett <bhackett1024@gmail.com> -Date: Sun, 8 Mar 2015 22:10:01 -0400 -Subject: [PATCH] Bug 1138199. r=billm, a=lmandel - ---- - js/src/ds/LifoAlloc.h | 12 ++++++------ - 1 file changed, 6 insertions(+), 6 deletions(-) - -diff --git a/js/src/ds/LifoAlloc.h b/js/src/ds/LifoAlloc.h -index 7617cf5..b112353 100644 ---- a/js/src/ds/LifoAlloc.h -+++ b/js/src/ds/LifoAlloc.h -@@ -193,14 +193,14 @@ class LifoAlloc - - // Append used chunks to the end of this LifoAlloc. We act as if all the - // chunks in |this| are used, even if they're not, so memory may be wasted. -- void appendUsed(BumpChunk *start, BumpChunk *latest, BumpChunk *end) { -- JS_ASSERT(start && latest && end); -+ void appendUsed(BumpChunk *otherFirst, BumpChunk *otherLatest, BumpChunk *otherLast) { -+ JS_ASSERT(otherFirst && otherLatest && otherLast); - if (last) -- last->setNext(start); -+ last->setNext(otherFirst); - else -- first = latest = start; -- last = end; -- this->latest = latest; -+ first = otherFirst; -+ latest = otherLatest; -+ last = otherLast; - } - - void incrementCurSize(size_t size) { --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-CVE-2015-0816.patch b/gnu/packages/patches/icecat-CVE-2015-0816.patch deleted file mode 100644 index 5632e37eb3..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-0816.patch +++ /dev/null @@ -1,76 +0,0 @@ -From ae49ed04f54c2f78d6ba7e545e0099602a3270fa Mon Sep 17 00:00:00 2001 -From: Boris Zbarsky <bzbarsky@mit.edu> -Date: Thu, 19 Mar 2015 18:58:44 -0400 -Subject: [PATCH] Bug 1144991 - Be a bit more restrictive about when a - URI_IS_UI_RESOURCE source is allowed to link to a URI_IS_UI_RESOURCE URI that - doesn't have the same scheme. r=bholley, a=abillings - ---- - caps/src/nsScriptSecurityManager.cpp | 38 +++++++++++++++++++++++++----------- - 1 file changed, 27 insertions(+), 11 deletions(-) - -diff --git a/caps/src/nsScriptSecurityManager.cpp b/caps/src/nsScriptSecurityManager.cpp -index 3587358..6577b95 100644 ---- a/caps/src/nsScriptSecurityManager.cpp -+++ b/caps/src/nsScriptSecurityManager.cpp -@@ -770,12 +770,31 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, - NS_ENSURE_SUCCESS(rv, rv); - if (hasFlags) { - if (aFlags & nsIScriptSecurityManager::ALLOW_CHROME) { -+ -+ // For now, don't change behavior for resource:// or moz-icon:// and -+ // just allow them. - if (!targetScheme.EqualsLiteral("chrome")) { -- // for now don't change behavior for resource: or moz-icon: - return NS_OK; - } - -- // allow load only if chrome package is whitelisted -+ // Allow a URI_IS_UI_RESOURCE source to link to a URI_IS_UI_RESOURCE -+ // target if ALLOW_CHROME is set. -+ // -+ // ALLOW_CHROME is a flag that we pass on all loads _except_ docshell -+ // loads (since docshell loads run the loaded content with its origin -+ // principal). So we're effectively allowing resource://, chrome://, -+ // and moz-icon:// source URIs to load resource://, chrome://, and -+ // moz-icon:// files, so long as they're not loading it as a document. -+ bool sourceIsUIResource; -+ rv = NS_URIChainHasFlags(sourceBaseURI, -+ nsIProtocolHandler::URI_IS_UI_RESOURCE, -+ &sourceIsUIResource); -+ NS_ENSURE_SUCCESS(rv, rv); -+ if (sourceIsUIResource) { -+ return NS_OK; -+ } -+ -+ // Allow the load only if the chrome package is whitelisted. - nsCOMPtr<nsIXULChromeRegistry> reg(do_GetService( - NS_CHROMEREGISTRY_CONTRACTID)); - if (reg) { -@@ -787,17 +806,14 @@ nsScriptSecurityManager::CheckLoadURIWithPrincipal(nsIPrincipal* aPrincipal, - } - } - -- // resource: and chrome: are equivalent, securitywise -- // That's bogus!! Fix this. But watch out for -- // the view-source stylesheet? -- bool sourceIsChrome; -- rv = NS_URIChainHasFlags(sourceBaseURI, -- nsIProtocolHandler::URI_IS_UI_RESOURCE, -- &sourceIsChrome); -- NS_ENSURE_SUCCESS(rv, rv); -- if (sourceIsChrome) { -+ // Special-case the hidden window: it's allowed to load -+ // URI_IS_UI_RESOURCE no matter what. Bug 1145470 tracks removing this. -+ nsAutoCString sourceSpec; -+ if (NS_SUCCEEDED(sourceBaseURI->GetSpec(sourceSpec)) && -+ sourceSpec.EqualsLiteral("resource://gre-resources/hiddenWindow.html")) { - return NS_OK; - } -+ - if (reportErrors) { - ReportError(nullptr, errorTag, sourceURI, aTargetURI); - } --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-CVE-2015-0817.patch b/gnu/packages/patches/icecat-CVE-2015-0817.patch deleted file mode 100644 index bb530a535d..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-0817.patch +++ /dev/null @@ -1,44 +0,0 @@ -From cedbdf8290018fbef65458e9e438c72adf2c2775 Mon Sep 17 00:00:00 2001 -From: Steve Fink <sfink@mozilla.com> -Date: Thu, 19 Mar 2015 15:46:24 -0700 -Subject: [PATCH] Bug 1145255. r=luke, a=lmandel - ---- - js/src/jit/AsmJS.cpp | 13 +++++++++++-- - 1 file changed, 11 insertions(+), 2 deletions(-) - -diff --git a/js/src/jit/AsmJS.cpp b/js/src/jit/AsmJS.cpp -index 302b5ab..1b8eed6 100644 ---- a/js/src/jit/AsmJS.cpp -+++ b/js/src/jit/AsmJS.cpp -@@ -14,6 +14,7 @@ - - #include "jsmath.h" - #include "jsprf.h" -+#include "jsutil.h" - #include "jsworkers.h" - #include "prmjtime.h" - -@@ -3432,9 +3433,17 @@ FoldMaskedArrayIndex(FunctionCompiler &f, ParseNode **indexExpr, int32_t *mask, - if (IsLiteralOrConstInt(f, maskNode, &mask2)) { - // Flag the access to skip the bounds check if the mask ensures that an 'out of - // bounds' access can not occur based on the current heap length constraint. -- if (mask2 == 0 || -- CountLeadingZeroes32(f.m().minHeapLength() - 1) <= CountLeadingZeroes32(mask2)) { -+ if (mask2 == 0) { - *needsBoundsCheck = NO_BOUNDS_CHECK; -+ } else { -+ uint32_t minHeap = f.m().minHeapLength(); -+ uint32_t minHeapZeroes = CountLeadingZeroes32(minHeap - 1); -+ uint32_t maskZeroes = CountLeadingZeroes32(mask2); -+ if ((minHeapZeroes < maskZeroes) || -+ (IsPowerOfTwo(minHeap) && minHeapZeroes == maskZeroes)) -+ { -+ *needsBoundsCheck = NO_BOUNDS_CHECK; -+ } - } - *mask &= mask2; - *indexExpr = indexNode; --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch deleted file mode 100644 index 5d396eed6b..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-0818-pt1.patch +++ /dev/null @@ -1,67 +0,0 @@ -From 79dddb16aaa58f5b5cef49dac6d234f500af3baf Mon Sep 17 00:00:00 2001 -From: Olli Pettay <Olli.Pettay@helsinki.fi> -Date: Thu, 19 Mar 2015 21:53:32 -0400 -Subject: [PATCH] Bug 1144988 - Don't let other pages to load while doing - scroll-to-anchor. r=bz, a=lmandel - ---- - docshell/base/nsDocShell.cpp | 23 ++++++++++++++--------- - docshell/base/nsDocShell.h | 1 + - 2 files changed, 15 insertions(+), 9 deletions(-) - -diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp -index 887c910..14ff3f2 100644 ---- a/docshell/base/nsDocShell.cpp -+++ b/docshell/base/nsDocShell.cpp -@@ -4204,8 +4204,8 @@ nsDocShell::IsPrintingOrPP(bool aDisplayErrorDialog) - bool - nsDocShell::IsNavigationAllowed(bool aDisplayPrintErrorDialog) - { -- bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) && !mFiredUnloadEvent; -- if (!isAllowed) { -+ bool isAllowed = !IsPrintingOrPP(aDisplayPrintErrorDialog) && -+ !mFiredUnloadEvent && !mBlockNavigation; if (!isAllowed) { - return false; - } - if (!mContentViewer) { -@@ -9321,13 +9321,18 @@ nsDocShell::InternalLoad(nsIURI * aURI, - GetCurScrollPos(ScrollOrientation_X, &cx); - GetCurScrollPos(ScrollOrientation_Y, &cy); - -- // ScrollToAnchor doesn't necessarily cause us to scroll the window; -- // the function decides whether a scroll is appropriate based on the -- // arguments it receives. But even if we don't end up scrolling, -- // ScrollToAnchor performs other important tasks, such as informing -- // the presShell that we have a new hash. See bug 680257. -- rv = ScrollToAnchor(curHash, newHash, aLoadType); -- NS_ENSURE_SUCCESS(rv, rv); -+ { -+ AutoRestore<bool> scrollingToAnchor(mBlockNavigation); -+ mBlockNavigation = true; -+ -+ // ScrollToAnchor doesn't necessarily cause us to scroll the window; -+ // the function decides whether a scroll is appropriate based on the -+ // arguments it receives. But even if we don't end up scrolling, -+ // ScrollToAnchor performs other important tasks, such as informing -+ // the presShell that we have a new hash. See bug 680257. -+ rv = ScrollToAnchor(curHash, newHash, aLoadType); -+ NS_ENSURE_SUCCESS(rv, rv); -+ } - - // Reset mLoadType to its original value once we exit this block, - // because this short-circuited load might have started after a -diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h -index c191777..be353ee 100644 ---- a/docshell/base/nsDocShell.h -+++ b/docshell/base/nsDocShell.h -@@ -835,6 +835,7 @@ protected: - bool mInPrivateBrowsing; - bool mUseRemoteTabs; - bool mDeviceSizeIsPageSize; -+ bool mBlockNavigation; - - // Because scriptability depends on the mAllowJavascript values of our - // ancestors, we cache the effective scriptability and recompute it when --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch deleted file mode 100644 index 4eac5df4db..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-0818-pt2.patch +++ /dev/null @@ -1,28 +0,0 @@ -From 83364c747c421b191f9d4012896a9e5a1d5223ad Mon Sep 17 00:00:00 2001 -From: Kyle Huey <khuey@kylehuey.com> -Date: Fri, 20 Mar 2015 19:15:13 -0700 -Subject: [PATCH] Bug 1144988. r=bz a=lmandel - ---- - docshell/base/nsDocShell.cpp | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp -index 4cddcef..bdf88a5cf 100644 ---- a/docshell/base/nsDocShell.cpp -+++ b/docshell/base/nsDocShell.cpp -@@ -1322,9 +1322,10 @@ nsDocShell::LoadURI(nsIURI * aURI, - - // Note: we allow loads to get through here even if mFiredUnloadEvent is - // true; that case will get handled in LoadInternal or LoadHistoryEntry. -- if (IsPrintingOrPP()) { -+ if (IsPrintingOrPP() || mBlockNavigation) { - return NS_OK; // JS may not handle returning of an error code - } -+ - nsCOMPtr<nsIURI> referrer; - nsCOMPtr<nsIInputStream> postStream; - nsCOMPtr<nsIInputStream> headersStream; --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-bug-1127780.patch b/gnu/packages/patches/icecat-bug-1127780.patch deleted file mode 100644 index c433616087..0000000000 --- a/gnu/packages/patches/icecat-bug-1127780.patch +++ /dev/null @@ -1,25 +0,0 @@ -From cf1de3d04302841aaa05aed8364da3399cbca9b4 Mon Sep 17 00:00:00 2001 -From: Bobby Holley <bobbyholley@gmail.com> -Date: Tue, 17 Feb 2015 17:47:12 -0500 -Subject: [PATCH] Bug 1127780 - Add null check. r=bz, a=bkerensa - ---- - js/xpconnect/wrappers/XrayWrapper.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/js/xpconnect/wrappers/XrayWrapper.h b/js/xpconnect/wrappers/XrayWrapper.h -index ead095f1..cc8c580 100644 ---- a/js/xpconnect/wrappers/XrayWrapper.h -+++ b/js/xpconnect/wrappers/XrayWrapper.h -@@ -131,7 +131,7 @@ class XrayWrapper : public Base { - { - if (!Base::getPrototypeOf(cx, wrapper, protop)) - return false; -- if (WrapperFactory::IsXrayWrapper(protop)) -+ if (!protop || WrapperFactory::IsXrayWrapper(protop)) - return true; - - protop.set(JS_GetObjectPrototype(cx, wrapper)); --- -2.2.1 - diff --git a/gnu/packages/patches/icecat-bug-1145870.patch b/gnu/packages/patches/icecat-bug-1145870.patch deleted file mode 100644 index 34a018c697..0000000000 --- a/gnu/packages/patches/icecat-bug-1145870.patch +++ /dev/null @@ -1,43 +0,0 @@ -From a40e2ebc2ab57dacb539d4e49ed4193764ff7112 Mon Sep 17 00:00:00 2001 -From: Kyle Huey <khuey@kylehuey.com> -Date: Fri, 20 Mar 2015 19:05:56 -0700 -Subject: [PATCH] Bug 1145870. r=bz a=lmandel - ---- - docshell/base/nsDocShell.cpp | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp -index 14ff3f2..4cddcef 100644 ---- a/docshell/base/nsDocShell.cpp -+++ b/docshell/base/nsDocShell.cpp -@@ -8900,6 +8900,8 @@ nsDocShell::InternalLoad(nsIURI * aURI, - - NS_ENSURE_TRUE(!mIsBeingDestroyed, NS_ERROR_NOT_AVAILABLE); - -+ NS_ENSURE_TRUE(!mBlockNavigation, NS_ERROR_UNEXPECTED); -+ - // wyciwyg urls can only be loaded through history. Any normal load of - // wyciwyg through docshell is illegal. Disallow such loads. - if (aLoadType & LOAD_CMD_NORMAL) { -@@ -12570,7 +12572,7 @@ nsDocShell::OnLinkClick(nsIContent* aContent, - { - NS_ASSERTION(NS_IsMainThread(), "wrong thread"); - -- if (!IsOKToLoadURI(aURI)) { -+ if (!IsOKToLoadURI(aURI) || mBlockNavigation) { - return NS_OK; - } - -@@ -12626,7 +12628,7 @@ nsDocShell::OnLinkClickSync(nsIContent *aContent, - *aRequest = nullptr; - } - -- if (!IsOKToLoadURI(aURI)) { -+ if (!IsOKToLoadURI(aURI) || mBlockNavigation) { - return NS_OK; - } - --- -2.2.1 - |