summary refs log tree commit diff
path: root/gnu
diff options
context:
space:
mode:
Diffstat (limited to 'gnu')
-rw-r--r--gnu/packages/gnuzilla.scm19
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch123
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch29
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch35
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7205.patch84
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7210.patch47
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7212.patch364
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch32
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch27
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7214.patch47
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch112
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch34
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch37
-rw-r--r--gnu/packages/patches/icecat-freetype-2.6.patch14
14 files changed, 3 insertions, 1001 deletions
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 3172bc8c45..40a13e7939 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -266,7 +266,7 @@ standards.")
 (define-public icecat
   (package
     (name "icecat")
-    (version "38.4.0-gnu1")
+    (version "38.5.0-gnu1")
     (source
      (origin
       (method url-fetch)
@@ -275,21 +275,8 @@ standards.")
                           name "-" version ".tar.bz2"))
       (sha256
        (base32
-        "0rcaa19rfgclwd2qvcz8798m57jjzra6kaxg5dniysajvx7qndfp"))
-      (patches (map search-patch '("icecat-CVE-2015-7210.patch"
-                                   "icecat-CVE-2015-7205.patch"
-                                   "icecat-CVE-2015-7201-pt1.patch"
-                                   "icecat-CVE-2015-7201-pt2.patch"
-                                   "icecat-CVE-2015-7212.patch"
-                                   "icecat-CVE-2015-7213-pt1.patch"
-                                   "icecat-CVE-2015-7213-pt2.patch"
-                                   "icecat-CVE-2015-7222-pt1.patch"
-                                   "icecat-CVE-2015-7222-pt2.patch"
-                                   "icecat-CVE-2015-7222-pt3.patch"
-                                   "icecat-CVE-2015-7214.patch"
-                                   "icecat-CVE-2015-7201-pt3.patch"
-                                   "icecat-avoid-bundled-includes.patch"
-                                   "icecat-freetype-2.6.patch")))
+        "1bf20mpvx84jsa0dan2hhfc49f30v0wasikv7sh3cg8mwp62faj6"))
+      (patches (map search-patch '("icecat-avoid-bundled-includes.patch")))
       (modules '((guix build utils)))
       (snippet
        '(begin
diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch
deleted file mode 100644
index 0fcfe9b409..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch
+++ /dev/null
@@ -1,123 +0,0 @@
-From e2bbd632e220be7626efd34acb9a517430d36004 Mon Sep 17 00:00:00 2001
-From: Andrew Comminos <andrew@comminos.com>
-Date: Fri, 23 Oct 2015 21:35:16 -0700
-Subject: [PATCH] Bug 1203135 - Terminate linking if maximum vertex attribute
- count is exceeded on Mesa. r=jgilbert, a=ritu
-
---HG--
-extra : source : 8021382da9722db0ad97ebd93698b69a74f0d9b0
-extra : intermediate-source : 90eff805d2810e9d9ea88f6869335b0500b1a536
----
- dom/canvas/WebGLProgram.cpp         | 28 ++++++++++++++++++----------
- dom/canvas/WebGLShader.cpp          | 10 ++++++++++
- dom/canvas/WebGLShader.h            |  1 +
- dom/canvas/WebGLShaderValidator.cpp |  6 ++++++
- dom/canvas/WebGLShaderValidator.h   |  1 +
- 5 files changed, 36 insertions(+), 10 deletions(-)
-
-diff --git a/dom/canvas/WebGLProgram.cpp b/dom/canvas/WebGLProgram.cpp
-index 78f7413..0e056e8 100644
---- a/dom/canvas/WebGLProgram.cpp
-+++ b/dom/canvas/WebGLProgram.cpp
-@@ -569,18 +569,26 @@ WebGLProgram::LinkProgram()
-     gl::GLContext* gl = mContext->gl;
-     gl->MakeCurrent();
- 
--    // Bug 777028: Mesa can't handle more than 16 samplers per program,
--    // counting each array entry.
--    size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() +
--                                           mFragShader->CalcNumSamplerUniforms();
-     if (gl->WorkAroundDriverBugs() &&
--        mContext->mIsMesa &&
--        numSamplerUniforms_upperBound > 16)
-+        mContext->mIsMesa)
-     {
--        mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on"
--                               " Mesa drivers to avoid crashing.");
--        mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
--        return false;
-+        // Bug 777028: Mesa can't handle more than 16 samplers per program,
-+        // counting each array entry.
-+        size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() +
-+                                               mFragShader->CalcNumSamplerUniforms();
-+        if (numSamplerUniforms_upperBound > 16) {
-+            mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on"
-+                                   " Mesa drivers to avoid crashing.");
-+            mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
-+            return false;
-+        }
-+
-+        // Bug 1203135: Mesa crashes internally if we exceed the reported maximum attribute count.
-+        if (mVertShader->NumAttributes() > mContext->MaxVertexAttribs()) {
-+            mLinkLog.AssignLiteral("Number of attributes exceeds Mesa's reported max attribute count.");
-+            mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
-+            return false;
-+        }
-     }
- 
-     // Bind the attrib locations.
-diff --git a/dom/canvas/WebGLShader.cpp b/dom/canvas/WebGLShader.cpp
-index 85a3809..bab4157 100644
---- a/dom/canvas/WebGLShader.cpp
-+++ b/dom/canvas/WebGLShader.cpp
-@@ -299,6 +299,16 @@ WebGLShader::CalcNumSamplerUniforms() const
-     return 0;
- }
- 
-+size_t
-+WebGLShader::NumAttributes() const
-+{
-+    if (mValidator)
-+        return mValidator->NumAttributes();
-+
-+    // TODO
-+    return 0;
-+}
-+
- void
- WebGLShader::BindAttribLocation(GLuint prog, const nsCString& userName,
-                                 GLuint index) const
-diff --git a/dom/canvas/WebGLShader.h b/dom/canvas/WebGLShader.h
-index 698e30c..2c80b16a 100644
---- a/dom/canvas/WebGLShader.h
-+++ b/dom/canvas/WebGLShader.h
-@@ -45,6 +45,7 @@ public:
-     // Util funcs
-     bool CanLinkTo(const WebGLShader* prev, nsCString* const out_log) const;
-     size_t CalcNumSamplerUniforms() const;
-+    size_t NumAttributes() const;
-     void BindAttribLocation(GLuint prog, const nsCString& userName, GLuint index) const;
-     bool FindAttribUserNameByMappedName(const nsACString& mappedName,
-                                         nsDependentCString* const out_userName) const;
-diff --git a/dom/canvas/WebGLShaderValidator.cpp b/dom/canvas/WebGLShaderValidator.cpp
-index 80005e2..8bedf88 100644
---- a/dom/canvas/WebGLShaderValidator.cpp
-+++ b/dom/canvas/WebGLShaderValidator.cpp
-@@ -274,6 +274,12 @@ ShaderValidator::CalcNumSamplerUniforms() const
-     return accum;
- }
- 
-+size_t
-+ShaderValidator::NumAttributes() const
-+{
-+  return ShGetAttributes(mHandle)->size();
-+}
-+
- // Attribs cannot be structs or arrays, and neither can vertex inputs in ES3.
- // Therefore, attrib names are always simple.
- bool
-diff --git a/dom/canvas/WebGLShaderValidator.h b/dom/canvas/WebGLShaderValidator.h
-index 35db2f1..1f794bf0 100644
---- a/dom/canvas/WebGLShaderValidator.h
-+++ b/dom/canvas/WebGLShaderValidator.h
-@@ -41,6 +41,7 @@ public:
-     void GetOutput(nsACString* out) const;
-     bool CanLinkTo(const ShaderValidator* prev, nsCString* const out_log) const;
-     size_t CalcNumSamplerUniforms() const;
-+    size_t NumAttributes() const;
- 
-     bool FindAttribUserNameByMappedName(const std::string& mappedName,
-                                         const std::string** const out_userName) const;
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch
deleted file mode 100644
index 3764371a11..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From f02e3252391f5fa79916e4c8f30b3d8340d06cc7 Mon Sep 17 00:00:00 2001
-From: "Carsten \"Tomcat\" Book" <cbook@mozilla.com>
-Date: Tue, 8 Dec 2015 12:38:15 +0100
-Subject: [PATCH] Bug 1225250 - fix stride on SourceSurfaceSkia when
- initialized from GPU texture. r=jmuizelaar, a=lizzard
-
----
- gfx/2d/SourceSurfaceSkia.cpp | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/gfx/2d/SourceSurfaceSkia.cpp b/gfx/2d/SourceSurfaceSkia.cpp
-index 4b95bc2..d7e0714 100644
---- a/gfx/2d/SourceSurfaceSkia.cpp
-+++ b/gfx/2d/SourceSurfaceSkia.cpp
-@@ -110,8 +110,10 @@ SourceSurfaceSkia::InitFromTexture(DrawTargetSkia* aOwner,
-   GrTexture *skiaTexture = aOwner->mGrContext->wrapBackendTexture(skiaTexGlue);
-   SkImageInfo imgInfo = SkImageInfo::Make(aSize.width, aSize.height, GfxFormatToSkiaColorType(aFormat), kOpaque_SkAlphaType);
-   SkGrPixelRef *texRef = new SkGrPixelRef(imgInfo, skiaTexture, false);
--  mBitmap.setInfo(imgInfo, aSize.width*aSize.height*4);
-+  mBitmap.setInfo(imgInfo);
-   mBitmap.setPixelRef(texRef);
-+  mFormat = aFormat;
-+  mStride = mBitmap.rowBytes();
- 
-   mDrawTarget = aOwner;
-   return true;
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch
deleted file mode 100644
index 022ab5cc16..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-From 567a97b6347ac8c2b93ec788c437b7e9bb23ef75 Mon Sep 17 00:00:00 2001
-From: Edwin Flores <eflores@mozilla.com>
-Date: Wed, 2 Dec 2015 16:15:29 +0100
-Subject: [PATCH] Bug 1224100 - Initialize padding to 0 in Downscaler. r=seth,
- a=sledru
-
----
- image/src/Downscaler.cpp | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
-index 24ecfda..2a7acfd 100644
---- a/image/src/Downscaler.cpp
-+++ b/image/src/Downscaler.cpp
-@@ -86,11 +86,16 @@ Downscaler::BeginFrame(const nsIntSize& aOriginalSize,
-                                mTargetSize.height, mYFilter.get());
- 
-   // Allocate the buffer, which contains scanlines of the original image.
--  mRowBuffer = MakeUnique<uint8_t[]>(mOriginalSize.width * sizeof(uint32_t));
-+  size_t bufferLen = mOriginalSize.width * sizeof(uint32_t);
-+  mRowBuffer = MakeUnique<uint8_t[]>(bufferLen);
-   if (MOZ_UNLIKELY(!mRowBuffer)) {
-     return NS_ERROR_OUT_OF_MEMORY;
-   }
- 
-+  // Zero buffer to keep valgrind happy.
-+  memset(mRowBuffer.get(), 0, bufferLen);
-+
-+
-   // Allocate the window, which contains horizontally downscaled scanlines. (We
-   // can store scanlines which are already downscale because our downscaling
-   // filter is separable.)
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7205.patch b/gnu/packages/patches/icecat-CVE-2015-7205.patch
deleted file mode 100644
index 620fa0d6bd..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7205.patch
+++ /dev/null
@@ -1,84 +0,0 @@
-From 20df7b0b3f3e7dd201c9811bbb1e6515da8da359 Mon Sep 17 00:00:00 2001
-From: Randell Jesup <rjesup@jesup.org>
-Date: Thu, 5 Nov 2015 10:17:29 -0500
-Subject: [PATCH] Bug 1220493 - validate RTP packets against underflows.
- r=pkerr a=sylvestre
-
---HG--
-extra : source : 575d3aa376b1c8e7507d94833f7b74bf963127cb
-extra : intermediate-source : 2c1b396ef5c3e2424fb9af56d86ebf6f6551a997
----
- .../webrtc/modules/rtp_rtcp/source/rtp_utility.cc  | 26 ++++++++++++----------
- 1 file changed, 14 insertions(+), 12 deletions(-)
-
-diff --git a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
-index 9334b23..80cf55a 100644
---- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
-+++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
-@@ -338,12 +338,6 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
-     return false;
-   }
- 
--  const uint8_t CSRCocts = CC * 4;
--
--  if ((ptr + CSRCocts) > _ptrRTPDataEnd) {
--    return false;
--  }
--
-   header.markerBit      = M;
-   header.payloadType    = PT;
-   header.sequenceNumber = sequenceNumber;
-@@ -352,6 +346,14 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
-   header.numCSRCs       = CC;
-   header.paddingLength  = P ? *(_ptrRTPDataEnd - 1) : 0;
- 
-+  // 12 == sizeof(RFC rtp header) == kRtpMinParseLength, each CSRC=4 bytes
-+  header.headerLength   = 12 + (CC * 4);
-+  // not a full validation, just safety against underflow.  Padding must
-+  // start after the header.  We can have 0 payload bytes left, note.
-+  if (header.paddingLength + header.headerLength > length) {
-+    return false;
-+  }
-+
-   for (unsigned int i = 0; i < CC; ++i) {
-     uint32_t CSRC = *ptr++ << 24;
-     CSRC += *ptr++ << 16;
-@@ -359,8 +361,7 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
-     CSRC += *ptr++;
-     header.arrOfCSRCs[i] = CSRC;
-   }
--
--  header.headerLength   = 12 + CSRCocts;
-+  assert((ptr - _ptrRTPDataBegin) == header.headerLength);
- 
-   // If in effect, MAY be omitted for those packets for which the offset
-   // is zero.
-@@ -385,8 +386,9 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
-     |                        header extension                       |
-     |                             ....                              |
-     */
--    const ptrdiff_t remain = _ptrRTPDataEnd - ptr;
--    if (remain < 4) {
-+    // earlier test ensures we have at least paddingLength bytes left
-+    const ptrdiff_t remain = (_ptrRTPDataEnd - ptr) - header.paddingLength;
-+    if (remain < 4) { // minimum header extension length = 32 bits
-       return false;
-     }
- 
-@@ -395,11 +397,11 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
-     uint16_t definedByProfile = *ptr++ << 8;
-     definedByProfile += *ptr++;
- 
--    uint16_t XLen = *ptr++ << 8;
-+    size_t XLen = *ptr++ << 8;
-     XLen += *ptr++; // in 32 bit words
-     XLen *= 4; // in octs
- 
--    if (remain < (4 + XLen)) {
-+    if (remain < (4 + XLen)) { // we already accounted for padding
-       return false;
-     }
-     if (definedByProfile == kRtpOneByteHeaderExtensionId) {
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7210.patch b/gnu/packages/patches/icecat-CVE-2015-7210.patch
deleted file mode 100644
index eab57021db..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7210.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 4e0cd9ba4924869f91be0e7c8cf666182bb75f90 Mon Sep 17 00:00:00 2001
-From: "Byron Campen [:bwc]" <docfaraday@gmail.com>
-Date: Wed, 28 Oct 2015 12:48:17 -0500
-Subject: [PATCH] Bug 1218326 - Prevent datachannel operations on closed
- PeerConnections. r=jesup a=sylvestre
-
---HG--
-extra : source : a7637b62d9b5ab73f58e5aa3c663d7d35b624826
-extra : intermediate-source : d8f0412f38f75040064157d8d2b0140df21600e6
----
- media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
-index c3d8d26..fe86ff7 100644
---- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
-+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
-@@ -1004,7 +1004,7 @@ PeerConnectionImpl::GetIdentity() const
- NS_IMETHODIMP
- PeerConnectionImpl::EnsureDataConnection(uint16_t aNumstreams)
- {
--  PC_AUTO_ENTER_API_CALL_NO_CHECK();
-+  PC_AUTO_ENTER_API_CALL(false);
- 
- #ifdef MOZILLA_INTERNAL_API
-   if (mDataConnection) {
-@@ -1102,7 +1102,7 @@ PeerConnectionImpl::GetDatachannelParameters(
- nsresult
- PeerConnectionImpl::InitializeDataChannel()
- {
--  PC_AUTO_ENTER_API_CALL_NO_CHECK();
-+  PC_AUTO_ENTER_API_CALL(false);
-   CSFLogDebug(logTag, "%s", __FUNCTION__);
- 
-   const JsepApplicationCodecDescription* codec;
-@@ -1184,7 +1184,7 @@ PeerConnectionImpl::CreateDataChannel(const nsAString& aLabel,
-                                       uint16_t aStream,
-                                       nsDOMDataChannel** aRetval)
- {
--  PC_AUTO_ENTER_API_CALL_NO_CHECK();
-+  PC_AUTO_ENTER_API_CALL(false);
-   MOZ_ASSERT(aRetval);
- 
- #ifdef MOZILLA_INTERNAL_API
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7212.patch b/gnu/packages/patches/icecat-CVE-2015-7212.patch
deleted file mode 100644
index 7bda486ff7..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7212.patch
+++ /dev/null
@@ -1,364 +0,0 @@
-From 595e3a152ff2912a950defd0ef4b5f659135b03a Mon Sep 17 00:00:00 2001
-From: Nicolas Silva <nsilva@mozilla.com>
-Date: Wed, 18 Nov 2015 16:59:11 +0100
-Subject: [PATCH] Bug 1222809 - Don't try to allocate unreasonably large
- textures. r=Bas, a=sylvestre
-
----
- gfx/2d/2D.h                             | 25 ++++++++++--
- gfx/2d/Factory.cpp                      | 67 ++++++++++++++++++++++++++++-----
- gfx/layers/ImageDataSerializer.cpp      | 21 ++++++-----
- gfx/layers/YCbCrImageDataSerializer.cpp |  7 ++++
- gfx/layers/client/TextureClient.cpp     | 12 ++++++
- gfx/thebes/gfxPlatform.cpp              | 15 ++++++--
- gfx/thebes/gfxPrefs.h                   |  3 ++
- 7 files changed, 124 insertions(+), 26 deletions(-)
-
-diff --git a/gfx/2d/2D.h b/gfx/2d/2D.h
-index cf35bb2..b1e0e3e 100644
---- a/gfx/2d/2D.h
-+++ b/gfx/2d/2D.h
-@@ -1082,22 +1082,41 @@ struct TileSet
-   size_t mTileCount;
- };
- 
-+struct Config {
-+  LogForwarder* mLogForwarder;
-+  int32_t mMaxTextureSize;
-+  int32_t mMaxAllocSize;
-+
-+  Config()
-+  : mLogForwarder(nullptr)
-+  , mMaxTextureSize(8192)
-+  , mMaxAllocSize(52000000)
-+  {}
-+};
-+
- class GFX2D_API Factory
- {
- public:
-+  static void Init(const Config& aConfig);
-+  static void ShutDown();
-+
-   static bool HasSSE2();
- 
-   /** Make sure that the given dimensions don't overflow a 32-bit signed int
-    * using 4 bytes per pixel; optionally, make sure that either dimension
-    * doesn't exceed the given limit.
-    */
--  static bool CheckSurfaceSize(const IntSize &sz, int32_t limit = 0);
-+  static bool CheckSurfaceSize(const IntSize &sz,
-+                               int32_t limit = 0,
-+                               int32_t allocLimit = 0);
- 
-   /** Make sure the given dimension satisfies the CheckSurfaceSize and is
-    * within 8k limit.  The 8k value is chosen a bit randomly.
-    */
-   static bool ReasonableSurfaceSize(const IntSize &aSize);
- 
-+  static bool AllowedSurfaceSize(const IntSize &aSize);
-+
-   static TemporaryRef<DrawTarget> CreateDrawTargetForCairoSurface(cairo_surface_t* aSurface, const IntSize& aSize, SurfaceFormat* aFormat = nullptr);
- 
-   static TemporaryRef<DrawTarget>
-@@ -1171,10 +1190,10 @@ public:
- 
-   static uint32_t GetMaxSurfaceSize(BackendType aType);
- 
--  static LogForwarder* GetLogForwarder() { return mLogForwarder; }
-+  static LogForwarder* GetLogForwarder() { return sConfig ? sConfig->mLogForwarder : nullptr; }
- 
- private:
--  static LogForwarder* mLogForwarder;
-+  static Config* sConfig;
- public:
- 
- #ifdef USE_SKIA_GPU
-diff --git a/gfx/2d/Factory.cpp b/gfx/2d/Factory.cpp
-index 948d3c3..6750c28 100644
---- a/gfx/2d/Factory.cpp
-+++ b/gfx/2d/Factory.cpp
-@@ -188,6 +188,35 @@ ID2D1Device *Factory::mD2D1Device;
- 
- DrawEventRecorder *Factory::mRecorder;
- 
-+mozilla::gfx::Config* Factory::sConfig = nullptr;
-+
-+void
-+Factory::Init(const Config& aConfig)
-+{
-+  MOZ_ASSERT(!sConfig);
-+  sConfig = new Config(aConfig);
-+
-+  // Make sure we don't completely break rendering because of a typo in the
-+  // pref or whatnot.
-+  const int32_t kMinAllocPref = 10000000;
-+  const int32_t kMinSizePref = 2048;
-+  if (sConfig->mMaxAllocSize < kMinAllocPref) {
-+    sConfig->mMaxAllocSize = kMinAllocPref;
-+  }
-+  if (sConfig->mMaxTextureSize < kMinSizePref) {
-+    sConfig->mMaxTextureSize = kMinSizePref;
-+  }
-+}
-+
-+void
-+Factory::ShutDown()
-+{
-+  if (sConfig) {
-+    delete sConfig;
-+    sConfig = nullptr;
-+  }
-+}
-+
- bool
- Factory::HasSSE2()
- {
-@@ -222,11 +251,25 @@ inline int LoggerOptionsBasedOnSize(const IntSize& aSize)
- bool
- Factory::ReasonableSurfaceSize(const IntSize &aSize)
- {
--  return Factory::CheckSurfaceSize(aSize,8192);
-+  return Factory::CheckSurfaceSize(aSize, 8192);
-+}
-+
-+bool
-+Factory::AllowedSurfaceSize(const IntSize &aSize)
-+{
-+  if (sConfig) {
-+    return Factory::CheckSurfaceSize(aSize,
-+                                     sConfig->mMaxTextureSize,
-+                                     sConfig->mMaxAllocSize);
-+  }
-+
-+  return CheckSurfaceSize(aSize);
- }
- 
- bool
--Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
-+Factory::CheckSurfaceSize(const IntSize &sz,
-+                          int32_t extentLimit,
-+                          int32_t allocLimit)
- {
-   if (sz.width <= 0 || sz.height <= 0) {
-     gfxDebug() << "Surface width or height <= 0!";
-@@ -234,8 +277,8 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
-   }
- 
-   // reject images with sides bigger than limit
--  if (limit && (sz.width > limit || sz.height > limit)) {
--    gfxDebug() << "Surface size too large (exceeds caller's limit)!";
-+  if (extentLimit && (sz.width > extentLimit || sz.height > extentLimit)) {
-+    gfxDebug() << "Surface size too large (exceeds extent limit)!";
-     return false;
-   }
- 
-@@ -267,13 +310,18 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
-     return false;
-   }
- 
-+  if (allocLimit && allocLimit < numBytes.value()) {
-+    gfxDebug() << "Surface size too large (exceeds allocation limit)!";
-+    return false;
-+  }
-+
-   return true;
- }
- 
- TemporaryRef<DrawTarget>
- Factory::CreateDrawTarget(BackendType aBackend, const IntSize &aSize, SurfaceFormat aFormat)
- {
--  if (!CheckSurfaceSize(aSize)) {
-+  if (!AllowedSurfaceSize(aSize)) {
-     gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
-     return nullptr;
-   }
-@@ -364,7 +412,7 @@ Factory::CreateDrawTargetForData(BackendType aBackend,
-                                  SurfaceFormat aFormat)
- {
-   MOZ_ASSERT(aData);
--  if (!CheckSurfaceSize(aSize)) {
-+  if (!AllowedSurfaceSize(aSize)) {
-     gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
-     return nullptr;
-   }
-@@ -835,7 +883,7 @@ Factory::CreateDataSourceSurface(const IntSize &aSize,
-                                  SurfaceFormat aFormat,
-                                  bool aZero)
- {
--  if (!CheckSurfaceSize(aSize)) {
-+  if (!AllowedSurfaceSize(aSize)) {
-     gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
-     return nullptr;
-   }
-@@ -881,14 +929,13 @@ Factory::SetGlobalEventRecorder(DrawEventRecorder *aRecorder)
-   mRecorder = aRecorder;
- }
- 
--LogForwarder* Factory::mLogForwarder = nullptr;
--
- // static
- void
- Factory::SetLogForwarder(LogForwarder* aLogFwd) {
--  mLogForwarder = aLogFwd;
-+  sConfig->mLogForwarder = aLogFwd;
- }
- 
-+
- // static
- void
- CriticalLogger::OutputMessage(const std::string &aString,
-diff --git a/gfx/layers/ImageDataSerializer.cpp b/gfx/layers/ImageDataSerializer.cpp
-index 5dd6aca..331dd04 100644
---- a/gfx/layers/ImageDataSerializer.cpp
-+++ b/gfx/layers/ImageDataSerializer.cpp
-@@ -84,21 +84,23 @@ ImageDataSerializerBase::ComputeMinBufferSize(IntSize aSize,
-                                               SurfaceFormat aFormat)
- {
-   MOZ_ASSERT(aSize.height >= 0 && aSize.width >= 0);
--  if (aSize.height <= 0 || aSize.width <= 0) {
--    gfxDebug() << "Non-positive image buffer size request " << aSize.width << "x" << aSize.height;
-+
-+  // This takes care of checking whether there could be overflow
-+  // with enough margin for the metadata.
-+  if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
-     return 0;
-   }
- 
--  CheckedInt<int32_t> bufsize = ComputeStride(aFormat, aSize.width);
--  bufsize *= aSize.height;
-+  int32_t bufsize = GetAlignedStride<16>(ComputeStride(aFormat, aSize.width)
-+                                         * aSize.height)
-+                  + SurfaceBufferInfo::GetOffset();
- 
--  if (!bufsize.isValid() || bufsize.value() <= 0) {
--    gfxDebug() << "Buffer size overflow " << aSize.width << "x" << aSize.height;
-+  if (bufsize < 0) {
-+    // This should not be possible thanks to Factory::AllowedSurfaceSize
-     return 0;
-   }
- 
--  return SurfaceBufferInfo::GetOffset()
--       + GetAlignedStride<16>(bufsize.value());
-+  return bufsize;
- }
- 
- void
-@@ -114,7 +116,8 @@ ImageDataSerializerBase::Validate()
-   }
-   size_t requiredSize =
-            ComputeMinBufferSize(IntSize(info->width, info->height), info->format);
--  mIsValid = requiredSize <= mDataSize;
-+
-+  mIsValid = !!requiredSize && requiredSize <= mDataSize;
- }
- 
- uint8_t*
-diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp
-index c8e148d..05f5ab2 100644
---- a/gfx/layers/YCbCrImageDataSerializer.cpp
-+++ b/gfx/layers/YCbCrImageDataSerializer.cpp
-@@ -150,6 +150,13 @@ YCbCrImageDataDeserializerBase::ComputeMinBufferSize(const gfx::IntSize& aYSize,
-     gfxDebug() << "Non-positive YCbCr buffer size request " << aYSize.height << "x" << aYSize.width << ", " << aCbCrSize.height << "x" << aCbCrSize.width;
-     return 0;
-   }
-+
-+  if (!gfx::Factory::AllowedSurfaceSize(aYSize) ||
-+      aCbCrSize.width > aYSize.width ||
-+      aCbCrSize.height > aYSize.height) {
-+    return 0;
-+  }
-+
-   return ComputeOffset(aYSize.height, aYStride)
-          + 2 * ComputeOffset(aCbCrSize.height, aCbCrStride)
-          + MOZ_ALIGN_WORD(sizeof(YCbCrBufferInfo));
-diff --git a/gfx/layers/client/TextureClient.cpp b/gfx/layers/client/TextureClient.cpp
-index 9b45ca0..6ae7cbf 100644
---- a/gfx/layers/client/TextureClient.cpp
-+++ b/gfx/layers/client/TextureClient.cpp
-@@ -315,6 +315,10 @@ TextureClient::CreateForDrawing(ISurfaceAllocator* aAllocator,
-     aMoz2DBackend = gfxPlatform::GetPlatform()->GetContentBackend();
-   }
- 
-+  if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
-+    return nullptr;
-+  }
-+
-   RefPtr<TextureClient> texture;
- 
- #if defined(MOZ_WIDGET_GONK) || defined(XP_WIN)
-@@ -415,6 +419,10 @@ TextureClient::CreateForRawBufferAccess(ISurfaceAllocator* aAllocator,
-                                         TextureFlags aTextureFlags,
-                                         TextureAllocationFlags aAllocFlags)
- {
-+  if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
-+    return nullptr;
-+  }
-+
-   RefPtr<BufferTextureClient> texture =
-     CreateBufferTextureClient(aAllocator, aFormat,
-                               aTextureFlags, aMoz2DBackend);
-@@ -434,6 +442,10 @@ TextureClient::CreateForYCbCr(ISurfaceAllocator* aAllocator,
-                               StereoMode aStereoMode,
-                               TextureFlags aTextureFlags)
- {
-+  if (!gfx::Factory::AllowedSurfaceSize(aYSize)) {
-+    return nullptr;
-+  }
-+
-   RefPtr<BufferTextureClient> texture;
-   if (aAllocator->IsSameProcess()) {
-     texture = new MemoryTextureClient(aAllocator, gfx::SurfaceFormat::YUV,
-diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp
-index 41e4b0c..209a0a8 100644
---- a/gfx/thebes/gfxPlatform.cpp
-+++ b/gfx/thebes/gfxPlatform.cpp
-@@ -458,13 +458,18 @@ gfxPlatform::Init()
-     }
-     gEverInitialized = true;
- 
--    CrashStatsLogForwarder* logForwarder = new CrashStatsLogForwarder("GraphicsCriticalError");
--    mozilla::gfx::Factory::SetLogForwarder(logForwarder);
--
-     // Initialize the preferences by creating the singleton.
-     gfxPrefs::GetSingleton();
- 
--    logForwarder->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength());
-+    auto fwd = new CrashStatsLogForwarder("GraphicsCriticalError");
-+    fwd->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength());
-+
-+    mozilla::gfx::Config cfg;
-+    cfg.mLogForwarder = fwd;
-+    cfg.mMaxTextureSize = gfxPrefs::MaxTextureSize();
-+    cfg.mMaxAllocSize = gfxPrefs::MaxAllocSize();
-+
-+    gfx::Factory::Init(cfg);
- 
-     gGfxPlatformPrefsLock = new Mutex("gfxPlatform::gGfxPlatformPrefsLock");
- 
-@@ -641,6 +646,8 @@ gfxPlatform::Shutdown()
-     delete mozilla::gfx::Factory::GetLogForwarder();
-     mozilla::gfx::Factory::SetLogForwarder(nullptr);
- 
-+    gfx::Factory::ShutDown();
-+
-     delete gGfxPlatformPrefsLock;
- 
-     gfxPrefs::DestroySingleton();
-diff --git a/gfx/thebes/gfxPrefs.h b/gfx/thebes/gfxPrefs.h
-index b7a5fb9..038e1ff 100644
---- a/gfx/thebes/gfxPrefs.h
-+++ b/gfx/thebes/gfxPrefs.h
-@@ -209,6 +209,9 @@ private:
-   DECL_GFX_PREF(Live, "gfx.layerscope.port",                   LayerScopePort, int32_t, 23456);
-   // Note that        "gfx.logging.level" is defined in Logging.h
-   DECL_GFX_PREF(Once, "gfx.logging.crash.length",              GfxLoggingCrashLength, uint32_t, 6);
-+  // The maximums here are quite conservative, we can tighten them if problems show up.
-+  DECL_GFX_PREF(Once, "gfx.max-alloc-size",                    MaxAllocSize, int32_t, (int32_t)500000000);
-+  DECL_GFX_PREF(Once, "gfx.max-texture-size",                  MaxTextureSize, int32_t, (int32_t)32767);
-   DECL_GFX_PREF(Live, "gfx.perf-warnings.enabled",             PerfWarnings, bool, false);
-   DECL_GFX_PREF(Once, "gfx.work-around-driver-bugs",           WorkAroundDriverBugs, bool, true);
- 
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch
deleted file mode 100644
index 854c91b8aa..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 3f31bf9e243fb3de26e36d6be0bb0153f51c5b2a Mon Sep 17 00:00:00 2001
-From: Jean-Yves Avenard <jyavenard@mozilla.com>
-Date: Wed, 9 Dec 2015 09:54:58 +0100
-Subject: [PATCH] Bug 1206211 - P1. Ensure operation can't overflow.
- r=kentuckyfriedtakahe, a=sylvestre
-
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp            | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index 22163fa..318152a 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -508,10 +508,13 @@ status_t MPEG4Extractor::readMetaData() {
-     CHECK_NE(err, (status_t)NO_INIT);
- 
-     // copy pssh data into file metadata
--    int psshsize = 0;
-+    uint64_t psshsize = 0;
-     for (size_t i = 0; i < mPssh.size(); i++) {
-         psshsize += 20 + mPssh[i].datalen;
-     }
-+    if (psshsize > kMAX_ALLOCATION) {
-+        return ERROR_MALFORMED;
-+    }
-     if (psshsize) {
-         char *buf = (char*)malloc(psshsize);
-         char *ptr = buf;
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch
deleted file mode 100644
index 20bbd36281..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From bb6870bd6dc3acb183f44360c7cc6488656f47ea Mon Sep 17 00:00:00 2001
-From: Jean-Yves Avenard <jyavenard@mozilla.com>
-Date: Wed, 9 Dec 2015 09:55:16 +0100
-Subject: [PATCH] Bug 1206211 - P2. Abort on OOM. r=kentuckyfriedtakahe,
- a=sylvestre
-
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp              | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index 318152a..c6aaf1d 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -517,6 +517,9 @@ status_t MPEG4Extractor::readMetaData() {
-     }
-     if (psshsize) {
-         char *buf = (char*)malloc(psshsize);
-+        if (!buf) {
-+            return ERROR_MALFORMED;
-+        }
-         char *ptr = buf;
-         for (size_t i = 0; i < mPssh.size(); i++) {
-             memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7214.patch b/gnu/packages/patches/icecat-CVE-2015-7214.patch
deleted file mode 100644
index 3a56d3d2cd..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7214.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 487799700b0b676c2c6b95ad33c8afb8dbd329d8 Mon Sep 17 00:00:00 2001
-From: Bobby Holley <bobbyholley@gmail.com>
-Date: Mon, 14 Dec 2015 15:36:20 -0500
-Subject: [PATCH] Bug 1228950 - Disallow scheme sets on nsHostObjectURI. r=bz,
- a=lizzard
-
----
- dom/base/nsHostObjectURI.cpp | 9 +++++++++
- dom/base/nsHostObjectURI.h   | 2 ++
- 2 files changed, 11 insertions(+)
-
-diff --git a/dom/base/nsHostObjectURI.cpp b/dom/base/nsHostObjectURI.cpp
-index 94b02ff..57b0209 100644
---- a/dom/base/nsHostObjectURI.cpp
-+++ b/dom/base/nsHostObjectURI.cpp
-@@ -81,6 +81,15 @@ nsHostObjectURI::Write(nsIObjectOutputStream* aStream)
-                                         true);
- }
- 
-+NS_IMETHODIMP
-+nsHostObjectURI::SetScheme(const nsACString& aScheme)
-+{
-+  // Disallow setting the scheme, since that could cause us to be associated
-+  // with a different protocol handler that doesn't expect us to be carrying
-+  // around a principal with nsIURIWithPrincipal.
-+  return NS_ERROR_FAILURE;
-+}
-+
- // nsIURI methods:
- nsresult
- nsHostObjectURI::CloneInternal(nsSimpleURI::RefHandlingEnum aRefHandlingMode,
-diff --git a/dom/base/nsHostObjectURI.h b/dom/base/nsHostObjectURI.h
-index b468d5d..23ff7ab 100644
---- a/dom/base/nsHostObjectURI.h
-+++ b/dom/base/nsHostObjectURI.h
-@@ -34,6 +34,8 @@ public:
-   NS_DECL_NSISERIALIZABLE
-   NS_DECL_NSICLASSINFO
- 
-+  NS_IMETHOD SetScheme(const nsACString &aProtocol) override;
-+
-   // Override CloneInternal() and EqualsInternal()
-   virtual nsresult CloneInternal(RefHandlingEnum aRefHandlingMode,
-                                  nsIURI** aClone) override;
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
deleted file mode 100644
index c5d0e4ad60..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
+++ /dev/null
@@ -1,112 +0,0 @@
-From 76e6db3e514350fd146cb04425e669d63b59f889 Mon Sep 17 00:00:00 2001
-From: Gerald Squelart <gsquelart@mozilla.com>
-Date: Wed, 9 Dec 2015 09:59:37 +0100
-Subject: [PATCH] Bug 1216748 - p2. Handle failed malloc in Metadata storage -
- r=rillian, a=sylvestre
-
----
- .../av/include/media/stagefright/MetaData.h        |  2 +-
- .../av/media/libstagefright/MetaData.cpp           | 35 ++++++++++++++--------
- 2 files changed, 24 insertions(+), 13 deletions(-)
-
-diff --git a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
-index 30d969d..0a8ff77 100644
---- a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
-+++ b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
-@@ -248,7 +248,7 @@ private:
-             return mSize <= sizeof(u.reservoir);
-         }
- 
--        void allocateStorage(size_t size);
-+        bool allocateStorage(size_t size);
-         void freeStorage();
- 
-         void *storage() {
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
-index c832c96..cba324d 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
-@@ -220,7 +220,7 @@ bool MetaData::findData(uint32_t key, uint32_t *type,
- }
- 
- MetaData::typed_data::typed_data()
--    : mType(0),
-+    : mType(TYPE_NONE),
-       mSize(0) {
- }
- 
-@@ -231,17 +231,19 @@ MetaData::typed_data::~typed_data() {
- MetaData::typed_data::typed_data(const typed_data &from)
-     : mType(from.mType),
-       mSize(0) {
--    allocateStorage(from.mSize);
--    memcpy(storage(), from.storage(), mSize);
-+    if (allocateStorage(from.mSize)) {
-+        memcpy(storage(), from.storage(), mSize);
-+    }
- }
- 
- MetaData::typed_data &MetaData::typed_data::operator=(
-         const MetaData::typed_data &from) {
-     if (this != &from) {
-         clear();
--        mType = from.mType;
--        allocateStorage(from.mSize);
--        memcpy(storage(), from.storage(), mSize);
-+        if (allocateStorage(from.mSize)) {
-+            mType = from.mType;
-+            memcpy(storage(), from.storage(), mSize);
-+        }
-     }
- 
-     return *this;
-@@ -250,16 +252,17 @@ MetaData::typed_data &MetaData::typed_data::operator=(
- void MetaData::typed_data::clear() {
-     freeStorage();
- 
--    mType = 0;
-+    mType = TYPE_NONE;
- }
- 
- void MetaData::typed_data::setData(
-         uint32_t type, const void *data, size_t size) {
-     clear();
- 
--    mType = type;
--    allocateStorage(size);
--    memcpy(storage(), data, size);
-+    if (allocateStorage(size)) {
-+        mType = type;
-+        memcpy(storage(), data, size);
-+    }
- }
- 
- void MetaData::typed_data::getData(
-@@ -269,14 +272,22 @@ void MetaData::typed_data::getData(
-     *data = storage();
- }
- 
--void MetaData::typed_data::allocateStorage(size_t size) {
-+bool MetaData::typed_data::allocateStorage(size_t size) {
-+    // Update mSize now, as it is needed by usesReservoir() below.
-+    // (mSize will be reset if the allocation fails further below.)
-     mSize = size;
- 
-     if (usesReservoir()) {
--        return;
-+        return true;
-     }
- 
-     u.ext_data = malloc(mSize);
-+    if (!u.ext_data) {
-+      mType = TYPE_NONE;
-+      mSize = 0;
-+      return false;
-+    }
-+    return true;
- }
- 
- void MetaData::typed_data::freeStorage() {
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch
deleted file mode 100644
index 688d7f903f..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From 63c353cf8ec6b787936f602532026bd9923a16e4 Mon Sep 17 00:00:00 2001
-From: Gerald Squelart <gsquelart@mozilla.com>
-Date: Wed, 9 Dec 2015 10:00:13 +0100
-Subject: [PATCH] Bug 1216748 - p3. Ensure 'covr' data size cannot create
- underflow - r=rillian, a=sylvestre
-
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp            | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index c6aaf1d..a69fc14 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -1889,12 +1889,15 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
-             if (mFileMetaData != NULL) {
-                 ALOGV("chunk_data_size = %lld and data_offset = %lld",
-                         chunk_data_size, data_offset);
-+                const int kSkipBytesOfDataBox = 16;
-+                if (chunk_data_size <= kSkipBytesOfDataBox) {
-+                  return ERROR_MALFORMED;
-+                }
-                 sp<ABuffer> buffer = new ABuffer(chunk_data_size + 1);
-                 if (mDataSource->readAt(
-                     data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {
-                     return ERROR_IO;
-                 }
--                const int kSkipBytesOfDataBox = 16;
-                 mFileMetaData->setData(
-                     kKeyAlbumArt, MetaData::TYPE_NONE,
-                     buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch
deleted file mode 100644
index 2f3c95623d..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 0221ef0c389bff196ff59fa18232467d3648b926 Mon Sep 17 00:00:00 2001
-From: Gerald Squelart <gsquelart@mozilla.com>
-Date: Wed, 9 Dec 2015 10:00:32 +0100
-Subject: [PATCH] Bug 1216748 - p4. Check other Metadata::setData uses -
- r=rillian, a=sylvestre
-
-Found only one other use that needed better checks: the size of the pssh
-data was only checked after all items were added up; so it would be
-possible to create a set of big items such that they create an overflow,
-but the final sum looks reasonable.
-Instead each item size should be checked, and the sum should also be
-checked at each step.
----
- .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp          | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-index a69fc14..413a495 100644
---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
-@@ -511,9 +511,10 @@ status_t MPEG4Extractor::readMetaData() {
-     uint64_t psshsize = 0;
-     for (size_t i = 0; i < mPssh.size(); i++) {
-         psshsize += 20 + mPssh[i].datalen;
--    }
--    if (psshsize > kMAX_ALLOCATION) {
--        return ERROR_MALFORMED;
-+        if (mPssh[i].datalen > kMAX_ALLOCATION - 20 ||
-+            psshsize > kMAX_ALLOCATION) {
-+            return ERROR_MALFORMED;
-+        }
-     }
-     if (psshsize) {
-         char *buf = (char*)malloc(psshsize);
--- 
-2.6.3
-
diff --git a/gnu/packages/patches/icecat-freetype-2.6.patch b/gnu/packages/patches/icecat-freetype-2.6.patch
deleted file mode 100644
index ef69f2f715..0000000000
--- a/gnu/packages/patches/icecat-freetype-2.6.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Adapt to freetype 2.6.  This patch copied from upstream, see:
-https://bugzilla.mozilla.org/show_bug.cgi?id=1143411
-https://hg.mozilla.org/mozilla-central/rev/afd840d66e6a
-
---- a/config/system-headers
-+++ b/config/system-headers
-@@ -415,6 +415,7 @@ freetype/ftbitmap.h
- freetype/ftxf86.h
- freetype.h
- ftcache.h
-+ftfntfmt.h
- ftglyph.h
- ftsynth.h
- ftoutln.h