diff options
Diffstat (limited to 'gnu')
-rw-r--r-- | gnu/packages/gnuzilla.scm | 19 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch | 123 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch | 29 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch | 35 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7205.patch | 84 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7210.patch | 47 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7212.patch | 364 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch | 32 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch | 27 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7214.patch | 47 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch | 112 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch | 34 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch | 37 | ||||
-rw-r--r-- | gnu/packages/patches/icecat-freetype-2.6.patch | 14 |
14 files changed, 3 insertions, 1001 deletions
diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm index 3172bc8c45..40a13e7939 100644 --- a/gnu/packages/gnuzilla.scm +++ b/gnu/packages/gnuzilla.scm @@ -266,7 +266,7 @@ standards.") (define-public icecat (package (name "icecat") - (version "38.4.0-gnu1") + (version "38.5.0-gnu1") (source (origin (method url-fetch) @@ -275,21 +275,8 @@ standards.") name "-" version ".tar.bz2")) (sha256 (base32 - "0rcaa19rfgclwd2qvcz8798m57jjzra6kaxg5dniysajvx7qndfp")) - (patches (map search-patch '("icecat-CVE-2015-7210.patch" - "icecat-CVE-2015-7205.patch" - "icecat-CVE-2015-7201-pt1.patch" - "icecat-CVE-2015-7201-pt2.patch" - "icecat-CVE-2015-7212.patch" - "icecat-CVE-2015-7213-pt1.patch" - "icecat-CVE-2015-7213-pt2.patch" - "icecat-CVE-2015-7222-pt1.patch" - "icecat-CVE-2015-7222-pt2.patch" - "icecat-CVE-2015-7222-pt3.patch" - "icecat-CVE-2015-7214.patch" - "icecat-CVE-2015-7201-pt3.patch" - "icecat-avoid-bundled-includes.patch" - "icecat-freetype-2.6.patch"))) + "1bf20mpvx84jsa0dan2hhfc49f30v0wasikv7sh3cg8mwp62faj6")) + (patches (map search-patch '("icecat-avoid-bundled-includes.patch"))) (modules '((guix build utils))) (snippet '(begin diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch deleted file mode 100644 index 0fcfe9b409..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch +++ /dev/null @@ -1,123 +0,0 @@ -From e2bbd632e220be7626efd34acb9a517430d36004 Mon Sep 17 00:00:00 2001 -From: Andrew Comminos <andrew@comminos.com> -Date: Fri, 23 Oct 2015 21:35:16 -0700 -Subject: [PATCH] Bug 1203135 - Terminate linking if maximum vertex attribute - count is exceeded on Mesa. r=jgilbert, a=ritu - ---HG-- -extra : source : 8021382da9722db0ad97ebd93698b69a74f0d9b0 -extra : intermediate-source : 90eff805d2810e9d9ea88f6869335b0500b1a536 ---- - dom/canvas/WebGLProgram.cpp | 28 ++++++++++++++++++---------- - dom/canvas/WebGLShader.cpp | 10 ++++++++++ - dom/canvas/WebGLShader.h | 1 + - dom/canvas/WebGLShaderValidator.cpp | 6 ++++++ - dom/canvas/WebGLShaderValidator.h | 1 + - 5 files changed, 36 insertions(+), 10 deletions(-) - -diff --git a/dom/canvas/WebGLProgram.cpp b/dom/canvas/WebGLProgram.cpp -index 78f7413..0e056e8 100644 ---- a/dom/canvas/WebGLProgram.cpp -+++ b/dom/canvas/WebGLProgram.cpp -@@ -569,18 +569,26 @@ WebGLProgram::LinkProgram() - gl::GLContext* gl = mContext->gl; - gl->MakeCurrent(); - -- // Bug 777028: Mesa can't handle more than 16 samplers per program, -- // counting each array entry. -- size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() + -- mFragShader->CalcNumSamplerUniforms(); - if (gl->WorkAroundDriverBugs() && -- mContext->mIsMesa && -- numSamplerUniforms_upperBound > 16) -+ mContext->mIsMesa) - { -- mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on" -- " Mesa drivers to avoid crashing."); -- mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading()); -- return false; -+ // Bug 777028: Mesa can't handle more than 16 samplers per program, -+ // counting each array entry. -+ size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() + -+ mFragShader->CalcNumSamplerUniforms(); -+ if (numSamplerUniforms_upperBound > 16) { -+ mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on" -+ " Mesa drivers to avoid crashing."); -+ mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading()); -+ return false; -+ } -+ -+ // Bug 1203135: Mesa crashes internally if we exceed the reported maximum attribute count. -+ if (mVertShader->NumAttributes() > mContext->MaxVertexAttribs()) { -+ mLinkLog.AssignLiteral("Number of attributes exceeds Mesa's reported max attribute count."); -+ mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading()); -+ return false; -+ } - } - - // Bind the attrib locations. -diff --git a/dom/canvas/WebGLShader.cpp b/dom/canvas/WebGLShader.cpp -index 85a3809..bab4157 100644 ---- a/dom/canvas/WebGLShader.cpp -+++ b/dom/canvas/WebGLShader.cpp -@@ -299,6 +299,16 @@ WebGLShader::CalcNumSamplerUniforms() const - return 0; - } - -+size_t -+WebGLShader::NumAttributes() const -+{ -+ if (mValidator) -+ return mValidator->NumAttributes(); -+ -+ // TODO -+ return 0; -+} -+ - void - WebGLShader::BindAttribLocation(GLuint prog, const nsCString& userName, - GLuint index) const -diff --git a/dom/canvas/WebGLShader.h b/dom/canvas/WebGLShader.h -index 698e30c..2c80b16a 100644 ---- a/dom/canvas/WebGLShader.h -+++ b/dom/canvas/WebGLShader.h -@@ -45,6 +45,7 @@ public: - // Util funcs - bool CanLinkTo(const WebGLShader* prev, nsCString* const out_log) const; - size_t CalcNumSamplerUniforms() const; -+ size_t NumAttributes() const; - void BindAttribLocation(GLuint prog, const nsCString& userName, GLuint index) const; - bool FindAttribUserNameByMappedName(const nsACString& mappedName, - nsDependentCString* const out_userName) const; -diff --git a/dom/canvas/WebGLShaderValidator.cpp b/dom/canvas/WebGLShaderValidator.cpp -index 80005e2..8bedf88 100644 ---- a/dom/canvas/WebGLShaderValidator.cpp -+++ b/dom/canvas/WebGLShaderValidator.cpp -@@ -274,6 +274,12 @@ ShaderValidator::CalcNumSamplerUniforms() const - return accum; - } - -+size_t -+ShaderValidator::NumAttributes() const -+{ -+ return ShGetAttributes(mHandle)->size(); -+} -+ - // Attribs cannot be structs or arrays, and neither can vertex inputs in ES3. - // Therefore, attrib names are always simple. - bool -diff --git a/dom/canvas/WebGLShaderValidator.h b/dom/canvas/WebGLShaderValidator.h -index 35db2f1..1f794bf0 100644 ---- a/dom/canvas/WebGLShaderValidator.h -+++ b/dom/canvas/WebGLShaderValidator.h -@@ -41,6 +41,7 @@ public: - void GetOutput(nsACString* out) const; - bool CanLinkTo(const ShaderValidator* prev, nsCString* const out_log) const; - size_t CalcNumSamplerUniforms() const; -+ size_t NumAttributes() const; - - bool FindAttribUserNameByMappedName(const std::string& mappedName, - const std::string** const out_userName) const; --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch deleted file mode 100644 index 3764371a11..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch +++ /dev/null @@ -1,29 +0,0 @@ -From f02e3252391f5fa79916e4c8f30b3d8340d06cc7 Mon Sep 17 00:00:00 2001 -From: "Carsten \"Tomcat\" Book" <cbook@mozilla.com> -Date: Tue, 8 Dec 2015 12:38:15 +0100 -Subject: [PATCH] Bug 1225250 - fix stride on SourceSurfaceSkia when - initialized from GPU texture. r=jmuizelaar, a=lizzard - ---- - gfx/2d/SourceSurfaceSkia.cpp | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/gfx/2d/SourceSurfaceSkia.cpp b/gfx/2d/SourceSurfaceSkia.cpp -index 4b95bc2..d7e0714 100644 ---- a/gfx/2d/SourceSurfaceSkia.cpp -+++ b/gfx/2d/SourceSurfaceSkia.cpp -@@ -110,8 +110,10 @@ SourceSurfaceSkia::InitFromTexture(DrawTargetSkia* aOwner, - GrTexture *skiaTexture = aOwner->mGrContext->wrapBackendTexture(skiaTexGlue); - SkImageInfo imgInfo = SkImageInfo::Make(aSize.width, aSize.height, GfxFormatToSkiaColorType(aFormat), kOpaque_SkAlphaType); - SkGrPixelRef *texRef = new SkGrPixelRef(imgInfo, skiaTexture, false); -- mBitmap.setInfo(imgInfo, aSize.width*aSize.height*4); -+ mBitmap.setInfo(imgInfo); - mBitmap.setPixelRef(texRef); -+ mFormat = aFormat; -+ mStride = mBitmap.rowBytes(); - - mDrawTarget = aOwner; - return true; --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch deleted file mode 100644 index 022ab5cc16..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 567a97b6347ac8c2b93ec788c437b7e9bb23ef75 Mon Sep 17 00:00:00 2001 -From: Edwin Flores <eflores@mozilla.com> -Date: Wed, 2 Dec 2015 16:15:29 +0100 -Subject: [PATCH] Bug 1224100 - Initialize padding to 0 in Downscaler. r=seth, - a=sledru - ---- - image/src/Downscaler.cpp | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp -index 24ecfda..2a7acfd 100644 ---- a/image/src/Downscaler.cpp -+++ b/image/src/Downscaler.cpp -@@ -86,11 +86,16 @@ Downscaler::BeginFrame(const nsIntSize& aOriginalSize, - mTargetSize.height, mYFilter.get()); - - // Allocate the buffer, which contains scanlines of the original image. -- mRowBuffer = MakeUnique<uint8_t[]>(mOriginalSize.width * sizeof(uint32_t)); -+ size_t bufferLen = mOriginalSize.width * sizeof(uint32_t); -+ mRowBuffer = MakeUnique<uint8_t[]>(bufferLen); - if (MOZ_UNLIKELY(!mRowBuffer)) { - return NS_ERROR_OUT_OF_MEMORY; - } - -+ // Zero buffer to keep valgrind happy. -+ memset(mRowBuffer.get(), 0, bufferLen); -+ -+ - // Allocate the window, which contains horizontally downscaled scanlines. (We - // can store scanlines which are already downscale because our downscaling - // filter is separable.) --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7205.patch b/gnu/packages/patches/icecat-CVE-2015-7205.patch deleted file mode 100644 index 620fa0d6bd..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7205.patch +++ /dev/null @@ -1,84 +0,0 @@ -From 20df7b0b3f3e7dd201c9811bbb1e6515da8da359 Mon Sep 17 00:00:00 2001 -From: Randell Jesup <rjesup@jesup.org> -Date: Thu, 5 Nov 2015 10:17:29 -0500 -Subject: [PATCH] Bug 1220493 - validate RTP packets against underflows. - r=pkerr a=sylvestre - ---HG-- -extra : source : 575d3aa376b1c8e7507d94833f7b74bf963127cb -extra : intermediate-source : 2c1b396ef5c3e2424fb9af56d86ebf6f6551a997 ---- - .../webrtc/modules/rtp_rtcp/source/rtp_utility.cc | 26 ++++++++++++---------- - 1 file changed, 14 insertions(+), 12 deletions(-) - -diff --git a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc -index 9334b23..80cf55a 100644 ---- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc -+++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc -@@ -338,12 +338,6 @@ bool RtpHeaderParser::Parse(RTPHeader& header, - return false; - } - -- const uint8_t CSRCocts = CC * 4; -- -- if ((ptr + CSRCocts) > _ptrRTPDataEnd) { -- return false; -- } -- - header.markerBit = M; - header.payloadType = PT; - header.sequenceNumber = sequenceNumber; -@@ -352,6 +346,14 @@ bool RtpHeaderParser::Parse(RTPHeader& header, - header.numCSRCs = CC; - header.paddingLength = P ? *(_ptrRTPDataEnd - 1) : 0; - -+ // 12 == sizeof(RFC rtp header) == kRtpMinParseLength, each CSRC=4 bytes -+ header.headerLength = 12 + (CC * 4); -+ // not a full validation, just safety against underflow. Padding must -+ // start after the header. We can have 0 payload bytes left, note. -+ if (header.paddingLength + header.headerLength > length) { -+ return false; -+ } -+ - for (unsigned int i = 0; i < CC; ++i) { - uint32_t CSRC = *ptr++ << 24; - CSRC += *ptr++ << 16; -@@ -359,8 +361,7 @@ bool RtpHeaderParser::Parse(RTPHeader& header, - CSRC += *ptr++; - header.arrOfCSRCs[i] = CSRC; - } -- -- header.headerLength = 12 + CSRCocts; -+ assert((ptr - _ptrRTPDataBegin) == header.headerLength); - - // If in effect, MAY be omitted for those packets for which the offset - // is zero. -@@ -385,8 +386,9 @@ bool RtpHeaderParser::Parse(RTPHeader& header, - | header extension | - | .... | - */ -- const ptrdiff_t remain = _ptrRTPDataEnd - ptr; -- if (remain < 4) { -+ // earlier test ensures we have at least paddingLength bytes left -+ const ptrdiff_t remain = (_ptrRTPDataEnd - ptr) - header.paddingLength; -+ if (remain < 4) { // minimum header extension length = 32 bits - return false; - } - -@@ -395,11 +397,11 @@ bool RtpHeaderParser::Parse(RTPHeader& header, - uint16_t definedByProfile = *ptr++ << 8; - definedByProfile += *ptr++; - -- uint16_t XLen = *ptr++ << 8; -+ size_t XLen = *ptr++ << 8; - XLen += *ptr++; // in 32 bit words - XLen *= 4; // in octs - -- if (remain < (4 + XLen)) { -+ if (remain < (4 + XLen)) { // we already accounted for padding - return false; - } - if (definedByProfile == kRtpOneByteHeaderExtensionId) { --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7210.patch b/gnu/packages/patches/icecat-CVE-2015-7210.patch deleted file mode 100644 index eab57021db..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7210.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 4e0cd9ba4924869f91be0e7c8cf666182bb75f90 Mon Sep 17 00:00:00 2001 -From: "Byron Campen [:bwc]" <docfaraday@gmail.com> -Date: Wed, 28 Oct 2015 12:48:17 -0500 -Subject: [PATCH] Bug 1218326 - Prevent datachannel operations on closed - PeerConnections. r=jesup a=sylvestre - ---HG-- -extra : source : a7637b62d9b5ab73f58e5aa3c663d7d35b624826 -extra : intermediate-source : d8f0412f38f75040064157d8d2b0140df21600e6 ---- - media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp -index c3d8d26..fe86ff7 100644 ---- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp -+++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp -@@ -1004,7 +1004,7 @@ PeerConnectionImpl::GetIdentity() const - NS_IMETHODIMP - PeerConnectionImpl::EnsureDataConnection(uint16_t aNumstreams) - { -- PC_AUTO_ENTER_API_CALL_NO_CHECK(); -+ PC_AUTO_ENTER_API_CALL(false); - - #ifdef MOZILLA_INTERNAL_API - if (mDataConnection) { -@@ -1102,7 +1102,7 @@ PeerConnectionImpl::GetDatachannelParameters( - nsresult - PeerConnectionImpl::InitializeDataChannel() - { -- PC_AUTO_ENTER_API_CALL_NO_CHECK(); -+ PC_AUTO_ENTER_API_CALL(false); - CSFLogDebug(logTag, "%s", __FUNCTION__); - - const JsepApplicationCodecDescription* codec; -@@ -1184,7 +1184,7 @@ PeerConnectionImpl::CreateDataChannel(const nsAString& aLabel, - uint16_t aStream, - nsDOMDataChannel** aRetval) - { -- PC_AUTO_ENTER_API_CALL_NO_CHECK(); -+ PC_AUTO_ENTER_API_CALL(false); - MOZ_ASSERT(aRetval); - - #ifdef MOZILLA_INTERNAL_API --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7212.patch b/gnu/packages/patches/icecat-CVE-2015-7212.patch deleted file mode 100644 index 7bda486ff7..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7212.patch +++ /dev/null @@ -1,364 +0,0 @@ -From 595e3a152ff2912a950defd0ef4b5f659135b03a Mon Sep 17 00:00:00 2001 -From: Nicolas Silva <nsilva@mozilla.com> -Date: Wed, 18 Nov 2015 16:59:11 +0100 -Subject: [PATCH] Bug 1222809 - Don't try to allocate unreasonably large - textures. r=Bas, a=sylvestre - ---- - gfx/2d/2D.h | 25 ++++++++++-- - gfx/2d/Factory.cpp | 67 ++++++++++++++++++++++++++++----- - gfx/layers/ImageDataSerializer.cpp | 21 ++++++----- - gfx/layers/YCbCrImageDataSerializer.cpp | 7 ++++ - gfx/layers/client/TextureClient.cpp | 12 ++++++ - gfx/thebes/gfxPlatform.cpp | 15 ++++++-- - gfx/thebes/gfxPrefs.h | 3 ++ - 7 files changed, 124 insertions(+), 26 deletions(-) - -diff --git a/gfx/2d/2D.h b/gfx/2d/2D.h -index cf35bb2..b1e0e3e 100644 ---- a/gfx/2d/2D.h -+++ b/gfx/2d/2D.h -@@ -1082,22 +1082,41 @@ struct TileSet - size_t mTileCount; - }; - -+struct Config { -+ LogForwarder* mLogForwarder; -+ int32_t mMaxTextureSize; -+ int32_t mMaxAllocSize; -+ -+ Config() -+ : mLogForwarder(nullptr) -+ , mMaxTextureSize(8192) -+ , mMaxAllocSize(52000000) -+ {} -+}; -+ - class GFX2D_API Factory - { - public: -+ static void Init(const Config& aConfig); -+ static void ShutDown(); -+ - static bool HasSSE2(); - - /** Make sure that the given dimensions don't overflow a 32-bit signed int - * using 4 bytes per pixel; optionally, make sure that either dimension - * doesn't exceed the given limit. - */ -- static bool CheckSurfaceSize(const IntSize &sz, int32_t limit = 0); -+ static bool CheckSurfaceSize(const IntSize &sz, -+ int32_t limit = 0, -+ int32_t allocLimit = 0); - - /** Make sure the given dimension satisfies the CheckSurfaceSize and is - * within 8k limit. The 8k value is chosen a bit randomly. - */ - static bool ReasonableSurfaceSize(const IntSize &aSize); - -+ static bool AllowedSurfaceSize(const IntSize &aSize); -+ - static TemporaryRef<DrawTarget> CreateDrawTargetForCairoSurface(cairo_surface_t* aSurface, const IntSize& aSize, SurfaceFormat* aFormat = nullptr); - - static TemporaryRef<DrawTarget> -@@ -1171,10 +1190,10 @@ public: - - static uint32_t GetMaxSurfaceSize(BackendType aType); - -- static LogForwarder* GetLogForwarder() { return mLogForwarder; } -+ static LogForwarder* GetLogForwarder() { return sConfig ? sConfig->mLogForwarder : nullptr; } - - private: -- static LogForwarder* mLogForwarder; -+ static Config* sConfig; - public: - - #ifdef USE_SKIA_GPU -diff --git a/gfx/2d/Factory.cpp b/gfx/2d/Factory.cpp -index 948d3c3..6750c28 100644 ---- a/gfx/2d/Factory.cpp -+++ b/gfx/2d/Factory.cpp -@@ -188,6 +188,35 @@ ID2D1Device *Factory::mD2D1Device; - - DrawEventRecorder *Factory::mRecorder; - -+mozilla::gfx::Config* Factory::sConfig = nullptr; -+ -+void -+Factory::Init(const Config& aConfig) -+{ -+ MOZ_ASSERT(!sConfig); -+ sConfig = new Config(aConfig); -+ -+ // Make sure we don't completely break rendering because of a typo in the -+ // pref or whatnot. -+ const int32_t kMinAllocPref = 10000000; -+ const int32_t kMinSizePref = 2048; -+ if (sConfig->mMaxAllocSize < kMinAllocPref) { -+ sConfig->mMaxAllocSize = kMinAllocPref; -+ } -+ if (sConfig->mMaxTextureSize < kMinSizePref) { -+ sConfig->mMaxTextureSize = kMinSizePref; -+ } -+} -+ -+void -+Factory::ShutDown() -+{ -+ if (sConfig) { -+ delete sConfig; -+ sConfig = nullptr; -+ } -+} -+ - bool - Factory::HasSSE2() - { -@@ -222,11 +251,25 @@ inline int LoggerOptionsBasedOnSize(const IntSize& aSize) - bool - Factory::ReasonableSurfaceSize(const IntSize &aSize) - { -- return Factory::CheckSurfaceSize(aSize,8192); -+ return Factory::CheckSurfaceSize(aSize, 8192); -+} -+ -+bool -+Factory::AllowedSurfaceSize(const IntSize &aSize) -+{ -+ if (sConfig) { -+ return Factory::CheckSurfaceSize(aSize, -+ sConfig->mMaxTextureSize, -+ sConfig->mMaxAllocSize); -+ } -+ -+ return CheckSurfaceSize(aSize); - } - - bool --Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit) -+Factory::CheckSurfaceSize(const IntSize &sz, -+ int32_t extentLimit, -+ int32_t allocLimit) - { - if (sz.width <= 0 || sz.height <= 0) { - gfxDebug() << "Surface width or height <= 0!"; -@@ -234,8 +277,8 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit) - } - - // reject images with sides bigger than limit -- if (limit && (sz.width > limit || sz.height > limit)) { -- gfxDebug() << "Surface size too large (exceeds caller's limit)!"; -+ if (extentLimit && (sz.width > extentLimit || sz.height > extentLimit)) { -+ gfxDebug() << "Surface size too large (exceeds extent limit)!"; - return false; - } - -@@ -267,13 +310,18 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit) - return false; - } - -+ if (allocLimit && allocLimit < numBytes.value()) { -+ gfxDebug() << "Surface size too large (exceeds allocation limit)!"; -+ return false; -+ } -+ - return true; - } - - TemporaryRef<DrawTarget> - Factory::CreateDrawTarget(BackendType aBackend, const IntSize &aSize, SurfaceFormat aFormat) - { -- if (!CheckSurfaceSize(aSize)) { -+ if (!AllowedSurfaceSize(aSize)) { - gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize; - return nullptr; - } -@@ -364,7 +412,7 @@ Factory::CreateDrawTargetForData(BackendType aBackend, - SurfaceFormat aFormat) - { - MOZ_ASSERT(aData); -- if (!CheckSurfaceSize(aSize)) { -+ if (!AllowedSurfaceSize(aSize)) { - gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize; - return nullptr; - } -@@ -835,7 +883,7 @@ Factory::CreateDataSourceSurface(const IntSize &aSize, - SurfaceFormat aFormat, - bool aZero) - { -- if (!CheckSurfaceSize(aSize)) { -+ if (!AllowedSurfaceSize(aSize)) { - gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize; - return nullptr; - } -@@ -881,14 +929,13 @@ Factory::SetGlobalEventRecorder(DrawEventRecorder *aRecorder) - mRecorder = aRecorder; - } - --LogForwarder* Factory::mLogForwarder = nullptr; -- - // static - void - Factory::SetLogForwarder(LogForwarder* aLogFwd) { -- mLogForwarder = aLogFwd; -+ sConfig->mLogForwarder = aLogFwd; - } - -+ - // static - void - CriticalLogger::OutputMessage(const std::string &aString, -diff --git a/gfx/layers/ImageDataSerializer.cpp b/gfx/layers/ImageDataSerializer.cpp -index 5dd6aca..331dd04 100644 ---- a/gfx/layers/ImageDataSerializer.cpp -+++ b/gfx/layers/ImageDataSerializer.cpp -@@ -84,21 +84,23 @@ ImageDataSerializerBase::ComputeMinBufferSize(IntSize aSize, - SurfaceFormat aFormat) - { - MOZ_ASSERT(aSize.height >= 0 && aSize.width >= 0); -- if (aSize.height <= 0 || aSize.width <= 0) { -- gfxDebug() << "Non-positive image buffer size request " << aSize.width << "x" << aSize.height; -+ -+ // This takes care of checking whether there could be overflow -+ // with enough margin for the metadata. -+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) { - return 0; - } - -- CheckedInt<int32_t> bufsize = ComputeStride(aFormat, aSize.width); -- bufsize *= aSize.height; -+ int32_t bufsize = GetAlignedStride<16>(ComputeStride(aFormat, aSize.width) -+ * aSize.height) -+ + SurfaceBufferInfo::GetOffset(); - -- if (!bufsize.isValid() || bufsize.value() <= 0) { -- gfxDebug() << "Buffer size overflow " << aSize.width << "x" << aSize.height; -+ if (bufsize < 0) { -+ // This should not be possible thanks to Factory::AllowedSurfaceSize - return 0; - } - -- return SurfaceBufferInfo::GetOffset() -- + GetAlignedStride<16>(bufsize.value()); -+ return bufsize; - } - - void -@@ -114,7 +116,8 @@ ImageDataSerializerBase::Validate() - } - size_t requiredSize = - ComputeMinBufferSize(IntSize(info->width, info->height), info->format); -- mIsValid = requiredSize <= mDataSize; -+ -+ mIsValid = !!requiredSize && requiredSize <= mDataSize; - } - - uint8_t* -diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp -index c8e148d..05f5ab2 100644 ---- a/gfx/layers/YCbCrImageDataSerializer.cpp -+++ b/gfx/layers/YCbCrImageDataSerializer.cpp -@@ -150,6 +150,13 @@ YCbCrImageDataDeserializerBase::ComputeMinBufferSize(const gfx::IntSize& aYSize, - gfxDebug() << "Non-positive YCbCr buffer size request " << aYSize.height << "x" << aYSize.width << ", " << aCbCrSize.height << "x" << aCbCrSize.width; - return 0; - } -+ -+ if (!gfx::Factory::AllowedSurfaceSize(aYSize) || -+ aCbCrSize.width > aYSize.width || -+ aCbCrSize.height > aYSize.height) { -+ return 0; -+ } -+ - return ComputeOffset(aYSize.height, aYStride) - + 2 * ComputeOffset(aCbCrSize.height, aCbCrStride) - + MOZ_ALIGN_WORD(sizeof(YCbCrBufferInfo)); -diff --git a/gfx/layers/client/TextureClient.cpp b/gfx/layers/client/TextureClient.cpp -index 9b45ca0..6ae7cbf 100644 ---- a/gfx/layers/client/TextureClient.cpp -+++ b/gfx/layers/client/TextureClient.cpp -@@ -315,6 +315,10 @@ TextureClient::CreateForDrawing(ISurfaceAllocator* aAllocator, - aMoz2DBackend = gfxPlatform::GetPlatform()->GetContentBackend(); - } - -+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) { -+ return nullptr; -+ } -+ - RefPtr<TextureClient> texture; - - #if defined(MOZ_WIDGET_GONK) || defined(XP_WIN) -@@ -415,6 +419,10 @@ TextureClient::CreateForRawBufferAccess(ISurfaceAllocator* aAllocator, - TextureFlags aTextureFlags, - TextureAllocationFlags aAllocFlags) - { -+ if (!gfx::Factory::AllowedSurfaceSize(aSize)) { -+ return nullptr; -+ } -+ - RefPtr<BufferTextureClient> texture = - CreateBufferTextureClient(aAllocator, aFormat, - aTextureFlags, aMoz2DBackend); -@@ -434,6 +442,10 @@ TextureClient::CreateForYCbCr(ISurfaceAllocator* aAllocator, - StereoMode aStereoMode, - TextureFlags aTextureFlags) - { -+ if (!gfx::Factory::AllowedSurfaceSize(aYSize)) { -+ return nullptr; -+ } -+ - RefPtr<BufferTextureClient> texture; - if (aAllocator->IsSameProcess()) { - texture = new MemoryTextureClient(aAllocator, gfx::SurfaceFormat::YUV, -diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp -index 41e4b0c..209a0a8 100644 ---- a/gfx/thebes/gfxPlatform.cpp -+++ b/gfx/thebes/gfxPlatform.cpp -@@ -458,13 +458,18 @@ gfxPlatform::Init() - } - gEverInitialized = true; - -- CrashStatsLogForwarder* logForwarder = new CrashStatsLogForwarder("GraphicsCriticalError"); -- mozilla::gfx::Factory::SetLogForwarder(logForwarder); -- - // Initialize the preferences by creating the singleton. - gfxPrefs::GetSingleton(); - -- logForwarder->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength()); -+ auto fwd = new CrashStatsLogForwarder("GraphicsCriticalError"); -+ fwd->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength()); -+ -+ mozilla::gfx::Config cfg; -+ cfg.mLogForwarder = fwd; -+ cfg.mMaxTextureSize = gfxPrefs::MaxTextureSize(); -+ cfg.mMaxAllocSize = gfxPrefs::MaxAllocSize(); -+ -+ gfx::Factory::Init(cfg); - - gGfxPlatformPrefsLock = new Mutex("gfxPlatform::gGfxPlatformPrefsLock"); - -@@ -641,6 +646,8 @@ gfxPlatform::Shutdown() - delete mozilla::gfx::Factory::GetLogForwarder(); - mozilla::gfx::Factory::SetLogForwarder(nullptr); - -+ gfx::Factory::ShutDown(); -+ - delete gGfxPlatformPrefsLock; - - gfxPrefs::DestroySingleton(); -diff --git a/gfx/thebes/gfxPrefs.h b/gfx/thebes/gfxPrefs.h -index b7a5fb9..038e1ff 100644 ---- a/gfx/thebes/gfxPrefs.h -+++ b/gfx/thebes/gfxPrefs.h -@@ -209,6 +209,9 @@ private: - DECL_GFX_PREF(Live, "gfx.layerscope.port", LayerScopePort, int32_t, 23456); - // Note that "gfx.logging.level" is defined in Logging.h - DECL_GFX_PREF(Once, "gfx.logging.crash.length", GfxLoggingCrashLength, uint32_t, 6); -+ // The maximums here are quite conservative, we can tighten them if problems show up. -+ DECL_GFX_PREF(Once, "gfx.max-alloc-size", MaxAllocSize, int32_t, (int32_t)500000000); -+ DECL_GFX_PREF(Once, "gfx.max-texture-size", MaxTextureSize, int32_t, (int32_t)32767); - DECL_GFX_PREF(Live, "gfx.perf-warnings.enabled", PerfWarnings, bool, false); - DECL_GFX_PREF(Once, "gfx.work-around-driver-bugs", WorkAroundDriverBugs, bool, true); - --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch deleted file mode 100644 index 854c91b8aa..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 3f31bf9e243fb3de26e36d6be0bb0153f51c5b2a Mon Sep 17 00:00:00 2001 -From: Jean-Yves Avenard <jyavenard@mozilla.com> -Date: Wed, 9 Dec 2015 09:54:58 +0100 -Subject: [PATCH] Bug 1206211 - P1. Ensure operation can't overflow. - r=kentuckyfriedtakahe, a=sylvestre - ---- - .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -index 22163fa..318152a 100644 ---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -@@ -508,10 +508,13 @@ status_t MPEG4Extractor::readMetaData() { - CHECK_NE(err, (status_t)NO_INIT); - - // copy pssh data into file metadata -- int psshsize = 0; -+ uint64_t psshsize = 0; - for (size_t i = 0; i < mPssh.size(); i++) { - psshsize += 20 + mPssh[i].datalen; - } -+ if (psshsize > kMAX_ALLOCATION) { -+ return ERROR_MALFORMED; -+ } - if (psshsize) { - char *buf = (char*)malloc(psshsize); - char *ptr = buf; --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch deleted file mode 100644 index 20bbd36281..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch +++ /dev/null @@ -1,27 +0,0 @@ -From bb6870bd6dc3acb183f44360c7cc6488656f47ea Mon Sep 17 00:00:00 2001 -From: Jean-Yves Avenard <jyavenard@mozilla.com> -Date: Wed, 9 Dec 2015 09:55:16 +0100 -Subject: [PATCH] Bug 1206211 - P2. Abort on OOM. r=kentuckyfriedtakahe, - a=sylvestre - ---- - .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -index 318152a..c6aaf1d 100644 ---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -@@ -517,6 +517,9 @@ status_t MPEG4Extractor::readMetaData() { - } - if (psshsize) { - char *buf = (char*)malloc(psshsize); -+ if (!buf) { -+ return ERROR_MALFORMED; -+ } - char *ptr = buf; - for (size_t i = 0; i < mPssh.size(); i++) { - memcpy(ptr, mPssh[i].uuid, 20); // uuid + length --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7214.patch b/gnu/packages/patches/icecat-CVE-2015-7214.patch deleted file mode 100644 index 3a56d3d2cd..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7214.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 487799700b0b676c2c6b95ad33c8afb8dbd329d8 Mon Sep 17 00:00:00 2001 -From: Bobby Holley <bobbyholley@gmail.com> -Date: Mon, 14 Dec 2015 15:36:20 -0500 -Subject: [PATCH] Bug 1228950 - Disallow scheme sets on nsHostObjectURI. r=bz, - a=lizzard - ---- - dom/base/nsHostObjectURI.cpp | 9 +++++++++ - dom/base/nsHostObjectURI.h | 2 ++ - 2 files changed, 11 insertions(+) - -diff --git a/dom/base/nsHostObjectURI.cpp b/dom/base/nsHostObjectURI.cpp -index 94b02ff..57b0209 100644 ---- a/dom/base/nsHostObjectURI.cpp -+++ b/dom/base/nsHostObjectURI.cpp -@@ -81,6 +81,15 @@ nsHostObjectURI::Write(nsIObjectOutputStream* aStream) - true); - } - -+NS_IMETHODIMP -+nsHostObjectURI::SetScheme(const nsACString& aScheme) -+{ -+ // Disallow setting the scheme, since that could cause us to be associated -+ // with a different protocol handler that doesn't expect us to be carrying -+ // around a principal with nsIURIWithPrincipal. -+ return NS_ERROR_FAILURE; -+} -+ - // nsIURI methods: - nsresult - nsHostObjectURI::CloneInternal(nsSimpleURI::RefHandlingEnum aRefHandlingMode, -diff --git a/dom/base/nsHostObjectURI.h b/dom/base/nsHostObjectURI.h -index b468d5d..23ff7ab 100644 ---- a/dom/base/nsHostObjectURI.h -+++ b/dom/base/nsHostObjectURI.h -@@ -34,6 +34,8 @@ public: - NS_DECL_NSISERIALIZABLE - NS_DECL_NSICLASSINFO - -+ NS_IMETHOD SetScheme(const nsACString &aProtocol) override; -+ - // Override CloneInternal() and EqualsInternal() - virtual nsresult CloneInternal(RefHandlingEnum aRefHandlingMode, - nsIURI** aClone) override; --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch deleted file mode 100644 index c5d0e4ad60..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch +++ /dev/null @@ -1,112 +0,0 @@ -From 76e6db3e514350fd146cb04425e669d63b59f889 Mon Sep 17 00:00:00 2001 -From: Gerald Squelart <gsquelart@mozilla.com> -Date: Wed, 9 Dec 2015 09:59:37 +0100 -Subject: [PATCH] Bug 1216748 - p2. Handle failed malloc in Metadata storage - - r=rillian, a=sylvestre - ---- - .../av/include/media/stagefright/MetaData.h | 2 +- - .../av/media/libstagefright/MetaData.cpp | 35 ++++++++++++++-------- - 2 files changed, 24 insertions(+), 13 deletions(-) - -diff --git a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h -index 30d969d..0a8ff77 100644 ---- a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h -+++ b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h -@@ -248,7 +248,7 @@ private: - return mSize <= sizeof(u.reservoir); - } - -- void allocateStorage(size_t size); -+ bool allocateStorage(size_t size); - void freeStorage(); - - void *storage() { -diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp -index c832c96..cba324d 100644 ---- a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp -+++ b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp -@@ -220,7 +220,7 @@ bool MetaData::findData(uint32_t key, uint32_t *type, - } - - MetaData::typed_data::typed_data() -- : mType(0), -+ : mType(TYPE_NONE), - mSize(0) { - } - -@@ -231,17 +231,19 @@ MetaData::typed_data::~typed_data() { - MetaData::typed_data::typed_data(const typed_data &from) - : mType(from.mType), - mSize(0) { -- allocateStorage(from.mSize); -- memcpy(storage(), from.storage(), mSize); -+ if (allocateStorage(from.mSize)) { -+ memcpy(storage(), from.storage(), mSize); -+ } - } - - MetaData::typed_data &MetaData::typed_data::operator=( - const MetaData::typed_data &from) { - if (this != &from) { - clear(); -- mType = from.mType; -- allocateStorage(from.mSize); -- memcpy(storage(), from.storage(), mSize); -+ if (allocateStorage(from.mSize)) { -+ mType = from.mType; -+ memcpy(storage(), from.storage(), mSize); -+ } - } - - return *this; -@@ -250,16 +252,17 @@ MetaData::typed_data &MetaData::typed_data::operator=( - void MetaData::typed_data::clear() { - freeStorage(); - -- mType = 0; -+ mType = TYPE_NONE; - } - - void MetaData::typed_data::setData( - uint32_t type, const void *data, size_t size) { - clear(); - -- mType = type; -- allocateStorage(size); -- memcpy(storage(), data, size); -+ if (allocateStorage(size)) { -+ mType = type; -+ memcpy(storage(), data, size); -+ } - } - - void MetaData::typed_data::getData( -@@ -269,14 +272,22 @@ void MetaData::typed_data::getData( - *data = storage(); - } - --void MetaData::typed_data::allocateStorage(size_t size) { -+bool MetaData::typed_data::allocateStorage(size_t size) { -+ // Update mSize now, as it is needed by usesReservoir() below. -+ // (mSize will be reset if the allocation fails further below.) - mSize = size; - - if (usesReservoir()) { -- return; -+ return true; - } - - u.ext_data = malloc(mSize); -+ if (!u.ext_data) { -+ mType = TYPE_NONE; -+ mSize = 0; -+ return false; -+ } -+ return true; - } - - void MetaData::typed_data::freeStorage() { --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch deleted file mode 100644 index 688d7f903f..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch +++ /dev/null @@ -1,34 +0,0 @@ -From 63c353cf8ec6b787936f602532026bd9923a16e4 Mon Sep 17 00:00:00 2001 -From: Gerald Squelart <gsquelart@mozilla.com> -Date: Wed, 9 Dec 2015 10:00:13 +0100 -Subject: [PATCH] Bug 1216748 - p3. Ensure 'covr' data size cannot create - underflow - r=rillian, a=sylvestre - ---- - .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -index c6aaf1d..a69fc14 100644 ---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -@@ -1889,12 +1889,15 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) { - if (mFileMetaData != NULL) { - ALOGV("chunk_data_size = %lld and data_offset = %lld", - chunk_data_size, data_offset); -+ const int kSkipBytesOfDataBox = 16; -+ if (chunk_data_size <= kSkipBytesOfDataBox) { -+ return ERROR_MALFORMED; -+ } - sp<ABuffer> buffer = new ABuffer(chunk_data_size + 1); - if (mDataSource->readAt( - data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) { - return ERROR_IO; - } -- const int kSkipBytesOfDataBox = 16; - mFileMetaData->setData( - kKeyAlbumArt, MetaData::TYPE_NONE, - buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox); --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch deleted file mode 100644 index 2f3c95623d..0000000000 --- a/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 0221ef0c389bff196ff59fa18232467d3648b926 Mon Sep 17 00:00:00 2001 -From: Gerald Squelart <gsquelart@mozilla.com> -Date: Wed, 9 Dec 2015 10:00:32 +0100 -Subject: [PATCH] Bug 1216748 - p4. Check other Metadata::setData uses - - r=rillian, a=sylvestre - -Found only one other use that needed better checks: the size of the pssh -data was only checked after all items were added up; so it would be -possible to create a set of big items such that they create an overflow, -but the final sum looks reasonable. -Instead each item size should be checked, and the sum should also be -checked at each step. ---- - .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -index a69fc14..413a495 100644 ---- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -+++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp -@@ -511,9 +511,10 @@ status_t MPEG4Extractor::readMetaData() { - uint64_t psshsize = 0; - for (size_t i = 0; i < mPssh.size(); i++) { - psshsize += 20 + mPssh[i].datalen; -- } -- if (psshsize > kMAX_ALLOCATION) { -- return ERROR_MALFORMED; -+ if (mPssh[i].datalen > kMAX_ALLOCATION - 20 || -+ psshsize > kMAX_ALLOCATION) { -+ return ERROR_MALFORMED; -+ } - } - if (psshsize) { - char *buf = (char*)malloc(psshsize); --- -2.6.3 - diff --git a/gnu/packages/patches/icecat-freetype-2.6.patch b/gnu/packages/patches/icecat-freetype-2.6.patch deleted file mode 100644 index ef69f2f715..0000000000 --- a/gnu/packages/patches/icecat-freetype-2.6.patch +++ /dev/null @@ -1,14 +0,0 @@ -Adapt to freetype 2.6. This patch copied from upstream, see: -https://bugzilla.mozilla.org/show_bug.cgi?id=1143411 -https://hg.mozilla.org/mozilla-central/rev/afd840d66e6a - ---- a/config/system-headers -+++ b/config/system-headers -@@ -415,6 +415,7 @@ freetype/ftbitmap.h - freetype/ftxf86.h - freetype.h - ftcache.h -+ftfntfmt.h - ftglyph.h - ftsynth.h - ftoutln.h |