aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-02-26 00:16:07 -0500
committerMark H Weaver <mhw@netris.org>2015-02-26 00:39:31 -0500
commit8830740643397d8d38e018c728ed62d0bcb4c310 (patch)
tree5f8b08f0bdd0f5b5041e8b4dbd0e788b69c978ea /gnu/packages/patches
parent5be2f8844dba4aab0c134f61a830acb16b56d2c5 (diff)
downloadguix-8830740643397d8d38e018c728ed62d0bcb4c310.tar.gz
guix-8830740643397d8d38e018c728ed62d0bcb4c310.zip
gnu: icecat: Apply fixes for CVE-2015-{0822,0827,0831,0836}.
* gnu/packages/patches/icecat-CVE-2015-0822.patch, gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch, gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch, gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch, gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch, gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch, gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch: New files. * gnu-system.am (dist_patch_DATA): Add them. * gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0822.patch154
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch33
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch35
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch56
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch32
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch26
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch26
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch27
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch220
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch89
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch25
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch41
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch54
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch53
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch52
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch219
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch104
17 files changed, 1246 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-0822.patch b/gnu/packages/patches/icecat-CVE-2015-0822.patch
new file mode 100644
index 0000000000..2625151453
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0822.patch
@@ -0,0 +1,154 @@
+From 0922145c255bf2503d3b2dd5f8f1e813338ba990 Mon Sep 17 00:00:00 2001
+From: Mats Palmgren <mats@mozilla.com>
+Date: Sat, 24 Jan 2015 12:37:47 -0500
+Subject: [PATCH] Bug 1110557. r=mak, r=gavin, a=bkerensa
+
+---
+ .../components/satchel/nsFormFillController.cpp | 67 +++++++++++++++-------
+ toolkit/components/satchel/nsFormFillController.h | 5 ++
+ 2 files changed, 52 insertions(+), 20 deletions(-)
+
+diff --git a/toolkit/components/satchel/nsFormFillController.cpp b/toolkit/components/satchel/nsFormFillController.cpp
+index 315fc68..676ad84 100644
+--- a/toolkit/components/satchel/nsFormFillController.cpp
++++ b/toolkit/components/satchel/nsFormFillController.cpp
+@@ -61,6 +61,7 @@ nsFormFillController::nsFormFillController() :
+ mSuppressOnInput(false)
+ {
+ mController = do_GetService("@mozilla.org/autocomplete/controller;1");
++ MOZ_ASSERT(mController);
+ }
+
+ struct PwmgrInputsEnumData
+@@ -104,6 +105,21 @@ nsFormFillController::AttributeChanged(nsIDocument* aDocument,
+ int32_t aNameSpaceID,
+ nsIAtom* aAttribute, int32_t aModType)
+ {
++ if ((aAttribute == nsGkAtoms::type || aAttribute == nsGkAtoms::readonly ||
++ aAttribute == nsGkAtoms::autocomplete) &&
++ aNameSpaceID == kNameSpaceID_None) {
++ nsCOMPtr<nsIDOMHTMLInputElement> focusedInput(mFocusedInput);
++ // Reset the current state of the controller, unconditionally.
++ StopControllingInput();
++ // Then restart based on the new values. We have to delay this
++ // to avoid ending up in an endless loop due to re-registering our
++ // mutation observer (which would notify us again for *this* event).
++ nsCOMPtr<nsIRunnable> event =
++ NS_NewRunnableMethodWithArg<nsCOMPtr<nsIDOMHTMLInputElement>>
++ (this, &nsFormFillController::MaybeStartControllingInput, focusedInput);
++ NS_DispatchToCurrentThread(event);
++ }
++
+ if (mListNode && mListNode->Contains(aElement)) {
+ RevalidateDataList();
+ }
+@@ -841,28 +857,26 @@ nsFormFillController::RemoveForDocumentEnumerator(const nsINode* aKey,
+ return PL_DHASH_NEXT;
+ }
+
+-nsresult
+-nsFormFillController::Focus(nsIDOMEvent* aEvent)
++void
++nsFormFillController::MaybeStartControllingInput(nsIDOMHTMLInputElement* aInput)
+ {
+- nsCOMPtr<nsIDOMHTMLInputElement> input = do_QueryInterface(
+- aEvent->InternalDOMEvent()->GetTarget());
+- nsCOMPtr<nsINode> inputNode = do_QueryInterface(input);
++ nsCOMPtr<nsINode> inputNode = do_QueryInterface(aInput);
+ if (!inputNode)
+- return NS_OK;
++ return;
+
+- nsCOMPtr<nsIFormControl> formControl = do_QueryInterface(input);
++ nsCOMPtr<nsIFormControl> formControl = do_QueryInterface(aInput);
+ if (!formControl || !formControl->IsSingleLineTextControl(true))
+- return NS_OK;
++ return;
+
+ bool isReadOnly = false;
+- input->GetReadOnly(&isReadOnly);
++ aInput->GetReadOnly(&isReadOnly);
+ if (isReadOnly)
+- return NS_OK;
++ return;
+
+- bool autocomplete = nsContentUtils::IsAutocompleteEnabled(input);
++ bool autocomplete = nsContentUtils::IsAutocompleteEnabled(aInput);
+
+ nsCOMPtr<nsIDOMHTMLElement> datalist;
+- input->GetList(getter_AddRefs(datalist));
++ aInput->GetList(getter_AddRefs(datalist));
+ bool hasList = datalist != nullptr;
+
+ bool dummy;
+@@ -871,9 +885,16 @@ nsFormFillController::Focus(nsIDOMEvent* aEvent)
+ isPwmgrInput = true;
+
+ if (isPwmgrInput || hasList || autocomplete) {
+- StartControllingInput(input);
++ StartControllingInput(aInput);
+ }
++}
+
++nsresult
++nsFormFillController::Focus(nsIDOMEvent* aEvent)
++{
++ nsCOMPtr<nsIDOMHTMLInputElement> input = do_QueryInterface(
++ aEvent->InternalDOMEvent()->GetTarget());
++ MaybeStartControllingInput(input);
+ return NS_OK;
+ }
+
+@@ -1087,6 +1108,10 @@ nsFormFillController::StartControllingInput(nsIDOMHTMLInputElement *aInput)
+ // Make sure we're not still attached to an input
+ StopControllingInput();
+
++ if (!mController) {
++ return;
++ }
++
+ // Find the currently focused docShell
+ nsCOMPtr<nsIDocShell> docShell = GetDocShellForInput(aInput);
+ int32_t index = GetIndexOfDocShell(docShell);
+@@ -1129,13 +1154,15 @@ nsFormFillController::StopControllingInput()
+ mListNode = nullptr;
+ }
+
+- // Reset the controller's input, but not if it has been switched
+- // to another input already, which might happen if the user switches
+- // focus by clicking another autocomplete textbox
+- nsCOMPtr<nsIAutoCompleteInput> input;
+- mController->GetInput(getter_AddRefs(input));
+- if (input == this)
+- mController->SetInput(nullptr);
++ if (mController) {
++ // Reset the controller's input, but not if it has been switched
++ // to another input already, which might happen if the user switches
++ // focus by clicking another autocomplete textbox
++ nsCOMPtr<nsIAutoCompleteInput> input;
++ mController->GetInput(getter_AddRefs(input));
++ if (input == this)
++ mController->SetInput(nullptr);
++ }
+
+ if (mFocusedInputNode) {
+ MaybeRemoveMutationObserver(mFocusedInputNode);
+diff --git a/toolkit/components/satchel/nsFormFillController.h b/toolkit/components/satchel/nsFormFillController.h
+index b60d28d..8c3ba26 100644
+--- a/toolkit/components/satchel/nsFormFillController.h
++++ b/toolkit/components/satchel/nsFormFillController.h
+@@ -62,6 +62,11 @@ protected:
+
+ void StartControllingInput(nsIDOMHTMLInputElement *aInput);
+ void StopControllingInput();
++ /**
++ * Checks that aElement is a type of element we want to fill, then calls
++ * StartControllingInput on it.
++ */
++ void MaybeStartControllingInput(nsIDOMHTMLInputElement* aElement);
+
+ nsresult PerformInputListAutoComplete(nsIAutoCompleteResult* aPreviousResult);
+
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch b/gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch
new file mode 100644
index 0000000000..c57da755d1
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0827-pt-1.patch
@@ -0,0 +1,33 @@
+From 28b6204b1421aa57b3c10c43d90cb516910bc80f Mon Sep 17 00:00:00 2001
+From: Markus Stange <mstange@themasta.com>
+Date: Tue, 6 Jan 2015 12:08:39 +0100
+Subject: [PATCH] Bug 1117304 - Also do the checks at the start of CopyRect in
+ release builds. r=Bas, a=sledru
+
+---
+ gfx/2d/FilterNodeSoftware.cpp | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp
+index 00d790f..396d0da 100644
+--- a/gfx/2d/FilterNodeSoftware.cpp
++++ b/gfx/2d/FilterNodeSoftware.cpp
+@@ -253,9 +253,12 @@ CopyRect(DataSourceSurface* aSrc, DataSourceSurface* aDest,
+ MOZ_CRASH("we should never be getting invalid rects at this point");
+ }
+
+- MOZ_ASSERT(aSrc->GetFormat() == aDest->GetFormat(), "different surface formats");
+- MOZ_ASSERT(IntRect(IntPoint(), aSrc->GetSize()).Contains(aSrcRect), "source rect too big for source surface");
+- MOZ_ASSERT(IntRect(IntPoint(), aDest->GetSize()).Contains(aSrcRect - aSrcRect.TopLeft() + aDestPoint), "dest surface too small");
++ MOZ_RELEASE_ASSERT(aSrc->GetFormat() == aDest->GetFormat(),
++ "different surface formats");
++ MOZ_RELEASE_ASSERT(IntRect(IntPoint(), aSrc->GetSize()).Contains(aSrcRect),
++ "source rect too big for source surface");
++ MOZ_RELEASE_ASSERT(IntRect(IntPoint(), aDest->GetSize()).Contains(IntRect(aDestPoint, aSrcRect.Size())),
++ "dest surface too small");
+
+ if (aSrcRect.IsEmpty()) {
+ return;
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch b/gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch
new file mode 100644
index 0000000000..1ff68f4b4c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0827-pt-2.patch
@@ -0,0 +1,35 @@
+From 5ff75fbe51d5760a96b4e614617c9cbf35f1fbaa Mon Sep 17 00:00:00 2001
+From: Markus Stange <mstange@themasta.com>
+Date: Mon, 5 Jan 2015 18:40:27 +0100
+Subject: [PATCH] Bug 1117304 - Make sure the tile filter doesn't call CopyRect
+ on surfaces with different formats. r=Bas, a=sledru
+
+---
+ gfx/2d/FilterNodeSoftware.cpp | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp
+index 396d0da..10d92c6 100644
+--- a/gfx/2d/FilterNodeSoftware.cpp
++++ b/gfx/2d/FilterNodeSoftware.cpp
+@@ -1568,7 +1568,16 @@ FilterNodeTileSoftware::Render(const IntRect& aRect)
+ return nullptr;
+ }
+ }
+- MOZ_ASSERT(input->GetFormat() == target->GetFormat(), "different surface formats from the same input?");
++
++ if (input->GetFormat() != target->GetFormat()) {
++ // Different rectangles of the input can have different formats. If
++ // that happens, just convert everything to B8G8R8A8.
++ target = FilterProcessing::ConvertToB8G8R8A8(target);
++ input = FilterProcessing::ConvertToB8G8R8A8(input);
++ if (MOZ2D_WARN_IF(!target) || MOZ2D_WARN_IF(!input)) {
++ return nullptr;
++ }
++ }
+
+ CopyRect(input, target, srcRect - srcRect.TopLeft(), destRect.TopLeft() - aRect.TopLeft());
+ }
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch b/gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch
new file mode 100644
index 0000000000..8d40126849
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0827-pt-3.patch
@@ -0,0 +1,56 @@
+From c91087708686ae1c47abee65e19536688e5ec8f2 Mon Sep 17 00:00:00 2001
+From: Ryan VanderMeulen <ryanvm@gmail.com>
+Date: Mon, 26 Jan 2015 17:24:46 -0500
+Subject: [PATCH] Bug 1117304 - Add missing MOZ2D_WARN_IF definition to fix
+ bustage. r=milan, a=bustage
+
+---
+ gfx/2d/FilterNodeSoftware.cpp | 1 +
+ gfx/2d/Logging.h | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+)
+
+diff --git a/gfx/2d/FilterNodeSoftware.cpp b/gfx/2d/FilterNodeSoftware.cpp
+index 10d92c6..48bf162 100644
+--- a/gfx/2d/FilterNodeSoftware.cpp
++++ b/gfx/2d/FilterNodeSoftware.cpp
+@@ -12,6 +12,7 @@
+ #include "Blur.h"
+ #include <map>
+ #include "FilterProcessing.h"
++#include "Logging.h"
+ #include "mozilla/PodOperations.h"
+ #include "mozilla/DebugOnly.h"
+
+diff --git a/gfx/2d/Logging.h b/gfx/2d/Logging.h
+index 85e788c..d7728bb 100644
+--- a/gfx/2d/Logging.h
++++ b/gfx/2d/Logging.h
+@@ -155,6 +155,25 @@ typedef Log<LOG_WARNING> WarningLog;
+ #define gfxWarning if (1) ; else NoLog
+ #endif
+
++// See nsDebug.h and the NS_WARN_IF macro
++
++#ifdef __cplusplus
++#ifdef DEBUG
++inline bool MOZ2D_warn_if_impl(bool aCondition, const char* aExpr,
++ const char* aFile, int32_t aLine)
++{
++ if (MOZ_UNLIKELY(aCondition)) {
++ gfxWarning() << aExpr << " at " << aFile << ":" << aLine;
++ }
++ return aCondition;
++}
++#define MOZ2D_WARN_IF(condition) \
++ MOZ2D_warn_if_impl(condition, #condition, __FILE__, __LINE__)
++#else
++#define MOZ2D_WARN_IF(condition) (bool)(condition)
++#endif
++#endif
++
+ const int INDENT_PER_LEVEL = 2;
+
+ class TreeLog
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch b/gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch
new file mode 100644
index 0000000000..c04d604923
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0831-pt-1.patch
@@ -0,0 +1,32 @@
+From c8437505a63fc2b2552b8af217d60d79abb92ba3 Mon Sep 17 00:00:00 2001
+From: Ben Turner <bent.mozilla@gmail.com>
+Date: Fri, 6 Feb 2015 15:25:33 -0800
+Subject: [PATCH] Bug 1130541. r=janv, a=sledru
+
+---
+ dom/indexedDB/IDBDatabase.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/dom/indexedDB/IDBDatabase.cpp b/dom/indexedDB/IDBDatabase.cpp
+index 7329cec..c9c7e4f 100644
+--- a/dom/indexedDB/IDBDatabase.cpp
++++ b/dom/indexedDB/IDBDatabase.cpp
+@@ -536,6 +536,7 @@ IDBDatabase::CreateObjectStore(
+ IDBTransaction* transaction = AsyncConnectionHelper::GetCurrentTransaction();
+
+ if (!transaction ||
++ transaction->Database() != this ||
+ transaction->GetMode() != IDBTransaction::VERSION_CHANGE) {
+ aRv.Throw(NS_ERROR_DOM_INDEXEDDB_NOT_ALLOWED_ERR);
+ return nullptr;
+@@ -577,6 +578,7 @@ IDBDatabase::DeleteObjectStore(const nsAString& aName, ErrorResult& aRv)
+ IDBTransaction* transaction = AsyncConnectionHelper::GetCurrentTransaction();
+
+ if (!transaction ||
++ transaction->Database() != this ||
+ transaction->GetMode() != IDBTransaction::VERSION_CHANGE) {
+ aRv.Throw(NS_ERROR_DOM_INDEXEDDB_NOT_ALLOWED_ERR);
+ return;
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch b/gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch
new file mode 100644
index 0000000000..9510cd611f
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0831-pt-2.patch
@@ -0,0 +1,26 @@
+From 4e799e44288c951f8d9acd17e7d8c56c9ee6a7d3 Mon Sep 17 00:00:00 2001
+From: Ben Turner <bent.mozilla@gmail.com>
+Date: Mon, 9 Feb 2015 14:38:26 -0800
+Subject: [PATCH] Bug 1130541 followup a=test-only
+
+--HG--
+extra : amend_source : 23d80353f87897fdac9c99048d12ebe4ed390f76
+---
+ dom/indexedDB/test/browser_quotaPrompt.html | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/dom/indexedDB/test/browser_quotaPrompt.html b/dom/indexedDB/test/browser_quotaPrompt.html
+index c139970..dbeea68 100644
+--- a/dom/indexedDB/test/browser_quotaPrompt.html
++++ b/dom/indexedDB/test/browser_quotaPrompt.html
+@@ -38,6 +38,7 @@
+ let request = indexedDB.open(window.location.pathname, version++);
+ request.onerror = errorHandler;
+ request.onupgradeneeded = function(event) {
++ let db = event.target.result;
+ db.deleteObjectStore("foo");
+ db.onversionchange = function () { db.close(); };
+ request.transaction.oncomplete = function(event) {
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch
new file mode 100644
index 0000000000..f6e2756054
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-01.patch
@@ -0,0 +1,26 @@
+From 4106ffa6ee83b814428bb07948b3595e3fa3847e Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij@mozilla.com>
+Date: Tue, 10 Feb 2015 09:40:46 +0100
+Subject: [PATCH] Bug 1128196 - Don't relazify scripts with a TypeScript.
+ r=till, a=lmandel
+
+---
+ js/src/jsscript.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/js/src/jsscript.h b/js/src/jsscript.h
+index 4d548ef..9a0cfbb 100644
+--- a/js/src/jsscript.h
++++ b/js/src/jsscript.h
+@@ -1251,7 +1251,7 @@ class JSScript : public js::gc::BarrieredCell<JSScript>
+ }
+
+ bool isRelazifiable() const {
+- return (selfHosted() || lazyScript) &&
++ return (selfHosted() || lazyScript) && !types &&
+ !isGenerator() && !hasBaselineScript() && !hasAnyIonScript() && !hasBeenInlined();
+ }
+ void setLazyScript(js::LazyScript *lazy) {
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch
new file mode 100644
index 0000000000..c95cf23a29
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-02.patch
@@ -0,0 +1,27 @@
+From 83c4bfeea2d2203f726e3bfcb7ee6fe56b4d9703 Mon Sep 17 00:00:00 2001
+From: Ryan VanderMeulen <ryanvm@gmail.com>
+Date: Thu, 29 Jan 2015 10:31:25 -0500
+Subject: [PATCH] Bug 1111248. r=Waldo, a=sledru
+
+---
+ js/src/jsbool.cpp | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/js/src/jsbool.cpp b/js/src/jsbool.cpp
+index 5d88bd5..8d5d672 100644
+--- a/js/src/jsbool.cpp
++++ b/js/src/jsbool.cpp
+@@ -198,7 +198,8 @@ js::ToBooleanSlow(HandleValue v)
+ bool
+ js::BooleanGetPrimitiveValueSlow(HandleObject wrappedBool)
+ {
+- JSObject *obj = wrappedBool->as<ProxyObject>().target();
+- JS_ASSERT(obj);
++ JSObject *obj = CheckedUnwrap(wrappedBool);
++ if (!obj || !obj->is<BooleanObject>())
++ return false;
+ return obj->as<BooleanObject>().unbox();
+ }
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch
new file mode 100644
index 0000000000..115cd76201
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch
@@ -0,0 +1,220 @@
+From 4e4e34238e5bb5af83a645a5f4d2097e3b30e9dd Mon Sep 17 00:00:00 2001
+From: Tom Schuster <evilpies@gmail.com>
+Date: Sun, 25 Jan 2015 21:42:10 +0100
+Subject: [PATCH] Bug 1111243 - Implement ES6 proxy behavior for IsArray.
+ r=efaust, a=abillings
+
+---
+ browser/devtools/app-manager/app-projects.js | 2 ++
+ js/public/Class.h | 5 +++-
+ js/src/jsarray.cpp | 9 ++++--
+ js/src/jsobjinlines.h | 15 +++++++++-
+ js/src/json.cpp | 11 +++----
+ js/src/jsproxy.cpp | 45 ++++++++++++++++++++++++++++
+ 6 files changed, 78 insertions(+), 9 deletions(-)
+
+diff --git a/browser/devtools/app-manager/app-projects.js b/browser/devtools/app-manager/app-projects.js
+index d09f72f..77ca67b 100644
+--- a/browser/devtools/app-manager/app-projects.js
++++ b/browser/devtools/app-manager/app-projects.js
+@@ -61,6 +61,8 @@ const IDB = {
+ add: function(project) {
+ let deferred = promise.defer();
+
++ project = JSON.parse(JSON.stringify(project));
++
+ if (!project.location) {
+ // We need to make sure this object has a `.location` property.
+ deferred.reject("Missing location property on project object.");
+diff --git a/js/public/Class.h b/js/public/Class.h
+index ff864b1..46f7d39 100644
+--- a/js/public/Class.h
++++ b/js/public/Class.h
+@@ -521,7 +521,10 @@ Valueify(const JSClass *c)
+ */
+ enum ESClassValue {
+ ESClass_Array, ESClass_Number, ESClass_String, ESClass_Boolean,
+- ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date
++ ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date,
++ // Special snowflake for the ES6 IsArray method.
++ // Please don't use it without calling that function.
++ ESClass_IsArray
+ };
+
+ /*
+diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
+index 24da176..46f1c20 100644
+--- a/js/src/jsarray.cpp
++++ b/js/src/jsarray.cpp
+@@ -2645,7 +2645,8 @@ js::array_concat(JSContext *cx, unsigned argc, Value *vp)
+ HandleValue v = HandleValue::fromMarkedLocation(&p[i]);
+ if (v.isObject()) {
+ RootedObject obj(cx, &v.toObject());
+- if (ObjectClassIs(obj, ESClass_Array, cx)) {
++ // This should be IsConcatSpreadable
++ if (IsArray(obj, cx)) {
+ uint32_t alength;
+ if (!GetLengthProperty(cx, obj, &alength))
+ return false;
+@@ -2870,7 +2871,11 @@ static bool
+ array_isArray(JSContext *cx, unsigned argc, Value *vp)
+ {
+ CallArgs args = CallArgsFromVp(argc, vp);
+- bool isArray = args.length() > 0 && IsObjectWithClass(args[0], ESClass_Array, cx);
++ bool isArray = false;
++ if (args.get(0).isObject()) {
++ RootedObject obj(cx, &args[0].toObject());
++ isArray = IsArray(obj, cx);
++ }
+ args.rval().setBoolean(isArray);
+ return true;
+ }
+diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h
+index e848ba7..557dd26 100644
+--- a/js/src/jsobjinlines.h
++++ b/js/src/jsobjinlines.h
+@@ -1032,7 +1032,10 @@ ObjectClassIs(HandleObject obj, ESClassValue classValue, JSContext *cx)
+ return Proxy::objectClassIs(obj, classValue, cx);
+
+ switch (classValue) {
+- case ESClass_Array: return obj->is<ArrayObject>();
++ case ESClass_Array:
++ case ESClass_IsArray:
++ // There difference between those is only relevant for proxies.
++ return obj->is<ArrayObject>();
+ case ESClass_Number: return obj->is<NumberObject>();
+ case ESClass_String: return obj->is<StringObject>();
+ case ESClass_Boolean: return obj->is<BooleanObject>();
+@@ -1053,6 +1056,16 @@ IsObjectWithClass(const Value &v, ESClassValue classValue, JSContext *cx)
+ return ObjectClassIs(obj, classValue, cx);
+ }
+
++// ES6 7.2.2
++inline bool
++IsArray(HandleObject obj, JSContext *cx)
++{
++ if (obj->is<ArrayObject>())
++ return true;
++
++ return ObjectClassIs(obj, ESClass_IsArray, cx);
++}
++
+ static MOZ_ALWAYS_INLINE bool
+ NewObjectMetadata(ExclusiveContext *cxArg, JSObject **pmetadata)
+ {
+diff --git a/js/src/json.cpp b/js/src/json.cpp
+index 6e45bfd..81a99a6 100644
+--- a/js/src/json.cpp
++++ b/js/src/json.cpp
+@@ -300,7 +300,7 @@ JO(JSContext *cx, HandleObject obj, StringifyContext *scx)
+ Maybe<AutoIdVector> ids;
+ const AutoIdVector *props;
+ if (scx->replacer && !scx->replacer->isCallable()) {
+- JS_ASSERT(JS_IsArrayObject(cx, scx->replacer));
++ JS_ASSERT(IsArray(scx->replacer, cx));
+ props = &scx->propertyList;
+ } else {
+ JS_ASSERT_IF(scx->replacer, scx->propertyList.length() == 0);
+@@ -488,7 +488,7 @@ Str(JSContext *cx, const Value &v, StringifyContext *scx)
+
+ scx->depth++;
+ bool ok;
+- if (ObjectClassIs(obj, ESClass_Array, cx))
++ if (IsArray(obj, cx))
+ ok = JA(cx, obj, scx);
+ else
+ ok = JO(cx, obj, scx);
+@@ -510,7 +510,7 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp
+ if (replacer) {
+ if (replacer->isCallable()) {
+ /* Step 4a(i): use replacer to transform values. */
+- } else if (ObjectClassIs(replacer, ESClass_Array, cx)) {
++ } else if (IsArray(replacer, cx)) {
+ /*
+ * Step 4b: The spec algorithm is unhelpfully vague about the exact
+ * steps taken when the replacer is an array, regarding the exact
+@@ -541,7 +541,8 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp
+
+ /* Step 4b(ii). */
+ uint32_t len;
+- JS_ALWAYS_TRUE(GetLengthProperty(cx, replacer, &len));
++ if (!GetLengthProperty(cx, replacer, &len))
++ return false;
+ if (replacer->is<ArrayObject>() && !replacer->isIndexed())
+ len = Min(len, replacer->getDenseInitializedLength());
+
+@@ -678,7 +679,7 @@ Walk(JSContext *cx, HandleObject holder, HandleId name, HandleValue reviver, Mut
+ if (val.isObject()) {
+ RootedObject obj(cx, &val.toObject());
+
+- if (ObjectClassIs(obj, ESClass_Array, cx)) {
++ if (IsArray(obj, cx)) {
+ /* Step 2a(ii). */
+ uint32_t length;
+ if (!GetLengthProperty(cx, obj, &length))
+diff --git a/js/src/jsproxy.cpp b/js/src/jsproxy.cpp
+index 7644da1..7453103 100644
+--- a/js/src/jsproxy.cpp
++++ b/js/src/jsproxy.cpp
+@@ -1108,6 +1108,14 @@ class ScriptedDirectProxyHandler : public DirectProxyHandler {
+ virtual bool isExtensible(JSContext *cx, HandleObject proxy, bool *extensible) MOZ_OVERRIDE;
+
+ /* Spidermonkey extensions. */
++ // A scripted proxy should not be treated as generic in most contexts.
++ virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
++ CallArgs args) MOZ_OVERRIDE;
++ virtual bool objectClassIs(HandleObject obj, ESClassValue classValue,
++ JSContext *cx) MOZ_OVERRIDE;
++ virtual bool regexp_toShared(JSContext *cx, HandleObject proxy,
++ RegExpGuard *g) MOZ_OVERRIDE;
++
+ virtual bool call(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE;
+ virtual bool construct(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE;
+ virtual bool isScripted() MOZ_OVERRIDE { return true; }
+@@ -2350,6 +2358,43 @@ ScriptedDirectProxyHandler::construct(JSContext *cx, HandleObject proxy, const C
+ return true;
+ }
+
++bool
++ScriptedDirectProxyHandler::nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
++ CallArgs args)
++{
++ ReportIncompatible(cx, args);
++ return false;
++}
++
++bool
++ScriptedDirectProxyHandler::objectClassIs(HandleObject proxy, ESClassValue classValue,
++ JSContext *cx)
++{
++ // Special case IsArray. In every other instance ES wants to have exactly
++ // one object type and not a proxy around it, so return false.
++ if (classValue != ESClass_IsArray)
++ return false;
++
++ // In ES6 IsArray is supposed to poke at the Proxy target, instead we do this here.
++ // The reason for this is that we have proxies for which looking at the target might
++ // be impossible. So instead we use our little objectClassIs function that just works
++ // already across different wrappers.
++ RootedObject target(cx, proxy->as<ProxyObject>().target());
++ if (!target)
++ return false;
++
++ return IsArray(target, cx);
++}
++
++bool
++ScriptedDirectProxyHandler::regexp_toShared(JSContext *cx, HandleObject proxy,
++ RegExpGuard *g)
++{
++ MOZ_CRASH("Should not end up in ScriptedDirectProxyHandler::regexp_toShared");
++ return false;
++}
++
++
+ ScriptedDirectProxyHandler ScriptedDirectProxyHandler::singleton;
+
+ #define INVOKE_ON_PROTOTYPE(cx, handler, proxy, protoCall) \
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch
new file mode 100644
index 0000000000..58e61d080c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch
@@ -0,0 +1,89 @@
+From 97ba04bf95606b409b1b3035504a41c274ecffe2 Mon Sep 17 00:00:00 2001
+From: Shu-yu Guo <shu@rfrn.org>
+Date: Mon, 26 Jan 2015 18:26:25 -0800
+Subject: [PATCH] Bug 1119579 - Don't GC while iterating compartments in
+ findAllGlobals. r=sfink, a=abillings
+
+---
+ js/src/vm/Debugger.cpp | 56 ++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 34 insertions(+), 22 deletions(-)
+
+diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp
+index 27e993d..a8decef 100644
+--- a/js/src/vm/Debugger.cpp
++++ b/js/src/vm/Debugger.cpp
+@@ -2825,37 +2825,49 @@ Debugger::findAllGlobals(JSContext *cx, unsigned argc, Value *vp)
+ {
+ THIS_DEBUGGER(cx, argc, vp, "findAllGlobals", args, dbg);
+
+- RootedObject result(cx, NewDenseEmptyArray(cx));
+- if (!result)
+- return false;
++ AutoObjectVector globals(cx);
+
+- for (CompartmentsIter c(cx->runtime(), SkipAtoms); !c.done(); c.next()) {
+- if (c->options().invisibleToDebugger())
+- continue;
++ {
++ // Accumulate the list of globals before wrapping them, because
++ // wrapping can GC and collect compartments from under us, while
++ // iterating.
+
+- c->zone()->scheduledForDestruction = false;
++ for (CompartmentsIter c(cx->runtime(), SkipAtoms); !c.done(); c.next()) {
++ if (c->options().invisibleToDebugger())
++ continue;
+
+- GlobalObject *global = c->maybeGlobal();
++ c->zone()->scheduledForDestruction = false;
+
+- if (cx->runtime()->isSelfHostingGlobal(global))
+- continue;
++ GlobalObject *global = c->maybeGlobal();
+
+- if (global) {
+- /*
+- * We pulled |global| out of nowhere, so it's possible that it was
+- * marked gray by XPConnect. Since we're now exposing it to JS code,
+- * we need to mark it black.
+- */
+- JS::ExposeGCThingToActiveJS(global, JSTRACE_OBJECT);
++ if (cx->runtime()->isSelfHostingGlobal(global))
++ continue;
+
+- RootedValue globalValue(cx, ObjectValue(*global));
+- if (!dbg->wrapDebuggeeValue(cx, &globalValue))
+- return false;
+- if (!NewbornArrayPush(cx, result, globalValue))
+- return false;
++ if (global) {
++ /*
++ * We pulled |global| out of nowhere, so it's possible that it was
++ * marked gray by XPConnect. Since we're now exposing it to JS code,
++ * we need to mark it black.
++ */
++ JS::ExposeGCThingToActiveJS(global, JSTRACE_OBJECT);
++ if (!globals.append(global))
++ return false;
++ }
+ }
+ }
+
++ RootedObject result(cx, NewDenseEmptyArray(cx));
++ if (!result)
++ return false;
++
++ for (size_t i = 0; i < globals.length(); i++) {
++ RootedValue globalValue(cx, ObjectValue(*globals[i]));
++ if (!dbg->wrapDebuggeeValue(cx, &globalValue))
++ return false;
++ if (!NewbornArrayPush(cx, result, globalValue))
++ return false;
++ }
++
+ args.rval().setObject(*result);
+ return true;
+ }
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch
new file mode 100644
index 0000000000..3e4ed17598
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-05.patch
@@ -0,0 +1,25 @@
+From 746ddf19ff532b8abc90d3a91322a04b462ebfa8 Mon Sep 17 00:00:00 2001
+From: Brian Hackett <bhackett1024@gmail.com>
+Date: Mon, 26 Jan 2015 13:14:34 -0500
+Subject: [PATCH] Bug 1124018 - Null the allocation site table if
+ initialization fails. r=jonco, a=bkerensa
+
+---
+ js/src/jsinfer.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/js/src/jsinfer.cpp b/js/src/jsinfer.cpp
+index b62ad1f..4019b16 100644
+--- a/js/src/jsinfer.cpp
++++ b/js/src/jsinfer.cpp
+@@ -2035,6 +2035,7 @@ TypeCompartment::addAllocationSiteTypeObject(JSContext *cx, AllocationSiteKey ke
+ allocationSiteTable = cx->new_<AllocationSiteTable>();
+ if (!allocationSiteTable || !allocationSiteTable->init()) {
+ js_delete(allocationSiteTable);
++ allocationSiteTable = nullptr;
+ return nullptr;
+ }
+ }
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch
new file mode 100644
index 0000000000..181f9243e3
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-06.patch
@@ -0,0 +1,41 @@
+From 0758363d982b0b3e6cf021c164715a028a345b9e Mon Sep 17 00:00:00 2001
+From: "Byron Campen [:bwc]" <docfaraday@gmail.com>
+Date: Wed, 21 Jan 2015 08:56:36 -0800
+Subject: [PATCH] Bug 1123882 - Fix case where offset != 0. r=derf, a=bkerensa
+
+---
+ content/media/MediaDecoderStateMachine.cpp | 11 +++++++----
+ 1 file changed, 7 insertions(+), 4 deletions(-)
+
+diff --git a/content/media/MediaDecoderStateMachine.cpp b/content/media/MediaDecoderStateMachine.cpp
+index ce5870f..4ed496c 100644
+--- a/content/media/MediaDecoderStateMachine.cpp
++++ b/content/media/MediaDecoderStateMachine.cpp
+@@ -328,6 +328,8 @@ void MediaDecoderStateMachine::SendStreamAudio(AudioData* aAudio,
+ if (offset >= aAudio->mFrames)
+ return;
+
++ size_t framesToWrite = aAudio->mFrames - offset;
++
+ aAudio->EnsureAudioBuffer();
+ nsRefPtr<SharedBuffer> buffer = aAudio->mAudioBuffer;
+ AudioDataValue* bufferData = static_cast<AudioDataValue*>(buffer->Data());
+@@ -335,10 +337,11 @@ void MediaDecoderStateMachine::SendStreamAudio(AudioData* aAudio,
+ for (uint32_t i = 0; i < aAudio->mChannels; ++i) {
+ channels.AppendElement(bufferData + i*aAudio->mFrames + offset);
+ }
+- aOutput->AppendFrames(buffer.forget(), channels, aAudio->mFrames);
+- VERBOSE_LOG("writing %d frames of data to MediaStream for AudioData at %lld",
+- aAudio->mFrames - int32_t(offset), aAudio->mTime);
+- aStream->mAudioFramesWritten += aAudio->mFrames - int32_t(offset);
++ aOutput->AppendFrames(buffer.forget(), channels, framesToWrite);
++ VERBOSE_LOG("writing %u frames of data to MediaStream for AudioData at %lld",
++ static_cast<unsigned>(framesToWrite),
++ aAudio->mTime);
++ aStream->mAudioFramesWritten += framesToWrite;
+ }
+
+ static void WriteVideoToMediaStream(layers::Image* aImage,
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch
new file mode 100644
index 0000000000..818d369b26
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-07.patch
@@ -0,0 +1,54 @@
+From 94899f849e50a765bb26420f5c70d49002d6673f Mon Sep 17 00:00:00 2001
+From: Glenn Randers-Pehrson <glennrp+bmo@gmail.com>
+Date: Mon, 26 Jan 2015 16:07:00 -0500
+Subject: [PATCH] Bug 1117406 - Fix handling of out-of-range PNG tRNS values.
+ r=jmuizelaar, a=abillings
+
+---
+ image/decoders/nsPNGDecoder.cpp | 22 ++++++++++++----------
+ 1 file changed, 12 insertions(+), 10 deletions(-)
+
+diff --git a/image/decoders/nsPNGDecoder.cpp b/image/decoders/nsPNGDecoder.cpp
+index acaa835..8e6bc2d 100644
+--- a/image/decoders/nsPNGDecoder.cpp
++++ b/image/decoders/nsPNGDecoder.cpp
+@@ -528,24 +528,26 @@ nsPNGDecoder::info_callback(png_structp png_ptr, png_infop info_ptr)
+ png_set_expand(png_ptr);
+
+ if (png_get_valid(png_ptr, info_ptr, PNG_INFO_tRNS)) {
+- int sample_max = (1 << bit_depth);
+ png_color_16p trans_values;
+ png_get_tRNS(png_ptr, info_ptr, &trans, &num_trans, &trans_values);
+ /* libpng doesn't reject a tRNS chunk with out-of-range samples
+ so we check it here to avoid setting up a useless opacity
+- channel or producing unexpected transparent pixels when using
+- libpng-1.2.19 through 1.2.26 (bug #428045) */
+- if ((color_type == PNG_COLOR_TYPE_GRAY &&
+- (int)trans_values->gray > sample_max) ||
+- (color_type == PNG_COLOR_TYPE_RGB &&
+- ((int)trans_values->red > sample_max ||
+- (int)trans_values->green > sample_max ||
+- (int)trans_values->blue > sample_max)))
++ channel or producing unexpected transparent pixels (bug #428045) */
++ if (bit_depth < 16) {
++ png_uint_16 sample_max = (1 << bit_depth) - 1;
++ if ((color_type == PNG_COLOR_TYPE_GRAY &&
++ trans_values->gray > sample_max) ||
++ (color_type == PNG_COLOR_TYPE_RGB &&
++ (trans_values->red > sample_max ||
++ trans_values->green > sample_max ||
++ trans_values->blue > sample_max)))
+ {
+ /* clear the tRNS valid flag and release tRNS memory */
+ png_free_data(png_ptr, info_ptr, PNG_FREE_TRNS, 0);
++ num_trans = 0;
+ }
+- else
++ }
++ if (num_trans != 0)
+ png_set_expand(png_ptr);
+ }
+
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch
new file mode 100644
index 0000000000..685e3a6d43
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-08.patch
@@ -0,0 +1,53 @@
+From 4920c5c447d1153dffa623dd70d8b535b9ca6795 Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij@mozilla.com>
+Date: Mon, 26 Jan 2015 12:59:47 +0100
+Subject: [PATCH] Bug 1115776 - Fix LApplyArgsGeneric to always emit the
+ has-script check. r=shu, a=sledru
+
+---
+ js/src/jit/CodeGenerator.cpp | 24 ++++++++----------------
+ 1 file changed, 8 insertions(+), 16 deletions(-)
+
+diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
+index ba14f86..0669692 100644
+--- a/js/src/jit/CodeGenerator.cpp
++++ b/js/src/jit/CodeGenerator.cpp
+@@ -2448,27 +2448,19 @@ CodeGenerator::visitApplyArgsGeneric(LApplyArgsGeneric *apply)
+
+ masm.checkStackAlignment();
+
+- // If the function is known to be uncompilable, only emit the call to InvokeFunction.
++ // If the function is native, only emit the call to InvokeFunction.
+ ExecutionMode executionMode = gen->info().executionMode();
+- if (apply->hasSingleTarget()) {
+- JSFunction *target = apply->getSingleTarget();
+- if (target->isNative()) {
+- if (!emitCallInvokeFunction(apply, copyreg))
+- return false;
+- emitPopArguments(apply, copyreg);
+- return true;
+- }
++ if (apply->hasSingleTarget() && apply->getSingleTarget()->isNative()) {
++ if (!emitCallInvokeFunction(apply, copyreg))
++ return false;
++ emitPopArguments(apply, copyreg);
++ return true;
+ }
+
+ Label end, invoke;
+
+- // Guard that calleereg is an interpreted function with a JSScript:
+- if (!apply->hasSingleTarget()) {
+- masm.branchIfFunctionHasNoScript(calleereg, &invoke);
+- } else {
+- // Native single targets are handled by LCallNative.
+- JS_ASSERT(!apply->getSingleTarget()->isNative());
+- }
++ // Guard that calleereg is an interpreted function with a JSScript.
++ masm.branchIfFunctionHasNoScript(calleereg, &invoke);
+
+ // Knowing that calleereg is a non-native function, load the JSScript.
+ masm.loadPtr(Address(calleereg, JSFunction::offsetOfNativeOrScript()), objreg);
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch
new file mode 100644
index 0000000000..d067d8133d
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-09.patch
@@ -0,0 +1,52 @@
+From f7d24f37425d3d9054a7e5657815440a07166d3f Mon Sep 17 00:00:00 2001
+From: Kartikaya Gupta <kgupta@mozilla.com>
+Date: Tue, 20 Jan 2015 10:33:27 -0500
+Subject: [PATCH] Bug 1107009 - Additional locking needed for esr31 backport.
+ r=BenWa a=sledru
+
+---
+ gfx/layers/ipc/CompositorParent.cpp | 15 +++++++++++++--
+ 1 file changed, 13 insertions(+), 2 deletions(-)
+
+diff --git a/gfx/layers/ipc/CompositorParent.cpp b/gfx/layers/ipc/CompositorParent.cpp
+index 97c8693..cb03e71 100644
+--- a/gfx/layers/ipc/CompositorParent.cpp
++++ b/gfx/layers/ipc/CompositorParent.cpp
+@@ -1286,13 +1286,19 @@ CrossProcessCompositorParent::ShadowLayersUpdated(
+ {
+ uint64_t id = aLayerTree->GetId();
+ MOZ_ASSERT(id != 0);
++ const CompositorParent::LayerTreeState* state = CompositorParent::GetIndirectShadowTree(id);
++ if (!state) {
++ return;
++ }
++ MOZ_ASSERT(state->mParent);
++
+ Layer* shadowRoot = aLayerTree->GetRoot();
+ if (shadowRoot) {
+ SetShadowProperties(shadowRoot);
+ }
+ UpdateIndirectTree(id, shadowRoot, aTargetConfig);
+
+- sIndirectLayerTrees[id].mParent->NotifyShadowTreeTransaction(id, aIsFirstPaint, aScheduleComposite);
++ state->mParent->NotifyShadowTreeTransaction(id, aIsFirstPaint, aScheduleComposite);
+ }
+
+ void
+@@ -1329,7 +1335,12 @@ AsyncCompositionManager*
+ CrossProcessCompositorParent::GetCompositionManager(LayerTransactionParent* aLayerTree)
+ {
+ uint64_t id = aLayerTree->GetId();
+- return sIndirectLayerTrees[id].mParent->GetCompositionManager(aLayerTree);
++ const CompositorParent::LayerTreeState* state = CompositorParent::GetIndirectShadowTree(id);
++ if (!state) {
++ return nullptr;
++ }
++ MOZ_ASSERT(state->mParent);
++ return state->mParent->GetCompositionManager(aLayerTree);
+ }
+
+ void
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch
new file mode 100644
index 0000000000..9a4668b2dc
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-10.patch
@@ -0,0 +1,219 @@
+From 66e65b2138c6db20288ef4cf78d15995f382a7e2 Mon Sep 17 00:00:00 2001
+From: Kartikaya Gupta <kgupta@mozilla.com>
+Date: Tue, 13 Jan 2015 13:26:26 -0500
+Subject: [PATCH] Bug 1107009. r=BenWa, a=sledru
+
+---
+ gfx/layers/ipc/CompositorParent.cpp | 57 ++++++++++++++++++++++++++++++-------
+ 1 file changed, 46 insertions(+), 11 deletions(-)
+
+diff --git a/gfx/layers/ipc/CompositorParent.cpp b/gfx/layers/ipc/CompositorParent.cpp
+index ce50277..cbbb2ef 100644
+--- a/gfx/layers/ipc/CompositorParent.cpp
++++ b/gfx/layers/ipc/CompositorParent.cpp
+@@ -22,6 +22,7 @@
+ #include "gfxPrefs.h" // for gfxPrefs
+ #include "ipc/ShadowLayersManager.h" // for ShadowLayersManager
+ #include "mozilla/AutoRestore.h" // for AutoRestore
++#include "mozilla/ClearOnShutdown.h" // for ClearOnShutdown
+ #include "mozilla/DebugOnly.h" // for DebugOnly
+ #include "mozilla/gfx/2D.h" // for DrawTarget
+ #include "mozilla/gfx/Point.h" // for IntSize
+@@ -70,6 +71,16 @@ CompositorParent::LayerTreeState::LayerTreeState()
+
+ typedef map<uint64_t, CompositorParent::LayerTreeState> LayerTreeMap;
+ static LayerTreeMap sIndirectLayerTrees;
++static StaticAutoPtr<mozilla::Monitor> sIndirectLayerTreesLock;
++
++static void EnsureLayerTreeMapReady()
++{
++ MOZ_ASSERT(NS_IsMainThread());
++ if (!sIndirectLayerTreesLock) {
++ sIndirectLayerTreesLock = new Monitor("IndirectLayerTree");
++ mozilla::ClearOnShutdown(&sIndirectLayerTreesLock);
++ }
++}
+
+ // FIXME/bug 774386: we're assuming that there's only one
+ // CompositorParent, but that's not always true. This assumption only
+@@ -132,6 +143,7 @@ void CompositorParent::StartUp()
+ return;
+ }
+ MOZ_ASSERT(!sCompositorLoop);
++ EnsureLayerTreeMapReady();
+ CreateCompositorMap();
+ CreateThread();
+ sMainLoop = MessageLoop::current();
+@@ -206,7 +218,11 @@ CompositorParent::CompositorParent(nsIWidget* aWidget,
+ this, &mCompositorID));
+
+ mRootLayerTreeID = AllocateLayerTreeId();
+- sIndirectLayerTrees[mRootLayerTreeID].mParent = this;
++
++ { // scope lock
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
++ sIndirectLayerTrees[mRootLayerTreeID].mParent = this;
++ }
+
+ mApzcTreeManager = new APZCTreeManager();
+ ++sCompositorThreadRefCount;
+@@ -249,7 +265,10 @@ CompositorParent::Destroy()
+ mCompositionManager = nullptr;
+ mApzcTreeManager->ClearTree();
+ mApzcTreeManager = nullptr;
+- sIndirectLayerTrees.erase(mRootLayerTreeID);
++ { // scope lock
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
++ sIndirectLayerTrees.erase(mRootLayerTreeID);
++ }
+ }
+
+ void
+@@ -266,6 +285,7 @@ CompositorParent::RecvWillStop()
+
+ // Ensure that the layer manager is destroyed before CompositorChild.
+ if (mLayerManager) {
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ for (LayerTreeMap::iterator it = sIndirectLayerTrees.begin();
+ it != sIndirectLayerTrees.end(); it++)
+ {
+@@ -380,7 +400,10 @@ CompositorParent::ActorDestroy(ActorDestroyReason why)
+ if (mLayerManager) {
+ mLayerManager->Destroy();
+ mLayerManager = nullptr;
+- sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = nullptr;
++ { // scope lock
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
++ sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = nullptr;
++ }
+ mCompositionManager = nullptr;
+ mCompositor = nullptr;
+ }
+@@ -696,6 +719,7 @@ CompositorParent::DidComposite()
+ {
+ unused << SendDidComposite(0);
+
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ for (LayerTreeMap::iterator it = sIndirectLayerTrees.begin();
+ it != sIndirectLayerTrees.end(); it++) {
+ LayerTreeState* lts = &it->second;
+@@ -867,6 +891,7 @@ CompositorParent::InitializeLayerManager(const nsTArray<LayersBackend>& aBackend
+ mLayerManager = layerManager;
+ MOZ_ASSERT(compositor);
+ mCompositor = compositor;
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees[mRootLayerTreeID].mLayerManager = layerManager;
+ return;
+ }
+@@ -969,6 +994,7 @@ CompositorParent::RecvNotifyChildCreated(const uint64_t& child)
+ void
+ CompositorParent::NotifyChildCreated(uint64_t aChild)
+ {
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees[aChild].mParent = this;
+ sIndirectLayerTrees[aChild].mLayerManager = mLayerManager;
+ }
+@@ -985,6 +1011,7 @@ CompositorParent::AllocateLayerTreeId()
+ static void
+ EraseLayerState(uint64_t aId)
+ {
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees.erase(aId);
+ }
+
+@@ -1001,6 +1028,7 @@ UpdateControllerForLayersId(uint64_t aLayersId,
+ GeckoContentController* aController)
+ {
+ // Adopt ref given to us by SetControllerForLayerTree()
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees[aLayersId].mController =
+ already_AddRefed<GeckoContentController>(aController);
+ }
+@@ -1010,12 +1038,15 @@ ScopedLayerTreeRegistration::ScopedLayerTreeRegistration(uint64_t aLayersId,
+ GeckoContentController* aController)
+ : mLayersId(aLayersId)
+ {
++ EnsureLayerTreeMapReady();
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees[aLayersId].mRoot = aRoot;
+ sIndirectLayerTrees[aLayersId].mController = aController;
+ }
+
+ ScopedLayerTreeRegistration::~ScopedLayerTreeRegistration()
+ {
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees.erase(mLayersId);
+ }
+
+@@ -1175,6 +1206,7 @@ CompositorParent::CloneToplevel(const InfallibleTArray<mozilla::ipc::ProtocolFdM
+ static void
+ UpdateIndirectTree(uint64_t aId, Layer* aRoot, const TargetConfig& aTargetConfig)
+ {
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees[aId].mRoot = aRoot;
+ sIndirectLayerTrees[aId].mTargetConfig = aTargetConfig;
+ }
+@@ -1182,6 +1214,7 @@ UpdateIndirectTree(uint64_t aId, Layer* aRoot, const TargetConfig& aTargetConfig
+ /* static */ const CompositorParent::LayerTreeState*
+ CompositorParent::GetIndirectShadowTree(uint64_t aId)
+ {
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ LayerTreeMap::const_iterator cit = sIndirectLayerTrees.find(aId);
+ if (sIndirectLayerTrees.end() == cit) {
+ return nullptr;
+@@ -1189,12 +1222,6 @@ CompositorParent::GetIndirectShadowTree(uint64_t aId)
+ return &cit->second;
+ }
+
+-static void
+-RemoveIndirectTree(uint64_t aId)
+-{
+- sIndirectLayerTrees.erase(aId);
+-}
+-
+ void
+ CrossProcessCompositorParent::ActorDestroy(ActorDestroyReason aWhy)
+ {
+@@ -1211,6 +1238,8 @@ CrossProcessCompositorParent::AllocPLayerTransactionParent(const nsTArray<Layers
+ {
+ MOZ_ASSERT(aId != 0);
+
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
++
+ if (sIndirectLayerTrees[aId].mLayerManager) {
+ sIndirectLayerTrees[aId].mCrossProcessParent = this;
+ LayerManagerComposite* lm = sIndirectLayerTrees[aId].mLayerManager;
+@@ -1234,7 +1263,7 @@ bool
+ CrossProcessCompositorParent::DeallocPLayerTransactionParent(PLayerTransactionParent* aLayers)
+ {
+ LayerTransactionParent* slp = static_cast<LayerTransactionParent*>(aLayers);
+- RemoveIndirectTree(slp->GetId());
++ EraseLayerState(slp->GetId());
+ static_cast<LayerTransactionParent*>(aLayers)->ReleaseIPDLReference();
+ return true;
+ }
+@@ -1242,6 +1271,7 @@ CrossProcessCompositorParent::DeallocPLayerTransactionParent(PLayerTransactionPa
+ bool
+ CrossProcessCompositorParent::RecvNotifyChildCreated(const uint64_t& child)
+ {
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
+ sIndirectLayerTrees[child].mParent->NotifyChildCreated(child);
+ return true;
+ }
+@@ -1269,7 +1299,12 @@ CrossProcessCompositorParent::ForceComposite(LayerTransactionParent* aLayerTree)
+ {
+ uint64_t id = aLayerTree->GetId();
+ MOZ_ASSERT(id != 0);
+- sIndirectLayerTrees[id].mParent->ForceComposite(aLayerTree);
++ CompositorParent* parent;
++ { // scope lock
++ MonitorAutoLock lock(*sIndirectLayerTreesLock);
++ parent = sIndirectLayerTrees[id].mParent;
++ }
++ parent->ForceComposite(aLayerTree);
+ }
+
+ bool
+--
+2.2.1
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch
new file mode 100644
index 0000000000..869feaf7c6
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-11.patch
@@ -0,0 +1,104 @@
+From 3f0f685829445ae82974d61f6017fdb67349c32b Mon Sep 17 00:00:00 2001
+From: Dan Gohman <sunfish@mozilla.com>
+Date: Fri, 9 Jan 2015 09:04:12 -0500
+Subject: [PATCH] Bug 1096138 - IonMonkey: Augment Nops with Mops to avoid
+ collisions with fixed live ranges. r=jandem, a=sledru
+
+---
+ js/src/jit/CodeGenerator.cpp | 6 ++++++
+ js/src/jit/CodeGenerator.h | 1 +
+ js/src/jit/LIR-Common.h | 6 ++++++
+ js/src/jit/LOpcodes.h | 1 +
+ js/src/jit/Lowering.cpp | 12 ++++++++++++
+ 5 files changed, 26 insertions(+)
+
+diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
+index 4f07524..ba14f86 100644
+--- a/js/src/jit/CodeGenerator.cpp
++++ b/js/src/jit/CodeGenerator.cpp
+@@ -1077,6 +1077,12 @@ CodeGenerator::visitNop(LNop *lir)
+ }
+
+ bool
++CodeGenerator::visitMop(LMop *lir)
++{
++ return true;
++}
++
++bool
+ CodeGenerator::visitOsiPoint(LOsiPoint *lir)
+ {
+ // Note: markOsiPoint ensures enough space exists between the last
+diff --git a/js/src/jit/CodeGenerator.h b/js/src/jit/CodeGenerator.h
+index 03677a5..dce095d 100644
+--- a/js/src/jit/CodeGenerator.h
++++ b/js/src/jit/CodeGenerator.h
+@@ -58,6 +58,7 @@ class CodeGenerator : public CodeGeneratorSpecific
+
+ bool visitLabel(LLabel *lir);
+ bool visitNop(LNop *lir);
++ bool visitMop(LMop *lir);
+ bool visitOsiPoint(LOsiPoint *lir);
+ bool visitGoto(LGoto *lir);
+ bool visitTableSwitch(LTableSwitch *ins);
+diff --git a/js/src/jit/LIR-Common.h b/js/src/jit/LIR-Common.h
+index c90aef9..e7a0e4c 100644
+--- a/js/src/jit/LIR-Common.h
++++ b/js/src/jit/LIR-Common.h
+@@ -42,6 +42,12 @@ class LNop : public LInstructionHelper<0, 0, 0>
+ LIR_HEADER(Nop)
+ };
+
++class LMop : public LInstructionHelper<0, 0, 0>
++{
++ public:
++ LIR_HEADER(Mop)
++};
++
+ // An LOsiPoint captures a snapshot after a call and ensures enough space to
+ // patch in a call to the invalidation mechanism.
+ //
+diff --git a/js/src/jit/LOpcodes.h b/js/src/jit/LOpcodes.h
+index a32d64f..cd7eef8 100644
+--- a/js/src/jit/LOpcodes.h
++++ b/js/src/jit/LOpcodes.h
+@@ -10,6 +10,7 @@
+ #define LIR_COMMON_OPCODE_LIST(_) \
+ _(Label) \
+ _(Nop) \
++ _(Mop) \
+ _(OsiPoint) \
+ _(MoveGroup) \
+ _(Integer) \
+diff --git a/js/src/jit/Lowering.cpp b/js/src/jit/Lowering.cpp
+index d5f8227..48b7fa9 100644
+--- a/js/src/jit/Lowering.cpp
++++ b/js/src/jit/Lowering.cpp
+@@ -3616,12 +3616,24 @@ LIRGenerator::visitInstruction(MInstruction *ins)
+ ins->setInWorklistUnchecked();
+ #endif
+
++ // If we added a Nop for this instruction, we'll also add a Mop, so that
++ // that live-ranges for fixed register defs, which with LSRA extend through
++ // the Nop so that they can extend through the OsiPoint don't, with their
++ // one-extra extension, extend into a position where they use the input
++ // move group for the following instruction.
++ bool needsMop = !current->instructions().empty() && current->rbegin()->isNop();
++
+ // If no safepoint was created, there's no need for an OSI point.
+ if (LOsiPoint *osiPoint = popOsiPoint()) {
+ if (!add(osiPoint))
+ return false;
+ }
+
++ if (needsMop) {
++ if (!add(new(alloc()) LMop))
++ return false;
++ }
++
+ return true;
+ }
+
+--
+2.2.1
+