gnu: icecat: Add fixes for CVE-2016-{2818,2819,2821,2824,2828,2831}.

* gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt2.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt3.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt4.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt5.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt6.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt7.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt8.patch,
gnu/packages/patches/icecat-CVE-2016-2818-pt9.patch,
gnu/packages/patches/icecat-CVE-2016-2819.patch,
gnu/packages/patches/icecat-CVE-2016-2821.patch,
gnu/packages/patches/icecat-CVE-2016-2824.patch,
gnu/packages/patches/icecat-CVE-2016-2828.patch,
gnu/packages/patches/icecat-CVE-2016-2831.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.

1 files changed, 62 insertions, 0 deletions

diff --git a/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch b/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
new file mode 100644
index 0000000000..57bc45f3c2
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2818-pt1.patch
@@ -0,0 +1,62 @@
+  changeset:   312039:4290826b078c
+  user:        Timothy Nikkel <tnikkel@gmail.com>
+  Date:        Fri May 13 06:09:38 2016 +0200
+  summary:     Bug 1261230. r=mats, a=ritu
+
+diff -r 45a59425b498 -r 4290826b078c layout/generic/nsSubDocumentFrame.cpp
+--- a/layout/generic/nsSubDocumentFrame.cpp	Tue May 10 14:12:20 2016 +0200
++++ b/layout/generic/nsSubDocumentFrame.cpp	Fri May 13 06:09:38 2016 +0200
+@@ -132,6 +132,7 @@
+     nsCOMPtr<nsIDocument> oldContainerDoc;
+     nsView* detachedViews =
+       frameloader->GetDetachedSubdocView(getter_AddRefs(oldContainerDoc));
++    frameloader->SetDetachedSubdocView(nullptr, nullptr);
+     if (detachedViews) {
+       if (oldContainerDoc == aContent->OwnerDoc()) {
+         // Restore stashed presentation.
+@@ -142,7 +143,6 @@
+         frameloader->Hide();
+       }
+     }
+-    frameloader->SetDetachedSubdocView(nullptr, nullptr);
+   }
+ 
+   nsContentUtils::AddScriptRunner(new AsyncFrameInit(this));
+@@ -936,13 +936,16 @@
+     if (!mPresShell->IsDestroying()) {
+       mPresShell->FlushPendingNotifications(Flush_Frames);
+     }
++
++    // Either the frame has been constructed by now, or it never will be,
++    // either way we want to clear the stashed views.
++    mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
++
+     nsSubDocumentFrame* frame = do_QueryFrame(mFrameElement->GetPrimaryFrame());
+     if ((!frame && mHideViewerIfFrameless) ||
+         mPresShell->IsDestroying()) {
+       // Either the frame element has no nsIFrame or the presshell is being
+-      // destroyed. Hide the nsFrameLoader, which destroys the presentation,
+-      // and clear our references to the stashed presentation.
+-      mFrameLoader->SetDetachedSubdocView(nullptr, nullptr);
++      // destroyed. Hide the nsFrameLoader, which destroys the presentation.
+       mFrameLoader->Hide();
+     }
+     return NS_OK;
+@@ -968,7 +971,7 @@
+   // Detach the subdocument's views and stash them in the frame loader.
+   // We can then reattach them if we're being reframed (for example if
+   // the frame has been made position:fixed).
+-  nsFrameLoader* frameloader = FrameLoader();
++  RefPtr<nsFrameLoader> frameloader = FrameLoader();
+   if (frameloader) {
+     nsView* detachedViews = ::BeginSwapDocShellsForViews(mInnerView->GetFirstChild());
+     frameloader->SetDetachedSubdocView(detachedViews, mContent->OwnerDoc());
+@@ -977,7 +980,7 @@
+     // safely determine whether the frame is being reframed or destroyed.
+     nsContentUtils::AddScriptRunner(
+       new nsHideViewer(mContent,
+-                       mFrameLoader,
++                       frameloader,
+                        PresContext()->PresShell(),
+                        (mDidCreateDoc || mCallingShow)));
+   }