gnu: icecat: Add fixes for several security flaws.

* gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch,
  gnu/packages/patches/icecat-CVE-2015-7205.patch,
  gnu/packages/patches/icecat-CVE-2015-7210.patch,
  gnu/packages/patches/icecat-CVE-2015-7212.patch,
  gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-7214.patch,
  gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch,
  gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch,
  gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.

13 files changed, 984 insertions, 1 deletions

diff --git a/gnu/packages/gnuzilla.scm b/gnu/packages/gnuzilla.scm
index 6d134a89c7..8125a262aa 100644
--- a/gnu/packages/gnuzilla.scm
+++ b/gnu/packages/gnuzilla.scm
@@ -276,7 +276,19 @@ standards.")
       (sha256
        (base32
         "0rcaa19rfgclwd2qvcz8798m57jjzra6kaxg5dniysajvx7qndfp"))
-      (patches (map search-patch '("icecat-avoid-bundled-includes.patch"
+      (patches (map search-patch '("icecat-CVE-2015-7210.patch"
+                                   "icecat-CVE-2015-7205.patch"
+                                   "icecat-CVE-2015-7201-pt1.patch"
+                                   "icecat-CVE-2015-7201-pt2.patch"
+                                   "icecat-CVE-2015-7212.patch"
+                                   "icecat-CVE-2015-7213-pt1.patch"
+                                   "icecat-CVE-2015-7213-pt2.patch"
+                                   "icecat-CVE-2015-7222-pt1.patch"
+                                   "icecat-CVE-2015-7222-pt2.patch"
+                                   "icecat-CVE-2015-7222-pt3.patch"
+                                   "icecat-CVE-2015-7214.patch"
+                                   "icecat-CVE-2015-7201-pt3.patch"
+                                   "icecat-avoid-bundled-includes.patch"
                                    "icecat-freetype-2.6.patch")))
       (modules '((guix build utils)))
       (snippet
diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch
new file mode 100644
index 0000000000..0fcfe9b409
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7201-pt1.patch
@@ -0,0 +1,123 @@
+From e2bbd632e220be7626efd34acb9a517430d36004 Mon Sep 17 00:00:00 2001
+From: Andrew Comminos <andrew@comminos.com>
+Date: Fri, 23 Oct 2015 21:35:16 -0700
+Subject: [PATCH] Bug 1203135 - Terminate linking if maximum vertex attribute
+ count is exceeded on Mesa. r=jgilbert, a=ritu
+
+--HG--
+extra : source : 8021382da9722db0ad97ebd93698b69a74f0d9b0
+extra : intermediate-source : 90eff805d2810e9d9ea88f6869335b0500b1a536
+---
+ dom/canvas/WebGLProgram.cpp         | 28 ++++++++++++++++++----------
+ dom/canvas/WebGLShader.cpp          | 10 ++++++++++
+ dom/canvas/WebGLShader.h            |  1 +
+ dom/canvas/WebGLShaderValidator.cpp |  6 ++++++
+ dom/canvas/WebGLShaderValidator.h   |  1 +
+ 5 files changed, 36 insertions(+), 10 deletions(-)
+
+diff --git a/dom/canvas/WebGLProgram.cpp b/dom/canvas/WebGLProgram.cpp
+index 78f7413..0e056e8 100644
+--- a/dom/canvas/WebGLProgram.cpp
++++ b/dom/canvas/WebGLProgram.cpp
+@@ -569,18 +569,26 @@ WebGLProgram::LinkProgram()
+     gl::GLContext* gl = mContext->gl;
+     gl->MakeCurrent();
+ 
+-    // Bug 777028: Mesa can't handle more than 16 samplers per program,
+-    // counting each array entry.
+-    size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() +
+-                                           mFragShader->CalcNumSamplerUniforms();
+     if (gl->WorkAroundDriverBugs() &&
+-        mContext->mIsMesa &&
+-        numSamplerUniforms_upperBound > 16)
++        mContext->mIsMesa)
+     {
+-        mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on"
+-                               " Mesa drivers to avoid crashing.");
+-        mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
+-        return false;
++        // Bug 777028: Mesa can't handle more than 16 samplers per program,
++        // counting each array entry.
++        size_t numSamplerUniforms_upperBound = mVertShader->CalcNumSamplerUniforms() +
++                                               mFragShader->CalcNumSamplerUniforms();
++        if (numSamplerUniforms_upperBound > 16) {
++            mLinkLog.AssignLiteral("Programs with more than 16 samplers are disallowed on"
++                                   " Mesa drivers to avoid crashing.");
++            mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
++            return false;
++        }
++
++        // Bug 1203135: Mesa crashes internally if we exceed the reported maximum attribute count.
++        if (mVertShader->NumAttributes() > mContext->MaxVertexAttribs()) {
++            mLinkLog.AssignLiteral("Number of attributes exceeds Mesa's reported max attribute count.");
++            mContext->GenerateWarning("linkProgram: %s", mLinkLog.BeginReading());
++            return false;
++        }
+     }
+ 
+     // Bind the attrib locations.
+diff --git a/dom/canvas/WebGLShader.cpp b/dom/canvas/WebGLShader.cpp
+index 85a3809..bab4157 100644
+--- a/dom/canvas/WebGLShader.cpp
++++ b/dom/canvas/WebGLShader.cpp
+@@ -299,6 +299,16 @@ WebGLShader::CalcNumSamplerUniforms() const
+     return 0;
+ }
+ 
++size_t
++WebGLShader::NumAttributes() const
++{
++    if (mValidator)
++        return mValidator->NumAttributes();
++
++    // TODO
++    return 0;
++}
++
+ void
+ WebGLShader::BindAttribLocation(GLuint prog, const nsCString& userName,
+                                 GLuint index) const
+diff --git a/dom/canvas/WebGLShader.h b/dom/canvas/WebGLShader.h
+index 698e30c..2c80b16a 100644
+--- a/dom/canvas/WebGLShader.h
++++ b/dom/canvas/WebGLShader.h
+@@ -45,6 +45,7 @@ public:
+     // Util funcs
+     bool CanLinkTo(const WebGLShader* prev, nsCString* const out_log) const;
+     size_t CalcNumSamplerUniforms() const;
++    size_t NumAttributes() const;
+     void BindAttribLocation(GLuint prog, const nsCString& userName, GLuint index) const;
+     bool FindAttribUserNameByMappedName(const nsACString& mappedName,
+                                         nsDependentCString* const out_userName) const;
+diff --git a/dom/canvas/WebGLShaderValidator.cpp b/dom/canvas/WebGLShaderValidator.cpp
+index 80005e2..8bedf88 100644
+--- a/dom/canvas/WebGLShaderValidator.cpp
++++ b/dom/canvas/WebGLShaderValidator.cpp
+@@ -274,6 +274,12 @@ ShaderValidator::CalcNumSamplerUniforms() const
+     return accum;
+ }
+ 
++size_t
++ShaderValidator::NumAttributes() const
++{
++  return ShGetAttributes(mHandle)->size();
++}
++
+ // Attribs cannot be structs or arrays, and neither can vertex inputs in ES3.
+ // Therefore, attrib names are always simple.
+ bool
+diff --git a/dom/canvas/WebGLShaderValidator.h b/dom/canvas/WebGLShaderValidator.h
+index 35db2f1..1f794bf0 100644
+--- a/dom/canvas/WebGLShaderValidator.h
++++ b/dom/canvas/WebGLShaderValidator.h
+@@ -41,6 +41,7 @@ public:
+     void GetOutput(nsACString* out) const;
+     bool CanLinkTo(const ShaderValidator* prev, nsCString* const out_log) const;
+     size_t CalcNumSamplerUniforms() const;
++    size_t NumAttributes() const;
+ 
+     bool FindAttribUserNameByMappedName(const std::string& mappedName,
+                                         const std::string** const out_userName) const;
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch
new file mode 100644
index 0000000000..3764371a11
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7201-pt2.patch
@@ -0,0 +1,29 @@
+From f02e3252391f5fa79916e4c8f30b3d8340d06cc7 Mon Sep 17 00:00:00 2001
+From: "Carsten \"Tomcat\" Book" <cbook@mozilla.com>
+Date: Tue, 8 Dec 2015 12:38:15 +0100
+Subject: [PATCH] Bug 1225250 - fix stride on SourceSurfaceSkia when
+ initialized from GPU texture. r=jmuizelaar, a=lizzard
+
+---
+ gfx/2d/SourceSurfaceSkia.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/gfx/2d/SourceSurfaceSkia.cpp b/gfx/2d/SourceSurfaceSkia.cpp
+index 4b95bc2..d7e0714 100644
+--- a/gfx/2d/SourceSurfaceSkia.cpp
++++ b/gfx/2d/SourceSurfaceSkia.cpp
+@@ -110,8 +110,10 @@ SourceSurfaceSkia::InitFromTexture(DrawTargetSkia* aOwner,
+   GrTexture *skiaTexture = aOwner->mGrContext->wrapBackendTexture(skiaTexGlue);
+   SkImageInfo imgInfo = SkImageInfo::Make(aSize.width, aSize.height, GfxFormatToSkiaColorType(aFormat), kOpaque_SkAlphaType);
+   SkGrPixelRef *texRef = new SkGrPixelRef(imgInfo, skiaTexture, false);
+-  mBitmap.setInfo(imgInfo, aSize.width*aSize.height*4);
++  mBitmap.setInfo(imgInfo);
+   mBitmap.setPixelRef(texRef);
++  mFormat = aFormat;
++  mStride = mBitmap.rowBytes();
+ 
+   mDrawTarget = aOwner;
+   return true;
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch
new file mode 100644
index 0000000000..022ab5cc16
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7201-pt3.patch
@@ -0,0 +1,35 @@
+From 567a97b6347ac8c2b93ec788c437b7e9bb23ef75 Mon Sep 17 00:00:00 2001
+From: Edwin Flores <eflores@mozilla.com>
+Date: Wed, 2 Dec 2015 16:15:29 +0100
+Subject: [PATCH] Bug 1224100 - Initialize padding to 0 in Downscaler. r=seth,
+ a=sledru
+
+---
+ image/src/Downscaler.cpp | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/image/src/Downscaler.cpp b/image/src/Downscaler.cpp
+index 24ecfda..2a7acfd 100644
+--- a/image/src/Downscaler.cpp
++++ b/image/src/Downscaler.cpp
+@@ -86,11 +86,16 @@ Downscaler::BeginFrame(const nsIntSize& aOriginalSize,
+                                mTargetSize.height, mYFilter.get());
+ 
+   // Allocate the buffer, which contains scanlines of the original image.
+-  mRowBuffer = MakeUnique<uint8_t[]>(mOriginalSize.width * sizeof(uint32_t));
++  size_t bufferLen = mOriginalSize.width * sizeof(uint32_t);
++  mRowBuffer = MakeUnique<uint8_t[]>(bufferLen);
+   if (MOZ_UNLIKELY(!mRowBuffer)) {
+     return NS_ERROR_OUT_OF_MEMORY;
+   }
+ 
++  // Zero buffer to keep valgrind happy.
++  memset(mRowBuffer.get(), 0, bufferLen);
++
++
+   // Allocate the window, which contains horizontally downscaled scanlines. (We
+   // can store scanlines which are already downscale because our downscaling
+   // filter is separable.)
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7205.patch b/gnu/packages/patches/icecat-CVE-2015-7205.patch
new file mode 100644
index 0000000000..620fa0d6bd
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7205.patch
@@ -0,0 +1,84 @@
+From 20df7b0b3f3e7dd201c9811bbb1e6515da8da359 Mon Sep 17 00:00:00 2001
+From: Randell Jesup <rjesup@jesup.org>
+Date: Thu, 5 Nov 2015 10:17:29 -0500
+Subject: [PATCH] Bug 1220493 - validate RTP packets against underflows.
+ r=pkerr a=sylvestre
+
+--HG--
+extra : source : 575d3aa376b1c8e7507d94833f7b74bf963127cb
+extra : intermediate-source : 2c1b396ef5c3e2424fb9af56d86ebf6f6551a997
+---
+ .../webrtc/modules/rtp_rtcp/source/rtp_utility.cc  | 26 ++++++++++++----------
+ 1 file changed, 14 insertions(+), 12 deletions(-)
+
+diff --git a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
+index 9334b23..80cf55a 100644
+--- a/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
++++ b/media/webrtc/trunk/webrtc/modules/rtp_rtcp/source/rtp_utility.cc
+@@ -338,12 +338,6 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
+     return false;
+   }
+ 
+-  const uint8_t CSRCocts = CC * 4;
+-
+-  if ((ptr + CSRCocts) > _ptrRTPDataEnd) {
+-    return false;
+-  }
+-
+   header.markerBit      = M;
+   header.payloadType    = PT;
+   header.sequenceNumber = sequenceNumber;
+@@ -352,6 +346,14 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
+   header.numCSRCs       = CC;
+   header.paddingLength  = P ? *(_ptrRTPDataEnd - 1) : 0;
+ 
++  // 12 == sizeof(RFC rtp header) == kRtpMinParseLength, each CSRC=4 bytes
++  header.headerLength   = 12 + (CC * 4);
++  // not a full validation, just safety against underflow.  Padding must
++  // start after the header.  We can have 0 payload bytes left, note.
++  if (header.paddingLength + header.headerLength > length) {
++    return false;
++  }
++
+   for (unsigned int i = 0; i < CC; ++i) {
+     uint32_t CSRC = *ptr++ << 24;
+     CSRC += *ptr++ << 16;
+@@ -359,8 +361,7 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
+     CSRC += *ptr++;
+     header.arrOfCSRCs[i] = CSRC;
+   }
+-
+-  header.headerLength   = 12 + CSRCocts;
++  assert((ptr - _ptrRTPDataBegin) == header.headerLength);
+ 
+   // If in effect, MAY be omitted for those packets for which the offset
+   // is zero.
+@@ -385,8 +386,9 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
+     |                        header extension                       |
+     |                             ....                              |
+     */
+-    const ptrdiff_t remain = _ptrRTPDataEnd - ptr;
+-    if (remain < 4) {
++    // earlier test ensures we have at least paddingLength bytes left
++    const ptrdiff_t remain = (_ptrRTPDataEnd - ptr) - header.paddingLength;
++    if (remain < 4) { // minimum header extension length = 32 bits
+       return false;
+     }
+ 
+@@ -395,11 +397,11 @@ bool RtpHeaderParser::Parse(RTPHeader& header,
+     uint16_t definedByProfile = *ptr++ << 8;
+     definedByProfile += *ptr++;
+ 
+-    uint16_t XLen = *ptr++ << 8;
++    size_t XLen = *ptr++ << 8;
+     XLen += *ptr++; // in 32 bit words
+     XLen *= 4; // in octs
+ 
+-    if (remain < (4 + XLen)) {
++    if (remain < (4 + XLen)) { // we already accounted for padding
+       return false;
+     }
+     if (definedByProfile == kRtpOneByteHeaderExtensionId) {
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7210.patch b/gnu/packages/patches/icecat-CVE-2015-7210.patch
new file mode 100644
index 0000000000..eab57021db
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7210.patch
@@ -0,0 +1,47 @@
+From 4e0cd9ba4924869f91be0e7c8cf666182bb75f90 Mon Sep 17 00:00:00 2001
+From: "Byron Campen [:bwc]" <docfaraday@gmail.com>
+Date: Wed, 28 Oct 2015 12:48:17 -0500
+Subject: [PATCH] Bug 1218326 - Prevent datachannel operations on closed
+ PeerConnections. r=jesup a=sylvestre
+
+--HG--
+extra : source : a7637b62d9b5ab73f58e5aa3c663d7d35b624826
+extra : intermediate-source : d8f0412f38f75040064157d8d2b0140df21600e6
+---
+ media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
+index c3d8d26..fe86ff7 100644
+--- a/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
++++ b/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp
+@@ -1004,7 +1004,7 @@ PeerConnectionImpl::GetIdentity() const
+ NS_IMETHODIMP
+ PeerConnectionImpl::EnsureDataConnection(uint16_t aNumstreams)
+ {
+-  PC_AUTO_ENTER_API_CALL_NO_CHECK();
++  PC_AUTO_ENTER_API_CALL(false);
+ 
+ #ifdef MOZILLA_INTERNAL_API
+   if (mDataConnection) {
+@@ -1102,7 +1102,7 @@ PeerConnectionImpl::GetDatachannelParameters(
+ nsresult
+ PeerConnectionImpl::InitializeDataChannel()
+ {
+-  PC_AUTO_ENTER_API_CALL_NO_CHECK();
++  PC_AUTO_ENTER_API_CALL(false);
+   CSFLogDebug(logTag, "%s", __FUNCTION__);
+ 
+   const JsepApplicationCodecDescription* codec;
+@@ -1184,7 +1184,7 @@ PeerConnectionImpl::CreateDataChannel(const nsAString& aLabel,
+                                       uint16_t aStream,
+                                       nsDOMDataChannel** aRetval)
+ {
+-  PC_AUTO_ENTER_API_CALL_NO_CHECK();
++  PC_AUTO_ENTER_API_CALL(false);
+   MOZ_ASSERT(aRetval);
+ 
+ #ifdef MOZILLA_INTERNAL_API
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7212.patch b/gnu/packages/patches/icecat-CVE-2015-7212.patch
new file mode 100644
index 0000000000..7bda486ff7
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7212.patch
@@ -0,0 +1,364 @@
+From 595e3a152ff2912a950defd0ef4b5f659135b03a Mon Sep 17 00:00:00 2001
+From: Nicolas Silva <nsilva@mozilla.com>
+Date: Wed, 18 Nov 2015 16:59:11 +0100
+Subject: [PATCH] Bug 1222809 - Don't try to allocate unreasonably large
+ textures. r=Bas, a=sylvestre
+
+---
+ gfx/2d/2D.h                             | 25 ++++++++++--
+ gfx/2d/Factory.cpp                      | 67 ++++++++++++++++++++++++++++-----
+ gfx/layers/ImageDataSerializer.cpp      | 21 ++++++-----
+ gfx/layers/YCbCrImageDataSerializer.cpp |  7 ++++
+ gfx/layers/client/TextureClient.cpp     | 12 ++++++
+ gfx/thebes/gfxPlatform.cpp              | 15 ++++++--
+ gfx/thebes/gfxPrefs.h                   |  3 ++
+ 7 files changed, 124 insertions(+), 26 deletions(-)
+
+diff --git a/gfx/2d/2D.h b/gfx/2d/2D.h
+index cf35bb2..b1e0e3e 100644
+--- a/gfx/2d/2D.h
++++ b/gfx/2d/2D.h
+@@ -1082,22 +1082,41 @@ struct TileSet
+   size_t mTileCount;
+ };
+ 
++struct Config {
++  LogForwarder* mLogForwarder;
++  int32_t mMaxTextureSize;
++  int32_t mMaxAllocSize;
++
++  Config()
++  : mLogForwarder(nullptr)
++  , mMaxTextureSize(8192)
++  , mMaxAllocSize(52000000)
++  {}
++};
++
+ class GFX2D_API Factory
+ {
+ public:
++  static void Init(const Config& aConfig);
++  static void ShutDown();
++
+   static bool HasSSE2();
+ 
+   /** Make sure that the given dimensions don't overflow a 32-bit signed int
+    * using 4 bytes per pixel; optionally, make sure that either dimension
+    * doesn't exceed the given limit.
+    */
+-  static bool CheckSurfaceSize(const IntSize &sz, int32_t limit = 0);
++  static bool CheckSurfaceSize(const IntSize &sz,
++                               int32_t limit = 0,
++                               int32_t allocLimit = 0);
+ 
+   /** Make sure the given dimension satisfies the CheckSurfaceSize and is
+    * within 8k limit.  The 8k value is chosen a bit randomly.
+    */
+   static bool ReasonableSurfaceSize(const IntSize &aSize);
+ 
++  static bool AllowedSurfaceSize(const IntSize &aSize);
++
+   static TemporaryRef<DrawTarget> CreateDrawTargetForCairoSurface(cairo_surface_t* aSurface, const IntSize& aSize, SurfaceFormat* aFormat = nullptr);
+ 
+   static TemporaryRef<DrawTarget>
+@@ -1171,10 +1190,10 @@ public:
+ 
+   static uint32_t GetMaxSurfaceSize(BackendType aType);
+ 
+-  static LogForwarder* GetLogForwarder() { return mLogForwarder; }
++  static LogForwarder* GetLogForwarder() { return sConfig ? sConfig->mLogForwarder : nullptr; }
+ 
+ private:
+-  static LogForwarder* mLogForwarder;
++  static Config* sConfig;
+ public:
+ 
+ #ifdef USE_SKIA_GPU
+diff --git a/gfx/2d/Factory.cpp b/gfx/2d/Factory.cpp
+index 948d3c3..6750c28 100644
+--- a/gfx/2d/Factory.cpp
++++ b/gfx/2d/Factory.cpp
+@@ -188,6 +188,35 @@ ID2D1Device *Factory::mD2D1Device;
+ 
+ DrawEventRecorder *Factory::mRecorder;
+ 
++mozilla::gfx::Config* Factory::sConfig = nullptr;
++
++void
++Factory::Init(const Config& aConfig)
++{
++  MOZ_ASSERT(!sConfig);
++  sConfig = new Config(aConfig);
++
++  // Make sure we don't completely break rendering because of a typo in the
++  // pref or whatnot.
++  const int32_t kMinAllocPref = 10000000;
++  const int32_t kMinSizePref = 2048;
++  if (sConfig->mMaxAllocSize < kMinAllocPref) {
++    sConfig->mMaxAllocSize = kMinAllocPref;
++  }
++  if (sConfig->mMaxTextureSize < kMinSizePref) {
++    sConfig->mMaxTextureSize = kMinSizePref;
++  }
++}
++
++void
++Factory::ShutDown()
++{
++  if (sConfig) {
++    delete sConfig;
++    sConfig = nullptr;
++  }
++}
++
+ bool
+ Factory::HasSSE2()
+ {
+@@ -222,11 +251,25 @@ inline int LoggerOptionsBasedOnSize(const IntSize& aSize)
+ bool
+ Factory::ReasonableSurfaceSize(const IntSize &aSize)
+ {
+-  return Factory::CheckSurfaceSize(aSize,8192);
++  return Factory::CheckSurfaceSize(aSize, 8192);
++}
++
++bool
++Factory::AllowedSurfaceSize(const IntSize &aSize)
++{
++  if (sConfig) {
++    return Factory::CheckSurfaceSize(aSize,
++                                     sConfig->mMaxTextureSize,
++                                     sConfig->mMaxAllocSize);
++  }
++
++  return CheckSurfaceSize(aSize);
+ }
+ 
+ bool
+-Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
++Factory::CheckSurfaceSize(const IntSize &sz,
++                          int32_t extentLimit,
++                          int32_t allocLimit)
+ {
+   if (sz.width <= 0 || sz.height <= 0) {
+     gfxDebug() << "Surface width or height <= 0!";
+@@ -234,8 +277,8 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
+   }
+ 
+   // reject images with sides bigger than limit
+-  if (limit && (sz.width > limit || sz.height > limit)) {
+-    gfxDebug() << "Surface size too large (exceeds caller's limit)!";
++  if (extentLimit && (sz.width > extentLimit || sz.height > extentLimit)) {
++    gfxDebug() << "Surface size too large (exceeds extent limit)!";
+     return false;
+   }
+ 
+@@ -267,13 +310,18 @@ Factory::CheckSurfaceSize(const IntSize &sz, int32_t limit)
+     return false;
+   }
+ 
++  if (allocLimit && allocLimit < numBytes.value()) {
++    gfxDebug() << "Surface size too large (exceeds allocation limit)!";
++    return false;
++  }
++
+   return true;
+ }
+ 
+ TemporaryRef<DrawTarget>
+ Factory::CreateDrawTarget(BackendType aBackend, const IntSize &aSize, SurfaceFormat aFormat)
+ {
+-  if (!CheckSurfaceSize(aSize)) {
++  if (!AllowedSurfaceSize(aSize)) {
+     gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
+     return nullptr;
+   }
+@@ -364,7 +412,7 @@ Factory::CreateDrawTargetForData(BackendType aBackend,
+                                  SurfaceFormat aFormat)
+ {
+   MOZ_ASSERT(aData);
+-  if (!CheckSurfaceSize(aSize)) {
++  if (!AllowedSurfaceSize(aSize)) {
+     gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
+     return nullptr;
+   }
+@@ -835,7 +883,7 @@ Factory::CreateDataSourceSurface(const IntSize &aSize,
+                                  SurfaceFormat aFormat,
+                                  bool aZero)
+ {
+-  if (!CheckSurfaceSize(aSize)) {
++  if (!AllowedSurfaceSize(aSize)) {
+     gfxCriticalError(LoggerOptionsBasedOnSize(aSize)) << "Failed to allocate a surface due to invalid size " << aSize;
+     return nullptr;
+   }
+@@ -881,14 +929,13 @@ Factory::SetGlobalEventRecorder(DrawEventRecorder *aRecorder)
+   mRecorder = aRecorder;
+ }
+ 
+-LogForwarder* Factory::mLogForwarder = nullptr;
+-
+ // static
+ void
+ Factory::SetLogForwarder(LogForwarder* aLogFwd) {
+-  mLogForwarder = aLogFwd;
++  sConfig->mLogForwarder = aLogFwd;
+ }
+ 
++
+ // static
+ void
+ CriticalLogger::OutputMessage(const std::string &aString,
+diff --git a/gfx/layers/ImageDataSerializer.cpp b/gfx/layers/ImageDataSerializer.cpp
+index 5dd6aca..331dd04 100644
+--- a/gfx/layers/ImageDataSerializer.cpp
++++ b/gfx/layers/ImageDataSerializer.cpp
+@@ -84,21 +84,23 @@ ImageDataSerializerBase::ComputeMinBufferSize(IntSize aSize,
+                                               SurfaceFormat aFormat)
+ {
+   MOZ_ASSERT(aSize.height >= 0 && aSize.width >= 0);
+-  if (aSize.height <= 0 || aSize.width <= 0) {
+-    gfxDebug() << "Non-positive image buffer size request " << aSize.width << "x" << aSize.height;
++
++  // This takes care of checking whether there could be overflow
++  // with enough margin for the metadata.
++  if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
+     return 0;
+   }
+ 
+-  CheckedInt<int32_t> bufsize = ComputeStride(aFormat, aSize.width);
+-  bufsize *= aSize.height;
++  int32_t bufsize = GetAlignedStride<16>(ComputeStride(aFormat, aSize.width)
++                                         * aSize.height)
++                  + SurfaceBufferInfo::GetOffset();
+ 
+-  if (!bufsize.isValid() || bufsize.value() <= 0) {
+-    gfxDebug() << "Buffer size overflow " << aSize.width << "x" << aSize.height;
++  if (bufsize < 0) {
++    // This should not be possible thanks to Factory::AllowedSurfaceSize
+     return 0;
+   }
+ 
+-  return SurfaceBufferInfo::GetOffset()
+-       + GetAlignedStride<16>(bufsize.value());
++  return bufsize;
+ }
+ 
+ void
+@@ -114,7 +116,8 @@ ImageDataSerializerBase::Validate()
+   }
+   size_t requiredSize =
+            ComputeMinBufferSize(IntSize(info->width, info->height), info->format);
+-  mIsValid = requiredSize <= mDataSize;
++
++  mIsValid = !!requiredSize && requiredSize <= mDataSize;
+ }
+ 
+ uint8_t*
+diff --git a/gfx/layers/YCbCrImageDataSerializer.cpp b/gfx/layers/YCbCrImageDataSerializer.cpp
+index c8e148d..05f5ab2 100644
+--- a/gfx/layers/YCbCrImageDataSerializer.cpp
++++ b/gfx/layers/YCbCrImageDataSerializer.cpp
+@@ -150,6 +150,13 @@ YCbCrImageDataDeserializerBase::ComputeMinBufferSize(const gfx::IntSize& aYSize,
+     gfxDebug() << "Non-positive YCbCr buffer size request " << aYSize.height << "x" << aYSize.width << ", " << aCbCrSize.height << "x" << aCbCrSize.width;
+     return 0;
+   }
++
++  if (!gfx::Factory::AllowedSurfaceSize(aYSize) ||
++      aCbCrSize.width > aYSize.width ||
++      aCbCrSize.height > aYSize.height) {
++    return 0;
++  }
++
+   return ComputeOffset(aYSize.height, aYStride)
+          + 2 * ComputeOffset(aCbCrSize.height, aCbCrStride)
+          + MOZ_ALIGN_WORD(sizeof(YCbCrBufferInfo));
+diff --git a/gfx/layers/client/TextureClient.cpp b/gfx/layers/client/TextureClient.cpp
+index 9b45ca0..6ae7cbf 100644
+--- a/gfx/layers/client/TextureClient.cpp
++++ b/gfx/layers/client/TextureClient.cpp
+@@ -315,6 +315,10 @@ TextureClient::CreateForDrawing(ISurfaceAllocator* aAllocator,
+     aMoz2DBackend = gfxPlatform::GetPlatform()->GetContentBackend();
+   }
+ 
++  if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
++    return nullptr;
++  }
++
+   RefPtr<TextureClient> texture;
+ 
+ #if defined(MOZ_WIDGET_GONK) || defined(XP_WIN)
+@@ -415,6 +419,10 @@ TextureClient::CreateForRawBufferAccess(ISurfaceAllocator* aAllocator,
+                                         TextureFlags aTextureFlags,
+                                         TextureAllocationFlags aAllocFlags)
+ {
++  if (!gfx::Factory::AllowedSurfaceSize(aSize)) {
++    return nullptr;
++  }
++
+   RefPtr<BufferTextureClient> texture =
+     CreateBufferTextureClient(aAllocator, aFormat,
+                               aTextureFlags, aMoz2DBackend);
+@@ -434,6 +442,10 @@ TextureClient::CreateForYCbCr(ISurfaceAllocator* aAllocator,
+                               StereoMode aStereoMode,
+                               TextureFlags aTextureFlags)
+ {
++  if (!gfx::Factory::AllowedSurfaceSize(aYSize)) {
++    return nullptr;
++  }
++
+   RefPtr<BufferTextureClient> texture;
+   if (aAllocator->IsSameProcess()) {
+     texture = new MemoryTextureClient(aAllocator, gfx::SurfaceFormat::YUV,
+diff --git a/gfx/thebes/gfxPlatform.cpp b/gfx/thebes/gfxPlatform.cpp
+index 41e4b0c..209a0a8 100644
+--- a/gfx/thebes/gfxPlatform.cpp
++++ b/gfx/thebes/gfxPlatform.cpp
+@@ -458,13 +458,18 @@ gfxPlatform::Init()
+     }
+     gEverInitialized = true;
+ 
+-    CrashStatsLogForwarder* logForwarder = new CrashStatsLogForwarder("GraphicsCriticalError");
+-    mozilla::gfx::Factory::SetLogForwarder(logForwarder);
+-
+     // Initialize the preferences by creating the singleton.
+     gfxPrefs::GetSingleton();
+ 
+-    logForwarder->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength());
++    auto fwd = new CrashStatsLogForwarder("GraphicsCriticalError");
++    fwd->SetCircularBufferSize(gfxPrefs::GfxLoggingCrashLength());
++
++    mozilla::gfx::Config cfg;
++    cfg.mLogForwarder = fwd;
++    cfg.mMaxTextureSize = gfxPrefs::MaxTextureSize();
++    cfg.mMaxAllocSize = gfxPrefs::MaxAllocSize();
++
++    gfx::Factory::Init(cfg);
+ 
+     gGfxPlatformPrefsLock = new Mutex("gfxPlatform::gGfxPlatformPrefsLock");
+ 
+@@ -641,6 +646,8 @@ gfxPlatform::Shutdown()
+     delete mozilla::gfx::Factory::GetLogForwarder();
+     mozilla::gfx::Factory::SetLogForwarder(nullptr);
+ 
++    gfx::Factory::ShutDown();
++
+     delete gGfxPlatformPrefsLock;
+ 
+     gfxPrefs::DestroySingleton();
+diff --git a/gfx/thebes/gfxPrefs.h b/gfx/thebes/gfxPrefs.h
+index b7a5fb9..038e1ff 100644
+--- a/gfx/thebes/gfxPrefs.h
++++ b/gfx/thebes/gfxPrefs.h
+@@ -209,6 +209,9 @@ private:
+   DECL_GFX_PREF(Live, "gfx.layerscope.port",                   LayerScopePort, int32_t, 23456);
+   // Note that        "gfx.logging.level" is defined in Logging.h
+   DECL_GFX_PREF(Once, "gfx.logging.crash.length",              GfxLoggingCrashLength, uint32_t, 6);
++  // The maximums here are quite conservative, we can tighten them if problems show up.
++  DECL_GFX_PREF(Once, "gfx.max-alloc-size",                    MaxAllocSize, int32_t, (int32_t)500000000);
++  DECL_GFX_PREF(Once, "gfx.max-texture-size",                  MaxTextureSize, int32_t, (int32_t)32767);
+   DECL_GFX_PREF(Live, "gfx.perf-warnings.enabled",             PerfWarnings, bool, false);
+   DECL_GFX_PREF(Once, "gfx.work-around-driver-bugs",           WorkAroundDriverBugs, bool, true);
+ 
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch
new file mode 100644
index 0000000000..854c91b8aa
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7213-pt1.patch
@@ -0,0 +1,32 @@
+From 3f31bf9e243fb3de26e36d6be0bb0153f51c5b2a Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard <jyavenard@mozilla.com>
+Date: Wed, 9 Dec 2015 09:54:58 +0100
+Subject: [PATCH] Bug 1206211 - P1. Ensure operation can't overflow.
+ r=kentuckyfriedtakahe, a=sylvestre
+
+---
+ .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp            | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+index 22163fa..318152a 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+@@ -508,10 +508,13 @@ status_t MPEG4Extractor::readMetaData() {
+     CHECK_NE(err, (status_t)NO_INIT);
+ 
+     // copy pssh data into file metadata
+-    int psshsize = 0;
++    uint64_t psshsize = 0;
+     for (size_t i = 0; i < mPssh.size(); i++) {
+         psshsize += 20 + mPssh[i].datalen;
+     }
++    if (psshsize > kMAX_ALLOCATION) {
++        return ERROR_MALFORMED;
++    }
+     if (psshsize) {
+         char *buf = (char*)malloc(psshsize);
+         char *ptr = buf;
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch
new file mode 100644
index 0000000000..20bbd36281
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7213-pt2.patch
@@ -0,0 +1,27 @@
+From bb6870bd6dc3acb183f44360c7cc6488656f47ea Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard <jyavenard@mozilla.com>
+Date: Wed, 9 Dec 2015 09:55:16 +0100
+Subject: [PATCH] Bug 1206211 - P2. Abort on OOM. r=kentuckyfriedtakahe,
+ a=sylvestre
+
+---
+ .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp              | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+index 318152a..c6aaf1d 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+@@ -517,6 +517,9 @@ status_t MPEG4Extractor::readMetaData() {
+     }
+     if (psshsize) {
+         char *buf = (char*)malloc(psshsize);
++        if (!buf) {
++            return ERROR_MALFORMED;
++        }
+         char *ptr = buf;
+         for (size_t i = 0; i < mPssh.size(); i++) {
+             memcpy(ptr, mPssh[i].uuid, 20); // uuid + length
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7214.patch b/gnu/packages/patches/icecat-CVE-2015-7214.patch
new file mode 100644
index 0000000000..3a56d3d2cd
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7214.patch
@@ -0,0 +1,47 @@
+From 487799700b0b676c2c6b95ad33c8afb8dbd329d8 Mon Sep 17 00:00:00 2001
+From: Bobby Holley <bobbyholley@gmail.com>
+Date: Mon, 14 Dec 2015 15:36:20 -0500
+Subject: [PATCH] Bug 1228950 - Disallow scheme sets on nsHostObjectURI. r=bz,
+ a=lizzard
+
+---
+ dom/base/nsHostObjectURI.cpp | 9 +++++++++
+ dom/base/nsHostObjectURI.h   | 2 ++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/dom/base/nsHostObjectURI.cpp b/dom/base/nsHostObjectURI.cpp
+index 94b02ff..57b0209 100644
+--- a/dom/base/nsHostObjectURI.cpp
++++ b/dom/base/nsHostObjectURI.cpp
+@@ -81,6 +81,15 @@ nsHostObjectURI::Write(nsIObjectOutputStream* aStream)
+                                         true);
+ }
+ 
++NS_IMETHODIMP
++nsHostObjectURI::SetScheme(const nsACString& aScheme)
++{
++  // Disallow setting the scheme, since that could cause us to be associated
++  // with a different protocol handler that doesn't expect us to be carrying
++  // around a principal with nsIURIWithPrincipal.
++  return NS_ERROR_FAILURE;
++}
++
+ // nsIURI methods:
+ nsresult
+ nsHostObjectURI::CloneInternal(nsSimpleURI::RefHandlingEnum aRefHandlingMode,
+diff --git a/dom/base/nsHostObjectURI.h b/dom/base/nsHostObjectURI.h
+index b468d5d..23ff7ab 100644
+--- a/dom/base/nsHostObjectURI.h
++++ b/dom/base/nsHostObjectURI.h
+@@ -34,6 +34,8 @@ public:
+   NS_DECL_NSISERIALIZABLE
+   NS_DECL_NSICLASSINFO
+ 
++  NS_IMETHOD SetScheme(const nsACString &aProtocol) override;
++
+   // Override CloneInternal() and EqualsInternal()
+   virtual nsresult CloneInternal(RefHandlingEnum aRefHandlingMode,
+                                  nsIURI** aClone) override;
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
new file mode 100644
index 0000000000..c5d0e4ad60
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7222-pt1.patch
@@ -0,0 +1,112 @@
+From 76e6db3e514350fd146cb04425e669d63b59f889 Mon Sep 17 00:00:00 2001
+From: Gerald Squelart <gsquelart@mozilla.com>
+Date: Wed, 9 Dec 2015 09:59:37 +0100
+Subject: [PATCH] Bug 1216748 - p2. Handle failed malloc in Metadata storage -
+ r=rillian, a=sylvestre
+
+---
+ .../av/include/media/stagefright/MetaData.h        |  2 +-
+ .../av/media/libstagefright/MetaData.cpp           | 35 ++++++++++++++--------
+ 2 files changed, 24 insertions(+), 13 deletions(-)
+
+diff --git a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
+index 30d969d..0a8ff77 100644
+--- a/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
++++ b/media/libstagefright/frameworks/av/include/media/stagefright/MetaData.h
+@@ -248,7 +248,7 @@ private:
+             return mSize <= sizeof(u.reservoir);
+         }
+ 
+-        void allocateStorage(size_t size);
++        bool allocateStorage(size_t size);
+         void freeStorage();
+ 
+         void *storage() {
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
+index c832c96..cba324d 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MetaData.cpp
+@@ -220,7 +220,7 @@ bool MetaData::findData(uint32_t key, uint32_t *type,
+ }
+ 
+ MetaData::typed_data::typed_data()
+-    : mType(0),
++    : mType(TYPE_NONE),
+       mSize(0) {
+ }
+ 
+@@ -231,17 +231,19 @@ MetaData::typed_data::~typed_data() {
+ MetaData::typed_data::typed_data(const typed_data &from)
+     : mType(from.mType),
+       mSize(0) {
+-    allocateStorage(from.mSize);
+-    memcpy(storage(), from.storage(), mSize);
++    if (allocateStorage(from.mSize)) {
++        memcpy(storage(), from.storage(), mSize);
++    }
+ }
+ 
+ MetaData::typed_data &MetaData::typed_data::operator=(
+         const MetaData::typed_data &from) {
+     if (this != &from) {
+         clear();
+-        mType = from.mType;
+-        allocateStorage(from.mSize);
+-        memcpy(storage(), from.storage(), mSize);
++        if (allocateStorage(from.mSize)) {
++            mType = from.mType;
++            memcpy(storage(), from.storage(), mSize);
++        }
+     }
+ 
+     return *this;
+@@ -250,16 +252,17 @@ MetaData::typed_data &MetaData::typed_data::operator=(
+ void MetaData::typed_data::clear() {
+     freeStorage();
+ 
+-    mType = 0;
++    mType = TYPE_NONE;
+ }
+ 
+ void MetaData::typed_data::setData(
+         uint32_t type, const void *data, size_t size) {
+     clear();
+ 
+-    mType = type;
+-    allocateStorage(size);
+-    memcpy(storage(), data, size);
++    if (allocateStorage(size)) {
++        mType = type;
++        memcpy(storage(), data, size);
++    }
+ }
+ 
+ void MetaData::typed_data::getData(
+@@ -269,14 +272,22 @@ void MetaData::typed_data::getData(
+     *data = storage();
+ }
+ 
+-void MetaData::typed_data::allocateStorage(size_t size) {
++bool MetaData::typed_data::allocateStorage(size_t size) {
++    // Update mSize now, as it is needed by usesReservoir() below.
++    // (mSize will be reset if the allocation fails further below.)
+     mSize = size;
+ 
+     if (usesReservoir()) {
+-        return;
++        return true;
+     }
+ 
+     u.ext_data = malloc(mSize);
++    if (!u.ext_data) {
++      mType = TYPE_NONE;
++      mSize = 0;
++      return false;
++    }
++    return true;
+ }
+ 
+ void MetaData::typed_data::freeStorage() {
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch
new file mode 100644
index 0000000000..688d7f903f
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7222-pt2.patch
@@ -0,0 +1,34 @@
+From 63c353cf8ec6b787936f602532026bd9923a16e4 Mon Sep 17 00:00:00 2001
+From: Gerald Squelart <gsquelart@mozilla.com>
+Date: Wed, 9 Dec 2015 10:00:13 +0100
+Subject: [PATCH] Bug 1216748 - p3. Ensure 'covr' data size cannot create
+ underflow - r=rillian, a=sylvestre
+
+---
+ .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp            | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+index c6aaf1d..a69fc14 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+@@ -1889,12 +1889,15 @@ status_t MPEG4Extractor::parseChunk(off64_t *offset, int depth) {
+             if (mFileMetaData != NULL) {
+                 ALOGV("chunk_data_size = %lld and data_offset = %lld",
+                         chunk_data_size, data_offset);
++                const int kSkipBytesOfDataBox = 16;
++                if (chunk_data_size <= kSkipBytesOfDataBox) {
++                  return ERROR_MALFORMED;
++                }
+                 sp<ABuffer> buffer = new ABuffer(chunk_data_size + 1);
+                 if (mDataSource->readAt(
+                     data_offset, buffer->data(), chunk_data_size) != (ssize_t)chunk_data_size) {
+                     return ERROR_IO;
+                 }
+-                const int kSkipBytesOfDataBox = 16;
+                 mFileMetaData->setData(
+                     kKeyAlbumArt, MetaData::TYPE_NONE,
+                     buffer->data() + kSkipBytesOfDataBox, chunk_data_size - kSkipBytesOfDataBox);
+-- 
+2.6.3
+
diff --git a/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch b/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch
new file mode 100644
index 0000000000..2f3c95623d
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-7222-pt3.patch
@@ -0,0 +1,37 @@
+From 0221ef0c389bff196ff59fa18232467d3648b926 Mon Sep 17 00:00:00 2001
+From: Gerald Squelart <gsquelart@mozilla.com>
+Date: Wed, 9 Dec 2015 10:00:32 +0100
+Subject: [PATCH] Bug 1216748 - p4. Check other Metadata::setData uses -
+ r=rillian, a=sylvestre
+
+Found only one other use that needed better checks: the size of the pssh
+data was only checked after all items were added up; so it would be
+possible to create a set of big items such that they create an overflow,
+but the final sum looks reasonable.
+Instead each item size should be checked, and the sum should also be
+checked at each step.
+---
+ .../frameworks/av/media/libstagefright/MPEG4Extractor.cpp          | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+index a69fc14..413a495 100644
+--- a/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
++++ b/media/libstagefright/frameworks/av/media/libstagefright/MPEG4Extractor.cpp
+@@ -511,9 +511,10 @@ status_t MPEG4Extractor::readMetaData() {
+     uint64_t psshsize = 0;
+     for (size_t i = 0; i < mPssh.size(); i++) {
+         psshsize += 20 + mPssh[i].datalen;
+-    }
+-    if (psshsize > kMAX_ALLOCATION) {
+-        return ERROR_MALFORMED;
++        if (mPssh[i].datalen > kMAX_ALLOCATION - 20 ||
++            psshsize > kMAX_ALLOCATION) {
++            return ERROR_MALFORMED;
++        }
+     }
+     if (psshsize) {
+         char *buf = (char*)malloc(psshsize);
+-- 
+2.6.3
+