1 files changed, 185 insertions, 0 deletions

diff --git a/gnu/packages/patches/icecat-CVE-2016-2828.patch b/gnu/packages/patches/icecat-CVE-2016-2828.patch
new file mode 100644
index 0000000000..951eb4fc46
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2828.patch
@@ -0,0 +1,185 @@
+  changeset:   312096:dc190bd03d24
+  tag:         FIREFOX_45_2_0esr_BUILD2
+  tag:         FIREFOX_45_2_0esr_RELEASE
+  user:        Jeff Gilbert <jgilbert@mozilla.com>
+  Date:        Thu Apr 14 13:50:04 2016 -0700
+  summary:     Bug 1224199 - Destroy SharedSurfaces before ~GLContext(). - r=jrmuizel a=lizzard
+
+diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLBlitHelper.cpp
+--- a/gfx/gl/GLBlitHelper.cpp	Mon Mar 07 11:51:12 2016 +0000
++++ b/gfx/gl/GLBlitHelper.cpp	Thu Apr 14 13:50:04 2016 -0700
+@@ -172,6 +172,9 @@
+ 
+ GLBlitHelper::~GLBlitHelper()
+ {
++    if (!mGL->MakeCurrent())
++        return;
++
+     DeleteTexBlitProgram();
+ 
+     GLuint tex[] = {
+diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLContext.cpp
+--- a/gfx/gl/GLContext.cpp	Mon Mar 07 11:51:12 2016 +0000
++++ b/gfx/gl/GLContext.cpp	Thu Apr 14 13:50:04 2016 -0700
+@@ -2079,12 +2079,13 @@
+     if (IsDestroyed())
+         return;
+ 
++    // Null these before they're naturally nulled after dtor, as we want GLContext to
++    // still be alive in *their* dtors.
++    mScreen = nullptr;
++    mBlitHelper = nullptr;
++    mReadTexImageHelper = nullptr;
++
+     if (MakeCurrent()) {
+-        DestroyScreenBuffer();
+-
+-        mBlitHelper = nullptr;
+-        mReadTexImageHelper = nullptr;
+-
+         mTexGarbageBin->GLContextTeardown();
+     } else {
+         NS_WARNING("MakeCurrent() failed during MarkDestroyed! Skipping GL object teardown.");
+@@ -2328,8 +2329,6 @@
+         return false;
+     }
+ 
+-    DestroyScreenBuffer();
+-
+     // This will rebind to 0 (Screen) if needed when
+     // it falls out of scope.
+     ScopedBindFramebuffer autoFB(this);
+@@ -2349,12 +2348,6 @@
+ }
+ 
+ void
+-GLContext::DestroyScreenBuffer()
+-{
+-    mScreen = nullptr;
+-}
+-
+-void
+ GLContext::ForceDirtyScreen()
+ {
+     ScopedBindFramebuffer autoFB(0);
+diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLContext.h
+--- a/gfx/gl/GLContext.h	Mon Mar 07 11:51:12 2016 +0000
++++ b/gfx/gl/GLContext.h	Thu Apr 14 13:50:04 2016 -0700
+@@ -3492,8 +3492,6 @@
+     friend class GLScreenBuffer;
+     UniquePtr<GLScreenBuffer> mScreen;
+ 
+-    void DestroyScreenBuffer();
+-
+     SharedSurface* mLockedSurface;
+ 
+ public:
+diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/GLReadTexImageHelper.cpp
+--- a/gfx/gl/GLReadTexImageHelper.cpp	Mon Mar 07 11:51:12 2016 +0000
++++ b/gfx/gl/GLReadTexImageHelper.cpp	Thu Apr 14 13:50:04 2016 -0700
+@@ -31,6 +31,9 @@
+ 
+ GLReadTexImageHelper::~GLReadTexImageHelper()
+ {
++    if (!mGL->MakeCurrent())
++        return;
++
+     mGL->fDeleteProgram(mPrograms[0]);
+     mGL->fDeleteProgram(mPrograms[1]);
+     mGL->fDeleteProgram(mPrograms[2]);
+diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceANGLE.cpp
+--- a/gfx/gl/SharedSurfaceANGLE.cpp	Mon Mar 07 11:51:12 2016 +0000
++++ b/gfx/gl/SharedSurfaceANGLE.cpp	Thu Apr 14 13:50:04 2016 -0700
+@@ -120,8 +120,10 @@
+ {
+     mEGL->fDestroySurface(Display(), mPBuffer);
+ 
++    if (!mGL->MakeCurrent())
++        return;
++
+     if (mFence) {
+-        mGL->MakeCurrent();
+         mGL->fDeleteFences(1, &mFence);
+     }
+ }
+diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceEGL.cpp
+--- a/gfx/gl/SharedSurfaceEGL.cpp	Mon Mar 07 11:51:12 2016 +0000
++++ b/gfx/gl/SharedSurfaceEGL.cpp	Thu Apr 14 13:50:04 2016 -0700
+@@ -87,9 +87,12 @@
+ {
+     mEGL->fDestroyImage(Display(), mImage);
+ 
+-    mGL->MakeCurrent();
+-    mGL->fDeleteTextures(1, &mProdTex);
+-    mProdTex = 0;
++    if (mSync) {
++        // We can't call this unless we have the ext, but we will always have
++        // the ext if we have something to destroy.
++        mEGL->fDestroySync(Display(), mSync);
++        mSync = 0;
++    }
+ 
+     if (mConsTex) {
+         MOZ_ASSERT(mGarbageBin);
+@@ -97,12 +100,11 @@
+         mConsTex = 0;
+     }
+ 
+-    if (mSync) {
+-        // We can't call this unless we have the ext, but we will always have
+-        // the ext if we have something to destroy.
+-        mEGL->fDestroySync(Display(), mSync);
+-        mSync = 0;
+-    }
++    if (!mGL->MakeCurrent())
++        return;
++
++    mGL->fDeleteTextures(1, &mProdTex);
++    mProdTex = 0;
+ }
+ 
+ void
+diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceGralloc.cpp
+--- a/gfx/gl/SharedSurfaceGralloc.cpp	Mon Mar 07 11:51:12 2016 +0000
++++ b/gfx/gl/SharedSurfaceGralloc.cpp	Thu Apr 14 13:50:04 2016 -0700
+@@ -154,7 +154,9 @@
+
+     DEBUG_PRINT("[SharedSurface_Gralloc %p] destroyed\n", this);
+ 
+-    mGL->MakeCurrent();
++    if (!mGL->MakeCurrent())
++        return;
++
+     mGL->fDeleteTextures(1, &mProdTex);
+ 
+     if (mSync) {
+diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/SharedSurfaceIO.cpp
+--- a/gfx/gl/SharedSurfaceIO.cpp	Mon Mar 07 11:51:12 2016 +0000
++++ b/gfx/gl/SharedSurfaceIO.cpp	Thu Apr 14 13:50:04 2016 -0700
+@@ -111,11 +111,10 @@
+ 
+ SharedSurface_IOSurface::~SharedSurface_IOSurface()
+ {
+-    if (mProdTex) {
+-        DebugOnly<bool> success = mGL->MakeCurrent();
+-        MOZ_ASSERT(success);
+-        mGL->fDeleteTextures(1, &mProdTex);
+-    }
++    if (!mGL->MakeCurrent())
++        return;
++
++    mGL->fDeleteTextures(1, &mProdTex);
+ }
+ 
+ ////////////////////////////////////////////////////////////////////////
+diff -r b24e1cc592ec -r dc190bd03d24 gfx/gl/TextureGarbageBin.cpp
+--- a/gfx/gl/TextureGarbageBin.cpp	Mon Mar 07 11:51:12 2016 +0000
++++ b/gfx/gl/TextureGarbageBin.cpp	Thu Apr 14 13:50:04 2016 -0700
+@@ -36,6 +36,7 @@
+     if (!mGL)
+         return;
+ 
++    MOZ_RELEASE_ASSERT(mGL->IsCurrent());
+     while (!mGarbageTextures.empty()) {
+         GLuint tex = mGarbageTextures.top();
+         mGarbageTextures.pop();