
Bug#619850: pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,
I'd like to push iceowl 1.0~b1+dfsg2-2.squeeze1 to squeeze proposed
updates. It contains the same updates as current icedove. 

On Wed, Mar 23, 2011 at 10:15:16PM +0100, Moritz Mühlenhoff wrote:
[..snip..] 
> We should fix iceowl updates which only update the Mozilla copies via
> s-p-u. If there're targeted vulnerabilities against iceowl (e.g. buffer
> overflow during contact import), we can push these through s.d.o.
>
> Cheers,
>        Moritz

The debdiff is attached.
Cheers,
 -- Guido


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-2-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru iceowl-1.0~b1+dfsg2/debian/changelog iceowl-1.0~b1+dfsg2/debian/changelog
--- iceowl-1.0~b1+dfsg2/debian/changelog	2011-01-31 08:39:23.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/changelog	2011-03-27 16:30:44.000000000 +0200
@@ -1,3 +1,23 @@
+iceowl (1.0~b1+dfsg2-2.squeeze1) stable-proposed-updates; urgency=low
+
+  * [b5181a9] backported patches from xulrunner fixes mfsa2011-{01-08,10}
+    - MFSA 2011-01 aka CVE-2011-0053: Miscellaneous memory safety hazards
+      (rv:1.9.2.14/ 1.9.1.17)
+    - MFSA 2011-02 aka CVE-2011-0051: Recursive eval call causes confirm
+      dialogs to evaluate to true
+    - MFSA 2011-03 aka CVE-2011-0055: Use-after-free error in JSON.stringify
+    - MFSA 2011-04 aka CVE-2011-0054: Buffer overflow in JavaScript upvarMap
+    - MFSA 2011-05 aka CVE-2011-0056: Buffer overflow in JavaScript atom map
+    - MFSA 2011-06 aka CVE-2011-0057: Use-after-free error using Web Workers
+    - MFSA 2011-07 aka CVE-2011-0058: Memory corruption during text run
+      construction (Windows)
+    - MFSA 2011-08 aka CVE-2010-1585: ParanoidFragmentSink allows javascript:
+      URLs in chrome documents
+    - MFSA 2011-10 aka CVE-2011-0059: CSRF risk with plugins and 307 redirects
+    Patches taken from icedove 3.0.11-1+squeeze1
+
+ -- Guido Günther <agx@sigxcpu.org>  Fri, 11 Mar 2011 19:36:07 +0100
+
 iceowl (1.0~b1+dfsg2-2) unstable; urgency=low
 
   * [528ae26] Don't error-out when run-time libsqlite is older than build-time
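Review bot: the new changelog entry lists the fixes by MFSA and CVE number, while the files added under debian/patches/security/squeeze1/ are named by Mozilla bug number, so nothing in the upload ties an advisory to the patch that fixes it. Adding the bug number to each MFSA line would let the release team check that every listed advisory is actually covered. The MFSA 2011-07 entry is marked "(Windows)"; please state whether that patch changes anything on Debian builds. The trailer date (11 Mar 2011) is also earlier than the file timestamp in the diff header (27 Mar 2011).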
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-553808-assertion-setting-template-datasources-r-.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-553808-assertion-setting-template-datasources-r-.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-553808-assertion-setting-template-datasources-r-.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-553808-assertion-setting-template-datasources-r-.patch	2011-03-27 16:11:13.000000000 +0200
@@ -0,0 +1,86 @@
+From: Neil Deakin <neil@mozilla.com>
+Date: Fri, 21 Jan 2011 14:48:59 -0500
+Subject: Bug 553808, assertion setting template datasources, r=smaug, a=clegnitto
+
+---
+ content/xul/templates/src/nsXULTemplateBuilder.cpp |   19 ++++++++-----------
+ content/xul/templates/src/nsXULTemplateBuilder.h   |   15 +++++++++++++++
+ 2 files changed, 23 insertions(+), 11 deletions(-)
+
+diff --git a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
+index 08016d9..5ae3122 100644
+--- a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
++++ b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
+@@ -1115,14 +1115,9 @@ nsXULTemplateBuilder::AttributeChanged(nsIDocument* aDocument,
+         // Check for a change to the 'datasources' attribute. If so, setup
+         // mDB by parsing the new value and rebuild.
+         else if (aAttribute == nsGkAtoms::datasources) {
+-            Uninit(PR_FALSE);  // Reset results
+-            
+-            PRBool shouldDelay;
+-            LoadDataSources(aDocument, &shouldDelay);
+-            if (!shouldDelay)
+-                nsContentUtils::AddScriptRunner(
+-                    NS_NEW_RUNNABLE_METHOD(nsXULTemplateBuilder, this,
+-                                           RunnableRebuild));
++            nsContentUtils::AddScriptRunner(
++                NS_NEW_RUNNABLE_METHOD(nsXULTemplateBuilder, this,
++                                       RunnableLoadAndRebuild));
+         }
+     }
+ }
+@@ -1139,8 +1134,9 @@ nsXULTemplateBuilder::ContentRemoved(nsIDocument* aDocument,
+         if (mQueryProcessor)
+             mQueryProcessor->Done();
+ 
+-        // use false since content is going away anyway
+-        Uninit(PR_FALSE);
++        // Pass false to Uninit since content is going away anyway
++        nsContentUtils::AddScriptRunner(
++            NS_NEW_RUNNABLE_METHOD(nsXULTemplateBuilder, this, UninitFalse));
+ 
+         aDocument->RemoveObserver(this);
+ 
+@@ -1177,7 +1173,8 @@ nsXULTemplateBuilder::NodeWillBeDestroyed(const nsINode* aNode)
+     mCompDB = nsnull;
+     mRoot = nsnull;
+ 
+-    Uninit(PR_TRUE);
++    nsContentUtils::AddScriptRunner(
++        NS_NEW_RUNNABLE_METHOD(nsXULTemplateBuilder, this, UninitTrue));
+ }
+ 
+ 
+diff --git a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
+index b938f4f..764cc86 100644
+--- a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
++++ b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
+@@ -46,6 +46,7 @@
+ #include "nsStubDocumentObserver.h"
+ #include "nsIScriptSecurityManager.h"
+ #include "nsIContent.h"
++#include "nsIDocument.h"
+ #include "nsIObserver.h"
+ #include "nsIRDFCompositeDataSource.h"
+ #include "nsIRDFContainer.h"
+@@ -153,6 +154,20 @@ public:
+     RebuildAll() = 0; // must be implemented by subclasses
+ 
+     void RunnableRebuild() { Rebuild(); }
++    void RunnableLoadAndRebuild() {
++      Uninit(PR_FALSE);  // Reset results
++
++      nsCOMPtr<nsIDocument> doc = mRoot ? mRoot->GetDocument() : nsnull;
++      if (doc) {
++        PRBool shouldDelay;
++        LoadDataSources(doc, &shouldDelay);
++        if (!shouldDelay) {
++          Rebuild();
++        }
++      }
++    }
++    void UninitFalse() { Uninit(PR_FALSE); }
++    void UninitTrue() { Uninit(PR_TRUE); }
+ 
+     /**
+      * Find the <template> tag that applies for this builder
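Review bot: in NodeWillBeDestroyed the Uninit(PR_TRUE) call is now deferred through nsContentUtils::AddScriptRunner, so it runs after mRoot has been set to nsnull and after the notification has returned; the visible lines do not show what keeps the builder alive until the runner fires. Please confirm that NS_NEW_RUNNABLE_METHOD holds a reference to this for that interval, and add a comment on UninitTrue/UninitFalse saying so. RunnableLoadAndRebuild re-checks mRoot before fetching the document, which is the right pattern for a deferred call; a one-line comment there would explain why the check is needed.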
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-558531-fix-typo-in-JS_ResolveStandardClass-r-wal.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-558531-fix-typo-in-JS_ResolveStandardClass-r-wal.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-558531-fix-typo-in-JS_ResolveStandardClass-r-wal.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-558531-fix-typo-in-JS_ResolveStandardClass-r-wal.patch	2011-03-27 16:11:13.000000000 +0200
@@ -0,0 +1,21 @@
+From: David Mandelin <dmandelin@mozilla.com>
+Date: Wed, 21 Apr 2010 11:37:18 -0700
+Subject: Bug 558531: fix typo in JS_ResolveStandardClass, r=waldo, a=blocking
+
+---
+ js/src/jsapi.cpp |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/mozilla/js/src/jsapi.cpp b/mozilla/js/src/jsapi.cpp
+index 25e4b08..bac3756 100644
+--- a/mozilla/js/src/jsapi.cpp
++++ b/mozilla/js/src/jsapi.cpp
+@@ -1561,7 +1561,7 @@ JS_ResolveStandardClass(JSContext *cx, JSObject *obj, jsval id,
+                 if (!atom)
+                     return JS_FALSE;
+                 if (idstr == ATOM_TO_STRING(atom)) {
+-                    stdnm = &standard_class_names[i];
++                    stdnm = &object_prototype_names[i];
+                     break;
+                 }
+             }
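Review bot: the one-line change in JS_ResolveStandardClass swaps the table indexed by i from standard_class_names to object_prototype_names, but the hunk does not show the loop that produces i, and the subject only says "fix typo". If i iterates object_prototype_names, the old line selected an unrelated entry of the other table; the patch header should say so and name the advisory it belongs to, so the backport can be audited against the changelog.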
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-558541-Simplify-some-code-in-js_SetPropertyHelpe.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-558541-Simplify-some-code-in-js_SetPropertyHelpe.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-558541-Simplify-some-code-in-js_SetPropertyHelpe.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-558541-Simplify-some-code-in-js_SetPropertyHelpe.patch	2011-03-27 16:11:13.000000000 +0200
@@ -0,0 +1,49 @@
+From: Jeff Walden <jwalden@mit.edu>
+Date: Tue, 13 Apr 2010 13:34:31 -0700
+Subject: Bug 558541 - Simplify some code in js_SetPropertyHelper to make it more understandable. r=jorendorff, a=blocking1.9.1.17
+
+---
+ js/src/jsobj.cpp |   16 +++++++++++-----
+ 1 files changed, 11 insertions(+), 5 deletions(-)
+
+diff --git a/mozilla/js/src/jsobj.cpp b/mozilla/js/src/jsobj.cpp
+index 857ba8a..78a577a 100644
+--- a/mozilla/js/src/jsobj.cpp
++++ b/mozilla/js/src/jsobj.cpp
+@@ -4468,6 +4468,12 @@ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, JSBool cacheResult,
+             (SCOPE_IS_SEALED(scope) && (attrs & JSPROP_SHARED))) {
+             JS_UNLOCK_SCOPE(cx, scope);
+ 
++            PCMETER(cacheResult && JS_PROPERTY_CACHE(cx).rofills++);
++            if (cacheResult) {
++                JS_ASSERT_NOT_ON_TRACE(cx);
++                TRACE_2(SetPropHit, JS_NO_PROP_CACHE_FILL, sprop);
++            }
++
+             /*
+              * Here, we'll either return true or goto read_only_error, which
+              * reports a strict warning or throws an error.  So we redefine
+@@ -4480,18 +4486,18 @@ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, JSBool cacheResult,
+             if (attrs & JSPROP_READONLY) {
+                 if (!JS_HAS_STRICT_OPTION(cx)) {
+                     /* Just return true per ECMA if not in strict mode. */
+-                    PCMETER(cacheResult && JS_PROPERTY_CACHE(cx).rofills++);
+-                    if (cacheResult)
+-                        TRACE_2(SetPropHit, JS_NO_PROP_CACHE_FILL, sprop);
+                     return JS_TRUE;
+-                error: // TRACE_2 jumps here in case of error.
+-                    return JS_FALSE;
+                 }
+ 
+                 /* Strict mode: report a read-only strict warning. */
+                 flags = JSREPORT_STRICT | JSREPORT_WARNING;
+             }
+             goto read_only_error;
++
++#ifdef JS_TRACER
++          error: // TRACE_2 jumps here in case of error.
++            return JS_FALSE;
++#endif
+         }
+ 
+         if (pobj != obj) {
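Review bot: the PCMETER/TRACE_2 block moves from the non-strict read-only branch to the top of the enclosing block, so it now also runs on the paths that end in goto read_only_error, which is more than the "Simplify some code" subject suggests. A sentence in the patch header on why SetPropHit should be recorded on those paths would help. The error: label now sits after an unconditional goto and inside #ifdef JS_TRACER, so it is reachable only through TRACE_2; please confirm that TRACE_2 never references the label when JS_TRACER is undefined in this tree.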
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-563243-backport-of-Blake-Kaplan-s-tracemonkey-mo.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-563243-backport-of-Blake-Kaplan-s-tracemonkey-mo.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-563243-backport-of-Blake-Kaplan-s-tracemonkey-mo.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-563243-backport-of-Blake-Kaplan-s-tracemonkey-mo.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,85 @@
+From: Igor Bukanov <igor@mir2.org>
+Date: Thu, 20 Jan 2011 19:52:04 +0100
+Subject: bug 563243 - backport of Blake Kaplan's tracemonkey/mozilla-central patch. a=clegnitto
+
+---
+ js/src/jsapi.cpp |   45 +++++++++++++++------------------------------
+ 1 files changed, 15 insertions(+), 30 deletions(-)
+
+diff --git a/mozilla/js/src/jsapi.cpp b/mozilla/js/src/jsapi.cpp
+index bac3756..37cacb4 100644
+--- a/mozilla/js/src/jsapi.cpp
++++ b/mozilla/js/src/jsapi.cpp
+@@ -4440,12 +4440,11 @@ js_generic_fast_native_method_dispatcher(JSContext *cx, uintN argc, jsval *vp)
+     fs = (JSFunctionSpec *) JSVAL_TO_PRIVATE(fsv);
+     JS_ASSERT((~fs->flags & (JSFUN_FAST_NATIVE | JSFUN_GENERIC_NATIVE)) == 0);
+ 
+-    /*
+-     * We know that vp[2] is valid because JS_DefineFunctions, which is our
+-     * only (indirect) referrer, defined us as requiring at least one argument
+-     * (notice how it passes fs->nargs + 1 as the next-to-last argument to
+-     * JS_DefineFunction).
+-     */
++    if (argc < 1) {
++        js_ReportMissingArg(cx, vp, 0);
++        return JS_FALSE;
++    }
++
+     if (JSVAL_IS_PRIMITIVE(vp[2])) {
+         /*
+          * Make sure that this is an object or null, as required by the generic
+@@ -4470,15 +4469,9 @@ js_generic_fast_native_method_dispatcher(JSContext *cx, uintN argc, jsval *vp)
+      */
+     if (!js_ComputeThis(cx, JS_FALSE, vp + 2))
+         return JS_FALSE;
+-    /*
+-     * Protect against argc underflowing. By calling js_ComputeThis, we made
+-     * it as if the static was called with one parameter, the explicit |this|
+-     * object.
+-     */
+-    if (argc != 0) {
+-        /* Clear the last parameter in case too few arguments were passed. */
+-        vp[2 + --argc] = JSVAL_VOID;
+-    }
++
++    /* Clear the last parameter in case too few arguments were passed. */
++    vp[2 + --argc] = JSVAL_VOID;
+ 
+     native =
+ #ifdef JS_TRACER
+@@ -4504,12 +4497,11 @@ js_generic_native_method_dispatcher(JSContext *cx, JSObject *obj,
+     JS_ASSERT((fs->flags & (JSFUN_FAST_NATIVE | JSFUN_GENERIC_NATIVE)) ==
+               JSFUN_GENERIC_NATIVE);
+ 
+-    /*
+-     * We know that argv[0] is valid because JS_DefineFunctions, which is our
+-     * only (indirect) referrer, defined us as requiring at least one argument
+-     * (notice how it passes fs->nargs + 1 as the next-to-last argument to
+-     * JS_DefineFunction).
+-     */
++    if (argc < 1) {
++        js_ReportMissingArg(cx, argv - 2, 0);
++        return JS_FALSE;
++    }
++
+     if (JSVAL_IS_PRIMITIVE(argv[0])) {
+         /*
+          * Make sure that this is an object or null, as required by the generic
+@@ -4537,15 +4529,8 @@ js_generic_native_method_dispatcher(JSContext *cx, JSObject *obj,
+     js_GetTopStackFrame(cx)->thisp = JSVAL_TO_OBJECT(argv[-1]);
+     JS_ASSERT(cx->fp->argv == argv);
+ 
+-    /*
+-     * Protect against argc underflowing. By calling js_ComputeThis, we made
+-     * it as if the static was called with one parameter, the explicit |this|
+-     * object.
+-     */
+-    if (argc != 0) {
+-        /* Clear the last parameter in case too few arguments were passed. */
+-        argv[--argc] = JSVAL_VOID;
+-    }
++    /* Clear the last parameter in case too few arguments were passed. */
++    argv[--argc] = JSVAL_VOID;
+ 
+     return fs->call(cx, JSVAL_TO_OBJECT(argv[-1]), argc, argv, rval);
+ }
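Review bot: the now unconditional vp[2 + --argc] = JSVAL_VOID; and argv[--argc] = JSVAL_VOID; are safe only because of the argc < 1 early return many lines above, and the comment that explained the underflow hazard has been deleted. Since argc is an unsigned uintN, keep a one-line comment or add JS_ASSERT(argc >= 1) next to each decrement, so a later edit to the early return cannot silently reintroduce an out-of-bounds write. In js_generic_native_method_dispatcher the call js_ReportMissingArg(cx, argv - 2, 0) depends on argv - 2 being the vp base; a short comment would make that explicit.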
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-573873-Bustage-fix.-a-dveditz.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-573873-Bustage-fix.-a-dveditz.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-573873-Bustage-fix.-a-dveditz.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-573873-Bustage-fix.-a-dveditz.patch	2011-03-27 16:11:13.000000000 +0200
@@ -0,0 +1,20 @@
+From: Josh Aas <joshmoz@gmail.com>
+Date: Wed, 8 Dec 2010 16:16:09 -0500
+Subject: Bug 573873: Bustage fix. a=dveditz
+
+---
+ content/base/public/nsContentUtils.h |    1 +
+ 1 files changed, 1 insertions(+), 0 deletions(-)
+
+diff --git a/mozilla/content/base/public/nsContentUtils.h b/mozilla/content/base/public/nsContentUtils.h
+index 6a4626b..127d803 100644
+--- a/mozilla/content/base/public/nsContentUtils.h
++++ b/mozilla/content/base/public/nsContentUtils.h
+@@ -115,6 +115,7 @@ class nsIXTFService;
+ class nsIBidiKeyboard;
+ #endif
+ class nsIMIMEHeaderParam;
++class nsIChannel;
+ 
+ extern const char kLoadAsData[];
+ 
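Review bot: this forward declaration of nsIChannel is only needed once the CheckSameOrigin(nsIChannel *, nsIChannel *) declaration from the "Fix bug in HTTP handling for plugins" patch is in nsContentUtils.h, and its pre-image index 6a4626b is that patch's post-image, so it must apply second. The debdiff lists the files alphabetically with this one first, and the file that fixes the patch order is not in the visible part of the diff, so please check the order there. Folding the one-line fix into the patch it repairs would remove the ordering dependency.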
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-573873-Fix-bug-in-HTTP-handling-for-plugins.-r-j.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-573873-Fix-bug-in-HTTP-handling-for-plugins.-r-j.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-573873-Fix-bug-in-HTTP-handling-for-plugins.-r-j.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-573873-Fix-bug-in-HTTP-handling-for-plugins.-r-j.patch	2011-03-27 16:11:13.000000000 +0200
@@ -0,0 +1,345 @@
+From: Josh Aas <joshmoz@gmail.com>
+Date: Wed, 8 Dec 2010 15:38:35 -0500
+Subject: Bug 573873: Fix bug in HTTP handling for plugins. r=jst a=dveditz
+
+---
+ content/base/public/nsContentUtils.h         |    4 +-
+ content/base/public/nsIContentUtils.h        |   19 ++++
+ content/base/src/nsContentUtils.cpp          |   39 ++++++---
+ layout/build/nsLayoutCID.h                   |    4 +
+ layout/build/nsLayoutModule.cpp              |    5 +
+ modules/plugin/base/src/nsPluginHostImpl.cpp |  114 ++++++++++++++++++++++----
+ 6 files changed, 156 insertions(+), 29 deletions(-)
+
+diff --git a/mozilla/content/base/public/nsContentUtils.h b/mozilla/content/base/public/nsContentUtils.h
+index b3c7b11..6a4626b 100644
+--- a/mozilla/content/base/public/nsContentUtils.h
++++ b/mozilla/content/base/public/nsContentUtils.h
+@@ -1380,7 +1380,9 @@ public:
+ 
+   static JSContext *GetCurrentJSContext();
+ 
+-                                             
++
++  // Returns NS_OK for same origin, error (NS_ERROR_DOM_BAD_URI) if not.
++  static nsresult CheckSameOrigin(nsIChannel *aOldChannel, nsIChannel *aNewChannel);
+   static nsIInterfaceRequestor* GetSameOriginChecker();
+ 
+   static nsIThreadJSContextStack* ThreadJSContextStack()
+diff --git a/mozilla/content/base/public/nsIContentUtils.h b/mozilla/content/base/public/nsIContentUtils.h
+index 35a4f1f..fab84e5 100644
+--- a/mozilla/content/base/public/nsIContentUtils.h
++++ b/mozilla/content/base/public/nsIContentUtils.h
+@@ -37,6 +37,8 @@
+ #ifndef nsIContentUtils_h__
+ #define nsIContentUtils_h__
+ 
++class nsIChannel;
++
+ // C4EA618E-A3D9-4524-8EEA-E92F26FC44DB
+ #define NS_ICONTENTUTILS_IID \
+ { 0xC4EA618E, 0xA3D9, 0x4524, \
+@@ -53,4 +55,21 @@ public:
+ 
+ NS_DEFINE_STATIC_IID_ACCESSOR(nsIContentUtils, NS_ICONTENTUTILS_IID)
+ 
++// {fbff0101-84ad-49f0-aea0-97ee4863bf55}
++#define NS_ICONTENTUTILS2_IID \
++{ 0xfbff0101, 0x84ad, 0x49f0, \
++{ 0xae, 0xa0, 0x97, 0xee, 0x48, 0x63, 0xbf, 0x55 } }
++
++class nsIContentUtils2 : public nsISupports
++{
++public:
++  NS_DECLARE_STATIC_IID_ACCESSOR(NS_ICONTENTUTILS2_IID)
++  NS_DECL_ISUPPORTS
++
++  // Returns NS_OK for same origin, error (NS_ERROR_DOM_BAD_URI) if not.
++  virtual nsresult CheckSameOrigin(nsIChannel *aOldChannel, nsIChannel *aNewChannel);
++};
++
++NS_DEFINE_STATIC_IID_ACCESSOR(nsIContentUtils2, NS_ICONTENTUTILS2_IID)
++
+ #endif /* nsIContentUtils_h__ */
+diff --git a/mozilla/content/base/src/nsContentUtils.cpp b/mozilla/content/base/src/nsContentUtils.cpp
+index d4409ac..fdda952 100644
+--- a/mozilla/content/base/src/nsContentUtils.cpp
++++ b/mozilla/content/base/src/nsContentUtils.cpp
+@@ -4372,6 +4372,14 @@ nsIContentUtils::IsSafeToRunScript()
+   return nsContentUtils::IsSafeToRunScript();
+ }
+ 
++NS_IMPL_ISUPPORTS1(nsIContentUtils2, nsIContentUtils2)
++
++nsresult
++nsIContentUtils2::CheckSameOrigin(nsIChannel *aOldChannel, nsIChannel *aNewChannel)
++{
++  return nsContentUtils::CheckSameOrigin(aOldChannel, aNewChannel);
++}
++
+ /* static */
+ PRBool
+ nsContentUtils::AddScriptRunner(nsIRunnable* aRunnable)
+@@ -4601,20 +4609,12 @@ nsContentUtils::GetSameOriginChecker()
+   return sSameOriginChecker;
+ }
+ 
+-
+-NS_IMPL_ISUPPORTS2(nsSameOriginChecker,
+-                   nsIChannelEventSink,
+-                   nsIInterfaceRequestor)
+-
+-NS_IMETHODIMP
+-nsSameOriginChecker::OnChannelRedirect(nsIChannel *aOldChannel,
+-                                       nsIChannel *aNewChannel,
+-                                       PRUint32    aFlags)
++/* static */
++nsresult
++nsContentUtils::CheckSameOrigin(nsIChannel *aOldChannel, nsIChannel *aNewChannel)
+ {
+-  NS_PRECONDITION(aNewChannel, "Redirecting to null channel?");
+-  if (!nsContentUtils::GetSecurityManager()) {
++  if (!nsContentUtils::GetSecurityManager())
+     return NS_ERROR_NOT_AVAILABLE;
+-  }
+ 
+   nsCOMPtr<nsIPrincipal> oldPrincipal;
+   nsContentUtils::GetSecurityManager()->
+@@ -4631,9 +4631,24 @@ nsSameOriginChecker::OnChannelRedirect(nsIChannel *aOldChannel,
+   if (NS_SUCCEEDED(rv) && newOriginalURI != newURI) {
+     rv = oldPrincipal->CheckMayLoad(newOriginalURI, PR_FALSE);
+   }
++
+   return rv;
+ }
+ 
++NS_IMPL_ISUPPORTS2(nsSameOriginChecker,
++                   nsIChannelEventSink,
++                   nsIInterfaceRequestor)
++
++NS_IMETHODIMP
++nsSameOriginChecker::OnChannelRedirect(nsIChannel *aOldChannel,
++                                       nsIChannel *aNewChannel,
++                                       PRUint32    aFlags)
++{
++  NS_PRECONDITION(aNewChannel, "Redirecting to null channel?");
++
++  return nsContentUtils::CheckSameOrigin(aOldChannel, aNewChannel);
++}
++
+ NS_IMETHODIMP
+ nsSameOriginChecker::GetInterface(const nsIID & aIID, void **aResult)
+ {
+diff --git a/mozilla/layout/build/nsLayoutCID.h b/mozilla/layout/build/nsLayoutCID.h
+index 7bdd04c..ea01eaf 100644
+--- a/mozilla/layout/build/nsLayoutCID.h
++++ b/mozilla/layout/build/nsLayoutCID.h
+@@ -234,6 +234,10 @@
+ #define NS_ICONTENTUTILS_CID \
+ { 0x762C4AE7, 0xB923, 0x422F, { 0xB9, 0x7E, 0xB9, 0xBF, 0xC1, 0xEF, 0x7B, 0xF0 } }
+ 
++// {7f5fef90-44bf-4d5c-a9fa-884eb7e7cdee}
++#define NS_ICONTENTUTILS2_CID \
++{ 0x7f5fef90, 0x44bf, 0x4d5c, { 0xa9, 0xfa, 0x88, 0x4e, 0xb7, 0xe7, 0xcd, 0xee } }
++
+ #ifdef MOZ_MEDIA
+ #define NS_HTMLAUDIOELEMENT_CID                   \
+ { /* 1d40026b-4c44-4f6f-b158-26bb5e9c65e9 */      \
+diff --git a/mozilla/layout/build/nsLayoutModule.cpp b/mozilla/layout/build/nsLayoutModule.cpp
+index 7590300..0d31df8 100644
+--- a/mozilla/layout/build/nsLayoutModule.cpp
++++ b/mozilla/layout/build/nsLayoutModule.cpp
+@@ -544,6 +544,7 @@ MAKE_CTOR(CreateVideoDocument,            nsIDocument,                 NS_NewVid
+ #endif
+ 
+ NS_GENERIC_FACTORY_CONSTRUCTOR(nsIContentUtils)
++NS_GENERIC_FACTORY_CONSTRUCTOR(nsIContentUtils2)
+ 
+ #ifdef MOZ_ENABLE_CANVAS
+ MAKE_CTOR(CreateCanvasRenderingContext2D, nsIDOMCanvasRenderingContext2D, NS_NewCanvasRenderingContext2D)
+@@ -1483,6 +1484,10 @@ static const nsModuleComponentInfo gComponents[] = {
+       "@mozilla.org/content/contentutils;1",
+       nsIContentUtilsConstructor },
+ 
++    { "Content Utils 2",
++      NS_ICONTENTUTILS2_CID,
++      "@mozilla.org/content/contentutils2;1",
++      nsIContentUtils2Constructor },
+ };
+ 
+ NS_IMPL_NSGETMODULE_WITH_CTOR(nsLayoutModule, gComponents, Initialize)
+diff --git a/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp b/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp
+index 331428d..e9053cb 100644
+--- a/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp
++++ b/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp
+@@ -176,6 +176,10 @@
+ #include "nsIContentPolicy.h"
+ #include "nsContentPolicyUtils.h"
+ #include "nsContentErrors.h"
++#include "nsIContentUtils.h"
++
++#include "nsIInterfaceRequestor.h"
++#include "nsIChannelEventSink.h"
+ 
+ #if defined(XP_UNIX) && defined(MOZ_WIDGET_GTK2) & defined(MOZ_X11)
+ #include <gdk/gdkx.h> // for GDK_DISPLAY()
+@@ -1224,7 +1228,9 @@ private:
+ class nsPluginStreamListenerPeer : public nsIStreamListener,
+                                    public nsIProgressEventSink,
+                                    public nsIHttpHeaderVisitor,
+-                                   public nsSupportsWeakReference
++                                   public nsSupportsWeakReference,
++                                   public nsIInterfaceRequestor,
++                                   public nsIChannelEventSink
+ {
+ public:
+   nsPluginStreamListenerPeer();
+@@ -1235,6 +1241,8 @@ public:
+   NS_DECL_NSIREQUESTOBSERVER
+   NS_DECL_NSISTREAMLISTENER
+   NS_DECL_NSIHTTPHEADERVISITOR
++  NS_DECL_NSIINTERFACEREQUESTOR
++  NS_DECL_NSICHANNELEVENTSINK
+ 
+   // Called by GetURL and PostURL (via NewStream)
+   nsresult Initialize(nsIURI *aURL,
+@@ -1259,6 +1267,7 @@ private:
+   nsresult SetUpCache(nsIURI* aURL); // todo: see about removing this...
+   nsresult SetUpStreamListener(nsIRequest* request, nsIURI* aURL);
+   nsresult SetupPluginCacheFile(nsIChannel* channel);
++  nsresult GetInterfaceGlobal(const nsIID& aIID, void** result);
+ 
+   nsIURI                  *mURL;
+   nsIPluginInstanceOwner  *mOwner;
+@@ -1676,11 +1685,13 @@ nsPluginStreamListenerPeer::~nsPluginStreamListenerPeer()
+   delete mDataForwardToRequest;
+ }
+ 
+-NS_IMPL_ISUPPORTS4(nsPluginStreamListenerPeer,
++NS_IMPL_ISUPPORTS6(nsPluginStreamListenerPeer,
+                    nsIStreamListener,
+                    nsIRequestObserver,
+                    nsIHttpHeaderVisitor,
+-                   nsISupportsWeakReference)
++                   nsISupportsWeakReference,
++                   nsIInterfaceRequestor,
++                   nsIChannelEventSink)
+ 
+ // Called as a result of GetURL and PostURL
+ nsresult nsPluginStreamListenerPeer::Initialize(nsIURI *aURL,
+@@ -2487,6 +2498,89 @@ nsPluginStreamListenerPeer::VisitHeader(const nsACString &header, const nsACStri
+                                      PromiseFlatCString(value).get());
+ }
+ 
++nsresult
++nsPluginStreamListenerPeer::GetInterfaceGlobal(const nsIID& aIID, void** result)
++{
++  if (!mInstance) {
++    return NS_ERROR_FAILURE;
++  }
++
++  nsCOMPtr<nsIPluginInstancePeer> instancePeer;
++  nsresult rv = mInstance->GetPeer(getter_AddRefs(instancePeer));
++  if (NS_FAILED(rv) || !instancePeer) {
++    return NS_ERROR_FAILURE;
++  }
++
++  nsCOMPtr<nsPIPluginInstancePeer> pInstancePeer(do_QueryInterface(instancePeer));
++  nsCOMPtr<nsIPluginInstanceOwner> owner;
++  rv = pInstancePeer->GetOwner(getter_AddRefs(owner));
++  if (NS_SUCCEEDED(rv) && owner) {
++    nsCOMPtr<nsIDocument> doc;
++    nsresult rv = owner->GetDocument(getter_AddRefs(doc));
++    if (NS_SUCCEEDED(rv) && doc) {
++      nsPIDOMWindow *window = doc->GetWindow();
++      if (window) {
++        nsCOMPtr<nsIWebNavigation> webNav = do_GetInterface(window);
++        nsCOMPtr<nsIInterfaceRequestor> ir = do_QueryInterface(webNav);
++        return ir->GetInterface(aIID, result);
++      }
++    }
++  }
++
++  return NS_ERROR_FAILURE;
++}
++
++NS_IMETHODIMP
++nsPluginStreamListenerPeer::GetInterface(const nsIID& aIID, void** result)
++{
++  // Provide nsIChannelEventSink ourselves, otherwise let our document's
++  // window provide the interface.
++
++  if (aIID.Equals(NS_GET_IID(nsIChannelEventSink))) {
++    return QueryInterface(aIID, result);
++  }
++
++  return GetInterfaceGlobal(aIID, result);
++}
++
++NS_IMETHODIMP
++nsPluginStreamListenerPeer::OnChannelRedirect(nsIChannel *oldChannel, nsIChannel *newChannel, PRUint32 flags)
++{
++  // Don't allow cross-origin 307 POST redirects. Fall back to channel event sink for window.
++
++  nsCOMPtr<nsIHttpChannel> oldHttpChannel(do_QueryInterface(oldChannel));
++  if (oldHttpChannel) {
++    PRUint32 responseStatus;
++    nsresult rv = oldHttpChannel->GetResponseStatus(&responseStatus);
++    if (NS_FAILED(rv)) {
++      return rv;
++    }
++    if (responseStatus == 307) {
++      nsCAutoString method;
++      rv = oldHttpChannel->GetRequestMethod(method);
++      if (NS_FAILED(rv)) {
++        return rv;
++      }
++      if (method.EqualsLiteral("POST")) {
++        nsCOMPtr<nsIContentUtils2> contentUtils2 = do_GetService("@mozilla.org/content/contentutils2;1");
++        NS_ENSURE_TRUE(contentUtils2, NS_ERROR_FAILURE);
++        rv = contentUtils2->CheckSameOrigin(oldChannel, newChannel);
++        if (NS_FAILED(rv)) {
++          return rv;
++        }
++      }
++    }
++  }
++
++  nsCOMPtr<nsIChannelEventSink> channelEventSink;
++  nsresult rv = GetInterfaceGlobal(NS_GET_IID(nsIChannelEventSink), getter_AddRefs(channelEventSink));
++  if (NS_FAILED(rv)) {
++    return NS_ERROR_FAILURE;
++  }
++
++  return channelEventSink->OnChannelRedirect(oldChannel, newChannel, flags);
++}
++
+ nsPluginHostImpl::nsPluginHostImpl()
+ {
+   mPluginsLoaded = PR_FALSE;
+@@ -5714,24 +5808,12 @@ NS_IMETHODIMP nsPluginHostImpl::NewPluginURLStream(const nsString& aURL,
+     rv = listenerPeer->Initialize(url, aInstance, aListener);
+ 
+     if (NS_SUCCEEDED(rv)) {
+-      nsCOMPtr<nsIInterfaceRequestor> callbacks;
+-      if (doc) {
+-        // Get the script global object owner and use that as the
+-        // notification callback.
+-        nsIScriptGlobalObject* global = doc->GetScriptGlobalObject();
+-        if (global) {
+-          nsCOMPtr<nsIWebNavigation> webNav = do_GetInterface(global);
+-          callbacks = do_QueryInterface(webNav);
+-        }
+-      }
+-
+       nsCOMPtr<nsIChannel> channel;
+-
+       rv = NS_NewChannel(getter_AddRefs(channel), url, nsnull,
+         nsnull, /* do not add this internal plugin's channel
+                 on the load group otherwise this channel could be canceled
+                 form |nsWebShell::OnLinkClickSync| bug 166613 */
+-        callbacks);
++        listenerPeer);
+       if (NS_FAILED(rv))
+         return rv;
+ 
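Review bot: GetInterfaceGlobal dereferences pInstancePeer right after do_QueryInterface(instancePeer) and ir right after do_QueryInterface(webNav) without a null check, and the inner nsresult rv shadows the outer one. OnChannelRedirect likewise calls channelEventSink->OnChannelRedirect after testing only rv. Any failure on this path returns NS_ERROR_FAILURE and so rejects every redirect on the plugin stream, not just cross-origin 307 POSTs; null-check those pointers and state in a comment that failing closed is intended. nsContentUtils::CheckSameOrigin also no longer carries the NS_PRECONDITION on aNewChannel, which now guards only the nsSameOriginChecker caller and not the new nsIContentUtils2 entry point.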
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-576649.-r-dbaron-a-blocking1.9.1.17.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-576649.-r-dbaron-a-blocking1.9.1.17.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-576649.-r-dbaron-a-blocking1.9.1.17.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-576649.-r-dbaron-a-blocking1.9.1.17.patch	2011-03-27 16:11:13.000000000 +0200
@@ -0,0 +1,82 @@
+From: Mats Palmgren <matspal@gmail.com>
+Date: Wed, 19 Jan 2011 00:13:49 +0100
+Subject: Bug 576649. r=dbaron a=blocking1.9.1.17
+
+---
+ layout/base/nsCSSFrameConstructor.cpp |   12 +++++++-----
+ layout/base/nsFrameManager.cpp        |   20 +++++++++++++-------
+ 2 files changed, 20 insertions(+), 12 deletions(-)
+
+diff --git a/mozilla/layout/base/nsCSSFrameConstructor.cpp b/mozilla/layout/base/nsCSSFrameConstructor.cpp
+index 09b2695..52bfc64 100644
+--- a/mozilla/layout/base/nsCSSFrameConstructor.cpp
++++ b/mozilla/layout/base/nsCSSFrameConstructor.cpp
+@@ -9693,13 +9693,15 @@ UpdateViewsForTree(nsIFrame* aFrame, nsIViewManager* aViewManager,
+       if (!(child->GetStateBits() & NS_FRAME_OUT_OF_FLOW)
+           || (child->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER)) {
+         // only do frames that don't have placeholders
+-        if (nsGkAtoms::placeholderFrame == child->GetType()) { // placeholder
+-          // get out of flow frame and start over there
++        if (nsGkAtoms::placeholderFrame == child->GetType()) {
++          // do the out-of-flow frame and its continuations
+           nsIFrame* outOfFlowFrame =
+             nsPlaceholderFrame::GetRealFrameForPlaceholder(child);
+-
+-          DoApplyRenderingChangeToTree(outOfFlowFrame, aViewManager,
+-                                       aFrameManager, aChange);
++          do {
++            DoApplyRenderingChangeToTree(outOfFlowFrame, aViewManager,
++                                         aFrameManager, aChange);
++          } while ((outOfFlowFrame = outOfFlowFrame->GetNextContinuation()) &&
++                   (outOfFlowFrame->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER));
+         }
+         else {  // regular frame
+           UpdateViewsForTree(child, aViewManager, aFrameManager, aChange);
+diff --git a/mozilla/layout/base/nsFrameManager.cpp b/mozilla/layout/base/nsFrameManager.cpp
+index 4704dab..c9f3e25 100644
+--- a/mozilla/layout/base/nsFrameManager.cpp
++++ b/mozilla/layout/base/nsFrameManager.cpp
+@@ -22,6 +22,7 @@
+  * the Initial Developer. All Rights Reserved.
+  *
+  * Contributor(s):
++ *   Mats Palmgren <matspal@gmail.com>
+  *
+  * Alternatively, the contents of this file may be used under the terms of
+  * either of the GNU General Public License Version 2 or later (the "GPL"),
+@@ -935,12 +936,14 @@ nsresult
+ nsFrameManager::ReParentStyleContext(nsIFrame* aFrame)
+ {
+   if (nsGkAtoms::placeholderFrame == aFrame->GetType()) {
+-    // Also reparent the out-of-flow
++    // Also reparent the out-of-flow and all its continuations.
+     nsIFrame* outOfFlow =
+       nsPlaceholderFrame::GetRealFrameForPlaceholder(aFrame);
+     NS_ASSERTION(outOfFlow, "no out-of-flow frame");
+-
+-    ReParentStyleContext(outOfFlow);
++    do {
++      ReParentStyleContext(outOfFlow);
++    } while ((outOfFlow = outOfFlow->GetNextContinuation()) &&
++             (outOfFlow->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER));
+   }
+ 
+   // DO NOT verify the style tree before reparenting.  The frame
+@@ -1483,10 +1486,13 @@ nsFrameManager::ReResolveStyleContext(nsPresContext     *aPresContext,
+ 
+               // |nsFrame::GetParentStyleContextFrame| checks being out
+               // of flow so that this works correctly.
+-              ReResolveStyleContext(aPresContext, outOfFlowFrame,
+-                                    content, aChangeList,
+-                                    NS_SubtractHint(aMinChange,
+-                                                    nsChangeHint_ReflowFrame));
++              do {
++                ReResolveStyleContext(aPresContext, outOfFlowFrame,
++                                      content, aChangeList,
++                                      NS_SubtractHint(aMinChange,
++                                                      nsChangeHint_ReflowFrame));
++              } while ((outOfFlowFrame = outOfFlowFrame->GetNextContinuation()) &&
++                       (outOfFlowFrame->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER));
+ 
+               // reresolve placeholder's context under the same parent
+               // as the out-of-flow frame
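Review bot: The loop condition on GetNextContinuation() and NS_FRAME_IS_OVERFLOW_CONTAINER is now written out three times (UpdateViewsForTree, ReParentStyleContext and here in ReResolveStyleContext). A small shared helper that returns the next overflow-container continuation would keep the three walks from drifting apart, and a comment should say why the walk stops at the first continuation that lacks NS_FRAME_IS_OVERFLOW_CONTAINER instead of visiting all continuations.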
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-600853-regression-fix-r-brendan-a-clegnitto.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-600853-regression-fix-r-brendan-a-clegnitto.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-600853-regression-fix-r-brendan-a-clegnitto.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-600853-regression-fix-r-brendan-a-clegnitto.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,21 @@
+From: Igor Bukanov <igor@mir2.org>
+Date: Thu, 20 Jan 2011 00:24:55 +0100
+Subject: bug 600853 - regression fix r=brendan a=clegnitto
+
+---
+ js/src/jsgc.cpp |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/mozilla/js/src/jsgc.cpp b/mozilla/js/src/jsgc.cpp
+index 44b6098..51ac97e 100644
+--- a/mozilla/js/src/jsgc.cpp
++++ b/mozilla/js/src/jsgc.cpp
+@@ -947,7 +947,7 @@ NewGCArena(JSContext *cx)
+     JSGCArenaInfo *a;
+ 
+     JSRuntime *rt = cx->runtime;
+-    if (rt->gcBytes >= rt->gcMaxBytes && HAS_TITLES_TO_SHARE(cx))
++    if (rt->gcBytes >= rt->gcMaxBytes && !HAS_TITLES_TO_SHARE(cx))
+         return NULL;
+ 
+ #if CHUNKED_ARENA_ALLOCATION
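Review bot: The inverted test in NewGCArena, `!HAS_TITLES_TO_SHARE(cx)`, is a one-character change to the condition that enforces gcMaxBytes, and neither the code nor the subject line ("regression fix") says why the limit is only enforced when there are no titles to share. Please add a comment above the `if` stating the intended rule, and a test that exercises both sides of it, so the next edit does not flip it back.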
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-602115-Fix-XSLT-error-handling-bugs.-r-peterv-a-.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-602115-Fix-XSLT-error-handling-bugs.-r-peterv-a-.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-602115-Fix-XSLT-error-handling-bugs.-r-peterv-a-.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-602115-Fix-XSLT-error-handling-bugs.-r-peterv-a-.patch	2011-03-27 16:11:13.000000000 +0200
@@ -0,0 +1,206 @@
+From: Jonas Sicking <jonas@sicking.cc>
+Date: Mon, 13 Dec 2010 14:24:55 -0800
+Subject: Bug 602115: Fix XSLT error handling bugs. r=peterv a=dveditz
+
+---
+ content/xslt/crashtests/602115.html              |   22 ++++++++++
+ content/xslt/crashtests/crashtests.list          |    1 +
+ content/xslt/src/xslt/txExecutionState.cpp       |   49 ++++++---------------
+ content/xslt/src/xslt/txExecutionState.h         |    9 ++--
+ content/xslt/src/xslt/txMozillaXSLTProcessor.cpp |   12 ++++--
+ 5 files changed, 49 insertions(+), 44 deletions(-)
+ create mode 100644 content/xslt/crashtests/602115.html
+
+diff --git a/mozilla/content/xslt/crashtests/602115.html b/mozilla/content/xslt/crashtests/602115.html
+new file mode 100644
+index 0000000..ad42d76
+--- /dev/null
++++ b/mozilla/content/xslt/crashtests/602115.html
+@@ -0,0 +1,22 @@
++<!DOCTYPE html>
++<script>
++
++try {
++  var docType = document.implementation.createDocumentType(undefined, '', '');
++  var doc = document.implementation.createDocument('', '', null);
++  var xp = new XSLTProcessor;
++  xp.importStylesheet(doc);
++  xp.transformToDocument(docType);
++}
++catch (ex) {}
++
++try {
++  docType = document.implementation.createDocumentType(undefined, '', '');
++  doc = document.implementation.createDocument('', '', null);
++  xp = new XSLTProcessor;
++  xp.importStylesheet(doc);
++  xp.transformToFragment(docType, document);
++}
++catch (ex) {}
++
++</script>
+diff --git a/mozilla/content/xslt/crashtests/crashtests.list b/mozilla/content/xslt/crashtests/crashtests.list
+index ba6447d..d44f34f 100644
+--- a/mozilla/content/xslt/crashtests/crashtests.list
++++ b/mozilla/content/xslt/crashtests/crashtests.list
+@@ -8,3 +8,4 @@ load 485286.xml
+ load 528300.xml
+ load 528488.xml
+ load 545927.html
++load 602115.html
+diff --git a/mozilla/content/xslt/src/xslt/txExecutionState.cpp b/mozilla/content/xslt/src/xslt/txExecutionState.cpp
+index d8f5ec7..a2aa72a 100644
+--- a/mozilla/content/xslt/src/xslt/txExecutionState.cpp
++++ b/mozilla/content/xslt/src/xslt/txExecutionState.cpp
+@@ -90,9 +90,6 @@ txExecutionState::txExecutionState(txStylesheet* aStylesheet,
+       mNextInstruction(nsnull),
+       mLocalVariables(nsnull),
+       mRecursionDepth(0),
+-      mTemplateRules(nsnull),
+-      mTemplateRulesBufferSize(0),
+-      mTemplateRuleCount(0),
+       mEvalContext(nsnull),
+       mInitialEvalContext(nsnull),
+       mGlobalParams(nsnull),
+@@ -109,12 +106,6 @@ txExecutionState::~txExecutionState()
+     delete mResultHandler;
+     delete mLocalVariables;
+     delete mEvalContext;
+-
+-    PRInt32 i;
+-    for (i = 0; i < mTemplateRuleCount; ++i) {
+-        NS_IF_RELEASE(mTemplateRules[i].mModeLocalName);
+-    }
+-    delete [] mTemplateRules;
+     
+     txStackIterator varsIter(&mLocalVarsStack);
+     while (varsIter.hasNext()) {
+@@ -204,7 +195,11 @@ txExecutionState::init(const txXPathNode& aNode,
+ nsresult
+ txExecutionState::end(nsresult aResult)
+ {
+-    popTemplateRule();
++    NS_ASSERTION(NS_FAILED(aResult) || mTemplateRules.Length() == 1,
++                 "Didn't clean up template rules properly");
++    if (NS_SUCCEEDED(aResult)) {
++        popTemplateRule();
++    }
+     return mOutputHandler->endDocument(aResult);
+ }
+ 
+@@ -408,35 +403,18 @@ txExecutionState::pushTemplateRule(txStylesheet::ImportFrame* aFrame,
+                                    const txExpandedName& aMode,
+                                    txVariableMap* aParams)
+ {
+-    if (mTemplateRuleCount == mTemplateRulesBufferSize) {
+-        PRInt32 newSize =
+-            mTemplateRulesBufferSize ? mTemplateRulesBufferSize * 2 : 10;
+-        TemplateRule* newRules = new TemplateRule[newSize];
+-        NS_ENSURE_TRUE(newRules, NS_ERROR_OUT_OF_MEMORY);
+-        
+-        memcpy(newRules, mTemplateRules,
+-               mTemplateRuleCount * sizeof(TemplateRule));
+-        delete [] mTemplateRules;
+-        mTemplateRules = newRules;
+-        mTemplateRulesBufferSize = newSize;
+-    }
+-
+-    mTemplateRules[mTemplateRuleCount].mFrame = aFrame;
+-    mTemplateRules[mTemplateRuleCount].mModeNsId = aMode.mNamespaceID;
+-    mTemplateRules[mTemplateRuleCount].mModeLocalName = aMode.mLocalName;
+-    mTemplateRules[mTemplateRuleCount].mParams = aParams;
+-    NS_IF_ADDREF(mTemplateRules[mTemplateRuleCount].mModeLocalName);
+-    ++mTemplateRuleCount;
+-    
+-    return NS_OK;
++    TemplateRule* rule = mTemplateRules.AppendElement();
++    rule->mFrame = aFrame;
++    rule->mModeNsId = aMode.mNamespaceID;
++    rule->mModeLocalName = aMode.mLocalName;
++    rule->mParams = aParams;
+ }
+ 
+ void
+ txExecutionState::popTemplateRule()
+ {
+-    // decrement outside of RELEASE, that would decrement twice
+-    --mTemplateRuleCount;
+-    NS_IF_RELEASE(mTemplateRules[mTemplateRuleCount].mModeLocalName);
++    NS_PRECONDITION(!mTemplateRules.IsEmpty(), "No rules to pop");
++    mTemplateRules.RemoveElementAt(mTemplateRules.Length() - 1);
+ }
+ 
+ txIEvalContext*
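Review bot: In pushTemplateRule the result of mTemplateRules.AppendElement() is dereferenced on the next line without a null check, whereas the removed code returned NS_ERROR_OUT_OF_MEMORY when the allocation failed. Either check `rule` and propagate the failure, or state why the append cannot fail here. The hunk also drops `return NS_OK;` without adding another return, and none of the txExecutionState.h hunks in this patch touch the declaration, so please confirm the function is declared void.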
+@@ -500,7 +478,8 @@ txExecutionState::getKeyNodes(const txExpandedName& aKeyName,
+ txExecutionState::TemplateRule*
+ txExecutionState::getCurrentTemplateRule()
+ {
+-    return mTemplateRules + mTemplateRuleCount - 1;
++    NS_PRECONDITION(!mTemplateRules.IsEmpty(), "No current rule!");
++    return &mTemplateRules[mTemplateRules.Length() - 1];
+ }
+ 
+ txInstruction*
+diff --git a/mozilla/content/xslt/src/xslt/txExecutionState.h b/mozilla/content/xslt/src/xslt/txExecutionState.h
+index 2975780..a8e4025 100644
+--- a/mozilla/content/xslt/src/xslt/txExecutionState.h
++++ b/mozilla/content/xslt/src/xslt/txExecutionState.h
+@@ -104,10 +104,11 @@ public:
+     /**
+      * Struct holding information about a current template rule
+      */
+-    struct TemplateRule {
++    class TemplateRule {
++    public:
+         txStylesheet::ImportFrame* mFrame;
+         PRInt32 mModeNsId;
+-        nsIAtom* mModeLocalName;
++        nsCOMPtr<nsIAtom> mModeLocalName;
+         txVariableMap* mParams;
+     };
+ 
+@@ -173,9 +174,7 @@ private:
+     nsRefPtr<txAExprResult> mGlobalVarPlaceholderValue;
+     PRInt32 mRecursionDepth;
+ 
+-    TemplateRule* mTemplateRules;
+-    PRInt32 mTemplateRulesBufferSize;
+-    PRInt32 mTemplateRuleCount;
++    nsAutoTArray<TemplateRule, 10> mTemplateRules;
+ 
+     txIEvalContext* mEvalContext;
+     txIEvalContext* mInitialEvalContext;
+diff --git a/mozilla/content/xslt/src/xslt/txMozillaXSLTProcessor.cpp b/mozilla/content/xslt/src/xslt/txMozillaXSLTProcessor.cpp
+index 1d0be61..9288986 100644
+--- a/mozilla/content/xslt/src/xslt/txMozillaXSLTProcessor.cpp
++++ b/mozilla/content/xslt/src/xslt/txMozillaXSLTProcessor.cpp
+@@ -677,10 +677,12 @@ txMozillaXSLTProcessor::TransformToDoc(nsIDOMDocument *aOutputDoc,
+                                          mObserver);
+     es.mOutputHandlerFactory = &handlerFactory;
+ 
+-    es.init(*sourceNode, &mVariables);
++    nsresult rv = es.init(*sourceNode, &mVariables);
+ 
+     // Process root of XML source document
+-    nsresult rv = txXSLTProcessor::execute(es);
++    if (NS_SUCCEEDED(rv)) {
++        rv = txXSLTProcessor::execute(es);
++    }
+     
+     nsresult endRv = es.end(rv);
+     if (NS_SUCCEEDED(rv)) {
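Review bot: When es.init() fails in TransformToDoc, es.end(rv) is still called, and txExecutionState::end() in this same patch ends with `return mOutputHandler->endDocument(aResult);` with no check on mOutputHandler. Please confirm that init() always sets mOutputHandler before any path that can return failure, or guard the call in end(). The same applies to the TransformToFragment hunk that follows.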
+@@ -734,10 +736,12 @@ txMozillaXSLTProcessor::TransformToFragment(nsIDOMNode *aSource,
+     txToFragmentHandlerFactory handlerFactory(*aResult);
+     es.mOutputHandlerFactory = &handlerFactory;
+ 
+-    es.init(*sourceNode, &mVariables);
++    rv = es.init(*sourceNode, &mVariables);
+ 
+     // Process root of XML source document
+-    rv = txXSLTProcessor::execute(es);
++    if (NS_SUCCEEDED(rv)) {
++        rv = txXSLTProcessor::execute(es);
++    }
+     // XXX setup exception context, bug 204658
+     nsresult endRv = es.end(rv);
+     if (NS_SUCCEEDED(rv)) {
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-607160-check-text-length-computations.-r-roc-app.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-607160-check-text-length-computations.-r-roc-app.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-607160-check-text-length-computations.-r-roc-app.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-607160-check-text-length-computations.-r-roc-app.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,50 @@
+From: Jonathan Kew <jfkthame@gmail.com>
+Date: Sat, 1 Jan 2011 15:50:48 +0000
+Subject: bug 607160 - check text length computations. r=roc approval1.9.1.17=clegnitto
+
+---
+ layout/generic/nsTextFrameThebes.cpp |   16 +++++++++++++---
+ 1 files changed, 13 insertions(+), 3 deletions(-)
+
+diff --git a/mozilla/layout/generic/nsTextFrameThebes.cpp b/mozilla/layout/generic/nsTextFrameThebes.cpp
+index 690b689..924e2ca 100644
+--- a/mozilla/layout/generic/nsTextFrameThebes.cpp
++++ b/mozilla/layout/generic/nsTextFrameThebes.cpp
+@@ -816,6 +816,7 @@ private:
+   // on the line, or null if there was no previous leaf frame.
+   nsIFrame*                     mCommonAncestorWithLastFrame;
+   // mMaxTextLength is an upper bound on the size of the text in all mapped frames
++  // The value PR_UINT32_MAX represents overflow; text will be discarded
+   PRUint32                      mMaxTextLength;
+   PRPackedBool                  mDoubleByteText;
+   PRPackedBool                  mBidiEnabled;
+@@ -1232,8 +1233,11 @@ void BuildTextRunsScanner::FlushFrames(PRBool aFlushLineBreaks, PRBool aSuppress
+       }
+     } else {
+       nsAutoTArray<PRUint8,BIG_TEXT_NODE_SIZE> buffer;
+-      if (!buffer.AppendElements(mMaxTextLength*(mDoubleByteText ? 2 : 1)))
++      PRUint32 bufferSize = mMaxTextLength*(mDoubleByteText ? 2 : 1);
++      if (bufferSize < mMaxTextLength || bufferSize == PR_UINT32_MAX ||
++          !buffer.AppendElements(bufferSize)) {
+         return;
++      }
+       textRun = BuildTextRunForFrames(buffer.Elements());
+     }
+   }
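Review bot: The overflow test `bufferSize < mMaxTextLength` in FlushFrames is only valid because the multiplier is 1 or 2; it would miss wraparound for any larger factor, and the sentinel case is caught by two different sub-conditions depending on mDoubleByteText. Testing `mMaxTextLength == PR_UINT32_MAX` and `mMaxTextLength > PR_UINT32_MAX / 2` before multiplying would state the intent directly. The early return also discards the text silently; an NS_WARNING would make that visible in debug builds.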
+@@ -1277,8 +1281,14 @@ void BuildTextRunsScanner::FlushLineBreaks(gfxTextRun* aTrailingTextRun)
+ 
+ void BuildTextRunsScanner::AccumulateRunInfo(nsTextFrame* aFrame)
+ {
+-  NS_ASSERTION(mMaxTextLength <= mMaxTextLength + aFrame->GetContentLength(), "integer overflow");
+-  mMaxTextLength += aFrame->GetContentLength();
++  if (mMaxTextLength != PR_UINT32_MAX) {
++    NS_ASSERTION(mMaxTextLength < PR_UINT32_MAX - aFrame->GetContentLength(), "integer overflow");
++    if (mMaxTextLength >= PR_UINT32_MAX - aFrame->GetContentLength()) {
++      mMaxTextLength = PR_UINT32_MAX;
++    } else {
++      mMaxTextLength += aFrame->GetContentLength();
++    }
++  }
+   mDoubleByteText |= aFrame->GetFragment()->Is2b();
+   mLastFrame = aFrame;
+   mCommonAncestorWithLastFrame = aFrame->GetParent();
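Review bot: In AccumulateRunInfo the NS_ASSERTION fires on exactly the condition that the following `if` now handles by saturating to PR_UINT32_MAX, so a debug build asserts on a case the code treats as supported. NS_WARNING would fit better than an assertion here. aFrame->GetContentLength() is also evaluated up to three times; reading it once into a local PRUint32 would make the comparison and the addition provably use the same value.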
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-608687-clear-mRoot-after-uninitializing-so-that-.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-608687-clear-mRoot-after-uninitializing-so-that-.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-608687-clear-mRoot-after-uninitializing-so-that-.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-608687-clear-mRoot-after-uninitializing-so-that-.patch	2011-03-27 16:11:13.000000000 +0200
@@ -0,0 +1,47 @@
+From: Neil Deakin <neil@mozilla.com>
+Date: Fri, 21 Jan 2011 13:22:19 -0800
+Subject: Bug 608687, clear mRoot after uninitializing so that template generated content gets removed, r=smaug, a=clegnitto
+
+---
+ content/xul/templates/src/nsXULTemplateBuilder.cpp |    2 --
+ content/xul/templates/src/nsXULTemplateBuilder.h   |    7 +++++--
+ 2 files changed, 5 insertions(+), 4 deletions(-)
+
+diff --git a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
+index 5ae3122..d8c8f55 100644
+--- a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
++++ b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
+@@ -1152,7 +1152,6 @@ nsXULTemplateBuilder::ContentRemoved(nsIDocument* aDocument,
+ 
+         mDB = nsnull;
+         mCompDB = nsnull;
+-        mRoot = nsnull;
+         mDataSource = nsnull;
+     }
+ }
+@@ -1171,7 +1170,6 @@ nsXULTemplateBuilder::NodeWillBeDestroyed(const nsINode* aNode)
+     mDataSource = nsnull;
+     mDB = nsnull;
+     mCompDB = nsnull;
+-    mRoot = nsnull;
+ 
+     nsContentUtils::AddScriptRunner(
+         NS_NEW_RUNNABLE_METHOD(nsXULTemplateBuilder, this, UninitTrue));
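Review bot: With `mRoot = nsnull;` removed from NodeWillBeDestroyed, mRoot stays set until the UninitTrue runnable queued through nsContentUtils::AddScriptRunner actually runs, which is after this notification that the node is being destroyed. Please state in a comment what keeps mRoot valid during that window (an owning reference, or a guarantee that the script runner executes before the node is freed); otherwise Uninit() would be working with a pointer to a destroyed node.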
+diff --git a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
+index 764cc86..c24276a 100644
+--- a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
++++ b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
+@@ -166,8 +166,11 @@ public:
+         }
+       }
+     }
+-    void UninitFalse() { Uninit(PR_FALSE); }
+-    void UninitTrue() { Uninit(PR_TRUE); }
++
++    // mRoot should not be cleared until after Uninit is finished so that
++    // generated content can be removed during uninitialization.
++    void UninitFalse() { Uninit(PR_FALSE); mRoot = nsnull; }
++    void UninitTrue() { Uninit(PR_TRUE); mRoot = nsnull; }
+ 
+     /**
+      * Find the <template> tag that applies for this builder
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-611910-r-josh-a-blocking1.9.1.17.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-611910-r-josh-a-blocking1.9.1.17.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-611910-r-josh-a-blocking1.9.1.17.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-611910-r-josh-a-blocking1.9.1.17.patch	2011-03-27 16:11:14.000000000 +0200
@@ -0,0 +1,136 @@
+From: Steven Michaud <smichaud@pobox.com>
+Date: Mon, 29 Nov 2010 13:47:03 -0600
+Subject: Bug 611910 - r=josh a=blocking1.9.1.17+
+
+---
+ modules/plugin/base/src/nsNPAPIPlugin.cpp       |   84 ++++++++++++++++++++++-
+ modules/plugin/base/src/nsNPAPIPluginInstance.h |    5 +-
+ 2 files changed, 87 insertions(+), 2 deletions(-)
+
+diff --git a/mozilla/modules/plugin/base/src/nsNPAPIPlugin.cpp b/mozilla/modules/plugin/base/src/nsNPAPIPlugin.cpp
+index 0a91443..8d8e8a1 100644
+--- a/mozilla/modules/plugin/base/src/nsNPAPIPlugin.cpp
++++ b/mozilla/modules/plugin/base/src/nsNPAPIPlugin.cpp
+@@ -89,6 +89,8 @@
+ #include "nsIHttpAuthManager.h"
+ #include "nsICookieService.h"
+ 
++#include "nsNetUtil.h"
++
+ static PRLock *sPluginThreadAsyncCallLock = nsnull;
+ static PRCList sPendingAsyncCalls = PR_INIT_STATIC_CLIST(&sPendingAsyncCalls);
+ 
+@@ -1711,7 +1713,87 @@ _getproperty(NPP npp, NPObject* npobj, NPIdentifier property,
+                  ("NPN_GetProperty(npp %p, npobj %p, property %p) called\n",
+                   npp, npobj, property));
+ 
+-  return npobj->_class->getProperty(npobj, property, result);
++  if (!npobj->_class->getProperty(npobj, property, result))
++    return false;
++
++  // If a Java plugin tries to get the document.URL or document.documentURI
++  // property from us, don't pass back a value that Java won't be able to
++  // understand -- one that will make the URL(String) constructor throw a
++  // MalformedURL exception.  Passing such a value causes Java Plugin2 to
++  // crash (to throw a RuntimeException in Plugin2Manager.getDocumentBase()).
++  // Also don't pass back a value that Java is likely to mishandle.
++
++  nsNPAPIPluginInstance* inst = (nsNPAPIPluginInstance*) npp->ndata;
++  if (!inst)
++    return false;
++  if (!inst->mIsJavaPlugin)
++    return true;
++
++  if (!NPVARIANT_IS_STRING(*result))
++    return true;
++
++  NPUTF8* propertyName = _utf8fromidentifier(property);
++  if (!propertyName)
++    return true;
++  bool notURL =
++    (PL_strcasecmp(propertyName, "URL") &&
++     PL_strcasecmp(propertyName, "documentURI"));
++  _memfree(propertyName);
++  if (notURL)
++    return true;
++
++  NPObject* window_obj = _getwindowobject(npp);
++  if (!window_obj)
++    return true;
++
++  NPVariant doc_v;
++  NPObject* document_obj = nsnull;
++  NPIdentifier doc_id = _getstringidentifier("document");
++  bool ok = npobj->_class->getProperty(window_obj, doc_id, &doc_v);
++  _releaseobject(window_obj);
++  if (ok) {
++    if (NPVARIANT_IS_OBJECT(doc_v)) {
++      document_obj = NPVARIANT_TO_OBJECT(doc_v);
++    } else {
++      _releasevariantvalue(&doc_v);
++      return true;
++    }
++  } else {
++    return true;
++  }
++  _releaseobject(document_obj);
++  if (document_obj != npobj)
++    return true;
++
++  NPString urlnp = NPVARIANT_TO_STRING(*result);
++  nsXPIDLCString url;
++  url.Assign(urlnp.utf8characters, urlnp.utf8length);
++
++  PRBool javaCompatible = PR_FALSE;
++  if (NS_FAILED(NS_CheckIsJavaCompatibleURLString(url, &javaCompatible)))
++    javaCompatible = PR_FALSE;
++  if (javaCompatible)
++    return true;
++
++  // If Java won't be able to interpret the original value of document.URL or
++  // document.documentURI, or is likely to mishandle it, pass back something
++  // that Java will understand but won't be able to use to access the network,
++  // and for which same-origin checks will always fail.
++
++  if (inst->mFakeURL.IsVoid()) {
++    // Abort (do an error return) if NS_MakeRandomInvalidURLString() fails.
++    if (NS_FAILED(NS_MakeRandomInvalidURLString(inst->mFakeURL))) {
++      _releasevariantvalue(result);
++      return false;
++    }
++  }
++
++  _releasevariantvalue(result);
++  char* fakeurl = (char *) _memalloc(inst->mFakeURL.Length() + 1);
++  strcpy(fakeurl, inst->mFakeURL);
++  STRINGZ_TO_NPVARIANT(fakeurl, *result);
++
++  return true;
+ }
+ 
+ bool NP_CALLBACK
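Review bot: Near the end of _getproperty, the result of `_memalloc(inst->mFakeURL.Length() + 1)` is passed to strcpy without a null check, so an allocation failure becomes a write through a null pointer; check it and return false as is done for the NS_MakeRandomInvalidURLString failure. Two smaller points in the same hunk: the early `if (!inst) return false;` leaves the variant already filled in by getProperty unreleased, unlike the later error path that calls _releasevariantvalue(result), and the document lookup calls `npobj->_class->getProperty(window_obj, ...)`, using npobj's class on a different object where window_obj->_class looks intended.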
+diff --git a/mozilla/modules/plugin/base/src/nsNPAPIPluginInstance.h b/mozilla/modules/plugin/base/src/nsNPAPIPluginInstance.h
+index 45f7325..e738832 100644
+--- a/mozilla/modules/plugin/base/src/nsNPAPIPluginInstance.h
++++ b/mozilla/modules/plugin/base/src/nsNPAPIPluginInstance.h
+@@ -161,16 +161,19 @@ protected:
+     PRPackedBool  mTransparent;
+     PRPackedBool  mStarted;
+     PRPackedBool  mCached;
+-    PRPackedBool  mIsJavaPlugin;
+     PRPackedBool  mWantsAllNetworkStreams;
+ 
+ public:
++    PRPackedBool  mIsJavaPlugin;
++
+     // True while creating the plugin, or calling NPP_SetWindow() on it.
+     PRPackedBool  mInPluginInitCall;
+     PRLibrary* fLibrary;
+     nsInstanceStream *mStreams;
+ 
+     nsVoidArray mPopupStates;
++
++    nsXPIDLCString mFakeURL;
+ };
+ 
+ #endif // nsNPAPIPluginInstance_h_
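Review bot: Moving mIsJavaPlugin into the public section and adding mFakeURL as a public member exposes instance state only so that _getproperty in nsNPAPIPlugin.cpp can reach it. Small accessors (a const getter for mIsJavaPlugin and a method that returns or lazily creates the fake URL) would keep both fields protected and keep the fake-URL generation in one place. mFakeURL also needs a comment saying what it holds and that it is created once per instance.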
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-613376-r-josh-a1.9.1.16-dveditz.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-613376-r-josh-a1.9.1.16-dveditz.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-613376-r-josh-a1.9.1.16-dveditz.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-613376-r-josh-a1.9.1.16-dveditz.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,62 @@
+From: Steven Michaud <smichaud@pobox.com>
+Date: Thu, 2 Dec 2010 11:29:08 -0600
+Subject: Bug 613376 - r=josh a1.9.1.16=dveditz
+
+---
+ dom/src/base/nsGlobalWindow.cpp  |   14 ++++++++++++++
+ layout/generic/nsObjectFrame.cpp |   17 ++++++++++++++++-
+ 2 files changed, 30 insertions(+), 1 deletions(-)
+
+diff --git a/mozilla/dom/src/base/nsGlobalWindow.cpp b/mozilla/dom/src/base/nsGlobalWindow.cpp
+index f053126..de29213 100644
+--- a/mozilla/dom/src/base/nsGlobalWindow.cpp
++++ b/mozilla/dom/src/base/nsGlobalWindow.cpp
+@@ -461,6 +461,20 @@ nsDummyJavaPluginOwner::Destroy()
+ NS_IMETHODIMP
+ nsDummyJavaPluginOwner::SetInstance(nsIPluginInstance *aInstance)
+ {
++  // If we're going to null out mInstance after use, be sure to call
++  // InvalidateOwner() here, since it now won't be called from
++  // nsDummyJavaPluginOwner::Destroy().
++  if (mInstance && !aInstance) {
++    nsCOMPtr<nsIPluginInstancePeer> peer;
++    mInstance->GetPeer(getter_AddRefs(peer));
++
++    nsCOMPtr<nsIPluginInstancePeer2_1_9_1_BRANCH> peer2(do_QueryInterface(peer));
++
++    // This plugin owner is going away, tell the peer.
++    if (peer2)
++      peer2->InvalidateOwner();
++  }
++
+   mInstance = aInstance;
+ 
+   return NS_OK;
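Review bot: The new comment in nsDummyJavaPluginOwner::SetInstance says InvalidateOwner() "now won't be called from nsDummyJavaPluginOwner::Destroy()", but this patch removes no such call: the diffstat shows 30 insertions and a single deletion, which is the assertion line in nsObjectFrame.cpp. Please reference the change that removed the call from Destroy(), or reword the comment; if Destroy() still calls InvalidateOwner(), the peer is now notified twice.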
+diff --git a/mozilla/layout/generic/nsObjectFrame.cpp b/mozilla/layout/generic/nsObjectFrame.cpp
+index 643f3cb..628e82d 100644
+--- a/mozilla/layout/generic/nsObjectFrame.cpp
++++ b/mozilla/layout/generic/nsObjectFrame.cpp
+@@ -2333,7 +2333,22 @@ NS_INTERFACE_MAP_END
+ NS_IMETHODIMP
+ nsPluginInstanceOwner::SetInstance(nsIPluginInstance *aInstance)
+ {
+-  NS_ASSERTION(!mInstance || !aInstance, "mInstance should only be set once!");
++  NS_ASSERTION(!mInstance || !aInstance, "mInstance should only be set or unset!");
++
++  // If we're going to null out mInstance after use, be sure to call
++  // InvalidateOwner() here, since it now won't be called from our
++  // destructor.
++  if (mInstance && !aInstance) {
++    nsCOMPtr<nsIPluginInstancePeer> peer;
++    mInstance->GetPeer(getter_AddRefs(peer));
++
++    nsCOMPtr<nsIPluginInstancePeer2_1_9_1_BRANCH> peer2(do_QueryInterface(peer));
++
++    if (peer2) {
++      // Tell the peer that its owner is going away.
++      peer2->InvalidateOwner();
++    }
++  }
+ 
+   mInstance = aInstance;
+ 
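Review bot: The block added to nsPluginInstanceOwner::SetInstance duplicates the one added to nsDummyJavaPluginOwner::SetInstance in nsGlobalWindow.cpp (GetPeer, do_QueryInterface to nsIPluginInstancePeer2_1_9_1_BRANCH, InvalidateOwner), differing only in brace style and comment wording. A shared static helper taking the nsIPluginInstance would remove the copy. The return value of mInstance->GetPeer() is ignored in both places; that is safe only because do_QueryInterface tolerates a null peer, which is worth a short comment.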
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-614116-Enforce-HTTP-mode-when-setting-a-storage-.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-614116-Enforce-HTTP-mode-when-setting-a-storage-.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-614116-Enforce-HTTP-mode-when-setting-a-storage-.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-614116-Enforce-HTTP-mode-when-setting-a-storage-.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,260 @@
+From: Ehsan Akhgari <ehsan@mozilla.com>
+Date: Mon, 29 Nov 2010 13:50:09 -0500
+Subject: Bug 614116 - Enforce HTTP mode when setting a storage value for in-memory databases; r=mayhemer a=dveditz
+
+---
+ dom/src/storage/nsDOMStorageMemoryDB.cpp           |    2 +
+ dom/tests/mochitest/Makefile.in                    |    1 +
+ dom/tests/mochitest/globalstorage/Makefile.in      |   54 ++++++++++++
+ .../globalstorage/iframe_bug614116-1.html          |   30 +++++++
+ .../globalstorage/iframe_bug614116-2.html          |   24 ++++++
+ .../mochitest/globalstorage/test_bug614116.html    |   86 ++++++++++++++++++++
+ 6 files changed, 197 insertions(+), 0 deletions(-)
+ create mode 100644 dom/tests/mochitest/globalstorage/Makefile.in
+ create mode 100644 dom/tests/mochitest/globalstorage/iframe_bug614116-1.html
+ create mode 100644 dom/tests/mochitest/globalstorage/iframe_bug614116-2.html
+ create mode 100644 dom/tests/mochitest/globalstorage/test_bug614116.html
+
+diff --git a/mozilla/dom/src/storage/nsDOMStorageMemoryDB.cpp b/mozilla/dom/src/storage/nsDOMStorageMemoryDB.cpp
+index 1c45e80..034e521 100644
+--- a/mozilla/dom/src/storage/nsDOMStorageMemoryDB.cpp
++++ b/mozilla/dom/src/storage/nsDOMStorageMemoryDB.cpp
+@@ -220,6 +220,8 @@ nsDOMStorageMemoryDB::SetKey(nsDOMStorage* aStorage,
+   }
+   else
+   {
++    if (!aSecure && item->mSecure)
++      return NS_ERROR_DOM_SECURITY_ERR;
+     usage -= aKey.Length() + item->mValue.Length();
+     if (usage > aQuota) {
+       return NS_ERROR_DOM_QUOTA_REACHED;
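Review bot: The new `if (!aSecure && item->mSecure)` check in SetKey has no comment explaining the rule it enforces, which is that a non-secure caller must not overwrite an item that was stored by a secure one. Please add a one-line comment to that effect and brace the statement to match the `if (usage > aQuota) {` just below it. Since the subject limits the fix to in-memory databases, the commit message should also say where the equivalent check lives for the other storage backend.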
+diff --git a/mozilla/dom/tests/mochitest/Makefile.in b/mozilla/dom/tests/mochitest/Makefile.in
+index 9e3d220..51c39b4 100644
+--- a/mozilla/dom/tests/mochitest/Makefile.in
++++ b/mozilla/dom/tests/mochitest/Makefile.in
+@@ -53,6 +53,7 @@ DIRS	+= \
+ 	general \
+ 	whatwg \
+ 	geolocation \
++	globalstorage \
+ 	localstorage \
+ 	sessionstorage \
+ 	$(NULL)
+diff --git a/mozilla/dom/tests/mochitest/globalstorage/Makefile.in b/mozilla/dom/tests/mochitest/globalstorage/Makefile.in
+new file mode 100644
+index 0000000..199e7a6
+--- /dev/null
++++ b/mozilla/dom/tests/mochitest/globalstorage/Makefile.in
+@@ -0,0 +1,54 @@
++#
++# ***** BEGIN LICENSE BLOCK *****
++# Version: MPL 1.1/GPL 2.0/LGPL 2.1
++#
++# The contents of this file are subject to the Mozilla Public License Version
++# 1.1 (the "License"); you may not use this file except in compliance with
++# the License. You may obtain a copy of the License at
++# http://www.mozilla.org/MPL/
++#
++# Software distributed under the License is distributed on an "AS IS" basis,
++# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
++# for the specific language governing rights and limitations under the
++# License.
++#
++# The Original Code is mozilla.org code.
++#
++# The Initial Developer of the Original Code is
++# Mozilla Foundation.
++# Portions created by the Initial Developer are Copyright (C) 2010
++# the Initial Developer. All Rights Reserved.
++#
++# Contributor(s):
++#
++# Alternatively, the contents of this file may be used under the terms of
++# either of the GNU General Public License Version 2 or later (the "GPL"),
++# or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
++# in which case the provisions of the GPL or the LGPL are applicable instead
++# of those above. If you wish to allow use of your version of this file only
++# under the terms of either the GPL or the LGPL, and not to allow others to
++# use your version of this file under the terms of the MPL, indicate your
++# decision by deleting the provisions above and replace them with the notice
++# and other provisions required by the GPL or the LGPL. If you do not delete
++# the provisions above, a recipient may use your version of this file under
++# the terms of any one of the MPL, the GPL or the LGPL.
++#
++# ***** END LICENSE BLOCK *****
++
++DEPTH		= ../../../..
++topsrcdir	= @top_srcdir@
++srcdir		= @srcdir@
++VPATH		= @srcdir@
++relativesrcdir	= dom/tests/mochitest/globalstorage
++
++include $(DEPTH)/config/autoconf.mk
++include $(topsrcdir)/config/rules.mk
++
++_TEST_FILES	= \
++		test_bug614116.html \
++		iframe_bug614116-1.html \
++		iframe_bug614116-2.html \
++		$(NULL)
++
++libs:: 	$(_TEST_FILES)
++	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/tests/$(relativesrcdir)
+diff --git a/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-1.html b/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-1.html
+new file mode 100644
+index 0000000..12742fb
+--- /dev/null
++++ b/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-1.html
+@@ -0,0 +1,30 @@
++<!DOCTYPE html>
++<html>
++  <body onload="loaded()">
++    <script>
++      function loaded() {
++        parent.postMessage("loaded", "http://mochi.test:8888";);
++      }
++
++      function onMessageReceived(e) {
++        switch (e.data) {
++        case "getdata":
++          parent.postMessage("data:" + globalStorage["example.com"].data, "http://mochi.test:8888";);
++          break;
++        case "setdata":
++          var didSucceed = true;
++          try {
++            globalStorage["example.com"].data = "value2";
++          } catch(e) {
++            didSucceed = false;
++          }
++          parent.postMessage("success:" + didSucceed, "http://mochi.test:8888";);
++          parent.postMessage("dataset2:" + globalStorage["example.com"].data, "http://mochi.test:8888";);
++          break;
++        }
++      }
++
++      addEventListener("message", onMessageReceived, false);
++    </script>
++  </body>
++</html>
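Review bot: Every postMessage call in iframe_bug614116-1.html has a `;` between the closing quote of the target origin and the closing parenthesis, as in `parent.postMessage("loaded", "http://mochi.test:8888";);`, which is a JavaScript syntax error and would stop the whole script from running. This looks like damage from the way the patch was transported or archived and not something in the upstream commit; please verify against the attached debdiff before applying, because a test page that fails to parse never sends "loaded" and the mochitest would hang instead of reporting a result.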
+diff --git a/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-2.html b/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-2.html
+new file mode 100644
+index 0000000..66777b1
+--- /dev/null
++++ b/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-2.html
+@@ -0,0 +1,24 @@
++<!DOCTYPE html>
++<html>
++  <body onload="loaded()">
++    <script>
++      function loaded() {
++        parent.postMessage("loaded", "http://mochi.test:8888";);
++      }
++
++      function onMessageReceived(e) {
++        switch (e.data) {
++        case "getdata":
++          parent.postMessage("data2:" + globalStorage["example.com"].data, "http://mochi.test:8888";);
++          break;
++        case "setdata":
++          globalStorage["example.com"].data = "value";
++          parent.postMessage("dataset:" + globalStorage["example.com"].data, "http://mochi.test:8888";);
++          break;
++        }
++      }
++
++      addEventListener("message", onMessageReceived, false);
++    </script>
++  </body>
++</html>
+diff --git a/mozilla/dom/tests/mochitest/globalstorage/test_bug614116.html b/mozilla/dom/tests/mochitest/globalstorage/test_bug614116.html
+new file mode 100644
+index 0000000..1ebc91d
+--- /dev/null
++++ b/mozilla/dom/tests/mochitest/globalstorage/test_bug614116.html
+@@ -0,0 +1,86 @@
++<!DOCTYPE HTML>
++<html>
++<!--
++https://bugzilla.mozilla.org/show_bug.cgi?id=614116
++-->
++<head>
++  <title>Test for Bug 614116</title>
++  <script type="application/javascript" src="/MochiKit/packed.js"></script>
++  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
++  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
++  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
++</head>
++<body>
++<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=614116";>Mozilla Bug 614116</a>
++<p id="display"></p>
++<div id="content">
++<iframe id="http"></iframe>
++<iframe id="https"></iframe>
++</div>
++<pre id="test">
++<script type="application/javascript">
++
++/** Test for Bug 614116 **/
++SimpleTest.waitForExplicitFinish();
++addLoadEvent(function() {
++  netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
++
++  const httpDomain = "http://example.com";;
++  const httpsDomain = "https://example.com";;
++  const path = "/tests/dom/tests/mochitest/globalstorage/";
++
++  var pm = Components.classes["@mozilla.org/permissionmanager;1"]
++                     .getService(Components.interfaces.nsIPermissionManager);
++  var ios = Components.classes["@mozilla.org/network/io-service;1"]
++                      .getService(Components.interfaces.nsIIOService);
++  pm.add(ios.newURI(httpDomain, null, null), "cookie", Components.interfaces.nsICookiePermission.ACCESS_SESSION);
++  pm.add(ios.newURI(httpsDomain, null, null), "cookie", Components.interfaces.nsICookiePermission.ACCESS_SESSION);
++
++  var http = document.getElementById("http");
++  var https = document.getElementById("https");
++
++  function finishTest() {
++    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
++    pm.remove("example.com", "cookie");
++    SimpleTest.finish();
++  }
++
++  var loaded = 0;
++  function onMessageReceived(e) {
++    switch (e.data) {
++    case "loaded":
++      ++loaded;
++      ok(loaded <= 2, "Two iframes should be loaded at most");
++      if (loaded == 2) {
++        https.contentWindow.postMessage("setdata", httpsDomain);
++      }
++      break;
++    default:
++      if (e.data.indexOf("dataset:") == 0) {
++        is(e.data.substr(8), "value", "Correct value should be set");
++        http.contentWindow.postMessage("getdata", httpDomain);
++      } else if (e.data.indexOf("data:") == 0) {
++        is(e.data.substr(5), "undefined", "Data should not be available in HTTP mode");
++        http.contentWindow.postMessage("setdata", httpDomain);
++      } else if (e.data.indexOf("dataset2:") == 0) {
++        is(e.data.substr(9), "undefined", "Correct value should be set");
++        https.contentWindow.postMessage("getdata", httpsDomain);
++      } else if (e.data.indexOf("data2:") == 0) {
++        is(e.data.substr(6), "value", "Data should not be modified in HTTP mode");
++        finishTest();
++      } else if (e.data.indexOf("success:") == 0) {
++        is(e.data.substr(8), "false", "Setting the value in HTTP mode should fail");
++      }
++    }
++  }
++
++  window.addEventListener("message", onMessageReceived, false);
++
++  http.src = httpDomain + path + "iframe_bug614116-1.html";
++  https.src = httpsDomain + path + "iframe_bug614116-2.html";
++});
++
++</script>
++</pre>
++</body>
++</html>
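Review bot: In test_bug614116.html the `dataset2:` branch asserts that the value is "undefined" but reports it with the message "Correct value should be set", which is copied from the `dataset:` branch and reads as the opposite of what is being checked. Reword it to something like "Data should not be set in HTTP mode" so that a failure in the log points at the right expectation. The `success:` branch is the only one that does not post a follow-up message, which is fine because the iframe sends `dataset2:` itself, but a short comment saying so would make the message sequence easier to follow.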
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-614499-release-old-mListRoot-members-r-bz-a-cleg.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-614499-release-old-mListRoot-members-r-bz-a-cleg.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-614499-release-old-mListRoot-members-r-bz-a-cleg.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-614499-release-old-mListRoot-members-r-bz-a-cleg.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,290 @@
+From: Igor Bukanov <igor@mir2.org>
+Date: Thu, 6 Jan 2011 15:06:04 +0100
+Subject: Bug 614499, release old mListRoot members, r=bz a=clegnitto
+
+---
+ docshell/shistory/src/nsSHTransaction.cpp |    8 ++++--
+ docshell/shistory/src/nsSHistory.cpp      |    7 +++++-
+ js/src/jsapi.cpp                          |    1 -
+ js/src/jscntxt.cpp                        |    1 +
+ js/src/jscntxt.h                          |   35 +++++++++++++++-------------
+ js/src/jsgc.cpp                           |   34 +++++++++++++++------------
+ js/src/jslock.cpp                         |   18 +++++---------
+ 7 files changed, 57 insertions(+), 47 deletions(-)
+
+diff --git a/mozilla/docshell/shistory/src/nsSHTransaction.cpp b/mozilla/docshell/shistory/src/nsSHTransaction.cpp
+index 7df1552..2050349 100644
+--- a/mozilla/docshell/shistory/src/nsSHTransaction.cpp
++++ b/mozilla/docshell/shistory/src/nsSHTransaction.cpp
+@@ -111,10 +111,12 @@ nsSHTransaction::GetNext(nsISHTransaction * * aResult)
+ NS_IMETHODIMP
+ nsSHTransaction::SetNext(nsISHTransaction * aNext)
+ {
+-   NS_ENSURE_SUCCESS(aNext->SetPrev(this), NS_ERROR_FAILURE);
++  if (aNext) {
++    NS_ENSURE_SUCCESS(aNext->SetPrev(this), NS_ERROR_FAILURE);
++  }
+ 
+-   mNext = aNext;
+-   return NS_OK;
++  mNext = aNext;
++  return NS_OK;
+ }
+ 
+ NS_IMETHODIMP
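Review bot: The new `if (aNext)` guard in nsSHTransaction::SetNext makes a null argument a supported call, but nothing in the function says so. Add a one-line comment that passing null detaches the successor, since the PurgeHistory change in this same patch depends on it. The guard is also mixed with a re-indent of `mNext = aNext;` and `return NS_OK;`, which makes the backport harder to compare line by line against the original; keeping the whitespace change out of a security backport would help.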
+diff --git a/mozilla/docshell/shistory/src/nsSHistory.cpp b/mozilla/docshell/shistory/src/nsSHistory.cpp
+index afee7cc..3fd1beb 100644
+--- a/mozilla/docshell/shistory/src/nsSHistory.cpp
++++ b/mozilla/docshell/shistory/src/nsSHistory.cpp
+@@ -569,9 +569,14 @@ nsSHistory::PurgeHistory(PRInt32 aEntries)
+   PRInt32 cnt = 0;
+   while (cnt < aEntries) {
+     nsCOMPtr<nsISHTransaction> nextTxn;
+-    if (mListRoot)
++    if (mListRoot) {
+       mListRoot->GetNext(getter_AddRefs(nextTxn));
++      mListRoot->SetNext(nsnull);
++    }
+     mListRoot = nextTxn;
++    if (mListRoot) {
++      mListRoot->SetPrev(nsnull);
++    }
+     cnt++;        
+   }
+   mLength -= cnt;
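Review bot: In the PurgeHistory loop the results of `mListRoot->SetNext(nsnull)` and `mListRoot->SetPrev(nsnull)` are discarded. If either call can fail, the list is left partly unlinked while `cnt++` and `mLength -= cnt` carry on as if the entry had been released. Either check the results or add a comment stating why they cannot fail with a null argument.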
+diff --git a/mozilla/js/src/jsapi.cpp b/mozilla/js/src/jsapi.cpp
+index f0cc5a7..25e4b08 100644
+--- a/mozilla/js/src/jsapi.cpp
++++ b/mozilla/js/src/jsapi.cpp
+@@ -805,7 +805,6 @@ JS_NewRuntime(uint32 maxbytes)
+     rt->titleSharingDone = JS_NEW_CONDVAR(rt->gcLock);
+     if (!rt->titleSharingDone)
+         goto bad;
+-    rt->titleSharingTodo = NO_TITLE_SHARING_TODO;
+     rt->debuggerLock = JS_NEW_LOCK();
+     if (!rt->debuggerLock)
+         goto bad;
+diff --git a/mozilla/js/src/jscntxt.cpp b/mozilla/js/src/jscntxt.cpp
+index f2d69fb..62f2502 100644
+--- a/mozilla/js/src/jscntxt.cpp
++++ b/mozilla/js/src/jscntxt.cpp
+@@ -141,6 +141,7 @@ NewThread(jsword id)
+     JS_INIT_CLIST(&thread->contextList);
+     thread->id = id;
+     InitThreadData(&thread->data);
++    thread->titleSharingTodo = NO_TITLE_SHARING_TODO;
+     return thread;
+ }
+ 
+diff --git a/mozilla/js/src/jscntxt.h b/mozilla/js/src/jscntxt.h
+index 8fdecb0..4ca1bfa 100644
+--- a/mozilla/js/src/jscntxt.h
++++ b/mozilla/js/src/jscntxt.h
+@@ -273,6 +273,19 @@ struct JSThread {
+     /* Indicates that the thread is waiting in ClaimTitle from jslock.cpp. */
+     JSTitle             *titleToShare;
+ 
++    /* Linked list of titles that this thread must share. */
++    JSTitle             *titleSharingTodo;
++
++/*
++ * Magic terminator for the rt->titleSharingTodo linked list, threaded through
++ * title->u.link.  This hack allows us to test whether a title is on the list
++ * by asking whether title->u.link is non-null.  We use a large, likely bogus
++ * pointer here to distinguish this value from any valid u.count (small int)
++ * value.
++ */
++#define NO_TITLE_SHARING_TODO   ((JSTitle *) 0xfeedbeef)
++#define HAS_TITLES_TO_SHARE(cx) ((cx)->thread->titleSharingTodo != NO_TITLE_SHARING_TODO)
++    
+     /* Factored out of JSThread for !JS_THREADSAFE embedding in JSRuntime. */
+     JSThreadData        data;
+ };
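Review bot: The comment moved into struct JSThread still says "Magic terminator for the rt->titleSharingTodo linked list", but this patch makes the list per-thread and removes the runtime field. Update it to refer to `thread->titleSharingTodo`, and say in the field comment which lock protects the list now that it is no longer described next to `titleSharingDone`. Defining `NO_TITLE_SHARING_TODO` and `HAS_TITLES_TO_SHARE` in the middle of the struct body also works but is easy to miss; placing them after the closing brace would read better.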
+@@ -298,7 +311,12 @@ js_InitContextThread(JSContext *cx);
+ extern void
+ js_ClearContextThread(JSContext *cx);
+ 
+-#endif /* JS_THREADSAFE */
++
++#else /* !JS_THREADSAFE */
++
++#define HAS_TITLES_TO_SHARE(cx) JS_FALSE
++
++#endif /* !JS_THREADSAFE */
+ 
+ typedef enum JSDestroyContextMode {
+     JSDCM_NO_GC,
+@@ -482,23 +500,8 @@ struct JSRuntime {
+      * State for sharing single-threaded titles, once a second thread tries to
+      * lock a title.  The titleSharingDone condvar is protected by rt->gcLock
+      * to minimize number of locks taken in JS_EndRequest.
+-     *
+-     * The titleSharingTodo linked list is likewise "global" per runtime, not
+-     * one-list-per-context, to conserve space over all contexts, optimizing
+-     * for the likely case that titles become shared rarely, and among a very
+-     * small set of threads (contexts).
+      */
+     PRCondVar           *titleSharingDone;
+-    JSTitle             *titleSharingTodo;
+-
+-/*
+- * Magic terminator for the rt->titleSharingTodo linked list, threaded through
+- * title->u.link.  This hack allows us to test whether a title is on the list
+- * by asking whether title->u.link is non-null.  We use a large, likely bogus
+- * pointer here to distinguish this value from any valid u.count (small int)
+- * value.
+- */
+-#define NO_TITLE_SHARING_TODO   ((JSTitle *) 0xfeedbeef)
+ 
+     /*
+      * Lock serializing trapList and watchPointList accesses, and count of all
+diff --git a/mozilla/js/src/jsgc.cpp b/mozilla/js/src/jsgc.cpp
+index c4faae1..44b6098 100644
+--- a/mozilla/js/src/jsgc.cpp
++++ b/mozilla/js/src/jsgc.cpp
+@@ -941,12 +941,13 @@ RemoveChunkFromList(JSRuntime *rt, JSGCChunkInfo *ci)
+ #endif
+ 
+ static JSGCArenaInfo *
+-NewGCArena(JSRuntime *rt)
++NewGCArena(JSContext *cx)
+ {
+     jsuword chunk;
+     JSGCArenaInfo *a;
+ 
+-    if (rt->gcBytes >= rt->gcMaxBytes)
++    JSRuntime *rt = cx->runtime;
++    if (rt->gcBytes >= rt->gcMaxBytes && HAS_TITLES_TO_SHARE(cx))
+         return NULL;
+ 
+ #if CHUNKED_ARENA_ALLOCATION
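Review bot: The condition in NewGCArena, `rt->gcBytes >= rt->gcMaxBytes && HAS_TITLES_TO_SHARE(cx)`, is the only place in this patch where the macro is combined un-negated with the limit check; IsGCThresholdReached and js_AddAsGCBytes both use `!HAS_TITLES_TO_SHARE(cx)`. As written, the gcMaxBytes cap in this function only returns NULL when the thread has titles to share and is skipped otherwise. Please confirm against the upstream change that this polarity is intended and add a comment explaining it, because it reads like an inverted test.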
+@@ -1795,10 +1796,11 @@ EnsureLocalFreeList(JSContext *cx)
+ #endif
+ 
+ static JS_INLINE bool
+-IsGCThresholdReached(JSRuntime *rt)
++IsGCThresholdReached(JSContext *cx)
+ {
++    JSRuntime *rt = cx->runtime;
+ #ifdef JS_GC_ZEAL
+-    if (rt->gcZeal >= 1)
++    if (rt->gcZeal >= 1 && !HAS_TITLES_TO_SHARE(cx))
+         return true;
+ #endif
+ 
+@@ -1807,8 +1809,9 @@ IsGCThresholdReached(JSRuntime *rt)
+      * zero (see the js_InitGC function) the return value is false when
+      * the gcBytes value is close to zero at the JS engine start.
+      */
+-    return rt->gcMallocBytes >= rt->gcMaxMallocBytes ||
+-           rt->gcBytes / rt->gcTriggerFactor >= rt->gcLastBytes / 100;
++    return (rt->gcMallocBytes >= rt->gcMaxMallocBytes ||
++            rt->gcBytes / rt->gcTriggerFactor >= rt->gcLastBytes / 100) &&
++           !HAS_TITLES_TO_SHARE(cx);
+ }
+ 
+ void *
+@@ -1883,7 +1886,7 @@ js_NewGCThing(JSContext *cx, uintN flags, size_t nbytes)
+ #endif
+ 
+     arenaList = &rt->gcArenaList[flindex];
+-    doGC = IsGCThresholdReached(rt);
++    doGC = IsGCThresholdReached(cx);
+     for (;;) {
+         if (doGC
+ #ifdef JS_TRACER
+@@ -1969,9 +1972,9 @@ testReservedObjects:
+             }
+ #endif
+ 
+-            a = NewGCArena(rt);
++            a = NewGCArena(cx);
+             if (!a) {
+-                if (doGC || JS_ON_TRACE(cx))
++                if (doGC || JS_ON_TRACE(cx) || HAS_TITLES_TO_SHARE(cx))
+                     goto fail;
+                 doGC = true;
+                 continue;
+@@ -2105,7 +2108,7 @@ RefillDoubleFreeList(JSContext *cx)
+         return NULL;
+     }
+ 
+-    if (IsGCThresholdReached(rt))
++    if (IsGCThresholdReached(cx))
+         goto do_gc;
+ 
+     /*
+@@ -2119,10 +2122,10 @@ RefillDoubleFreeList(JSContext *cx)
+             ARENA_INFO_OFFSET) {
+             if (doubleFlags == DOUBLE_BITMAP_SENTINEL ||
+                 !((JSGCArenaInfo *) doubleFlags)->prev) {
+-                a = NewGCArena(rt);
++                a = NewGCArena(cx);
+                 if (!a) {
+                   do_gc:
+-                    if (didGC || JS_ON_TRACE(cx)) {
++                    if (didGC || JS_ON_TRACE(cx) || HAS_TITLES_TO_SHARE(cx)) {
+                         METER(rt->gcStats.doubleArenaStats.fail++);
+                         JS_UNLOCK_GC(rt);
+                         js_ReportOutOfMemory(cx);
+@@ -2298,9 +2301,10 @@ js_AddAsGCBytes(JSContext *cx, size_t sz)
+     JSRuntime *rt;
+ 
+     rt = cx->runtime;
+-    if (rt->gcBytes >= rt->gcMaxBytes ||
+-        sz > (size_t) (rt->gcMaxBytes - rt->gcBytes) ||
+-        IsGCThresholdReached(rt)) {
++    if ((rt->gcBytes >= rt->gcMaxBytes ||
++         sz > (size_t) (rt->gcMaxBytes - rt->gcBytes) ||
++         IsGCThresholdReached(cx)) &&
++        !HAS_TITLES_TO_SHARE(cx)) {
+         if (JS_ON_TRACE(cx)) {
+             /*
+              * If we can't leave the trace, signal OOM condition, otherwise
+diff --git a/mozilla/js/src/jslock.cpp b/mozilla/js/src/jslock.cpp
+index 273e8d2..2305183 100644
+--- a/mozilla/js/src/jslock.cpp
++++ b/mozilla/js/src/jslock.cpp
+@@ -428,18 +428,14 @@ FinishSharingTitle(JSContext *cx, JSTitle *title);
+ static void
+ ShareTitle(JSContext *cx, JSTitle *title)
+ {
+-    JSRuntime *rt;
+-    JSTitle **todop;
+-
+-    rt = cx->runtime;
+     if (title->u.link) {
+-        for (todop = &rt->titleSharingTodo; *todop != title;
+-             todop = &(*todop)->u.link) {
++        JSThread *ownerThread = title->ownercx->thread;
++        JSTitle **todop = &ownerThread->titleSharingTodo;
++        for (; *todop != title; todop = &(*todop)->u.link)
+             JS_ASSERT(*todop != NO_TITLE_SHARING_TODO);
+-        }
+         *todop = title->u.link;
+         title->u.link = NULL;       /* null u.link for sanity ASAP */
+-        JS_NOTIFY_ALL_CONDVAR(rt->titleSharingDone);
++        JS_NOTIFY_ALL_CONDVAR(cx->runtime->titleSharingDone);
+     }
+     FinishSharingTitle(cx, title);
+ }
+@@ -619,8 +615,8 @@ ClaimTitle(JSTitle *title, JSContext *cx)
+          */
+         if (!title->u.link) {
+             js_HoldScope(TITLE_TO_SCOPE(title));
+-            title->u.link = rt->titleSharingTodo;
+-            rt->titleSharingTodo = title;
++            title->u.link = ownercx->thread->titleSharingTodo;
++            ownercx->thread->titleSharingTodo = title;
+         }
+ 
+         /*
+@@ -683,7 +679,7 @@ js_ShareWaitingTitles(JSContext *cx)
+     bool shared;
+ 
+     /* See whether cx has any single-threaded titles to start sharing. */
+-    todop = &cx->runtime->titleSharingTodo;
++    todop = &cx->thread->titleSharingTodo;
+     shared = false;
+     while ((title = *todop) != NO_TITLE_SHARING_TODO) {
+         if (title->ownercx != cx) {
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-616009-r-gal-a1.9.1.17-clegnitto.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-616009-r-gal-a1.9.1.17-clegnitto.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-616009-r-gal-a1.9.1.17-clegnitto.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-616009-r-gal-a1.9.1.17-clegnitto.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,23 @@
+From: Igor Bukanov <igor@mir2.org>
+Date: Thu, 6 Jan 2011 14:46:43 +0100
+Subject: bug 616009 r=gal a1.9.1.17=clegnitto
+
+---
+ js/src/json.cpp |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/mozilla/js/src/json.cpp b/mozilla/js/src/json.cpp
+index ab91f06..35c0a9e 100644
+--- a/mozilla/js/src/json.cpp
++++ b/mozilla/js/src/json.cpp
+@@ -267,8 +267,8 @@ JO(JSContext *cx, jsval *vp, StringifyContext *scx)
+     if (!scx->callback(&c, 1, scx->data))
+         return JS_FALSE;
+ 
+-    jsval vec[3] = {JSVAL_NULL, JSVAL_NULL, JSVAL_NULL};
+-    JSAutoTempValueRooter tvr(cx, 3, vec);
++    jsval vec[] = {JSVAL_NULL, JSVAL_NULL, JSVAL_NULL, *vp};
++    JSAutoTempValueRooter tvr(cx, JS_ARRAY_LENGTH(vec), vec);
+     jsval& key = vec[0];
+     jsval& outputValue = vec[1];
+ 
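Review bot: The fourth element added to `vec` in JO() exists only to keep `*vp` rooted, but nothing in the hunk says so, and `key` and `outputValue` still bind to fixed indices. Add a comment on the `*vp` slot explaining why it is there. Note also that the array holds a copy of `*vp` taken at this point, so a later assignment to `*vp` is not covered by this root; say in the comment whether that matters for the rest of the function.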
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-616659-Initialize-eButtonPressed-to-1-r-dolske-g.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-616659-Initialize-eButtonPressed-to-1-r-dolske-g.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-616659-Initialize-eButtonPressed-to-1-r-dolske-g.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-616659-Initialize-eButtonPressed-to-1-r-dolske-g.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,21 @@
+From: Olli Pettay <Olli.Pettay@helsinki.fi>
+Date: Thu, 30 Dec 2010 12:11:21 +0200
+Subject: Bug 616659, Initialize eButtonPressed to 1, r=dolske+gavin, a=clegnitto
+
+---
+ .../windowwatcher/src/nsPromptService.cpp          |    2 ++
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp b/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp
+index 2653c81..0edcf1e 100644
+--- a/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp
++++ b/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp
+@@ -779,6 +779,8 @@ nsPromptService::DoDialog(nsIDOMWindow *aParent,
+     aParent = activeParent;
+   }
+ 
++  aParamBlock->SetInt(eButtonPressed, 1);
++
+   nsCOMPtr<nsISupports> arguments(do_QueryInterface(aParamBlock));
+   nsCOMPtr<nsIDOMWindow> dialog;
+   rv = mWatcher->OpenWindow(aParent, aChromeURL, "_blank",
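Review bot: The added `aParamBlock->SetInt(eButtonPressed, 1);` in DoDialog uses a bare literal and ignores the return value. Add a comment stating which button the value 1 stands for and that it is the default result when the dialog goes away without a user choice, which is the point of the fix. If SetInt can fail here, the default is silently not applied, so the result should be checked or the call documented as infallible.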
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-622015-r-brendan-a-clegnitto.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-622015-r-brendan-a-clegnitto.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-622015-r-brendan-a-clegnitto.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/bug-622015-r-brendan-a-clegnitto.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,30 @@
+From: Igor Bukanov <igor@mir2.org>
+Date: Wed, 19 Jan 2011 12:05:09 +0100
+Subject: bug 622015, r=brendan a=clegnitto
+
+---
+ js/src/jsinterp.cpp |    4 +++-
+ 1 files changed, 3 insertions(+), 1 deletions(-)
+
+diff --git a/mozilla/js/src/jsinterp.cpp b/mozilla/js/src/jsinterp.cpp
+index 2519e42..6337d50 100644
+--- a/mozilla/js/src/jsinterp.cpp
++++ b/mozilla/js/src/jsinterp.cpp
+@@ -7200,7 +7200,6 @@ js_Interpret(JSContext *cx)
+         // Handle other exceptions as if they came from the imacro-calling pc.
+         regs.pc = fp->imacpc;
+         fp->imacpc = NULL;
+-        atoms = script->atomMap.vector;
+     }
+ 
+     JS_ASSERT((size_t)((fp->imacpc ? fp->imacpc : regs.pc) - script->code) < script->length);
+@@ -7223,6 +7222,9 @@ js_Interpret(JSContext *cx)
+         JSTryNote *tn, *tnlimit;
+         uint32 offset;
+ 
++        /* Restore atoms local in case we will resume. */
++        atoms = script->atomMap.vector;
++
+         /* Call debugger throw hook if set. */
+         handler = cx->debugHooks->throwHook;
+         if (handler) {
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-626631-nsAutoJSValHolder-should-root-its-jsval-r.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-626631-nsAutoJSValHolder-should-root-its-jsval-r.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-626631-nsAutoJSValHolder-should-root-its-jsval-r.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Bug-626631-nsAutoJSValHolder-should-root-its-jsval-r.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,74 @@
+From: Luke Wagner <lw@mozilla.com>
+Date: Thu, 20 Jan 2011 16:11:19 -0800
+Subject: Bug 626631 - nsAutoJSValHolder should root its jsval (r=gal,a=clegnitto)
+
+---
+ js/src/xpconnect/public/nsAutoJSValHolder.h |   14 ++++----------
+ 1 files changed, 4 insertions(+), 10 deletions(-)
+
+diff --git a/mozilla/js/src/xpconnect/public/nsAutoJSValHolder.h b/mozilla/js/src/xpconnect/public/nsAutoJSValHolder.h
+index 6a57dc8..af0fd52 100644
+--- a/mozilla/js/src/xpconnect/public/nsAutoJSValHolder.h
++++ b/mozilla/js/src/xpconnect/public/nsAutoJSValHolder.h
+@@ -54,7 +54,6 @@ public:
+   nsAutoJSValHolder()
+     : mRt(NULL)
+     , mVal(JSVAL_NULL)
+-    , mGCThing(NULL)
+     , mHeld(JS_FALSE)
+   {
+     // nothing to do
+@@ -76,11 +75,11 @@ public:
+ 
+   /**
+    * Hold by rooting on the runtime.
+-   * Note that mGCThing may be JSVAL_NULL, which is not a problem.
++   * Note that mVal may be JSVAL_NULL, which is not a problem.
+    */
+   JSBool Hold(JSRuntime* aRt) {
+     if (!mHeld) {
+-      if (JS_AddNamedRootRT(aRt, &mGCThing, "nsAutoJSValHolder")) {
++      if (JS_AddNamedRootRT(aRt, &mVal, "nsAutoJSValHolder")) {
+         mRt = aRt;
+         mHeld = JS_TRUE;
+       } else {
+@@ -91,7 +90,7 @@ public:
+   }
+ 
+   /**
+-   * Manually release, nullifying mVal, mGCThing, and mRt, but returning
++   * Manually release, nullifying mVal and mRt, but returning
+    * the original jsval.
+    */
+   jsval Release() {
+@@ -100,12 +99,11 @@ public:
+     jsval oldval = mVal;
+ 
+     if (mHeld) {
+-      JS_RemoveRootRT(mRt, &mGCThing); // infallible
++      JS_RemoveRootRT(mRt, &mVal); // infallible
+       mHeld = JS_FALSE;
+     }
+ 
+     mVal = JSVAL_NULL;
+-    mGCThing = NULL;
+     mRt = NULL;
+ 
+     return oldval;
+@@ -152,16 +150,12 @@ public:
+     }
+ #endif
+     mVal = aOther;
+-    mGCThing = JSVAL_IS_GCTHING(aOther)
+-             ? JSVAL_TO_GCTHING(aOther)
+-             : NULL;
+     return *this;
+   }
+ 
+ private:
+   JSRuntime* mRt;
+   jsval mVal;
+-  void* mGCThing;
+   JSBool mHeld;
+ };
+ 
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers-2.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers-2.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers-2.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers-2.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,223 @@
+From: Simon Montagu <smontagu@smontagu.org>
+Date: Wed, 20 Oct 2010 09:11:16 -0700
+Subject: Don't split a surrogate pair over two output buffers. Bug 600974, r=emk, a1.9.1.17=dveditz
+
+---
+ intl/uconv/ucvcn/nsGBKToUnicode.cpp       |   11 +++-
+ intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp |   97 +++++++++++++++++++----------
+ intl/uconv/ucvlatin/nsUCS2BEToUnicode.h   |    2 +
+ 3 files changed, 73 insertions(+), 37 deletions(-)
+
+diff --git a/mozilla/intl/uconv/ucvcn/nsGBKToUnicode.cpp b/mozilla/intl/uconv/ucvcn/nsGBKToUnicode.cpp
+index 186f738..e466546 100644
+--- a/mozilla/intl/uconv/ucvcn/nsGBKToUnicode.cpp
++++ b/mozilla/intl/uconv/ucvcn/nsGBKToUnicode.cpp
+@@ -197,8 +197,7 @@ NS_IMETHODIMP nsGBKToUnicode::ConvertNoBuff(const char* aSrc,
+                *aDest = UCS2_NO_MAPPING;
+            } else {
+               // let's try supplement mapping
+-             NS_ASSERTION(( (iDestlen+1) <= (*aDestLength) ), "no enouth output memory");
+-             if ( (iDestlen+1) <= (*aDestLength) )
++             if ( (iDestlen+1) < (*aDestLength) )
+              {
+                if(DecodeToSurrogate(aSrc, aDest))
+                {
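Review bot: The bound in ConvertNoBuff changes from `(iDestlen+1) <= (*aDestLength)` to `(iDestlen+1) < (*aDestLength)` and the NS_ASSERTION is dropped, with no comment explaining the off-by-one. State next to the test that a supplementary character needs two free output units, so the next person does not "fix" the comparison back to `<=`.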
+@@ -209,7 +208,13 @@ NS_IMETHODIMP nsGBKToUnicode::ConvertNoBuff(const char* aSrc,
+                  *aDest = UCS2_NO_MAPPING;
+               }
+              } else {
+-               *aDest = UCS2_NO_MAPPING;
++               if (*aDestLength < 2) {
++                 NS_ERROR("insufficient space in output buffer");
++                 *aDest = UCS2_NO_MAPPING;
++               } else {
++                 rv = NS_OK_UDEC_MOREOUTPUT;
++                 break;
++               }
+              }
+            }
+         } else {
+diff --git a/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp b/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp
+index 02fcae5..7093e1d 100644
+--- a/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp
++++ b/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp
+@@ -42,14 +42,16 @@
+ #include <string.h>
+ #include "prtypes.h"
+ 
+-#define STATE_NORMAL          0
+-#define STATE_HALF_CODE_POINT 1
+-#define STATE_FIRST_CALL      2
+-#define STATE_FOUND_BOM       3
++#define STATE_NORMAL             0
++#define STATE_HALF_CODE_POINT    1
++#define STATE_FIRST_CALL         2
++#define STATE_FOUND_BOM          3
++#define STATE_ODD_SURROGATE_PAIR 4
+ 
+ static nsresult
+ UTF16ConvertToUnicode(PRUint8& aState, PRUint8& aOddByte,
+-                      PRUnichar& aOddHighSurrogate, const char * aSrc,
++                      PRUnichar& aOddHighSurrogate, PRUnichar& aOddLowSurrogate,
++                      const char * aSrc,
+                       PRInt32 * aSrcLength, PRUnichar * aDest,
+                       PRInt32 * aDestLength,
+                       PRBool aSwapBytes)
+@@ -59,32 +61,51 @@ UTF16ConvertToUnicode(PRUint8& aState, PRUint8& aOddByte,
+   PRUnichar* dest = aDest;
+   PRUnichar* destEnd = aDest + *aDestLength;
+ 
+-  if(STATE_FOUND_BOM == aState) // caller found a BOM
+-  {
+-    if (*aSrcLength < 2)
+-      return NS_ERROR_ILLEGAL_INPUT;
+-    src+=2;
+-    aState = STATE_NORMAL;
+-  } else if(STATE_FIRST_CALL == aState) { // first time called
+-    if (*aSrcLength < 2)
+-      return NS_ERROR_ILLEGAL_INPUT;
+-
+-    // Eliminate BOM (0xFEFF). Note that different endian case is taken care of
+-    // in |Convert| of LE and BE converters. Here, we only have to
+-    // deal with the same endian case. That is, 0xFFFE (byte-swapped BOM) is
+-    // illegal.
+-    if(0xFEFF == *((PRUnichar*)src)) {
++  switch(aState) {
++    case STATE_FOUND_BOM:
++      if (*aSrcLength < 2)
++        return NS_ERROR_ILLEGAL_INPUT;
+       src+=2;
+-    } else if(0xFFFE == *((PRUnichar*)src)) {
+-      *aSrcLength=0;
+-      *aDestLength=0;
+-      return NS_ERROR_ILLEGAL_INPUT;
+-    }  
+-    aState = STATE_NORMAL;
++      aState = STATE_NORMAL;
++      break;
++
++    case STATE_FIRST_CALL: // first time called
++      if (*aSrcLength < 2)
++        return NS_ERROR_ILLEGAL_INPUT;
++
++      // Eliminate BOM (0xFEFF). Note that different endian case is taken care
++      // of in |Convert| of LE and BE converters. Here, we only have to
++      // deal with the same endian case. That is, 0xFFFE (byte-swapped BOM) is
++      // illegal.
++      if(0xFEFF == *((PRUnichar*)src)) {
++        src+=2;
++      } else if(0xFFFE == *((PRUnichar*)src)) {
++        *aSrcLength=0;
++        *aDestLength=0;
++        return NS_ERROR_ILLEGAL_INPUT;
++      }  
++      aState = STATE_NORMAL;
++      break;
++
++    case STATE_ODD_SURROGATE_PAIR:
++      if (*aDestLength < 2)
++        *dest++ = UCS2_REPLACEMENT_CHAR;
++      else {
++        *dest++ = aOddHighSurrogate;
++        *dest++ = aOddLowSurrogate;
++        aOddHighSurrogate = aOddLowSurrogate = 0;
++        aState = STATE_NORMAL;
++      }
++      break;
++
++    case STATE_NORMAL:
++    case STATE_HALF_CODE_POINT:
++    default:
++      break;
+   }
+ 
+   if (src == srcEnd) {
+-    *aDestLength = 0;
++    *aDestLength = dest - aDest;
+     return NS_OK;
+   }
+ 
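Review bot: In the new `case STATE_ODD_SURROGATE_PAIR:` the branch `if (*aDestLength < 2) *dest++ = UCS2_REPLACEMENT_CHAR;` writes one unit without checking that `*aDestLength` is at least 1, so a zero-length output buffer is written past its end. That branch also leaves `aState`, `aOddHighSurrogate` and `aOddLowSurrogate` untouched, so the saved pair is still emitted on a later call after the replacement character has already been output for it. Guard the write with `dest < destEnd`, and either clear the saved pair and reset the state there or emit nothing and keep waiting for a larger buffer.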
+@@ -136,17 +157,19 @@ have_codepoint:
+       oddHighSurrogate = u;
+     }
+     else /* if (NS_IS_LOW_SURROGATE(u)) */ {
+-      if (oddHighSurrogate) {
+-        if (dest == destEnd - 1) {
+-          *dest++ = UCS2_REPLACEMENT_CHAR;
++      if (oddHighSurrogate && *aDestLength > 1) {
++        if (dest + 1 >= destEnd) {
++          aOddLowSurrogate = u;
++          aOddHighSurrogate = oddHighSurrogate;
++          aState = STATE_ODD_SURROGATE_PAIR;
+           goto error;
+         }
+         *dest++ = oddHighSurrogate;
+         *dest++ = u;
+-        oddHighSurrogate = 0;
+       } else {
+         *dest++ = UCS2_REPLACEMENT_CHAR;
+       }
++      oddHighSurrogate = 0;
+     }
+   }
+   if (src != srcEnd) {
+@@ -173,6 +196,7 @@ nsUTF16ToUnicodeBase::Reset()
+   mState = STATE_FIRST_CALL;
+   mOddByte = 0;
+   mOddHighSurrogate = 0;
++  mOddLowSurrogate = 0;
+   return NS_OK;
+ }
+ 
+@@ -181,9 +205,11 @@ nsUTF16ToUnicodeBase::GetMaxLength(const char * aSrc, PRInt32 aSrcLength,
+                                    PRInt32 * aDestLength)
+ {
+   // the left-over data of the previous run have to be taken into account.
+-  *aDestLength = (aSrcLength +
+-                    ((STATE_HALF_CODE_POINT == mState) ? 1 : 0)) / 2 +
+-                 ((mOddHighSurrogate != 0) ? 1 : 0);
++  *aDestLength = (aSrcLength + ((STATE_HALF_CODE_POINT == mState) ? 1 : 0)) / 2;
++  if (mOddHighSurrogate)
++    (*aDestLength)++;
++  if (mOddLowSurrogate)
++    (*aDestLength)++;
+   return NS_OK;
+ }
+ 
+@@ -212,6 +238,7 @@ nsUTF16BEToUnicode::Convert(const char * aSrc, PRInt32 * aSrcLength,
+ #endif
+ 
+   nsresult rv = UTF16ConvertToUnicode(mState, mOddByte, mOddHighSurrogate,
++                                      mOddLowSurrogate,
+                                       aSrc, aSrcLength, aDest, aDestLength,
+ #ifdef IS_LITTLE_ENDIAN
+                                       PR_TRUE
+@@ -246,6 +273,7 @@ nsUTF16LEToUnicode::Convert(const char * aSrc, PRInt32 * aSrcLength,
+ #endif
+     
+   nsresult rv = UTF16ConvertToUnicode(mState, mOddByte, mOddHighSurrogate,
++                                      mOddLowSurrogate,
+                                       aSrc, aSrcLength, aDest, aDestLength,
+ #ifdef IS_BIG_ENDIAN
+                                       PR_TRUE
+@@ -304,6 +332,7 @@ nsUTF16ToUnicode::Convert(const char * aSrc, PRInt32 * aSrcLength,
+     }
+     
+     nsresult rv = UTF16ConvertToUnicode(mState, mOddByte, mOddHighSurrogate,
++                                        mOddLowSurrogate,
+                                         aSrc, aSrcLength, aDest, aDestLength,
+ #ifdef IS_BIG_ENDIAN
+                                         (mEndian == kLittleEndian)
+diff --git a/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.h b/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.h
+index 4bd7034..b46ea9a 100644
+--- a/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.h
++++ b/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.h
+@@ -62,6 +62,8 @@ protected:
+   PRUint8 mOddByte;
+   // to store an odd high surrogate left over between runs
+   PRUnichar mOddHighSurrogate;
++  // to store an odd low surrogate left over between runs
++  PRUnichar mOddLowSurrogate;
+ };
+ 
+ // UTF-16 big endian
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,77 @@
+From: Simon Montagu <smontagu@smontagu.org>
+Date: Thu, 14 Oct 2010 00:44:34 -0700
+Subject: Don't split a surrogate pair over two output buffers. Bug 600974, r=emk, dbaron, a1.9.1.17=dveditz
+
+---
+ intl/uconv/src/nsUTF8ToUnicode.cpp |   39 ++++++++++++++++++++++++++++++++---
+ 1 files changed, 35 insertions(+), 4 deletions(-)
+
+diff --git a/mozilla/intl/uconv/src/nsUTF8ToUnicode.cpp b/mozilla/intl/uconv/src/nsUTF8ToUnicode.cpp
+index 6563dbd..9bcc699 100644
+--- a/mozilla/intl/uconv/src/nsUTF8ToUnicode.cpp
++++ b/mozilla/intl/uconv/src/nsUTF8ToUnicode.cpp
+@@ -64,6 +64,15 @@ NS_IMETHODIMP NS_NewUTF8ToUnicode(nsISupports* aOuter,
+   return res;
+ }
+ 
++static PRUnichar* EmitSurrogatePair(PRUint32 ucs4, PRUnichar* aDest)
++{
++  NS_ASSERTION(ucs4 > 0xFFFF, "Should be a supplementary character");
++  ucs4 -= 0x00010000;
++  *aDest++ = 0xD800 | (0x000003FF & (ucs4 >> 10));
++  *aDest++ = 0xDC00 | (0x000003FF & ucs4);
++  return aDest;
++}
++
+ //----------------------------------------------------------------------
+ // Class nsUTF8ToUnicode [implementation]
+ 
+@@ -136,12 +145,28 @@ NS_IMETHODIMP nsUTF8ToUnicode::Convert(const char * aSrc,
+ 
+   nsresult res = NS_OK; // conversion result
+ 
++  out = aDest;
++  if (mState == 0xFF) {
++    // Emit supplementary character left over from previous iteration. If the
++    // buffer size is insufficient, treat it as an illegal character.
++    if (aDestLen < 2) {
++      NS_ERROR("Output buffer insufficient to hold supplementary character");
++      mState = 0;
++      return NS_ERROR_ILLEGAL_INPUT;
++    }
++    out = EmitSurrogatePair(mUcs4, out);
++    mUcs4 = 0;
++    mState = 0;
++    mBytes = 1;
++    mFirst = PR_FALSE;
++  }
++
+   // Set mFirst to PR_FALSE now so we don't have to every time through the ASCII
+   // branch within the loop.
+   if (mFirst && aSrcLen && (0 == (0x80 & (*aSrc))))
+     mFirst = PR_FALSE;
+ 
+-  for (in = aSrc, out = aDest; ((in < inend) && (out < outend)); ++in) {
++  for (in = aSrc; ((in < inend) && (out < outend)); ++in) {
+     if (0 == mState) {
+       // When mState is zero we expect either a US-ASCII character or a
+       // multi-octet sequence.
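Review bot: in the aDestLen < 2 branch, mState is cleared but mUcs4 keeps the pending code point, unlike the success path just below, which sets mUcs4 = 0. Clearing it in both paths keeps the decoder state consistent after the error return. This return also happens before the loop runs, so it is worth confirming that the consumed and produced lengths reported to the caller are zero on this path. The sentinel 0xFF in mState would read better as a named constant, since the same value is set in the later hunk.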
+@@ -227,9 +252,15 @@ NS_IMETHODIMP nsUTF8ToUnicode::Convert(const char * aSrc,
+           }
+           if (mUcs4 > 0xFFFF) {
+             // mUcs4 is in the range 0x10000 - 0x10FFFF. Output a UTF-16 pair
+-            mUcs4 -= 0x00010000;
+-            *out++ = 0xD800 | (0x000003FF & (mUcs4 >> 10));
+-            *out++ = 0xDC00 | (0x000003FF & mUcs4);
++            if (out + 2 > outend) {
++              // insufficient space left in the buffer. Keep mUcs4 for the
++              // next iteration.
++              mState = 0xFF;
++              ++in;
++              res = NS_OK_UDEC_MOREOUTPUT;
++              break;
++            }
++            out = EmitSurrogatePair(mUcs4, out);
+           } else if (UNICODE_BYTE_ORDER_MARK != mUcs4 || !mFirst) {
+             // Don't output the BOM only if it is the first character
+             *out++ = mUcs4;
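Review bot: the check "if (out + 2 > outend)" forms a pointer two past the last valid element when out == outend - 1, which is outside what pointer arithmetic guarantees; "outend - out < 2" expresses the same test without leaving the buffer. The "++in" before the break deserves a comment: break skips the for loop's own increment, so without it the final byte of the sequence would be read again on the next call.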
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-for-bug-605672-Fix-reason-for-invalid-scope-asse.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-for-bug-605672-Fix-reason-for-invalid-scope-asse.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-for-bug-605672-Fix-reason-for-invalid-scope-asse.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-for-bug-605672-Fix-reason-for-invalid-scope-asse.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,432 @@
+From: Peter Van der Beken <peterv@propagandism.org>
+Date: Wed, 19 Jan 2011 15:26:52 -0800
+Subject: Fix for bug 605672 (Fix reason for invalid scope assertion). r=jst, a=clegnitto.
+
+---
+ content/base/public/nsContentUtils.h   |   17 +++---
+ content/base/src/nsContentUtils.cpp    |   96 +++++++++++++++++---------------
+ content/base/src/nsDOMDocumentType.cpp |   13 ++--
+ content/base/src/nsDocument.cpp        |    8 +--
+ content/base/src/nsNodeUtils.cpp       |   23 +++----
+ content/base/src/nsNodeUtils.h         |   15 ++---
+ 6 files changed, 83 insertions(+), 89 deletions(-)
+
+diff --git a/mozilla/content/base/public/nsContentUtils.h b/mozilla/content/base/public/nsContentUtils.h
+index 62282b6..b3c7b11 100644
+--- a/mozilla/content/base/public/nsContentUtils.h
++++ b/mozilla/content/base/public/nsContentUtils.h
+@@ -160,20 +160,18 @@ public:
+                                          nsIDocument *aOldDocument);
+ 
+   /**
+-   * Get a scope from aOldDocument and one from aNewDocument. Also get a
+-   * context through one of the scopes, from the stack or the safe context.
++   * Get a scope from aNewDocument. Also get a context through the scope of one
++   * of the documents, from the stack or the safe context.
+    *
+-   * @param aOldDocument The document to get aOldScope from.
++   * @param aOldDocument The document to try to get a context from. May be null.
+    * @param aNewDocument The document to get aNewScope from.
+    * @param aCx [out] Context gotten through one of the scopes, from the stack
+    *                  or the safe context.
+-   * @param aOldScope [out] Scope gotten from aOldDocument.
+    * @param aNewScope [out] Scope gotten from aNewDocument.
+    */
+-  static nsresult GetContextAndScopes(nsIDocument *aOldDocument,
+-                                      nsIDocument *aNewDocument,
+-                                      JSContext **aCx, JSObject **aOldScope,
+-                                      JSObject **aNewScope);
++  static nsresult GetContextAndScope(nsIDocument *aOldDocument,
++                                     nsIDocument *aNewDocument,
++                                     JSContext **aCx, JSObject **aNewScope);
+ 
+   /**
+    * When a document's scope changes (e.g., from document.open(), call this
+@@ -182,6 +180,8 @@ public:
+   static nsresult ReparentContentWrappersInScope(nsIScriptGlobalObject *aOldScope,
+                                                  nsIScriptGlobalObject *aNewScope);
+ 
++  static JSObject *GetCachedWrapper(nsWrapperCache *aCache);
++
+   static PRBool   IsCallerChrome();
+ 
+   static PRBool   IsCallerTrustedForRead();
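Review bot: GetCachedWrapper() is declared without a doc comment, while every neighbouring declaration in this header has one. It should say that the result is null when the node has no wrapper yet and that aCache must be non-null, because the callers added by this patch branch on the null result.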
+@@ -1413,7 +1413,6 @@ private:
+ 
+   static nsresult doReparentContentWrapper(nsIContent *aChild,
+                                            JSContext *cx,
+-                                           JSObject *aOldGlobal,
+                                            JSObject *aNewGlobal,
+                                            nsIDocument *aOldDocument,
+                                            nsIDocument *aNewDocument);
+diff --git a/mozilla/content/base/src/nsContentUtils.cpp b/mozilla/content/base/src/nsContentUtils.cpp
+index 8d2be95..d4409ac 100644
+--- a/mozilla/content/base/src/nsContentUtils.cpp
++++ b/mozilla/content/base/src/nsContentUtils.cpp
+@@ -1094,22 +1094,37 @@ nsContentUtils::InProlog(nsINode *aNode)
+ }
+ 
+ // static
++JSObject*
++nsContentUtils::GetCachedWrapper(nsWrapperCache *aCache)
++{
++  JSObject *obj = nsnull;
++  nsIXPConnectWrappedNative *wrapper =
++    static_cast<nsIXPConnectWrappedNative*>(aCache->GetWrapper());
++  if (wrapper) {
++    wrapper->GetJSObject(&obj);
++  }
++
++  return obj;
++}
++
++// static
+ nsresult
+ nsContentUtils::doReparentContentWrapper(nsIContent *aNode,
+                                          JSContext *cx,
+-                                         JSObject *aOldGlobal,
+                                          JSObject *aNewGlobal,
+                                          nsIDocument *aOldDocument,
+                                          nsIDocument *aNewDocument)
+ {
+-  nsCOMPtr<nsIXPConnectJSObjectHolder> old_wrapper;
+-
+   nsresult rv;
+ 
+-  rv = sXPConnect->ReparentWrappedNativeIfFound(cx, aOldGlobal, aNewGlobal,
+-                                                aNode,
+-                                                getter_AddRefs(old_wrapper));
+-  NS_ENSURE_SUCCESS(rv, rv);
++  JSObject *wrapper = GetCachedWrapper(aNode);
++  if (wrapper) {
++    nsCOMPtr<nsIXPConnectJSObjectHolder> old_wrapper;
++    rv = sXPConnect->ReparentWrappedNativeIfFound(cx, wrapper, aNewGlobal,
++                                                  aNode,
++                                                  getter_AddRefs(old_wrapper));
++    NS_ENSURE_SUCCESS(rv, rv);
++  }
+ 
+   // Whether or not aChild is already wrapped we must iterate through
+   // its descendants since there's no guarantee that a descendant isn't
+@@ -1123,8 +1138,7 @@ nsContentUtils::doReparentContentWrapper(nsIContent *aNode,
+     nsIContent *child = aNode->GetChildAt(i);
+     NS_ENSURE_TRUE(child, NS_ERROR_UNEXPECTED);
+ 
+-    rv = doReparentContentWrapper(child, cx, 
+-                                  aOldGlobal, aNewGlobal,
++    rv = doReparentContentWrapper(child, cx, aNewGlobal,
+                                   aOldDocument, aNewDocument);
+     NS_ENSURE_SUCCESS(rv, rv);
+   }
+@@ -1133,22 +1147,17 @@ nsContentUtils::doReparentContentWrapper(nsIContent *aNode,
+ }
+ 
+ static JSContext *
+-GetContextFromDocument(nsIDocument *aDocument, JSObject** aGlobalObject)
++GetContextFromDocument(nsIDocument *aDocument)
+ {
+   nsIScriptGlobalObject *sgo = aDocument->GetScopeObject();
+   if (!sgo) {
+     // No script global, no context.
+-
+-    *aGlobalObject = nsnull;
+-
+     return nsnull;
+   }
+ 
+-  *aGlobalObject = sgo->GetGlobalJSObject();
+-
+   nsIScriptContext *scx = sgo->GetContext();
+   if (!scx) {
+-    // No context left in the old scope...
++    // No context left in the scope...
+ 
+     return nsnull;
+   }
+@@ -1170,54 +1179,41 @@ nsContentUtils::ReparentContentWrapper(nsIContent *aContent,
+   }
+ 
+   JSContext *cx;
+-  JSObject *oldScope, *newScope;
+-  nsresult rv = GetContextAndScopes(aOldDocument, aNewDocument, &cx, &oldScope,
+-                                    &newScope);
++  JSObject *newScope;
++  nsresult rv = GetContextAndScope(aOldDocument, aNewDocument, &cx, &newScope);
+   NS_ENSURE_SUCCESS(rv, rv);
+ 
+   if (!cx) {
+     return NS_OK;
+   }
+ 
+-  return doReparentContentWrapper(aContent, cx, oldScope, newScope, 
++  return doReparentContentWrapper(aContent, cx, newScope,
+                                   aOldDocument, aNewDocument);
+ }
+ 
+ // static
+ nsresult
+-nsContentUtils::GetContextAndScopes(nsIDocument *aOldDocument,
+-                                    nsIDocument *aNewDocument, JSContext **aCx,
+-                                    JSObject **aOldScope, JSObject **aNewScope)
++nsContentUtils::GetContextAndScope(nsIDocument *aOldDocument,
++                                   nsIDocument *aNewDocument, JSContext **aCx,
++                                   JSObject **aNewScope)
+ {
+   *aCx = nsnull;
+-  *aOldScope = nsnull;
+   *aNewScope = nsnull;
+ 
+-  JSObject *newScope = nsnull;
+-  nsIScriptGlobalObject *newSGO = aNewDocument->GetScopeObject();
+-  if (!newSGO || !(newScope = newSGO->GetGlobalJSObject())) {
+-    return NS_OK;
++  JSObject *newScope = GetCachedWrapper(aNewDocument);
++  JSObject *global;
++  if (!newScope) {
++    nsIScriptGlobalObject *newSGO = aNewDocument->GetScopeObject();
++    if (!newSGO || !(global = newSGO->GetGlobalJSObject())) {
++      return NS_OK;
++    }
+   }
+ 
+   NS_ENSURE_TRUE(sXPConnect, NS_ERROR_NOT_INITIALIZED);
+ 
+-  // Make sure to get our hands on the right scope object, since
+-  // GetWrappedNativeOfNativeObject doesn't call PreCreate and hence won't get
+-  // the right scope if we pass in something bogus.  The right scope lives on
+-  // the script global of the old document.
+-  // XXXbz note that if GetWrappedNativeOfNativeObject did call PreCreate it
+-  // would get the wrong scope (that of the _new_ document), so we should be
+-  // glad it doesn't!
+-  JSObject *oldScope = nsnull;
+-  JSContext *cx = GetContextFromDocument(aOldDocument, &oldScope);
+-
+-  if (!oldScope) {
+-    return NS_OK;
+-  }
+-
++  JSContext *cx = aOldDocument ? GetContextFromDocument(aOldDocument) : nsnull;
+   if (!cx) {
+-    JSObject *dummy;
+-    cx = GetContextFromDocument(aNewDocument, &dummy);
++    cx = GetContextFromDocument(aNewDocument);
+ 
+     if (!cx) {
+       // No context reachable from the old or new document, use the
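Review bot: "JSObject *global;" is declared without an initialiser and is assigned only inside the "if (!newScope)" branch. The later use is guarded by the same condition, so the value is defined when read, but the pairing spans two hunks and is easy to break; initialising it to nsnull costs nothing and avoids a maybe-uninitialised warning.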
+@@ -1239,8 +1235,18 @@ nsContentUtils::GetContextAndScopes(nsIDocument *aOldDocument,
+     }
+   }
+ 
++  if (!newScope && cx) {
++    nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
++    jsval v;
++    nsresult rv = sXPConnect->WrapNativeToJSVal(cx, global, aNewDocument,
++                                                &NS_GET_IID(nsISupports), &v,
++                                                getter_AddRefs(holder));
++    NS_ENSURE_SUCCESS(rv, rv);
++
++    newScope = JSVAL_TO_OBJECT(v);
++  }
++
+   *aCx = cx;
+-  *aOldScope = oldScope;
+   *aNewScope = newScope;
+ 
+   return NS_OK;
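Review bot: in the "if (!newScope && cx)" block, holder is released at the closing brace while newScope, taken from v, is handed back to the caller. Please add a comment saying what keeps the wrapper object alive after the holder is gone. JSVAL_TO_OBJECT(v) is also applied without first checking that v holds an object; an explicit check or assertion after NS_ENSURE_SUCCESS would make the assumption visible.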
+diff --git a/mozilla/content/base/src/nsDOMDocumentType.cpp b/mozilla/content/base/src/nsDOMDocumentType.cpp
+index 8904cc8..d4f1fab 100644
+--- a/mozilla/content/base/src/nsDOMDocumentType.cpp
++++ b/mozilla/content/base/src/nsDOMDocumentType.cpp
+@@ -264,16 +264,15 @@ nsDOMDocumentType::BindToTree(nsIDocument *aDocument, nsIContent *aParent,
+ 
+     mNodeInfo.swap(newNodeInfo);
+ 
+-    nsCOMPtr<nsIDocument> oldOwnerDoc =
+-      do_QueryInterface(nsContentUtils::GetDocumentFromContext());
+-    nsIDocument *newOwnerDoc = nimgr->GetDocument();
+-    if (oldOwnerDoc && newOwnerDoc) {
++    JSObject *oldScope = nsContentUtils::GetCachedWrapper(this);
++    if (oldScope) {
+       nsIXPConnect *xpc = nsContentUtils::XPConnect();
+ 
+       JSContext *cx = nsnull;
+-      JSObject *oldScope = nsnull, *newScope = nsnull;
+-      nsresult rv = nsContentUtils::GetContextAndScopes(oldOwnerDoc, newOwnerDoc, &cx,
+-                                                        &oldScope, &newScope);
++      JSObject *newScope = nsnull;
++      nsresult rv = nsContentUtils::GetContextAndScope(nsnull,
++                                                       nimgr->GetDocument(),
++                                                       &cx, &newScope);
+       if (cx && xpc) {
+         nsISupports *node = NS_ISUPPORTS_CAST(nsIContent*, this);
+         nsCOMPtr<nsIXPConnectJSObjectHolder> oldWrapper;
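Review bot: the removed condition "if (oldOwnerDoc && newOwnerDoc)" checked the new document for null, and the replacement "if (oldScope)" does not. nimgr->GetDocument() is now passed straight to GetContextAndScope(), which calls GetCachedWrapper(aNewDocument) and dereferences it. Either keep a null check on nimgr->GetDocument() here or state why it cannot be null at this point in BindToTree().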
+diff --git a/mozilla/content/base/src/nsDocument.cpp b/mozilla/content/base/src/nsDocument.cpp
+index da61037..425cbdf 100644
+--- a/mozilla/content/base/src/nsDocument.cpp
++++ b/mozilla/content/base/src/nsDocument.cpp
+@@ -6006,17 +6006,15 @@ nsDocument::AdoptNode(nsIDOMNode *aAdoptedNode, nsIDOMNode **aResult)
+   PRBool sameDocument = oldDocument == this;
+ 
+   JSContext *cx = nsnull;
+-  JSObject *oldScope = nsnull;
+   JSObject *newScope = nsnull;
+-  if (!sameDocument && oldDocument) {
+-    rv = nsContentUtils::GetContextAndScopes(oldDocument, this, &cx, &oldScope,
+-                                             &newScope);
++  if (!sameDocument) {
++    rv = nsContentUtils::GetContextAndScope(oldDocument, this, &cx, &newScope);
+     NS_ENSURE_SUCCESS(rv, rv);
+   }
+ 
+   nsCOMArray<nsINode> nodesWithProperties;
+   rv = nsNodeUtils::Adopt(adoptedNode, sameDocument ? nsnull : mNodeInfoManager,
+-                          cx, oldScope, newScope, nodesWithProperties);
++                          cx, newScope, nodesWithProperties);
+   if (NS_FAILED(rv)) {
+     // Disconnect all nodes from their parents, since some have the old document
+     // as their ownerDocument and some have this as their ownerDocument.
+diff --git a/mozilla/content/base/src/nsNodeUtils.cpp b/mozilla/content/base/src/nsNodeUtils.cpp
+index 09249a4..ef4fd61 100755
+--- a/mozilla/content/base/src/nsNodeUtils.cpp
++++ b/mozilla/content/base/src/nsNodeUtils.cpp
+@@ -481,12 +481,11 @@ nsNodeUtils::CloneNodeImpl(nsINode *aNode, PRBool aDeep, nsIDOMNode **aResult)
+ class AdoptFuncData {
+ public:
+   AdoptFuncData(nsIDOMElement *aElement, nsNodeInfoManager *aNewNodeInfoManager,
+-                JSContext *aCx, JSObject *aOldScope, JSObject *aNewScope,
++                JSContext *aCx, JSObject *aNewScope,
+                 nsCOMArray<nsINode> &aNodesWithProperties)
+     : mElement(aElement),
+       mNewNodeInfoManager(aNewNodeInfoManager),
+       mCx(aCx),
+-      mOldScope(aOldScope),
+       mNewScope(aNewScope),
+       mNodesWithProperties(aNodesWithProperties)
+   {
+@@ -495,7 +494,6 @@ public:
+   nsIDOMElement *mElement;
+   nsNodeInfoManager *mNewNodeInfoManager;
+   JSContext *mCx;
+-  JSObject *mOldScope;
+   JSObject *mNewScope;
+   nsCOMArray<nsINode> &mNodesWithProperties;
+ };
+@@ -514,8 +512,7 @@ AdoptFunc(nsAttrHashKey::KeyType aKey, nsIDOMNode *aData, void* aUserArg)
+   nsCOMPtr<nsIDOMNode> node;
+   nsresult rv = nsNodeUtils::CloneAndAdopt(attr, clone, PR_TRUE,
+                                            data->mNewNodeInfoManager,
+-                                           data->mCx, data->mOldScope,
+-                                           data->mNewScope,
++                                           data->mCx, data->mNewScope,
+                                            data->mNodesWithProperties,
+                                            nsnull, getter_AddRefs(node));
+ 
+@@ -533,15 +530,14 @@ AdoptFunc(nsAttrHashKey::KeyType aKey, nsIDOMNode *aData, void* aUserArg)
+ nsresult
+ nsNodeUtils::CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
+                            nsNodeInfoManager *aNewNodeInfoManager,
+-                           JSContext *aCx, JSObject *aOldScope,
+-                           JSObject *aNewScope,
++                           JSContext *aCx, JSObject *aNewScope,
+                            nsCOMArray<nsINode> &aNodesWithProperties,
+                            nsINode *aParent, nsIDOMNode **aResult)
+ {
+   NS_PRECONDITION((!aClone && aNewNodeInfoManager) || !aCx,
+                   "If cloning or not getting a new nodeinfo we shouldn't "
+                   "rewrap");
+-  NS_PRECONDITION(!aCx || (aOldScope && aNewScope), "Must have scopes");
++  NS_PRECONDITION(!aCx || aNewScope, "Must have scopes");
+   NS_PRECONDITION(!aParent || !aNode->IsNodeOfType(nsINode::eDOCUMENT),
+                   "Can't insert document nodes into a parent");
+ 
+@@ -640,11 +636,12 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
+       elem->RecompileScriptEventListeners();
+     }
+ 
+-    if (aCx) {
++    JSObject *wrapper = nsContentUtils::GetCachedWrapper(aNode);
++    if (aCx && wrapper) {
+       nsIXPConnect *xpc = nsContentUtils::XPConnect();
+       if (xpc) {
+         nsCOMPtr<nsIXPConnectJSObjectHolder> oldWrapper;
+-        rv = xpc->ReparentWrappedNativeIfFound(aCx, aOldScope, aNewScope, aNode,
++        rv = xpc->ReparentWrappedNativeIfFound(aCx, wrapper, aNewScope, aNode,
+                                                getter_AddRefs(oldWrapper));
+         if (NS_FAILED(rv)) {
+           aNode->mNodeInfo.swap(nodeInfo);
+@@ -667,8 +664,8 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
+         NS_ENSURE_SUCCESS(rv, rv);
+       }
+ 
+-      AdoptFuncData data(element, nodeInfoManager, aCx, aOldScope,
+-                         aNewScope, aNodesWithProperties);
++      AdoptFuncData data(element, nodeInfoManager, aCx, aNewScope,
++                         aNodesWithProperties);
+ 
+       PRUint32 count = map->Enumerate(AdoptFunc, &data);
+       NS_ENSURE_TRUE(count == map->Count(), NS_ERROR_FAILURE);
+@@ -702,7 +699,7 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
+     for (i = 0; i < length; ++i) {
+       nsCOMPtr<nsIDOMNode> child;
+       rv = CloneAndAdopt(aNode->GetChildAt(i), aClone, PR_TRUE, nodeInfoManager,
+-                         aCx, aOldScope, aNewScope, aNodesWithProperties,
++                         aCx, aNewScope, aNodesWithProperties,
+                          clone, getter_AddRefs(child));
+       NS_ENSURE_SUCCESS(rv, rv);
+     }
+diff --git a/mozilla/content/base/src/nsNodeUtils.h b/mozilla/content/base/src/nsNodeUtils.h
+index ee4c9c2..8776175 100755
+--- a/mozilla/content/base/src/nsNodeUtils.h
++++ b/mozilla/content/base/src/nsNodeUtils.h
+@@ -163,8 +163,7 @@ public:
+                         nsIDOMNode **aResult)
+   {
+     return CloneAndAdopt(aNode, PR_TRUE, aDeep, aNewNodeInfoManager, nsnull,
+-                         nsnull, nsnull, aNodesWithProperties, nsnull,
+-                         aResult);
++                         nsnull, aNodesWithProperties, nsnull, aResult);
+   }
+ 
+   /**
+@@ -182,20 +181,18 @@ public:
+    * @param aCx Context to use for reparenting the wrappers, or null if no
+    *            reparenting should be done. Must be null if aNewNodeInfoManager
+    *            is null.
+-   * @param aOldScope Old scope for the wrappers. May be null if aCx is null.
+    * @param aNewScope New scope for the wrappers. May be null if aCx is null.
+    * @param aNodesWithProperties All nodes (from amongst aNode and its
+    *                             descendants) with properties.
+    */
+   static nsresult Adopt(nsINode *aNode, nsNodeInfoManager *aNewNodeInfoManager,
+-                        JSContext *aCx, JSObject *aOldScope,
+-                        JSObject *aNewScope,
++                        JSContext *aCx, JSObject *aNewScope,
+                         nsCOMArray<nsINode> &aNodesWithProperties)
+   {
+     nsCOMPtr<nsIDOMNode> dummy;
+     return CloneAndAdopt(aNode, PR_FALSE, PR_TRUE, aNewNodeInfoManager, aCx,
+-                         aOldScope, aNewScope, aNodesWithProperties,
+-                         nsnull, getter_AddRefs(dummy));
++                         aNewScope, aNodesWithProperties, nsnull,
++                         getter_AddRefs(dummy));
+   }
+ 
+   /**
+@@ -302,7 +299,6 @@ private:
+    * @param aCx Context to use for reparenting the wrappers, or null if no
+    *            reparenting should be done. Must be null if aClone is PR_TRUE or
+    *            if aNewNodeInfoManager is null.
+-   * @param aOldScope Old scope for the wrappers. May be null if aCx is null.
+    * @param aNewScope New scope for the wrappers. May be null if aCx is null.
+    * @param aNodesWithProperties All nodes (from amongst aNode and its
+    *                             descendants) with properties. If aClone is
+@@ -315,8 +311,7 @@ private:
+    */
+   static nsresult CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
+                                 nsNodeInfoManager *aNewNodeInfoManager,
+-                                JSContext *aCx, JSObject *aOldScope,
+-                                JSObject *aNewScope,
++                                JSContext *aCx, JSObject *aNewScope,
+                                 nsCOMArray<nsINode> &aNodesWithProperties,
+                                 nsINode *aParent, nsIDOMNode **aResult);
+ };
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-hard-case-destructurinv-vs.-for-var-.-.-in-.-bug.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-hard-case-destructurinv-vs.-for-var-.-.-in-.-bug.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-hard-case-destructurinv-vs.-for-var-.-.-in-.-bug.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-hard-case-destructurinv-vs.-for-var-.-.-in-.-bug.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,27 @@
+From: Brendan Eich <brendan@mozilla.org>
+Date: Thu, 20 Jan 2011 15:48:18 -0800
+Subject: Fix hard-case destructurinv vs. for(var ...=... in ...) bug (558633, r=mrbkap, a=dveditz).
+
+---
+ js/src/jsparse.cpp |    8 +++++++-
+ 1 files changed, 7 insertions(+), 1 deletions(-)
+
+diff --git a/mozilla/js/src/jsparse.cpp b/mozilla/js/src/jsparse.cpp
+index 230e744..be5978e 100644
+--- a/mozilla/js/src/jsparse.cpp
++++ b/mozilla/js/src/jsparse.cpp
+@@ -3464,7 +3464,13 @@ BindDestructuringLHS(JSContext *cx, JSParseNode *pn, JSTreeContext *tc)
+ 
+       case TOK_DOT:
+       case TOK_LB:
+-        pn->pn_op = JSOP_SETNAME;
++        /*
++         * We may be called on a name node that has already been specialized,
++         * in the very weird and ECMA-262-required "for (var [x] = i in o) ..."
++         * case. See bug 558633.
++         */
++        if (!(js_CodeSpec[pn->pn_op].format & JOF_SET))
++            pn->pn_op = JSOP_SETNAME;
+         break;
+ 
+ #if JS_HAS_LVALUE_RETURN
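Review bot: the new comment speaks of "a name node that has already been specialized", but the case labels visible in this hunk are TOK_DOT and TOK_LB. If name nodes reach this assignment through a fall-through from an earlier case, the comment should say so. Otherwise the guard "if (!(js_CodeSpec[pn->pn_op].format & JOF_SET))" is hard to connect to the bug it fixes. A regression test for the "for (var [x] = i in o)" form named in the comment would be a useful companion to this change.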
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-MakeUpvarForEval-vs.-normal-upvar-bookkeeping-61.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-MakeUpvarForEval-vs.-normal-upvar-bookkeeping-61.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-MakeUpvarForEval-vs.-normal-upvar-bookkeeping-61.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-MakeUpvarForEval-vs.-normal-upvar-bookkeeping-61.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,34 @@
+From: Brendan Eich <brendan@mozilla.org>
+Date: Wed, 8 Dec 2010 14:26:30 -0800
+Subject: Fix MakeUpvarForEval vs. normal upvar bookkeeping (615657, r=dmandelin, a=dveditz).
+
+---
+ js/src/jsemit.cpp |    8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/mozilla/js/src/jsemit.cpp b/mozilla/js/src/jsemit.cpp
+index 197b3d2..ad4d159 100644
+--- a/mozilla/js/src/jsemit.cpp
++++ b/mozilla/js/src/jsemit.cpp
+@@ -2203,10 +2203,9 @@ BindNameToSlot(JSContext *cx, JSCodeGenerator *cg, JSParseNode *pn)
+             JS_ASSERT(index == cg->upvarList.count - 1);
+ 
+             uint32 *vector = cg->upvarMap.vector;
+-            if (!vector) {
+-                uint32 length = cg->lexdeps.count;
+-
+-                vector = (uint32 *) calloc(length, sizeof *vector);
++            uint32 length = cg->lexdeps.count;
++            if (!vector || cg->upvarMap.length != length) {
++                vector = (uint32 *) realloc(vector, length * sizeof *vector);
+                 if (!vector) {
+                     JS_ReportOutOfMemory(cx);
+                     return JS_FALSE;
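Review bot: replacing calloc(length, sizeof *vector) with realloc(vector, length * sizeof *vector) drops two properties of the old call. calloc zero-filled the block, whereas realloc leaves any newly grown tail uninitialised, and calloc checked the size multiplication for overflow, whereas "length * sizeof *vector" is now unchecked. The visible lines do not show the new entries being filled or cg->upvarMap.length being updated, so please confirm that both happen right after this point, and guard the multiplication.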
+@@ -2225,6 +2224,7 @@ BindNameToSlot(JSContext *cx, JSCodeGenerator *cg, JSParseNode *pn)
+                     slot += tc->fun->nargs;
+             }
+ 
++            JS_ASSERT(index < cg->upvarMap.length);
+             vector[index] = MAKE_UPVAR_COOKIE(skip, slot);
+         }
+ 
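Review bot: "JS_ASSERT(index < cg->upvarMap.length);" is the only bound on the write "vector[index] = MAKE_UPVAR_COOKIE(skip, slot);", and assertions are compiled out of release builds. Given that this patch exists because the map could be too short, a runtime check that fails the compilation in all builds would be a stronger guard than a debug-only assertion.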
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-some-errors-with-handling-invalid-sequences-in-t.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-some-errors-with-handling-invalid-sequences-in-t.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-some-errors-with-handling-invalid-sequences-in-t.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Fix-some-errors-with-handling-invalid-sequences-in-t.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,35 @@
+From: Simon Montagu <smontagu@smontagu.org>
+Date: Mon, 27 Dec 2010 11:45:31 +0200
+Subject: Fix some errors with handling invalid sequences in the EUC-JP decoder. Bug 563618, r=emk, a1.9.1.17=LegNeato
+
+---
+ intl/uconv/ucvja/mozilla/nsJapaneseToUnicode.cpp |    8 ++++----
+ 1 files changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/mozilla/intl/uconv/ucvja/nsJapaneseToUnicode.cpp b/mozilla/intl/uconv/ucvja/nsJapaneseToUnicode.cpp
+index 629884f..9ce854c 100644
+--- a/mozilla/intl/uconv/ucvja/nsJapaneseToUnicode.cpp
++++ b/mozilla/intl/uconv/ucvja/mozilla/nsJapaneseToUnicode.cpp
+@@ -322,10 +322,10 @@ NS_IMETHODIMP nsEUCJPToUnicodeV2::Convert(
+             if(0xFF == off) {
+               *dest++ = 0xFFFD;
+                // if the first byte is valid for EUC-JP but the second 
+-               // is not while being a valid US-ASCII(i.e. < 0xc0), save it
++               // is not while being a valid US-ASCII, save it
+                // instead of eating it up !
+-               if ( ! (*src & 0xc0)  )
+-                 *dest++ = (PRUnichar) *src;;
++              if ( (PRUint8)*src < (PRUint8)0x7f )
++                --src;
+             } else {
+                *dest++ = gJapaneseMap[mData+off];
+             }
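Review bot: the new test "(PRUint8)*src < (PRUint8)0x7f" excludes 0x7f itself, while the comment above it says "a valid US-ASCII"; either the comment or the bound should be adjusted so they agree. The comment still says "save it", but "--src" no longer saves the byte directly. It rewinds so that the loop decodes the byte again, and that dependence on the loop's own increment should be spelled out. The new lines are also indented differently from the lines they replace. Separately, the file header above this hunk names a/mozilla/intl/uconv/ucvja/nsJapaneseToUnicode.cpp on the "---" side and b/mozilla/intl/uconv/ucvja/mozilla/nsJapaneseToUnicode.cpp on the "+++" side; the extra "mozilla/" component should be checked against the tree so the patch applies to the intended file.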
+@@ -344,7 +344,7 @@ NS_IMETHODIMP nsEUCJPToUnicodeV2::Convert(
+               // if 0x8e is not followed by a valid JIS X 0201 byte
+               // but by a valid US-ASCII, save it instead of eating it up.
+               if ( (PRUint8)*src < (PRUint8)0x7f )
+-                 *dest++ = (PRUnichar) *src;
++                --src;
+             }
+             mState = 0;
+             if(dest >= destEnd)
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/followup-for-bug-602115.-Missed-this-when-I-moved-pa.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/followup-for-bug-602115.-Missed-this-when-I-moved-pa.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/followup-for-bug-602115.-Missed-this-when-I-moved-pa.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/followup-for-bug-602115.-Missed-this-when-I-moved-pa.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,27 @@
+From: Jonas Sicking <jonas@sicking.cc>
+Date: Wed, 19 Jan 2011 10:13:03 -0800
+Subject: followup for bug 602115. Missed this when I moved patch to this branch.
+
+---
+ content/xslt/src/xslt/txExecutionState.cpp |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/mozilla/content/xslt/src/xslt/txExecutionState.cpp b/mozilla/content/xslt/src/xslt/txExecutionState.cpp
+index a2aa72a..8e00d68 100644
+--- a/mozilla/content/xslt/src/xslt/txExecutionState.cpp
++++ b/mozilla/content/xslt/src/xslt/txExecutionState.cpp
+@@ -404,10 +404,14 @@ txExecutionState::pushTemplateRule(txStylesheet::ImportFrame* aFrame,
+                                    txVariableMap* aParams)
+ {
+     TemplateRule* rule = mTemplateRules.AppendElement();
++    NS_ENSURE_TRUE(rule, NS_ERROR_OUT_OF_MEMORY);
++
+     rule->mFrame = aFrame;
+     rule->mModeNsId = aMode.mNamespaceID;
+     rule->mModeLocalName = aMode.mLocalName;
+     rule->mParams = aParams;
++
++    return NS_OK;
+ }
+ 
+ void
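Review bot: pushTemplateRule() now returns NS_ERROR_OUT_OF_MEMORY through NS_ENSURE_TRUE and NS_OK at the end, but neither the function's return type nor its declaration is visible in this hunk, and diffstat lists only txExecutionState.cpp. Please confirm that the declaration already returns nsresult and that the callers check the result, otherwise a failed AppendElement() is reported but never acted on.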
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Properly-check-attribute-URLs-Bug-562547-r-jst-r-a-d.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Properly-check-attribute-URLs-Bug-562547-r-jst-r-a-d.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Properly-check-attribute-URLs-Bug-562547-r-jst-r-a-d.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Properly-check-attribute-URLs-Bug-562547-r-jst-r-a-d.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,125 @@
+From: Robert Sayre <sayrer@gmail.com>
+Date: Tue, 14 Dec 2010 21:26:27 +0100
+Subject: Properly check attribute URLs -- Bug 562547, r=jst, r+a=dveditz
+
+---
+ content/html/document/src/Makefile.in              |    1 +
+ .../document/src/nsHTMLFragmentContentSink.cpp     |   12 +++++++++---
+ content/xml/document/src/Makefile.in               |    1 +
+ .../xml/document/src/nsXMLFragmentContentSink.cpp  |   13 +++++++++++--
+ 4 files changed, 22 insertions(+), 5 deletions(-)
+
+diff --git a/mozilla/content/html/document/src/Makefile.in b/mozilla/content/html/document/src/Makefile.in
+index 780957e..7cf44ff 100644
+--- a/mozilla/content/html/document/src/Makefile.in
++++ b/mozilla/content/html/document/src/Makefile.in
+@@ -108,6 +108,7 @@ INCLUDES	+= \
+ 		-I$(srcdir)/../../../../layout/style \
+ 		-I$(srcdir)/../../../../dom/src/base \
+ 		-I$(srcdir)/../../../../xpcom/io \
++		-I$(srcdir)/../../../../caps/include \
+ 		$(NULL)
+ 
+ DEFINES += -D_IMPL_NS_LAYOUT
+diff --git a/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp b/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp
+index 0f26e7c..1ffbea8 100644
+--- a/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp
++++ b/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp
+@@ -59,6 +59,7 @@
+ #include "nsContentUtils.h"
+ #include "nsEscape.h"
+ #include "nsNodeInfoManager.h"
++#include "nsNullPrincipal.h"
+ #include "nsContentCreatorFunctions.h"
+ #include "nsNetUtil.h"
+ #include "nsIScriptSecurityManager.h"
+@@ -920,6 +921,8 @@ protected:
+   PRPackedBool mInStyle; // whether we're inside a style element
+   PRPackedBool mProcessComments; // used when comments are allowed
+ 
++  nsCOMPtr<nsIPrincipal> mNullPrincipal;
++
+   // Use nsTHashTable as a hash set for our whitelists
+   static nsTHashtable<nsISupportsHashKey>* sAllowedTags;
+   static nsTHashtable<nsISupportsHashKey>* sAllowedAttributes;
+@@ -1088,7 +1091,12 @@ nsHTMLParanoidFragmentSink::AddAttributes(const nsIParserNode& aNode,
+   nsresult rv;
+   // use this to check for safe URIs in the few attributes that allow them
+   nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
++  PRUint32 flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;
+   nsCOMPtr<nsIURI> baseURI;
++  if (!mNullPrincipal) {
++      mNullPrincipal = do_CreateInstance(NS_NULLPRINCIPAL_CONTRACTID, &rv);
++      NS_ENSURE_SUCCESS(rv, rv);
++  }
+ 
+   for (PRInt32 i = ac - 1; i >= 0; i--) {
+     rv = NS_OK;
+@@ -1125,9 +1133,7 @@ nsHTMLParanoidFragmentSink::AddAttributes(const nsIParserNode& aNode,
+       rv = NS_NewURI(getter_AddRefs(attrURI), v, nsnull, baseURI);
+       if (NS_SUCCEEDED(rv)) {
+         rv = secMan->
+-          CheckLoadURIWithPrincipal(mTargetDocument->NodePrincipal(),
+-                attrURI,
+-                nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL);
++          CheckLoadURIWithPrincipal(mNullPrincipal, attrURI, flags);
+       }
+     }
+     
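Review bot: the new call `CheckLoadURIWithPrincipal(mNullPrincipal, attrURI, flags)` carries no comment saying why the null principal replaces `mTargetDocument->NodePrincipal()`. The only comment in this function says the check is "for safe URIs". A line at the call stating that attribute URLs are deliberately checked against a principal with no privileges, independent of the document the fragment is inserted into, would keep a later cleanup from switching it back.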
+diff --git a/mozilla/content/xml/document/src/Makefile.in b/mozilla/content/xml/document/src/Makefile.in
+index 533119c..f9dee19 100644
+--- a/mozilla/content/xml/document/src/Makefile.in
++++ b/mozilla/content/xml/document/src/Makefile.in
+@@ -91,6 +91,7 @@ LOCAL_INCLUDES	= \
+ 		-I$(srcdir)/../../../xul/content/src \
+ 		-I$(srcdir)/../../../events/src \
+ 		-I$(srcdir)/../../../../dom/src/base \
++		-I$(srcdir)/../../../../caps/include \
+ 		$(NULL)
+ 
+ DEFINES += -D_IMPL_NS_LAYOUT
+diff --git a/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp b/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp
+index dcc1909..5f471b6 100644
+--- a/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp
++++ b/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp
+@@ -49,6 +49,7 @@
+ #include "nsGkAtoms.h"
+ #include "nsINodeInfo.h"
+ #include "nsNodeInfoManager.h"
++#include "nsNullPrincipal.h"
+ #include "nsContentCreatorFunctions.h"
+ #include "nsDOMError.h"
+ #include "nsIConsoleService.h"
+@@ -516,6 +517,9 @@ public:
+                                  PRUint32 aLength);
+ protected:
+   PRUint32 mSkipLevel; // used when we descend into <style> or <script>
++
++  nsCOMPtr<nsIPrincipal> mNullPrincipal;
++
+   // Use nsTHashTable as a hash set for our whitelists
+   static nsTHashtable<nsISupportsHashKey>* sAllowedTags;
+   static nsTHashtable<nsISupportsHashKey>* sAllowedAttributes;
+@@ -637,6 +641,12 @@ nsXHTMLParanoidFragmentSink::AddAttributes(const PRUnichar** aAtts,
+   PRInt32 nameSpaceID;
+   nsCOMPtr<nsIAtom> prefix, localName;
+   nsCOMPtr<nsINodeInfo> nodeInfo;
++
++  if (!mNullPrincipal) {
++      mNullPrincipal = do_CreateInstance(NS_NULLPRINCIPAL_CONTRACTID, &rv);
++      NS_ENSURE_SUCCESS(rv, rv);
++  }
++
+   while (*aAtts) {
+     nsContentUtils::SplitExpatName(aAtts[0], getter_AddRefs(prefix),
+                                    getter_AddRefs(localName), &nameSpaceID);
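Review bot: the `if (!mNullPrincipal)` block is a copy of the one added to nsHTMLParanoidFragmentSink::AddAttributes, including a body indented four spaces past the `if` where the surrounding code indents by two. Consider one small shared helper that returns the lazily created null principal, so the two sinks cannot drift apart, and fix the indent in both places.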
+@@ -652,8 +662,7 @@ nsXHTMLParanoidFragmentSink::AddAttributes(const PRUnichar** aAtts,
+       rv = NS_NewURI(getter_AddRefs(attrURI), nsDependentString(aAtts[1]),
+                      nsnull, baseURI);
+       if (NS_SUCCEEDED(rv)) {
+-        rv = secMan->CheckLoadURIWithPrincipal(mTargetDocument->NodePrincipal(),
+-                                               attrURI, flags);
++        rv = secMan->CheckLoadURIWithPrincipal(mNullPrincipal, attrURI, flags);
+       }
+     }
+ 
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-563618.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-563618.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-563618.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-563618.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,136 @@
+From: Simon Montagu <smontagu@smontagu.org>
+Date: Mon, 27 Dec 2010 11:45:31 +0200
+Subject: Tests for bug 563618
+
+---
+ intl/uconv/crashtests/563618.html       |   12 +++++
+ intl/uconv/crashtests/crashtests.list   |    1 +
+ intl/uconv/tests/unit/test_bug563618.js |   79 +++++++++++++++++++++++++++++++
+ testing/crashtest/crashtests.list       |    1 +
+ 4 files changed, 93 insertions(+), 0 deletions(-)
+ create mode 100644 intl/uconv/crashtests/563618.html
+ create mode 100644 intl/uconv/crashtests/crashtests.list
+ create mode 100644 intl/uconv/tests/unit/test_bug563618.js
+
+diff --git a/mozilla/intl/uconv/crashtests/563618.html b/mozilla/intl/uconv/crashtests/563618.html
+new file mode 100644
+index 0000000..e36b664
+--- /dev/null
++++ b/mozilla/intl/uconv/crashtests/563618.html
+@@ -0,0 +1,12 @@
++<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd";>
++<html>
++<head>
++  <meta content="text/html; charset=euc-jp"
++ http-equiv="content-type">
++  <title>Serbian Glyph Test</title>
++</head>
++<body>
++                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
++  <p style="font-size: 20pt;">�</p>
++</body>
++</html>
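Review bot: `<title>Serbian Glyph Test</title>` does not describe this file, which declares `charset=euc-jp` and is loaded as crashtest 563618; retitle it after the bug. The long whitespace-only line before the `<p>` is also unexplained: if its length is what places the invalid byte where the decoder used to crash, say so in an HTML comment so it is not trimmed as stray whitespace.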
+diff --git a/mozilla/intl/uconv/crashtests/crashtests.list b/mozilla/intl/uconv/crashtests/crashtests.list
+new file mode 100644
+index 0000000..5d92626
+--- /dev/null
++++ b/mozilla/intl/uconv/crashtests/crashtests.list
+@@ -0,0 +1 @@
++load 563618.html
+diff --git a/mozilla/intl/uconv/tests/unit/test_bug563618.js b/mozilla/intl/uconv/tests/unit/test_bug563618.js
+new file mode 100644
+index 0000000..314066c
+--- /dev/null
++++ b/mozilla/intl/uconv/tests/unit/test_bug563618.js
+@@ -0,0 +1,79 @@
++/* Test case for bug 563618
++ *
++ * Uses nsIConverterInputStream to decode invalid EUC-JP text
++ *
++ */
++
++const test = [
++// 0: 0x8e followed by hi byte, not valid JIS X 0201
++	      ["abcdefghijklmnopqrstuvwxyz12test00%8e%80foobar",
++//    expected: one replacement character, invalid byte eaten
++               "abcdefghijklmnopqrstuvwxyz12test00\uFFFDfoobar"],
++// 1: 0x8e followed by ASCII
++	      ["abcdefghijklmnopqrstuvwxyz12test01%8efoobar",
++//    expected: one replacement character, invalid byte not eaten
++               "abcdefghijklmnopqrstuvwxyz12test01\uFFFDfoobar"],
++// 2: JIS X 0208 lead byte followed by invalid hi byte
++              ["abcdefghijklmnopqrstuvwxyz12test02%bf%80foobar",
++//    expected: one replacement character, invalid byte eaten
++	       "abcdefghijklmnopqrstuvwxyz12test02\uFFFDfoobar"],
++// 3: JIS X 0208 lead byte followed by ASCII
++              ["abcdefghijklmnopqrstuvwxyz12test03%bffoobar",
++//    expected: one replacement character, invalid byte not eaten
++	       "abcdefghijklmnopqrstuvwxyz12test03\uFFFDfoobar"]];
++
++const IOService = Components.Constructor("@mozilla.org/network/io-service;1",
++                                         "nsIIOService");
++const ConverterInputStream =
++      Components.Constructor("@mozilla.org/intl/converter-input-stream;1",
++                             "nsIConverterInputStream",
++                             "init");
++const ios = new IOService();
++
++function testCase(testText, expectedText, bufferLength, charset)
++{
++  var dataURI = "data:text/plain;charset=" + charset + "," + testText;
++
++  var channel = ios.newChannel(dataURI, "", null);
++  var testInputStream = channel.open();
++  var testConverter = new ConverterInputStream(testInputStream,
++                                               charset,
++                                               bufferLength,
++                                               0xFFFD);
++
++  if (!(testConverter instanceof
++        Components.interfaces.nsIUnicharLineInputStream))
++    throw "not line input stream";
++
++  var outStr = "";
++  var more;
++  do {
++    // read the line and check for eof
++    var line = {};
++    more = testConverter.readLine(line);
++    outStr += line.value;
++  } while (more);
++
++  if (outStr != expectedText) {
++    dump("Failed with bufferLength = " + bufferLength + "\n");
++    if (outStr.length == expectedText.length) {
++      for (i = 0; i < outStr.length; ++i) {
++	if (outStr.charCodeAt(i) != expectedText.charCodeAt(i)) {
++	  dump(i + ": " + outStr.charCodeAt(i).toString(16) + " != " + expectedText.charCodeAt(i).toString(16) + "\n");
++	}
++      }
++    }
++  }
++
++  // escape the strings before comparing for better readability
++  do_check_eq(escape(outStr), escape(expectedText));
++}
++
++function run_test()
++{
++  for (var i = 0; i < test.length; ++i) {
++    for (var bufferLength = 32; bufferLength < 40; ++ bufferLength) {
++      testCase(test[i][0], test[i][1], bufferLength, "EUC-JP");
++    }
++  }
++}
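Review bot: in `testCase`, the mismatch-dump loop `for (i = 0; i < outStr.length; ++i)` never declares `i`, so it creates an implicit global; write `var i`. `testConverter` is also never closed after the read loop, which leaves one open stream per case and buffer length; closing it before the final `do_check_eq` would tidy that up.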
+diff --git a/mozilla/testing/crashtest/crashtests.list b/mozilla/testing/crashtest/crashtests.list
+index 7ee2b9d..21d93c3 100644
+--- a/mozilla/testing/crashtest/crashtests.list
++++ b/mozilla/testing/crashtest/crashtests.list
+@@ -33,6 +33,7 @@ include ../../editor/composer/src/crashtests/crashtests.list
+ include ../../editor/txmgr/tests/crashtests/crashtests.list
+ 
+ include ../../intl/lwbrk/src/crashtests/crashtests.list
++include ../../intl/uconv/crashtests/crashtests.list
+ 
+ include ../../js/src/xpconnect/crashtests/crashtests.list
+ 
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-600974-a-test.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-600974-a-test.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-600974-a-test.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-600974-a-test.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,326 @@
+From: Simon Montagu <smontagu@smontagu.org>
+Date: Wed, 20 Oct 2010 09:11:15 -0700
+Subject: Tests for bug 600974, a=test
+
+---
+ intl/uconv/tests/unit/test_bug317216.js |   79 +++++++++++++++++---------
+ layout/reftests/bugs/600974-1-ref.html  |    2 +-
+ layout/reftests/bugs/600974-1.html      |    2 +-
+ layout/reftests/bugs/600974-2.html      |   94 +++++++++++++++++++++++++++++++
+ layout/reftests/bugs/600974-3.html      |  Bin 0 -> 11314 bytes
+ layout/reftests/bugs/reftest.list       |    2 +
+ 6 files changed, 150 insertions(+), 29 deletions(-)
+ create mode 100644 layout/reftests/bugs/600974-2.html
+ create mode 100644 layout/reftests/bugs/600974-3.html
+
+diff --git a/mozilla/intl/uconv/tests/unit/test_bug317216.js b/mozilla/intl/uconv/tests/unit/test_bug317216.js
+index bf57419..746c63e 100644
+--- a/mozilla/intl/uconv/tests/unit/test_bug317216.js
++++ b/mozilla/intl/uconv/tests/unit/test_bug317216.js
+@@ -11,53 +11,53 @@
+ 
+ const test = [
+ // 0: Valid surrogate pair
+-              ["%00%2D%00%2D%D8%35%DC%20%00%2D%00%2D",
++              ["%D8%35%DC%20%00%2D%00%2D",
+ //    expected: surrogate pair
+-               "--\uD835\uDC20--"],
++               "\uD835\uDC20--"],
+ // 1: Lone high surrogate
+-              ["%00%2D%00%2D%D8%35%00%2D%00%2D",
++              ["%D8%35%00%2D%00%2D",
+ //    expected: one replacement char
+-               "--\uFFFD--"],
++               "\uFFFD--"],
+ // 2: Lone low surrogate
+-              ["%00%2D%00%2D%DC%20%00%2D%00%2D",
++              ["%DC%20%00%2D%00%2D",
+ //    expected: one replacement char
+-               "--\uFFFD--"],
++               "\uFFFD--"],
+ // 3: Two high surrogates
+-              ["%00%2D%00%2D%D8%35%D8%35%00%2D%00%2D",
++              ["%D8%35%D8%35%00%2D%00%2D",
+ //    expected: two replacement chars
+-               "--\uFFFD\uFFFD--"],
++               "\uFFFD\uFFFD--"],
+ // 4: Two low surrogates
+-              ["%00%2D%00%2D%DC%20%DC%20%00%2D%00%2D",
++              ["%DC%20%DC%20%00%2D%00%2D",
+ //    expected: two replacement chars
+-              "--\uFFFD\uFFFD--"],
++	       "\uFFFD\uFFFD--"],
+ // 5: Low surrogate followed by high surrogate
+-              ["%00%2D%00%2D%DC%20%D8%35%00%2D%00%2D",
++              ["%DC%20%D8%35%00%2D%00%2D",
+ //    expected: two replacement chars
+-               "--\uFFFD\uFFFD--"],
++               "\uFFFD\uFFFD--"],
+ // 6: Lone high surrogate followed by valid surrogate pair
+-              ["%00%2D%00%2D%D8%35%D8%35%DC%20%00%2D%00%2D",
++              ["%D8%35%D8%35%DC%20%00%2D%00%2D",
+ //    expected: replacement char followed by surrogate pair
+-               "--\uFFFD\uD835\uDC20--"],
++               "\uFFFD\uD835\uDC20--"],
+ // 7: Lone low surrogate followed by valid surrogate pair
+-              ["%00%2D%00%2D%DC%20%D8%35%DC%20%00%2D%00%2D",
++              ["%DC%20%D8%35%DC%20%00%2D%00%2D",
+ //    expected: replacement char followed by surrogate pair
+-               "--\uFFFD\uD835\uDC20--"],
++               "\uFFFD\uD835\uDC20--"],
+ // 8: Valid surrogate pair followed by lone high surrogate
+-              ["%00%2D%00%2D%D8%35%DC%20%D8%35%00%2D%00%2D",
++              ["%D8%35%DC%20%D8%35%00%2D%00%2D",
+ //    expected: surrogate pair followed by replacement char
+-               "--\uD835\uDC20\uFFFD--"],
++               "\uD835\uDC20\uFFFD--"],
+ // 9: Valid surrogate pair followed by lone low surrogate
+-              ["%00%2D%00%2D%D8%35%DC%20%DC%20%00%2D%00%2D",
++              ["%D8%35%DC%20%DC%20%00%2D%00%2D",
+ //    expected: surrogate pair followed by replacement char
+-               "--\uD835\uDC20\uFFFD--"],
++               "\uD835\uDC20\uFFFD--"],
+ // 10: Lone high surrogate at the end of the input
+-              ["%00%2D%00%2D%00%2D%00%2D%D8%35%",
++              ["%D8%35%",
+ //    expected: nothing
+-               "----"],
++               ""],
+ // 11: Half code unit at the end of the input
+-              ["%00%2D%00%2D%00%2D%00%2D%D8",
++              ["%D8",
+ //    expected: nothing
+-              "----"]];
++              ""]];
+ 
+ const IOService = Components.Constructor("@mozilla.org/network/io-service;1",
+                                          "nsIIOService");
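Review bot: case 10's new input `"%D8%35%"` still ends in a bare `%`, carried over from the old line. That is not a complete escape, so what reaches the decoder after the lone high surrogate depends on how the data: URI is unescaped; if only "lone high surrogate at the end of the input" is meant, drop the trailing `%`. The replacement line for case 4's expected value is also tab-indented where its neighbours use spaces.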
+@@ -95,15 +95,40 @@ function testCase(testText, expectedText, bufferLength, charset)
+   do_check_eq(escape(outStr), escape(expectedText));
+ }
+ 
++// Add 32 dummy characters to the test text to work around the minimum buffer
++// size of an ns*Buffer
++const MINIMUM_BUFFER_SIZE=32;
++function padBytes(str)
++{
++  var padding = "";
++  for (var i = 0; i < MINIMUM_BUFFER_SIZE; ++i) {
++    padding += "%00%2D";
++  }
++  return padding + str;
++}
++
++function padUnichars(str)
++{
++  var padding = "";
++  for (var i = 0; i < MINIMUM_BUFFER_SIZE; ++i) {
++    padding += "-";
++  }
++  return padding + str;
++}
++
+ // Byte-swap %-encoded utf-16
+ function flip(str) { return str.replace(/(%..)(%..)/g, "$2$1"); }
+ 
+ function run_test()
+ {
+   for (var i = 0; i < 12; ++i) {
+-    for (var bufferLength = 4; bufferLength < 8; ++ bufferLength) {
+-      testCase(test[i][0], test[i][1], bufferLength, "UTF-16BE");
+-      testCase(flip(test[i][0]), test[i][1], bufferLength, "UTF-16LE");
++    for (var bufferLength = MINIMUM_BUFFER_SIZE;
++	 bufferLength < MINIMUM_BUFFER_SIZE + 4;
++	 ++ bufferLength) {
++      var testText = padBytes(test[i][0]);
++      var expectedText = padUnichars(test[i][1]);
++      testCase(testText, expectedText, bufferLength, "UTF-16BE");
++      testCase(flip(testText), expectedText, bufferLength, "UTF-16LE");
+     }
+   }
+ }
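Review bot: `run_test` keeps the literal bound `i < 12` while the loop body is rewritten; use `test.length` so a case added to the array is not silently skipped. The comment above `MINIMUM_BUFFER_SIZE` says "32 dummy characters", which matches `padUnichars`, but `padBytes` emits 32 `%00%2D` pairs, so the comment should state which unit the constant is in. The new continuation lines of the `for` header are tab-indented.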
+diff --git a/mozilla/layout/reftests/bugs/600974-1-ref.html b/mozilla/layout/reftests/bugs/600974-1-ref.html
+index 9bf883b..71b6ce9 100644
+--- a/mozilla/layout/reftests/bugs/600974-1-ref.html
++++ b/mozilla/layout/reftests/bugs/600974-1-ref.html
+@@ -1,5 +1,5 @@
+ <!DOCTYPE HTML>
+-<html>
++<html lang="en" style="font-family: serif; font-size: 16px">
+ <head>
+   <meta http-equiv="Content-Type"
+  content="text/html; charset=ISO-8859-1">
+diff --git a/mozilla/layout/reftests/bugs/600974-1.html b/mozilla/layout/reftests/bugs/600974-1.html
+index 13de69f..9cbfee1 100644
+--- a/mozilla/layout/reftests/bugs/600974-1.html
++++ b/mozilla/layout/reftests/bugs/600974-1.html
+@@ -1,7 +1,7 @@
+ <!DOCTYPE html>
+ <!-- This is a test for decoding supplementary characters. It contains text in
+      Unicode plane 1 encoded as UTF-8. Don't reencode it in any way. -->
+-<html>
++<html lang="en" style="font-family: serif; font-size: 16px">
+ <head>
+  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
+ </head>
+diff --git a/mozilla/layout/reftests/bugs/600974-2.html b/mozilla/layout/reftests/bugs/600974-2.html
+new file mode 100644
+index 0000000..5c14bde
+--- /dev/null
++++ b/mozilla/layout/reftests/bugs/600974-2.html
+@@ -0,0 +1,94 @@
++<!DOCTYPE HTML>
++<!-- This is a test for decoding supplementary characters. It contains text in
++     Unicode plane 1 encoded as GB18030. Don't reencode it in any way. -->
++<html lang="en" style="font-family: serif; font-size: 16px">
++<head>
++  <meta http-equiv="Content-Type" content="text/html; charset=gb18030">
++  <title></title>
++</head>
++<body>
++<p>�3��3��3��3��3� �3��3��3��3��3� �3��3��3��3��3� �3��3��3� �3��3��3��3�,
++�3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3��3� �3��3��3��3�. �3��3��3��3��3��3��3�
++�3��3��3� �3��3��3��3� �3��3��3��3�, �3��3��3� �3��3��3��3��3��3� �3��3��3��3��3��3�. �3��3��3��3�
++�3��3��3��3��3��3��3� �3��3��3��3� �3��3��3��3� �3��3��3��3� �3��3��3��3��3��3��3��3��3��3��3��3� �3��3�
++�3��3��3��3��3��3��3� �3��3��3��3��3� �3��3��3��3��3��3��3�. �3��3��3��3��3��3��3� �3��3��3�
++�3��3��3��3��3��3��3��3� �3��3��3��3��3��3�. �3��3��3��3��3��3� �3��3��3� �3��3��3��3��3� �3��3��3��3�,
++�3��3��3� �3��3��3��3��3��3��3��3��3� �3��3��3��3��3�. �3��3��3��3� �3��3��3��3��3��3��3��3�,
++�3��3��3��3��3� �3��3��3��3��3� �3��3��3��3��3��3��3��3� �3��3��3��3��3��3�, �3��3��3��3�
++�3��3��3��3��3� �3��3��3��3��3��3��3��3��3� �3��3��3��3�, �3��3��3� �3��3��3��3��3��3��3��3��3��3�
++�3��3��3��3� �3��3��3��3��3��3� �3��3� �3��3��3��3��3�. �3��3��3��3��3��3� �3��3��3��3��3��3�
++�3��3��3��3� �3��3��3� �3��3��3��3� �3��3��3��3� �3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3�.
++�3��3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3� �3��3��3�, �3��3�
++�3��3��3��3��3��3��3� �3��3��3� �3��3��3��3��3��3��3� �3��3�. �3��3��3� �3��3��3��3��3��3��3�
++�3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3��3��3�. �3��3��3��3��3��3� �3��3��3��3��3��3�
++�3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3�. �3��3��3��3��3��3� �3��3� �3��3��3��3��3�
++�3��3��3��3��3�, �3��3��3� �3��3��3��3��3��3��3��3� �3��3��3��3��3�. �3��3��3��3��3�
++�3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3� �3��3��3��3�, �3��3��3�
++�3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3� �3��3��3��3��3��3��3��3� �3��3�.
++�3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3�.
++�3��3��3��3� �3��3��3��3��3��3��3��3��3��3��3�, �3��3��3��3� �3��3��3��3��3�
++�3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3�, �3��3��3��3� �3��3��3��3�
++�3��3��3��3��3��3��3��3� �3��3��3��3��3��3�, �3��3� �3��3��3��3��3��3��3��3� �3��3��3��3��3� �3��3��3�
++�3��3� �3��3��3��3��3�. �3��3��3� �3��3� �3��3��3��3� �3��3��3��3��3��3�, �3��3��3��3��3�
++�3��3��3��3��3��3��3��3� �3��3��3��3��3�. �3��3��3��3��3��3��3� �3��3� �3��3��3��3�,
++�3��3��3��3��3��3��3� �3��3��3� �3��3��3��3��3��3��3��3� �3��3��3�, �3��3��3��3��3��3��3��3��3�
++�3��3��3��3� �3��3��3��3�. �3��3��3��3��3� �3��3��3��3��3� �3��3��3��3��3�,
++�3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3� �3��3��3��3��3��3��3��3� �3��3��3�,
++�3��3��3��3��3��3��3� �3��3� �3��3��3��3�.
++�3��3��3��3��3��3��3��3��3� �3��3��3� �3��3��3��3� �3��3��3��3�, �3��3��3� �3��3��3��3�
++�3��3��3��3��3��3��3��3��3� �3��3��3��3��3�. �3��3��3� �3��3��3��3��3��3��3��3�
++�3��3��3��3��3��3��3��3��3� �3��3��3��3�, �3��3� �3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3�
++�3��3��3��3��3��3��3� �3��3��3�. �3��3��3� �3��3� �3��3��3��3�, �3��3��3��3��3��3��3��3��3� �3��3�
++�3��3��3��3��3��3��3��3��3� �3��3��3�, �3��3��3��3��3��3��3��3� �3��3� �3��3��3��3��3�.
++�3��3��3��3��3��3��3��3��3��3� �3��3��3� �3��3��3��3��3� �3��3��3��3��3� �3��3��3��3��3��3�
++�3��3��3��3��3��3� �3��3��3��3��3��3��3� �3��3� �3��3��3� �3��3��3��3�. �3��3��3��3��3��3��3�
++�3��3��3��3� �3��3��3��3��3��3�, �3��3��3��3��3��3� �3��3� �3��3��3��3��3��3��3� �3��3��3�,
++�3��3��3��3��3��3��3� �3��3��3��3� �3��3��3��3�. �3��3��3��3��3� �3��3��3��3��3��3��3� �3��3��3��3�
++�3��3� �3��3��3��3� �3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3�. �3��3��3� �3��3��3��3��3��3��3�
++�3��3��3��3��3� �3��3��3��3�, �3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3�
++�3��3��3��3��3��3��3��3��3� �3��3��3��3��3�. �3��3��3��3��3� �3��3� �3��3��3��3��3��3��3��3�
++�3��3��3��3�. �3��3� �3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3�
++�3��3��3� �3��3��3��3��3��3��3�. �3��3��3��3� �3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3�
++�3��3��3��3��3� �3��3� �3��3��3��3��3��3�. �3��3��3��3��3� �3��3��3��3��3��3��3��3�. �3��3��3��3�
++�3��3��3� �3��3��3��3��3� �3��3� �3��3��3��3��3��3� �3��3��3��3��3��3� �3��3��3��3��3��3��3��3�
++�3��3��3� �3��3��3� �3��3��3��3��3�. �3��3��3��3��3� �3��3��3��3� �3��3��3��3� �3��3�
++�3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3� �3��3��3� �3��3�
++�3��3��3��3��3�. �3��3� �3��3� �3��3��3��3��3��3� �3��3��3��3��3�, �3��3��3��3� �3��3��3��3��3��3��3�
++�3��3��3��3�. �3��3��3� �3��3��3� �3��3��3��3��3� �3��3��3��3��3��3�, �3��3��3��3� �3��3��3��3��3��3�
++�3��3��3��3�. �3��3��3��3��3��3� �3��3��3��3��3��3� �3��3��3�, �3��3��3��3��3��3� �3��3�
++�3��3��3��3��3��3��3��3� �3��3�, �3��3��3��3��3��3��3��3� �3��3��3� �3��3��3��3�. �3��3��3��3�
++�3��3��3��3��3��3� �3��3��3��3��3��3��3� �3��3��3��3� �3��3��3��3��3� �3��3��3��3��3��3��3��3��3�.
++�3��3� �3��3��3��3� �3��3��3��3�, �3��3��3��3��3��3��3��3��3��3��3� �3��3��3� �3��3��3��3��3��3��3��3�
++�3��3��3��3��3��3��3��3�, �3��3��3��3��3��3��3��3��3� �3� �3��3��3��3�.
++�3��3��3��3��3��3��3��3��3��3��3��3� �3��3��3� �3��3��3��3��3��3� �3��3��3��3� �3��3��3�
++�3��3��3��3��3��3� �3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3� �3� �3��3��3��3��3��3�.
++�3��3��3��3��3� �3��3� �3��3��3��3��3��3� �3��3��3��3��3� �3��3��3��3� �3��3��3��3��3��3�
++�3��3��3��3��3��3��3��3��3� �3��3� �3��3��3��3��3� �3��3��3��3�. �3��3��3� �3��3� �3��3��3��3��3��3�
++�3��3��3��3��3�, �3��3� �3��3��3��3��3��3� �3��3��3��3��3��3�. �3��3��3��3��3� �3��3�
++�3��3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3�. �3��3��3��3��3� �3��3��3��3��3��3��3�,
++�3��3��3��3��3��3� �3��3� �3��3��3��3��3��3� �3��3��3��3��3��3��3�, �3��3��3� �3��3��3��3�
++�3��3��3��3��3��3��3��3��3� �3��3��3��3��3�, �3��3��3� �3��3��3��3��3��3��3� �3��3� �3��3��3��3� �3��3�
++�3��3��3��3�. �3��3��3��3��3��3��3� �3��3��3��3� �3��3��3��3��3��3��3��3�.
++�3��3��3��3��3��3��3��3��3��3��3��3� �3��3��3� �3��3��3��3� �3��3� �3��3��3��3��3�
++�3��3��3��3��3��3��3��3� �3��3��3��3��3��3� �3� �3��3� �3��3��3��3�. �3��3��3��3��3� �3��3�
++�3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3�. �3��3��3��3��3� �3��3��3��3��3��3��3��3��3�
++�3��3��3��3��3��3��3��3� �3��3��3��3��3�, �3��3� �3��3��3��3��3��3��3��3� �3��3��3��3�
++�3��3��3��3��3��3� �3��3��3�. �3��3� �3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3� �3��3��3�
++�3��3��3��3� �3��3��3��3��3��3� �3��3��3��3� �3��3��3��3��3��3��3��3� �3��3��3��3��3�
++�3��3��3��3��3��3��3��3�. �3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3� �3��3��3��3�,
++�3��3��3��3��3��3��3��3��3� �3��3��3��3��3� �3��3��3��3��3��3��3� �3��3��3��3�, �3��3��3��3��3��3��3��3�
++�3��3��3� �3��3��3��3��3�. �3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3�
++�3��3��3��3��3��3��3��3�. �3��3��3��3��3� �3��3��3��3��3��3� �3��3��3��3� �3��3��3��3�.
++�3��3��3��3��3��3��3� �3��3��3��3� �3��3��3��3� �3��3��3��3��3�. �3��3��3��3� �3��3��3��3��3��3�,
++�3��3��3��3� �3��3��3� �3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3�, �3��3��3��3��3�
++�3��3��3��3� �3��3��3��3��3��3��3��3� �3��3�, �3��3��3� �3��3��3��3��3��3��3��3� �3��3��3��3� �3��3�
++�3� �3��3��3��3��3�. �3��3��3��3��3��3��3��3��3� �3��3� �3��3��3��3� �3��3� �3��3��3�
++�3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3�. �3��3��3��3��3��3��3��3��3��3��3��3�
++�3��3��3��3��3��3��3��3� �3��3��3��3��3��3� �3��3��3��3��3��3� �3��3��3��3��3��3��3�
++�3��3��3��3��3��3��3��3��3��3��3�. �3��3��3��3��3� �3��3��3��3��3��3��3��3��3�, �3��3��3��3� �3��3��3�
++�3��3��3��3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3��3��3��3��3��3�, �3��3��3��3��3��3� �3��3��3��3�
++�3��3��3��3��3��3��3� �3��3��3��3��3�, �3��3��3� �3��3��3��3� �3��3��3��3��3��3��3��3��3�
++�3��3��3��3��3� �3��3��3��3��3� �3��3��3��3��3� �3��3��3��3��3��3�. �3��3��3��3��3��3��3��3�
++�3��3��3��3��3��3��3��3� �3��3��3��3��3��3��3� �3��3��3��3��3� �3��3��3� �3��3��3��3��3��3��3��3�. </p>
++</body>
++</html>
+diff --git a/mozilla/layout/reftests/bugs/600974-3.html b/mozilla/layout/reftests/bugs/600974-3.html
+new file mode 100644
+index 0000000000000000000000000000000000000000..136cee96bafd67c369f2f83530db2209844fda14
+GIT binary patch
+literal 11314
+
+literal 0
+Hc-jL100001
+
+diff --git a/mozilla/layout/reftests/bugs/reftest.list b/mozilla/layout/reftests/bugs/reftest.list
+index 87a8b4e..427a2d4 100644
+--- a/mozilla/layout/reftests/bugs/reftest.list
++++ b/mozilla/layout/reftests/bugs/reftest.list
+@@ -1054,4 +1054,6 @@ fails == 494667-2.html 494667-2-ref.html # needs bug 155955 (not on 1.9.1 branch
+ != 513318-2.xul 513318-2-ref.xul
+ != 513318-3.xul 513318-3-ref.xul
+ == 600974-1.html 600974-1-ref.html
++== 600974-2.html 600974-1-ref.html
++== 600974-3.html 600974-1-ref.html
+ == 603423-1.html 603423-1-ref.html
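Review bot: both new entries compare against `600974-1-ref.html`, but 600974-3.html is added as a binary patch, so nothing reviewable says which encoding it exercises (600974-1.html and 600974-2.html state theirs in an HTML comment). Add a trailing `#` comment on the `== 600974-3.html` line naming the encoding.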
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-600974.patch iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-600974.patch
--- iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-600974.patch	1970-01-01 01:00:00.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/security/squeeze1/Tests-for-bug-600974.patch	2011-03-27 16:11:15.000000000 +0200
@@ -0,0 +1,142 @@
+From: Simon Montagu <smontagu@smontagu.org>
+Date: Thu, 14 Oct 2010 00:44:33 -0700
+Subject: Tests for bug 600974
+
+---
+ layout/reftests/bugs/600974-1-ref.html |   93 ++++++++++++++++++++++++++++++++
+ layout/reftests/bugs/600974-1.html     |   15 +++++
+ layout/reftests/bugs/reftest.list      |    1 +
+ 3 files changed, 109 insertions(+), 0 deletions(-)
+ create mode 100644 layout/reftests/bugs/600974-1-ref.html
+ create mode 100644 layout/reftests/bugs/600974-1.html
+
+diff --git a/mozilla/layout/reftests/bugs/600974-1-ref.html b/mozilla/layout/reftests/bugs/600974-1-ref.html
+new file mode 100644
+index 0000000..9bf883b
+--- /dev/null
++++ b/mozilla/layout/reftests/bugs/600974-1-ref.html
+@@ -0,0 +1,93 @@
++<!DOCTYPE HTML>
++<html>
++<head>
++  <meta http-equiv="Content-Type"
++ content="text/html; charset=ISO-8859-1">
++  <title></title>
++</head>
++<body>
++<p>&#120443;&#120472;&#120475;&#120462;&#120470; &#120466;&#120473;&#120476;&#120478;&#120470; &#120461;&#120472;&#120469;&#120472;&#120475; &#120476;&#120466;&#120477; &#120458;&#120470;&#120462;&#120477;,
++&#120460;&#120472;&#120471;&#120476;&#120462;&#120460;&#120477;&#120462;&#120477;&#120478;&#120475; &#120458;&#120461;&#120466;&#120473;&#120466;&#120476;&#120460;&#120466;&#120471;&#120464; &#120462;&#120469;&#120466;&#120477;. &#120432;&#120469;&#120466;&#120474;&#120478;&#120458;&#120470;
++&#120479;&#120462;&#120469; &#120458;&#120475;&#120460;&#120478; &#120471;&#120466;&#120459;&#120465;, &#120479;&#120462;&#120469; &#120461;&#120466;&#120460;&#120477;&#120478;&#120470; &#120477;&#120472;&#120475;&#120477;&#120472;&#120475;. &#120434;&#120475;&#120458;&#120476;
++&#120466;&#120458;&#120460;&#120478;&#120469;&#120466;&#120476; &#120462;&#120469;&#120466;&#120477; &#120462;&#120464;&#120462;&#120477; &#120471;&#120478;&#120471;&#120460; &#120476;&#120472;&#120469;&#120469;&#120466;&#120460;&#120466;&#120477;&#120478;&#120461;&#120466;&#120471; &#120462;&#120477;
++&#120460;&#120472;&#120470;&#120470;&#120472;&#120461;&#120472; &#120479;&#120462;&#120469;&#120466;&#120477; &#120458;&#120469;&#120466;&#120474;&#120478;&#120458;&#120470;. &#120448;&#120478;&#120466;&#120476;&#120474;&#120478;&#120462; &#120479;&#120462;&#120469;
++&#120459;&#120466;&#120459;&#120462;&#120471;&#120461;&#120478;&#120470; &#120470;&#120458;&#120478;&#120475;&#120466;&#120476;. &#120445;&#120478;&#120469;&#120469;&#120458;&#120470; &#120471;&#120462;&#120460; &#120463;&#120462;&#120469;&#120466;&#120476; &#120461;&#120466;&#120458;&#120470;,
++&#120479;&#120462;&#120469; &#120479;&#120478;&#120469;&#120473;&#120478;&#120477;&#120458;&#120477;&#120462; &#120473;&#120478;&#120475;&#120478;&#120476;. &#120434;&#120475;&#120458;&#120476; &#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458;,
++&#120479;&#120462;&#120469;&#120466;&#120477; &#120479;&#120466;&#120477;&#120458;&#120462; &#120473;&#120478;&#120469;&#120479;&#120466;&#120471;&#120458;&#120475; &#120460;&#120478;&#120475;&#120476;&#120478;&#120476;, &#120471;&#120466;&#120476;&#120469;
++&#120473;&#120478;&#120475;&#120478;&#120476; &#120473;&#120472;&#120475;&#120477;&#120477;&#120466;&#120477;&#120472;&#120475; &#120474;&#120478;&#120458;&#120470;, &#120471;&#120472;&#120471; &#120458;&#120461;&#120466;&#120473;&#120466;&#120476;&#120460;&#120466;&#120471;&#120464;
++&#120462;&#120475;&#120472;&#120476; &#120470;&#120458;&#120478;&#120475;&#120466;&#120476; &#120462;&#120478; &#120463;&#120462;&#120469;&#120466;&#120476;. &#120445;&#120478;&#120469;&#120469;&#120458;&#120470; &#120469;&#120478;&#120460;&#120477;&#120478;&#120476;
++&#120471;&#120466;&#120476;&#120466; &#120476;&#120466;&#120477; &#120458;&#120470;&#120462;&#120477; &#120471;&#120466;&#120476;&#120469; &#120476;&#120472;&#120461;&#120458;&#120469;&#120462;&#120476; &#120466;&#120471;&#120477;&#120462;&#120475;&#120461;&#120478;&#120470;.
++&#120447;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120479;&#120478;&#120469;&#120473;&#120478;&#120477;&#120458;&#120477;&#120462; &#120458;&#120469;&#120466;&#120474;&#120478;&#120458;&#120470; &#120469;&#120462;&#120472;, &#120466;&#120461;
++&#120475;&#120465;&#120472;&#120471;&#120460;&#120478;&#120476; &#120476;&#120462;&#120470; &#120460;&#120472;&#120470;&#120470;&#120472;&#120461;&#120472; &#120466;&#120461;. &#120450;&#120462;&#120461; &#120469;&#120458;&#120472;&#120475;&#120462;&#120462;&#120477;
++&#120466;&#120471;&#120477;&#120462;&#120475;&#120461;&#120478;&#120470; &#120460;&#120472;&#120471;&#120461;&#120466;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470;. &#120445;&#120478;&#120469;&#120469;&#120458;&#120470; &#120472;&#120475;&#120471;&#120458;&#120475;&#120462;
++&#120479;&#120462;&#120476;&#120477;&#120466;&#120459;&#120478;&#120469;&#120478;&#120470; &#120473;&#120472;&#120475;&#120477;&#120458;. &#120432;&#120462;&#120471;&#120462;&#120458;&#120471; &#120466;&#120461; &#120461;&#120472;&#120469;&#120472;&#120475;
++&#120461;&#120472;&#120469;&#120472;&#120475;, &#120471;&#120462;&#120460; &#120462;&#120469;&#120462;&#120466;&#120463;&#120462;&#120471;&#120461; &#120471;&#120462;&#120474;&#120478;&#120462;. &#120435;&#120472;&#120471;&#120462;&#120460;
++&#120477;&#120466;&#120471;&#120460;&#120466;&#120461;&#120478;&#120471;&#120477; &#120460;&#120472;&#120470;&#120470;&#120472;&#120461;&#120472; &#120471;&#120466;&#120476;&#120469;, &#120471;&#120472;&#120471;
++&#120476;&#120460;&#120462;&#120469;&#120462;&#120475;&#120466;&#120476;&#120474;&#120478;&#120462; &#120461;&#120472;&#120469;&#120472;&#120475; &#120458;&#120460;&#120460;&#120478;&#120470;&#120476;&#120458;&#120471; &#120466;&#120461;.
++&#120447;&#120475;&#120458;&#120462;&#120476;&#120462;&#120471;&#120477; &#120459;&#120466;&#120459;&#120462;&#120471;&#120461;&#120478;&#120470; &#120479;&#120466;&#120479;&#120462;&#120475;&#120475;&#120458; &#120476;&#120478;&#120476;&#120460;&#120466;&#120473;&#120466;&#120477;.
++&#120445;&#120478;&#120471;&#120460; &#120460;&#120472;&#120471;&#120461;&#120466;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470;, &#120458;&#120471;&#120477;&#120462; &#120479;&#120466;&#120477;&#120458;&#120462;
++&#120460;&#120472;&#120471;&#120461;&#120466;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470; &#120475;&#120465;&#120472;&#120471;&#120460;&#120478;&#120476;, &#120471;&#120478;&#120471;&#120460; &#120471;&#120466;&#120459;&#120465;
++&#120473;&#120478;&#120469;&#120479;&#120466;&#120471;&#120458;&#120475; &#120477;&#120478;&#120475;&#120473;&#120466;&#120476;, &#120466;&#120471; &#120469;&#120472;&#120459;&#120472;&#120475;&#120477;&#120466;&#120476; &#120469;&#120458;&#120460;&#120478;&#120476; &#120469;&#120462;&#120472;
++&#120478;&#120477; &#120475;&#120466;&#120476;&#120478;&#120476;. &#120450;&#120462;&#120461; &#120466;&#120471; &#120462;&#120471;&#120466;&#120470; &#120477;&#120472;&#120475;&#120477;&#120472;&#120475;, &#120479;&#120466;&#120477;&#120458;&#120462;
++&#120458;&#120460;&#120460;&#120478;&#120470;&#120476;&#120458;&#120471; &#120475;&#120466;&#120476;&#120478;&#120476;. &#120432;&#120469;&#120466;&#120474;&#120478;&#120458;&#120470; &#120470;&#120466; &#120462;&#120475;&#120458;&#120477;,
++&#120460;&#120472;&#120470;&#120470;&#120472;&#120461;&#120472; &#120471;&#120462;&#120460; &#120469;&#120472;&#120459;&#120472;&#120475;&#120477;&#120466;&#120476; &#120471;&#120472;&#120471;, &#120461;&#120466;&#120464;&#120471;&#120466;&#120476;&#120476;&#120466;&#120470;
++&#120462;&#120464;&#120462;&#120477; &#120462;&#120475;&#120472;&#120476;. &#120437;&#120478;&#120476;&#120460;&#120462; &#120469;&#120458;&#120460;&#120478;&#120476; &#120470;&#120458;&#120476;&#120476;&#120458;,
++&#120460;&#120472;&#120471;&#120476;&#120462;&#120460;&#120477;&#120462;&#120477;&#120478;&#120475; &#120479;&#120466;&#120477;&#120458;&#120462; &#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458; &#120476;&#120462;&#120461;,
++&#120479;&#120466;&#120479;&#120462;&#120475;&#120475;&#120458; &#120466;&#120471; &#120474;&#120478;&#120458;&#120470;.
++&#120434;&#120478;&#120475;&#120458;&#120459;&#120466;&#120477;&#120478;&#120475; &#120471;&#120462;&#120460; &#120458;&#120475;&#120460;&#120478; &#120474;&#120478;&#120458;&#120470;, &#120476;&#120466;&#120477; &#120458;&#120470;&#120462;&#120477;
++&#120477;&#120466;&#120471;&#120460;&#120466;&#120461;&#120478;&#120471;&#120477; &#120469;&#120458;&#120460;&#120478;&#120476;. &#120450;&#120462;&#120461; &#120470;&#120472;&#120469;&#120462;&#120476;&#120477;&#120466;&#120462;
++&#120461;&#120466;&#120464;&#120471;&#120466;&#120476;&#120476;&#120466;&#120470; &#120471;&#120466;&#120476;&#120469;, &#120458;&#120477; &#120463;&#120462;&#120475;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470; &#120470;&#120458;&#120478;&#120475;&#120466;&#120476;
++&#120462;&#120464;&#120462;&#120476;&#120477;&#120458;&#120476; &#120471;&#120462;&#120460;. &#120450;&#120462;&#120461; &#120470;&#120466; &#120474;&#120478;&#120458;&#120470;, &#120478;&#120469;&#120477;&#120475;&#120466;&#120460;&#120466;&#120462;&#120476; &#120478;&#120477;
++&#120477;&#120466;&#120471;&#120460;&#120466;&#120461;&#120478;&#120471;&#120477; &#120479;&#120462;&#120469;, &#120459;&#120466;&#120459;&#120462;&#120471;&#120461;&#120478;&#120470; &#120458;&#120460; &#120470;&#120458;&#120476;&#120476;&#120458;.
++&#120453;&#120462;&#120476;&#120477;&#120466;&#120459;&#120478;&#120469;&#120478;&#120470; &#120479;&#120462;&#120469; &#120475;&#120466;&#120476;&#120478;&#120476; &#120473;&#120472;&#120475;&#120477;&#120458; &#120470;&#120458;&#120478;&#120475;&#120466;&#120476;
++&#120477;&#120462;&#120470;&#120473;&#120472;&#120475; &#120459;&#120469;&#120458;&#120471;&#120461;&#120466;&#120477; &#120462;&#120478; &#120479;&#120462;&#120469; &#120461;&#120466;&#120458;&#120470;. &#120448;&#120478;&#120466;&#120476;&#120474;&#120478;&#120462;
++&#120462;&#120475;&#120472;&#120476; &#120469;&#120466;&#120459;&#120462;&#120475;&#120472;, &#120477;&#120462;&#120470;&#120473;&#120472;&#120475; &#120478;&#120477; &#120462;&#120464;&#120462;&#120476;&#120477;&#120458;&#120476; &#120471;&#120462;&#120460;,
++&#120458;&#120469;&#120466;&#120474;&#120478;&#120462;&#120477; &#120462;&#120464;&#120462;&#120477; &#120462;&#120469;&#120466;&#120477;. &#120435;&#120472;&#120471;&#120462;&#120460; &#120459;&#120469;&#120458;&#120471;&#120461;&#120466;&#120477; &#120472;&#120461;&#120466;&#120472;
++&#120458;&#120477; &#120471;&#120466;&#120459;&#120465; &#120479;&#120458;&#120475;&#120466;&#120478;&#120476; &#120477;&#120475;&#120466;&#120476;&#120477;&#120466;&#120474;&#120478;&#120462;. &#120450;&#120462;&#120461; &#120475;&#120465;&#120472;&#120471;&#120460;&#120478;&#120476;
++&#120473;&#120472;&#120475;&#120477;&#120458; &#120472;&#120475;&#120460;&#120466;, &#120473;&#120469;&#120458;&#120460;&#120462;&#120475;&#120458;&#120477; &#120460;&#120472;&#120471;&#120461;&#120466;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470; &#120472;&#120475;&#120460;&#120466;
++&#120466;&#120470;&#120473;&#120462;&#120475;&#120461;&#120466;&#120462;&#120477; &#120479;&#120466;&#120477;&#120458;&#120462;. &#120436;&#120477;&#120466;&#120458;&#120470; &#120462;&#120478; &#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458;
++&#120462;&#120475;&#120472;&#120476;. &#120440;&#120471; &#120479;&#120462;&#120471;&#120462;&#120471;&#120458;&#120477;&#120466;&#120476; &#120473;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120469;&#120466;&#120459;&#120462;&#120475;&#120472;
++&#120476;&#120462;&#120461; &#120462;&#120464;&#120462;&#120476;&#120477;&#120458;&#120476;. &#120435;&#120478;&#120466;&#120476; &#120477;&#120466;&#120471;&#120460;&#120466;&#120461;&#120478;&#120471;&#120477; &#120470;&#120472;&#120469;&#120462;&#120476;&#120477;&#120466;&#120462;
++&#120475;&#120466;&#120476;&#120478;&#120476; &#120466;&#120461; &#120475;&#120478;&#120477;&#120475;&#120478;&#120470;. &#120445;&#120478;&#120469;&#120469;&#120458; &#120463;&#120458;&#120460;&#120466;&#120469;&#120466;&#120476;&#120466;. &#120435;&#120478;&#120466;&#120476;
++&#120479;&#120462;&#120469; &#120473;&#120478;&#120475;&#120478;&#120476; &#120458;&#120460; &#120469;&#120466;&#120459;&#120462;&#120475;&#120472; &#120475;&#120478;&#120477;&#120475;&#120478;&#120470; &#120478;&#120469;&#120477;&#120475;&#120466;&#120460;&#120462;&#120476;
++&#120476;&#120462;&#120461; &#120479;&#120462;&#120469; &#120458;&#120478;&#120464;&#120478;&#120462;. &#120435;&#120472;&#120471;&#120462;&#120460; &#120462;&#120464;&#120462;&#120477; &#120461;&#120466;&#120458;&#120470; &#120462;&#120477;
++&#120469;&#120466;&#120459;&#120462;&#120475;&#120472; &#120473;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120479;&#120462;&#120471;&#120462;&#120471;&#120458;&#120477;&#120466;&#120476; &#120471;&#120472;&#120471; &#120462;&#120477;
++&#120473;&#120478;&#120475;&#120478;&#120476;. &#120452;&#120477; &#120462;&#120478; &#120469;&#120462;&#120460;&#120477;&#120478;&#120476; &#120473;&#120478;&#120475;&#120478;&#120476;, &#120462;&#120464;&#120462;&#120477; &#120464;&#120475;&#120458;&#120479;&#120466;&#120461;&#120458;
++&#120462;&#120475;&#120458;&#120477;. &#120450;&#120462;&#120461; &#120471;&#120462;&#120460; &#120463;&#120462;&#120469;&#120466;&#120476; &#120469;&#120466;&#120464;&#120478;&#120469;&#120458;, &#120462;&#120464;&#120462;&#120477; &#120469;&#120478;&#120460;&#120477;&#120478;&#120476;
++&#120462;&#120475;&#120458;&#120477;. &#120444;&#120458;&#120478;&#120475;&#120466;&#120476; &#120476;&#120458;&#120473;&#120466;&#120462;&#120471; &#120462;&#120476;&#120477;, &#120470;&#120458;&#120477;&#120477;&#120466;&#120476; &#120478;&#120477;
++&#120463;&#120458;&#120478;&#120460;&#120466;&#120459;&#120478;&#120476; &#120462;&#120477;, &#120463;&#120458;&#120478;&#120460;&#120466;&#120459;&#120478;&#120476; &#120471;&#120462;&#120460; &#120471;&#120478;&#120471;&#120460;. &#120445;&#120478;&#120471;&#120460;
++&#120477;&#120462;&#120470;&#120473;&#120478;&#120476; &#120466;&#120458;&#120460;&#120478;&#120469;&#120466;&#120476; &#120478;&#120475;&#120471;&#120458; &#120479;&#120466;&#120477;&#120458;&#120462; &#120461;&#120466;&#120464;&#120471;&#120466;&#120476;&#120476;&#120466;&#120470;.
++&#120440;&#120471; &#120471;&#120478;&#120471;&#120460; &#120471;&#120466;&#120476;&#120466;, &#120478;&#120469;&#120469;&#120458;&#120470;&#120460;&#120472;&#120475;&#120473;&#120462;&#120475; &#120479;&#120462;&#120469; &#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458;
++&#120479;&#120472;&#120469;&#120478;&#120477;&#120473;&#120458;&#120477;, &#120466;&#120470;&#120473;&#120462;&#120475;&#120461;&#120466;&#120462;&#120477; &#120458; &#120461;&#120466;&#120458;&#120470;.
++&#120447;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120479;&#120462;&#120469; &#120469;&#120466;&#120464;&#120478;&#120469;&#120458; &#120462;&#120464;&#120462;&#120477; &#120469;&#120462;&#120472;
++&#120458;&#120478;&#120460;&#120477;&#120472;&#120475; &#120475;&#120465;&#120472;&#120471;&#120460;&#120478;&#120476; &#120460;&#120472;&#120471;&#120479;&#120458;&#120469;&#120469;&#120466;&#120476; &#120458; &#120477;&#120472;&#120475;&#120477;&#120472;&#120475;.
++&#120436;&#120477;&#120466;&#120458;&#120470; &#120458;&#120477; &#120469;&#120462;&#120460;&#120477;&#120478;&#120476; &#120479;&#120466;&#120477;&#120458;&#120462; &#120458;&#120471;&#120477;&#120462; &#120477;&#120462;&#120470;&#120473;&#120478;&#120476;
++&#120478;&#120469;&#120477;&#120475;&#120466;&#120460;&#120466;&#120462;&#120476; &#120478;&#120477; &#120479;&#120466;&#120477;&#120458;&#120462; &#120462;&#120469;&#120466;&#120477;. &#120445;&#120458;&#120470; &#120466;&#120471; &#120477;&#120478;&#120475;&#120473;&#120466;&#120476;
++&#120466;&#120473;&#120476;&#120478;&#120470;, &#120458;&#120477; &#120470;&#120458;&#120477;&#120477;&#120466;&#120476; &#120477;&#120472;&#120475;&#120477;&#120472;&#120475;. &#120445;&#120478;&#120469;&#120469;&#120458; &#120462;&#120477;
++&#120473;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120471;&#120462;&#120474;&#120478;&#120462;. &#120435;&#120472;&#120471;&#120462;&#120460; &#120469;&#120458;&#120460;&#120466;&#120471;&#120466;&#120458;,
++&#120477;&#120478;&#120475;&#120473;&#120466;&#120476; &#120478;&#120477; &#120461;&#120466;&#120460;&#120477;&#120478;&#120470; &#120476;&#120472;&#120461;&#120458;&#120469;&#120462;&#120476;, &#120461;&#120478;&#120466; &#120471;&#120466;&#120476;&#120466;
++&#120463;&#120458;&#120460;&#120466;&#120469;&#120466;&#120476;&#120466;&#120476; &#120475;&#120466;&#120476;&#120478;&#120476;, &#120476;&#120462;&#120461; &#120459;&#120469;&#120458;&#120471;&#120461;&#120466;&#120477; &#120470;&#120466; &#120462;&#120469;&#120466;&#120477; &#120478;&#120477;
++&#120471;&#120466;&#120459;&#120465;. &#120432;&#120469;&#120466;&#120474;&#120478;&#120458;&#120470; &#120462;&#120475;&#120458;&#120477; &#120479;&#120472;&#120469;&#120478;&#120477;&#120473;&#120458;&#120477;.
++&#120447;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120471;&#120462;&#120460; &#120462;&#120469;&#120466;&#120477; &#120466;&#120461; &#120467;&#120478;&#120476;&#120477;&#120472;
++&#120466;&#120471;&#120477;&#120462;&#120475;&#120461;&#120478;&#120470; &#120472;&#120475;&#120471;&#120458;&#120475;&#120462; &#120458; &#120466;&#120471; &#120461;&#120466;&#120458;&#120470;. &#120444;&#120472;&#120475;&#120459;&#120466; &#120458;&#120477;
++&#120463;&#120475;&#120466;&#120471;&#120464;&#120466;&#120469;&#120469;&#120458; &#120469;&#120462;&#120460;&#120477;&#120478;&#120476;. &#120435;&#120472;&#120471;&#120462;&#120460; &#120460;&#120472;&#120471;&#120479;&#120458;&#120469;&#120469;&#120466;&#120476;
++&#120462;&#120469;&#120462;&#120466;&#120463;&#120462;&#120471;&#120461; &#120463;&#120462;&#120469;&#120466;&#120476;, &#120466;&#120461; &#120476;&#120458;&#120464;&#120466;&#120477;&#120477;&#120466;&#120476; &#120478;&#120475;&#120471;&#120458;
++&#120470;&#120458;&#120477;&#120477;&#120466;&#120476; &#120471;&#120462;&#120460;. &#120452;&#120477; &#120460;&#120472;&#120471;&#120476;&#120462;&#120474;&#120478;&#120458;&#120477; &#120477;&#120478;&#120475;&#120473;&#120466;&#120476; &#120479;&#120462;&#120469;
++&#120474;&#120478;&#120458;&#120470; &#120477;&#120462;&#120470;&#120473;&#120472;&#120475; &#120462;&#120464;&#120462;&#120477; &#120478;&#120469;&#120477;&#120475;&#120466;&#120460;&#120462;&#120476; &#120471;&#120462;&#120474;&#120478;&#120462;
++&#120470;&#120472;&#120469;&#120462;&#120476;&#120477;&#120466;&#120462;. &#120450;&#120478;&#120476;&#120473;&#120462;&#120471;&#120461;&#120466;&#120476;&#120476;&#120462; &#120477;&#120462;&#120469;&#120469;&#120478;&#120476; &#120471;&#120466;&#120476;&#120466;,
++&#120465;&#120462;&#120471;&#120461;&#120475;&#120462;&#120475;&#120466;&#120477; &#120479;&#120466;&#120477;&#120458;&#120462; &#120473;&#120472;&#120476;&#120478;&#120462;&#120475;&#120462; &#120462;&#120464;&#120462;&#120477;, &#120473;&#120469;&#120458;&#120460;&#120462;&#120475;&#120458;&#120477;
++&#120476;&#120462;&#120461; &#120470;&#120462;&#120477;&#120478;&#120476;. &#120440;&#120471;&#120477;&#120462;&#120464;&#120462;&#120475; &#120473;&#120469;&#120458;&#120460;&#120462;&#120475;&#120458;&#120477; &#120466;&#120470;&#120473;&#120462;&#120475;&#120461;&#120466;&#120462;&#120477;
++&#120473;&#120469;&#120458;&#120460;&#120462;&#120475;&#120458;&#120477;. &#120444;&#120472;&#120475;&#120459;&#120466; &#120477;&#120462;&#120470;&#120473;&#120478;&#120476; &#120471;&#120478;&#120471;&#120460; &#120471;&#120478;&#120471;&#120460;.
++&#120440;&#120471;&#120477;&#120462;&#120464;&#120462;&#120475; &#120474;&#120478;&#120466;&#120476; &#120472;&#120475;&#120460;&#120466; &#120463;&#120462;&#120469;&#120466;&#120476;. &#120445;&#120478;&#120471;&#120460; &#120476;&#120462;&#120470;&#120473;&#120462;&#120475;,
++&#120458;&#120475;&#120460;&#120478; &#120471;&#120472;&#120471; &#120460;&#120472;&#120471;&#120476;&#120462;&#120474;&#120478;&#120458;&#120477; &#120461;&#120466;&#120464;&#120471;&#120466;&#120476;&#120476;&#120466;&#120470;, &#120469;&#120472;&#120475;&#120462;&#120470;
++&#120478;&#120475;&#120471;&#120458; &#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458; &#120470;&#120466;, &#120471;&#120462;&#120460; &#120458;&#120460;&#120460;&#120478;&#120470;&#120476;&#120458;&#120471; &#120462;&#120471;&#120466;&#120470; &#120470;&#120466;
++&#120458; &#120473;&#120478;&#120475;&#120478;&#120476;. &#120434;&#120478;&#120475;&#120458;&#120459;&#120466;&#120477;&#120478;&#120475; &#120462;&#120477; &#120462;&#120469;&#120466;&#120477; &#120466;&#120471; &#120476;&#120462;&#120470;
++&#120476;&#120472;&#120461;&#120458;&#120469;&#120462;&#120476; &#120466;&#120471;&#120477;&#120462;&#120475;&#120461;&#120478;&#120470;. &#120447;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462;
++&#120476;&#120458;&#120464;&#120466;&#120477;&#120477;&#120466;&#120476; &#120475;&#120478;&#120477;&#120475;&#120478;&#120470; &#120469;&#120462;&#120460;&#120477;&#120478;&#120476; &#120460;&#120472;&#120470;&#120470;&#120472;&#120461;&#120472;
++&#120460;&#120472;&#120471;&#120461;&#120466;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470;. &#120436;&#120477;&#120466;&#120458;&#120470; &#120463;&#120475;&#120466;&#120471;&#120464;&#120466;&#120469;&#120469;&#120458;, &#120474;&#120478;&#120458;&#120470; &#120471;&#120462;&#120460;
++&#120478;&#120469;&#120469;&#120458;&#120470;&#120460;&#120472;&#120475;&#120473;&#120462;&#120475; &#120476;&#120472;&#120469;&#120469;&#120466;&#120460;&#120466;&#120477;&#120478;&#120461;&#120466;&#120471;, &#120477;&#120478;&#120475;&#120473;&#120466;&#120476; &#120471;&#120466;&#120476;&#120466;
++&#120458;&#120469;&#120466;&#120474;&#120478;&#120462;&#120477; &#120475;&#120466;&#120476;&#120478;&#120476;, &#120476;&#120466;&#120477; &#120458;&#120470;&#120462;&#120477; &#120462;&#120469;&#120462;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470;
++&#120461;&#120472;&#120469;&#120472;&#120475; &#120469;&#120472;&#120475;&#120462;&#120470; &#120479;&#120466;&#120477;&#120458;&#120462; &#120469;&#120466;&#120464;&#120478;&#120469;&#120458;. &#120447;&#120475;&#120458;&#120462;&#120476;&#120462;&#120471;&#120477;
++&#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458; &#120458;&#120469;&#120466;&#120474;&#120478;&#120462;&#120477; &#120479;&#120462;&#120469;&#120466;&#120477; &#120476;&#120462;&#120461; &#120473;&#120469;&#120458;&#120460;&#120462;&#120475;&#120458;&#120477;. </p>
++</body>
++</html>
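Review bot: The reference body in this hunk is written entirely as numeric character references under charset=ISO-8859-1, so a reader cannot confirm by eye that it matches the UTF-8 text of 600974-1.html character for character. If the earlier part of this file does not already say so, add a short HTML comment stating that the text was generated from the test file. The comment should also say that the file deliberately avoids raw UTF-8 bytes, presumably so the reference does not go through the decoder being tested. That would make a later mismatch between the two files much easier to diagnose.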
+diff --git a/mozilla/layout/reftests/bugs/600974-1.html b/mozilla/layout/reftests/bugs/600974-1.html
+new file mode 100644
+index 0000000..13de69f
+--- /dev/null
++++ b/mozilla/layout/reftests/bugs/600974-1.html
+@@ -0,0 +1,15 @@
++<!DOCTYPE html>
++<!-- This is a test for decoding supplementary characters. It contains text in
++     Unicode plane 1 encoded as UTF-8. Don't reencode it in any way. -->
++<html>
++<head>
++ <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
++</head>
++<body>
++<p>𝙻𝚘𝚛𝚎𝚖 𝚒𝚙𝚜𝚞𝚖 𝚍𝚘𝚕𝚘𝚛 𝚜𝚒𝚝 𝚊𝚖𝚎𝚝, 𝚌𝚘𝚗𝚜𝚎𝚌𝚝𝚎𝚝𝚞𝚛 𝚊𝚍𝚒𝚙𝚒𝚜𝚌𝚒𝚗𝚐 𝚎𝚕𝚒𝚝. 𝙰𝚕𝚒𝚚𝚞𝚊𝚖 𝚟𝚎𝚕 𝚊𝚛𝚌𝚞 𝚗𝚒𝚋𝚑, 𝚟𝚎𝚕 𝚍𝚒𝚌𝚝𝚞𝚖 𝚝𝚘𝚛𝚝𝚘𝚛. 𝙲𝚛𝚊𝚜 𝚒𝚊𝚌𝚞𝚕𝚒𝚜 𝚎𝚕𝚒𝚝 𝚎𝚐𝚎𝚝 𝚗𝚞𝚗𝚌 𝚜𝚘𝚕𝚕𝚒𝚌𝚒𝚝𝚞𝚍𝚒𝚗 𝚎𝚝 𝚌𝚘𝚖𝚖𝚘𝚍𝚘 𝚟𝚎𝚕𝚒𝚝 𝚊𝚕𝚒𝚚𝚞𝚊𝚖. 𝚀𝚞𝚒𝚜𝚚𝚞𝚎 𝚟𝚎𝚕 𝚋𝚒𝚋𝚎𝚗𝚍𝚞𝚖 𝚖𝚊𝚞𝚛𝚒𝚜. 𝙽𝚞𝚕𝚕𝚊𝚖 𝚗𝚎𝚌 𝚏𝚎𝚕𝚒𝚜 𝚍𝚒𝚊𝚖, 𝚟𝚎𝚕 𝚟𝚞𝚕𝚙𝚞𝚝𝚊𝚝𝚎 𝚙𝚞𝚛𝚞𝚜. 𝙲𝚛𝚊𝚜 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊, 𝚟𝚎𝚕𝚒𝚝 𝚟𝚒𝚝𝚊𝚎 𝚙𝚞𝚕𝚟𝚒𝚗𝚊𝚛 𝚌𝚞𝚛𝚜𝚞𝚜, 𝚗𝚒𝚜𝚕 𝚙𝚞𝚛𝚞𝚜 𝚙𝚘𝚛𝚝𝚝𝚒𝚝𝚘𝚛 𝚚𝚞𝚊𝚖, 𝚗𝚘𝚗 𝚊𝚍𝚒𝚙𝚒𝚜𝚌𝚒𝚗𝚐 𝚎𝚛𝚘𝚜 𝚖𝚊𝚞𝚛𝚒𝚜 𝚎𝚞 𝚏𝚎𝚕𝚒𝚜. 𝙽𝚞𝚕𝚕𝚊𝚖 𝚕𝚞𝚌𝚝𝚞𝚜 𝚗𝚒𝚜𝚒 𝚜𝚒𝚝 𝚊𝚖𝚎𝚝 𝚗𝚒𝚜𝚕 𝚜𝚘𝚍𝚊𝚕𝚎𝚜 𝚒𝚗𝚝𝚎𝚛𝚍𝚞𝚖. 𝙿𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚟𝚞𝚕𝚙𝚞𝚝𝚊𝚝𝚎 𝚊𝚕𝚒𝚚𝚞𝚊𝚖 𝚕𝚎𝚘, 𝚒𝚍 𝚛𝚑𝚘𝚗𝚌𝚞𝚜 𝚜𝚎𝚖 𝚌𝚘𝚖𝚖𝚘𝚍𝚘 𝚒𝚍. 𝚂𝚎𝚍 𝚕𝚊𝚘𝚛𝚎𝚎𝚝 𝚒𝚗𝚝𝚎𝚛𝚍𝚞𝚖 𝚌𝚘𝚗𝚍𝚒𝚖𝚎𝚗𝚝𝚞𝚖. 𝙽𝚞𝚕𝚕𝚊𝚖 𝚘𝚛𝚗𝚊𝚛𝚎 𝚟𝚎𝚜𝚝𝚒𝚋𝚞𝚕𝚞𝚖 𝚙𝚘𝚛𝚝𝚊. 𝙰𝚎𝚗𝚎𝚊𝚗 𝚒𝚍 𝚍𝚘𝚕𝚘𝚛 𝚍𝚘𝚕𝚘𝚛, 𝚗𝚎𝚌 𝚎𝚕𝚎𝚒𝚏𝚎𝚗𝚍 𝚗𝚎𝚚𝚞𝚎. 𝙳𝚘𝚗𝚎𝚌 𝚝𝚒𝚗𝚌𝚒𝚍𝚞𝚗𝚝 𝚌𝚘𝚖𝚖𝚘𝚍𝚘 𝚗𝚒𝚜𝚕, 𝚗𝚘𝚗 𝚜𝚌𝚎𝚕𝚎𝚛𝚒𝚜𝚚𝚞𝚎 𝚍𝚘𝚕𝚘𝚛 𝚊𝚌𝚌𝚞𝚖𝚜𝚊𝚗 𝚒𝚍. 𝙿𝚛𝚊𝚎𝚜𝚎𝚗𝚝 𝚋𝚒𝚋𝚎𝚗𝚍𝚞𝚖 𝚟𝚒𝚟𝚎𝚛𝚛𝚊 𝚜𝚞𝚜𝚌𝚒𝚙𝚒𝚝. 𝙽𝚞𝚗𝚌 𝚌𝚘𝚗𝚍𝚒𝚖𝚎𝚗𝚝𝚞𝚖, 𝚊𝚗𝚝𝚎 𝚟𝚒𝚝𝚊𝚎 𝚌𝚘𝚗𝚍𝚒𝚖𝚎𝚗𝚝𝚞𝚖 𝚛𝚑𝚘𝚗𝚌𝚞𝚜, 𝚗𝚞𝚗𝚌 𝚗𝚒𝚋𝚑 𝚙𝚞𝚕𝚟𝚒𝚗𝚊𝚛 𝚝𝚞𝚛𝚙𝚒𝚜, 𝚒𝚗 𝚕𝚘𝚋𝚘𝚛𝚝𝚒𝚜 𝚕𝚊𝚌𝚞𝚜 𝚕𝚎𝚘 𝚞𝚝 𝚛𝚒𝚜𝚞𝚜. 𝚂𝚎𝚍 𝚒𝚗 𝚎𝚗𝚒𝚖 𝚝𝚘𝚛𝚝𝚘𝚛, 𝚟𝚒𝚝𝚊𝚎 𝚊𝚌𝚌𝚞𝚖𝚜𝚊𝚗 𝚛𝚒𝚜𝚞𝚜. 𝙰𝚕𝚒𝚚𝚞𝚊𝚖 𝚖𝚒 𝚎𝚛𝚊𝚝, 𝚌𝚘𝚖𝚖𝚘𝚍𝚘 𝚗𝚎𝚌 𝚕𝚘𝚋𝚘𝚛𝚝𝚒𝚜 𝚗𝚘𝚗, 𝚍𝚒𝚐𝚗𝚒𝚜𝚜𝚒𝚖 𝚎𝚐𝚎𝚝 𝚎𝚛𝚘𝚜. 𝙵𝚞𝚜𝚌𝚎 𝚕𝚊𝚌𝚞𝚜 𝚖𝚊𝚜𝚜𝚊, 𝚌𝚘𝚗𝚜𝚎𝚌𝚝𝚎𝚝𝚞𝚛 𝚟𝚒𝚝𝚊𝚎 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊 𝚜𝚎𝚍, 𝚟𝚒𝚟𝚎𝚛𝚛𝚊 𝚒𝚗 𝚚𝚞𝚊𝚖.
++
++𝙲𝚞𝚛𝚊𝚋𝚒𝚝𝚞𝚛 𝚗𝚎𝚌 𝚊𝚛𝚌𝚞 𝚚𝚞𝚊𝚖, 𝚜𝚒𝚝 𝚊𝚖𝚎𝚝 𝚝𝚒𝚗𝚌𝚒𝚍𝚞𝚗𝚝 𝚕𝚊𝚌𝚞𝚜. 𝚂𝚎𝚍 𝚖𝚘𝚕𝚎𝚜𝚝𝚒𝚎 𝚍𝚒𝚐𝚗𝚒𝚜𝚜𝚒𝚖 𝚗𝚒𝚜𝚕, 𝚊𝚝 𝚏𝚎𝚛𝚖𝚎𝚗𝚝𝚞𝚖 𝚖𝚊𝚞𝚛𝚒𝚜 𝚎𝚐𝚎𝚜𝚝𝚊𝚜 𝚗𝚎𝚌. 𝚂𝚎𝚍 𝚖𝚒 𝚚𝚞𝚊𝚖, 𝚞𝚕𝚝𝚛𝚒𝚌𝚒𝚎𝚜 𝚞𝚝 𝚝𝚒𝚗𝚌𝚒𝚍𝚞𝚗𝚝 𝚟𝚎𝚕, 𝚋𝚒𝚋𝚎𝚗𝚍𝚞𝚖 𝚊𝚌 𝚖𝚊𝚜𝚜𝚊. 𝚅𝚎𝚜𝚝𝚒𝚋𝚞𝚕𝚞𝚖 𝚟𝚎𝚕 𝚛𝚒𝚜𝚞𝚜 𝚙𝚘𝚛𝚝𝚊 𝚖𝚊𝚞𝚛𝚒𝚜 𝚝𝚎𝚖𝚙𝚘𝚛 𝚋𝚕𝚊𝚗𝚍𝚒𝚝 𝚎𝚞 𝚟𝚎𝚕 𝚍𝚒𝚊𝚖. 𝚀𝚞𝚒𝚜𝚚𝚞𝚎 𝚎𝚛𝚘𝚜 𝚕𝚒𝚋𝚎𝚛𝚘, 𝚝𝚎𝚖𝚙𝚘𝚛 𝚞𝚝 𝚎𝚐𝚎𝚜𝚝𝚊𝚜 𝚗𝚎𝚌, 𝚊𝚕𝚒𝚚𝚞𝚎𝚝 𝚎𝚐𝚎𝚝 𝚎𝚕𝚒𝚝. 𝙳𝚘𝚗𝚎𝚌 𝚋𝚕𝚊𝚗𝚍𝚒𝚝 𝚘𝚍𝚒𝚘 𝚊𝚝 𝚗𝚒𝚋𝚑 𝚟𝚊𝚛𝚒𝚞𝚜 𝚝𝚛𝚒𝚜𝚝𝚒𝚚𝚞𝚎. 𝚂𝚎𝚍 𝚛𝚑𝚘𝚗𝚌𝚞𝚜 𝚙𝚘𝚛𝚝𝚊 𝚘𝚛𝚌𝚒, 𝚙𝚕𝚊𝚌𝚎𝚛𝚊𝚝 𝚌𝚘𝚗𝚍𝚒𝚖𝚎𝚗𝚝𝚞𝚖 𝚘𝚛𝚌𝚒 𝚒𝚖𝚙𝚎𝚛𝚍𝚒𝚎𝚝 𝚟𝚒𝚝𝚊𝚎. 𝙴𝚝𝚒𝚊𝚖 𝚎𝚞 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊 𝚎𝚛𝚘𝚜. 𝙸𝚗 𝚟𝚎𝚗𝚎𝚗𝚊𝚝𝚒𝚜 𝚙𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚕𝚒𝚋𝚎𝚛𝚘 𝚜𝚎𝚍 𝚎𝚐𝚎𝚜𝚝𝚊𝚜. 𝙳𝚞𝚒𝚜 𝚝𝚒𝚗𝚌𝚒𝚍𝚞𝚗𝚝 𝚖𝚘𝚕𝚎𝚜𝚝𝚒𝚎 𝚛𝚒𝚜𝚞𝚜 𝚒𝚍 𝚛𝚞𝚝𝚛𝚞𝚖. 𝙽𝚞𝚕𝚕𝚊 𝚏𝚊𝚌𝚒𝚕𝚒𝚜𝚒. 𝙳𝚞𝚒𝚜 𝚟𝚎𝚕 𝚙𝚞𝚛𝚞𝚜 𝚊𝚌 𝚕𝚒𝚋𝚎𝚛𝚘 𝚛𝚞𝚝𝚛𝚞𝚖 𝚞𝚕𝚝𝚛𝚒𝚌𝚎𝚜 𝚜𝚎𝚍 𝚟𝚎𝚕 𝚊𝚞𝚐𝚞𝚎. 𝙳𝚘𝚗𝚎𝚌 𝚎𝚐𝚎𝚝 𝚍𝚒𝚊𝚖 𝚎𝚝 𝚕𝚒𝚋𝚎𝚛𝚘 𝚙𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚟𝚎𝚗𝚎𝚗𝚊𝚝𝚒𝚜 𝚗𝚘𝚗 𝚎𝚝 𝚙𝚞𝚛𝚞𝚜. 𝚄𝚝 𝚎𝚞 𝚕𝚎𝚌𝚝𝚞𝚜 𝚙𝚞𝚛𝚞𝚜, 𝚎𝚐𝚎𝚝 𝚐𝚛𝚊𝚟𝚒𝚍𝚊 𝚎𝚛𝚊𝚝. 𝚂𝚎𝚍 𝚗𝚎𝚌 𝚏𝚎𝚕𝚒𝚜 𝚕𝚒𝚐𝚞𝚕𝚊, 𝚎𝚐𝚎𝚝 𝚕𝚞𝚌𝚝𝚞𝚜 𝚎𝚛𝚊𝚝. 𝙼𝚊𝚞𝚛𝚒𝚜 𝚜𝚊𝚙𝚒𝚎𝚗 𝚎𝚜𝚝, 𝚖𝚊𝚝𝚝𝚒𝚜 𝚞𝚝 𝚏𝚊𝚞𝚌𝚒𝚋𝚞𝚜 𝚎𝚝, 𝚏𝚊𝚞𝚌𝚒𝚋𝚞𝚜 𝚗𝚎𝚌 𝚗𝚞𝚗𝚌. 𝙽𝚞𝚗𝚌 𝚝𝚎𝚖𝚙𝚞𝚜 𝚒𝚊𝚌𝚞𝚕𝚒𝚜 𝚞𝚛𝚗𝚊 𝚟𝚒𝚝𝚊𝚎 𝚍𝚒𝚐𝚗𝚒𝚜𝚜𝚒𝚖.
++
++𝙸𝚗 𝚗𝚞𝚗𝚌 𝚗𝚒𝚜𝚒, 𝚞𝚕𝚕𝚊𝚖𝚌𝚘𝚛𝚙𝚎𝚛 𝚟𝚎𝚕 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊 𝚟𝚘𝚕𝚞𝚝𝚙𝚊𝚝, 𝚒𝚖𝚙𝚎𝚛𝚍𝚒𝚎𝚝 𝚊 𝚍𝚒𝚊𝚖. 𝙿𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚟𝚎𝚕 𝚕𝚒𝚐𝚞𝚕𝚊 𝚎𝚐𝚎𝚝 𝚕𝚎𝚘 𝚊𝚞𝚌𝚝𝚘𝚛 𝚛𝚑𝚘𝚗𝚌𝚞𝚜 𝚌𝚘𝚗𝚟𝚊𝚕𝚕𝚒𝚜 𝚊 𝚝𝚘𝚛𝚝𝚘𝚛. 𝙴𝚝𝚒𝚊𝚖 𝚊𝚝 𝚕𝚎𝚌𝚝𝚞𝚜 𝚟𝚒𝚝𝚊𝚎 𝚊𝚗𝚝𝚎 𝚝𝚎𝚖𝚙𝚞𝚜 𝚞𝚕𝚝𝚛𝚒𝚌𝚒𝚎𝚜 𝚞𝚝 𝚟𝚒𝚝𝚊𝚎 𝚎𝚕𝚒𝚝. 𝙽𝚊𝚖 𝚒𝚗 𝚝𝚞𝚛𝚙𝚒𝚜 𝚒𝚙𝚜𝚞𝚖, 𝚊𝚝 𝚖𝚊𝚝𝚝𝚒𝚜 𝚝𝚘𝚛𝚝𝚘𝚛. 𝙽𝚞𝚕𝚕𝚊 𝚎𝚝 𝚙𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚗𝚎𝚚𝚞𝚎. 𝙳𝚘𝚗𝚎𝚌 𝚕𝚊𝚌𝚒𝚗𝚒𝚊, 𝚝𝚞𝚛𝚙𝚒𝚜 𝚞𝚝 𝚍𝚒𝚌𝚝𝚞𝚖 𝚜𝚘𝚍𝚊𝚕𝚎𝚜, 𝚍𝚞𝚒 𝚗𝚒𝚜𝚒 𝚏𝚊𝚌𝚒𝚕𝚒𝚜𝚒𝚜 𝚛𝚒𝚜𝚞𝚜, 𝚜𝚎𝚍 𝚋𝚕𝚊𝚗𝚍𝚒𝚝 𝚖𝚒 𝚎𝚕𝚒𝚝 𝚞𝚝 𝚗𝚒𝚋𝚑. 𝙰𝚕𝚒𝚚𝚞𝚊𝚖 𝚎𝚛𝚊𝚝 𝚟𝚘𝚕𝚞𝚝𝚙𝚊𝚝. 𝙿𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚗𝚎𝚌 𝚎𝚕𝚒𝚝 𝚒𝚍 𝚓𝚞𝚜𝚝𝚘 𝚒𝚗𝚝𝚎𝚛𝚍𝚞𝚖 𝚘𝚛𝚗𝚊𝚛𝚎 𝚊 𝚒𝚗 𝚍𝚒𝚊𝚖. 𝙼𝚘𝚛𝚋𝚒 𝚊𝚝 𝚏𝚛𝚒𝚗𝚐𝚒𝚕𝚕𝚊 𝚕𝚎𝚌𝚝𝚞𝚜. 𝙳𝚘𝚗𝚎𝚌 𝚌𝚘𝚗𝚟𝚊𝚕𝚕𝚒𝚜 𝚎𝚕𝚎𝚒𝚏𝚎𝚗𝚍 𝚏𝚎𝚕𝚒𝚜, 𝚒𝚍 𝚜𝚊𝚐𝚒𝚝𝚝𝚒𝚜 𝚞𝚛𝚗𝚊 𝚖𝚊𝚝𝚝𝚒𝚜 𝚗𝚎𝚌. 𝚄𝚝 𝚌𝚘𝚗𝚜𝚎𝚚𝚞𝚊𝚝 𝚝𝚞𝚛𝚙𝚒𝚜 𝚟𝚎𝚕 𝚚𝚞𝚊𝚖 𝚝𝚎𝚖𝚙𝚘𝚛 𝚎𝚐𝚎𝚝 𝚞𝚕𝚝𝚛𝚒𝚌𝚎𝚜 𝚗𝚎𝚚𝚞𝚎 𝚖𝚘𝚕𝚎𝚜𝚝𝚒𝚎. 𝚂𝚞𝚜𝚙𝚎𝚗𝚍𝚒𝚜𝚜𝚎 𝚝𝚎𝚕𝚕𝚞𝚜 𝚗𝚒𝚜𝚒, 𝚑𝚎𝚗𝚍𝚛𝚎𝚛𝚒𝚝 𝚟𝚒𝚝𝚊𝚎 𝚙𝚘𝚜𝚞𝚎𝚛𝚎 𝚎𝚐𝚎𝚝, 𝚙𝚕𝚊𝚌𝚎𝚛𝚊𝚝 𝚜𝚎𝚍 𝚖𝚎𝚝𝚞𝚜. 𝙸𝚗𝚝𝚎𝚐𝚎𝚛 𝚙𝚕𝚊𝚌𝚎𝚛𝚊𝚝 𝚒𝚖𝚙𝚎𝚛𝚍𝚒𝚎𝚝 𝚙𝚕𝚊𝚌𝚎𝚛𝚊𝚝. 𝙼𝚘𝚛𝚋𝚒 𝚝𝚎𝚖𝚙𝚞𝚜 𝚗𝚞𝚗𝚌 𝚗𝚞𝚗𝚌. 𝙸𝚗𝚝𝚎𝚐𝚎𝚛 𝚚𝚞𝚒𝚜 𝚘𝚛𝚌𝚒 𝚏𝚎𝚕𝚒𝚜. 𝙽𝚞𝚗𝚌 𝚜𝚎𝚖𝚙𝚎𝚛, 𝚊𝚛𝚌𝚞 𝚗𝚘𝚗 𝚌𝚘𝚗𝚜𝚎𝚚𝚞𝚊𝚝 𝚍𝚒𝚐𝚗𝚒𝚜𝚜𝚒𝚖, 𝚕𝚘𝚛𝚎𝚖 𝚞𝚛𝚗𝚊 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊 𝚖𝚒, 𝚗𝚎𝚌 𝚊𝚌𝚌𝚞𝚖𝚜𝚊𝚗 𝚎𝚗𝚒𝚖 𝚖𝚒 𝚊 𝚙𝚞𝚛𝚞𝚜. 𝙲𝚞𝚛𝚊𝚋𝚒𝚝𝚞𝚛 𝚎𝚝 𝚎𝚕𝚒𝚝 𝚒𝚗 𝚜𝚎𝚖 𝚜𝚘𝚍𝚊𝚕𝚎𝚜 𝚒𝚗𝚝𝚎𝚛𝚍𝚞𝚖. 𝙿𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚜𝚊𝚐𝚒𝚝𝚝𝚒𝚜 𝚛𝚞𝚝𝚛𝚞𝚖 𝚕𝚎𝚌𝚝𝚞𝚜 𝚌𝚘𝚖𝚖𝚘𝚍𝚘 𝚌𝚘𝚗𝚍𝚒𝚖𝚎𝚗𝚝𝚞𝚖. 𝙴𝚝𝚒𝚊𝚖 𝚏𝚛𝚒𝚗𝚐𝚒𝚕𝚕𝚊, 𝚚𝚞𝚊𝚖 𝚗𝚎𝚌 𝚞𝚕𝚕𝚊𝚖𝚌𝚘𝚛𝚙𝚎𝚛 𝚜𝚘𝚕𝚕𝚒𝚌𝚒𝚝𝚞𝚍𝚒𝚗, 𝚝𝚞𝚛𝚙𝚒𝚜 𝚗𝚒𝚜𝚒 𝚊𝚕𝚒𝚚𝚞𝚎𝚝 𝚛𝚒𝚜𝚞𝚜, 𝚜𝚒𝚝 𝚊𝚖𝚎𝚝 𝚎𝚕𝚎𝚖𝚎𝚗𝚝𝚞𝚖 𝚍𝚘𝚕𝚘𝚛 𝚕𝚘𝚛𝚎𝚖 𝚟𝚒𝚝𝚊𝚎 𝚕𝚒𝚐𝚞𝚕𝚊. 𝙿𝚛𝚊𝚎𝚜𝚎𝚗𝚝 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊 𝚊𝚕𝚒𝚚𝚞𝚎𝚝 𝚟𝚎𝚕𝚒𝚝 𝚜𝚎𝚍 𝚙𝚕𝚊𝚌𝚎𝚛𝚊𝚝. </p>
++ </body>
++</html>
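Review bot: The comment at the top of 600974-1.html says the file tests decoding of supplementary characters and must not be re-encoded, but it does not say that the length of the text matters. Going by the name of the fix this test accompanies in debian/patches/series (Don't split a surrogate pair over two output buffers), the paragraph presumably has to be long enough to cross a decoder output buffer boundary. Saying so in the comment would keep someone from trimming the lorem ipsum later and silently losing the coverage. Minor: the closing `</body>` is indented by one space here but not in the reference file.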
+diff --git a/mozilla/layout/reftests/bugs/reftest.list b/mozilla/layout/reftests/bugs/reftest.list
+index 9537e65..87a8b4e 100644
+--- a/mozilla/layout/reftests/bugs/reftest.list
++++ b/mozilla/layout/reftests/bugs/reftest.list
+@@ -1053,4 +1053,5 @@ fails == 494667-2.html 494667-2-ref.html # needs bug 155955 (not on 1.9.1 branch
+ == 513318-1.xul 513318-1-ref.xul
+ != 513318-2.xul 513318-2-ref.xul
+ != 513318-3.xul 513318-3-ref.xul
++== 600974-1.html 600974-1-ref.html
+ == 603423-1.html 603423-1-ref.html
diff -Nru iceowl-1.0~b1+dfsg2/debian/patches/series iceowl-1.0~b1+dfsg2/debian/patches/series
--- iceowl-1.0~b1+dfsg2/debian/patches/series	2011-01-31 08:35:55.000000000 +0100
+++ iceowl-1.0~b1+dfsg2/debian/patches/series	2011-03-27 16:11:15.000000000 +0200
@@ -13,3 +13,33 @@
 Don-t-build-unused-bsdiff.patch
 Revert-post-release-version-bump.patch
 Don-t-error-out-when-run-time-libsqlite-is-older-tha.patch
+security/squeeze1/Bug-613376-r-josh-a1.9.1.16-dveditz.patch
+security/squeeze1/Properly-check-attribute-URLs-Bug-562547-r-jst-r-a-d.patch
+security/squeeze1/Fix-some-errors-with-handling-invalid-sequences-in-t.patch
+security/squeeze1/Tests-for-bug-563618.patch
+security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers.patch
+security/squeeze1/Tests-for-bug-600974.patch
+security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers-2.patch
+security/squeeze1/Tests-for-bug-600974-a-test.patch
+security/squeeze1/Bug-616659-Initialize-eButtonPressed-to-1-r-dolske-g.patch
+security/squeeze1/bug-607160-check-text-length-computations.-r-roc-app.patch
+security/squeeze1/bug-616009-r-gal-a1.9.1.17-clegnitto.patch
+security/squeeze1/Bug-614499-release-old-mListRoot-members-r-bz-a-cleg.patch
+security/squeeze1/Bug-558531-fix-typo-in-JS_ResolveStandardClass-r-wal.patch
+security/squeeze1/Bug-576649.-r-dbaron-a-blocking1.9.1.17.patch
+security/squeeze1/Bug-558541-Simplify-some-code-in-js_SetPropertyHelpe.patch
+security/squeeze1/bug-622015-r-brendan-a-clegnitto.patch
+security/squeeze1/Bug-602115-Fix-XSLT-error-handling-bugs.-r-peterv-a-.patch
+security/squeeze1/followup-for-bug-602115.-Missed-this-when-I-moved-pa.patch
+security/squeeze1/bug-600853-regression-fix-r-brendan-a-clegnitto.patch
+security/squeeze1/Fix-for-bug-605672-Fix-reason-for-invalid-scope-asse.patch
+security/squeeze1/bug-563243-backport-of-Blake-Kaplan-s-tracemonkey-mo.patch
+security/squeeze1/Bug-626631-nsAutoJSValHolder-should-root-its-jsval-r.patch
+security/squeeze1/Fix-hard-case-destructurinv-vs.-for-var-.-.-in-.-bug.patch
+security/squeeze1/Fix-MakeUpvarForEval-vs.-normal-upvar-bookkeeping-61.patch
+security/squeeze1/Bug-553808-assertion-setting-template-datasources-r-.patch
+security/squeeze1/Bug-608687-clear-mRoot-after-uninitializing-so-that-.patch
+security/squeeze1/Bug-611910-r-josh-a-blocking1.9.1.17.patch
+security/squeeze1/Bug-614116-Enforce-HTTP-mode-when-setting-a-storage-.patch
+security/squeeze1/Bug-573873-Fix-bug-in-HTTP-handling-for-plugins.-r-j.patch
+security/squeeze1/Bug-573873-Bustage-fix.-a-dveditz.patch
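Review bot: Two pairs of entries in this list differ only by a suffix: Don-t-split-a-surrogate-pair-over-two-output-buffers.patch and its -2 variant, and Tests-for-bug-600974.patch and Tests-for-bug-600974-a-test.patch. Please confirm these are distinct upstream commits and not the same change exported twice, since a duplicate would either fail to apply or add the reftest files and manifest line a second time. Separately, the changelog lists the fixes by MFSA and CVE while the series names them by upstream bug number, with several names truncated, so the two cannot be matched from this hunk. A per-patch header giving the MFSA or CVE, or a grouping comment in the series file, would let the release team check that every advisory in the changelog is covered.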
