authordholland <dholland>2016-12-15 07:48:19 +0000
committerdholland <dholland>2016-12-15 07:48:19 +0000
commit67a9a01b192c07d2fe7570ab38e2a48a047b1e6d (patch)
tree8485253f7279553ad765af7d18293c5fb5bb4f1d
parentbf2a7d763444efb3a64710b3febb4016bb6c0c81 (diff)
downloadpkgsrc-67a9a01b192c07d2fe7570ab38e2a48a047b1e6d.tar.gz
Add fix for CVE-2016-9079 remote code execution, aka mfsa2016-92,
taken from firefox. PKGREVISION -> 7.
-rw-r--r--www/seamonkey/Makefile4
-rw-r--r--www/seamonkey/distinfo4
-rw-r--r--www/seamonkey/patches/patch-mozilla_dom_smil_nsSMILTimeContainer.cpp78
-rw-r--r--www/seamonkey/patches/patch-mozilla_dom_smil_nsSMILTimeContainer.h20
4 files changed, 103 insertions, 3 deletions
diff --git a/www/seamonkey/Makefile b/www/seamonkey/Makefile
index 4f9faca4db3..748a9d54ad6 100644
--- a/www/seamonkey/Makefile
+++ b/www/seamonkey/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.149 2016/12/04 05:17:44 ryoon Exp $
+# $NetBSD: Makefile,v 1.150 2016/12/15 07:48:19 dholland Exp $
DISTNAME= seamonkey-${SM_VER}.source
PKGNAME= seamonkey-${SM_VER:S/b/beta/}
-PKGREVISION= 6
+PKGREVISION= 7
SM_VER= 2.40
CATEGORIES= www
MASTER_SITES= ${MASTER_SITE_MOZILLA:=seamonkey/releases/${SM_VER}/source/}
diff --git a/www/seamonkey/distinfo b/www/seamonkey/distinfo
index fb97c8a7695..168c0b2453d 100644
--- a/www/seamonkey/distinfo
+++ b/www/seamonkey/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.140 2016/12/07 22:01:28 maya Exp $
+$NetBSD: distinfo,v 1.141 2016/12/15 07:48:19 dholland Exp $
SHA1 (seamonkey-2.40.source.tar.xz) = ecf99bc7478319835a0e19f35ed5b7b1aa2c0046
RMD160 (seamonkey-2.40.source.tar.xz) = 4030688f145fdf35a6d2728d097cf7cda8e50231
@@ -31,6 +31,8 @@ SHA1 (patch-mozilla_dom_media_moz.build) = e21f162f6fb2f053e3e04a8273033b92bd6a7
SHA1 (patch-mozilla_dom_plugins_ipc_PluginModuleChild.cpp) = 005a611073f3a8b865d19e7204df9d40e5e1c3ff
SHA1 (patch-mozilla_dom_plugins_ipc_PluginModuleChild.h) = 14038ce0ee2b38db6c7952056a97a65839a2c1a9
SHA1 (patch-mozilla_dom_plugins_ipc_PluginProcessChild.cpp) = ef2b3f3c134be64c9dbb688e36a8b767c25a008a
+SHA1 (patch-mozilla_dom_smil_nsSMILTimeContainer.cpp) = 8040334532157965086a6926aea2cb42707c9be3
+SHA1 (patch-mozilla_dom_smil_nsSMILTimeContainer.h) = ca80d3991d3025bc9ebe7091be4fd01ffcf75839
SHA1 (patch-mozilla_dom_system_OSFileConstants.cpp) = f78d502489013f855c1616d8941b960aa73760a2
SHA1 (patch-mozilla_extensions_spellcheck_hunspell_glue_mozHunspell.cpp) = 5c7d5429bd9a84fd2fffa86c3bd1d34d67f66681
SHA1 (patch-mozilla_gfx_cairo_libpixman_src_pixman-arm-neon-asm.S) = 818a1b1cb48bc04e91581709065948cef362aebe
diff --git a/www/seamonkey/patches/patch-mozilla_dom_smil_nsSMILTimeContainer.cpp b/www/seamonkey/patches/patch-mozilla_dom_smil_nsSMILTimeContainer.cpp
new file mode 100644
index 00000000000..a2d0e42c9d4
--- /dev/null
+++ b/www/seamonkey/patches/patch-mozilla_dom_smil_nsSMILTimeContainer.cpp
@@ -0,0 +1,78 @@
+$NetBSD: patch-mozilla_dom_smil_nsSMILTimeContainer.cpp,v 1.1 2016/12/15 07:48:19 dholland Exp $
+
+Fix for CVE-2016-9079, aka
+https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
+from the firefox 45.5.1esr distfile,
+which is the same as
+https://hg.mozilla.org/integration/mozilla-inbound/rev/9271347b07d201df26cdffde75483c0b0001528c
+linked from https://bugzilla.mozilla.org/show_bug.cgi?id=1321066
+
+--- mozilla/dom/smil/nsSMILTimeContainer.cpp.orig 2016-01-19 02:48:35.000000000 +0000
++++ mozilla/dom/smil/nsSMILTimeContainer.cpp
+@@ -9,6 +9,8 @@
+ #include "nsSMILTimedElement.h"
+ #include <algorithm>
+
++#include "mozilla/AutoRestore.h"
++
+ nsSMILTimeContainer::nsSMILTimeContainer()
+ :
+ mParent(nullptr),
+@@ -18,6 +20,7 @@ nsSMILTimeContainer::nsSMILTimeContainer
+ mNeedsPauseSample(false),
+ mNeedsRewind(false),
+ mIsSeeking(false),
++ mHoldingEntries(false),
+ mPauseState(PAUSE_BEGIN)
+ {
+ }
+@@ -213,12 +216,14 @@ nsSMILTimeContainer::AddMilestone(const
+ // time may change (e.g. if attributes are changed on the timed element in
+ // between samples). If this happens, then we may do an unecessary sample
+ // but that's pretty cheap.
++ MOZ_RELEASE_ASSERT(!mHoldingEntries);
+ return mMilestoneEntries.Push(MilestoneEntry(aMilestone, aElement));
+ }
+
+ void
+ nsSMILTimeContainer::ClearMilestones()
+ {
++ MOZ_RELEASE_ASSERT(!mHoldingEntries);
+ mMilestoneEntries.Clear();
+ }
+
+@@ -259,6 +264,8 @@ nsSMILTimeContainer::PopMilestoneElement
+ "Trying to pop off earliest times but we have earlier ones that "
+ "were overlooked");
+
++ MOZ_RELEASE_ASSERT(!mHoldingEntries);
++
+ bool gotOne = false;
+ while (!mMilestoneEntries.IsEmpty() &&
+ mMilestoneEntries.Top().mMilestone == containerMilestone)
+@@ -273,6 +280,8 @@ nsSMILTimeContainer::PopMilestoneElement
+ void
+ nsSMILTimeContainer::Traverse(nsCycleCollectionTraversalCallback* aCallback)
+ {
++ AutoRestore<bool> saveHolding(mHoldingEntries);
++ mHoldingEntries = true;
+ const MilestoneEntry* p = mMilestoneEntries.Elements();
+ while (p < mMilestoneEntries.Elements() + mMilestoneEntries.Length()) {
+ NS_CYCLE_COLLECTION_NOTE_EDGE_NAME(*aCallback, "mTimebase");
+@@ -284,6 +293,7 @@ nsSMILTimeContainer::Traverse(nsCycleCol
+ void
+ nsSMILTimeContainer::Unlink()
+ {
++ MOZ_RELEASE_ASSERT(!mHoldingEntries);
+ mMilestoneEntries.Clear();
+ }
+
+@@ -307,6 +317,8 @@ nsSMILTimeContainer::NotifyTimeChange()
+ // milestone elements. This is because any timed element with dependents and
+ // with significant transitions yet to fire should have their next milestone
+ // registered. Other timed elements don't matter.
++ AutoRestore<bool> saveHolding(mHoldingEntries);
++ mHoldingEntries = true;
+ const MilestoneEntry* p = mMilestoneEntries.Elements();
+ #if DEBUG
+ uint32_t queueLength = mMilestoneEntries.Length();
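Review bot: The guards added here are detect-and-abort, and the patch header does not say so. `MOZ_RELEASE_ASSERT(!mHoldingEntries)` in AddMilestone, ClearMilestones, the PopMilestoneElement… function (name truncated in the hunk header) and Unlink stops the process when mMilestoneEntries is changed while Traverse or NotifyTimeChange still hold the raw pointer `p`; as far as these hunks show, the reentrant call path stays reachable and now ends in a crash instead of a stale-pointer access. I would add one line to the header commentary, e.g. `The fix turns mutation of mMilestoneEntries during iteration into a release-assert abort; it does not remove the reentrancy.`, so that a crash in this code after the update is recognised as the mitigation firing. Most of the touched function bodies start or end outside the hunks, so it is worth confirming against the full file that no other code modifying mMilestoneEntries lacks the assert. The same header text is repeated in the nsSMILTimeContainer.h patch.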
diff --git a/www/seamonkey/patches/patch-mozilla_dom_smil_nsSMILTimeContainer.h b/www/seamonkey/patches/patch-mozilla_dom_smil_nsSMILTimeContainer.h
new file mode 100644
index 00000000000..2637f245ffa
--- /dev/null
+++ b/www/seamonkey/patches/patch-mozilla_dom_smil_nsSMILTimeContainer.h
@@ -0,0 +1,20 @@
+$NetBSD: patch-mozilla_dom_smil_nsSMILTimeContainer.h,v 1.1 2016/12/15 07:48:19 dholland Exp $
+
+Fix for CVE-2016-9079, aka
+https://www.mozilla.org/en-US/security/advisories/mfsa2016-92/
+from the firefox 45.5.1esr distfile,
+which is the same as
+https://hg.mozilla.org/integration/mozilla-inbound/rev/9271347b07d201df26cdffde75483c0b0001528c
+linked from https://bugzilla.mozilla.org/show_bug.cgi?id=1321066
+
+--- mozilla/dom/smil/nsSMILTimeContainer.h.orig 2016-01-19 02:49:17.000000000 +0000
++++ mozilla/dom/smil/nsSMILTimeContainer.h
+@@ -267,6 +267,8 @@ protected:
+ bool mNeedsRewind; // Backwards seek performed
+ bool mIsSeeking; // Currently in the middle of a seek operation
+
++ bool mHoldingEntries; // True if there's a raw pointer to mMilestoneEntries on the stack.
++
+ // A bitfield of the pause state for all pause requests
+ uint32_t mPauseState;
+
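Review bot: The comment on `mHoldingEntries` says what the flag records but not the rule it enforces, which is what a later editor of this class needs to know. Something like `// While true, mMilestoneEntries must not be modified; mutators MOZ_RELEASE_ASSERT(!mHoldingEntries).` would state the invariant at the declaration. Because the patch is meant to match the upstream change, this is probably better raised upstream than altered locally. The class body lies outside the hunk.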