head	1.2;
access;
symbols
	pkgsrc-2016Q4:1.1.0.2
	pkgsrc-2016Q4-base:1.1;
locks; strict;
comment	@// @;


1.2
date	2017.03.07.20.45.43;	author ryoon;	state dead;
branches;
next	1.1;
commitid	cj2gfa0XmazzZEIz;

1.1
date	2016.12.03.09.58.26;	author ryoon;	state Exp;
branches;
next	;
commitid	uIUIk0K6tuQSqwwz;


desc
@@


1.2
log
@Update to 52.0

* Switch to GTK3 build
* Remove py-sqlite2 dependency, fix PR pkg/52032

Changelog:
New
    Added support for WebAssembly, an emerging standard that brings near-native performance to Web-based games, apps, and software libraries without the use of plugins.

    Added automatic captive portal detection, for easier access to Wi-Fi hotspots. When accessing the Internet via a captive portal, Firefox will alert users and open the portal login page in a new tab.

    Added user warnings for non-secure HTTP pages with logins. Firefox now displays a "This connection is not secure" message when users click into the username and password fields on pages that don't use HTTPS.

    Implemented the Strict Secure Cookies specification which forbids insecure HTTP sites from setting cookies with the "secure" attribute. In some cases, this will prevent an insecure site from setting a cookie with the same name as an existing "secure" cookie from the same base domain.

    Enhanced Sync to allow users to send and open tabs from one device to another.

Fixed
    Various security fixes

    Improved text input for third-party keyboard layouts on Windows. This will address some keyboard layouts that
      * have chained dead keys
      * input two or more characters with a non-printable key or a dead key sequence
      * input a character even when a dead key sequence failed to compose a character

Changed
    Removed support for Netscape Plugin API (NPAPI) plugins other than Flash. Silverlight, Java, Acrobat and the like are no longer supported.

    Removed Battery Status API to reduce fingerprinting of users by trackers

    Improved experience for downloads:
      * Notification in the toolbar when a download fails
      * Quick access to five most recent downloads rather than three
      * Larger buttons for canceling and restarting downloads

    Display (but allow users to override) an "Untrusted Connection" error when encountering SHA-1 certificates that chain up to a root certificate included in Mozilla's CA Certificate Program. (Note: Firefox continues to permit SHA-1 certificates that chain to manually imported root certificates.) Read more about the Mozilla Security Team's plans to deprecate SHA-1

    Migrated Firefox users on Windows XP and Windows Vista operating systems to the extended support release (ESR) version of Firefox.

    When not using Direct2D on Windows, Skia is used for content rendering

Developer
    Enabled CSS Grid Layout, opening up a world of new possibilities for graphic design

    Redesigned Responsive Design Mode to include device selection, network throttling, and more

    Improved security for screen sharing, which now shows a preview and no longer requires a whitelisted domain

unresolved
    Google Hangouts temporarily won't work

Security fixes:
 #CVE-2017-5400: asm.js JIT-spray bypass of ASLR and DEP
 #CVE-2017-5401: Memory Corruption when handling ErrorResult
 #CVE-2017-5402: Use-after-free working with events in FontFace objects
 #CVE-2017-5403: Use-after-free using addRange to add range to an incorrect root object
 #CVE-2017-5404: Use-after-free working with ranges in selections
 #CVE-2017-5406: Segmentation fault in Skia with canvas operations
 #CVE-2017-5407: Pixel and history stealing via floating-point timing side channel with SVG filters
 #CVE-2017-5410: Memory corruption during JavaScript garbage collection incremental sweeping
 #CVE-2017-5411: Use-after-free in Buffer Storage in libGLES
 #CVE-2017-5409: File deletion via callback parameter in Mozilla Windows Updater and Maintenance Service
 #CVE-2017-5408: Cross-origin reading of video captions in violation of CORS
 #CVE-2017-5412: Buffer overflow read in SVG filters
 #CVE-2017-5413: Segmentation fault during bidirectional operations
 #CVE-2017-5414: File picker can choose incorrect default directory
 #CVE-2017-5415: Addressbar spoofing through blob URL
 #CVE-2017-5416: Null dereference crash in HttpChannel
 #CVE-2017-5417: Addressbar spoofing by draging and dropping URLs
 #CVE-2017-5425: Overly permissive Gecko Media Plugin sandbox regular expression access
 #CVE-2017-5426: Gecko Media Plugin sandbox is not started if seccomp-bpf filter is running
 #CVE-2017-5427: Non-existent chrome.manifest file loaded during startup
 #CVE-2017-5418: Out of bounds read when parsing HTTP digest authorization responses
 #CVE-2017-5419: Repeated authentication prompts lead to DOS attack
 #CVE-2017-5420: Javascript: URLs can obfuscate addressbar location
 #CVE-2017-5405: FTP response codes can cause use of uninitialized values for ports
 #CVE-2017-5421: Print preview spoofing
 #CVE-2017-5422: DOS attack by using view-source: protocol repeatedly in one hyperlink
 #CVE-2017-5399: Memory safety bugs fixed in Firefox 52
 #CVE-2017-5398: Memory safety bugs fixed in Firefox 52 and Firefox ESR 45.8
@
text
@$NetBSD: patch-gfx_thebes_gfxFontUtils.cpp,v 1.1 2016/12/03 09:58:26 ryoon Exp $

--- gfx/thebes/gfxFontUtils.cpp.orig	2016-10-31 20:15:32.000000000 +0000
+++ gfx/thebes/gfxFontUtils.cpp
@@@@ -918,16 +918,18 @@@@ IsValidSFNTVersion(uint32_t version)
            version == TRUETYPE_TAG('t','r','u','e');
 }
 
-// copy and swap UTF-16 values, assume no surrogate pairs, can be in place
+// Copy and swap UTF-16 values, assume no surrogate pairs, can be in place.
+// aInBuf and aOutBuf are NOT necessarily 16-bit-aligned, so we should avoid
+// accessing them directly as uint16_t* values.
+// aLen is count of UTF-16 values, so the byte buffers are twice that.
 static void
-CopySwapUTF16(const uint16_t *aInBuf, uint16_t *aOutBuf, uint32_t aLen)
+CopySwapUTF16(const char* aInBuf, char* aOutBuf, uint32_t aLen)
 {
-    const uint16_t *end = aInBuf + aLen;
+    const char* end = aInBuf + aLen * 2;
     while (aInBuf < end) {
-        uint16_t value = *aInBuf;
-        *aOutBuf = (value >> 8) | (value & 0xff) << 8;
-        aOutBuf++;
-        aInBuf++;
+        uint8_t b0 = *aInBuf++;
+        *aOutBuf++ = *aInBuf++;
+        *aOutBuf++ = b0;
     }
 }
 
@@@@ -1441,13 +1443,13 @@@@ gfxFontUtils::DecodeFontName(const char 
     if (csName[0] == 0) {
         // empty charset name: data is utf16be, no need to instantiate a converter
         uint32_t strLen = aByteLen / 2;
-#ifdef IS_LITTLE_ENDIAN
         aName.SetLength(strLen);
-        CopySwapUTF16(reinterpret_cast<const uint16_t*>(aNameData),
-                      reinterpret_cast<uint16_t*>(aName.BeginWriting()), strLen);
+#ifdef IS_LITTLE_ENDIAN
+        CopySwapUTF16(aNameData, reinterpret_cast<char*>(aName.BeginWriting()),
+                      strLen);
 #else
-        aName.Assign(reinterpret_cast<const char16_t*>(aNameData), strLen);
-#endif    
+        memcpy(aName.BeginWriting(), aNameData, strLen * 2);
+#endif
         return true;
     }
 
@


1.1
log
@Update to 50.0.2

* Change default audio support to ALSA.
  You can use OSS or pulseaudio via ALSA plugin package.

Changelog:
50.0.2:
Fixed in Firefox 50.0.2
 #CVE-2016-9079: Use-after-free in SVG Animation

50.0.1:
Fixed
   *Firefox crashes with 3rd party Chinese IME when using IME text

Security vulnerabilities fixed in Firefox 50.0.1:
 #CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect

50.0:

New
   *Playback video on more sites without plugins with WebM EME Support for Widevine on Windows and Mac
   *Improved performance for SDK extensions or extensions using the SDK module loader
   *Added download protection for a large number of executable file types on Windows, Mac and Linux
   *Increased availability of WebGL to more than 98 percent of users on Windows 7 and newer
   *Added Guarani (gn) locale
   *Added option to Find in page that allows users to limit search to whole words only
   *Updates to keyboard shortcuts
       *Set a preference to have Ctrl+Tab cycle through tabs in recently used order
       *View a page in Reader Mode by using Ctrl+Alt+R (command+alt+r on Mac)

Fixed
   *Login cookies are now saved for sites with a high number of cookies (Bug 1264192)
   *Various security fixes

   *Fixed rendering of dashed and dotted borders with rounded corners (border-radius)

Changed
   *The link to check for plugin security updates has been removed from the addon manager as Firefox automatically checks for plugin updates
   *Blocked versions of libavcodec older than 54.35.1
   *Added a built-in Emoji set for operating systems without native Emoji fonts (Windows 8.0 and lower and Linux)

Developer
   *Changes for web developers

Security vulnerabilities fixed in Firefox 50:
 #CVE-2016-5296: Heap-buffer-overflow WRITE in rasterize_edges_1
 #CVE-2016-5292: URL parsing causes crash
 #CVE-2016-5293: Write to arbitrary file with Mozilla Updater and Maintenance Service using updater.log hardlink
 #CVE-2016-5294: Arbitrary target directory for result files of update process
 #CVE-2016-5297: Incorrect argument length checking in JavaScript
 #CVE-2016-9064: Add-ons update must verify IDs match between current and new versions
 #CVE-2016-9065: Firefox for Android location bar spoofing using fullscreen
 #CVE-2016-9066: Integer overflow leading to a buffer overflow in nsScriptLoadHandler
 #CVE-2016-9067: heap-use-after-free in nsINode::ReplaceOrInsertBefore
 #CVE-2016-9068: heap-use-after-free in nsRefreshDriver
 #CVE-2016-9072: 64-bit NPAPI sandbox isn't enabled on fresh profile
 #CVE-2016-9075: WebExtensions can access the mozAddonManager API and use it to gain elevated privileges
 #CVE-2016-9077: Canvas filters allow feDisplacementMaps to be applied to cross-origin images, allowing timing attacks on them
 #CVE-2016-5291: Same-origin policy violation using local HTML file and saved shortcut file
 #CVE-2016-5295: Mozilla Maintenance Service: Ability to read arbitrary files as SYSTEM
 #CVE-2016-5298: SSL indicator can mislead the user about the real URL visited
 #CVE-2016-5299: Firefox AuthToken in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissionsPI key (glocation) in broadcast protected with signature-level permission can be accessed by an application installed beforehand that defines the same permissions
 #CVE-2016-9062: Private browsing browser traces (Android) in browser.db and wal file
 #CVE-2016-9070: Sidebar bookmark can have reference to chrome window
 #CVE-2016-9073: windows.create schema doesn't specify "format": "relativeUrl"
 #CVE-2016-9074: Insufficient timing side-channel resistance in divSpoiler
 #CVE-2016-9076: select dropdown menu can be used for URL bar spoofing on e10s
 #CVE-2016-9063: Possible integer overflow to fix inside XML_Parse in Expat
 #CVE-2016-9071: Probe browser history via HSTS/301 redirect + CSP
 #CVE-2016-5289: Memory safety bugs fixed in Firefox 50
 #CVE-2016-5290: Memory safety bugs fixed in Firefox 50 and Firefox ESR 45.5
@
text
@d1 1
a1 1
$NetBSD$
@