new features

* Updated Firefox Login Manager to allow HTTPS pages to use saved
    HTTP logins.
  * Added features to Reader Mode that make it easier on the eyes and
    the ears
  * Improved video performance for users on systems that support
    SSE3 without hardware acceleration
  * Added context menu controls to HTML5 audio and video that let users
    loops files or play files at 1.25x speed
  * Improvements in about:memory reports for tracking font memory usage
  security related
  * MFSA 2016-85
    CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
    mozilla::net::IsValidReferrerPolicy
    CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
    nsCaseTransformTextRunFactory::TransformString
    CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
    PropertyProvider::GetSpacingInternal
    CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
    CVE-2016-5273 (bmo#1280387) - crash in
    mozilla::a11y::HyperTextAccessible::GetChildOffset
    CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
    mozilla::a11y::DocAccessible::ProcessInvalidationList
    CVE-2016-5274 (bmo#1282076) - use-after-free in
    nsFrameManager::CaptureFrameState
    CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
    CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
    mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
    CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
    nsBMPEncoder::AddImageFrame

OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=548

MozillaFirefox.changes

@@ -2,10 +2,53 @@
 Tue Sep 20 07:09:52 UTC 2016 - wr@rosenauer.org
 
 - update to Firefox 49.0 (boo#999701)
+  new features
+  * Updated Firefox Login Manager to allow HTTPS pages to use saved
+    HTTP logins.
+  * Added features to Reader Mode that make it easier on the eyes and
+    the ears
+  * Improved video performance for users on systems that support
+    SSE3 without hardware acceleration
+  * Added context menu controls to HTML5 audio and video that let users
+    loops files or play files at 1.25x speed
+  * Improvements in about:memory reports for tracking font memory usage
+  security related
+  * MFSA 2016-85
+    CVE-2016-2827 (bmo#1289085) - Out-of-bounds read in
+    mozilla::net::IsValidReferrerPolicy
+    CVE-2016-5270 (bmo#1291016) - Heap-buffer-overflow in
+    nsCaseTransformTextRunFactory::TransformString
+    CVE-2016-5271 (bmo#1288946) - Out-of-bounds read in
+    PropertyProvider::GetSpacingInternal
+    CVE-2016-5272 (bmo#1297934) - Bad cast in nsImageGeometryMixin
+    CVE-2016-5273 (bmo#1280387) - crash in
+    mozilla::a11y::HyperTextAccessible::GetChildOffset
+    CVE-2016-5276 (bmo#1287721) - Heap-use-after-free in
+    mozilla::a11y::DocAccessible::ProcessInvalidationList
+    CVE-2016-5274 (bmo#1282076) - use-after-free in
+    nsFrameManager::CaptureFrameState
+    CVE-2016-5277 (bmo#1291665) - Heap-use-after-free in nsRefreshDriver::Tick
+    CVE-2016-5275 (bmo#1287316) - global-buffer-overflow in
+    mozilla::gfx::FilterSupport::ComputeSourceNeededRegions
+    CVE-2016-5278 (bmo#1294677) - Heap-buffer-overflow in
+    nsBMPEncoder::AddImageFrame
+    CVE-2016-5279 (bmo#1249522) - Full local path of files is available
+    to web pages after drag and drop
+    CVE-2016-5280 (bmo#1289970) - Use-after-free in
+    mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap
+    CVE-2016-5281 (bmo#1284690) - use-after-free in DOMSVGLength
+    CVE-2016-5282 (bmo#932335) - Don't allow content to request favicons
+    from non-whitelisted schemes
+    CVE-2016-5283 (bmo#928187) - <iframe src> fragment timing attack can
+    reveal cross-origin data
+    CVE-2016-5284 (bmo#1303127) - Add-on update site certificate pin expiration
+    CVE-2016-5256 - Memory safety bugs fixed in Firefox 49
+    CVE-2016-5257 - Memory safety bugs fixed in Firefox 49 and Firefox ESR 45.4
 - removed obsolete patches:
   * mozilla-aarch64-48bit-va.patch
   * mozilla-exclude-nametablecpp.patch
   * mozilla-old_configure-bmo1282843.patch
+- added patch mozilla-skia-overflow.patch (bmo#1304114)
 - requires NSS 3.25
 
 -------------------------------------------------------------------

MozillaFirefox.spec

@@ -146,6 +146,7 @@ Patch10:        mozilla-no-stdcxx-check.patch
 Patch11:        mozilla-reduce-files-per-UnifiedBindings.patch
 Patch12:        mozilla-gtk3_20.patch
 Patch13:        mozilla-check_return.patch
+Patch14:        mozilla-skia-overflow.patch
 Patch17:        mozilla-binutils-visibility.patch
 # Firefox/browser
 Patch101:       firefox-kde.patch
@@ -262,6 +263,7 @@ cd $RPM_BUILD_DIR/mozilla
 %patch12 -p1
 %endif
 %patch13 -p1
+%patch14 -p1
 %patch17 -p1
 # Firefox
 %patch101 -p1

mozilla-skia-overflow.patch

@@ -0,0 +1,32 @@
+# HG changeset patch
+# User Lee Salzman <lsalzman@mozilla.com>
+# Date 1474489725 14400
+#      Wed Sep 21 16:28:45 2016 -0400
+# Node ID 38a427a913b57080374b9966466b8f436ec39eb8
+# Parent  4dfd3f00543d1d7adc3f0f852e6f32fbca6f3420
+fix invalid Sk4f store to SkColor in SkPixmap::erase
+
+MozReview-Commit-ID: 840x1nXgYns
+
+diff --git a/gfx/skia/skia/src/core/SkPixmap.cpp b/gfx/skia/skia/src/core/SkPixmap.cpp
+--- a/gfx/skia/skia/src/core/SkPixmap.cpp
++++ b/gfx/skia/skia/src/core/SkPixmap.cpp
+@@ -221,17 +221,17 @@ bool SkPixmap::erase(const SkColor4f& or
+         pm = *this;
+     }
+ 
+     const SkColor4f color = origColor.pin();
+ 
+     if (kRGBA_F16_SkColorType != pm.colorType()) {
+         Sk4f c4 = Sk4f::Load(color.vec());
+         SkColor c;
+-        (c4 * Sk4f(255) + Sk4f(0.5f)).store(&c);
++        SkNx_cast<uint8_t>(c4 * Sk4f(255) + Sk4f(0.5f)).store(&c);
+         return pm.erase(c);
+     }
+ 
+     const uint64_t half4 = color.premul().toF16();
+     for (int y = 0; y < pm.height(); ++y) {
+         sk_memset64(pm.writable_addr64(0, y), half4, pm.width());
+     }
+     return true;