Debian Bug report logs - #619850
pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff

version graph

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Guido Günther <agx@sigxcpu.org>

Date: Sun, 27 Mar 2011 20:31:02 UTC

Severity: normal

Tags: confirmed, squeeze

Fixed in version 6.0.2

Done: Adam D. Barratt <adam@adam-barratt.org.uk>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#619850; Package release.debian.org. (Sun, 27 Mar 2011 20:31:05 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 27 Mar 2011 20:31:05 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Guido Günther <agx@sigxcpu.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff
Date: Sun, 27 Mar 2011 22:27:01 +0200
[Message part 1 (text/plain, inline)]
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Hi,
I'd like to push iceowl 1.0~b1+dfsg2-2.squeeze1 to squeeze proposed
updates. It contains the same updates as current icedove. 

On Wed, Mar 23, 2011 at 10:15:16PM +0100, Moritz Mühlenhoff wrote:
[..snip..] 
> We should fix iceowl updates which only update the Mozilla copies via
> s-p-u. If there're targeted vulnerabilities against iceowl (e.g. buffer
> overflow during contact import), we can push these through s.d.o.
>
> Cheers,
>        Moritz

The debdiff is attached.
Cheers,
 -- Guido


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.37-2-686 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
[1.0~b1+dfsg2-2.squeeze1.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#619850; Package release.debian.org. (Sat, 30 Apr 2011 16:03:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 30 Apr 2011 16:03:03 GMT) Full text and rfc822 format available.

Message #10 received at 619850@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Guido Günther <agx@sigxcpu.org>, 619850@bugs.debian.org
Subject: Re: Bug#619850: pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff
Date: Sat, 30 Apr 2011 16:57:53 +0100
[Apologies for managing to miss this earlier]

Hi,

On Sun, 2011-03-27 at 22:27 +0200, Guido Günther wrote:,
> I'd like to push iceowl 1.0~b1+dfsg2-2.squeeze1 to squeeze proposed
> updates. It contains the same updates as current icedove. 

Presumably this now requires a further update, in light of at least
MFSA2011-12?

> On Wed, Mar 23, 2011 at 10:15:16PM +0100, Moritz Mühlenhoff wrote:
> [..snip..] 
> > We should fix iceowl updates which only update the Mozilla copies via
> > s-p-u. If there're targeted vulnerabilities against iceowl (e.g. buffer
> > overflow during contact import), we can push these through s.d.o.

Given the lack of support from upstream for iceowl beta releases, do
they actually provide details of which portions of updates might be
iceowl-specific?

I do note that the discussion before the release about updating iceowl
in stable very much implied that security updates would be pushed via
the security archive, albeit not as the security team's top priority.

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#619850; Package release.debian.org. (Sun, 08 May 2011 12:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 08 May 2011 12:39:03 GMT) Full text and rfc822 format available.

Message #15 received at 619850@bugs.debian.org (full text, mbox):

From: Guido Günther <agx@sigxcpu.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 619850@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#619850: pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff
Date: Sun, 8 May 2011 14:35:19 +0200
[Message part 1 (text/plain, inline)]
On Sat, Apr 30, 2011 at 04:57:53PM +0100, Adam D. Barratt wrote:
> [Apologies for managing to miss this earlier]
> 
> Hi,
> 
> On Sun, 2011-03-27 at 22:27 +0200, Guido Günther wrote:,
> > I'd like to push iceowl 1.0~b1+dfsg2-2.squeeze1 to squeeze proposed
> > updates. It contains the same updates as current icedove. 
> 
> Presumably this now requires a further update, in light of at least
> MFSA2011-12?

Indeed. I've added all the patches that got added to xulrunner and
icedove recently (attached).

> 
> > On Wed, Mar 23, 2011 at 10:15:16PM +0100, Moritz Mühlenhoff wrote:
> > [..snip..] 
> > > We should fix iceowl updates which only update the Mozilla copies via
> > > s-p-u. If there're targeted vulnerabilities against iceowl (e.g. buffer
> > > overflow during contact import), we can push these through s.d.o.
> 
> Given the lack of support from upstream for iceowl beta releases, do
> they actually provide details of which portions of updates might be
> iceowl-specific?

Sunbird (standalone) is not supported by Mozilla anymore as of 1.0b1:

	http://en.wikipedia.org/wiki/Mozilla_Sunbird

Mozilla didn't put out any advisories for lightning or sunbird ever:

	http://www.mozilla.org/security/known-vulnerabilities/

> I do note that the discussion before the release about updating iceowl
> in stable very much implied that security updates would be pushed via
> the security archive, albeit not as the security team's top priority.

The update in stable was necessary to move iceowl to the same codebase
as icedove/xulrunner making it possible to reuse the patches. I'm
putting the security team on cc: so we can figure out how to best get
the updated iceowl versions into stable.
Cheers,
 -- Guido

[1.0~b1+dfsg2-2+squeeze2.diff (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#619850; Package release.debian.org. (Tue, 07 Jun 2011 07:27:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Tue, 07 Jun 2011 07:27:09 GMT) Full text and rfc822 format available.

Message #20 received at 619850@bugs.debian.org (full text, mbox):

From: Guido Günther <agx@sigxcpu.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 619850@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#619850: pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff
Date: Tue, 7 Jun 2011 09:25:01 +0200
On Sun, May 08, 2011 at 02:35:19PM +0200, Guido Günther wrote:
> On Sat, Apr 30, 2011 at 04:57:53PM +0100, Adam D. Barratt wrote:
> > [Apologies for managing to miss this earlier]
> > 
> > Hi,
> > 
> > On Sun, 2011-03-27 at 22:27 +0200, Guido Günther wrote:,
> > > I'd like to push iceowl 1.0~b1+dfsg2-2.squeeze1 to squeeze proposed
> > > updates. It contains the same updates as current icedove. 
> > 
> > Presumably this now requires a further update, in light of at least
> > MFSA2011-12?
> 
> Indeed. I've added all the patches that got added to xulrunner and
> icedove recently (attached).

Ping. Can this be pushed to s-p-u?
Cheers,
 -- Guido

> 
> > 
> > > On Wed, Mar 23, 2011 at 10:15:16PM +0100, Moritz Mühlenhoff wrote:
> > > [..snip..] 
> > > > We should fix iceowl updates which only update the Mozilla copies via
> > > > s-p-u. If there're targeted vulnerabilities against iceowl (e.g. buffer
> > > > overflow during contact import), we can push these through s.d.o.
> > 
> > Given the lack of support from upstream for iceowl beta releases, do
> > they actually provide details of which portions of updates might be
> > iceowl-specific?
> 
> Sunbird (standalone) is not supported by Mozilla anymore as of 1.0b1:
> 
> 	http://en.wikipedia.org/wiki/Mozilla_Sunbird
> 
> Mozilla didn't put out any advisories for lightning or sunbird ever:
> 
> 	http://www.mozilla.org/security/known-vulnerabilities/
> 
> > I do note that the discussion before the release about updating iceowl
> > in stable very much implied that security updates would be pushed via
> > the security archive, albeit not as the security team's top priority.
> 
> The update in stable was necessary to move iceowl to the same codebase
> as icedove/xulrunner making it possible to reuse the patches. I'm
> putting the security team on cc: so we can figure out how to best get
> the updated iceowl versions into stable.
> Cheers,
>  -- Guido
> 

> diff --git a/debian/changelog b/debian/changelog
> index 3d49bcc..f923ca0 100644
> --- a/debian/changelog
> +++ b/debian/changelog
> @@ -1,3 +1,40 @@
> +iceowl (1.0~b1+dfsg2-2+squeeze2) stable-proposed-updates; urgency=low
> +
> +  * [0e4ac0a] Apply security updates from xulrunner/icedove:
> +      - MFSA 2011-12 aka CVE-2011-0069, CVE-2011-0070, CVE-2011-0072,
> +                         CVE-2011-0074, CVE-2011-0075, CVE-2011-0077,
> +                         CVE-2011-0078, CVE-2011-0080:
> +        Miscellaneous memory safety hazards (rv:2.0.1/ 1.9.2.17/ 1.9.1.19)
> +      - MFSA 2011-13 aka CVE-2011-0065, CVE-2011-0066, CVE-2011-0073:
> +        Multiple dangling pointer vulnerabilities
> +      - MFSA 2011-14 aka CVE-2011-0067: Information stealing via form history
> +      - MFSA 2011-16 aka CVE-2011-0071: Directory traversal in resource:
> +        protocol
> +  * [51a3ea8] gfx/ots/include/opentype-sanitiser.h: strict alignment issues
> +    when displaying OpenType font. Patch taken from icedove.
> +
> + -- Guido Günther <agx@sigxcpu.org>  Sun, 08 May 2011 12:24:58 +0200
> +
> +iceowl (1.0~b1+dfsg2-2+squeeze1) stable-proposed-updates; urgency=low
> +
> +  * [b5181a9] backported patches from xulrunner fixes mfsa2011-{01-08,10}
> +    - MFSA 2011-01 aka CVE-2011-0053: Miscellaneous memory safety hazards
> +      (rv:1.9.2.14/ 1.9.1.17)
> +    - MFSA 2011-02 aka CVE-2011-0051: Recursive eval call causes confirm
> +      dialogs to evaluate to true
> +    - MFSA 2011-03 aka CVE-2011-0055: Use-after-free error in JSON.stringify
> +    - MFSA 2011-04 aka CVE-2011-0054: Buffer overflow in JavaScript upvarMap
> +    - MFSA 2011-05 aka CVE-2011-0056: Buffer overflow in JavaScript atom map
> +    - MFSA 2011-06 aka CVE-2011-0057: Use-after-free error using Web Workers
> +    - MFSA 2011-07 aka CVE-2011-0058: Memory corruption during text run
> +      construction (Windows)
> +    - MFSA 2011-08 aka CVE-2010-1585: ParanoidFragmentSink allows javascript:
> +      URLs in chrome documents
> +    - MFSA 2011-10 aka CVE-2011-0059: CSRF risk with plugins and 307 redirects
> +    Patches taken from icedove 3.0.11-1+squeeze1
> +
> + -- Guido Günther <agx@sigxcpu.org>  Fri, 11 Mar 2011 19:36:07 +0100
> +
>  iceowl (1.0~b1+dfsg2-2) unstable; urgency=low
>  
>    * [528ae26] Don't error-out when run-time libsqlite is older than build-time
> diff --git a/debian/gbp.conf b/debian/gbp.conf
> index bbd08ba..42142a6 100644
> --- a/debian/gbp.conf
> +++ b/debian/gbp.conf
> @@ -1,6 +1,7 @@
>  [DEFAULT]
>  upstream-branch = dfsg-upstream
>  upstream-tag = dfsg-upstream/%(version)s
> +debian-branch = squeeze
>  
>  [git-import-orig]
>  upstream-branch = upstream
> diff --git a/debian/patches/Bug-643137-strict-alignment-issues-when-displaying-O.patch b/debian/patches/Bug-643137-strict-alignment-issues-when-displaying-O.patch
> new file mode 100644
> index 0000000..caa3bd3
> --- /dev/null
> +++ b/debian/patches/Bug-643137-strict-alignment-issues-when-displaying-O.patch
> @@ -0,0 +1,30 @@
> +From e1cd1a61c0115bfca18ba1555ac78c1dd983c182 Mon Sep 17 00:00:00 2001
> +From: Landry Breuil <landry@openbsd.org>
> +Date: Fri, 25 Mar 2011 04:04:18 -3600
> +Subject: [PATCH] Bug 643137 - strict alignment issues when displaying
> + OpenType fonts on sparc64. r=roc
> +
> +---
> + gfx/ots/include/opentype-sanitiser.h |    6 ++++--
> + 1 files changed, 4 insertions(+), 2 deletions(-)
> +
> +diff --git a/mozilla/gfx/ots/include/opentype-sanitiser.h b/mozilla/gfx/ots/include/opentype-sanitiser.h
> +index ad719c1..f913692 100644
> +--- a/mozilla/gfx/ots/include/opentype-sanitiser.h
> ++++ b/mozilla/gfx/ots/include/opentype-sanitiser.h
> +@@ -68,8 +68,10 @@ class OTSStream {
> +     }
> + 
> +     while (length >= 4) {
> +-      chksum_ += ntohl(*reinterpret_cast<const uint32_t*>(
> +-          reinterpret_cast<const uint8_t*>(data) + offset));
> ++      uint32_t tmp;
> ++      std::memcpy(&tmp, reinterpret_cast<const uint8_t *>(data) + offset,
> ++        sizeof(uint32_t));
> ++      chksum_ += ntohl(tmp);
> +       length -= 4;
> +       offset += 4;
> +     }
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze1/Bug-553808-assertion-setting-template-datasources-r-.patch b/debian/patches/security/squeeze1/Bug-553808-assertion-setting-template-datasources-r-.patch
> new file mode 100644
> index 0000000..6aa105c
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-553808-assertion-setting-template-datasources-r-.patch
> @@ -0,0 +1,86 @@
> +From: Neil Deakin <neil@mozilla.com>
> +Date: Fri, 21 Jan 2011 14:48:59 -0500
> +Subject: Bug 553808, assertion setting template datasources, r=smaug, a=clegnitto
> +
> +---
> + content/xul/templates/src/nsXULTemplateBuilder.cpp |   19 ++++++++-----------
> + content/xul/templates/src/nsXULTemplateBuilder.h   |   15 +++++++++++++++
> + 2 files changed, 23 insertions(+), 11 deletions(-)
> +
> +diff --git a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
> +index 08016d9..5ae3122 100644
> +--- a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
> ++++ b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
> +@@ -1115,14 +1115,9 @@ nsXULTemplateBuilder::AttributeChanged(nsIDocument* aDocument,
> +         // Check for a change to the 'datasources' attribute. If so, setup
> +         // mDB by parsing the new value and rebuild.
> +         else if (aAttribute == nsGkAtoms::datasources) {
> +-            Uninit(PR_FALSE);  // Reset results
> +-            
> +-            PRBool shouldDelay;
> +-            LoadDataSources(aDocument, &shouldDelay);
> +-            if (!shouldDelay)
> +-                nsContentUtils::AddScriptRunner(
> +-                    NS_NEW_RUNNABLE_METHOD(nsXULTemplateBuilder, this,
> +-                                           RunnableRebuild));
> ++            nsContentUtils::AddScriptRunner(
> ++                NS_NEW_RUNNABLE_METHOD(nsXULTemplateBuilder, this,
> ++                                       RunnableLoadAndRebuild));
> +         }
> +     }
> + }
> +@@ -1139,8 +1134,9 @@ nsXULTemplateBuilder::ContentRemoved(nsIDocument* aDocument,
> +         if (mQueryProcessor)
> +             mQueryProcessor->Done();
> + 
> +-        // use false since content is going away anyway
> +-        Uninit(PR_FALSE);
> ++        // Pass false to Uninit since content is going away anyway
> ++        nsContentUtils::AddScriptRunner(
> ++            NS_NEW_RUNNABLE_METHOD(nsXULTemplateBuilder, this, UninitFalse));
> + 
> +         aDocument->RemoveObserver(this);
> + 
> +@@ -1177,7 +1173,8 @@ nsXULTemplateBuilder::NodeWillBeDestroyed(const nsINode* aNode)
> +     mCompDB = nsnull;
> +     mRoot = nsnull;
> + 
> +-    Uninit(PR_TRUE);
> ++    nsContentUtils::AddScriptRunner(
> ++        NS_NEW_RUNNABLE_METHOD(nsXULTemplateBuilder, this, UninitTrue));
> + }
> + 
> + 
> +diff --git a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
> +index b938f4f..764cc86 100644
> +--- a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
> ++++ b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
> +@@ -46,6 +46,7 @@
> + #include "nsStubDocumentObserver.h"
> + #include "nsIScriptSecurityManager.h"
> + #include "nsIContent.h"
> ++#include "nsIDocument.h"
> + #include "nsIObserver.h"
> + #include "nsIRDFCompositeDataSource.h"
> + #include "nsIRDFContainer.h"
> +@@ -153,6 +154,20 @@ public:
> +     RebuildAll() = 0; // must be implemented by subclasses
> + 
> +     void RunnableRebuild() { Rebuild(); }
> ++    void RunnableLoadAndRebuild() {
> ++      Uninit(PR_FALSE);  // Reset results
> ++
> ++      nsCOMPtr<nsIDocument> doc = mRoot ? mRoot->GetDocument() : nsnull;
> ++      if (doc) {
> ++        PRBool shouldDelay;
> ++        LoadDataSources(doc, &shouldDelay);
> ++        if (!shouldDelay) {
> ++          Rebuild();
> ++        }
> ++      }
> ++    }
> ++    void UninitFalse() { Uninit(PR_FALSE); }
> ++    void UninitTrue() { Uninit(PR_TRUE); }
> + 
> +     /**
> +      * Find the <template> tag that applies for this builder
> diff --git a/debian/patches/security/squeeze1/Bug-558531-fix-typo-in-JS_ResolveStandardClass-r-wal.patch b/debian/patches/security/squeeze1/Bug-558531-fix-typo-in-JS_ResolveStandardClass-r-wal.patch
> new file mode 100644
> index 0000000..66da392
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-558531-fix-typo-in-JS_ResolveStandardClass-r-wal.patch
> @@ -0,0 +1,21 @@
> +From: David Mandelin <dmandelin@mozilla.com>
> +Date: Wed, 21 Apr 2010 11:37:18 -0700
> +Subject: Bug 558531: fix typo in JS_ResolveStandardClass, r=waldo, a=blocking
> +
> +---
> + js/src/jsapi.cpp |    2 +-
> + 1 files changed, 1 insertions(+), 1 deletions(-)
> +
> +diff --git a/mozilla/js/src/jsapi.cpp b/mozilla/js/src/jsapi.cpp
> +index 25e4b08..bac3756 100644
> +--- a/mozilla/js/src/jsapi.cpp
> ++++ b/mozilla/js/src/jsapi.cpp
> +@@ -1561,7 +1561,7 @@ JS_ResolveStandardClass(JSContext *cx, JSObject *obj, jsval id,
> +                 if (!atom)
> +                     return JS_FALSE;
> +                 if (idstr == ATOM_TO_STRING(atom)) {
> +-                    stdnm = &standard_class_names[i];
> ++                    stdnm = &object_prototype_names[i];
> +                     break;
> +                 }
> +             }
> diff --git a/debian/patches/security/squeeze1/Bug-558541-Simplify-some-code-in-js_SetPropertyHelpe.patch b/debian/patches/security/squeeze1/Bug-558541-Simplify-some-code-in-js_SetPropertyHelpe.patch
> new file mode 100644
> index 0000000..daf0475
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-558541-Simplify-some-code-in-js_SetPropertyHelpe.patch
> @@ -0,0 +1,49 @@
> +From: Jeff Walden <jwalden@mit.edu>
> +Date: Tue, 13 Apr 2010 13:34:31 -0700
> +Subject: Bug 558541 - Simplify some code in js_SetPropertyHelper to make it more understandable. r=jorendorff, a=blocking1.9.1.17
> +
> +---
> + js/src/jsobj.cpp |   16 +++++++++++-----
> + 1 files changed, 11 insertions(+), 5 deletions(-)
> +
> +diff --git a/mozilla/js/src/jsobj.cpp b/mozilla/js/src/jsobj.cpp
> +index 857ba8a..78a577a 100644
> +--- a/mozilla/js/src/jsobj.cpp
> ++++ b/mozilla/js/src/jsobj.cpp
> +@@ -4468,6 +4468,12 @@ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, JSBool cacheResult,
> +             (SCOPE_IS_SEALED(scope) && (attrs & JSPROP_SHARED))) {
> +             JS_UNLOCK_SCOPE(cx, scope);
> + 
> ++            PCMETER(cacheResult && JS_PROPERTY_CACHE(cx).rofills++);
> ++            if (cacheResult) {
> ++                JS_ASSERT_NOT_ON_TRACE(cx);
> ++                TRACE_2(SetPropHit, JS_NO_PROP_CACHE_FILL, sprop);
> ++            }
> ++
> +             /*
> +              * Here, we'll either return true or goto read_only_error, which
> +              * reports a strict warning or throws an error.  So we redefine
> +@@ -4480,18 +4486,18 @@ js_SetPropertyHelper(JSContext *cx, JSObject *obj, jsid id, JSBool cacheResult,
> +             if (attrs & JSPROP_READONLY) {
> +                 if (!JS_HAS_STRICT_OPTION(cx)) {
> +                     /* Just return true per ECMA if not in strict mode. */
> +-                    PCMETER(cacheResult && JS_PROPERTY_CACHE(cx).rofills++);
> +-                    if (cacheResult)
> +-                        TRACE_2(SetPropHit, JS_NO_PROP_CACHE_FILL, sprop);
> +                     return JS_TRUE;
> +-                error: // TRACE_2 jumps here in case of error.
> +-                    return JS_FALSE;
> +                 }
> + 
> +                 /* Strict mode: report a read-only strict warning. */
> +                 flags = JSREPORT_STRICT | JSREPORT_WARNING;
> +             }
> +             goto read_only_error;
> ++
> ++#ifdef JS_TRACER
> ++          error: // TRACE_2 jumps here in case of error.
> ++            return JS_FALSE;
> ++#endif
> +         }
> + 
> +         if (pobj != obj) {
> diff --git a/debian/patches/security/squeeze1/Bug-573873-Bustage-fix.-a-dveditz.patch b/debian/patches/security/squeeze1/Bug-573873-Bustage-fix.-a-dveditz.patch
> new file mode 100644
> index 0000000..3496912
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-573873-Bustage-fix.-a-dveditz.patch
> @@ -0,0 +1,20 @@
> +From: Josh Aas <joshmoz@gmail.com>
> +Date: Wed, 8 Dec 2010 16:16:09 -0500
> +Subject: Bug 573873: Bustage fix. a=dveditz
> +
> +---
> + content/base/public/nsContentUtils.h |    1 +
> + 1 files changed, 1 insertions(+), 0 deletions(-)
> +
> +diff --git a/mozilla/content/base/public/nsContentUtils.h b/mozilla/content/base/public/nsContentUtils.h
> +index 6a4626b..127d803 100644
> +--- a/mozilla/content/base/public/nsContentUtils.h
> ++++ b/mozilla/content/base/public/nsContentUtils.h
> +@@ -115,6 +115,7 @@ class nsIXTFService;
> + class nsIBidiKeyboard;
> + #endif
> + class nsIMIMEHeaderParam;
> ++class nsIChannel;
> + 
> + extern const char kLoadAsData[];
> + 
> diff --git a/debian/patches/security/squeeze1/Bug-573873-Fix-bug-in-HTTP-handling-for-plugins.-r-j.patch b/debian/patches/security/squeeze1/Bug-573873-Fix-bug-in-HTTP-handling-for-plugins.-r-j.patch
> new file mode 100644
> index 0000000..2eb32de
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-573873-Fix-bug-in-HTTP-handling-for-plugins.-r-j.patch
> @@ -0,0 +1,345 @@
> +From: Josh Aas <joshmoz@gmail.com>
> +Date: Wed, 8 Dec 2010 15:38:35 -0500
> +Subject: Bug 573873: Fix bug in HTTP handling for plugins. r=jst a=dveditz
> +
> +---
> + content/base/public/nsContentUtils.h         |    4 +-
> + content/base/public/nsIContentUtils.h        |   19 ++++
> + content/base/src/nsContentUtils.cpp          |   39 ++++++---
> + layout/build/nsLayoutCID.h                   |    4 +
> + layout/build/nsLayoutModule.cpp              |    5 +
> + modules/plugin/base/src/nsPluginHostImpl.cpp |  114 ++++++++++++++++++++++----
> + 6 files changed, 156 insertions(+), 29 deletions(-)
> +
> +diff --git a/mozilla/content/base/public/nsContentUtils.h b/mozilla/content/base/public/nsContentUtils.h
> +index b3c7b11..6a4626b 100644
> +--- a/mozilla/content/base/public/nsContentUtils.h
> ++++ b/mozilla/content/base/public/nsContentUtils.h
> +@@ -1380,7 +1380,9 @@ public:
> + 
> +   static JSContext *GetCurrentJSContext();
> + 
> +-                                             
> ++
> ++  // Returns NS_OK for same origin, error (NS_ERROR_DOM_BAD_URI) if not.
> ++  static nsresult CheckSameOrigin(nsIChannel *aOldChannel, nsIChannel *aNewChannel);
> +   static nsIInterfaceRequestor* GetSameOriginChecker();
> + 
> +   static nsIThreadJSContextStack* ThreadJSContextStack()
> +diff --git a/mozilla/content/base/public/nsIContentUtils.h b/mozilla/content/base/public/nsIContentUtils.h
> +index 35a4f1f..fab84e5 100644
> +--- a/mozilla/content/base/public/nsIContentUtils.h
> ++++ b/mozilla/content/base/public/nsIContentUtils.h
> +@@ -37,6 +37,8 @@
> + #ifndef nsIContentUtils_h__
> + #define nsIContentUtils_h__
> + 
> ++class nsIChannel;
> ++
> + // C4EA618E-A3D9-4524-8EEA-E92F26FC44DB
> + #define NS_ICONTENTUTILS_IID \
> + { 0xC4EA618E, 0xA3D9, 0x4524, \
> +@@ -53,4 +55,21 @@ public:
> + 
> + NS_DEFINE_STATIC_IID_ACCESSOR(nsIContentUtils, NS_ICONTENTUTILS_IID)
> + 
> ++// {fbff0101-84ad-49f0-aea0-97ee4863bf55}
> ++#define NS_ICONTENTUTILS2_IID \
> ++{ 0xfbff0101, 0x84ad, 0x49f0, \
> ++{ 0xae, 0xa0, 0x97, 0xee, 0x48, 0x63, 0xbf, 0x55 } }
> ++
> ++class nsIContentUtils2 : public nsISupports
> ++{
> ++public:
> ++  NS_DECLARE_STATIC_IID_ACCESSOR(NS_ICONTENTUTILS2_IID)
> ++  NS_DECL_ISUPPORTS
> ++
> ++  // Returns NS_OK for same origin, error (NS_ERROR_DOM_BAD_URI) if not.
> ++  virtual nsresult CheckSameOrigin(nsIChannel *aOldChannel, nsIChannel *aNewChannel);
> ++};
> ++
> ++NS_DEFINE_STATIC_IID_ACCESSOR(nsIContentUtils2, NS_ICONTENTUTILS2_IID)
> ++
> + #endif /* nsIContentUtils_h__ */
> +diff --git a/mozilla/content/base/src/nsContentUtils.cpp b/mozilla/content/base/src/nsContentUtils.cpp
> +index d4409ac..fdda952 100644
> +--- a/mozilla/content/base/src/nsContentUtils.cpp
> ++++ b/mozilla/content/base/src/nsContentUtils.cpp
> +@@ -4372,6 +4372,14 @@ nsIContentUtils::IsSafeToRunScript()
> +   return nsContentUtils::IsSafeToRunScript();
> + }
> + 
> ++NS_IMPL_ISUPPORTS1(nsIContentUtils2, nsIContentUtils2)
> ++
> ++nsresult
> ++nsIContentUtils2::CheckSameOrigin(nsIChannel *aOldChannel, nsIChannel *aNewChannel)
> ++{
> ++  return nsContentUtils::CheckSameOrigin(aOldChannel, aNewChannel);
> ++}
> ++
> + /* static */
> + PRBool
> + nsContentUtils::AddScriptRunner(nsIRunnable* aRunnable)
> +@@ -4601,20 +4609,12 @@ nsContentUtils::GetSameOriginChecker()
> +   return sSameOriginChecker;
> + }
> + 
> +-
> +-NS_IMPL_ISUPPORTS2(nsSameOriginChecker,
> +-                   nsIChannelEventSink,
> +-                   nsIInterfaceRequestor)
> +-
> +-NS_IMETHODIMP
> +-nsSameOriginChecker::OnChannelRedirect(nsIChannel *aOldChannel,
> +-                                       nsIChannel *aNewChannel,
> +-                                       PRUint32    aFlags)
> ++/* static */
> ++nsresult
> ++nsContentUtils::CheckSameOrigin(nsIChannel *aOldChannel, nsIChannel *aNewChannel)
> + {
> +-  NS_PRECONDITION(aNewChannel, "Redirecting to null channel?");
> +-  if (!nsContentUtils::GetSecurityManager()) {
> ++  if (!nsContentUtils::GetSecurityManager())
> +     return NS_ERROR_NOT_AVAILABLE;
> +-  }
> + 
> +   nsCOMPtr<nsIPrincipal> oldPrincipal;
> +   nsContentUtils::GetSecurityManager()->
> +@@ -4631,9 +4631,24 @@ nsSameOriginChecker::OnChannelRedirect(nsIChannel *aOldChannel,
> +   if (NS_SUCCEEDED(rv) && newOriginalURI != newURI) {
> +     rv = oldPrincipal->CheckMayLoad(newOriginalURI, PR_FALSE);
> +   }
> ++
> +   return rv;
> + }
> + 
> ++NS_IMPL_ISUPPORTS2(nsSameOriginChecker,
> ++                   nsIChannelEventSink,
> ++                   nsIInterfaceRequestor)
> ++
> ++NS_IMETHODIMP
> ++nsSameOriginChecker::OnChannelRedirect(nsIChannel *aOldChannel,
> ++                                       nsIChannel *aNewChannel,
> ++                                       PRUint32    aFlags)
> ++{
> ++  NS_PRECONDITION(aNewChannel, "Redirecting to null channel?");
> ++
> ++  return nsContentUtils::CheckSameOrigin(aOldChannel, aNewChannel);
> ++}
> ++
> + NS_IMETHODIMP
> + nsSameOriginChecker::GetInterface(const nsIID & aIID, void **aResult)
> + {
> +diff --git a/mozilla/layout/build/nsLayoutCID.h b/mozilla/layout/build/nsLayoutCID.h
> +index 7bdd04c..ea01eaf 100644
> +--- a/mozilla/layout/build/nsLayoutCID.h
> ++++ b/mozilla/layout/build/nsLayoutCID.h
> +@@ -234,6 +234,10 @@
> + #define NS_ICONTENTUTILS_CID \
> + { 0x762C4AE7, 0xB923, 0x422F, { 0xB9, 0x7E, 0xB9, 0xBF, 0xC1, 0xEF, 0x7B, 0xF0 } }
> + 
> ++// {7f5fef90-44bf-4d5c-a9fa-884eb7e7cdee}
> ++#define NS_ICONTENTUTILS2_CID \
> ++{ 0x7f5fef90, 0x44bf, 0x4d5c, { 0xa9, 0xfa, 0x88, 0x4e, 0xb7, 0xe7, 0xcd, 0xee } }
> ++
> + #ifdef MOZ_MEDIA
> + #define NS_HTMLAUDIOELEMENT_CID                   \
> + { /* 1d40026b-4c44-4f6f-b158-26bb5e9c65e9 */      \
> +diff --git a/mozilla/layout/build/nsLayoutModule.cpp b/mozilla/layout/build/nsLayoutModule.cpp
> +index 7590300..0d31df8 100644
> +--- a/mozilla/layout/build/nsLayoutModule.cpp
> ++++ b/mozilla/layout/build/nsLayoutModule.cpp
> +@@ -544,6 +544,7 @@ MAKE_CTOR(CreateVideoDocument,            nsIDocument,                 NS_NewVid
> + #endif
> + 
> + NS_GENERIC_FACTORY_CONSTRUCTOR(nsIContentUtils)
> ++NS_GENERIC_FACTORY_CONSTRUCTOR(nsIContentUtils2)
> + 
> + #ifdef MOZ_ENABLE_CANVAS
> + MAKE_CTOR(CreateCanvasRenderingContext2D, nsIDOMCanvasRenderingContext2D, NS_NewCanvasRenderingContext2D)
> +@@ -1483,6 +1484,10 @@ static const nsModuleComponentInfo gComponents[] = {
> +       "@mozilla.org/content/contentutils;1",
> +       nsIContentUtilsConstructor },
> + 
> ++    { "Content Utils 2",
> ++      NS_ICONTENTUTILS2_CID,
> ++      "@mozilla.org/content/contentutils2;1",
> ++      nsIContentUtils2Constructor },
> + };
> + 
> + NS_IMPL_NSGETMODULE_WITH_CTOR(nsLayoutModule, gComponents, Initialize)
> +diff --git a/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp b/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp
> +index 331428d..e9053cb 100644
> +--- a/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp
> ++++ b/mozilla/modules/plugin/base/src/nsPluginHostImpl.cpp
> +@@ -176,6 +176,10 @@
> + #include "nsIContentPolicy.h"
> + #include "nsContentPolicyUtils.h"
> + #include "nsContentErrors.h"
> ++#include "nsIContentUtils.h"
> ++
> ++#include "nsIInterfaceRequestor.h"
> ++#include "nsIChannelEventSink.h"
> + 
> + #if defined(XP_UNIX) && defined(MOZ_WIDGET_GTK2) & defined(MOZ_X11)
> + #include <gdk/gdkx.h> // for GDK_DISPLAY()
> +@@ -1224,7 +1228,9 @@ private:
> + class nsPluginStreamListenerPeer : public nsIStreamListener,
> +                                    public nsIProgressEventSink,
> +                                    public nsIHttpHeaderVisitor,
> +-                                   public nsSupportsWeakReference
> ++                                   public nsSupportsWeakReference,
> ++                                   public nsIInterfaceRequestor,
> ++                                   public nsIChannelEventSink
> + {
> + public:
> +   nsPluginStreamListenerPeer();
> +@@ -1235,6 +1241,8 @@ public:
> +   NS_DECL_NSIREQUESTOBSERVER
> +   NS_DECL_NSISTREAMLISTENER
> +   NS_DECL_NSIHTTPHEADERVISITOR
> ++  NS_DECL_NSIINTERFACEREQUESTOR
> ++  NS_DECL_NSICHANNELEVENTSINK
> + 
> +   // Called by GetURL and PostURL (via NewStream)
> +   nsresult Initialize(nsIURI *aURL,
> +@@ -1259,6 +1267,7 @@ private:
> +   nsresult SetUpCache(nsIURI* aURL); // todo: see about removing this...
> +   nsresult SetUpStreamListener(nsIRequest* request, nsIURI* aURL);
> +   nsresult SetupPluginCacheFile(nsIChannel* channel);
> ++  nsresult GetInterfaceGlobal(const nsIID& aIID, void** result);
> + 
> +   nsIURI                  *mURL;
> +   nsIPluginInstanceOwner  *mOwner;
> +@@ -1676,11 +1685,13 @@ nsPluginStreamListenerPeer::~nsPluginStreamListenerPeer()
> +   delete mDataForwardToRequest;
> + }
> + 
> +-NS_IMPL_ISUPPORTS4(nsPluginStreamListenerPeer,
> ++NS_IMPL_ISUPPORTS6(nsPluginStreamListenerPeer,
> +                    nsIStreamListener,
> +                    nsIRequestObserver,
> +                    nsIHttpHeaderVisitor,
> +-                   nsISupportsWeakReference)
> ++                   nsISupportsWeakReference,
> ++                   nsIInterfaceRequestor,
> ++                   nsIChannelEventSink)
> + 
> + // Called as a result of GetURL and PostURL
> + nsresult nsPluginStreamListenerPeer::Initialize(nsIURI *aURL,
> +@@ -2487,6 +2498,89 @@ nsPluginStreamListenerPeer::VisitHeader(const nsACString &header, const nsACStri
> +                                      PromiseFlatCString(value).get());
> + }
> + 
> ++nsresult
> ++nsPluginStreamListenerPeer::GetInterfaceGlobal(const nsIID& aIID, void** result)
> ++{
> ++  if (!mInstance) {
> ++    return NS_ERROR_FAILURE;
> ++  }
> ++
> ++  nsCOMPtr<nsIPluginInstancePeer> instancePeer;
> ++  nsresult rv = mInstance->GetPeer(getter_AddRefs(instancePeer));
> ++  if (NS_FAILED(rv) || !instancePeer) {
> ++    return NS_ERROR_FAILURE;
> ++  }
> ++
> ++  nsCOMPtr<nsPIPluginInstancePeer> pInstancePeer(do_QueryInterface(instancePeer));
> ++  nsCOMPtr<nsIPluginInstanceOwner> owner;
> ++  rv = pInstancePeer->GetOwner(getter_AddRefs(owner));
> ++  if (NS_SUCCEEDED(rv) && owner) {
> ++    nsCOMPtr<nsIDocument> doc;
> ++    nsresult rv = owner->GetDocument(getter_AddRefs(doc));
> ++    if (NS_SUCCEEDED(rv) && doc) {
> ++      nsPIDOMWindow *window = doc->GetWindow();
> ++      if (window) {
> ++        nsCOMPtr<nsIWebNavigation> webNav = do_GetInterface(window);
> ++        nsCOMPtr<nsIInterfaceRequestor> ir = do_QueryInterface(webNav);
> ++        return ir->GetInterface(aIID, result);
> ++      }
> ++    }
> ++  }
> ++
> ++  return NS_ERROR_FAILURE;
> ++}
> ++
> ++NS_IMETHODIMP
> ++nsPluginStreamListenerPeer::GetInterface(const nsIID& aIID, void** result)
> ++{
> ++  // Provide nsIChannelEventSink ourselves, otherwise let our document's
> ++  // window provide the interface.
> ++
> ++  if (aIID.Equals(NS_GET_IID(nsIChannelEventSink))) {
> ++    return QueryInterface(aIID, result);
> ++  }
> ++
> ++  return GetInterfaceGlobal(aIID, result);
> ++}
> ++
> ++NS_IMETHODIMP
> ++nsPluginStreamListenerPeer::OnChannelRedirect(nsIChannel *oldChannel, nsIChannel *newChannel, PRUint32 flags)
> ++{
> ++  // Don't allow cross-origin 307 POST redirects. Fall back to channel event sink for window.
> ++
> ++  nsCOMPtr<nsIHttpChannel> oldHttpChannel(do_QueryInterface(oldChannel));
> ++  if (oldHttpChannel) {
> ++    PRUint32 responseStatus;
> ++    nsresult rv = oldHttpChannel->GetResponseStatus(&responseStatus);
> ++    if (NS_FAILED(rv)) {
> ++      return rv;
> ++    }
> ++    if (responseStatus == 307) {
> ++      nsCAutoString method;
> ++      rv = oldHttpChannel->GetRequestMethod(method);
> ++      if (NS_FAILED(rv)) {
> ++        return rv;
> ++      }
> ++      if (method.EqualsLiteral("POST")) {
> ++        nsCOMPtr<nsIContentUtils2> contentUtils2 = do_GetService("@mozilla.org/content/contentutils2;1");
> ++        NS_ENSURE_TRUE(contentUtils2, NS_ERROR_FAILURE);
> ++        rv = contentUtils2->CheckSameOrigin(oldChannel, newChannel);
> ++        if (NS_FAILED(rv)) {
> ++          return rv;
> ++        }
> ++      }
> ++    }
> ++  }
> ++
> ++  nsCOMPtr<nsIChannelEventSink> channelEventSink;
> ++  nsresult rv = GetInterfaceGlobal(NS_GET_IID(nsIChannelEventSink), getter_AddRefs(channelEventSink));
> ++  if (NS_FAILED(rv)) {
> ++    return NS_ERROR_FAILURE;
> ++  }
> ++
> ++  return channelEventSink->OnChannelRedirect(oldChannel, newChannel, flags);
> ++}
> ++
> + nsPluginHostImpl::nsPluginHostImpl()
> + {
> +   mPluginsLoaded = PR_FALSE;
> +@@ -5714,24 +5808,12 @@ NS_IMETHODIMP nsPluginHostImpl::NewPluginURLStream(const nsString& aURL,
> +     rv = listenerPeer->Initialize(url, aInstance, aListener);
> + 
> +     if (NS_SUCCEEDED(rv)) {
> +-      nsCOMPtr<nsIInterfaceRequestor> callbacks;
> +-      if (doc) {
> +-        // Get the script global object owner and use that as the
> +-        // notification callback.
> +-        nsIScriptGlobalObject* global = doc->GetScriptGlobalObject();
> +-        if (global) {
> +-          nsCOMPtr<nsIWebNavigation> webNav = do_GetInterface(global);
> +-          callbacks = do_QueryInterface(webNav);
> +-        }
> +-      }
> +-
> +       nsCOMPtr<nsIChannel> channel;
> +-
> +       rv = NS_NewChannel(getter_AddRefs(channel), url, nsnull,
> +         nsnull, /* do not add this internal plugin's channel
> +                 on the load group otherwise this channel could be canceled
> +                 form |nsWebShell::OnLinkClickSync| bug 166613 */
> +-        callbacks);
> ++        listenerPeer);
> +       if (NS_FAILED(rv))
> +         return rv;
> + 
> diff --git a/debian/patches/security/squeeze1/Bug-576649.-r-dbaron-a-blocking1.9.1.17.patch b/debian/patches/security/squeeze1/Bug-576649.-r-dbaron-a-blocking1.9.1.17.patch
> new file mode 100644
> index 0000000..2b13840
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-576649.-r-dbaron-a-blocking1.9.1.17.patch
> @@ -0,0 +1,82 @@
> +From: Mats Palmgren <matspal@gmail.com>
> +Date: Wed, 19 Jan 2011 00:13:49 +0100
> +Subject: Bug 576649. r=dbaron a=blocking1.9.1.17
> +
> +---
> + layout/base/nsCSSFrameConstructor.cpp |   12 +++++++-----
> + layout/base/nsFrameManager.cpp        |   20 +++++++++++++-------
> + 2 files changed, 20 insertions(+), 12 deletions(-)
> +
> +diff --git a/mozilla/layout/base/nsCSSFrameConstructor.cpp b/mozilla/layout/base/nsCSSFrameConstructor.cpp
> +index 09b2695..52bfc64 100644
> +--- a/mozilla/layout/base/nsCSSFrameConstructor.cpp
> ++++ b/mozilla/layout/base/nsCSSFrameConstructor.cpp
> +@@ -9693,13 +9693,15 @@ UpdateViewsForTree(nsIFrame* aFrame, nsIViewManager* aViewManager,
> +       if (!(child->GetStateBits() & NS_FRAME_OUT_OF_FLOW)
> +           || (child->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER)) {
> +         // only do frames that don't have placeholders
> +-        if (nsGkAtoms::placeholderFrame == child->GetType()) { // placeholder
> +-          // get out of flow frame and start over there
> ++        if (nsGkAtoms::placeholderFrame == child->GetType()) {
> ++          // do the out-of-flow frame and its continuations
> +           nsIFrame* outOfFlowFrame =
> +             nsPlaceholderFrame::GetRealFrameForPlaceholder(child);
> +-
> +-          DoApplyRenderingChangeToTree(outOfFlowFrame, aViewManager,
> +-                                       aFrameManager, aChange);
> ++          do {
> ++            DoApplyRenderingChangeToTree(outOfFlowFrame, aViewManager,
> ++                                         aFrameManager, aChange);
> ++          } while ((outOfFlowFrame = outOfFlowFrame->GetNextContinuation()) &&
> ++                   (outOfFlowFrame->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER));
> +         }
> +         else {  // regular frame
> +           UpdateViewsForTree(child, aViewManager, aFrameManager, aChange);
> +diff --git a/mozilla/layout/base/nsFrameManager.cpp b/mozilla/layout/base/nsFrameManager.cpp
> +index 4704dab..c9f3e25 100644
> +--- a/mozilla/layout/base/nsFrameManager.cpp
> ++++ b/mozilla/layout/base/nsFrameManager.cpp
> +@@ -22,6 +22,7 @@
> +  * the Initial Developer. All Rights Reserved.
> +  *
> +  * Contributor(s):
> ++ *   Mats Palmgren <matspal@gmail.com>
> +  *
> +  * Alternatively, the contents of this file may be used under the terms of
> +  * either of the GNU General Public License Version 2 or later (the "GPL"),
> +@@ -935,12 +936,14 @@ nsresult
> + nsFrameManager::ReParentStyleContext(nsIFrame* aFrame)
> + {
> +   if (nsGkAtoms::placeholderFrame == aFrame->GetType()) {
> +-    // Also reparent the out-of-flow
> ++    // Also reparent the out-of-flow and all its continuations.
> +     nsIFrame* outOfFlow =
> +       nsPlaceholderFrame::GetRealFrameForPlaceholder(aFrame);
> +     NS_ASSERTION(outOfFlow, "no out-of-flow frame");
> +-
> +-    ReParentStyleContext(outOfFlow);
> ++    do {
> ++      ReParentStyleContext(outOfFlow);
> ++    } while ((outOfFlow = outOfFlow->GetNextContinuation()) &&
> ++             (outOfFlow->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER));
> +   }
> + 
> +   // DO NOT verify the style tree before reparenting.  The frame
> +@@ -1483,10 +1486,13 @@ nsFrameManager::ReResolveStyleContext(nsPresContext     *aPresContext,
> + 
> +               // |nsFrame::GetParentStyleContextFrame| checks being out
> +               // of flow so that this works correctly.
> +-              ReResolveStyleContext(aPresContext, outOfFlowFrame,
> +-                                    content, aChangeList,
> +-                                    NS_SubtractHint(aMinChange,
> +-                                                    nsChangeHint_ReflowFrame));
> ++              do {
> ++                ReResolveStyleContext(aPresContext, outOfFlowFrame,
> ++                                      content, aChangeList,
> ++                                      NS_SubtractHint(aMinChange,
> ++                                                      nsChangeHint_ReflowFrame));
> ++              } while ((outOfFlowFrame = outOfFlowFrame->GetNextContinuation()) &&
> ++                       (outOfFlowFrame->GetStateBits() & NS_FRAME_IS_OVERFLOW_CONTAINER));
> + 
> +               // reresolve placeholder's context under the same parent
> +               // as the out-of-flow frame
> diff --git a/debian/patches/security/squeeze1/Bug-602115-Fix-XSLT-error-handling-bugs.-r-peterv-a-.patch b/debian/patches/security/squeeze1/Bug-602115-Fix-XSLT-error-handling-bugs.-r-peterv-a-.patch
> new file mode 100644
> index 0000000..e17772b
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-602115-Fix-XSLT-error-handling-bugs.-r-peterv-a-.patch
> @@ -0,0 +1,206 @@
> +From: Jonas Sicking <jonas@sicking.cc>
> +Date: Mon, 13 Dec 2010 14:24:55 -0800
> +Subject: Bug 602115: Fix XSLT error handling bugs. r=peterv a=dveditz
> +
> +---
> + content/xslt/crashtests/602115.html              |   22 ++++++++++
> + content/xslt/crashtests/crashtests.list          |    1 +
> + content/xslt/src/xslt/txExecutionState.cpp       |   49 ++++++---------------
> + content/xslt/src/xslt/txExecutionState.h         |    9 ++--
> + content/xslt/src/xslt/txMozillaXSLTProcessor.cpp |   12 ++++--
> + 5 files changed, 49 insertions(+), 44 deletions(-)
> + create mode 100644 content/xslt/crashtests/602115.html
> +
> +diff --git a/mozilla/content/xslt/crashtests/602115.html b/mozilla/content/xslt/crashtests/602115.html
> +new file mode 100644
> +index 0000000..ad42d76
> +--- /dev/null
> ++++ b/mozilla/content/xslt/crashtests/602115.html
> +@@ -0,0 +1,22 @@
> ++<!DOCTYPE html>
> ++<script>
> ++
> ++try {
> ++  var docType = document.implementation.createDocumentType(undefined, '', '');
> ++  var doc = document.implementation.createDocument('', '', null);
> ++  var xp = new XSLTProcessor;
> ++  xp.importStylesheet(doc);
> ++  xp.transformToDocument(docType);
> ++}
> ++catch (ex) {}
> ++
> ++try {
> ++  docType = document.implementation.createDocumentType(undefined, '', '');
> ++  doc = document.implementation.createDocument('', '', null);
> ++  xp = new XSLTProcessor;
> ++  xp.importStylesheet(doc);
> ++  xp.transformToFragment(docType, document);
> ++}
> ++catch (ex) {}
> ++
> ++</script>
> +diff --git a/mozilla/content/xslt/crashtests/crashtests.list b/mozilla/content/xslt/crashtests/crashtests.list
> +index ba6447d..d44f34f 100644
> +--- a/mozilla/content/xslt/crashtests/crashtests.list
> ++++ b/mozilla/content/xslt/crashtests/crashtests.list
> +@@ -8,3 +8,4 @@ load 485286.xml
> + load 528300.xml
> + load 528488.xml
> + load 545927.html
> ++load 602115.html
> +diff --git a/mozilla/content/xslt/src/xslt/txExecutionState.cpp b/mozilla/content/xslt/src/xslt/txExecutionState.cpp
> +index d8f5ec7..a2aa72a 100644
> +--- a/mozilla/content/xslt/src/xslt/txExecutionState.cpp
> ++++ b/mozilla/content/xslt/src/xslt/txExecutionState.cpp
> +@@ -90,9 +90,6 @@ txExecutionState::txExecutionState(txStylesheet* aStylesheet,
> +       mNextInstruction(nsnull),
> +       mLocalVariables(nsnull),
> +       mRecursionDepth(0),
> +-      mTemplateRules(nsnull),
> +-      mTemplateRulesBufferSize(0),
> +-      mTemplateRuleCount(0),
> +       mEvalContext(nsnull),
> +       mInitialEvalContext(nsnull),
> +       mGlobalParams(nsnull),
> +@@ -109,12 +106,6 @@ txExecutionState::~txExecutionState()
> +     delete mResultHandler;
> +     delete mLocalVariables;
> +     delete mEvalContext;
> +-
> +-    PRInt32 i;
> +-    for (i = 0; i < mTemplateRuleCount; ++i) {
> +-        NS_IF_RELEASE(mTemplateRules[i].mModeLocalName);
> +-    }
> +-    delete [] mTemplateRules;
> +     
> +     txStackIterator varsIter(&mLocalVarsStack);
> +     while (varsIter.hasNext()) {
> +@@ -204,7 +195,11 @@ txExecutionState::init(const txXPathNode& aNode,
> + nsresult
> + txExecutionState::end(nsresult aResult)
> + {
> +-    popTemplateRule();
> ++    NS_ASSERTION(NS_FAILED(aResult) || mTemplateRules.Length() == 1,
> ++                 "Didn't clean up template rules properly");
> ++    if (NS_SUCCEEDED(aResult)) {
> ++        popTemplateRule();
> ++    }
> +     return mOutputHandler->endDocument(aResult);
> + }
> + 
> +@@ -408,35 +403,18 @@ txExecutionState::pushTemplateRule(txStylesheet::ImportFrame* aFrame,
> +                                    const txExpandedName& aMode,
> +                                    txVariableMap* aParams)
> + {
> +-    if (mTemplateRuleCount == mTemplateRulesBufferSize) {
> +-        PRInt32 newSize =
> +-            mTemplateRulesBufferSize ? mTemplateRulesBufferSize * 2 : 10;
> +-        TemplateRule* newRules = new TemplateRule[newSize];
> +-        NS_ENSURE_TRUE(newRules, NS_ERROR_OUT_OF_MEMORY);
> +-        
> +-        memcpy(newRules, mTemplateRules,
> +-               mTemplateRuleCount * sizeof(TemplateRule));
> +-        delete [] mTemplateRules;
> +-        mTemplateRules = newRules;
> +-        mTemplateRulesBufferSize = newSize;
> +-    }
> +-
> +-    mTemplateRules[mTemplateRuleCount].mFrame = aFrame;
> +-    mTemplateRules[mTemplateRuleCount].mModeNsId = aMode.mNamespaceID;
> +-    mTemplateRules[mTemplateRuleCount].mModeLocalName = aMode.mLocalName;
> +-    mTemplateRules[mTemplateRuleCount].mParams = aParams;
> +-    NS_IF_ADDREF(mTemplateRules[mTemplateRuleCount].mModeLocalName);
> +-    ++mTemplateRuleCount;
> +-    
> +-    return NS_OK;
> ++    TemplateRule* rule = mTemplateRules.AppendElement();
> ++    rule->mFrame = aFrame;
> ++    rule->mModeNsId = aMode.mNamespaceID;
> ++    rule->mModeLocalName = aMode.mLocalName;
> ++    rule->mParams = aParams;
> + }
> + 
> + void
> + txExecutionState::popTemplateRule()
> + {
> +-    // decrement outside of RELEASE, that would decrement twice
> +-    --mTemplateRuleCount;
> +-    NS_IF_RELEASE(mTemplateRules[mTemplateRuleCount].mModeLocalName);
> ++    NS_PRECONDITION(!mTemplateRules.IsEmpty(), "No rules to pop");
> ++    mTemplateRules.RemoveElementAt(mTemplateRules.Length() - 1);
> + }
> + 
> + txIEvalContext*
> +@@ -500,7 +478,8 @@ txExecutionState::getKeyNodes(const txExpandedName& aKeyName,
> + txExecutionState::TemplateRule*
> + txExecutionState::getCurrentTemplateRule()
> + {
> +-    return mTemplateRules + mTemplateRuleCount - 1;
> ++    NS_PRECONDITION(!mTemplateRules.IsEmpty(), "No current rule!");
> ++    return &mTemplateRules[mTemplateRules.Length() - 1];
> + }
> + 
> + txInstruction*
> +diff --git a/mozilla/content/xslt/src/xslt/txExecutionState.h b/mozilla/content/xslt/src/xslt/txExecutionState.h
> +index 2975780..a8e4025 100644
> +--- a/mozilla/content/xslt/src/xslt/txExecutionState.h
> ++++ b/mozilla/content/xslt/src/xslt/txExecutionState.h
> +@@ -104,10 +104,11 @@ public:
> +     /**
> +      * Struct holding information about a current template rule
> +      */
> +-    struct TemplateRule {
> ++    class TemplateRule {
> ++    public:
> +         txStylesheet::ImportFrame* mFrame;
> +         PRInt32 mModeNsId;
> +-        nsIAtom* mModeLocalName;
> ++        nsCOMPtr<nsIAtom> mModeLocalName;
> +         txVariableMap* mParams;
> +     };
> + 
> +@@ -173,9 +174,7 @@ private:
> +     nsRefPtr<txAExprResult> mGlobalVarPlaceholderValue;
> +     PRInt32 mRecursionDepth;
> + 
> +-    TemplateRule* mTemplateRules;
> +-    PRInt32 mTemplateRulesBufferSize;
> +-    PRInt32 mTemplateRuleCount;
> ++    nsAutoTArray<TemplateRule, 10> mTemplateRules;
> + 
> +     txIEvalContext* mEvalContext;
> +     txIEvalContext* mInitialEvalContext;
> +diff --git a/mozilla/content/xslt/src/xslt/txMozillaXSLTProcessor.cpp b/mozilla/content/xslt/src/xslt/txMozillaXSLTProcessor.cpp
> +index 1d0be61..9288986 100644
> +--- a/mozilla/content/xslt/src/xslt/txMozillaXSLTProcessor.cpp
> ++++ b/mozilla/content/xslt/src/xslt/txMozillaXSLTProcessor.cpp
> +@@ -677,10 +677,12 @@ txMozillaXSLTProcessor::TransformToDoc(nsIDOMDocument *aOutputDoc,
> +                                          mObserver);
> +     es.mOutputHandlerFactory = &handlerFactory;
> + 
> +-    es.init(*sourceNode, &mVariables);
> ++    nsresult rv = es.init(*sourceNode, &mVariables);
> + 
> +     // Process root of XML source document
> +-    nsresult rv = txXSLTProcessor::execute(es);
> ++    if (NS_SUCCEEDED(rv)) {
> ++        rv = txXSLTProcessor::execute(es);
> ++    }
> +     
> +     nsresult endRv = es.end(rv);
> +     if (NS_SUCCEEDED(rv)) {
> +@@ -734,10 +736,12 @@ txMozillaXSLTProcessor::TransformToFragment(nsIDOMNode *aSource,
> +     txToFragmentHandlerFactory handlerFactory(*aResult);
> +     es.mOutputHandlerFactory = &handlerFactory;
> + 
> +-    es.init(*sourceNode, &mVariables);
> ++    rv = es.init(*sourceNode, &mVariables);
> + 
> +     // Process root of XML source document
> +-    rv = txXSLTProcessor::execute(es);
> ++    if (NS_SUCCEEDED(rv)) {
> ++        rv = txXSLTProcessor::execute(es);
> ++    }
> +     // XXX setup exception context, bug 204658
> +     nsresult endRv = es.end(rv);
> +     if (NS_SUCCEEDED(rv)) {
> diff --git a/debian/patches/security/squeeze1/Bug-608687-clear-mRoot-after-uninitializing-so-that-.patch b/debian/patches/security/squeeze1/Bug-608687-clear-mRoot-after-uninitializing-so-that-.patch
> new file mode 100644
> index 0000000..046460c
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-608687-clear-mRoot-after-uninitializing-so-that-.patch
> @@ -0,0 +1,47 @@
> +From: Neil Deakin <neil@mozilla.com>
> +Date: Fri, 21 Jan 2011 13:22:19 -0800
> +Subject: Bug 608687, clear mRoot after uninitializing so that template generated content gets removed, r=smaug, a=clegnitto
> +
> +---
> + content/xul/templates/src/nsXULTemplateBuilder.cpp |    2 --
> + content/xul/templates/src/nsXULTemplateBuilder.h   |    7 +++++--
> + 2 files changed, 5 insertions(+), 4 deletions(-)
> +
> +diff --git a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
> +index 5ae3122..d8c8f55 100644
> +--- a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
> ++++ b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.cpp
> +@@ -1152,7 +1152,6 @@ nsXULTemplateBuilder::ContentRemoved(nsIDocument* aDocument,
> + 
> +         mDB = nsnull;
> +         mCompDB = nsnull;
> +-        mRoot = nsnull;
> +         mDataSource = nsnull;
> +     }
> + }
> +@@ -1171,7 +1170,6 @@ nsXULTemplateBuilder::NodeWillBeDestroyed(const nsINode* aNode)
> +     mDataSource = nsnull;
> +     mDB = nsnull;
> +     mCompDB = nsnull;
> +-    mRoot = nsnull;
> + 
> +     nsContentUtils::AddScriptRunner(
> +         NS_NEW_RUNNABLE_METHOD(nsXULTemplateBuilder, this, UninitTrue));
> +diff --git a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
> +index 764cc86..c24276a 100644
> +--- a/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
> ++++ b/mozilla/content/xul/templates/src/nsXULTemplateBuilder.h
> +@@ -166,8 +166,11 @@ public:
> +         }
> +       }
> +     }
> +-    void UninitFalse() { Uninit(PR_FALSE); }
> +-    void UninitTrue() { Uninit(PR_TRUE); }
> ++
> ++    // mRoot should not be cleared until after Uninit is finished so that
> ++    // generated content can be removed during uninitialization.
> ++    void UninitFalse() { Uninit(PR_FALSE); mRoot = nsnull; }
> ++    void UninitTrue() { Uninit(PR_TRUE); mRoot = nsnull; }
> + 
> +     /**
> +      * Find the <template> tag that applies for this builder
> diff --git a/debian/patches/security/squeeze1/Bug-611910-r-josh-a-blocking1.9.1.17.patch b/debian/patches/security/squeeze1/Bug-611910-r-josh-a-blocking1.9.1.17.patch
> new file mode 100644
> index 0000000..4d29f94
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-611910-r-josh-a-blocking1.9.1.17.patch
> @@ -0,0 +1,136 @@
> +From: Steven Michaud <smichaud@pobox.com>
> +Date: Mon, 29 Nov 2010 13:47:03 -0600
> +Subject: Bug 611910 - r=josh a=blocking1.9.1.17+
> +
> +---
> + modules/plugin/base/src/nsNPAPIPlugin.cpp       |   84 ++++++++++++++++++++++-
> + modules/plugin/base/src/nsNPAPIPluginInstance.h |    5 +-
> + 2 files changed, 87 insertions(+), 2 deletions(-)
> +
> +diff --git a/mozilla/modules/plugin/base/src/nsNPAPIPlugin.cpp b/mozilla/modules/plugin/base/src/nsNPAPIPlugin.cpp
> +index 0a91443..8d8e8a1 100644
> +--- a/mozilla/modules/plugin/base/src/nsNPAPIPlugin.cpp
> ++++ b/mozilla/modules/plugin/base/src/nsNPAPIPlugin.cpp
> +@@ -89,6 +89,8 @@
> + #include "nsIHttpAuthManager.h"
> + #include "nsICookieService.h"
> + 
> ++#include "nsNetUtil.h"
> ++
> + static PRLock *sPluginThreadAsyncCallLock = nsnull;
> + static PRCList sPendingAsyncCalls = PR_INIT_STATIC_CLIST(&sPendingAsyncCalls);
> + 
> +@@ -1711,7 +1713,87 @@ _getproperty(NPP npp, NPObject* npobj, NPIdentifier property,
> +                  ("NPN_GetProperty(npp %p, npobj %p, property %p) called\n",
> +                   npp, npobj, property));
> + 
> +-  return npobj->_class->getProperty(npobj, property, result);
> ++  if (!npobj->_class->getProperty(npobj, property, result))
> ++    return false;
> ++
> ++  // If a Java plugin tries to get the document.URL or document.documentURI
> ++  // property from us, don't pass back a value that Java won't be able to
> ++  // understand -- one that will make the URL(String) constructor throw a
> ++  // MalformedURL exception.  Passing such a value causes Java Plugin2 to
> ++  // crash (to throw a RuntimeException in Plugin2Manager.getDocumentBase()).
> ++  // Also don't pass back a value that Java is likely to mishandle.
> ++
> ++  nsNPAPIPluginInstance* inst = (nsNPAPIPluginInstance*) npp->ndata;
> ++  if (!inst)
> ++    return false;
> ++  if (!inst->mIsJavaPlugin)
> ++    return true;
> ++
> ++  if (!NPVARIANT_IS_STRING(*result))
> ++    return true;
> ++
> ++  NPUTF8* propertyName = _utf8fromidentifier(property);
> ++  if (!propertyName)
> ++    return true;
> ++  bool notURL =
> ++    (PL_strcasecmp(propertyName, "URL") &&
> ++     PL_strcasecmp(propertyName, "documentURI"));
> ++  _memfree(propertyName);
> ++  if (notURL)
> ++    return true;
> ++
> ++  NPObject* window_obj = _getwindowobject(npp);
> ++  if (!window_obj)
> ++    return true;
> ++
> ++  NPVariant doc_v;
> ++  NPObject* document_obj = nsnull;
> ++  NPIdentifier doc_id = _getstringidentifier("document");
> ++  bool ok = npobj->_class->getProperty(window_obj, doc_id, &doc_v);
> ++  _releaseobject(window_obj);
> ++  if (ok) {
> ++    if (NPVARIANT_IS_OBJECT(doc_v)) {
> ++      document_obj = NPVARIANT_TO_OBJECT(doc_v);
> ++    } else {
> ++      _releasevariantvalue(&doc_v);
> ++      return true;
> ++    }
> ++  } else {
> ++    return true;
> ++  }
> ++  _releaseobject(document_obj);
> ++  if (document_obj != npobj)
> ++    return true;
> ++
> ++  NPString urlnp = NPVARIANT_TO_STRING(*result);
> ++  nsXPIDLCString url;
> ++  url.Assign(urlnp.utf8characters, urlnp.utf8length);
> ++
> ++  PRBool javaCompatible = PR_FALSE;
> ++  if (NS_FAILED(NS_CheckIsJavaCompatibleURLString(url, &javaCompatible)))
> ++    javaCompatible = PR_FALSE;
> ++  if (javaCompatible)
> ++    return true;
> ++
> ++  // If Java won't be able to interpret the original value of document.URL or
> ++  // document.documentURI, or is likely to mishandle it, pass back something
> ++  // that Java will understand but won't be able to use to access the network,
> ++  // and for which same-origin checks will always fail.
> ++
> ++  if (inst->mFakeURL.IsVoid()) {
> ++    // Abort (do an error return) if NS_MakeRandomInvalidURLString() fails.
> ++    if (NS_FAILED(NS_MakeRandomInvalidURLString(inst->mFakeURL))) {
> ++      _releasevariantvalue(result);
> ++      return false;
> ++    }
> ++  }
> ++
> ++  _releasevariantvalue(result);
> ++  char* fakeurl = (char *) _memalloc(inst->mFakeURL.Length() + 1);
> ++  strcpy(fakeurl, inst->mFakeURL);
> ++  STRINGZ_TO_NPVARIANT(fakeurl, *result);
> ++
> ++  return true;
> + }
> + 
> + bool NP_CALLBACK
> +diff --git a/mozilla/modules/plugin/base/src/nsNPAPIPluginInstance.h b/mozilla/modules/plugin/base/src/nsNPAPIPluginInstance.h
> +index 45f7325..e738832 100644
> +--- a/mozilla/modules/plugin/base/src/nsNPAPIPluginInstance.h
> ++++ b/mozilla/modules/plugin/base/src/nsNPAPIPluginInstance.h
> +@@ -161,16 +161,19 @@ protected:
> +     PRPackedBool  mTransparent;
> +     PRPackedBool  mStarted;
> +     PRPackedBool  mCached;
> +-    PRPackedBool  mIsJavaPlugin;
> +     PRPackedBool  mWantsAllNetworkStreams;
> + 
> + public:
> ++    PRPackedBool  mIsJavaPlugin;
> ++
> +     // True while creating the plugin, or calling NPP_SetWindow() on it.
> +     PRPackedBool  mInPluginInitCall;
> +     PRLibrary* fLibrary;
> +     nsInstanceStream *mStreams;
> + 
> +     nsVoidArray mPopupStates;
> ++
> ++    nsXPIDLCString mFakeURL;
> + };
> + 
> + #endif // nsNPAPIPluginInstance_h_
> diff --git a/debian/patches/security/squeeze1/Bug-613376-r-josh-a1.9.1.16-dveditz.patch b/debian/patches/security/squeeze1/Bug-613376-r-josh-a1.9.1.16-dveditz.patch
> new file mode 100644
> index 0000000..450f644
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-613376-r-josh-a1.9.1.16-dveditz.patch
> @@ -0,0 +1,62 @@
> +From: Steven Michaud <smichaud@pobox.com>
> +Date: Thu, 2 Dec 2010 11:29:08 -0600
> +Subject: Bug 613376 - r=josh a1.9.1.16=dveditz
> +
> +---
> + dom/src/base/nsGlobalWindow.cpp  |   14 ++++++++++++++
> + layout/generic/nsObjectFrame.cpp |   17 ++++++++++++++++-
> + 2 files changed, 30 insertions(+), 1 deletions(-)
> +
> +diff --git a/mozilla/dom/src/base/nsGlobalWindow.cpp b/mozilla/dom/src/base/nsGlobalWindow.cpp
> +index f053126..de29213 100644
> +--- a/mozilla/dom/src/base/nsGlobalWindow.cpp
> ++++ b/mozilla/dom/src/base/nsGlobalWindow.cpp
> +@@ -461,6 +461,20 @@ nsDummyJavaPluginOwner::Destroy()
> + NS_IMETHODIMP
> + nsDummyJavaPluginOwner::SetInstance(nsIPluginInstance *aInstance)
> + {
> ++  // If we're going to null out mInstance after use, be sure to call
> ++  // InvalidateOwner() here, since it now won't be called from
> ++  // nsDummyJavaPluginOwner::Destroy().
> ++  if (mInstance && !aInstance) {
> ++    nsCOMPtr<nsIPluginInstancePeer> peer;
> ++    mInstance->GetPeer(getter_AddRefs(peer));
> ++
> ++    nsCOMPtr<nsIPluginInstancePeer2_1_9_1_BRANCH> peer2(do_QueryInterface(peer));
> ++
> ++    // This plugin owner is going away, tell the peer.
> ++    if (peer2)
> ++      peer2->InvalidateOwner();
> ++  }
> ++
> +   mInstance = aInstance;
> + 
> +   return NS_OK;
> +diff --git a/mozilla/layout/generic/nsObjectFrame.cpp b/mozilla/layout/generic/nsObjectFrame.cpp
> +index 643f3cb..628e82d 100644
> +--- a/mozilla/layout/generic/nsObjectFrame.cpp
> ++++ b/mozilla/layout/generic/nsObjectFrame.cpp
> +@@ -2333,7 +2333,22 @@ NS_INTERFACE_MAP_END
> + NS_IMETHODIMP
> + nsPluginInstanceOwner::SetInstance(nsIPluginInstance *aInstance)
> + {
> +-  NS_ASSERTION(!mInstance || !aInstance, "mInstance should only be set once!");
> ++  NS_ASSERTION(!mInstance || !aInstance, "mInstance should only be set or unset!");
> ++
> ++  // If we're going to null out mInstance after use, be sure to call
> ++  // InvalidateOwner() here, since it now won't be called from our
> ++  // destructor.
> ++  if (mInstance && !aInstance) {
> ++    nsCOMPtr<nsIPluginInstancePeer> peer;
> ++    mInstance->GetPeer(getter_AddRefs(peer));
> ++
> ++    nsCOMPtr<nsIPluginInstancePeer2_1_9_1_BRANCH> peer2(do_QueryInterface(peer));
> ++
> ++    if (peer2) {
> ++      // Tell the peer that its owner is going away.
> ++      peer2->InvalidateOwner();
> ++    }
> ++  }
> + 
> +   mInstance = aInstance;
> + 
> diff --git a/debian/patches/security/squeeze1/Bug-614116-Enforce-HTTP-mode-when-setting-a-storage-.patch b/debian/patches/security/squeeze1/Bug-614116-Enforce-HTTP-mode-when-setting-a-storage-.patch
> new file mode 100644
> index 0000000..784a7ac
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-614116-Enforce-HTTP-mode-when-setting-a-storage-.patch
> @@ -0,0 +1,260 @@
> +From: Ehsan Akhgari <ehsan@mozilla.com>
> +Date: Mon, 29 Nov 2010 13:50:09 -0500
> +Subject: Bug 614116 - Enforce HTTP mode when setting a storage value for in-memory databases; r=mayhemer a=dveditz
> +
> +---
> + dom/src/storage/nsDOMStorageMemoryDB.cpp           |    2 +
> + dom/tests/mochitest/Makefile.in                    |    1 +
> + dom/tests/mochitest/globalstorage/Makefile.in      |   54 ++++++++++++
> + .../globalstorage/iframe_bug614116-1.html          |   30 +++++++
> + .../globalstorage/iframe_bug614116-2.html          |   24 ++++++
> + .../mochitest/globalstorage/test_bug614116.html    |   86 ++++++++++++++++++++
> + 6 files changed, 197 insertions(+), 0 deletions(-)
> + create mode 100644 dom/tests/mochitest/globalstorage/Makefile.in
> + create mode 100644 dom/tests/mochitest/globalstorage/iframe_bug614116-1.html
> + create mode 100644 dom/tests/mochitest/globalstorage/iframe_bug614116-2.html
> + create mode 100644 dom/tests/mochitest/globalstorage/test_bug614116.html
> +
> +diff --git a/mozilla/dom/src/storage/nsDOMStorageMemoryDB.cpp b/mozilla/dom/src/storage/nsDOMStorageMemoryDB.cpp
> +index 1c45e80..034e521 100644
> +--- a/mozilla/dom/src/storage/nsDOMStorageMemoryDB.cpp
> ++++ b/mozilla/dom/src/storage/nsDOMStorageMemoryDB.cpp
> +@@ -220,6 +220,8 @@ nsDOMStorageMemoryDB::SetKey(nsDOMStorage* aStorage,
> +   }
> +   else
> +   {
> ++    if (!aSecure && item->mSecure)
> ++      return NS_ERROR_DOM_SECURITY_ERR;
> +     usage -= aKey.Length() + item->mValue.Length();
> +     if (usage > aQuota) {
> +       return NS_ERROR_DOM_QUOTA_REACHED;
> +diff --git a/mozilla/dom/tests/mochitest/Makefile.in b/mozilla/dom/tests/mochitest/Makefile.in
> +index 9e3d220..51c39b4 100644
> +--- a/mozilla/dom/tests/mochitest/Makefile.in
> ++++ b/mozilla/dom/tests/mochitest/Makefile.in
> +@@ -53,6 +53,7 @@ DIRS	+= \
> + 	general \
> + 	whatwg \
> + 	geolocation \
> ++	globalstorage \
> + 	localstorage \
> + 	sessionstorage \
> + 	$(NULL)
> +diff --git a/mozilla/dom/tests/mochitest/globalstorage/Makefile.in b/mozilla/dom/tests/mochitest/globalstorage/Makefile.in
> +new file mode 100644
> +index 0000000..199e7a6
> +--- /dev/null
> ++++ b/mozilla/dom/tests/mochitest/globalstorage/Makefile.in
> +@@ -0,0 +1,54 @@
> ++#
> ++# ***** BEGIN LICENSE BLOCK *****
> ++# Version: MPL 1.1/GPL 2.0/LGPL 2.1
> ++#
> ++# The contents of this file are subject to the Mozilla Public License Version
> ++# 1.1 (the "License"); you may not use this file except in compliance with
> ++# the License. You may obtain a copy of the License at
> ++# http://www.mozilla.org/MPL/
> ++#
> ++# Software distributed under the License is distributed on an "AS IS" basis,
> ++# WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
> ++# for the specific language governing rights and limitations under the
> ++# License.
> ++#
> ++# The Original Code is mozilla.org code.
> ++#
> ++# The Initial Developer of the Original Code is
> ++# Mozilla Foundation.
> ++# Portions created by the Initial Developer are Copyright (C) 2010
> ++# the Initial Developer. All Rights Reserved.
> ++#
> ++# Contributor(s):
> ++#
> ++# Alternatively, the contents of this file may be used under the terms of
> ++# either of the GNU General Public License Version 2 or later (the "GPL"),
> ++# or the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
> ++# in which case the provisions of the GPL or the LGPL are applicable instead
> ++# of those above. If you wish to allow use of your version of this file only
> ++# under the terms of either the GPL or the LGPL, and not to allow others to
> ++# use your version of this file under the terms of the MPL, indicate your
> ++# decision by deleting the provisions above and replace them with the notice
> ++# and other provisions required by the GPL or the LGPL. If you do not delete
> ++# the provisions above, a recipient may use your version of this file under
> ++# the terms of any one of the MPL, the GPL or the LGPL.
> ++#
> ++# ***** END LICENSE BLOCK *****
> ++
> ++DEPTH		= ../../../..
> ++topsrcdir	= @top_srcdir@
> ++srcdir		= @srcdir@
> ++VPATH		= @srcdir@
> ++relativesrcdir	= dom/tests/mochitest/globalstorage
> ++
> ++include $(DEPTH)/config/autoconf.mk
> ++include $(topsrcdir)/config/rules.mk
> ++
> ++_TEST_FILES	= \
> ++		test_bug614116.html \
> ++		iframe_bug614116-1.html \
> ++		iframe_bug614116-2.html \
> ++		$(NULL)
> ++
> ++libs:: 	$(_TEST_FILES)
> ++	$(INSTALL) $(foreach f,$^,"$f") $(DEPTH)/_tests/testing/mochitest/tests/$(relativesrcdir)
> +diff --git a/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-1.html b/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-1.html
> +new file mode 100644
> +index 0000000..12742fb
> +--- /dev/null
> ++++ b/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-1.html
> +@@ -0,0 +1,30 @@
> ++<!DOCTYPE html>
> ++<html>
> ++  <body onload="loaded()">
> ++    <script>
> ++      function loaded() {
> ++        parent.postMessage("loaded", "http://mochi.test:8888");
> ++      }
> ++
> ++      function onMessageReceived(e) {
> ++        switch (e.data) {
> ++        case "getdata":
> ++          parent.postMessage("data:" + globalStorage["example.com"].data, "http://mochi.test:8888");
> ++          break;
> ++        case "setdata":
> ++          var didSucceed = true;
> ++          try {
> ++            globalStorage["example.com"].data = "value2";
> ++          } catch(e) {
> ++            didSucceed = false;
> ++          }
> ++          parent.postMessage("success:" + didSucceed, "http://mochi.test:8888");
> ++          parent.postMessage("dataset2:" + globalStorage["example.com"].data, "http://mochi.test:8888");
> ++          break;
> ++        }
> ++      }
> ++
> ++      addEventListener("message", onMessageReceived, false);
> ++    </script>
> ++  </body>
> ++</html>
> +diff --git a/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-2.html b/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-2.html
> +new file mode 100644
> +index 0000000..66777b1
> +--- /dev/null
> ++++ b/mozilla/dom/tests/mochitest/globalstorage/iframe_bug614116-2.html
> +@@ -0,0 +1,24 @@
> ++<!DOCTYPE html>
> ++<html>
> ++  <body onload="loaded()">
> ++    <script>
> ++      function loaded() {
> ++        parent.postMessage("loaded", "http://mochi.test:8888");
> ++      }
> ++
> ++      function onMessageReceived(e) {
> ++        switch (e.data) {
> ++        case "getdata":
> ++          parent.postMessage("data2:" + globalStorage["example.com"].data, "http://mochi.test:8888");
> ++          break;
> ++        case "setdata":
> ++          globalStorage["example.com"].data = "value";
> ++          parent.postMessage("dataset:" + globalStorage["example.com"].data, "http://mochi.test:8888");
> ++          break;
> ++        }
> ++      }
> ++
> ++      addEventListener("message", onMessageReceived, false);
> ++    </script>
> ++  </body>
> ++</html>
> +diff --git a/mozilla/dom/tests/mochitest/globalstorage/test_bug614116.html b/mozilla/dom/tests/mochitest/globalstorage/test_bug614116.html
> +new file mode 100644
> +index 0000000..1ebc91d
> +--- /dev/null
> ++++ b/mozilla/dom/tests/mochitest/globalstorage/test_bug614116.html
> +@@ -0,0 +1,86 @@
> ++<!DOCTYPE HTML>
> ++<html>
> ++<!--
> ++https://bugzilla.mozilla.org/show_bug.cgi?id=614116
> ++-->
> ++<head>
> ++  <title>Test for Bug 614116</title>
> ++  <script type="application/javascript" src="/MochiKit/packed.js"></script>
> ++  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
> ++  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
> ++  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
> ++</head>
> ++<body>
> ++<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=614116">Mozilla Bug 614116</a>
> ++<p id="display"></p>
> ++<div id="content">
> ++<iframe id="http"></iframe>
> ++<iframe id="https"></iframe>
> ++</div>
> ++<pre id="test">
> ++<script type="application/javascript">
> ++
> ++/** Test for Bug 614116 **/
> ++SimpleTest.waitForExplicitFinish();
> ++addLoadEvent(function() {
> ++  netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
> ++
> ++  const httpDomain = "http://example.com";
> ++  const httpsDomain = "https://example.com";
> ++  const path = "/tests/dom/tests/mochitest/globalstorage/";
> ++
> ++  var pm = Components.classes["@mozilla.org/permissionmanager;1"]
> ++                     .getService(Components.interfaces.nsIPermissionManager);
> ++  var ios = Components.classes["@mozilla.org/network/io-service;1"]
> ++                      .getService(Components.interfaces.nsIIOService);
> ++  pm.add(ios.newURI(httpDomain, null, null), "cookie", Components.interfaces.nsICookiePermission.ACCESS_SESSION);
> ++  pm.add(ios.newURI(httpsDomain, null, null), "cookie", Components.interfaces.nsICookiePermission.ACCESS_SESSION);
> ++
> ++  var http = document.getElementById("http");
> ++  var https = document.getElementById("https");
> ++
> ++  function finishTest() {
> ++    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
> ++    pm.remove("example.com", "cookie");
> ++    SimpleTest.finish();
> ++  }
> ++
> ++  var loaded = 0;
> ++  function onMessageReceived(e) {
> ++    switch (e.data) {
> ++    case "loaded":
> ++      ++loaded;
> ++      ok(loaded <= 2, "Two iframes should be loaded at most");
> ++      if (loaded == 2) {
> ++        https.contentWindow.postMessage("setdata", httpsDomain);
> ++      }
> ++      break;
> ++    default:
> ++      if (e.data.indexOf("dataset:") == 0) {
> ++        is(e.data.substr(8), "value", "Correct value should be set");
> ++        http.contentWindow.postMessage("getdata", httpDomain);
> ++      } else if (e.data.indexOf("data:") == 0) {
> ++        is(e.data.substr(5), "undefined", "Data should not be available in HTTP mode");
> ++        http.contentWindow.postMessage("setdata", httpDomain);
> ++      } else if (e.data.indexOf("dataset2:") == 0) {
> ++        is(e.data.substr(9), "undefined", "Correct value should be set");
> ++        https.contentWindow.postMessage("getdata", httpsDomain);
> ++      } else if (e.data.indexOf("data2:") == 0) {
> ++        is(e.data.substr(6), "value", "Data should not be modified in HTTP mode");
> ++        finishTest();
> ++      } else if (e.data.indexOf("success:") == 0) {
> ++        is(e.data.substr(8), "false", "Setting the value in HTTP mode should fail");
> ++      }
> ++    }
> ++  }
> ++
> ++  window.addEventListener("message", onMessageReceived, false);
> ++
> ++  http.src = httpDomain + path + "iframe_bug614116-1.html";
> ++  https.src = httpsDomain + path + "iframe_bug614116-2.html";
> ++});
> ++
> ++</script>
> ++</pre>
> ++</body>
> ++</html>
> diff --git a/debian/patches/security/squeeze1/Bug-614499-release-old-mListRoot-members-r-bz-a-cleg.patch b/debian/patches/security/squeeze1/Bug-614499-release-old-mListRoot-members-r-bz-a-cleg.patch
> new file mode 100644
> index 0000000..4882fbd
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-614499-release-old-mListRoot-members-r-bz-a-cleg.patch
> @@ -0,0 +1,290 @@
> +From: Igor Bukanov <igor@mir2.org>
> +Date: Thu, 6 Jan 2011 15:06:04 +0100
> +Subject: Bug 614499, release old mListRoot members, r=bz a=clegnitto
> +
> +---
> + docshell/shistory/src/nsSHTransaction.cpp |    8 ++++--
> + docshell/shistory/src/nsSHistory.cpp      |    7 +++++-
> + js/src/jsapi.cpp                          |    1 -
> + js/src/jscntxt.cpp                        |    1 +
> + js/src/jscntxt.h                          |   35 +++++++++++++++-------------
> + js/src/jsgc.cpp                           |   34 +++++++++++++++------------
> + js/src/jslock.cpp                         |   18 +++++---------
> + 7 files changed, 57 insertions(+), 47 deletions(-)
> +
> +diff --git a/mozilla/docshell/shistory/src/nsSHTransaction.cpp b/mozilla/docshell/shistory/src/nsSHTransaction.cpp
> +index 7df1552..2050349 100644
> +--- a/mozilla/docshell/shistory/src/nsSHTransaction.cpp
> ++++ b/mozilla/docshell/shistory/src/nsSHTransaction.cpp
> +@@ -111,10 +111,12 @@ nsSHTransaction::GetNext(nsISHTransaction * * aResult)
> + NS_IMETHODIMP
> + nsSHTransaction::SetNext(nsISHTransaction * aNext)
> + {
> +-   NS_ENSURE_SUCCESS(aNext->SetPrev(this), NS_ERROR_FAILURE);
> ++  if (aNext) {
> ++    NS_ENSURE_SUCCESS(aNext->SetPrev(this), NS_ERROR_FAILURE);
> ++  }
> + 
> +-   mNext = aNext;
> +-   return NS_OK;
> ++  mNext = aNext;
> ++  return NS_OK;
> + }
> + 
> + NS_IMETHODIMP
> +diff --git a/mozilla/docshell/shistory/src/nsSHistory.cpp b/mozilla/docshell/shistory/src/nsSHistory.cpp
> +index afee7cc..3fd1beb 100644
> +--- a/mozilla/docshell/shistory/src/nsSHistory.cpp
> ++++ b/mozilla/docshell/shistory/src/nsSHistory.cpp
> +@@ -569,9 +569,14 @@ nsSHistory::PurgeHistory(PRInt32 aEntries)
> +   PRInt32 cnt = 0;
> +   while (cnt < aEntries) {
> +     nsCOMPtr<nsISHTransaction> nextTxn;
> +-    if (mListRoot)
> ++    if (mListRoot) {
> +       mListRoot->GetNext(getter_AddRefs(nextTxn));
> ++      mListRoot->SetNext(nsnull);
> ++    }
> +     mListRoot = nextTxn;
> ++    if (mListRoot) {
> ++      mListRoot->SetPrev(nsnull);
> ++    }
> +     cnt++;        
> +   }
> +   mLength -= cnt;
> +diff --git a/mozilla/js/src/jsapi.cpp b/mozilla/js/src/jsapi.cpp
> +index f0cc5a7..25e4b08 100644
> +--- a/mozilla/js/src/jsapi.cpp
> ++++ b/mozilla/js/src/jsapi.cpp
> +@@ -805,7 +805,6 @@ JS_NewRuntime(uint32 maxbytes)
> +     rt->titleSharingDone = JS_NEW_CONDVAR(rt->gcLock);
> +     if (!rt->titleSharingDone)
> +         goto bad;
> +-    rt->titleSharingTodo = NO_TITLE_SHARING_TODO;
> +     rt->debuggerLock = JS_NEW_LOCK();
> +     if (!rt->debuggerLock)
> +         goto bad;
> +diff --git a/mozilla/js/src/jscntxt.cpp b/mozilla/js/src/jscntxt.cpp
> +index f2d69fb..62f2502 100644
> +--- a/mozilla/js/src/jscntxt.cpp
> ++++ b/mozilla/js/src/jscntxt.cpp
> +@@ -141,6 +141,7 @@ NewThread(jsword id)
> +     JS_INIT_CLIST(&thread->contextList);
> +     thread->id = id;
> +     InitThreadData(&thread->data);
> ++    thread->titleSharingTodo = NO_TITLE_SHARING_TODO;
> +     return thread;
> + }
> + 
> +diff --git a/mozilla/js/src/jscntxt.h b/mozilla/js/src/jscntxt.h
> +index 8fdecb0..4ca1bfa 100644
> +--- a/mozilla/js/src/jscntxt.h
> ++++ b/mozilla/js/src/jscntxt.h
> +@@ -273,6 +273,19 @@ struct JSThread {
> +     /* Indicates that the thread is waiting in ClaimTitle from jslock.cpp. */
> +     JSTitle             *titleToShare;
> + 
> ++    /* Linked list of titles that this thread must share. */
> ++    JSTitle             *titleSharingTodo;
> ++
> ++/*
> ++ * Magic terminator for the rt->titleSharingTodo linked list, threaded through
> ++ * title->u.link.  This hack allows us to test whether a title is on the list
> ++ * by asking whether title->u.link is non-null.  We use a large, likely bogus
> ++ * pointer here to distinguish this value from any valid u.count (small int)
> ++ * value.
> ++ */
> ++#define NO_TITLE_SHARING_TODO   ((JSTitle *) 0xfeedbeef)
> ++#define HAS_TITLES_TO_SHARE(cx) ((cx)->thread->titleSharingTodo != NO_TITLE_SHARING_TODO)
> ++    
> +     /* Factored out of JSThread for !JS_THREADSAFE embedding in JSRuntime. */
> +     JSThreadData        data;
> + };
> +@@ -298,7 +311,12 @@ js_InitContextThread(JSContext *cx);
> + extern void
> + js_ClearContextThread(JSContext *cx);
> + 
> +-#endif /* JS_THREADSAFE */
> ++
> ++#else /* !JS_THREADSAFE */
> ++
> ++#define HAS_TITLES_TO_SHARE(cx) JS_FALSE
> ++
> ++#endif /* !JS_THREADSAFE */
> + 
> + typedef enum JSDestroyContextMode {
> +     JSDCM_NO_GC,
> +@@ -482,23 +500,8 @@ struct JSRuntime {
> +      * State for sharing single-threaded titles, once a second thread tries to
> +      * lock a title.  The titleSharingDone condvar is protected by rt->gcLock
> +      * to minimize number of locks taken in JS_EndRequest.
> +-     *
> +-     * The titleSharingTodo linked list is likewise "global" per runtime, not
> +-     * one-list-per-context, to conserve space over all contexts, optimizing
> +-     * for the likely case that titles become shared rarely, and among a very
> +-     * small set of threads (contexts).
> +      */
> +     PRCondVar           *titleSharingDone;
> +-    JSTitle             *titleSharingTodo;
> +-
> +-/*
> +- * Magic terminator for the rt->titleSharingTodo linked list, threaded through
> +- * title->u.link.  This hack allows us to test whether a title is on the list
> +- * by asking whether title->u.link is non-null.  We use a large, likely bogus
> +- * pointer here to distinguish this value from any valid u.count (small int)
> +- * value.
> +- */
> +-#define NO_TITLE_SHARING_TODO   ((JSTitle *) 0xfeedbeef)
> + 
> +     /*
> +      * Lock serializing trapList and watchPointList accesses, and count of all
> +diff --git a/mozilla/js/src/jsgc.cpp b/mozilla/js/src/jsgc.cpp
> +index c4faae1..44b6098 100644
> +--- a/mozilla/js/src/jsgc.cpp
> ++++ b/mozilla/js/src/jsgc.cpp
> +@@ -941,12 +941,13 @@ RemoveChunkFromList(JSRuntime *rt, JSGCChunkInfo *ci)
> + #endif
> + 
> + static JSGCArenaInfo *
> +-NewGCArena(JSRuntime *rt)
> ++NewGCArena(JSContext *cx)
> + {
> +     jsuword chunk;
> +     JSGCArenaInfo *a;
> + 
> +-    if (rt->gcBytes >= rt->gcMaxBytes)
> ++    JSRuntime *rt = cx->runtime;
> ++    if (rt->gcBytes >= rt->gcMaxBytes && HAS_TITLES_TO_SHARE(cx))
> +         return NULL;
> + 
> + #if CHUNKED_ARENA_ALLOCATION
> +@@ -1795,10 +1796,11 @@ EnsureLocalFreeList(JSContext *cx)
> + #endif
> + 
> + static JS_INLINE bool
> +-IsGCThresholdReached(JSRuntime *rt)
> ++IsGCThresholdReached(JSContext *cx)
> + {
> ++    JSRuntime *rt = cx->runtime;
> + #ifdef JS_GC_ZEAL
> +-    if (rt->gcZeal >= 1)
> ++    if (rt->gcZeal >= 1 && !HAS_TITLES_TO_SHARE(cx))
> +         return true;
> + #endif
> + 
> +@@ -1807,8 +1809,9 @@ IsGCThresholdReached(JSRuntime *rt)
> +      * zero (see the js_InitGC function) the return value is false when
> +      * the gcBytes value is close to zero at the JS engine start.
> +      */
> +-    return rt->gcMallocBytes >= rt->gcMaxMallocBytes ||
> +-           rt->gcBytes / rt->gcTriggerFactor >= rt->gcLastBytes / 100;
> ++    return (rt->gcMallocBytes >= rt->gcMaxMallocBytes ||
> ++            rt->gcBytes / rt->gcTriggerFactor >= rt->gcLastBytes / 100) &&
> ++           !HAS_TITLES_TO_SHARE(cx);
> + }
> + 
> + void *
> +@@ -1883,7 +1886,7 @@ js_NewGCThing(JSContext *cx, uintN flags, size_t nbytes)
> + #endif
> + 
> +     arenaList = &rt->gcArenaList[flindex];
> +-    doGC = IsGCThresholdReached(rt);
> ++    doGC = IsGCThresholdReached(cx);
> +     for (;;) {
> +         if (doGC
> + #ifdef JS_TRACER
> +@@ -1969,9 +1972,9 @@ testReservedObjects:
> +             }
> + #endif
> + 
> +-            a = NewGCArena(rt);
> ++            a = NewGCArena(cx);
> +             if (!a) {
> +-                if (doGC || JS_ON_TRACE(cx))
> ++                if (doGC || JS_ON_TRACE(cx) || HAS_TITLES_TO_SHARE(cx))
> +                     goto fail;
> +                 doGC = true;
> +                 continue;
> +@@ -2105,7 +2108,7 @@ RefillDoubleFreeList(JSContext *cx)
> +         return NULL;
> +     }
> + 
> +-    if (IsGCThresholdReached(rt))
> ++    if (IsGCThresholdReached(cx))
> +         goto do_gc;
> + 
> +     /*
> +@@ -2119,10 +2122,10 @@ RefillDoubleFreeList(JSContext *cx)
> +             ARENA_INFO_OFFSET) {
> +             if (doubleFlags == DOUBLE_BITMAP_SENTINEL ||
> +                 !((JSGCArenaInfo *) doubleFlags)->prev) {
> +-                a = NewGCArena(rt);
> ++                a = NewGCArena(cx);
> +                 if (!a) {
> +                   do_gc:
> +-                    if (didGC || JS_ON_TRACE(cx)) {
> ++                    if (didGC || JS_ON_TRACE(cx) || HAS_TITLES_TO_SHARE(cx)) {
> +                         METER(rt->gcStats.doubleArenaStats.fail++);
> +                         JS_UNLOCK_GC(rt);
> +                         js_ReportOutOfMemory(cx);
> +@@ -2298,9 +2301,10 @@ js_AddAsGCBytes(JSContext *cx, size_t sz)
> +     JSRuntime *rt;
> + 
> +     rt = cx->runtime;
> +-    if (rt->gcBytes >= rt->gcMaxBytes ||
> +-        sz > (size_t) (rt->gcMaxBytes - rt->gcBytes) ||
> +-        IsGCThresholdReached(rt)) {
> ++    if ((rt->gcBytes >= rt->gcMaxBytes ||
> ++         sz > (size_t) (rt->gcMaxBytes - rt->gcBytes) ||
> ++         IsGCThresholdReached(cx)) &&
> ++        !HAS_TITLES_TO_SHARE(cx)) {
> +         if (JS_ON_TRACE(cx)) {
> +             /*
> +              * If we can't leave the trace, signal OOM condition, otherwise
> +diff --git a/mozilla/js/src/jslock.cpp b/mozilla/js/src/jslock.cpp
> +index 273e8d2..2305183 100644
> +--- a/mozilla/js/src/jslock.cpp
> ++++ b/mozilla/js/src/jslock.cpp
> +@@ -428,18 +428,14 @@ FinishSharingTitle(JSContext *cx, JSTitle *title);
> + static void
> + ShareTitle(JSContext *cx, JSTitle *title)
> + {
> +-    JSRuntime *rt;
> +-    JSTitle **todop;
> +-
> +-    rt = cx->runtime;
> +     if (title->u.link) {
> +-        for (todop = &rt->titleSharingTodo; *todop != title;
> +-             todop = &(*todop)->u.link) {
> ++        JSThread *ownerThread = title->ownercx->thread;
> ++        JSTitle **todop = &ownerThread->titleSharingTodo;
> ++        for (; *todop != title; todop = &(*todop)->u.link)
> +             JS_ASSERT(*todop != NO_TITLE_SHARING_TODO);
> +-        }
> +         *todop = title->u.link;
> +         title->u.link = NULL;       /* null u.link for sanity ASAP */
> +-        JS_NOTIFY_ALL_CONDVAR(rt->titleSharingDone);
> ++        JS_NOTIFY_ALL_CONDVAR(cx->runtime->titleSharingDone);
> +     }
> +     FinishSharingTitle(cx, title);
> + }
> +@@ -619,8 +615,8 @@ ClaimTitle(JSTitle *title, JSContext *cx)
> +          */
> +         if (!title->u.link) {
> +             js_HoldScope(TITLE_TO_SCOPE(title));
> +-            title->u.link = rt->titleSharingTodo;
> +-            rt->titleSharingTodo = title;
> ++            title->u.link = ownercx->thread->titleSharingTodo;
> ++            ownercx->thread->titleSharingTodo = title;
> +         }
> + 
> +         /*
> +@@ -683,7 +679,7 @@ js_ShareWaitingTitles(JSContext *cx)
> +     bool shared;
> + 
> +     /* See whether cx has any single-threaded titles to start sharing. */
> +-    todop = &cx->runtime->titleSharingTodo;
> ++    todop = &cx->thread->titleSharingTodo;
> +     shared = false;
> +     while ((title = *todop) != NO_TITLE_SHARING_TODO) {
> +         if (title->ownercx != cx) {
> diff --git a/debian/patches/security/squeeze1/Bug-616659-Initialize-eButtonPressed-to-1-r-dolske-g.patch b/debian/patches/security/squeeze1/Bug-616659-Initialize-eButtonPressed-to-1-r-dolske-g.patch
> new file mode 100644
> index 0000000..75e38cf
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-616659-Initialize-eButtonPressed-to-1-r-dolske-g.patch
> @@ -0,0 +1,21 @@
> +From: Olli Pettay <Olli.Pettay@helsinki.fi>
> +Date: Thu, 30 Dec 2010 12:11:21 +0200
> +Subject: Bug 616659, Initialize eButtonPressed to 1, r=dolske+gavin, a=clegnitto
> +
> +---
> + .../windowwatcher/src/nsPromptService.cpp          |    2 ++
> + 1 files changed, 2 insertions(+), 0 deletions(-)
> +
> +diff --git a/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp b/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp
> +index 2653c81..0edcf1e 100644
> +--- a/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp
> ++++ b/mozilla/embedding/components/windowwatcher/src/nsPromptService.cpp
> +@@ -779,6 +779,8 @@ nsPromptService::DoDialog(nsIDOMWindow *aParent,
> +     aParent = activeParent;
> +   }
> + 
> ++  aParamBlock->SetInt(eButtonPressed, 1);
> ++
> +   nsCOMPtr<nsISupports> arguments(do_QueryInterface(aParamBlock));
> +   nsCOMPtr<nsIDOMWindow> dialog;
> +   rv = mWatcher->OpenWindow(aParent, aChromeURL, "_blank",
> diff --git a/debian/patches/security/squeeze1/Bug-626631-nsAutoJSValHolder-should-root-its-jsval-r.patch b/debian/patches/security/squeeze1/Bug-626631-nsAutoJSValHolder-should-root-its-jsval-r.patch
> new file mode 100644
> index 0000000..12f17ca
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Bug-626631-nsAutoJSValHolder-should-root-its-jsval-r.patch
> @@ -0,0 +1,74 @@
> +From: Luke Wagner <lw@mozilla.com>
> +Date: Thu, 20 Jan 2011 16:11:19 -0800
> +Subject: Bug 626631 - nsAutoJSValHolder should root its jsval (r=gal,a=clegnitto)
> +
> +---
> + js/src/xpconnect/public/nsAutoJSValHolder.h |   14 ++++----------
> + 1 files changed, 4 insertions(+), 10 deletions(-)
> +
> +diff --git a/mozilla/js/src/xpconnect/public/nsAutoJSValHolder.h b/mozilla/js/src/xpconnect/public/nsAutoJSValHolder.h
> +index 6a57dc8..af0fd52 100644
> +--- a/mozilla/js/src/xpconnect/public/nsAutoJSValHolder.h
> ++++ b/mozilla/js/src/xpconnect/public/nsAutoJSValHolder.h
> +@@ -54,7 +54,6 @@ public:
> +   nsAutoJSValHolder()
> +     : mRt(NULL)
> +     , mVal(JSVAL_NULL)
> +-    , mGCThing(NULL)
> +     , mHeld(JS_FALSE)
> +   {
> +     // nothing to do
> +@@ -76,11 +75,11 @@ public:
> + 
> +   /**
> +    * Hold by rooting on the runtime.
> +-   * Note that mGCThing may be JSVAL_NULL, which is not a problem.
> ++   * Note that mVal may be JSVAL_NULL, which is not a problem.
> +    */
> +   JSBool Hold(JSRuntime* aRt) {
> +     if (!mHeld) {
> +-      if (JS_AddNamedRootRT(aRt, &mGCThing, "nsAutoJSValHolder")) {
> ++      if (JS_AddNamedRootRT(aRt, &mVal, "nsAutoJSValHolder")) {
> +         mRt = aRt;
> +         mHeld = JS_TRUE;
> +       } else {
> +@@ -91,7 +90,7 @@ public:
> +   }
> + 
> +   /**
> +-   * Manually release, nullifying mVal, mGCThing, and mRt, but returning
> ++   * Manually release, nullifying mVal and mRt, but returning
> +    * the original jsval.
> +    */
> +   jsval Release() {
> +@@ -100,12 +99,11 @@ public:
> +     jsval oldval = mVal;
> + 
> +     if (mHeld) {
> +-      JS_RemoveRootRT(mRt, &mGCThing); // infallible
> ++      JS_RemoveRootRT(mRt, &mVal); // infallible
> +       mHeld = JS_FALSE;
> +     }
> + 
> +     mVal = JSVAL_NULL;
> +-    mGCThing = NULL;
> +     mRt = NULL;
> + 
> +     return oldval;
> +@@ -152,16 +150,12 @@ public:
> +     }
> + #endif
> +     mVal = aOther;
> +-    mGCThing = JSVAL_IS_GCTHING(aOther)
> +-             ? JSVAL_TO_GCTHING(aOther)
> +-             : NULL;
> +     return *this;
> +   }
> + 
> + private:
> +   JSRuntime* mRt;
> +   jsval mVal;
> +-  void* mGCThing;
> +   JSBool mHeld;
> + };
> + 
> diff --git a/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers-2.patch b/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers-2.patch
> new file mode 100644
> index 0000000..0ffc4a3
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers-2.patch
> @@ -0,0 +1,223 @@
> +From: Simon Montagu <smontagu@smontagu.org>
> +Date: Wed, 20 Oct 2010 09:11:16 -0700
> +Subject: Don't split a surrogate pair over two output buffers. Bug 600974, r=emk, a1.9.1.17=dveditz
> +
> +---
> + intl/uconv/ucvcn/nsGBKToUnicode.cpp       |   11 +++-
> + intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp |   97 +++++++++++++++++++----------
> + intl/uconv/ucvlatin/nsUCS2BEToUnicode.h   |    2 +
> + 3 files changed, 73 insertions(+), 37 deletions(-)
> +
> +diff --git a/mozilla/intl/uconv/ucvcn/nsGBKToUnicode.cpp b/mozilla/intl/uconv/ucvcn/nsGBKToUnicode.cpp
> +index 186f738..e466546 100644
> +--- a/mozilla/intl/uconv/ucvcn/nsGBKToUnicode.cpp
> ++++ b/mozilla/intl/uconv/ucvcn/nsGBKToUnicode.cpp
> +@@ -197,8 +197,7 @@ NS_IMETHODIMP nsGBKToUnicode::ConvertNoBuff(const char* aSrc,
> +                *aDest = UCS2_NO_MAPPING;
> +            } else {
> +               // let's try supplement mapping
> +-             NS_ASSERTION(( (iDestlen+1) <= (*aDestLength) ), "no enouth output memory");
> +-             if ( (iDestlen+1) <= (*aDestLength) )
> ++             if ( (iDestlen+1) < (*aDestLength) )
> +              {
> +                if(DecodeToSurrogate(aSrc, aDest))
> +                {
> +@@ -209,7 +208,13 @@ NS_IMETHODIMP nsGBKToUnicode::ConvertNoBuff(const char* aSrc,
> +                  *aDest = UCS2_NO_MAPPING;
> +               }
> +              } else {
> +-               *aDest = UCS2_NO_MAPPING;
> ++               if (*aDestLength < 2) {
> ++                 NS_ERROR("insufficient space in output buffer");
> ++                 *aDest = UCS2_NO_MAPPING;
> ++               } else {
> ++                 rv = NS_OK_UDEC_MOREOUTPUT;
> ++                 break;
> ++               }
> +              }
> +            }
> +         } else {
> +diff --git a/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp b/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp
> +index 02fcae5..7093e1d 100644
> +--- a/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp
> ++++ b/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp
> +@@ -42,14 +42,16 @@
> + #include <string.h>
> + #include "prtypes.h"
> + 
> +-#define STATE_NORMAL          0
> +-#define STATE_HALF_CODE_POINT 1
> +-#define STATE_FIRST_CALL      2
> +-#define STATE_FOUND_BOM       3
> ++#define STATE_NORMAL             0
> ++#define STATE_HALF_CODE_POINT    1
> ++#define STATE_FIRST_CALL         2
> ++#define STATE_FOUND_BOM          3
> ++#define STATE_ODD_SURROGATE_PAIR 4
> + 
> + static nsresult
> + UTF16ConvertToUnicode(PRUint8& aState, PRUint8& aOddByte,
> +-                      PRUnichar& aOddHighSurrogate, const char * aSrc,
> ++                      PRUnichar& aOddHighSurrogate, PRUnichar& aOddLowSurrogate,
> ++                      const char * aSrc,
> +                       PRInt32 * aSrcLength, PRUnichar * aDest,
> +                       PRInt32 * aDestLength,
> +                       PRBool aSwapBytes)
> +@@ -59,32 +61,51 @@ UTF16ConvertToUnicode(PRUint8& aState, PRUint8& aOddByte,
> +   PRUnichar* dest = aDest;
> +   PRUnichar* destEnd = aDest + *aDestLength;
> + 
> +-  if(STATE_FOUND_BOM == aState) // caller found a BOM
> +-  {
> +-    if (*aSrcLength < 2)
> +-      return NS_ERROR_ILLEGAL_INPUT;
> +-    src+=2;
> +-    aState = STATE_NORMAL;
> +-  } else if(STATE_FIRST_CALL == aState) { // first time called
> +-    if (*aSrcLength < 2)
> +-      return NS_ERROR_ILLEGAL_INPUT;
> +-
> +-    // Eliminate BOM (0xFEFF). Note that different endian case is taken care of
> +-    // in |Convert| of LE and BE converters. Here, we only have to
> +-    // deal with the same endian case. That is, 0xFFFE (byte-swapped BOM) is
> +-    // illegal.
> +-    if(0xFEFF == *((PRUnichar*)src)) {
> ++  switch(aState) {
> ++    case STATE_FOUND_BOM:
> ++      if (*aSrcLength < 2)
> ++        return NS_ERROR_ILLEGAL_INPUT;
> +       src+=2;
> +-    } else if(0xFFFE == *((PRUnichar*)src)) {
> +-      *aSrcLength=0;
> +-      *aDestLength=0;
> +-      return NS_ERROR_ILLEGAL_INPUT;
> +-    }  
> +-    aState = STATE_NORMAL;
> ++      aState = STATE_NORMAL;
> ++      break;
> ++
> ++    case STATE_FIRST_CALL: // first time called
> ++      if (*aSrcLength < 2)
> ++        return NS_ERROR_ILLEGAL_INPUT;
> ++
> ++      // Eliminate BOM (0xFEFF). Note that different endian case is taken care
> ++      // of in |Convert| of LE and BE converters. Here, we only have to
> ++      // deal with the same endian case. That is, 0xFFFE (byte-swapped BOM) is
> ++      // illegal.
> ++      if(0xFEFF == *((PRUnichar*)src)) {
> ++        src+=2;
> ++      } else if(0xFFFE == *((PRUnichar*)src)) {
> ++        *aSrcLength=0;
> ++        *aDestLength=0;
> ++        return NS_ERROR_ILLEGAL_INPUT;
> ++      }  
> ++      aState = STATE_NORMAL;
> ++      break;
> ++
> ++    case STATE_ODD_SURROGATE_PAIR:
> ++      if (*aDestLength < 2)
> ++        *dest++ = UCS2_REPLACEMENT_CHAR;
> ++      else {
> ++        *dest++ = aOddHighSurrogate;
> ++        *dest++ = aOddLowSurrogate;
> ++        aOddHighSurrogate = aOddLowSurrogate = 0;
> ++        aState = STATE_NORMAL;
> ++      }
> ++      break;
> ++
> ++    case STATE_NORMAL:
> ++    case STATE_HALF_CODE_POINT:
> ++    default:
> ++      break;
> +   }
> + 
> +   if (src == srcEnd) {
> +-    *aDestLength = 0;
> ++    *aDestLength = dest - aDest;
> +     return NS_OK;
> +   }
> + 
> +@@ -136,17 +157,19 @@ have_codepoint:
> +       oddHighSurrogate = u;
> +     }
> +     else /* if (NS_IS_LOW_SURROGATE(u)) */ {
> +-      if (oddHighSurrogate) {
> +-        if (dest == destEnd - 1) {
> +-          *dest++ = UCS2_REPLACEMENT_CHAR;
> ++      if (oddHighSurrogate && *aDestLength > 1) {
> ++        if (dest + 1 >= destEnd) {
> ++          aOddLowSurrogate = u;
> ++          aOddHighSurrogate = oddHighSurrogate;
> ++          aState = STATE_ODD_SURROGATE_PAIR;
> +           goto error;
> +         }
> +         *dest++ = oddHighSurrogate;
> +         *dest++ = u;
> +-        oddHighSurrogate = 0;
> +       } else {
> +         *dest++ = UCS2_REPLACEMENT_CHAR;
> +       }
> ++      oddHighSurrogate = 0;
> +     }
> +   }
> +   if (src != srcEnd) {
> +@@ -173,6 +196,7 @@ nsUTF16ToUnicodeBase::Reset()
> +   mState = STATE_FIRST_CALL;
> +   mOddByte = 0;
> +   mOddHighSurrogate = 0;
> ++  mOddLowSurrogate = 0;
> +   return NS_OK;
> + }
> + 
> +@@ -181,9 +205,11 @@ nsUTF16ToUnicodeBase::GetMaxLength(const char * aSrc, PRInt32 aSrcLength,
> +                                    PRInt32 * aDestLength)
> + {
> +   // the left-over data of the previous run have to be taken into account.
> +-  *aDestLength = (aSrcLength +
> +-                    ((STATE_HALF_CODE_POINT == mState) ? 1 : 0)) / 2 +
> +-                 ((mOddHighSurrogate != 0) ? 1 : 0);
> ++  *aDestLength = (aSrcLength + ((STATE_HALF_CODE_POINT == mState) ? 1 : 0)) / 2;
> ++  if (mOddHighSurrogate)
> ++    (*aDestLength)++;
> ++  if (mOddLowSurrogate)
> ++    (*aDestLength)++;
> +   return NS_OK;
> + }
> + 
> +@@ -212,6 +238,7 @@ nsUTF16BEToUnicode::Convert(const char * aSrc, PRInt32 * aSrcLength,
> + #endif
> + 
> +   nsresult rv = UTF16ConvertToUnicode(mState, mOddByte, mOddHighSurrogate,
> ++                                      mOddLowSurrogate,
> +                                       aSrc, aSrcLength, aDest, aDestLength,
> + #ifdef IS_LITTLE_ENDIAN
> +                                       PR_TRUE
> +@@ -246,6 +273,7 @@ nsUTF16LEToUnicode::Convert(const char * aSrc, PRInt32 * aSrcLength,
> + #endif
> +     
> +   nsresult rv = UTF16ConvertToUnicode(mState, mOddByte, mOddHighSurrogate,
> ++                                      mOddLowSurrogate,
> +                                       aSrc, aSrcLength, aDest, aDestLength,
> + #ifdef IS_BIG_ENDIAN
> +                                       PR_TRUE
> +@@ -304,6 +332,7 @@ nsUTF16ToUnicode::Convert(const char * aSrc, PRInt32 * aSrcLength,
> +     }
> +     
> +     nsresult rv = UTF16ConvertToUnicode(mState, mOddByte, mOddHighSurrogate,
> ++                                        mOddLowSurrogate,
> +                                         aSrc, aSrcLength, aDest, aDestLength,
> + #ifdef IS_BIG_ENDIAN
> +                                         (mEndian == kLittleEndian)
> +diff --git a/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.h b/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.h
> +index 4bd7034..b46ea9a 100644
> +--- a/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.h
> ++++ b/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.h
> +@@ -62,6 +62,8 @@ protected:
> +   PRUint8 mOddByte;
> +   // to store an odd high surrogate left over between runs
> +   PRUnichar mOddHighSurrogate;
> ++  // to store an odd low surrogate left over between runs
> ++  PRUnichar mOddLowSurrogate;
> + };
> + 
> + // UTF-16 big endian
> diff --git a/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers.patch b/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers.patch
> new file mode 100644
> index 0000000..018fe5c
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers.patch
> @@ -0,0 +1,77 @@
> +From: Simon Montagu <smontagu@smontagu.org>
> +Date: Thu, 14 Oct 2010 00:44:34 -0700
> +Subject: Don't split a surrogate pair over two output buffers. Bug 600974, r=emk, dbaron, a1.9.1.17=dveditz
> +
> +---
> + intl/uconv/src/nsUTF8ToUnicode.cpp |   39 ++++++++++++++++++++++++++++++++---
> + 1 files changed, 35 insertions(+), 4 deletions(-)
> +
> +diff --git a/mozilla/intl/uconv/src/nsUTF8ToUnicode.cpp b/mozilla/intl/uconv/src/nsUTF8ToUnicode.cpp
> +index 6563dbd..9bcc699 100644
> +--- a/mozilla/intl/uconv/src/nsUTF8ToUnicode.cpp
> ++++ b/mozilla/intl/uconv/src/nsUTF8ToUnicode.cpp
> +@@ -64,6 +64,15 @@ NS_IMETHODIMP NS_NewUTF8ToUnicode(nsISupports* aOuter,
> +   return res;
> + }
> + 
> ++static PRUnichar* EmitSurrogatePair(PRUint32 ucs4, PRUnichar* aDest)
> ++{
> ++  NS_ASSERTION(ucs4 > 0xFFFF, "Should be a supplementary character");
> ++  ucs4 -= 0x00010000;
> ++  *aDest++ = 0xD800 | (0x000003FF & (ucs4 >> 10));
> ++  *aDest++ = 0xDC00 | (0x000003FF & ucs4);
> ++  return aDest;
> ++}
> ++
> + //----------------------------------------------------------------------
> + // Class nsUTF8ToUnicode [implementation]
> + 
> +@@ -136,12 +145,28 @@ NS_IMETHODIMP nsUTF8ToUnicode::Convert(const char * aSrc,
> + 
> +   nsresult res = NS_OK; // conversion result
> + 
> ++  out = aDest;
> ++  if (mState == 0xFF) {
> ++    // Emit supplementary character left over from previous iteration. If the
> ++    // buffer size is insufficient, treat it as an illegal character.
> ++    if (aDestLen < 2) {
> ++      NS_ERROR("Output buffer insufficient to hold supplementary character");
> ++      mState = 0;
> ++      return NS_ERROR_ILLEGAL_INPUT;
> ++    }
> ++    out = EmitSurrogatePair(mUcs4, out);
> ++    mUcs4 = 0;
> ++    mState = 0;
> ++    mBytes = 1;
> ++    mFirst = PR_FALSE;
> ++  }
> ++
> +   // Set mFirst to PR_FALSE now so we don't have to every time through the ASCII
> +   // branch within the loop.
> +   if (mFirst && aSrcLen && (0 == (0x80 & (*aSrc))))
> +     mFirst = PR_FALSE;
> + 
> +-  for (in = aSrc, out = aDest; ((in < inend) && (out < outend)); ++in) {
> ++  for (in = aSrc; ((in < inend) && (out < outend)); ++in) {
> +     if (0 == mState) {
> +       // When mState is zero we expect either a US-ASCII character or a
> +       // multi-octet sequence.
> +@@ -227,9 +252,15 @@ NS_IMETHODIMP nsUTF8ToUnicode::Convert(const char * aSrc,
> +           }
> +           if (mUcs4 > 0xFFFF) {
> +             // mUcs4 is in the range 0x10000 - 0x10FFFF. Output a UTF-16 pair
> +-            mUcs4 -= 0x00010000;
> +-            *out++ = 0xD800 | (0x000003FF & (mUcs4 >> 10));
> +-            *out++ = 0xDC00 | (0x000003FF & mUcs4);
> ++            if (out + 2 > outend) {
> ++              // insufficient space left in the buffer. Keep mUcs4 for the
> ++              // next iteration.
> ++              mState = 0xFF;
> ++              ++in;
> ++              res = NS_OK_UDEC_MOREOUTPUT;
> ++              break;
> ++            }
> ++            out = EmitSurrogatePair(mUcs4, out);
> +           } else if (UNICODE_BYTE_ORDER_MARK != mUcs4 || !mFirst) {
> +             // Don't output the BOM only if it is the first character
> +             *out++ = mUcs4;
> diff --git a/debian/patches/security/squeeze1/Fix-MakeUpvarForEval-vs.-normal-upvar-bookkeeping-61.patch b/debian/patches/security/squeeze1/Fix-MakeUpvarForEval-vs.-normal-upvar-bookkeeping-61.patch
> new file mode 100644
> index 0000000..84279c5
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Fix-MakeUpvarForEval-vs.-normal-upvar-bookkeeping-61.patch
> @@ -0,0 +1,34 @@
> +From: Brendan Eich <brendan@mozilla.org>
> +Date: Wed, 8 Dec 2010 14:26:30 -0800
> +Subject: Fix MakeUpvarForEval vs. normal upvar bookkeeping (615657, r=dmandelin, a=dveditz).
> +
> +---
> + js/src/jsemit.cpp |    8 ++++----
> + 1 files changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/mozilla/js/src/jsemit.cpp b/mozilla/js/src/jsemit.cpp
> +index 197b3d2..ad4d159 100644
> +--- a/mozilla/js/src/jsemit.cpp
> ++++ b/mozilla/js/src/jsemit.cpp
> +@@ -2203,10 +2203,9 @@ BindNameToSlot(JSContext *cx, JSCodeGenerator *cg, JSParseNode *pn)
> +             JS_ASSERT(index == cg->upvarList.count - 1);
> + 
> +             uint32 *vector = cg->upvarMap.vector;
> +-            if (!vector) {
> +-                uint32 length = cg->lexdeps.count;
> +-
> +-                vector = (uint32 *) calloc(length, sizeof *vector);
> ++            uint32 length = cg->lexdeps.count;
> ++            if (!vector || cg->upvarMap.length != length) {
> ++                vector = (uint32 *) realloc(vector, length * sizeof *vector);
> +                 if (!vector) {
> +                     JS_ReportOutOfMemory(cx);
> +                     return JS_FALSE;
> +@@ -2225,6 +2224,7 @@ BindNameToSlot(JSContext *cx, JSCodeGenerator *cg, JSParseNode *pn)
> +                     slot += tc->fun->nargs;
> +             }
> + 
> ++            JS_ASSERT(index < cg->upvarMap.length);
> +             vector[index] = MAKE_UPVAR_COOKIE(skip, slot);
> +         }
> + 
> diff --git a/debian/patches/security/squeeze1/Fix-for-bug-605672-Fix-reason-for-invalid-scope-asse.patch b/debian/patches/security/squeeze1/Fix-for-bug-605672-Fix-reason-for-invalid-scope-asse.patch
> new file mode 100644
> index 0000000..f62b51a
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Fix-for-bug-605672-Fix-reason-for-invalid-scope-asse.patch
> @@ -0,0 +1,432 @@
> +From: Peter Van der Beken <peterv@propagandism.org>
> +Date: Wed, 19 Jan 2011 15:26:52 -0800
> +Subject: Fix for bug 605672 (Fix reason for invalid scope assertion). r=jst, a=clegnitto.
> +
> +---
> + content/base/public/nsContentUtils.h   |   17 +++---
> + content/base/src/nsContentUtils.cpp    |   96 +++++++++++++++++---------------
> + content/base/src/nsDOMDocumentType.cpp |   13 ++--
> + content/base/src/nsDocument.cpp        |    8 +--
> + content/base/src/nsNodeUtils.cpp       |   23 +++----
> + content/base/src/nsNodeUtils.h         |   15 ++---
> + 6 files changed, 83 insertions(+), 89 deletions(-)
> +
> +diff --git a/mozilla/content/base/public/nsContentUtils.h b/mozilla/content/base/public/nsContentUtils.h
> +index 62282b6..b3c7b11 100644
> +--- a/mozilla/content/base/public/nsContentUtils.h
> ++++ b/mozilla/content/base/public/nsContentUtils.h
> +@@ -160,20 +160,18 @@ public:
> +                                          nsIDocument *aOldDocument);
> + 
> +   /**
> +-   * Get a scope from aOldDocument and one from aNewDocument. Also get a
> +-   * context through one of the scopes, from the stack or the safe context.
> ++   * Get a scope from aNewDocument. Also get a context through the scope of one
> ++   * of the documents, from the stack or the safe context.
> +    *
> +-   * @param aOldDocument The document to get aOldScope from.
> ++   * @param aOldDocument The document to try to get a context from. May be null.
> +    * @param aNewDocument The document to get aNewScope from.
> +    * @param aCx [out] Context gotten through one of the scopes, from the stack
> +    *                  or the safe context.
> +-   * @param aOldScope [out] Scope gotten from aOldDocument.
> +    * @param aNewScope [out] Scope gotten from aNewDocument.
> +    */
> +-  static nsresult GetContextAndScopes(nsIDocument *aOldDocument,
> +-                                      nsIDocument *aNewDocument,
> +-                                      JSContext **aCx, JSObject **aOldScope,
> +-                                      JSObject **aNewScope);
> ++  static nsresult GetContextAndScope(nsIDocument *aOldDocument,
> ++                                     nsIDocument *aNewDocument,
> ++                                     JSContext **aCx, JSObject **aNewScope);
> + 
> +   /**
> +    * When a document's scope changes (e.g., from document.open(), call this
> +@@ -182,6 +180,8 @@ public:
> +   static nsresult ReparentContentWrappersInScope(nsIScriptGlobalObject *aOldScope,
> +                                                  nsIScriptGlobalObject *aNewScope);
> + 
> ++  static JSObject *GetCachedWrapper(nsWrapperCache *aCache);
> ++
> +   static PRBool   IsCallerChrome();
> + 
> +   static PRBool   IsCallerTrustedForRead();
> +@@ -1413,7 +1413,6 @@ private:
> + 
> +   static nsresult doReparentContentWrapper(nsIContent *aChild,
> +                                            JSContext *cx,
> +-                                           JSObject *aOldGlobal,
> +                                            JSObject *aNewGlobal,
> +                                            nsIDocument *aOldDocument,
> +                                            nsIDocument *aNewDocument);
> +diff --git a/mozilla/content/base/src/nsContentUtils.cpp b/mozilla/content/base/src/nsContentUtils.cpp
> +index 8d2be95..d4409ac 100644
> +--- a/mozilla/content/base/src/nsContentUtils.cpp
> ++++ b/mozilla/content/base/src/nsContentUtils.cpp
> +@@ -1094,22 +1094,37 @@ nsContentUtils::InProlog(nsINode *aNode)
> + }
> + 
> + // static
> ++JSObject*
> ++nsContentUtils::GetCachedWrapper(nsWrapperCache *aCache)
> ++{
> ++  JSObject *obj = nsnull;
> ++  nsIXPConnectWrappedNative *wrapper =
> ++    static_cast<nsIXPConnectWrappedNative*>(aCache->GetWrapper());
> ++  if (wrapper) {
> ++    wrapper->GetJSObject(&obj);
> ++  }
> ++
> ++  return obj;
> ++}
> ++
> ++// static
> + nsresult
> + nsContentUtils::doReparentContentWrapper(nsIContent *aNode,
> +                                          JSContext *cx,
> +-                                         JSObject *aOldGlobal,
> +                                          JSObject *aNewGlobal,
> +                                          nsIDocument *aOldDocument,
> +                                          nsIDocument *aNewDocument)
> + {
> +-  nsCOMPtr<nsIXPConnectJSObjectHolder> old_wrapper;
> +-
> +   nsresult rv;
> + 
> +-  rv = sXPConnect->ReparentWrappedNativeIfFound(cx, aOldGlobal, aNewGlobal,
> +-                                                aNode,
> +-                                                getter_AddRefs(old_wrapper));
> +-  NS_ENSURE_SUCCESS(rv, rv);
> ++  JSObject *wrapper = GetCachedWrapper(aNode);
> ++  if (wrapper) {
> ++    nsCOMPtr<nsIXPConnectJSObjectHolder> old_wrapper;
> ++    rv = sXPConnect->ReparentWrappedNativeIfFound(cx, wrapper, aNewGlobal,
> ++                                                  aNode,
> ++                                                  getter_AddRefs(old_wrapper));
> ++    NS_ENSURE_SUCCESS(rv, rv);
> ++  }
> + 
> +   // Whether or not aChild is already wrapped we must iterate through
> +   // its descendants since there's no guarantee that a descendant isn't
> +@@ -1123,8 +1138,7 @@ nsContentUtils::doReparentContentWrapper(nsIContent *aNode,
> +     nsIContent *child = aNode->GetChildAt(i);
> +     NS_ENSURE_TRUE(child, NS_ERROR_UNEXPECTED);
> + 
> +-    rv = doReparentContentWrapper(child, cx, 
> +-                                  aOldGlobal, aNewGlobal,
> ++    rv = doReparentContentWrapper(child, cx, aNewGlobal,
> +                                   aOldDocument, aNewDocument);
> +     NS_ENSURE_SUCCESS(rv, rv);
> +   }
> +@@ -1133,22 +1147,17 @@ nsContentUtils::doReparentContentWrapper(nsIContent *aNode,
> + }
> + 
> + static JSContext *
> +-GetContextFromDocument(nsIDocument *aDocument, JSObject** aGlobalObject)
> ++GetContextFromDocument(nsIDocument *aDocument)
> + {
> +   nsIScriptGlobalObject *sgo = aDocument->GetScopeObject();
> +   if (!sgo) {
> +     // No script global, no context.
> +-
> +-    *aGlobalObject = nsnull;
> +-
> +     return nsnull;
> +   }
> + 
> +-  *aGlobalObject = sgo->GetGlobalJSObject();
> +-
> +   nsIScriptContext *scx = sgo->GetContext();
> +   if (!scx) {
> +-    // No context left in the old scope...
> ++    // No context left in the scope...
> + 
> +     return nsnull;
> +   }
> +@@ -1170,54 +1179,41 @@ nsContentUtils::ReparentContentWrapper(nsIContent *aContent,
> +   }
> + 
> +   JSContext *cx;
> +-  JSObject *oldScope, *newScope;
> +-  nsresult rv = GetContextAndScopes(aOldDocument, aNewDocument, &cx, &oldScope,
> +-                                    &newScope);
> ++  JSObject *newScope;
> ++  nsresult rv = GetContextAndScope(aOldDocument, aNewDocument, &cx, &newScope);
> +   NS_ENSURE_SUCCESS(rv, rv);
> + 
> +   if (!cx) {
> +     return NS_OK;
> +   }
> + 
> +-  return doReparentContentWrapper(aContent, cx, oldScope, newScope, 
> ++  return doReparentContentWrapper(aContent, cx, newScope,
> +                                   aOldDocument, aNewDocument);
> + }
> + 
> + // static
> + nsresult
> +-nsContentUtils::GetContextAndScopes(nsIDocument *aOldDocument,
> +-                                    nsIDocument *aNewDocument, JSContext **aCx,
> +-                                    JSObject **aOldScope, JSObject **aNewScope)
> ++nsContentUtils::GetContextAndScope(nsIDocument *aOldDocument,
> ++                                   nsIDocument *aNewDocument, JSContext **aCx,
> ++                                   JSObject **aNewScope)
> + {
> +   *aCx = nsnull;
> +-  *aOldScope = nsnull;
> +   *aNewScope = nsnull;
> + 
> +-  JSObject *newScope = nsnull;
> +-  nsIScriptGlobalObject *newSGO = aNewDocument->GetScopeObject();
> +-  if (!newSGO || !(newScope = newSGO->GetGlobalJSObject())) {
> +-    return NS_OK;
> ++  JSObject *newScope = GetCachedWrapper(aNewDocument);
> ++  JSObject *global;
> ++  if (!newScope) {
> ++    nsIScriptGlobalObject *newSGO = aNewDocument->GetScopeObject();
> ++    if (!newSGO || !(global = newSGO->GetGlobalJSObject())) {
> ++      return NS_OK;
> ++    }
> +   }
> + 
> +   NS_ENSURE_TRUE(sXPConnect, NS_ERROR_NOT_INITIALIZED);
> + 
> +-  // Make sure to get our hands on the right scope object, since
> +-  // GetWrappedNativeOfNativeObject doesn't call PreCreate and hence won't get
> +-  // the right scope if we pass in something bogus.  The right scope lives on
> +-  // the script global of the old document.
> +-  // XXXbz note that if GetWrappedNativeOfNativeObject did call PreCreate it
> +-  // would get the wrong scope (that of the _new_ document), so we should be
> +-  // glad it doesn't!
> +-  JSObject *oldScope = nsnull;
> +-  JSContext *cx = GetContextFromDocument(aOldDocument, &oldScope);
> +-
> +-  if (!oldScope) {
> +-    return NS_OK;
> +-  }
> +-
> ++  JSContext *cx = aOldDocument ? GetContextFromDocument(aOldDocument) : nsnull;
> +   if (!cx) {
> +-    JSObject *dummy;
> +-    cx = GetContextFromDocument(aNewDocument, &dummy);
> ++    cx = GetContextFromDocument(aNewDocument);
> + 
> +     if (!cx) {
> +       // No context reachable from the old or new document, use the
> +@@ -1239,8 +1235,18 @@ nsContentUtils::GetContextAndScopes(nsIDocument *aOldDocument,
> +     }
> +   }
> + 
> ++  if (!newScope && cx) {
> ++    nsCOMPtr<nsIXPConnectJSObjectHolder> holder;
> ++    jsval v;
> ++    nsresult rv = sXPConnect->WrapNativeToJSVal(cx, global, aNewDocument,
> ++                                                &NS_GET_IID(nsISupports), &v,
> ++                                                getter_AddRefs(holder));
> ++    NS_ENSURE_SUCCESS(rv, rv);
> ++
> ++    newScope = JSVAL_TO_OBJECT(v);
> ++  }
> ++
> +   *aCx = cx;
> +-  *aOldScope = oldScope;
> +   *aNewScope = newScope;
> + 
> +   return NS_OK;
> +diff --git a/mozilla/content/base/src/nsDOMDocumentType.cpp b/mozilla/content/base/src/nsDOMDocumentType.cpp
> +index 8904cc8..d4f1fab 100644
> +--- a/mozilla/content/base/src/nsDOMDocumentType.cpp
> ++++ b/mozilla/content/base/src/nsDOMDocumentType.cpp
> +@@ -264,16 +264,15 @@ nsDOMDocumentType::BindToTree(nsIDocument *aDocument, nsIContent *aParent,
> + 
> +     mNodeInfo.swap(newNodeInfo);
> + 
> +-    nsCOMPtr<nsIDocument> oldOwnerDoc =
> +-      do_QueryInterface(nsContentUtils::GetDocumentFromContext());
> +-    nsIDocument *newOwnerDoc = nimgr->GetDocument();
> +-    if (oldOwnerDoc && newOwnerDoc) {
> ++    JSObject *oldScope = nsContentUtils::GetCachedWrapper(this);
> ++    if (oldScope) {
> +       nsIXPConnect *xpc = nsContentUtils::XPConnect();
> + 
> +       JSContext *cx = nsnull;
> +-      JSObject *oldScope = nsnull, *newScope = nsnull;
> +-      nsresult rv = nsContentUtils::GetContextAndScopes(oldOwnerDoc, newOwnerDoc, &cx,
> +-                                                        &oldScope, &newScope);
> ++      JSObject *newScope = nsnull;
> ++      nsresult rv = nsContentUtils::GetContextAndScope(nsnull,
> ++                                                       nimgr->GetDocument(),
> ++                                                       &cx, &newScope);
> +       if (cx && xpc) {
> +         nsISupports *node = NS_ISUPPORTS_CAST(nsIContent*, this);
> +         nsCOMPtr<nsIXPConnectJSObjectHolder> oldWrapper;
> +diff --git a/mozilla/content/base/src/nsDocument.cpp b/mozilla/content/base/src/nsDocument.cpp
> +index da61037..425cbdf 100644
> +--- a/mozilla/content/base/src/nsDocument.cpp
> ++++ b/mozilla/content/base/src/nsDocument.cpp
> +@@ -6006,17 +6006,15 @@ nsDocument::AdoptNode(nsIDOMNode *aAdoptedNode, nsIDOMNode **aResult)
> +   PRBool sameDocument = oldDocument == this;
> + 
> +   JSContext *cx = nsnull;
> +-  JSObject *oldScope = nsnull;
> +   JSObject *newScope = nsnull;
> +-  if (!sameDocument && oldDocument) {
> +-    rv = nsContentUtils::GetContextAndScopes(oldDocument, this, &cx, &oldScope,
> +-                                             &newScope);
> ++  if (!sameDocument) {
> ++    rv = nsContentUtils::GetContextAndScope(oldDocument, this, &cx, &newScope);
> +     NS_ENSURE_SUCCESS(rv, rv);
> +   }
> + 
> +   nsCOMArray<nsINode> nodesWithProperties;
> +   rv = nsNodeUtils::Adopt(adoptedNode, sameDocument ? nsnull : mNodeInfoManager,
> +-                          cx, oldScope, newScope, nodesWithProperties);
> ++                          cx, newScope, nodesWithProperties);
> +   if (NS_FAILED(rv)) {
> +     // Disconnect all nodes from their parents, since some have the old document
> +     // as their ownerDocument and some have this as their ownerDocument.
> +diff --git a/mozilla/content/base/src/nsNodeUtils.cpp b/mozilla/content/base/src/nsNodeUtils.cpp
> +index 09249a4..ef4fd61 100755
> +--- a/mozilla/content/base/src/nsNodeUtils.cpp
> ++++ b/mozilla/content/base/src/nsNodeUtils.cpp
> +@@ -481,12 +481,11 @@ nsNodeUtils::CloneNodeImpl(nsINode *aNode, PRBool aDeep, nsIDOMNode **aResult)
> + class AdoptFuncData {
> + public:
> +   AdoptFuncData(nsIDOMElement *aElement, nsNodeInfoManager *aNewNodeInfoManager,
> +-                JSContext *aCx, JSObject *aOldScope, JSObject *aNewScope,
> ++                JSContext *aCx, JSObject *aNewScope,
> +                 nsCOMArray<nsINode> &aNodesWithProperties)
> +     : mElement(aElement),
> +       mNewNodeInfoManager(aNewNodeInfoManager),
> +       mCx(aCx),
> +-      mOldScope(aOldScope),
> +       mNewScope(aNewScope),
> +       mNodesWithProperties(aNodesWithProperties)
> +   {
> +@@ -495,7 +494,6 @@ public:
> +   nsIDOMElement *mElement;
> +   nsNodeInfoManager *mNewNodeInfoManager;
> +   JSContext *mCx;
> +-  JSObject *mOldScope;
> +   JSObject *mNewScope;
> +   nsCOMArray<nsINode> &mNodesWithProperties;
> + };
> +@@ -514,8 +512,7 @@ AdoptFunc(nsAttrHashKey::KeyType aKey, nsIDOMNode *aData, void* aUserArg)
> +   nsCOMPtr<nsIDOMNode> node;
> +   nsresult rv = nsNodeUtils::CloneAndAdopt(attr, clone, PR_TRUE,
> +                                            data->mNewNodeInfoManager,
> +-                                           data->mCx, data->mOldScope,
> +-                                           data->mNewScope,
> ++                                           data->mCx, data->mNewScope,
> +                                            data->mNodesWithProperties,
> +                                            nsnull, getter_AddRefs(node));
> + 
> +@@ -533,15 +530,14 @@ AdoptFunc(nsAttrHashKey::KeyType aKey, nsIDOMNode *aData, void* aUserArg)
> + nsresult
> + nsNodeUtils::CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
> +                            nsNodeInfoManager *aNewNodeInfoManager,
> +-                           JSContext *aCx, JSObject *aOldScope,
> +-                           JSObject *aNewScope,
> ++                           JSContext *aCx, JSObject *aNewScope,
> +                            nsCOMArray<nsINode> &aNodesWithProperties,
> +                            nsINode *aParent, nsIDOMNode **aResult)
> + {
> +   NS_PRECONDITION((!aClone && aNewNodeInfoManager) || !aCx,
> +                   "If cloning or not getting a new nodeinfo we shouldn't "
> +                   "rewrap");
> +-  NS_PRECONDITION(!aCx || (aOldScope && aNewScope), "Must have scopes");
> ++  NS_PRECONDITION(!aCx || aNewScope, "Must have scopes");
> +   NS_PRECONDITION(!aParent || !aNode->IsNodeOfType(nsINode::eDOCUMENT),
> +                   "Can't insert document nodes into a parent");
> + 
> +@@ -640,11 +636,12 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
> +       elem->RecompileScriptEventListeners();
> +     }
> + 
> +-    if (aCx) {
> ++    JSObject *wrapper = nsContentUtils::GetCachedWrapper(aNode);
> ++    if (aCx && wrapper) {
> +       nsIXPConnect *xpc = nsContentUtils::XPConnect();
> +       if (xpc) {
> +         nsCOMPtr<nsIXPConnectJSObjectHolder> oldWrapper;
> +-        rv = xpc->ReparentWrappedNativeIfFound(aCx, aOldScope, aNewScope, aNode,
> ++        rv = xpc->ReparentWrappedNativeIfFound(aCx, wrapper, aNewScope, aNode,
> +                                                getter_AddRefs(oldWrapper));
> +         if (NS_FAILED(rv)) {
> +           aNode->mNodeInfo.swap(nodeInfo);
> +@@ -667,8 +664,8 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
> +         NS_ENSURE_SUCCESS(rv, rv);
> +       }
> + 
> +-      AdoptFuncData data(element, nodeInfoManager, aCx, aOldScope,
> +-                         aNewScope, aNodesWithProperties);
> ++      AdoptFuncData data(element, nodeInfoManager, aCx, aNewScope,
> ++                         aNodesWithProperties);
> + 
> +       PRUint32 count = map->Enumerate(AdoptFunc, &data);
> +       NS_ENSURE_TRUE(count == map->Count(), NS_ERROR_FAILURE);
> +@@ -702,7 +699,7 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
> +     for (i = 0; i < length; ++i) {
> +       nsCOMPtr<nsIDOMNode> child;
> +       rv = CloneAndAdopt(aNode->GetChildAt(i), aClone, PR_TRUE, nodeInfoManager,
> +-                         aCx, aOldScope, aNewScope, aNodesWithProperties,
> ++                         aCx, aNewScope, aNodesWithProperties,
> +                          clone, getter_AddRefs(child));
> +       NS_ENSURE_SUCCESS(rv, rv);
> +     }
> +diff --git a/mozilla/content/base/src/nsNodeUtils.h b/mozilla/content/base/src/nsNodeUtils.h
> +index ee4c9c2..8776175 100755
> +--- a/mozilla/content/base/src/nsNodeUtils.h
> ++++ b/mozilla/content/base/src/nsNodeUtils.h
> +@@ -163,8 +163,7 @@ public:
> +                         nsIDOMNode **aResult)
> +   {
> +     return CloneAndAdopt(aNode, PR_TRUE, aDeep, aNewNodeInfoManager, nsnull,
> +-                         nsnull, nsnull, aNodesWithProperties, nsnull,
> +-                         aResult);
> ++                         nsnull, aNodesWithProperties, nsnull, aResult);
> +   }
> + 
> +   /**
> +@@ -182,20 +181,18 @@ public:
> +    * @param aCx Context to use for reparenting the wrappers, or null if no
> +    *            reparenting should be done. Must be null if aNewNodeInfoManager
> +    *            is null.
> +-   * @param aOldScope Old scope for the wrappers. May be null if aCx is null.
> +    * @param aNewScope New scope for the wrappers. May be null if aCx is null.
> +    * @param aNodesWithProperties All nodes (from amongst aNode and its
> +    *                             descendants) with properties.
> +    */
> +   static nsresult Adopt(nsINode *aNode, nsNodeInfoManager *aNewNodeInfoManager,
> +-                        JSContext *aCx, JSObject *aOldScope,
> +-                        JSObject *aNewScope,
> ++                        JSContext *aCx, JSObject *aNewScope,
> +                         nsCOMArray<nsINode> &aNodesWithProperties)
> +   {
> +     nsCOMPtr<nsIDOMNode> dummy;
> +     return CloneAndAdopt(aNode, PR_FALSE, PR_TRUE, aNewNodeInfoManager, aCx,
> +-                         aOldScope, aNewScope, aNodesWithProperties,
> +-                         nsnull, getter_AddRefs(dummy));
> ++                         aNewScope, aNodesWithProperties, nsnull,
> ++                         getter_AddRefs(dummy));
> +   }
> + 
> +   /**
> +@@ -302,7 +299,6 @@ private:
> +    * @param aCx Context to use for reparenting the wrappers, or null if no
> +    *            reparenting should be done. Must be null if aClone is PR_TRUE or
> +    *            if aNewNodeInfoManager is null.
> +-   * @param aOldScope Old scope for the wrappers. May be null if aCx is null.
> +    * @param aNewScope New scope for the wrappers. May be null if aCx is null.
> +    * @param aNodesWithProperties All nodes (from amongst aNode and its
> +    *                             descendants) with properties. If aClone is
> +@@ -315,8 +311,7 @@ private:
> +    */
> +   static nsresult CloneAndAdopt(nsINode *aNode, PRBool aClone, PRBool aDeep,
> +                                 nsNodeInfoManager *aNewNodeInfoManager,
> +-                                JSContext *aCx, JSObject *aOldScope,
> +-                                JSObject *aNewScope,
> ++                                JSContext *aCx, JSObject *aNewScope,
> +                                 nsCOMArray<nsINode> &aNodesWithProperties,
> +                                 nsINode *aParent, nsIDOMNode **aResult);
> + };
> diff --git a/debian/patches/security/squeeze1/Fix-hard-case-destructurinv-vs.-for-var-.-.-in-.-bug.patch b/debian/patches/security/squeeze1/Fix-hard-case-destructurinv-vs.-for-var-.-.-in-.-bug.patch
> new file mode 100644
> index 0000000..1779378
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Fix-hard-case-destructurinv-vs.-for-var-.-.-in-.-bug.patch
> @@ -0,0 +1,27 @@
> +From: Brendan Eich <brendan@mozilla.org>
> +Date: Thu, 20 Jan 2011 15:48:18 -0800
> +Subject: Fix hard-case destructurinv vs. for(var ...=... in ...) bug (558633, r=mrbkap, a=dveditz).
> +
> +---
> + js/src/jsparse.cpp |    8 +++++++-
> + 1 files changed, 7 insertions(+), 1 deletions(-)
> +
> +diff --git a/mozilla/js/src/jsparse.cpp b/mozilla/js/src/jsparse.cpp
> +index 230e744..be5978e 100644
> +--- a/mozilla/js/src/jsparse.cpp
> ++++ b/mozilla/js/src/jsparse.cpp
> +@@ -3464,7 +3464,13 @@ BindDestructuringLHS(JSContext *cx, JSParseNode *pn, JSTreeContext *tc)
> + 
> +       case TOK_DOT:
> +       case TOK_LB:
> +-        pn->pn_op = JSOP_SETNAME;
> ++        /*
> ++         * We may be called on a name node that has already been specialized,
> ++         * in the very weird and ECMA-262-required "for (var [x] = i in o) ..."
> ++         * case. See bug 558633.
> ++         */
> ++        if (!(js_CodeSpec[pn->pn_op].format & JOF_SET))
> ++            pn->pn_op = JSOP_SETNAME;
> +         break;
> + 
> + #if JS_HAS_LVALUE_RETURN
> diff --git a/debian/patches/security/squeeze1/Fix-some-errors-with-handling-invalid-sequences-in-t.patch b/debian/patches/security/squeeze1/Fix-some-errors-with-handling-invalid-sequences-in-t.patch
> new file mode 100644
> index 0000000..f123d37
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Fix-some-errors-with-handling-invalid-sequences-in-t.patch
> @@ -0,0 +1,35 @@
> +From: Simon Montagu <smontagu@smontagu.org>
> +Date: Mon, 27 Dec 2010 11:45:31 +0200
> +Subject: Fix some errors with handling invalid sequences in the EUC-JP decoder. Bug 563618, r=emk, a1.9.1.17=LegNeato
> +
> +---
> + intl/uconv/ucvja/mozilla/nsJapaneseToUnicode.cpp |    8 ++++----
> + 1 files changed, 4 insertions(+), 4 deletions(-)
> +
> +diff --git a/mozilla/intl/uconv/ucvja/nsJapaneseToUnicode.cpp b/mozilla/intl/uconv/ucvja/nsJapaneseToUnicode.cpp
> +index 629884f..9ce854c 100644
> +--- a/mozilla/intl/uconv/ucvja/nsJapaneseToUnicode.cpp
> ++++ b/mozilla/intl/uconv/ucvja/mozilla/nsJapaneseToUnicode.cpp
> +@@ -322,10 +322,10 @@ NS_IMETHODIMP nsEUCJPToUnicodeV2::Convert(
> +             if(0xFF == off) {
> +               *dest++ = 0xFFFD;
> +                // if the first byte is valid for EUC-JP but the second 
> +-               // is not while being a valid US-ASCII(i.e. < 0xc0), save it
> ++               // is not while being a valid US-ASCII, save it
> +                // instead of eating it up !
> +-               if ( ! (*src & 0xc0)  )
> +-                 *dest++ = (PRUnichar) *src;;
> ++              if ( (PRUint8)*src < (PRUint8)0x7f )
> ++                --src;
> +             } else {
> +                *dest++ = gJapaneseMap[mData+off];
> +             }
> +@@ -344,7 +344,7 @@ NS_IMETHODIMP nsEUCJPToUnicodeV2::Convert(
> +               // if 0x8e is not followed by a valid JIS X 0201 byte
> +               // but by a valid US-ASCII, save it instead of eating it up.
> +               if ( (PRUint8)*src < (PRUint8)0x7f )
> +-                 *dest++ = (PRUnichar) *src;
> ++                --src;
> +             }
> +             mState = 0;
> +             if(dest >= destEnd)
> diff --git a/debian/patches/security/squeeze1/Properly-check-attribute-URLs-Bug-562547-r-jst-r-a-d.patch b/debian/patches/security/squeeze1/Properly-check-attribute-URLs-Bug-562547-r-jst-r-a-d.patch
> new file mode 100644
> index 0000000..9aff2d5
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Properly-check-attribute-URLs-Bug-562547-r-jst-r-a-d.patch
> @@ -0,0 +1,125 @@
> +From: Robert Sayre <sayrer@gmail.com>
> +Date: Tue, 14 Dec 2010 21:26:27 +0100
> +Subject: Properly check attribute URLs -- Bug 562547, r=jst, r+a=dveditz
> +
> +---
> + content/html/document/src/Makefile.in              |    1 +
> + .../document/src/nsHTMLFragmentContentSink.cpp     |   12 +++++++++---
> + content/xml/document/src/Makefile.in               |    1 +
> + .../xml/document/src/nsXMLFragmentContentSink.cpp  |   13 +++++++++++--
> + 4 files changed, 22 insertions(+), 5 deletions(-)
> +
> +diff --git a/mozilla/content/html/document/src/Makefile.in b/mozilla/content/html/document/src/Makefile.in
> +index 780957e..7cf44ff 100644
> +--- a/mozilla/content/html/document/src/Makefile.in
> ++++ b/mozilla/content/html/document/src/Makefile.in
> +@@ -108,6 +108,7 @@ INCLUDES	+= \
> + 		-I$(srcdir)/../../../../layout/style \
> + 		-I$(srcdir)/../../../../dom/src/base \
> + 		-I$(srcdir)/../../../../xpcom/io \
> ++		-I$(srcdir)/../../../../caps/include \
> + 		$(NULL)
> + 
> + DEFINES += -D_IMPL_NS_LAYOUT
> +diff --git a/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp b/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp
> +index 0f26e7c..1ffbea8 100644
> +--- a/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp
> ++++ b/mozilla/content/html/document/src/nsHTMLFragmentContentSink.cpp
> +@@ -59,6 +59,7 @@
> + #include "nsContentUtils.h"
> + #include "nsEscape.h"
> + #include "nsNodeInfoManager.h"
> ++#include "nsNullPrincipal.h"
> + #include "nsContentCreatorFunctions.h"
> + #include "nsNetUtil.h"
> + #include "nsIScriptSecurityManager.h"
> +@@ -920,6 +921,8 @@ protected:
> +   PRPackedBool mInStyle; // whether we're inside a style element
> +   PRPackedBool mProcessComments; // used when comments are allowed
> + 
> ++  nsCOMPtr<nsIPrincipal> mNullPrincipal;
> ++
> +   // Use nsTHashTable as a hash set for our whitelists
> +   static nsTHashtable<nsISupportsHashKey>* sAllowedTags;
> +   static nsTHashtable<nsISupportsHashKey>* sAllowedAttributes;
> +@@ -1088,7 +1091,12 @@ nsHTMLParanoidFragmentSink::AddAttributes(const nsIParserNode& aNode,
> +   nsresult rv;
> +   // use this to check for safe URIs in the few attributes that allow them
> +   nsIScriptSecurityManager* secMan = nsContentUtils::GetSecurityManager();
> ++  PRUint32 flags = nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL;
> +   nsCOMPtr<nsIURI> baseURI;
> ++  if (!mNullPrincipal) {
> ++      mNullPrincipal = do_CreateInstance(NS_NULLPRINCIPAL_CONTRACTID, &rv);
> ++      NS_ENSURE_SUCCESS(rv, rv);
> ++  }
> + 
> +   for (PRInt32 i = ac - 1; i >= 0; i--) {
> +     rv = NS_OK;
> +@@ -1125,9 +1133,7 @@ nsHTMLParanoidFragmentSink::AddAttributes(const nsIParserNode& aNode,
> +       rv = NS_NewURI(getter_AddRefs(attrURI), v, nsnull, baseURI);
> +       if (NS_SUCCEEDED(rv)) {
> +         rv = secMan->
> +-          CheckLoadURIWithPrincipal(mTargetDocument->NodePrincipal(),
> +-                attrURI,
> +-                nsIScriptSecurityManager::DISALLOW_INHERIT_PRINCIPAL);
> ++          CheckLoadURIWithPrincipal(mNullPrincipal, attrURI, flags);
> +       }
> +     }
> +     
> +diff --git a/mozilla/content/xml/document/src/Makefile.in b/mozilla/content/xml/document/src/Makefile.in
> +index 533119c..f9dee19 100644
> +--- a/mozilla/content/xml/document/src/Makefile.in
> ++++ b/mozilla/content/xml/document/src/Makefile.in
> +@@ -91,6 +91,7 @@ LOCAL_INCLUDES	= \
> + 		-I$(srcdir)/../../../xul/content/src \
> + 		-I$(srcdir)/../../../events/src \
> + 		-I$(srcdir)/../../../../dom/src/base \
> ++		-I$(srcdir)/../../../../caps/include \
> + 		$(NULL)
> + 
> + DEFINES += -D_IMPL_NS_LAYOUT
> +diff --git a/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp b/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp
> +index dcc1909..5f471b6 100644
> +--- a/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp
> ++++ b/mozilla/content/xml/document/src/nsXMLFragmentContentSink.cpp
> +@@ -49,6 +49,7 @@
> + #include "nsGkAtoms.h"
> + #include "nsINodeInfo.h"
> + #include "nsNodeInfoManager.h"
> ++#include "nsNullPrincipal.h"
> + #include "nsContentCreatorFunctions.h"
> + #include "nsDOMError.h"
> + #include "nsIConsoleService.h"
> +@@ -516,6 +517,9 @@ public:
> +                                  PRUint32 aLength);
> + protected:
> +   PRUint32 mSkipLevel; // used when we descend into <style> or <script>
> ++
> ++  nsCOMPtr<nsIPrincipal> mNullPrincipal;
> ++
> +   // Use nsTHashTable as a hash set for our whitelists
> +   static nsTHashtable<nsISupportsHashKey>* sAllowedTags;
> +   static nsTHashtable<nsISupportsHashKey>* sAllowedAttributes;
> +@@ -637,6 +641,12 @@ nsXHTMLParanoidFragmentSink::AddAttributes(const PRUnichar** aAtts,
> +   PRInt32 nameSpaceID;
> +   nsCOMPtr<nsIAtom> prefix, localName;
> +   nsCOMPtr<nsINodeInfo> nodeInfo;
> ++
> ++  if (!mNullPrincipal) {
> ++      mNullPrincipal = do_CreateInstance(NS_NULLPRINCIPAL_CONTRACTID, &rv);
> ++      NS_ENSURE_SUCCESS(rv, rv);
> ++  }
> ++
> +   while (*aAtts) {
> +     nsContentUtils::SplitExpatName(aAtts[0], getter_AddRefs(prefix),
> +                                    getter_AddRefs(localName), &nameSpaceID);
> +@@ -652,8 +662,7 @@ nsXHTMLParanoidFragmentSink::AddAttributes(const PRUnichar** aAtts,
> +       rv = NS_NewURI(getter_AddRefs(attrURI), nsDependentString(aAtts[1]),
> +                      nsnull, baseURI);
> +       if (NS_SUCCEEDED(rv)) {
> +-        rv = secMan->CheckLoadURIWithPrincipal(mTargetDocument->NodePrincipal(),
> +-                                               attrURI, flags);
> ++        rv = secMan->CheckLoadURIWithPrincipal(mNullPrincipal, attrURI, flags);
> +       }
> +     }
> + 
> diff --git a/debian/patches/security/squeeze1/Tests-for-bug-563618.patch b/debian/patches/security/squeeze1/Tests-for-bug-563618.patch
> new file mode 100644
> index 0000000..a8096a4
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Tests-for-bug-563618.patch
> @@ -0,0 +1,136 @@
> +From: Simon Montagu <smontagu@smontagu.org>
> +Date: Mon, 27 Dec 2010 11:45:31 +0200
> +Subject: Tests for bug 563618
> +
> +---
> + intl/uconv/crashtests/563618.html       |   12 +++++
> + intl/uconv/crashtests/crashtests.list   |    1 +
> + intl/uconv/tests/unit/test_bug563618.js |   79 +++++++++++++++++++++++++++++++
> + testing/crashtest/crashtests.list       |    1 +
> + 4 files changed, 93 insertions(+), 0 deletions(-)
> + create mode 100644 intl/uconv/crashtests/563618.html
> + create mode 100644 intl/uconv/crashtests/crashtests.list
> + create mode 100644 intl/uconv/tests/unit/test_bug563618.js
> +
> +diff --git a/mozilla/intl/uconv/crashtests/563618.html b/mozilla/intl/uconv/crashtests/563618.html
> +new file mode 100644
> +index 0000000..e36b664
> +--- /dev/null
> ++++ b/mozilla/intl/uconv/crashtests/563618.html
> +@@ -0,0 +1,12 @@
> ++<!DOCTYPE HTML PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
> ++<html>
> ++<head>
> ++  <meta content="text/html; charset=euc-jp"
> ++ http-equiv="content-type">
> ++  <title>Serbian Glyph Test</title>
> ++</head>
> ++<body>
> ++                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                         
> ++  <p style="font-size: 20pt;">?</p>
> ++</body>
> ++</html>
> +diff --git a/mozilla/intl/uconv/crashtests/crashtests.list b/mozilla/intl/uconv/crashtests/crashtests.list
> +new file mode 100644
> +index 0000000..5d92626
> +--- /dev/null
> ++++ b/mozilla/intl/uconv/crashtests/crashtests.list
> +@@ -0,0 +1 @@
> ++load 563618.html
> +diff --git a/mozilla/intl/uconv/tests/unit/test_bug563618.js b/mozilla/intl/uconv/tests/unit/test_bug563618.js
> +new file mode 100644
> +index 0000000..314066c
> +--- /dev/null
> ++++ b/mozilla/intl/uconv/tests/unit/test_bug563618.js
> +@@ -0,0 +1,79 @@
> ++/* Test case for bug 563618
> ++ *
> ++ * Uses nsIConverterInputStream to decode invalid EUC-JP text
> ++ *
> ++ */
> ++
> ++const test = [
> ++// 0: 0x8e followed by hi byte, not valid JIS X 0201
> ++	      ["abcdefghijklmnopqrstuvwxyz12test00%8e%80foobar",
> ++//    expected: one replacement character, invalid byte eaten
> ++               "abcdefghijklmnopqrstuvwxyz12test00\uFFFDfoobar"],
> ++// 1: 0x8e followed by ASCII
> ++	      ["abcdefghijklmnopqrstuvwxyz12test01%8efoobar",
> ++//    expected: one replacement character, invalid byte not eaten
> ++               "abcdefghijklmnopqrstuvwxyz12test01\uFFFDfoobar"],
> ++// 2: JIS X 0208 lead byte followed by invalid hi byte
> ++              ["abcdefghijklmnopqrstuvwxyz12test02%bf%80foobar",
> ++//    expected: one replacement character, invalid byte eaten
> ++	       "abcdefghijklmnopqrstuvwxyz12test02\uFFFDfoobar"],
> ++// 3: JIS X 0208 lead byte followed by ASCII
> ++              ["abcdefghijklmnopqrstuvwxyz12test03%bffoobar",
> ++//    expected: one replacement character, invalid byte not eaten
> ++	       "abcdefghijklmnopqrstuvwxyz12test03\uFFFDfoobar"]];
> ++
> ++const IOService = Components.Constructor("@mozilla.org/network/io-service;1",
> ++                                         "nsIIOService");
> ++const ConverterInputStream =
> ++      Components.Constructor("@mozilla.org/intl/converter-input-stream;1",
> ++                             "nsIConverterInputStream",
> ++                             "init");
> ++const ios = new IOService();
> ++
> ++function testCase(testText, expectedText, bufferLength, charset)
> ++{
> ++  var dataURI = "data:text/plain;charset=" + charset + "," + testText;
> ++
> ++  var channel = ios.newChannel(dataURI, "", null);
> ++  var testInputStream = channel.open();
> ++  var testConverter = new ConverterInputStream(testInputStream,
> ++                                               charset,
> ++                                               bufferLength,
> ++                                               0xFFFD);
> ++
> ++  if (!(testConverter instanceof
> ++        Components.interfaces.nsIUnicharLineInputStream))
> ++    throw "not line input stream";
> ++
> ++  var outStr = "";
> ++  var more;
> ++  do {
> ++    // read the line and check for eof
> ++    var line = {};
> ++    more = testConverter.readLine(line);
> ++    outStr += line.value;
> ++  } while (more);
> ++
> ++  if (outStr != expectedText) {
> ++    dump("Failed with bufferLength = " + bufferLength + "\n");
> ++    if (outStr.length == expectedText.length) {
> ++      for (i = 0; i < outStr.length; ++i) {
> ++	if (outStr.charCodeAt(i) != expectedText.charCodeAt(i)) {
> ++	  dump(i + ": " + outStr.charCodeAt(i).toString(16) + " != " + expectedText.charCodeAt(i).toString(16) + "\n");
> ++	}
> ++      }
> ++    }
> ++  }
> ++
> ++  // escape the strings before comparing for better readability
> ++  do_check_eq(escape(outStr), escape(expectedText));
> ++}
> ++
> ++function run_test()
> ++{
> ++  for (var i = 0; i < test.length; ++i) {
> ++    for (var bufferLength = 32; bufferLength < 40; ++ bufferLength) {
> ++      testCase(test[i][0], test[i][1], bufferLength, "EUC-JP");
> ++    }
> ++  }
> ++}
> +diff --git a/mozilla/testing/crashtest/crashtests.list b/mozilla/testing/crashtest/crashtests.list
> +index 7ee2b9d..21d93c3 100644
> +--- a/mozilla/testing/crashtest/crashtests.list
> ++++ b/mozilla/testing/crashtest/crashtests.list
> +@@ -33,6 +33,7 @@ include ../../editor/composer/src/crashtests/crashtests.list
> + include ../../editor/txmgr/tests/crashtests/crashtests.list
> + 
> + include ../../intl/lwbrk/src/crashtests/crashtests.list
> ++include ../../intl/uconv/crashtests/crashtests.list
> + 
> + include ../../js/src/xpconnect/crashtests/crashtests.list
> + 
> diff --git a/debian/patches/security/squeeze1/Tests-for-bug-600974-a-test.patch b/debian/patches/security/squeeze1/Tests-for-bug-600974-a-test.patch
> new file mode 100644
> index 0000000..32b66f5
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Tests-for-bug-600974-a-test.patch
> @@ -0,0 +1,326 @@
> +From: Simon Montagu <smontagu@smontagu.org>
> +Date: Wed, 20 Oct 2010 09:11:15 -0700
> +Subject: Tests for bug 600974, a=test
> +
> +---
> + intl/uconv/tests/unit/test_bug317216.js |   79 +++++++++++++++++---------
> + layout/reftests/bugs/600974-1-ref.html  |    2 +-
> + layout/reftests/bugs/600974-1.html      |    2 +-
> + layout/reftests/bugs/600974-2.html      |   94 +++++++++++++++++++++++++++++++
> + layout/reftests/bugs/600974-3.html      |  Bin 0 -> 11314 bytes
> + layout/reftests/bugs/reftest.list       |    2 +
> + 6 files changed, 150 insertions(+), 29 deletions(-)
> + create mode 100644 layout/reftests/bugs/600974-2.html
> + create mode 100644 layout/reftests/bugs/600974-3.html
> +
> +diff --git a/mozilla/intl/uconv/tests/unit/test_bug317216.js b/mozilla/intl/uconv/tests/unit/test_bug317216.js
> +index bf57419..746c63e 100644
> +--- a/mozilla/intl/uconv/tests/unit/test_bug317216.js
> ++++ b/mozilla/intl/uconv/tests/unit/test_bug317216.js
> +@@ -11,53 +11,53 @@
> + 
> + const test = [
> + // 0: Valid surrogate pair
> +-              ["%00%2D%00%2D%D8%35%DC%20%00%2D%00%2D",
> ++              ["%D8%35%DC%20%00%2D%00%2D",
> + //    expected: surrogate pair
> +-               "--\uD835\uDC20--"],
> ++               "\uD835\uDC20--"],
> + // 1: Lone high surrogate
> +-              ["%00%2D%00%2D%D8%35%00%2D%00%2D",
> ++              ["%D8%35%00%2D%00%2D",
> + //    expected: one replacement char
> +-               "--\uFFFD--"],
> ++               "\uFFFD--"],
> + // 2: Lone low surrogate
> +-              ["%00%2D%00%2D%DC%20%00%2D%00%2D",
> ++              ["%DC%20%00%2D%00%2D",
> + //    expected: one replacement char
> +-               "--\uFFFD--"],
> ++               "\uFFFD--"],
> + // 3: Two high surrogates
> +-              ["%00%2D%00%2D%D8%35%D8%35%00%2D%00%2D",
> ++              ["%D8%35%D8%35%00%2D%00%2D",
> + //    expected: two replacement chars
> +-               "--\uFFFD\uFFFD--"],
> ++               "\uFFFD\uFFFD--"],
> + // 4: Two low surrogates
> +-              ["%00%2D%00%2D%DC%20%DC%20%00%2D%00%2D",
> ++              ["%DC%20%DC%20%00%2D%00%2D",
> + //    expected: two replacement chars
> +-              "--\uFFFD\uFFFD--"],
> ++	       "\uFFFD\uFFFD--"],
> + // 5: Low surrogate followed by high surrogate
> +-              ["%00%2D%00%2D%DC%20%D8%35%00%2D%00%2D",
> ++              ["%DC%20%D8%35%00%2D%00%2D",
> + //    expected: two replacement chars
> +-               "--\uFFFD\uFFFD--"],
> ++               "\uFFFD\uFFFD--"],
> + // 6: Lone high surrogate followed by valid surrogate pair
> +-              ["%00%2D%00%2D%D8%35%D8%35%DC%20%00%2D%00%2D",
> ++              ["%D8%35%D8%35%DC%20%00%2D%00%2D",
> + //    expected: replacement char followed by surrogate pair
> +-               "--\uFFFD\uD835\uDC20--"],
> ++               "\uFFFD\uD835\uDC20--"],
> + // 7: Lone low surrogate followed by valid surrogate pair
> +-              ["%00%2D%00%2D%DC%20%D8%35%DC%20%00%2D%00%2D",
> ++              ["%DC%20%D8%35%DC%20%00%2D%00%2D",
> + //    expected: replacement char followed by surrogate pair
> +-               "--\uFFFD\uD835\uDC20--"],
> ++               "\uFFFD\uD835\uDC20--"],
> + // 8: Valid surrogate pair followed by lone high surrogate
> +-              ["%00%2D%00%2D%D8%35%DC%20%D8%35%00%2D%00%2D",
> ++              ["%D8%35%DC%20%D8%35%00%2D%00%2D",
> + //    expected: surrogate pair followed by replacement char
> +-               "--\uD835\uDC20\uFFFD--"],
> ++               "\uD835\uDC20\uFFFD--"],
> + // 9: Valid surrogate pair followed by lone low surrogate
> +-              ["%00%2D%00%2D%D8%35%DC%20%DC%20%00%2D%00%2D",
> ++              ["%D8%35%DC%20%DC%20%00%2D%00%2D",
> + //    expected: surrogate pair followed by replacement char
> +-               "--\uD835\uDC20\uFFFD--"],
> ++               "\uD835\uDC20\uFFFD--"],
> + // 10: Lone high surrogate at the end of the input
> +-              ["%00%2D%00%2D%00%2D%00%2D%D8%35%",
> ++              ["%D8%35%",
> + //    expected: nothing
> +-               "----"],
> ++               ""],
> + // 11: Half code unit at the end of the input
> +-              ["%00%2D%00%2D%00%2D%00%2D%D8",
> ++              ["%D8",
> + //    expected: nothing
> +-              "----"]];
> ++              ""]];
> + 
> + const IOService = Components.Constructor("@mozilla.org/network/io-service;1",
> +                                          "nsIIOService");
> +@@ -95,15 +95,40 @@ function testCase(testText, expectedText, bufferLength, charset)
> +   do_check_eq(escape(outStr), escape(expectedText));
> + }
> + 
> ++// Add 32 dummy characters to the test text to work around the minimum buffer
> ++// size of an ns*Buffer
> ++const MINIMUM_BUFFER_SIZE=32;
> ++function padBytes(str)
> ++{
> ++  var padding = "";
> ++  for (var i = 0; i < MINIMUM_BUFFER_SIZE; ++i) {
> ++    padding += "%00%2D";
> ++  }
> ++  return padding + str;
> ++}
> ++
> ++function padUnichars(str)
> ++{
> ++  var padding = "";
> ++  for (var i = 0; i < MINIMUM_BUFFER_SIZE; ++i) {
> ++    padding += "-";
> ++  }
> ++  return padding + str;
> ++}
> ++
> + // Byte-swap %-encoded utf-16
> + function flip(str) { return str.replace(/(%..)(%..)/g, "$2$1"); }
> + 
> + function run_test()
> + {
> +   for (var i = 0; i < 12; ++i) {
> +-    for (var bufferLength = 4; bufferLength < 8; ++ bufferLength) {
> +-      testCase(test[i][0], test[i][1], bufferLength, "UTF-16BE");
> +-      testCase(flip(test[i][0]), test[i][1], bufferLength, "UTF-16LE");
> ++    for (var bufferLength = MINIMUM_BUFFER_SIZE;
> ++	 bufferLength < MINIMUM_BUFFER_SIZE + 4;
> ++	 ++ bufferLength) {
> ++      var testText = padBytes(test[i][0]);
> ++      var expectedText = padUnichars(test[i][1]);
> ++      testCase(testText, expectedText, bufferLength, "UTF-16BE");
> ++      testCase(flip(testText), expectedText, bufferLength, "UTF-16LE");
> +     }
> +   }
> + }
> +diff --git a/mozilla/layout/reftests/bugs/600974-1-ref.html b/mozilla/layout/reftests/bugs/600974-1-ref.html
> +index 9bf883b..71b6ce9 100644
> +--- a/mozilla/layout/reftests/bugs/600974-1-ref.html
> ++++ b/mozilla/layout/reftests/bugs/600974-1-ref.html
> +@@ -1,5 +1,5 @@
> + <!DOCTYPE HTML>
> +-<html>
> ++<html lang="en" style="font-family: serif; font-size: 16px">
> + <head>
> +   <meta http-equiv="Content-Type"
> +  content="text/html; charset=ISO-8859-1">
> +diff --git a/mozilla/layout/reftests/bugs/600974-1.html b/mozilla/layout/reftests/bugs/600974-1.html
> +index 13de69f..9cbfee1 100644
> +--- a/mozilla/layout/reftests/bugs/600974-1.html
> ++++ b/mozilla/layout/reftests/bugs/600974-1.html
> +@@ -1,7 +1,7 @@
> + <!DOCTYPE html>
> + <!-- This is a test for decoding supplementary characters. It contains text in
> +      Unicode plane 1 encoded as UTF-8. Don't reencode it in any way. -->
> +-<html>
> ++<html lang="en" style="font-family: serif; font-size: 16px">
> + <head>
> +  <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
> + </head>
> +diff --git a/mozilla/layout/reftests/bugs/600974-2.html b/mozilla/layout/reftests/bugs/600974-2.html
> +new file mode 100644
> +index 0000000..5c14bde
> +--- /dev/null
> ++++ b/mozilla/layout/reftests/bugs/600974-2.html
> +@@ -0,0 +1,94 @@
> ++<!DOCTYPE HTML>
> ++<!-- This is a test for decoding supplementary characters. It contains text in
> ++     Unicode plane 1 encoded as GB18030. Don't reencode it in any way. -->
> ++<html lang="en" style="font-family: serif; font-size: 16px">
> ++<head>
> ++  <meta http-equiv="Content-Type" content="text/html; charset=gb18030">
> ++  <title></title>
> ++</head>
> ++<body>
> ++<p>?3?7?3?6?3?9?3?6?3?4 ?3?0?3?7?3?0?3?2?3?4 ?3?5?3?6?3?3?3?6?3?9 ?3?0?3?0?3?1 ?3?2?3?4?3?6?3?1,
> ++?3?4?3?6?3?5?3?0?3?6?3?4?3?1?3?6?3?1?3?2?3?9 ?3?2?3?5?3?0?3?7?3?0?3?0?3?4?3?0?3?5?3?8 ?3?6?3?3?3?0?3?1. ?3?6?3?3?3?0?3?8?3?2?3?2?3?4
> ++?3?3?3?6?3?3 ?3?2?3?9?3?4?3?2 ?3?5?3?0?3?3?3?9, ?3?3?3?6?3?3 ?3?5?3?0?3?4?3?1?3?2?3?4 ?3?1?3?6?3?9?3?1?3?6?3?9. ?3?8?3?9?3?2?3?0
> ++?3?0?3?2?3?4?3?2?3?3?3?0?3?0 ?3?6?3?3?3?0?3?1 ?3?6?3?8?3?6?3?1 ?3?5?3?2?3?5?3?4 ?3?0?3?6?3?3?3?3?3?0?3?4?3?0?3?1?3?2?3?5?3?0?3?5 ?3?6?3?1
> ++?3?4?3?6?3?4?3?4?3?6?3?5?3?6 ?3?3?3?6?3?3?3?0?3?1 ?3?2?3?3?3?0?3?8?3?2?3?2?3?4. ?3?2?3?2?3?0?3?0?3?8?3?2?3?6 ?3?3?3?6?3?3
> ++?3?3?3?0?3?3?3?6?3?5?3?5?3?2?3?4 ?3?4?3?2?3?2?3?9?3?0?3?0. ?3?9?3?2?3?3?3?3?3?2?3?4 ?3?5?3?6?3?4 ?3?7?3?6?3?3?3?0?3?0 ?3?5?3?0?3?2?3?4,
> ++?3?3?3?6?3?3 ?3?3?3?2?3?3?3?7?3?2?3?1?3?2?3?1?3?6 ?3?7?3?2?3?9?3?2?3?0. ?3?8?3?9?3?2?3?0 ?3?7?3?9?3?2?3?9?3?6?3?1?3?9?3?2,
> ++?3?3?3?6?3?3?3?0?3?1 ?3?3?3?0?3?1?3?2?3?6 ?3?7?3?2?3?3?3?3?3?0?3?5?3?2?3?9 ?3?4?3?2?3?9?3?0?3?2?3?0, ?3?5?3?0?3?0?3?3
> ++?3?7?3?2?3?9?3?2?3?0 ?3?7?3?6?3?9?3?1?3?1?3?0?3?1?3?6?3?9 ?3?8?3?2?3?2?3?4, ?3?5?3?6?3?5 ?3?2?3?5?3?0?3?7?3?0?3?0?3?4?3?0?3?5?3?8
> ++?3?6?3?9?3?6?3?0 ?3?4?3?2?3?2?3?9?3?0?3?0 ?3?6?3?2 ?3?7?3?6?3?3?3?0?3?0. ?3?9?3?2?3?3?3?3?3?2?3?4 ?3?3?3?2?3?4?3?1?3?2?3?0
> ++?3?5?3?0?3?0?3?0 ?3?0?3?0?3?1 ?3?2?3?4?3?6?3?1 ?3?5?3?0?3?0?3?3 ?3?0?3?6?3?5?3?2?3?3?3?6?3?0 ?3?0?3?5?3?1?3?6?3?9?3?5?3?2?3?4.
> ++?3?1?3?6?3?3?3?3?3?6?3?5?3?1?3?6?3?0?3?8?3?2?3?6 ?3?3?3?2?3?3?3?7?3?2?3?1?3?2?3?1?3?6 ?3?2?3?3?3?0?3?8?3?2?3?2?3?4 ?3?3?3?6?3?6, ?3?0?3?5
> ++?3?9?3?9?3?6?3?5?3?4?3?2?3?0 ?3?0?3?6?3?4 ?3?4?3?6?3?4?3?4?3?6?3?5?3?6 ?3?0?3?5. ?3?4?3?6?3?5 ?3?3?3?2?3?6?3?9?3?6?3?6?3?1
> ++?3?0?3?5?3?1?3?6?3?9?3?5?3?2?3?4 ?3?4?3?6?3?5?3?5?3?0?3?4?3?6?3?5?3?1?3?2?3?4. ?3?9?3?2?3?3?3?3?3?2?3?4 ?3?6?3?9?3?5?3?2?3?9?3?6
> ++?3?3?3?6?3?0?3?1?3?0?3?3?3?2?3?3?3?2?3?4 ?3?7?3?6?3?9?3?1?3?2. ?3?6?3?6?3?5?3?6?3?2?3?5 ?3?0?3?5 ?3?5?3?6?3?3?3?6?3?9
> ++?3?5?3?6?3?3?3?6?3?9, ?3?5?3?6?3?4 ?3?6?3?3?3?6?3?0?3?7?3?6?3?5?3?5 ?3?5?3?6?3?8?3?2?3?6. ?3?9?3?6?3?5?3?6?3?4
> ++?3?1?3?0?3?5?3?4?3?0?3?5?3?2?3?5?3?1 ?3?4?3?6?3?4?3?4?3?6?3?5?3?6 ?3?5?3?0?3?0?3?3, ?3?5?3?6?3?5
> ++?3?0?3?4?3?6?3?3?3?6?3?9?3?0?3?0?3?8?3?2?3?6 ?3?5?3?6?3?3?3?6?3?9 ?3?2?3?4?3?4?3?2?3?4?3?0?3?2?3?5 ?3?0?3?5.
> ++?3?1?3?9?3?2?3?6?3?0?3?6?3?5?3?1 ?3?3?3?0?3?3?3?6?3?5?3?5?3?2?3?4 ?3?3?3?0?3?3?3?6?3?9?3?9?3?2 ?3?0?3?2?3?0?3?4?3?0?3?7?3?0?3?1.
> ++?3?9?3?2?3?5?3?4 ?3?4?3?6?3?5?3?5?3?0?3?4?3?6?3?5?3?1?3?2?3?4, ?3?2?3?5?3?1?3?6 ?3?3?3?0?3?1?3?2?3?6
> ++?3?4?3?6?3?5?3?5?3?0?3?4?3?6?3?5?3?1?3?2?3?4 ?3?9?3?9?3?6?3?5?3?4?3?2?3?0, ?3?5?3?2?3?5?3?4 ?3?5?3?0?3?3?3?9
> ++?3?7?3?2?3?3?3?3?3?0?3?5?3?2?3?9 ?3?1?3?2?3?9?3?7?3?0?3?0, ?3?0?3?5 ?3?3?3?6?3?3?3?6?3?9?3?1?3?0?3?0 ?3?3?3?2?3?4?3?2?3?0 ?3?3?3?6?3?6
> ++?3?2?3?1 ?3?9?3?0?3?0?3?2?3?0. ?3?4?3?6?3?5 ?3?0?3?5 ?3?6?3?5?3?0?3?4 ?3?1?3?6?3?9?3?1?3?6?3?9, ?3?3?3?0?3?1?3?2?3?6
> ++?3?2?3?4?3?4?3?2?3?4?3?0?3?2?3?5 ?3?9?3?0?3?0?3?2?3?0. ?3?6?3?3?3?0?3?8?3?2?3?2?3?4 ?3?4?3?0 ?3?6?3?9?3?2?3?1,
> ++?3?4?3?6?3?4?3?4?3?6?3?5?3?6 ?3?5?3?6?3?4 ?3?3?3?6?3?3?3?6?3?9?3?1?3?0?3?0 ?3?5?3?6?3?5, ?3?5?3?0?3?8?3?5?3?0?3?0?3?0?3?0?3?4
> ++?3?6?3?8?3?6?3?1 ?3?6?3?9?3?6?3?0. ?3?1?3?2?3?0?3?4?3?6 ?3?3?3?2?3?4?3?2?3?0 ?3?4?3?2?3?0?3?0?3?2,
> ++?3?4?3?6?3?5?3?0?3?6?3?4?3?1?3?6?3?1?3?2?3?9 ?3?3?3?0?3?1?3?2?3?6 ?3?7?3?9?3?2?3?9?3?6?3?1?3?9?3?2 ?3?0?3?6?3?5,
> ++?3?3?3?0?3?3?3?6?3?9?3?9?3?2 ?3?0?3?5 ?3?8?3?2?3?2?3?4.
> ++?3?8?3?2?3?9?3?2?3?3?3?0?3?1?3?2?3?9 ?3?5?3?6?3?4 ?3?2?3?9?3?4?3?2 ?3?8?3?2?3?2?3?4, ?3?0?3?0?3?1 ?3?2?3?4?3?6?3?1
> ++?3?1?3?0?3?5?3?4?3?0?3?5?3?2?3?5?3?1 ?3?3?3?2?3?4?3?2?3?0. ?3?4?3?6?3?5 ?3?4?3?6?3?3?3?6?3?0?3?1?3?0?3?6
> ++?3?5?3?0?3?8?3?5?3?0?3?0?3?0?3?0?3?4 ?3?5?3?0?3?0?3?3, ?3?2?3?1 ?3?7?3?6?3?9?3?4?3?6?3?5?3?1?3?2?3?4 ?3?4?3?2?3?2?3?9?3?0?3?0
> ++?3?6?3?8?3?6?3?0?3?1?3?2?3?0 ?3?5?3?6?3?4. ?3?4?3?6?3?5 ?3?4?3?0 ?3?8?3?2?3?2?3?4, ?3?2?3?3?3?1?3?9?3?0?3?4?3?0?3?6?3?0 ?3?2?3?1
> ++?3?1?3?0?3?5?3?4?3?0?3?5?3?2?3?5?3?1 ?3?3?3?6?3?3, ?3?3?3?0?3?3?3?6?3?5?3?5?3?2?3?4 ?3?2?3?4 ?3?4?3?2?3?0?3?0?3?2.
> ++?3?7?3?6?3?0?3?1?3?0?3?3?3?2?3?3?3?2?3?4 ?3?3?3?6?3?3 ?3?9?3?0?3?0?3?2?3?0 ?3?7?3?6?3?9?3?1?3?2 ?3?4?3?2?3?2?3?9?3?0?3?0
> ++?3?1?3?6?3?4?3?7?3?6?3?9 ?3?3?3?3?3?2?3?5?3?5?3?0?3?1 ?3?6?3?2 ?3?3?3?6?3?3 ?3?5?3?0?3?2?3?4. ?3?2?3?2?3?0?3?0?3?8?3?2?3?6
> ++?3?6?3?9?3?6?3?0 ?3?3?3?0?3?3?3?6?3?9?3?6, ?3?1?3?6?3?4?3?7?3?6?3?9 ?3?2?3?1 ?3?6?3?8?3?6?3?0?3?1?3?2?3?0 ?3?5?3?6?3?4,
> ++?3?2?3?3?3?0?3?8?3?2?3?6?3?1 ?3?6?3?8?3?6?3?1 ?3?6?3?3?3?0?3?1. ?3?9?3?6?3?5?3?6?3?4 ?3?3?3?3?3?2?3?5?3?5?3?0?3?1 ?3?6?3?5?3?0?3?6
> ++?3?2?3?1 ?3?5?3?0?3?3?3?9 ?3?3?3?2?3?9?3?0?3?2?3?0 ?3?1?3?9?3?0?3?0?3?1?3?0?3?8?3?2?3?6. ?3?4?3?6?3?5 ?3?9?3?9?3?6?3?5?3?4?3?2?3?0
> ++?3?7?3?6?3?9?3?1?3?2 ?3?6?3?9?3?4?3?0, ?3?7?3?3?3?2?3?4?3?6?3?9?3?2?3?1 ?3?4?3?6?3?5?3?5?3?0?3?4?3?6?3?5?3?1?3?2?3?4 ?3?6?3?9?3?4?3?0
> ++?3?0?3?4?3?7?3?6?3?9?3?5?3?0?3?6?3?1 ?3?3?3?0?3?1?3?2?3?6. ?3?0?3?1?3?0?3?2?3?4 ?3?6?3?2 ?3?7?3?9?3?2?3?9?3?6?3?1?3?9?3?2
> ++?3?6?3?9?3?6?3?0. ?3?4?3?5 ?3?3?3?6?3?5?3?6?3?5?3?2?3?1?3?0?3?0 ?3?7?3?6?3?3?3?3?3?6?3?5?3?1?3?6?3?0?3?8?3?2?3?6 ?3?3?3?0?3?3?3?6?3?9?3?6
> ++?3?0?3?6?3?5 ?3?6?3?8?3?6?3?0?3?1?3?2?3?0. ?3?9?3?2?3?0?3?0 ?3?1?3?0?3?5?3?4?3?0?3?5?3?2?3?5?3?1 ?3?4?3?6?3?3?3?6?3?0?3?1?3?0?3?6
> ++?3?9?3?0?3?0?3?2?3?0 ?3?0?3?5 ?3?9?3?2?3?1?3?9?3?2?3?4. ?3?9?3?2?3?3?3?3?3?2 ?3?7?3?2?3?4?3?0?3?3?3?0?3?0?3?0. ?3?9?3?2?3?0?3?0
> ++?3?3?3?6?3?3 ?3?7?3?2?3?9?3?2?3?0 ?3?2?3?4 ?3?3?3?0?3?3?3?6?3?9?3?6 ?3?9?3?2?3?1?3?9?3?2?3?4 ?3?2?3?3?3?1?3?9?3?0?3?4?3?6?3?0
> ++?3?0?3?6?3?5 ?3?3?3?6?3?3 ?3?2?3?2?3?8?3?2?3?6. ?3?9?3?6?3?5?3?6?3?4 ?3?6?3?8?3?6?3?1 ?3?5?3?0?3?2?3?4 ?3?6?3?1
> ++?3?3?3?0?3?3?3?6?3?9?3?6 ?3?7?3?6?3?3?3?3?3?6?3?5?3?1?3?6?3?0?3?8?3?2?3?6 ?3?3?3?6?3?5?3?6?3?5?3?2?3?1?3?0?3?0 ?3?5?3?6?3?5 ?3?6?3?1
> ++?3?7?3?2?3?9?3?2?3?0. ?3?6?3?1 ?3?6?3?2 ?3?3?3?6?3?4?3?1?3?2?3?0 ?3?7?3?2?3?9?3?2?3?0, ?3?6?3?8?3?6?3?1 ?3?8?3?9?3?2?3?3?3?0?3?5?3?2
> ++?3?6?3?9?3?2?3?1. ?3?4?3?6?3?5 ?3?5?3?6?3?4 ?3?7?3?6?3?3?3?0?3?0 ?3?3?3?0?3?8?3?2?3?3?3?2, ?3?6?3?8?3?6?3?1 ?3?3?3?2?3?4?3?1?3?2?3?0
> ++?3?6?3?9?3?2?3?1. ?3?8?3?2?3?2?3?9?3?0?3?0 ?3?0?3?2?3?7?3?0?3?6?3?5 ?3?6?3?0?3?1, ?3?4?3?2?3?1?3?1?3?0?3?0 ?3?2?3?1
> ++?3?7?3?2?3?2?3?4?3?0?3?3?3?2?3?0 ?3?6?3?1, ?3?7?3?2?3?2?3?4?3?0?3?3?3?2?3?0 ?3?5?3?6?3?4 ?3?5?3?2?3?5?3?4. ?3?9?3?2?3?5?3?4
> ++?3?1?3?6?3?4?3?7?3?2?3?0 ?3?0?3?2?3?4?3?2?3?3?3?0?3?0 ?3?2?3?9?3?5?3?2 ?3?3?3?0?3?1?3?2?3?6 ?3?5?3?0?3?8?3?5?3?0?3?0?3?0?3?0?3?4.
> ++?3?4?3?5 ?3?5?3?2?3?5?3?4 ?3?5?3?0?3?0?3?0, ?3?2?3?3?3?3?3?2?3?4?3?4?3?6?3?9?3?7?3?6?3?9 ?3?3?3?6?3?3 ?3?7?3?9?3?2?3?9?3?6?3?1?3?9?3?2
> ++?3?3?3?6?3?3?3?2?3?1?3?7?3?2?3?1, ?3?0?3?4?3?7?3?6?3?9?3?5?3?0?3?6?3?1 ?3?2 ?3?5?3?0?3?2?3?4.
> ++?3?1?3?6?3?3?3?3?3?6?3?5?3?1?3?6?3?0?3?8?3?2?3?6 ?3?3?3?6?3?3 ?3?3?3?0?3?8?3?2?3?3?3?2 ?3?6?3?8?3?6?3?1 ?3?3?3?6?3?6
> ++?3?2?3?2?3?4?3?1?3?6?3?9 ?3?9?3?9?3?6?3?5?3?4?3?2?3?0 ?3?4?3?6?3?5?3?3?3?2?3?3?3?3?3?0?3?0 ?3?2 ?3?1?3?6?3?9?3?1?3?6?3?9.
> ++?3?0?3?1?3?0?3?2?3?4 ?3?2?3?1 ?3?3?3?6?3?4?3?1?3?2?3?0 ?3?3?3?0?3?1?3?2?3?6 ?3?2?3?5?3?1?3?6 ?3?1?3?6?3?4?3?7?3?2?3?0
> ++?3?2?3?3?3?1?3?9?3?0?3?4?3?0?3?6?3?0 ?3?2?3?1 ?3?3?3?0?3?1?3?2?3?6 ?3?6?3?3?3?0?3?1. ?3?9?3?2?3?4 ?3?0?3?5 ?3?1?3?2?3?9?3?7?3?0?3?0
> ++?3?0?3?7?3?0?3?2?3?4, ?3?2?3?1 ?3?4?3?2?3?1?3?1?3?0?3?0 ?3?1?3?6?3?9?3?1?3?6?3?9. ?3?9?3?2?3?3?3?3?3?2 ?3?6?3?1
> ++?3?7?3?6?3?3?3?3?3?6?3?5?3?1?3?6?3?0?3?8?3?2?3?6 ?3?5?3?6?3?8?3?2?3?6. ?3?9?3?6?3?5?3?6?3?4 ?3?3?3?2?3?4?3?0?3?5?3?0?3?2,
> ++?3?1?3?2?3?9?3?7?3?0?3?0 ?3?2?3?1 ?3?5?3?0?3?4?3?1?3?2?3?4 ?3?0?3?6?3?5?3?2?3?3?3?6?3?0, ?3?5?3?2?3?0 ?3?5?3?0?3?0?3?0
> ++?3?7?3?2?3?4?3?0?3?3?3?0?3?0?3?0?3?0 ?3?9?3?0?3?0?3?2?3?0, ?3?0?3?6?3?5 ?3?3?3?3?3?2?3?5?3?5?3?0?3?1 ?3?4?3?0 ?3?6?3?3?3?0?3?1 ?3?2?3?1
> ++?3?5?3?0?3?3?3?9. ?3?6?3?3?3?0?3?8?3?2?3?2?3?4 ?3?6?3?9?3?2?3?1 ?3?3?3?6?3?3?3?2?3?1?3?7?3?2?3?1.
> ++?3?1?3?6?3?3?3?3?3?6?3?5?3?1?3?6?3?0?3?8?3?2?3?6 ?3?5?3?6?3?4 ?3?6?3?3?3?0?3?1 ?3?0?3?5 ?3?1?3?2?3?0?3?1?3?6
> ++?3?0?3?5?3?1?3?6?3?9?3?5?3?2?3?4 ?3?6?3?9?3?5?3?2?3?9?3?6 ?3?2 ?3?0?3?5 ?3?5?3?0?3?2?3?4. ?3?8?3?6?3?9?3?3?3?0 ?3?2?3?1
> ++?3?7?3?9?3?0?3?5?3?8?3?0?3?3?3?3?3?2 ?3?3?3?6?3?4?3?1?3?2?3?0. ?3?9?3?6?3?5?3?6?3?4 ?3?4?3?6?3?5?3?3?3?2?3?3?3?3?3?0?3?0
> ++?3?6?3?3?3?6?3?0?3?7?3?6?3?5?3?5 ?3?7?3?6?3?3?3?0?3?0, ?3?0?3?5 ?3?0?3?2?3?8?3?0?3?1?3?1?3?0?3?0 ?3?2?3?9?3?5?3?2
> ++?3?4?3?2?3?1?3?1?3?0?3?0 ?3?5?3?6?3?4. ?3?6?3?1 ?3?4?3?6?3?5?3?0?3?6?3?8?3?2?3?2?3?1 ?3?1?3?2?3?9?3?7?3?0?3?0 ?3?3?3?6?3?3
> ++?3?8?3?2?3?2?3?4 ?3?1?3?6?3?4?3?7?3?6?3?9 ?3?6?3?8?3?6?3?1 ?3?2?3?3?3?1?3?9?3?0?3?4?3?6?3?0 ?3?5?3?6?3?8?3?2?3?6
> ++?3?4?3?6?3?3?3?6?3?0?3?1?3?0?3?6. ?3?4?3?2?3?0?3?7?3?6?3?5?3?5?3?0?3?0?3?0?3?6 ?3?1?3?6?3?3?3?3?3?2?3?0 ?3?5?3?0?3?0?3?0,
> ++?3?9?3?6?3?5?3?5?3?9?3?6?3?9?3?0?3?1 ?3?3?3?0?3?1?3?2?3?6 ?3?7?3?6?3?0?3?2?3?6?3?9?3?6 ?3?6?3?8?3?6?3?1, ?3?7?3?3?3?2?3?4?3?6?3?9?3?2?3?1
> ++?3?0?3?6?3?5 ?3?4?3?6?3?1?3?2?3?0. ?3?4?3?5?3?1?3?6?3?8?3?6?3?9 ?3?7?3?3?3?2?3?4?3?6?3?9?3?2?3?1 ?3?0?3?4?3?7?3?6?3?9?3?5?3?0?3?6?3?1
> ++?3?7?3?3?3?2?3?4?3?6?3?9?3?2?3?1. ?3?8?3?6?3?9?3?3?3?0 ?3?1?3?6?3?4?3?7?3?2?3?0 ?3?5?3?2?3?5?3?4 ?3?5?3?2?3?5?3?4.
> ++?3?4?3?5?3?1?3?6?3?8?3?6?3?9 ?3?8?3?2?3?0?3?0 ?3?6?3?9?3?4?3?0 ?3?7?3?6?3?3?3?0?3?0. ?3?9?3?2?3?5?3?4 ?3?0?3?6?3?4?3?7?3?6?3?9,
> ++?3?2?3?9?3?4?3?2 ?3?5?3?6?3?5 ?3?4?3?6?3?5?3?0?3?6?3?8?3?2?3?2?3?1 ?3?5?3?0?3?8?3?5?3?0?3?0?3?0?3?0?3?4, ?3?3?3?6?3?9?3?6?3?4
> ++?3?2?3?9?3?5?3?2 ?3?7?3?9?3?2?3?9?3?6?3?1?3?9?3?2 ?3?4?3?0, ?3?5?3?6?3?4 ?3?2?3?4?3?4?3?2?3?4?3?0?3?2?3?5 ?3?6?3?5?3?0?3?4 ?3?4?3?0
> ++?3?2 ?3?7?3?2?3?9?3?2?3?0. ?3?8?3?2?3?9?3?2?3?3?3?0?3?1?3?2?3?9 ?3?6?3?1 ?3?6?3?3?3?0?3?1 ?3?0?3?5 ?3?0?3?6?3?4
> ++?3?0?3?6?3?5?3?2?3?3?3?6?3?0 ?3?0?3?5?3?1?3?6?3?9?3?5?3?2?3?4. ?3?1?3?6?3?3?3?3?3?6?3?5?3?1?3?6?3?0?3?8?3?2?3?6
> ++?3?0?3?2?3?8?3?0?3?1?3?1?3?0?3?0 ?3?9?3?2?3?1?3?9?3?2?3?4 ?3?3?3?6?3?4?3?1?3?2?3?0 ?3?4?3?6?3?4?3?4?3?6?3?5?3?6
> ++?3?4?3?6?3?5?3?5?3?0?3?4?3?6?3?5?3?1?3?2?3?4. ?3?0?3?1?3?0?3?2?3?4 ?3?7?3?9?3?0?3?5?3?8?3?0?3?3?3?3?3?2, ?3?8?3?2?3?2?3?4 ?3?5?3?6?3?4
> ++?3?2?3?3?3?3?3?2?3?4?3?4?3?6?3?9?3?7?3?6?3?9 ?3?0?3?6?3?3?3?3?3?0?3?4?3?0?3?1?3?2?3?5?3?0?3?5, ?3?1?3?2?3?9?3?7?3?0?3?0 ?3?5?3?0?3?0?3?0
> ++?3?2?3?3?3?0?3?8?3?2?3?6?3?1 ?3?9?3?0?3?0?3?2?3?0, ?3?0?3?0?3?1 ?3?2?3?4?3?6?3?1 ?3?6?3?3?3?6?3?4?3?6?3?5?3?1?3?2?3?4
> ++?3?5?3?6?3?3?3?6?3?9 ?3?3?3?6?3?9?3?6?3?4 ?3?3?3?0?3?1?3?2?3?6 ?3?3?3?0?3?8?3?2?3?3?3?2. ?3?1?3?9?3?2?3?6?3?0?3?6?3?5?3?1
> ++?3?7?3?9?3?2?3?9?3?6?3?1?3?9?3?2 ?3?2?3?3?3?0?3?8?3?2?3?6?3?1 ?3?3?3?6?3?3?3?0?3?1 ?3?0?3?6?3?5 ?3?7?3?3?3?2?3?4?3?6?3?9?3?2?3?1. </p>
> ++</body>
> ++</html>
> +diff --git a/mozilla/layout/reftests/bugs/600974-3.html b/mozilla/layout/reftests/bugs/600974-3.html
> +new file mode 100644
> +index 0000000000000000000000000000000000000000..136cee96bafd67c369f2f83530db2209844fda14
> +GIT binary patch
> +literal 11314
> +zc-o~J$#UF8w9ow&!WS+|QaO-A;^dM*K@}7n%z>kcoy1in7|#T3ND7Jy7kNf;L}`|c
> +zr1>pQd<yW?>gBy&HKtthNUiSIZ{J$~{LA*)2ka61l09Sx>>KtK`<P|yQ@H<vea;>*
> +zF5cgOzYNBnu@g3dyW#&KTvK)o_fxog!oFu`@OuO!kKz6ZX1!ofVPwKyvQzl`4&FS6
> +z>jlg|gt-^+?lHjZ?+@Xwhjj+CZ^HOz0%i|qnBBvg$o<a6yMBbjuloBMo=@b?$MD?m
> +zcL-zs{cX7Vebw6|f&E0RI$)mwb+_3avF{_X<A-90Gnk22^?RzFGXcA&;3v4d5Nmrb
> +z4IFz0^Pa>0nZ)5KyU+FntUbYxDXi$Z(T_fnG~R%_Ls)eJZ!XwfF|X&x35?&9{2k^^
> +zVC-jjcUMq$2Pi!UIBMr(fN~_BdampXj!%WGdaR}}`v#2s05UmYKMD*UO323&{sHWN
> +z3Qv1T0>it0wvxatP31i#$BEeOKH=*g!e%OX*wg+1o^Fw6E=Di~`|Ml6`wRJW${zgn
> +z(cizowSsE{R|(gGW$?d(YYkTeSEonka&E2Gh|xyQZ^cv5&z7)SmNO2&GdX`LXP0uU
> +zRrBO78x3KOaH!;}nY{0zT#1>b#AVq1rWiX#WA7zgfs?>wt5)fqHWG3tMwW8rC0y?S
> +z`^;IRFq<K~2kx|pllop_btcFA9UFm3C7)&zhQhh=P^Lz%G+!02o&23?NhtZ$2+s=P
> +zs_<WGs4bDvLS8E+Z^{El)_z_ORR1Q&lmykB(&8(Z99Nt#B~^36--U$UNnQ@z8g_b(
> +zxL9i}6qicPp|=(t4Uy@vD)(s07QtW3`&O=KHAQQLU5Buv(pNLzAq`YkAZFPZ5T0+5
> +zJPT*%8qHWL_+rKk;nryUa-#K(mWE4-+68NPi*PaifNFx-VWqWhoP~2q|3<EDB3hty
> +zxeG`+r6sj|gROe7Q_Pzx>F-=_V!NCpn<+KkisBa0Yc&6+z~Wa#QH?A_t?^q|T4Tc&
> +zoS~goQi}boxxi;5^;dcI8PSu5#FDsY8DI|b`CYD?>)i`0IvIZz=UQe(9i?pxi+3IJ
> +zR$=W>7%Z{H5*uxhHC!S%1{>RU3KXwO<fjU4C6(rc8+W;PH1~MC63MYbwz1UE)qJBr
> +z17;J%zX2XcR4$Rd&QT<4N64I7i0vUb@&*|DO)!%9^AZ(Zm2NKNTARbh!jz9Lkq#T0
> +z(h*8|-Yvp-@aP%#x`=aYl)Z4IgC?er*Wz4Ly(Bj7Mhw0a+$?JEc_0^|nG_!tqgv$G
> +zbzDHcXQ}<dN<zjKWg<as<yMX5&A9T1nzo8WMV~jKIg_F;migro?x%G#gw<)(V=r`+
> +zDv>_hd3e|=jo(Of*;s5&vZyP|!W+#i?#*Lqj320cY1v8{k*mrG)LzB4s*Z4870%Oe
> +ztec~(E$jn~7TNhSmw94`<aTN0?i-Js+#1H0f5mc^@m}5Kzt2(@$Q#?SvDA?(t|_4?
> +zQD|J=BL0T`mOopx^{_#5Z!8{%D6E3KRz9vpdn%rqtgqXV_og1nM@FMU>xgS1gTDPS
> +zI(wnjkn5ZL8BSaR$_^KJt){I;v25;C!d;{?A6J3;tBcy=>IP-MVSGDpl^)ZoTt@-h
> +zmzR->-`DSOv$Qk^S7>CVF=;(<TXDHS(lZioEnR4BTD;a1&LwzIi&n_XRZ<>n%OlZ<
> +zm+hS6&^<VszqV?Oib%zc90S!;#1RvrjrPW43lBuba~(mpR^_ln)m=rba<|ISZv&jf
> +zy11?z&Fly+<2+qDe)#=QMKr8K+>BOvI+_#+tD02(K6>09k-ukBkc`UZYZ%{HEGab(
> +zR3>hJvy)PaS9X4XGxuum5VgY8tgqFpNNY0fAsI|UUAH%$h*4X4AdOxWN*>_K74kD%
> +zq{Y-`3*@7z{~ObhtWk#4X-y4b6z*R6uz3~ips5OEjeMNpb|WhZ9MxM#N+z#)i}smW
> +z*+qk7m=g;O&!&8%6(_arCFxe+m`%M!xc}baj!&dMNN2J`re(Z#xKeIVY;*chD4K0>
> +zMDkdDI<9PyhgE)OjcUbgbnGj<nb-9@mWB$y1%&m#B)JT>29u}7yOuax*rM!=YDN(~
> +z>*2w;UpUyhKFF_QZb!$j)qKa=BfO(8&wNd&F?FoJXT!Z`h;|JZ_9C&fG=BuA@nAR2
> +z8{Yx7tKbURuj)JaIYRj!K1B?l6__qdr|VDZJ9sLS(U`ayRBm-M(p3cQHPKTl69s5J
> +zF{X#*=J9cVbzOhs?~@xEOg{N1>PEHN&!kTv{O1OlryJy}U0)#xmzviFiLV=cVumDc
> +z?85JDV)~u-gM8Gvf}7do7GG7qafQ548;Qd_>ND(~%^PnW*jTo1v@C45^rYI=*l=gS
> +zjaBiC-tUcgvMMrprqa{3)fd8<35_B(vaH6Nk#HF|F}#g+Dw8^$ULkK&5?i1=8dKZ5
> +zb<e`;>5^(0(RxMlrgR4(odxkEoR~F-^HYDGh%;WEr0=~`fzuwxn6q;FbxCRS19h_8
> +zFKJA*HqHXm*>q0MCd@ZW+?%tfyY~x}bGv=@_z8`B4z$owxJZ5vlJ4_|`hGNWG=vBL
> +z?@NPh=QzqodGT<6Bb*C|&#HDiy^QtZ(h)TGbon#qOnkR$ZMUzq@<eQMGr)LPIhOgw
> +zzG}ho-p^?sJc+Np-x&I1g}?4Ix*0yB=c6n>&K>_ZS2Wfny}kJI@>G9=Nx!-@UwXpx
> +Ef8nX`XaE2J
> +
> +literal 0
> +Hc-jL100001
> +
> +diff --git a/mozilla/layout/reftests/bugs/reftest.list b/mozilla/layout/reftests/bugs/reftest.list
> +index 87a8b4e..427a2d4 100644
> +--- a/mozilla/layout/reftests/bugs/reftest.list
> ++++ b/mozilla/layout/reftests/bugs/reftest.list
> +@@ -1054,4 +1054,6 @@ fails == 494667-2.html 494667-2-ref.html # needs bug 155955 (not on 1.9.1 branch
> + != 513318-2.xul 513318-2-ref.xul
> + != 513318-3.xul 513318-3-ref.xul
> + == 600974-1.html 600974-1-ref.html
> ++== 600974-2.html 600974-1-ref.html
> ++== 600974-3.html 600974-1-ref.html
> + == 603423-1.html 603423-1-ref.html
> diff --git a/debian/patches/security/squeeze1/Tests-for-bug-600974.patch b/debian/patches/security/squeeze1/Tests-for-bug-600974.patch
> new file mode 100644
> index 0000000..d5d9fa1
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/Tests-for-bug-600974.patch
> @@ -0,0 +1,142 @@
> +From: Simon Montagu <smontagu@smontagu.org>
> +Date: Thu, 14 Oct 2010 00:44:33 -0700
> +Subject: Tests for bug 600974
> +
> +---
> + layout/reftests/bugs/600974-1-ref.html |   93 ++++++++++++++++++++++++++++++++
> + layout/reftests/bugs/600974-1.html     |   15 +++++
> + layout/reftests/bugs/reftest.list      |    1 +
> + 3 files changed, 109 insertions(+), 0 deletions(-)
> + create mode 100644 layout/reftests/bugs/600974-1-ref.html
> + create mode 100644 layout/reftests/bugs/600974-1.html
> +
> +diff --git a/mozilla/layout/reftests/bugs/600974-1-ref.html b/mozilla/layout/reftests/bugs/600974-1-ref.html
> +new file mode 100644
> +index 0000000..9bf883b
> +--- /dev/null
> ++++ b/mozilla/layout/reftests/bugs/600974-1-ref.html
> +@@ -0,0 +1,93 @@
> ++<!DOCTYPE HTML>
> ++<html>
> ++<head>
> ++  <meta http-equiv="Content-Type"
> ++ content="text/html; charset=ISO-8859-1">
> ++  <title></title>
> ++</head>
> ++<body>
> ++<p>&#120443;&#120472;&#120475;&#120462;&#120470; &#120466;&#120473;&#120476;&#120478;&#120470; &#120461;&#120472;&#120469;&#120472;&#120475; &#120476;&#120466;&#120477; &#120458;&#120470;&#120462;&#120477;,
> ++&#120460;&#120472;&#120471;&#120476;&#120462;&#120460;&#120477;&#120462;&#120477;&#120478;&#120475; &#120458;&#120461;&#120466;&#120473;&#120466;&#120476;&#120460;&#120466;&#120471;&#120464; &#120462;&#120469;&#120466;&#120477;. &#120432;&#120469;&#120466;&#120474;&#120478;&#120458;&#120470;
> ++&#120479;&#120462;&#120469; &#120458;&#120475;&#120460;&#120478; &#120471;&#120466;&#120459;&#120465;, &#120479;&#120462;&#120469; &#120461;&#120466;&#120460;&#120477;&#120478;&#120470; &#120477;&#120472;&#120475;&#120477;&#120472;&#120475;. &#120434;&#120475;&#120458;&#120476;
> ++&#120466;&#120458;&#120460;&#120478;&#120469;&#120466;&#120476; &#120462;&#120469;&#120466;&#120477; &#120462;&#120464;&#120462;&#120477; &#120471;&#120478;&#120471;&#120460; &#120476;&#120472;&#120469;&#120469;&#120466;&#120460;&#120466;&#120477;&#120478;&#120461;&#120466;&#120471; &#120462;&#120477;
> ++&#120460;&#120472;&#120470;&#120470;&#120472;&#120461;&#120472; &#120479;&#120462;&#120469;&#120466;&#120477; &#120458;&#120469;&#120466;&#120474;&#120478;&#120458;&#120470;. &#120448;&#120478;&#120466;&#120476;&#120474;&#120478;&#120462; &#120479;&#120462;&#120469;
> ++&#120459;&#120466;&#120459;&#120462;&#120471;&#120461;&#120478;&#120470; &#120470;&#120458;&#120478;&#120475;&#120466;&#120476;. &#120445;&#120478;&#120469;&#120469;&#120458;&#120470; &#120471;&#120462;&#120460; &#120463;&#120462;&#120469;&#120466;&#120476; &#120461;&#120466;&#120458;&#120470;,
> ++&#120479;&#120462;&#120469; &#120479;&#120478;&#120469;&#120473;&#120478;&#120477;&#120458;&#120477;&#120462; &#120473;&#120478;&#120475;&#120478;&#120476;. &#120434;&#120475;&#120458;&#120476; &#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458;,
> ++&#120479;&#120462;&#120469;&#120466;&#120477; &#120479;&#120466;&#120477;&#120458;&#120462; &#120473;&#120478;&#120469;&#120479;&#120466;&#120471;&#120458;&#120475; &#120460;&#120478;&#120475;&#120476;&#120478;&#120476;, &#120471;&#120466;&#120476;&#120469;
> ++&#120473;&#120478;&#120475;&#120478;&#120476; &#120473;&#120472;&#120475;&#120477;&#120477;&#120466;&#120477;&#120472;&#120475; &#120474;&#120478;&#120458;&#120470;, &#120471;&#120472;&#120471; &#120458;&#120461;&#120466;&#120473;&#120466;&#120476;&#120460;&#120466;&#120471;&#120464;
> ++&#120462;&#120475;&#120472;&#120476; &#120470;&#120458;&#120478;&#120475;&#120466;&#120476; &#120462;&#120478; &#120463;&#120462;&#120469;&#120466;&#120476;. &#120445;&#120478;&#120469;&#120469;&#120458;&#120470; &#120469;&#120478;&#120460;&#120477;&#120478;&#120476;
> ++&#120471;&#120466;&#120476;&#120466; &#120476;&#120466;&#120477; &#120458;&#120470;&#120462;&#120477; &#120471;&#120466;&#120476;&#120469; &#120476;&#120472;&#120461;&#120458;&#120469;&#120462;&#120476; &#120466;&#120471;&#120477;&#120462;&#120475;&#120461;&#120478;&#120470;.
> ++&#120447;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120479;&#120478;&#120469;&#120473;&#120478;&#120477;&#120458;&#120477;&#120462; &#120458;&#120469;&#120466;&#120474;&#120478;&#120458;&#120470; &#120469;&#120462;&#120472;, &#120466;&#120461;
> ++&#120475;&#120465;&#120472;&#120471;&#120460;&#120478;&#120476; &#120476;&#120462;&#120470; &#120460;&#120472;&#120470;&#120470;&#120472;&#120461;&#120472; &#120466;&#120461;. &#120450;&#120462;&#120461; &#120469;&#120458;&#120472;&#120475;&#120462;&#120462;&#120477;
> ++&#120466;&#120471;&#120477;&#120462;&#120475;&#120461;&#120478;&#120470; &#120460;&#120472;&#120471;&#120461;&#120466;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470;. &#120445;&#120478;&#120469;&#120469;&#120458;&#120470; &#120472;&#120475;&#120471;&#120458;&#120475;&#120462;
> ++&#120479;&#120462;&#120476;&#120477;&#120466;&#120459;&#120478;&#120469;&#120478;&#120470; &#120473;&#120472;&#120475;&#120477;&#120458;. &#120432;&#120462;&#120471;&#120462;&#120458;&#120471; &#120466;&#120461; &#120461;&#120472;&#120469;&#120472;&#120475;
> ++&#120461;&#120472;&#120469;&#120472;&#120475;, &#120471;&#120462;&#120460; &#120462;&#120469;&#120462;&#120466;&#120463;&#120462;&#120471;&#120461; &#120471;&#120462;&#120474;&#120478;&#120462;. &#120435;&#120472;&#120471;&#120462;&#120460;
> ++&#120477;&#120466;&#120471;&#120460;&#120466;&#120461;&#120478;&#120471;&#120477; &#120460;&#120472;&#120470;&#120470;&#120472;&#120461;&#120472; &#120471;&#120466;&#120476;&#120469;, &#120471;&#120472;&#120471;
> ++&#120476;&#120460;&#120462;&#120469;&#120462;&#120475;&#120466;&#120476;&#120474;&#120478;&#120462; &#120461;&#120472;&#120469;&#120472;&#120475; &#120458;&#120460;&#120460;&#120478;&#120470;&#120476;&#120458;&#120471; &#120466;&#120461;.
> ++&#120447;&#120475;&#120458;&#120462;&#120476;&#120462;&#120471;&#120477; &#120459;&#120466;&#120459;&#120462;&#120471;&#120461;&#120478;&#120470; &#120479;&#120466;&#120479;&#120462;&#120475;&#120475;&#120458; &#120476;&#120478;&#120476;&#120460;&#120466;&#120473;&#120466;&#120477;.
> ++&#120445;&#120478;&#120471;&#120460; &#120460;&#120472;&#120471;&#120461;&#120466;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470;, &#120458;&#120471;&#120477;&#120462; &#120479;&#120466;&#120477;&#120458;&#120462;
> ++&#120460;&#120472;&#120471;&#120461;&#120466;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470; &#120475;&#120465;&#120472;&#120471;&#120460;&#120478;&#120476;, &#120471;&#120478;&#120471;&#120460; &#120471;&#120466;&#120459;&#120465;
> ++&#120473;&#120478;&#120469;&#120479;&#120466;&#120471;&#120458;&#120475; &#120477;&#120478;&#120475;&#120473;&#120466;&#120476;, &#120466;&#120471; &#120469;&#120472;&#120459;&#120472;&#120475;&#120477;&#120466;&#120476; &#120469;&#120458;&#120460;&#120478;&#120476; &#120469;&#120462;&#120472;
> ++&#120478;&#120477; &#120475;&#120466;&#120476;&#120478;&#120476;. &#120450;&#120462;&#120461; &#120466;&#120471; &#120462;&#120471;&#120466;&#120470; &#120477;&#120472;&#120475;&#120477;&#120472;&#120475;, &#120479;&#120466;&#120477;&#120458;&#120462;
> ++&#120458;&#120460;&#120460;&#120478;&#120470;&#120476;&#120458;&#120471; &#120475;&#120466;&#120476;&#120478;&#120476;. &#120432;&#120469;&#120466;&#120474;&#120478;&#120458;&#120470; &#120470;&#120466; &#120462;&#120475;&#120458;&#120477;,
> ++&#120460;&#120472;&#120470;&#120470;&#120472;&#120461;&#120472; &#120471;&#120462;&#120460; &#120469;&#120472;&#120459;&#120472;&#120475;&#120477;&#120466;&#120476; &#120471;&#120472;&#120471;, &#120461;&#120466;&#120464;&#120471;&#120466;&#120476;&#120476;&#120466;&#120470;
> ++&#120462;&#120464;&#120462;&#120477; &#120462;&#120475;&#120472;&#120476;. &#120437;&#120478;&#120476;&#120460;&#120462; &#120469;&#120458;&#120460;&#120478;&#120476; &#120470;&#120458;&#120476;&#120476;&#120458;,
> ++&#120460;&#120472;&#120471;&#120476;&#120462;&#120460;&#120477;&#120462;&#120477;&#120478;&#120475; &#120479;&#120466;&#120477;&#120458;&#120462; &#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458; &#120476;&#120462;&#120461;,
> ++&#120479;&#120466;&#120479;&#120462;&#120475;&#120475;&#120458; &#120466;&#120471; &#120474;&#120478;&#120458;&#120470;.
> ++&#120434;&#120478;&#120475;&#120458;&#120459;&#120466;&#120477;&#120478;&#120475; &#120471;&#120462;&#120460; &#120458;&#120475;&#120460;&#120478; &#120474;&#120478;&#120458;&#120470;, &#120476;&#120466;&#120477; &#120458;&#120470;&#120462;&#120477;
> ++&#120477;&#120466;&#120471;&#120460;&#120466;&#120461;&#120478;&#120471;&#120477; &#120469;&#120458;&#120460;&#120478;&#120476;. &#120450;&#120462;&#120461; &#120470;&#120472;&#120469;&#120462;&#120476;&#120477;&#120466;&#120462;
> ++&#120461;&#120466;&#120464;&#120471;&#120466;&#120476;&#120476;&#120466;&#120470; &#120471;&#120466;&#120476;&#120469;, &#120458;&#120477; &#120463;&#120462;&#120475;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470; &#120470;&#120458;&#120478;&#120475;&#120466;&#120476;
> ++&#120462;&#120464;&#120462;&#120476;&#120477;&#120458;&#120476; &#120471;&#120462;&#120460;. &#120450;&#120462;&#120461; &#120470;&#120466; &#120474;&#120478;&#120458;&#120470;, &#120478;&#120469;&#120477;&#120475;&#120466;&#120460;&#120466;&#120462;&#120476; &#120478;&#120477;
> ++&#120477;&#120466;&#120471;&#120460;&#120466;&#120461;&#120478;&#120471;&#120477; &#120479;&#120462;&#120469;, &#120459;&#120466;&#120459;&#120462;&#120471;&#120461;&#120478;&#120470; &#120458;&#120460; &#120470;&#120458;&#120476;&#120476;&#120458;.
> ++&#120453;&#120462;&#120476;&#120477;&#120466;&#120459;&#120478;&#120469;&#120478;&#120470; &#120479;&#120462;&#120469; &#120475;&#120466;&#120476;&#120478;&#120476; &#120473;&#120472;&#120475;&#120477;&#120458; &#120470;&#120458;&#120478;&#120475;&#120466;&#120476;
> ++&#120477;&#120462;&#120470;&#120473;&#120472;&#120475; &#120459;&#120469;&#120458;&#120471;&#120461;&#120466;&#120477; &#120462;&#120478; &#120479;&#120462;&#120469; &#120461;&#120466;&#120458;&#120470;. &#120448;&#120478;&#120466;&#120476;&#120474;&#120478;&#120462;
> ++&#120462;&#120475;&#120472;&#120476; &#120469;&#120466;&#120459;&#120462;&#120475;&#120472;, &#120477;&#120462;&#120470;&#120473;&#120472;&#120475; &#120478;&#120477; &#120462;&#120464;&#120462;&#120476;&#120477;&#120458;&#120476; &#120471;&#120462;&#120460;,
> ++&#120458;&#120469;&#120466;&#120474;&#120478;&#120462;&#120477; &#120462;&#120464;&#120462;&#120477; &#120462;&#120469;&#120466;&#120477;. &#120435;&#120472;&#120471;&#120462;&#120460; &#120459;&#120469;&#120458;&#120471;&#120461;&#120466;&#120477; &#120472;&#120461;&#120466;&#120472;
> ++&#120458;&#120477; &#120471;&#120466;&#120459;&#120465; &#120479;&#120458;&#120475;&#120466;&#120478;&#120476; &#120477;&#120475;&#120466;&#120476;&#120477;&#120466;&#120474;&#120478;&#120462;. &#120450;&#120462;&#120461; &#120475;&#120465;&#120472;&#120471;&#120460;&#120478;&#120476;
> ++&#120473;&#120472;&#120475;&#120477;&#120458; &#120472;&#120475;&#120460;&#120466;, &#120473;&#120469;&#120458;&#120460;&#120462;&#120475;&#120458;&#120477; &#120460;&#120472;&#120471;&#120461;&#120466;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470; &#120472;&#120475;&#120460;&#120466;
> ++&#120466;&#120470;&#120473;&#120462;&#120475;&#120461;&#120466;&#120462;&#120477; &#120479;&#120466;&#120477;&#120458;&#120462;. &#120436;&#120477;&#120466;&#120458;&#120470; &#120462;&#120478; &#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458;
> ++&#120462;&#120475;&#120472;&#120476;. &#120440;&#120471; &#120479;&#120462;&#120471;&#120462;&#120471;&#120458;&#120477;&#120466;&#120476; &#120473;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120469;&#120466;&#120459;&#120462;&#120475;&#120472;
> ++&#120476;&#120462;&#120461; &#120462;&#120464;&#120462;&#120476;&#120477;&#120458;&#120476;. &#120435;&#120478;&#120466;&#120476; &#120477;&#120466;&#120471;&#120460;&#120466;&#120461;&#120478;&#120471;&#120477; &#120470;&#120472;&#120469;&#120462;&#120476;&#120477;&#120466;&#120462;
> ++&#120475;&#120466;&#120476;&#120478;&#120476; &#120466;&#120461; &#120475;&#120478;&#120477;&#120475;&#120478;&#120470;. &#120445;&#120478;&#120469;&#120469;&#120458; &#120463;&#120458;&#120460;&#120466;&#120469;&#120466;&#120476;&#120466;. &#120435;&#120478;&#120466;&#120476;
> ++&#120479;&#120462;&#120469; &#120473;&#120478;&#120475;&#120478;&#120476; &#120458;&#120460; &#120469;&#120466;&#120459;&#120462;&#120475;&#120472; &#120475;&#120478;&#120477;&#120475;&#120478;&#120470; &#120478;&#120469;&#120477;&#120475;&#120466;&#120460;&#120462;&#120476;
> ++&#120476;&#120462;&#120461; &#120479;&#120462;&#120469; &#120458;&#120478;&#120464;&#120478;&#120462;. &#120435;&#120472;&#120471;&#120462;&#120460; &#120462;&#120464;&#120462;&#120477; &#120461;&#120466;&#120458;&#120470; &#120462;&#120477;
> ++&#120469;&#120466;&#120459;&#120462;&#120475;&#120472; &#120473;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120479;&#120462;&#120471;&#120462;&#120471;&#120458;&#120477;&#120466;&#120476; &#120471;&#120472;&#120471; &#120462;&#120477;
> ++&#120473;&#120478;&#120475;&#120478;&#120476;. &#120452;&#120477; &#120462;&#120478; &#120469;&#120462;&#120460;&#120477;&#120478;&#120476; &#120473;&#120478;&#120475;&#120478;&#120476;, &#120462;&#120464;&#120462;&#120477; &#120464;&#120475;&#120458;&#120479;&#120466;&#120461;&#120458;
> ++&#120462;&#120475;&#120458;&#120477;. &#120450;&#120462;&#120461; &#120471;&#120462;&#120460; &#120463;&#120462;&#120469;&#120466;&#120476; &#120469;&#120466;&#120464;&#120478;&#120469;&#120458;, &#120462;&#120464;&#120462;&#120477; &#120469;&#120478;&#120460;&#120477;&#120478;&#120476;
> ++&#120462;&#120475;&#120458;&#120477;. &#120444;&#120458;&#120478;&#120475;&#120466;&#120476; &#120476;&#120458;&#120473;&#120466;&#120462;&#120471; &#120462;&#120476;&#120477;, &#120470;&#120458;&#120477;&#120477;&#120466;&#120476; &#120478;&#120477;
> ++&#120463;&#120458;&#120478;&#120460;&#120466;&#120459;&#120478;&#120476; &#120462;&#120477;, &#120463;&#120458;&#120478;&#120460;&#120466;&#120459;&#120478;&#120476; &#120471;&#120462;&#120460; &#120471;&#120478;&#120471;&#120460;. &#120445;&#120478;&#120471;&#120460;
> ++&#120477;&#120462;&#120470;&#120473;&#120478;&#120476; &#120466;&#120458;&#120460;&#120478;&#120469;&#120466;&#120476; &#120478;&#120475;&#120471;&#120458; &#120479;&#120466;&#120477;&#120458;&#120462; &#120461;&#120466;&#120464;&#120471;&#120466;&#120476;&#120476;&#120466;&#120470;.
> ++&#120440;&#120471; &#120471;&#120478;&#120471;&#120460; &#120471;&#120466;&#120476;&#120466;, &#120478;&#120469;&#120469;&#120458;&#120470;&#120460;&#120472;&#120475;&#120473;&#120462;&#120475; &#120479;&#120462;&#120469; &#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458;
> ++&#120479;&#120472;&#120469;&#120478;&#120477;&#120473;&#120458;&#120477;, &#120466;&#120470;&#120473;&#120462;&#120475;&#120461;&#120466;&#120462;&#120477; &#120458; &#120461;&#120466;&#120458;&#120470;.
> ++&#120447;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120479;&#120462;&#120469; &#120469;&#120466;&#120464;&#120478;&#120469;&#120458; &#120462;&#120464;&#120462;&#120477; &#120469;&#120462;&#120472;
> ++&#120458;&#120478;&#120460;&#120477;&#120472;&#120475; &#120475;&#120465;&#120472;&#120471;&#120460;&#120478;&#120476; &#120460;&#120472;&#120471;&#120479;&#120458;&#120469;&#120469;&#120466;&#120476; &#120458; &#120477;&#120472;&#120475;&#120477;&#120472;&#120475;.
> ++&#120436;&#120477;&#120466;&#120458;&#120470; &#120458;&#120477; &#120469;&#120462;&#120460;&#120477;&#120478;&#120476; &#120479;&#120466;&#120477;&#120458;&#120462; &#120458;&#120471;&#120477;&#120462; &#120477;&#120462;&#120470;&#120473;&#120478;&#120476;
> ++&#120478;&#120469;&#120477;&#120475;&#120466;&#120460;&#120466;&#120462;&#120476; &#120478;&#120477; &#120479;&#120466;&#120477;&#120458;&#120462; &#120462;&#120469;&#120466;&#120477;. &#120445;&#120458;&#120470; &#120466;&#120471; &#120477;&#120478;&#120475;&#120473;&#120466;&#120476;
> ++&#120466;&#120473;&#120476;&#120478;&#120470;, &#120458;&#120477; &#120470;&#120458;&#120477;&#120477;&#120466;&#120476; &#120477;&#120472;&#120475;&#120477;&#120472;&#120475;. &#120445;&#120478;&#120469;&#120469;&#120458; &#120462;&#120477;
> ++&#120473;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120471;&#120462;&#120474;&#120478;&#120462;. &#120435;&#120472;&#120471;&#120462;&#120460; &#120469;&#120458;&#120460;&#120466;&#120471;&#120466;&#120458;,
> ++&#120477;&#120478;&#120475;&#120473;&#120466;&#120476; &#120478;&#120477; &#120461;&#120466;&#120460;&#120477;&#120478;&#120470; &#120476;&#120472;&#120461;&#120458;&#120469;&#120462;&#120476;, &#120461;&#120478;&#120466; &#120471;&#120466;&#120476;&#120466;
> ++&#120463;&#120458;&#120460;&#120466;&#120469;&#120466;&#120476;&#120466;&#120476; &#120475;&#120466;&#120476;&#120478;&#120476;, &#120476;&#120462;&#120461; &#120459;&#120469;&#120458;&#120471;&#120461;&#120466;&#120477; &#120470;&#120466; &#120462;&#120469;&#120466;&#120477; &#120478;&#120477;
> ++&#120471;&#120466;&#120459;&#120465;. &#120432;&#120469;&#120466;&#120474;&#120478;&#120458;&#120470; &#120462;&#120475;&#120458;&#120477; &#120479;&#120472;&#120469;&#120478;&#120477;&#120473;&#120458;&#120477;.
> ++&#120447;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462; &#120471;&#120462;&#120460; &#120462;&#120469;&#120466;&#120477; &#120466;&#120461; &#120467;&#120478;&#120476;&#120477;&#120472;
> ++&#120466;&#120471;&#120477;&#120462;&#120475;&#120461;&#120478;&#120470; &#120472;&#120475;&#120471;&#120458;&#120475;&#120462; &#120458; &#120466;&#120471; &#120461;&#120466;&#120458;&#120470;. &#120444;&#120472;&#120475;&#120459;&#120466; &#120458;&#120477;
> ++&#120463;&#120475;&#120466;&#120471;&#120464;&#120466;&#120469;&#120469;&#120458; &#120469;&#120462;&#120460;&#120477;&#120478;&#120476;. &#120435;&#120472;&#120471;&#120462;&#120460; &#120460;&#120472;&#120471;&#120479;&#120458;&#120469;&#120469;&#120466;&#120476;
> ++&#120462;&#120469;&#120462;&#120466;&#120463;&#120462;&#120471;&#120461; &#120463;&#120462;&#120469;&#120466;&#120476;, &#120466;&#120461; &#120476;&#120458;&#120464;&#120466;&#120477;&#120477;&#120466;&#120476; &#120478;&#120475;&#120471;&#120458;
> ++&#120470;&#120458;&#120477;&#120477;&#120466;&#120476; &#120471;&#120462;&#120460;. &#120452;&#120477; &#120460;&#120472;&#120471;&#120476;&#120462;&#120474;&#120478;&#120458;&#120477; &#120477;&#120478;&#120475;&#120473;&#120466;&#120476; &#120479;&#120462;&#120469;
> ++&#120474;&#120478;&#120458;&#120470; &#120477;&#120462;&#120470;&#120473;&#120472;&#120475; &#120462;&#120464;&#120462;&#120477; &#120478;&#120469;&#120477;&#120475;&#120466;&#120460;&#120462;&#120476; &#120471;&#120462;&#120474;&#120478;&#120462;
> ++&#120470;&#120472;&#120469;&#120462;&#120476;&#120477;&#120466;&#120462;. &#120450;&#120478;&#120476;&#120473;&#120462;&#120471;&#120461;&#120466;&#120476;&#120476;&#120462; &#120477;&#120462;&#120469;&#120469;&#120478;&#120476; &#120471;&#120466;&#120476;&#120466;,
> ++&#120465;&#120462;&#120471;&#120461;&#120475;&#120462;&#120475;&#120466;&#120477; &#120479;&#120466;&#120477;&#120458;&#120462; &#120473;&#120472;&#120476;&#120478;&#120462;&#120475;&#120462; &#120462;&#120464;&#120462;&#120477;, &#120473;&#120469;&#120458;&#120460;&#120462;&#120475;&#120458;&#120477;
> ++&#120476;&#120462;&#120461; &#120470;&#120462;&#120477;&#120478;&#120476;. &#120440;&#120471;&#120477;&#120462;&#120464;&#120462;&#120475; &#120473;&#120469;&#120458;&#120460;&#120462;&#120475;&#120458;&#120477; &#120466;&#120470;&#120473;&#120462;&#120475;&#120461;&#120466;&#120462;&#120477;
> ++&#120473;&#120469;&#120458;&#120460;&#120462;&#120475;&#120458;&#120477;. &#120444;&#120472;&#120475;&#120459;&#120466; &#120477;&#120462;&#120470;&#120473;&#120478;&#120476; &#120471;&#120478;&#120471;&#120460; &#120471;&#120478;&#120471;&#120460;.
> ++&#120440;&#120471;&#120477;&#120462;&#120464;&#120462;&#120475; &#120474;&#120478;&#120466;&#120476; &#120472;&#120475;&#120460;&#120466; &#120463;&#120462;&#120469;&#120466;&#120476;. &#120445;&#120478;&#120471;&#120460; &#120476;&#120462;&#120470;&#120473;&#120462;&#120475;,
> ++&#120458;&#120475;&#120460;&#120478; &#120471;&#120472;&#120471; &#120460;&#120472;&#120471;&#120476;&#120462;&#120474;&#120478;&#120458;&#120477; &#120461;&#120466;&#120464;&#120471;&#120466;&#120476;&#120476;&#120466;&#120470;, &#120469;&#120472;&#120475;&#120462;&#120470;
> ++&#120478;&#120475;&#120471;&#120458; &#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458; &#120470;&#120466;, &#120471;&#120462;&#120460; &#120458;&#120460;&#120460;&#120478;&#120470;&#120476;&#120458;&#120471; &#120462;&#120471;&#120466;&#120470; &#120470;&#120466;
> ++&#120458; &#120473;&#120478;&#120475;&#120478;&#120476;. &#120434;&#120478;&#120475;&#120458;&#120459;&#120466;&#120477;&#120478;&#120475; &#120462;&#120477; &#120462;&#120469;&#120466;&#120477; &#120466;&#120471; &#120476;&#120462;&#120470;
> ++&#120476;&#120472;&#120461;&#120458;&#120469;&#120462;&#120476; &#120466;&#120471;&#120477;&#120462;&#120475;&#120461;&#120478;&#120470;. &#120447;&#120462;&#120469;&#120469;&#120462;&#120471;&#120477;&#120462;&#120476;&#120474;&#120478;&#120462;
> ++&#120476;&#120458;&#120464;&#120466;&#120477;&#120477;&#120466;&#120476; &#120475;&#120478;&#120477;&#120475;&#120478;&#120470; &#120469;&#120462;&#120460;&#120477;&#120478;&#120476; &#120460;&#120472;&#120470;&#120470;&#120472;&#120461;&#120472;
> ++&#120460;&#120472;&#120471;&#120461;&#120466;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470;. &#120436;&#120477;&#120466;&#120458;&#120470; &#120463;&#120475;&#120466;&#120471;&#120464;&#120466;&#120469;&#120469;&#120458;, &#120474;&#120478;&#120458;&#120470; &#120471;&#120462;&#120460;
> ++&#120478;&#120469;&#120469;&#120458;&#120470;&#120460;&#120472;&#120475;&#120473;&#120462;&#120475; &#120476;&#120472;&#120469;&#120469;&#120466;&#120460;&#120466;&#120477;&#120478;&#120461;&#120466;&#120471;, &#120477;&#120478;&#120475;&#120473;&#120466;&#120476; &#120471;&#120466;&#120476;&#120466;
> ++&#120458;&#120469;&#120466;&#120474;&#120478;&#120462;&#120477; &#120475;&#120466;&#120476;&#120478;&#120476;, &#120476;&#120466;&#120477; &#120458;&#120470;&#120462;&#120477; &#120462;&#120469;&#120462;&#120470;&#120462;&#120471;&#120477;&#120478;&#120470;
> ++&#120461;&#120472;&#120469;&#120472;&#120475; &#120469;&#120472;&#120475;&#120462;&#120470; &#120479;&#120466;&#120477;&#120458;&#120462; &#120469;&#120466;&#120464;&#120478;&#120469;&#120458;. &#120447;&#120475;&#120458;&#120462;&#120476;&#120462;&#120471;&#120477;
> ++&#120473;&#120465;&#120458;&#120475;&#120462;&#120477;&#120475;&#120458; &#120458;&#120469;&#120466;&#120474;&#120478;&#120462;&#120477; &#120479;&#120462;&#120469;&#120466;&#120477; &#120476;&#120462;&#120461; &#120473;&#120469;&#120458;&#120460;&#120462;&#120475;&#120458;&#120477;. </p>
> ++</body>
> ++</html>
> +diff --git a/mozilla/layout/reftests/bugs/600974-1.html b/mozilla/layout/reftests/bugs/600974-1.html
> +new file mode 100644
> +index 0000000..13de69f
> +--- /dev/null
> ++++ b/mozilla/layout/reftests/bugs/600974-1.html
> +@@ -0,0 +1,15 @@
> ++<!DOCTYPE html>
> ++<!-- This is a test for decoding supplementary characters. It contains text in
> ++     Unicode plane 1 encoded as UTF-8. Don't reencode it in any way. -->
> ++<html>
> ++<head>
> ++ <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
> ++</head>
> ++<body>
> ++<p>𝙻𝚘𝚛𝚎𝚖 𝚒𝚙𝚜𝚞𝚖 𝚍𝚘𝚕𝚘𝚛 𝚜𝚒𝚝 𝚊𝚖𝚎𝚝, 𝚌𝚘𝚗𝚜𝚎𝚌𝚝𝚎𝚝𝚞𝚛 𝚊𝚍𝚒𝚙𝚒𝚜𝚌𝚒𝚗𝚐 𝚎𝚕𝚒𝚝. 𝙰𝚕𝚒𝚚𝚞𝚊𝚖 𝚟𝚎𝚕 𝚊𝚛𝚌𝚞 𝚗𝚒𝚋𝚑, 𝚟𝚎𝚕 𝚍𝚒𝚌𝚝𝚞𝚖 𝚝𝚘𝚛𝚝𝚘𝚛. 𝙲𝚛𝚊𝚜 𝚒𝚊𝚌𝚞𝚕𝚒𝚜 𝚎𝚕𝚒𝚝 𝚎𝚐𝚎𝚝 𝚗𝚞𝚗𝚌 𝚜𝚘𝚕𝚕𝚒𝚌𝚒𝚝𝚞𝚍𝚒𝚗 𝚎𝚝 𝚌𝚘𝚖𝚖𝚘𝚍𝚘 𝚟𝚎𝚕𝚒𝚝 𝚊𝚕𝚒𝚚𝚞𝚊𝚖. 𝚀𝚞𝚒𝚜𝚚𝚞𝚎 𝚟𝚎𝚕 𝚋𝚒𝚋𝚎𝚗𝚍𝚞𝚖 𝚖𝚊𝚞𝚛𝚒𝚜. 𝙽𝚞𝚕𝚕𝚊𝚖 𝚗𝚎𝚌 𝚏𝚎𝚕𝚒𝚜 𝚍𝚒𝚊𝚖, 𝚟𝚎𝚕 𝚟𝚞𝚕𝚙𝚞𝚝𝚊𝚝𝚎 𝚙𝚞𝚛𝚞𝚜. 𝙲𝚛𝚊𝚜 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊, 𝚟𝚎𝚕𝚒𝚝 𝚟𝚒𝚝𝚊𝚎 𝚙𝚞𝚕𝚟𝚒𝚗𝚊𝚛 𝚌𝚞𝚛𝚜𝚞𝚜, 𝚗𝚒𝚜𝚕 𝚙𝚞𝚛𝚞𝚜 𝚙𝚘𝚛𝚝𝚝𝚒𝚝𝚘𝚛 𝚚𝚞𝚊𝚖, 𝚗𝚘𝚗 𝚊𝚍𝚒𝚙𝚒𝚜𝚌𝚒𝚗𝚐 𝚎𝚛𝚘𝚜 𝚖𝚊𝚞𝚛𝚒𝚜 𝚎𝚞 𝚏𝚎𝚕𝚒𝚜. 𝙽𝚞𝚕𝚕𝚊𝚖 𝚕𝚞𝚌𝚝𝚞𝚜 𝚗𝚒𝚜𝚒 𝚜𝚒𝚝 𝚊𝚖𝚎𝚝 𝚗𝚒𝚜𝚕 𝚜𝚘𝚍𝚊𝚕𝚎𝚜 𝚒𝚗𝚝𝚎𝚛𝚍𝚞𝚖. 𝙿𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚟𝚞𝚕𝚙𝚞𝚝𝚊𝚝𝚎 𝚊𝚕𝚒𝚚𝚞𝚊𝚖 𝚕𝚎𝚘, 𝚒𝚍 𝚛𝚑𝚘𝚗𝚌𝚞𝚜 𝚜𝚎𝚖 𝚌𝚘𝚖𝚖𝚘𝚍𝚘 𝚒𝚍. 𝚂𝚎𝚍 𝚕𝚊𝚘𝚛𝚎𝚎𝚝 𝚒𝚗𝚝𝚎𝚛𝚍𝚞𝚖 𝚌𝚘𝚗𝚍𝚒𝚖𝚎𝚗𝚝𝚞𝚖. 𝙽𝚞𝚕𝚕𝚊𝚖 𝚘𝚛𝚗𝚊𝚛𝚎 𝚟𝚎𝚜𝚝𝚒𝚋𝚞𝚕𝚞𝚖 𝚙𝚘𝚛𝚝𝚊. 𝙰𝚎𝚗𝚎𝚊𝚗 𝚒𝚍 𝚍𝚘𝚕𝚘𝚛 𝚍𝚘𝚕𝚘𝚛, 𝚗𝚎𝚌 𝚎𝚕𝚎𝚒𝚏𝚎𝚗𝚍 𝚗𝚎𝚚𝚞𝚎. 𝙳𝚘𝚗𝚎𝚌 𝚝𝚒𝚗𝚌𝚒𝚍𝚞𝚗𝚝 𝚌𝚘𝚖𝚖𝚘𝚍𝚘 𝚗𝚒𝚜𝚕, 𝚗𝚘𝚗 𝚜𝚌𝚎𝚕𝚎𝚛𝚒𝚜𝚚𝚞𝚎 𝚍𝚘𝚕𝚘𝚛 𝚊𝚌𝚌𝚞𝚖𝚜𝚊𝚗 𝚒𝚍. 𝙿𝚛𝚊𝚎𝚜𝚎𝚗𝚝 𝚋𝚒𝚋𝚎𝚗𝚍𝚞𝚖 𝚟𝚒𝚟𝚎𝚛𝚛𝚊 𝚜𝚞𝚜𝚌𝚒𝚙𝚒𝚝. 𝙽𝚞𝚗𝚌 𝚌𝚘𝚗𝚍𝚒𝚖𝚎𝚗𝚝𝚞𝚖, 𝚊𝚗𝚝𝚎 𝚟𝚒𝚝𝚊𝚎 𝚌𝚘𝚗𝚍𝚒𝚖𝚎𝚗𝚝𝚞𝚖 𝚛𝚑𝚘𝚗𝚌𝚞𝚜, 𝚗𝚞𝚗𝚌 𝚗𝚒𝚋𝚑 𝚙𝚞𝚕𝚟𝚒𝚗𝚊𝚛 𝚝𝚞𝚛𝚙𝚒𝚜, 𝚒𝚗 𝚕𝚘𝚋𝚘𝚛𝚝𝚒𝚜 𝚕𝚊𝚌𝚞𝚜 𝚕𝚎𝚘 𝚞𝚝 𝚛𝚒𝚜𝚞𝚜. 𝚂𝚎𝚍 𝚒𝚗 𝚎𝚗𝚒𝚖 𝚝𝚘𝚛𝚝𝚘𝚛, 𝚟𝚒𝚝𝚊𝚎 𝚊𝚌𝚌𝚞𝚖𝚜𝚊𝚗 𝚛𝚒𝚜𝚞𝚜. 𝙰𝚕𝚒𝚚𝚞𝚊𝚖 𝚖𝚒 𝚎𝚛𝚊𝚝, 𝚌𝚘𝚖𝚖𝚘𝚍𝚘 𝚗𝚎𝚌 𝚕𝚘𝚋𝚘𝚛𝚝𝚒𝚜 𝚗𝚘𝚗, 𝚍𝚒𝚐𝚗𝚒𝚜𝚜𝚒𝚖 𝚎𝚐𝚎𝚝 𝚎𝚛𝚘𝚜. 𝙵𝚞𝚜𝚌𝚎 𝚕𝚊𝚌𝚞𝚜 𝚖𝚊𝚜𝚜𝚊, 𝚌𝚘𝚗𝚜𝚎𝚌𝚝𝚎𝚝𝚞𝚛 𝚟𝚒𝚝𝚊𝚎 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊 𝚜𝚎𝚍, 𝚟𝚒𝚟𝚎𝚛𝚛𝚊 𝚒𝚗 𝚚𝚞𝚊𝚖.
> ++
> ++𝙲𝚞𝚛𝚊𝚋𝚒𝚝𝚞𝚛 𝚗𝚎𝚌 𝚊𝚛𝚌𝚞 𝚚𝚞𝚊𝚖, 𝚜𝚒𝚝 𝚊𝚖𝚎𝚝 𝚝𝚒𝚗𝚌𝚒𝚍𝚞𝚗𝚝 𝚕𝚊𝚌𝚞𝚜. 𝚂𝚎𝚍 𝚖𝚘𝚕𝚎𝚜𝚝𝚒𝚎 𝚍𝚒𝚐𝚗𝚒𝚜𝚜𝚒𝚖 𝚗𝚒𝚜𝚕, 𝚊𝚝 𝚏𝚎𝚛𝚖𝚎𝚗𝚝𝚞𝚖 𝚖𝚊𝚞𝚛𝚒𝚜 𝚎𝚐𝚎𝚜𝚝𝚊𝚜 𝚗𝚎𝚌. 𝚂𝚎𝚍 𝚖𝚒 𝚚𝚞𝚊𝚖, 𝚞𝚕𝚝𝚛𝚒𝚌𝚒𝚎𝚜 𝚞𝚝 𝚝𝚒𝚗𝚌𝚒𝚍𝚞𝚗𝚝 𝚟𝚎𝚕, 𝚋𝚒𝚋𝚎𝚗𝚍𝚞𝚖 𝚊𝚌 𝚖𝚊𝚜𝚜𝚊. 𝚅𝚎𝚜𝚝𝚒𝚋𝚞𝚕𝚞𝚖 𝚟𝚎𝚕 𝚛𝚒𝚜𝚞𝚜 𝚙𝚘𝚛𝚝𝚊 𝚖𝚊𝚞𝚛𝚒𝚜 𝚝𝚎𝚖𝚙𝚘𝚛 𝚋𝚕𝚊𝚗𝚍𝚒𝚝 𝚎𝚞 𝚟𝚎𝚕 𝚍𝚒𝚊𝚖. 𝚀𝚞𝚒𝚜𝚚𝚞𝚎 𝚎𝚛𝚘𝚜 𝚕𝚒𝚋𝚎𝚛𝚘, 𝚝𝚎𝚖𝚙𝚘𝚛 𝚞𝚝 𝚎𝚐𝚎𝚜𝚝𝚊𝚜 𝚗𝚎𝚌, 𝚊𝚕𝚒𝚚𝚞𝚎𝚝 𝚎𝚐𝚎𝚝 𝚎𝚕𝚒𝚝. 𝙳𝚘𝚗𝚎𝚌 𝚋𝚕𝚊𝚗𝚍𝚒𝚝 𝚘𝚍𝚒𝚘 𝚊𝚝 𝚗𝚒𝚋𝚑 𝚟𝚊𝚛𝚒𝚞𝚜 𝚝𝚛𝚒𝚜𝚝𝚒𝚚𝚞𝚎. 𝚂𝚎𝚍 𝚛𝚑𝚘𝚗𝚌𝚞𝚜 𝚙𝚘𝚛𝚝𝚊 𝚘𝚛𝚌𝚒, 𝚙𝚕𝚊𝚌𝚎𝚛𝚊𝚝 𝚌𝚘𝚗𝚍𝚒𝚖𝚎𝚗𝚝𝚞𝚖 𝚘𝚛𝚌𝚒 𝚒𝚖𝚙𝚎𝚛𝚍𝚒𝚎𝚝 𝚟𝚒𝚝𝚊𝚎. 𝙴𝚝𝚒𝚊𝚖 𝚎𝚞 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊 𝚎𝚛𝚘𝚜. 𝙸𝚗 𝚟𝚎𝚗𝚎𝚗𝚊𝚝𝚒𝚜 𝚙𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚕𝚒𝚋𝚎𝚛𝚘 𝚜𝚎𝚍 𝚎𝚐𝚎𝚜𝚝𝚊𝚜. 𝙳𝚞𝚒𝚜 𝚝𝚒𝚗𝚌𝚒𝚍𝚞𝚗𝚝 𝚖𝚘𝚕𝚎𝚜𝚝𝚒𝚎 𝚛𝚒𝚜𝚞𝚜 𝚒𝚍 𝚛𝚞𝚝𝚛𝚞𝚖. 𝙽𝚞𝚕𝚕𝚊 𝚏𝚊𝚌𝚒𝚕𝚒𝚜𝚒. 𝙳𝚞𝚒𝚜 𝚟𝚎𝚕 𝚙𝚞𝚛𝚞𝚜 𝚊𝚌 𝚕𝚒𝚋𝚎𝚛𝚘 𝚛𝚞𝚝𝚛𝚞𝚖 𝚞𝚕𝚝𝚛𝚒𝚌𝚎𝚜 𝚜𝚎𝚍 𝚟𝚎𝚕 𝚊𝚞𝚐𝚞𝚎. 𝙳𝚘𝚗𝚎𝚌 𝚎𝚐𝚎𝚝 𝚍𝚒𝚊𝚖 𝚎𝚝 𝚕𝚒𝚋𝚎𝚛𝚘 𝚙𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚟𝚎𝚗𝚎𝚗𝚊𝚝𝚒𝚜 𝚗𝚘𝚗 𝚎𝚝 𝚙𝚞𝚛𝚞𝚜. 𝚄𝚝 𝚎𝚞 𝚕𝚎𝚌𝚝𝚞𝚜 𝚙𝚞𝚛𝚞𝚜, 𝚎𝚐𝚎𝚝 𝚐𝚛𝚊𝚟𝚒𝚍𝚊 𝚎𝚛𝚊𝚝. 𝚂𝚎𝚍 𝚗𝚎𝚌 𝚏𝚎𝚕𝚒𝚜 𝚕𝚒𝚐𝚞𝚕𝚊, 𝚎𝚐𝚎𝚝 𝚕𝚞𝚌𝚝𝚞𝚜 𝚎𝚛𝚊𝚝. 𝙼𝚊𝚞𝚛𝚒𝚜 𝚜𝚊𝚙𝚒𝚎𝚗 𝚎𝚜𝚝, 𝚖𝚊𝚝𝚝𝚒𝚜 𝚞𝚝 𝚏𝚊𝚞𝚌𝚒𝚋𝚞𝚜 𝚎𝚝, 𝚏𝚊𝚞𝚌𝚒𝚋𝚞𝚜 𝚗𝚎𝚌 𝚗𝚞𝚗𝚌. 𝙽𝚞𝚗𝚌 𝚝𝚎𝚖𝚙𝚞𝚜 𝚒𝚊𝚌𝚞𝚕𝚒𝚜 𝚞𝚛𝚗𝚊 𝚟𝚒𝚝𝚊𝚎 𝚍𝚒𝚐𝚗𝚒𝚜𝚜𝚒𝚖.
> ++
> ++𝙸𝚗 𝚗𝚞𝚗𝚌 𝚗𝚒𝚜𝚒, 𝚞𝚕𝚕𝚊𝚖𝚌𝚘𝚛𝚙𝚎𝚛 𝚟𝚎𝚕 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊 𝚟𝚘𝚕𝚞𝚝𝚙𝚊𝚝, 𝚒𝚖𝚙𝚎𝚛𝚍𝚒𝚎𝚝 𝚊 𝚍𝚒𝚊𝚖. 𝙿𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚟𝚎𝚕 𝚕𝚒𝚐𝚞𝚕𝚊 𝚎𝚐𝚎𝚝 𝚕𝚎𝚘 𝚊𝚞𝚌𝚝𝚘𝚛 𝚛𝚑𝚘𝚗𝚌𝚞𝚜 𝚌𝚘𝚗𝚟𝚊𝚕𝚕𝚒𝚜 𝚊 𝚝𝚘𝚛𝚝𝚘𝚛. 𝙴𝚝𝚒𝚊𝚖 𝚊𝚝 𝚕𝚎𝚌𝚝𝚞𝚜 𝚟𝚒𝚝𝚊𝚎 𝚊𝚗𝚝𝚎 𝚝𝚎𝚖𝚙𝚞𝚜 𝚞𝚕𝚝𝚛𝚒𝚌𝚒𝚎𝚜 𝚞𝚝 𝚟𝚒𝚝𝚊𝚎 𝚎𝚕𝚒𝚝. 𝙽𝚊𝚖 𝚒𝚗 𝚝𝚞𝚛𝚙𝚒𝚜 𝚒𝚙𝚜𝚞𝚖, 𝚊𝚝 𝚖𝚊𝚝𝚝𝚒𝚜 𝚝𝚘𝚛𝚝𝚘𝚛. 𝙽𝚞𝚕𝚕𝚊 𝚎𝚝 𝚙𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚗𝚎𝚚𝚞𝚎. 𝙳𝚘𝚗𝚎𝚌 𝚕𝚊𝚌𝚒𝚗𝚒𝚊, 𝚝𝚞𝚛𝚙𝚒𝚜 𝚞𝚝 𝚍𝚒𝚌𝚝𝚞𝚖 𝚜𝚘𝚍𝚊𝚕𝚎𝚜, 𝚍𝚞𝚒 𝚗𝚒𝚜𝚒 𝚏𝚊𝚌𝚒𝚕𝚒𝚜𝚒𝚜 𝚛𝚒𝚜𝚞𝚜, 𝚜𝚎𝚍 𝚋𝚕𝚊𝚗𝚍𝚒𝚝 𝚖𝚒 𝚎𝚕𝚒𝚝 𝚞𝚝 𝚗𝚒𝚋𝚑. 𝙰𝚕𝚒𝚚𝚞𝚊𝚖 𝚎𝚛𝚊𝚝 𝚟𝚘𝚕𝚞𝚝𝚙𝚊𝚝. 𝙿𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚗𝚎𝚌 𝚎𝚕𝚒𝚝 𝚒𝚍 𝚓𝚞𝚜𝚝𝚘 𝚒𝚗𝚝𝚎𝚛𝚍𝚞𝚖 𝚘𝚛𝚗𝚊𝚛𝚎 𝚊 𝚒𝚗 𝚍𝚒𝚊𝚖. 𝙼𝚘𝚛𝚋𝚒 𝚊𝚝 𝚏𝚛𝚒𝚗𝚐𝚒𝚕𝚕𝚊 𝚕𝚎𝚌𝚝𝚞𝚜. 𝙳𝚘𝚗𝚎𝚌 𝚌𝚘𝚗𝚟𝚊𝚕𝚕𝚒𝚜 𝚎𝚕𝚎𝚒𝚏𝚎𝚗𝚍 𝚏𝚎𝚕𝚒𝚜, 𝚒𝚍 𝚜𝚊𝚐𝚒𝚝𝚝𝚒𝚜 𝚞𝚛𝚗𝚊 𝚖𝚊𝚝𝚝𝚒𝚜 𝚗𝚎𝚌. 𝚄𝚝 𝚌𝚘𝚗𝚜𝚎𝚚𝚞𝚊𝚝 𝚝𝚞𝚛𝚙𝚒𝚜 𝚟𝚎𝚕 𝚚𝚞𝚊𝚖 𝚝𝚎𝚖𝚙𝚘𝚛 𝚎𝚐𝚎𝚝 𝚞𝚕𝚝𝚛𝚒𝚌𝚎𝚜 𝚗𝚎𝚚𝚞𝚎 𝚖𝚘𝚕𝚎𝚜𝚝𝚒𝚎. 𝚂𝚞𝚜𝚙𝚎𝚗𝚍𝚒𝚜𝚜𝚎 𝚝𝚎𝚕𝚕𝚞𝚜 𝚗𝚒𝚜𝚒, 𝚑𝚎𝚗𝚍𝚛𝚎𝚛𝚒𝚝 𝚟𝚒𝚝𝚊𝚎 𝚙𝚘𝚜𝚞𝚎𝚛𝚎 𝚎𝚐𝚎𝚝, 𝚙𝚕𝚊𝚌𝚎𝚛𝚊𝚝 𝚜𝚎𝚍 𝚖𝚎𝚝𝚞𝚜. 𝙸𝚗𝚝𝚎𝚐𝚎𝚛 𝚙𝚕𝚊𝚌𝚎𝚛𝚊𝚝 𝚒𝚖𝚙𝚎𝚛𝚍𝚒𝚎𝚝 𝚙𝚕𝚊𝚌𝚎𝚛𝚊𝚝. 𝙼𝚘𝚛𝚋𝚒 𝚝𝚎𝚖𝚙𝚞𝚜 𝚗𝚞𝚗𝚌 𝚗𝚞𝚗𝚌. 𝙸𝚗𝚝𝚎𝚐𝚎𝚛 𝚚𝚞𝚒𝚜 𝚘𝚛𝚌𝚒 𝚏𝚎𝚕𝚒𝚜. 𝙽𝚞𝚗𝚌 𝚜𝚎𝚖𝚙𝚎𝚛, 𝚊𝚛𝚌𝚞 𝚗𝚘𝚗 𝚌𝚘𝚗𝚜𝚎𝚚𝚞𝚊𝚝 𝚍𝚒𝚐𝚗𝚒𝚜𝚜𝚒𝚖, 𝚕𝚘𝚛𝚎𝚖 𝚞𝚛𝚗𝚊 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊 𝚖𝚒, 𝚗𝚎𝚌 𝚊𝚌𝚌𝚞𝚖𝚜𝚊𝚗 𝚎𝚗𝚒𝚖 𝚖𝚒 𝚊 𝚙𝚞𝚛𝚞𝚜. 𝙲𝚞𝚛𝚊𝚋𝚒𝚝𝚞𝚛 𝚎𝚝 𝚎𝚕𝚒𝚝 𝚒𝚗 𝚜𝚎𝚖 𝚜𝚘𝚍𝚊𝚕𝚎𝚜 𝚒𝚗𝚝𝚎𝚛𝚍𝚞𝚖. 𝙿𝚎𝚕𝚕𝚎𝚗𝚝𝚎𝚜𝚚𝚞𝚎 𝚜𝚊𝚐𝚒𝚝𝚝𝚒𝚜 𝚛𝚞𝚝𝚛𝚞𝚖 𝚕𝚎𝚌𝚝𝚞𝚜 𝚌𝚘𝚖𝚖𝚘𝚍𝚘 𝚌𝚘𝚗𝚍𝚒𝚖𝚎𝚗𝚝𝚞𝚖. 𝙴𝚝𝚒𝚊𝚖 𝚏𝚛𝚒𝚗𝚐𝚒𝚕𝚕𝚊, 𝚚𝚞𝚊𝚖 𝚗𝚎𝚌 𝚞𝚕𝚕𝚊𝚖𝚌𝚘𝚛𝚙𝚎𝚛 𝚜𝚘𝚕𝚕𝚒𝚌𝚒𝚝𝚞𝚍𝚒𝚗, 𝚝𝚞𝚛𝚙𝚒𝚜 𝚗𝚒𝚜𝚒 𝚊𝚕𝚒𝚚𝚞𝚎𝚝 𝚛𝚒𝚜𝚞𝚜, 𝚜𝚒𝚝 𝚊𝚖𝚎𝚝 𝚎𝚕𝚎𝚖𝚎𝚗𝚝𝚞𝚖 𝚍𝚘𝚕𝚘𝚛 𝚕𝚘𝚛𝚎𝚖 𝚟𝚒𝚝𝚊𝚎 𝚕𝚒𝚐𝚞𝚕𝚊. 𝙿𝚛𝚊𝚎𝚜𝚎𝚗𝚝 𝚙𝚑𝚊𝚛𝚎𝚝𝚛𝚊 𝚊𝚕𝚒𝚚𝚞𝚎𝚝 𝚟𝚎𝚕𝚒𝚝 𝚜𝚎𝚍 𝚙𝚕𝚊𝚌𝚎𝚛𝚊𝚝. </p>
> ++ </body>
> ++</html>
> +diff --git a/mozilla/layout/reftests/bugs/reftest.list b/mozilla/layout/reftests/bugs/reftest.list
> +index 9537e65..87a8b4e 100644
> +--- a/mozilla/layout/reftests/bugs/reftest.list
> ++++ b/mozilla/layout/reftests/bugs/reftest.list
> +@@ -1053,4 +1053,5 @@ fails == 494667-2.html 494667-2-ref.html # needs bug 155955 (not on 1.9.1 branch
> + == 513318-1.xul 513318-1-ref.xul
> + != 513318-2.xul 513318-2-ref.xul
> + != 513318-3.xul 513318-3-ref.xul
> ++== 600974-1.html 600974-1-ref.html
> + == 603423-1.html 603423-1-ref.html
> diff --git a/debian/patches/security/squeeze1/bug-563243-backport-of-Blake-Kaplan-s-tracemonkey-mo.patch b/debian/patches/security/squeeze1/bug-563243-backport-of-Blake-Kaplan-s-tracemonkey-mo.patch
> new file mode 100644
> index 0000000..ae0c991
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/bug-563243-backport-of-Blake-Kaplan-s-tracemonkey-mo.patch
> @@ -0,0 +1,85 @@
> +From: Igor Bukanov <igor@mir2.org>
> +Date: Thu, 20 Jan 2011 19:52:04 +0100
> +Subject: bug 563243 - backport of Blake Kaplan's tracemonkey/mozilla-central patch. a=clegnitto
> +
> +---
> + js/src/jsapi.cpp |   45 +++++++++++++++------------------------------
> + 1 files changed, 15 insertions(+), 30 deletions(-)
> +
> +diff --git a/mozilla/js/src/jsapi.cpp b/mozilla/js/src/jsapi.cpp
> +index bac3756..37cacb4 100644
> +--- a/mozilla/js/src/jsapi.cpp
> ++++ b/mozilla/js/src/jsapi.cpp
> +@@ -4440,12 +4440,11 @@ js_generic_fast_native_method_dispatcher(JSContext *cx, uintN argc, jsval *vp)
> +     fs = (JSFunctionSpec *) JSVAL_TO_PRIVATE(fsv);
> +     JS_ASSERT((~fs->flags & (JSFUN_FAST_NATIVE | JSFUN_GENERIC_NATIVE)) == 0);
> + 
> +-    /*
> +-     * We know that vp[2] is valid because JS_DefineFunctions, which is our
> +-     * only (indirect) referrer, defined us as requiring at least one argument
> +-     * (notice how it passes fs->nargs + 1 as the next-to-last argument to
> +-     * JS_DefineFunction).
> +-     */
> ++    if (argc < 1) {
> ++        js_ReportMissingArg(cx, vp, 0);
> ++        return JS_FALSE;
> ++    }
> ++
> +     if (JSVAL_IS_PRIMITIVE(vp[2])) {
> +         /*
> +          * Make sure that this is an object or null, as required by the generic
> +@@ -4470,15 +4469,9 @@ js_generic_fast_native_method_dispatcher(JSContext *cx, uintN argc, jsval *vp)
> +      */
> +     if (!js_ComputeThis(cx, JS_FALSE, vp + 2))
> +         return JS_FALSE;
> +-    /*
> +-     * Protect against argc underflowing. By calling js_ComputeThis, we made
> +-     * it as if the static was called with one parameter, the explicit |this|
> +-     * object.
> +-     */
> +-    if (argc != 0) {
> +-        /* Clear the last parameter in case too few arguments were passed. */
> +-        vp[2 + --argc] = JSVAL_VOID;
> +-    }
> ++
> ++    /* Clear the last parameter in case too few arguments were passed. */
> ++    vp[2 + --argc] = JSVAL_VOID;
> + 
> +     native =
> + #ifdef JS_TRACER
> +@@ -4504,12 +4497,11 @@ js_generic_native_method_dispatcher(JSContext *cx, JSObject *obj,
> +     JS_ASSERT((fs->flags & (JSFUN_FAST_NATIVE | JSFUN_GENERIC_NATIVE)) ==
> +               JSFUN_GENERIC_NATIVE);
> + 
> +-    /*
> +-     * We know that argv[0] is valid because JS_DefineFunctions, which is our
> +-     * only (indirect) referrer, defined us as requiring at least one argument
> +-     * (notice how it passes fs->nargs + 1 as the next-to-last argument to
> +-     * JS_DefineFunction).
> +-     */
> ++    if (argc < 1) {
> ++        js_ReportMissingArg(cx, argv - 2, 0);
> ++        return JS_FALSE;
> ++    }
> ++
> +     if (JSVAL_IS_PRIMITIVE(argv[0])) {
> +         /*
> +          * Make sure that this is an object or null, as required by the generic
> +@@ -4537,15 +4529,8 @@ js_generic_native_method_dispatcher(JSContext *cx, JSObject *obj,
> +     js_GetTopStackFrame(cx)->thisp = JSVAL_TO_OBJECT(argv[-1]);
> +     JS_ASSERT(cx->fp->argv == argv);
> + 
> +-    /*
> +-     * Protect against argc underflowing. By calling js_ComputeThis, we made
> +-     * it as if the static was called with one parameter, the explicit |this|
> +-     * object.
> +-     */
> +-    if (argc != 0) {
> +-        /* Clear the last parameter in case too few arguments were passed. */
> +-        argv[--argc] = JSVAL_VOID;
> +-    }
> ++    /* Clear the last parameter in case too few arguments were passed. */
> ++    argv[--argc] = JSVAL_VOID;
> + 
> +     return fs->call(cx, JSVAL_TO_OBJECT(argv[-1]), argc, argv, rval);
> + }
> diff --git a/debian/patches/security/squeeze1/bug-600853-regression-fix-r-brendan-a-clegnitto.patch b/debian/patches/security/squeeze1/bug-600853-regression-fix-r-brendan-a-clegnitto.patch
> new file mode 100644
> index 0000000..aac5016
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/bug-600853-regression-fix-r-brendan-a-clegnitto.patch
> @@ -0,0 +1,21 @@
> +From: Igor Bukanov <igor@mir2.org>
> +Date: Thu, 20 Jan 2011 00:24:55 +0100
> +Subject: bug 600853 - regression fix r=brendan a=clegnitto
> +
> +---
> + js/src/jsgc.cpp |    2 +-
> + 1 files changed, 1 insertions(+), 1 deletions(-)
> +
> +diff --git a/mozilla/js/src/jsgc.cpp b/mozilla/js/src/jsgc.cpp
> +index 44b6098..51ac97e 100644
> +--- a/mozilla/js/src/jsgc.cpp
> ++++ b/mozilla/js/src/jsgc.cpp
> +@@ -947,7 +947,7 @@ NewGCArena(JSContext *cx)
> +     JSGCArenaInfo *a;
> + 
> +     JSRuntime *rt = cx->runtime;
> +-    if (rt->gcBytes >= rt->gcMaxBytes && HAS_TITLES_TO_SHARE(cx))
> ++    if (rt->gcBytes >= rt->gcMaxBytes && !HAS_TITLES_TO_SHARE(cx))
> +         return NULL;
> + 
> + #if CHUNKED_ARENA_ALLOCATION
> diff --git a/debian/patches/security/squeeze1/bug-607160-check-text-length-computations.-r-roc-app.patch b/debian/patches/security/squeeze1/bug-607160-check-text-length-computations.-r-roc-app.patch
> new file mode 100644
> index 0000000..021c21d
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/bug-607160-check-text-length-computations.-r-roc-app.patch
> @@ -0,0 +1,50 @@
> +From: Jonathan Kew <jfkthame@gmail.com>
> +Date: Sat, 1 Jan 2011 15:50:48 +0000
> +Subject: bug 607160 - check text length computations. r=roc approval1.9.1.17=clegnitto
> +
> +---
> + layout/generic/nsTextFrameThebes.cpp |   16 +++++++++++++---
> + 1 files changed, 13 insertions(+), 3 deletions(-)
> +
> +diff --git a/mozilla/layout/generic/nsTextFrameThebes.cpp b/mozilla/layout/generic/nsTextFrameThebes.cpp
> +index 690b689..924e2ca 100644
> +--- a/mozilla/layout/generic/nsTextFrameThebes.cpp
> ++++ b/mozilla/layout/generic/nsTextFrameThebes.cpp
> +@@ -816,6 +816,7 @@ private:
> +   // on the line, or null if there was no previous leaf frame.
> +   nsIFrame*                     mCommonAncestorWithLastFrame;
> +   // mMaxTextLength is an upper bound on the size of the text in all mapped frames
> ++  // The value PR_UINT32_MAX represents overflow; text will be discarded
> +   PRUint32                      mMaxTextLength;
> +   PRPackedBool                  mDoubleByteText;
> +   PRPackedBool                  mBidiEnabled;
> +@@ -1232,8 +1233,11 @@ void BuildTextRunsScanner::FlushFrames(PRBool aFlushLineBreaks, PRBool aSuppress
> +       }
> +     } else {
> +       nsAutoTArray<PRUint8,BIG_TEXT_NODE_SIZE> buffer;
> +-      if (!buffer.AppendElements(mMaxTextLength*(mDoubleByteText ? 2 : 1)))
> ++      PRUint32 bufferSize = mMaxTextLength*(mDoubleByteText ? 2 : 1);
> ++      if (bufferSize < mMaxTextLength || bufferSize == PR_UINT32_MAX ||
> ++          !buffer.AppendElements(bufferSize)) {
> +         return;
> ++      }
> +       textRun = BuildTextRunForFrames(buffer.Elements());
> +     }
> +   }
> +@@ -1277,8 +1281,14 @@ void BuildTextRunsScanner::FlushLineBreaks(gfxTextRun* aTrailingTextRun)
> + 
> + void BuildTextRunsScanner::AccumulateRunInfo(nsTextFrame* aFrame)
> + {
> +-  NS_ASSERTION(mMaxTextLength <= mMaxTextLength + aFrame->GetContentLength(), "integer overflow");
> +-  mMaxTextLength += aFrame->GetContentLength();
> ++  if (mMaxTextLength != PR_UINT32_MAX) {
> ++    NS_ASSERTION(mMaxTextLength < PR_UINT32_MAX - aFrame->GetContentLength(), "integer overflow");
> ++    if (mMaxTextLength >= PR_UINT32_MAX - aFrame->GetContentLength()) {
> ++      mMaxTextLength = PR_UINT32_MAX;
> ++    } else {
> ++      mMaxTextLength += aFrame->GetContentLength();
> ++    }
> ++  }
> +   mDoubleByteText |= aFrame->GetFragment()->Is2b();
> +   mLastFrame = aFrame;
> +   mCommonAncestorWithLastFrame = aFrame->GetParent();
> diff --git a/debian/patches/security/squeeze1/bug-616009-r-gal-a1.9.1.17-clegnitto.patch b/debian/patches/security/squeeze1/bug-616009-r-gal-a1.9.1.17-clegnitto.patch
> new file mode 100644
> index 0000000..9023cee
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/bug-616009-r-gal-a1.9.1.17-clegnitto.patch
> @@ -0,0 +1,23 @@
> +From: Igor Bukanov <igor@mir2.org>
> +Date: Thu, 6 Jan 2011 14:46:43 +0100
> +Subject: bug 616009 r=gal a1.9.1.17=clegnitto
> +
> +---
> + js/src/json.cpp |    4 ++--
> + 1 files changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/mozilla/js/src/json.cpp b/mozilla/js/src/json.cpp
> +index ab91f06..35c0a9e 100644
> +--- a/mozilla/js/src/json.cpp
> ++++ b/mozilla/js/src/json.cpp
> +@@ -267,8 +267,8 @@ JO(JSContext *cx, jsval *vp, StringifyContext *scx)
> +     if (!scx->callback(&c, 1, scx->data))
> +         return JS_FALSE;
> + 
> +-    jsval vec[3] = {JSVAL_NULL, JSVAL_NULL, JSVAL_NULL};
> +-    JSAutoTempValueRooter tvr(cx, 3, vec);
> ++    jsval vec[] = {JSVAL_NULL, JSVAL_NULL, JSVAL_NULL, *vp};
> ++    JSAutoTempValueRooter tvr(cx, JS_ARRAY_LENGTH(vec), vec);
> +     jsval& key = vec[0];
> +     jsval& outputValue = vec[1];
> + 
> diff --git a/debian/patches/security/squeeze1/bug-622015-r-brendan-a-clegnitto.patch b/debian/patches/security/squeeze1/bug-622015-r-brendan-a-clegnitto.patch
> new file mode 100644
> index 0000000..0f3090e
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/bug-622015-r-brendan-a-clegnitto.patch
> @@ -0,0 +1,30 @@
> +From: Igor Bukanov <igor@mir2.org>
> +Date: Wed, 19 Jan 2011 12:05:09 +0100
> +Subject: bug 622015, r=brendan a=clegnitto
> +
> +---
> + js/src/jsinterp.cpp |    4 +++-
> + 1 files changed, 3 insertions(+), 1 deletions(-)
> +
> +diff --git a/mozilla/js/src/jsinterp.cpp b/mozilla/js/src/jsinterp.cpp
> +index 2519e42..6337d50 100644
> +--- a/mozilla/js/src/jsinterp.cpp
> ++++ b/mozilla/js/src/jsinterp.cpp
> +@@ -7200,7 +7200,6 @@ js_Interpret(JSContext *cx)
> +         // Handle other exceptions as if they came from the imacro-calling pc.
> +         regs.pc = fp->imacpc;
> +         fp->imacpc = NULL;
> +-        atoms = script->atomMap.vector;
> +     }
> + 
> +     JS_ASSERT((size_t)((fp->imacpc ? fp->imacpc : regs.pc) - script->code) < script->length);
> +@@ -7223,6 +7222,9 @@ js_Interpret(JSContext *cx)
> +         JSTryNote *tn, *tnlimit;
> +         uint32 offset;
> + 
> ++        /* Restore atoms local in case we will resume. */
> ++        atoms = script->atomMap.vector;
> ++
> +         /* Call debugger throw hook if set. */
> +         handler = cx->debugHooks->throwHook;
> +         if (handler) {
> diff --git a/debian/patches/security/squeeze1/followup-for-bug-602115.-Missed-this-when-I-moved-pa.patch b/debian/patches/security/squeeze1/followup-for-bug-602115.-Missed-this-when-I-moved-pa.patch
> new file mode 100644
> index 0000000..3de056c
> --- /dev/null
> +++ b/debian/patches/security/squeeze1/followup-for-bug-602115.-Missed-this-when-I-moved-pa.patch
> @@ -0,0 +1,27 @@
> +From: Jonas Sicking <jonas@sicking.cc>
> +Date: Wed, 19 Jan 2011 10:13:03 -0800
> +Subject: followup for bug 602115. Missed this when I moved patch to this branch.
> +
> +---
> + content/xslt/src/xslt/txExecutionState.cpp |    4 ++++
> + 1 files changed, 4 insertions(+), 0 deletions(-)
> +
> +diff --git a/mozilla/content/xslt/src/xslt/txExecutionState.cpp b/mozilla/content/xslt/src/xslt/txExecutionState.cpp
> +index a2aa72a..8e00d68 100644
> +--- a/mozilla/content/xslt/src/xslt/txExecutionState.cpp
> ++++ b/mozilla/content/xslt/src/xslt/txExecutionState.cpp
> +@@ -404,10 +404,14 @@ txExecutionState::pushTemplateRule(txStylesheet::ImportFrame* aFrame,
> +                                    txVariableMap* aParams)
> + {
> +     TemplateRule* rule = mTemplateRules.AppendElement();
> ++    NS_ENSURE_TRUE(rule, NS_ERROR_OUT_OF_MEMORY);
> ++
> +     rule->mFrame = aFrame;
> +     rule->mModeNsId = aMode.mNamespaceID;
> +     rule->mModeLocalName = aMode.mLocalName;
> +     rule->mParams = aParams;
> ++
> ++    return NS_OK;
> + }
> + 
> + void
> diff --git a/debian/patches/security/squeeze2/0001-Correctly-fix-up-the-parentage-of-child-sheets-when-.patch b/debian/patches/security/squeeze2/0001-Correctly-fix-up-the-parentage-of-child-sheets-when-.patch
> new file mode 100644
> index 0000000..1af0ea1
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0001-Correctly-fix-up-the-parentage-of-child-sheets-when-.patch
> @@ -0,0 +1,44 @@
> +From ea2511a05e3d8f542ca11ff33ea4218b7c8cc4e7 Mon Sep 17 00:00:00 2001
> +From: L. David Baron <dbaron@dbaron.org>
> +Date: Mon, 24 Jan 2011 12:40:49 -0800
> +Subject: Correctly fix up the parentage of child sheets when removing the
> + primary nsCSSStyleSheet from an nsCSSStyleSheetInner. (Bug 623351)
> + r=bzbarsky a1.9.1.18=dveditz
> +
> +---
> + layout/style/nsCSSStyleSheet.cpp |   12 ++++++++++++
> + 1 files changed, 12 insertions(+), 0 deletions(-)
> +
> +diff --git a/mozilla/layout/style/nsCSSStyleSheet.cpp b/mozilla/layout/style/nsCSSStyleSheet.cpp
> +index 143b1e3..7757551 100644
> +--- a/mozilla/layout/style/nsCSSStyleSheet.cpp
> ++++ b/mozilla/layout/style/nsCSSStyleSheet.cpp
> +@@ -812,6 +812,15 @@ struct ChildSheetListBuilder {
> +     aSheet->mParent = parent;
> +     aSheet->SetOwningDocument(parent->mDocument);
> +   }
> ++
> ++  static void ReparentChildList(nsCSSStyleSheet* aPrimarySheet,
> ++                                nsCSSStyleSheet* aFirstChild)
> ++  {
> ++    for (nsCSSStyleSheet *child = aFirstChild; child; child = child->mNext) {
> ++      child->mParent = aPrimarySheet;
> ++      child->SetOwningDocument(aPrimarySheet->mDocument);
> ++    }
> ++  }
> + };
> +   
> + PRBool
> +@@ -908,6 +917,9 @@ nsCSSStyleSheetInner::RemoveSheet(nsICSSStyleSheet* aSheet)
> +     NS_ASSERTION(mSheets.Count(), "no parents");
> +     mOrderedRules.EnumerateForwards(SetStyleSheetReference,
> +                                     (nsICSSStyleSheet*)mSheets.ElementAt(0));
> ++
> ++    ChildSheetListBuilder::ReparentChildList(static_cast<nsCSSStyleSheet*>(
> ++      (nsICSSStyleSheet*)mSheets.ElementAt(0)), mFirstChild);
> +   }
> +   else {
> +     mSheets.RemoveElement(aSheet);
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0002-Bug-615147.-r-dbaron-a-dveditz.patch b/debian/patches/security/squeeze2/0002-Bug-615147.-r-dbaron-a-dveditz.patch
> new file mode 100644
> index 0000000..e0b0b8a
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0002-Bug-615147.-r-dbaron-a-dveditz.patch
> @@ -0,0 +1,89 @@
> +From 3b1bf18c8d05889803c333e5caceae5437dc686d Mon Sep 17 00:00:00 2001
> +From: Mats Palmgren <matspal@gmail.com>
> +Date: Sun, 30 Jan 2011 03:49:57 +0100
> +Subject: Bug 615147. r=dbaron a=dveditz
> +
> +---
> + xpcom/string/src/nsSubstring.cpp  |    8 +++++++-
> + xpcom/string/src/nsTSubstring.cpp |   25 ++++++++++++++-----------
> + 2 files changed, 21 insertions(+), 12 deletions(-)
> +
> +diff --git a/mozilla/xpcom/string/src/nsSubstring.cpp b/mozilla/xpcom/string/src/nsSubstring.cpp
> +index e697c37..51520ac 100644
> +--- a/mozilla/xpcom/string/src/nsSubstring.cpp
> ++++ b/mozilla/xpcom/string/src/nsSubstring.cpp
> +@@ -199,6 +199,9 @@ nsStringBuffer*
> + nsStringBuffer::Alloc(size_t size)
> +   {
> +     NS_ASSERTION(size != 0, "zero capacity allocation not allowed");
> ++    NS_ASSERTION(sizeof(nsStringBuffer) + size <= size_t(PRUint32(-1)) &&
> ++                 sizeof(nsStringBuffer) + size > size,
> ++                 "mStorageSize will truncate");
> + 
> +     nsStringBuffer *hdr =
> +         (nsStringBuffer *) malloc(sizeof(nsStringBuffer) + size);
> +@@ -219,12 +222,15 @@ nsStringBuffer::Realloc(nsStringBuffer* hdr, size_t size)
> +     STRING_STAT_INCREMENT(Realloc);
> + 
> +     NS_ASSERTION(size != 0, "zero capacity allocation not allowed");
> ++    NS_ASSERTION(sizeof(nsStringBuffer) + size <= size_t(PRUint32(-1)) &&
> ++                 sizeof(nsStringBuffer) + size > size,
> ++                 "mStorageSize will truncate");
> + 
> +     // no point in trying to save ourselves if we hit this assertion
> +     NS_ASSERTION(!hdr->IsReadonly(), "|Realloc| attempted on readonly string");
> + 
> +     // Treat this as a release and addref for refcounting purposes, since we
> +-    // just asserted that the refcound is 1.  If we don't do that, refcount
> ++    // just asserted that the refcount is 1.  If we don't do that, refcount
> +     // logging will claim we've leaked all sorts of stuff.
> +     NS_LOG_RELEASE(hdr, 0, "nsStringBuffer");
> +     
> +diff --git a/mozilla/xpcom/string/src/nsTSubstring.cpp b/mozilla/xpcom/string/src/nsTSubstring.cpp
> +index 8770538..811e9ee 100644
> +--- a/mozilla/xpcom/string/src/nsTSubstring.cpp
> ++++ b/mozilla/xpcom/string/src/nsTSubstring.cpp
> +@@ -97,10 +97,13 @@ nsTSubstring_CharT::MutatePrep( size_type capacity, char_type** oldData, PRUint3
> + 
> +     size_type curCapacity = Capacity();
> + 
> +-    // If |capacity > size_type(-1)/2|, then our doubling algorithm may not be
> ++    // If |capacity > kMaxCapacity|, then our doubling algorithm may not be
> +     // able to allocate it.  Just bail out in cases like that.  We don't want
> +     // to be allocating 2GB+ strings anyway.
> +-    if (capacity > size_type(-1)/2) {
> ++    PR_STATIC_ASSERT((sizeof(nsStringBuffer) & 0x1) == 0);
> ++    const size_type kMaxCapacity =
> ++      (size_type(-1)/2 - sizeof(nsStringBuffer)) / sizeof(char_type) - 2;
> ++    if (capacity > kMaxCapacity) {
> +       // Also assert for |capacity| equal to |size_type(-1)|, since we use that value to
> +       // flag immutability.
> +       NS_ASSERTION(capacity != size_type(-1), "Bogus capacity");
> +@@ -118,15 +121,15 @@ nsTSubstring_CharT::MutatePrep( size_type capacity, char_type** oldData, PRUint3
> +           return PR_TRUE;
> +         }
> + 
> +-        if (curCapacity > 0)
> +-          {
> +-            // use doubling algorithm when forced to increase available
> +-            // capacity.
> +-            PRUint32 temp = curCapacity;
> +-            while (temp < capacity)
> +-              temp <<= 1;
> +-            capacity = temp;
> +-          }
> ++        if (curCapacity > 0) {
> ++          // Use doubling algorithm when forced to increase available capacity.
> ++          size_type temp = curCapacity;
> ++          while (temp < capacity)
> ++            temp <<= 1;
> ++          NS_ASSERTION(NS_MIN(temp, kMaxCapacity) >= capacity,
> ++                       "should have hit the early return at the top");
> ++          capacity = NS_MIN(temp, kMaxCapacity);
> ++        }
> +       }
> + 
> +     //
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0003-Bug-595593.-r-vlad-a-b.patch b/debian/patches/security/squeeze2/0003-Bug-595593.-r-vlad-a-b.patch
> new file mode 100644
> index 0000000..af27004
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0003-Bug-595593.-r-vlad-a-b.patch
> @@ -0,0 +1,37 @@
> +From 0f0e669eedc3d193cdadbc16ce8a4497fe4c45c1 Mon Sep 17 00:00:00 2001
> +From: Chris Jones <jones.chris.g@gmail.com>
> +Date: Mon, 31 Jan 2011 13:34:06 -0600
> +Subject: Bug 595593. r=vlad a=b
> +
> +---
> + content/canvas/src/nsCanvasRenderingContext2D.cpp |    7 ++++++-
> + 1 files changed, 6 insertions(+), 1 deletions(-)
> +
> +diff --git a/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp b/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp
> +index e446d4d..e63f9ff 100644
> +--- a/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp
> ++++ b/mozilla/content/canvas/src/nsCanvasRenderingContext2D.cpp
> +@@ -911,6 +911,9 @@ nsCanvasRenderingContext2D::SetDimensions(PRInt32 width, PRInt32 height)
> +     mSaveCount = 0;
> + 
> +     ContextState *state = mStyleStack.AppendElement();
> ++    if (!state) {
> ++        return NS_ERROR_OUT_OF_MEMORY;
> ++    }
> +     state->globalAlpha = 1.0;
> + 
> +     state->colorStyles[STYLE_FILL] = NS_RGB(0,0,0);
> +@@ -1075,7 +1078,9 @@ NS_IMETHODIMP
> + nsCanvasRenderingContext2D::Save()
> + {
> +     ContextState state = CurrentState();
> +-    mStyleStack.AppendElement(state);
> ++    if (!mStyleStack.AppendElement(state)) {
> ++        return NS_ERROR_OUT_OF_MEMORY;
> ++    }
> +     mThebes->Save();
> +     mSaveCount++;
> +     return NS_OK;
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0004-Bug-624187-r-smaug-a-dveditz.patch b/debian/patches/security/squeeze2/0004-Bug-624187-r-smaug-a-dveditz.patch
> new file mode 100644
> index 0000000..0a919de
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0004-Bug-624187-r-smaug-a-dveditz.patch
> @@ -0,0 +1,218 @@
> +From 0f9134b0c33a5c08bd1043de0215116338f57efd Mon Sep 17 00:00:00 2001
> +From: Mounir Lamouri <mounir.lamouri@gmail.com>
> +Date: Tue, 1 Feb 2011 11:17:39 +0100
> +Subject: Bug 624187 - r=smaug a=dveditz
> +
> +---
> + docshell/base/nsDocShellEnumerator.cpp |   59 ++++++++++++++------------------
> + docshell/base/nsDocShellEnumerator.h   |   19 ++++++----
> + 2 files changed, 37 insertions(+), 41 deletions(-)
> +
> +diff --git a/mozilla/docshell/base/nsDocShellEnumerator.cpp b/mozilla/docshell/base/nsDocShellEnumerator.cpp
> +index ad1074b..2866457 100644
> +--- a/mozilla/docshell/base/nsDocShellEnumerator.cpp
> ++++ b/mozilla/docshell/base/nsDocShellEnumerator.cpp
> +@@ -44,16 +44,15 @@
> + 
> + nsDocShellEnumerator::nsDocShellEnumerator(PRInt32 inEnumerationDirection)
> + : mRootItem(nsnull)
> +-, mItemArray(nsnull)
> + , mCurIndex(0)
> + , mDocShellType(nsIDocShellTreeItem::typeAll)
> ++, mArrayValid(PR_FALSE)
> + , mEnumerationDirection(inEnumerationDirection)
> + {
> + }
> + 
> + nsDocShellEnumerator::~nsDocShellEnumerator()
> + {
> +-  delete mItemArray;
> + }
> + 
> + NS_IMPL_ISUPPORTS1(nsDocShellEnumerator, nsISimpleEnumerator)
> +@@ -68,18 +67,14 @@ NS_IMETHODIMP nsDocShellEnumerator::GetNext(nsISupports **outCurItem)
> +   nsresult rv = EnsureDocShellArray();
> +   if (NS_FAILED(rv)) return rv;
> +   
> +-  if (mCurIndex >= 0 && mCurIndex < mItemArray->Count())
> +-  {
> +-    nsIDocShellTreeItem* thisItem = reinterpret_cast<nsIDocShellTreeItem*>(mItemArray->ElementAt(mCurIndex));
> +-    rv = thisItem->QueryInterface(NS_GET_IID(nsISupports), (void **)outCurItem);
> +-    if (NS_FAILED(rv)) return rv;
> +-  }
> +-  else
> ++  if (mCurIndex >= mItemArray.Length()) {
> +     return NS_ERROR_FAILURE;
> +-  
> +-  mCurIndex ++;
> +-  
> +-  return NS_OK;
> ++  }
> ++
> ++  // post-increment is important here
> ++  nsCOMPtr<nsISupports> item = do_QueryReferent(mItemArray[mCurIndex++], &rv);
> ++  item.forget(outCurItem);
> ++  return rv;
> + }
> + 
> + /* boolean hasMoreElements (); */
> +@@ -91,21 +86,21 @@ NS_IMETHODIMP nsDocShellEnumerator::HasMoreElements(PRBool *outHasMore)
> +   nsresult rv = EnsureDocShellArray();
> +   if (NS_FAILED(rv)) return rv;
> + 
> +-  *outHasMore = (mCurIndex < mItemArray->Count());
> ++  *outHasMore = (mCurIndex < mItemArray.Length());
> +   return NS_OK;
> + }
> + 
> + nsresult nsDocShellEnumerator::GetEnumerationRootItem(nsIDocShellTreeItem * *aEnumerationRootItem)
> + {
> +   NS_ENSURE_ARG_POINTER(aEnumerationRootItem);
> +-  *aEnumerationRootItem = mRootItem;
> +-  NS_IF_ADDREF(*aEnumerationRootItem);
> ++  nsCOMPtr<nsIDocShellTreeItem> item = do_QueryReferent(mRootItem);
> ++  item.forget(aEnumerationRootItem);
> +   return NS_OK;
> + }
> + 
> + nsresult nsDocShellEnumerator::SetEnumerationRootItem(nsIDocShellTreeItem * aEnumerationRootItem)
> + {
> +-  mRootItem = aEnumerationRootItem;
> ++  mRootItem = do_GetWeakReference(aEnumerationRootItem);
> +   ClearState();
> +   return NS_OK;
> + }
> +@@ -132,12 +127,10 @@ nsresult nsDocShellEnumerator::First()
> + 
> + nsresult nsDocShellEnumerator::EnsureDocShellArray()
> + {
> +-  if (!mItemArray)
> ++  if (!mArrayValid)
> +   {
> +-    mItemArray = new nsVoidArray;
> +-    if (!mItemArray) return NS_ERROR_OUT_OF_MEMORY;
> +-  
> +-    return BuildDocShellArray(*mItemArray);
> ++    mArrayValid = PR_TRUE;
> ++    return BuildDocShellArray(mItemArray);
> +   }
> +   
> +   return NS_OK;
> +@@ -145,21 +138,21 @@ nsresult nsDocShellEnumerator::EnsureDocShellArray()
> + 
> + nsresult nsDocShellEnumerator::ClearState()
> + {
> +-  delete mItemArray;
> +-  mItemArray = nsnull;
> +-  
> ++  mItemArray.Clear();
> ++  mArrayValid = PR_FALSE;
> +   mCurIndex = 0;
> +   return NS_OK;
> + }
> + 
> +-nsresult nsDocShellEnumerator::BuildDocShellArray(nsVoidArray& inItemArray)
> ++nsresult nsDocShellEnumerator::BuildDocShellArray(nsTArray<nsWeakPtr>& inItemArray)
> + {
> +   NS_ENSURE_TRUE(mRootItem, NS_ERROR_NOT_INITIALIZED);
> +   inItemArray.Clear();
> +-  return BuildArrayRecursive(mRootItem, inItemArray);
> ++  nsCOMPtr<nsIDocShellTreeItem> item = do_QueryReferent(mRootItem);
> ++  return BuildArrayRecursive(item, inItemArray);
> + }
> + 
> +-nsresult nsDocShellForwardsEnumerator::BuildArrayRecursive(nsIDocShellTreeItem* inItem, nsVoidArray& inItemArray)
> ++nsresult nsDocShellForwardsEnumerator::BuildArrayRecursive(nsIDocShellTreeItem* inItem, nsTArray<nsWeakPtr>& inItemArray)
> + {
> +   nsresult rv;
> +   nsCOMPtr<nsIDocShellTreeNode> itemAsNode = do_QueryInterface(inItem, &rv);
> +@@ -170,8 +163,8 @@ nsresult nsDocShellForwardsEnumerator::BuildArrayRecursive(nsIDocShellTreeItem*
> +   if ((mDocShellType == nsIDocShellTreeItem::typeAll) ||
> +       (NS_SUCCEEDED(inItem->GetItemType(&itemType)) && (itemType == mDocShellType)))
> +   {
> +-    rv = inItemArray.AppendElement((void *)inItem);
> +-    if (NS_FAILED(rv)) return rv;
> ++    if (!inItemArray.AppendElement(do_GetWeakReference(inItem)))
> ++      return NS_ERROR_OUT_OF_MEMORY;
> +   }
> + 
> +   PRInt32   numChildren;
> +@@ -192,7 +185,7 @@ nsresult nsDocShellForwardsEnumerator::BuildArrayRecursive(nsIDocShellTreeItem*
> + }
> + 
> + 
> +-nsresult nsDocShellBackwardsEnumerator::BuildArrayRecursive(nsIDocShellTreeItem* inItem, nsVoidArray& inItemArray)
> ++nsresult nsDocShellBackwardsEnumerator::BuildArrayRecursive(nsIDocShellTreeItem* inItem, nsTArray<nsWeakPtr>& inItemArray)
> + {
> +   nsresult rv;
> +   nsCOMPtr<nsIDocShellTreeNode> itemAsNode = do_QueryInterface(inItem, &rv);
> +@@ -217,8 +210,8 @@ nsresult nsDocShellBackwardsEnumerator::BuildArrayRecursive(nsIDocShellTreeItem*
> +   if ((mDocShellType == nsIDocShellTreeItem::typeAll) ||
> +       (NS_SUCCEEDED(inItem->GetItemType(&itemType)) && (itemType == mDocShellType)))
> +   {
> +-    rv = inItemArray.AppendElement((void *)inItem);
> +-    if (NS_FAILED(rv)) return rv;
> ++    if (!inItemArray.AppendElement(do_GetWeakReference(inItem)))
> ++      return NS_ERROR_OUT_OF_MEMORY;
> +   }
> + 
> + 
> +diff --git a/mozilla/docshell/base/nsDocShellEnumerator.h b/mozilla/docshell/base/nsDocShellEnumerator.h
> +index aa4758a..eba2213 100644
> +--- a/mozilla/docshell/base/nsDocShellEnumerator.h
> ++++ b/mozilla/docshell/base/nsDocShellEnumerator.h
> +@@ -42,7 +42,9 @@
> + #include "nsIEnumerator.h"
> + 
> + #include "nsCOMPtr.h"
> +-#include "nsVoidArray.h"
> ++#include "nsTArray.h"
> ++#include "nsIWeakReference.h"
> ++#include "nsIWeakReferenceUtils.h"
> + 
> + class nsIDocShellTreeItem;
> + 
> +@@ -98,17 +100,18 @@ protected:
> +   nsresult                    EnsureDocShellArray();
> +   nsresult                    ClearState();
> +   
> +-  nsresult                    BuildDocShellArray(nsVoidArray& inItemArray);
> +-  virtual nsresult            BuildArrayRecursive(nsIDocShellTreeItem* inItem, nsVoidArray& inItemArray) = 0;
> ++  nsresult                    BuildDocShellArray(nsTArray<nsWeakPtr>& inItemArray);
> ++  virtual nsresult            BuildArrayRecursive(nsIDocShellTreeItem* inItem, nsTArray<nsWeakPtr>& inItemArray) = 0;
> +     
> + protected:
> + 
> +-  nsIDocShellTreeItem*        mRootItem;      // weak ref!
> ++  nsWeakPtr                   mRootItem;      // weak ref!
> +   
> +-  nsVoidArray*                mItemArray;     // flattened list of items with matching type
> +-  PRInt32                     mCurIndex;
> ++  nsTArray<nsWeakPtr>         mItemArray;     // flattened list of items with matching type
> ++  PRUint32                    mCurIndex;
> +   
> +   PRInt32                     mDocShellType;  // only want shells of this type
> ++  PRPackedBool                mArrayValid;    // is mItemArray up to date?
> + 
> +   const PRInt8                mEnumerationDirection;
> + };
> +@@ -125,7 +128,7 @@ public:
> + 
> + protected:
> + 
> +-  virtual nsresult            BuildArrayRecursive(nsIDocShellTreeItem* inItem, nsVoidArray& inItemArray);
> ++  virtual nsresult            BuildArrayRecursive(nsIDocShellTreeItem* inItem, nsTArray<nsWeakPtr>& inItemArray);
> + 
> + };
> + 
> +@@ -139,6 +142,6 @@ public:
> +                               }
> + protected:
> + 
> +-  virtual nsresult            BuildArrayRecursive(nsIDocShellTreeItem* inItem, nsVoidArray& inItemArray);
> ++  virtual nsresult            BuildArrayRecursive(nsIDocShellTreeItem* inItem, nsTArray<nsWeakPtr>& inItemArray);
> + 
> + };
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0005-Issue-console-warning-when-we-abort-reflow-because-t.patch b/debian/patches/security/squeeze2/0005-Issue-console-warning-when-we-abort-reflow-because-t.patch
> new file mode 100644
> index 0000000..e66fc1f
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0005-Issue-console-warning-when-we-abort-reflow-because-t.patch
> @@ -0,0 +1,67 @@
> +From 7c4a4868ae7c33de41519fd5b74510ef9bf1167d Mon Sep 17 00:00:00 2001
> +From: L. David Baron <dbaron@dbaron.org>
> +Date: Wed, 2 Feb 2011 11:05:09 -0800
> +Subject: Issue console warning when we abort reflow because the frame tree is
> + too deep. (Bug 619021) r=roc a1.9.1.18=dveditz
> +
> +---
> + layout/generic/nsBlockFrame.cpp  |    9 ---------
> + layout/generic/nsFrame.cpp       |    1 +
> + layout/generic/nsInlineFrame.cpp |    9 ---------
> + 3 files changed, 1 insertions(+), 18 deletions(-)
> +
> +diff --git a/mozilla/layout/generic/nsBlockFrame.cpp b/mozilla/layout/generic/nsBlockFrame.cpp
> +index 79e21f1..acd695b 100644
> +--- a/mozilla/layout/generic/nsBlockFrame.cpp
> ++++ b/mozilla/layout/generic/nsBlockFrame.cpp
> +@@ -909,15 +909,6 @@ nsBlockFrame::Reflow(nsPresContext*           aPresContext,
> +   ClearLineCursor();
> + 
> +   if (IsFrameTreeTooDeep(aReflowState, aMetrics)) {
> +-#ifdef DEBUG_kipp
> +-    {
> +-      extern char* nsPresShell_ReflowStackPointerTop;
> +-      char marker;
> +-      char* newsp = (char*) &marker;
> +-      printf("XXX: frame tree is too deep; approx stack size = %d\n",
> +-             nsPresShell_ReflowStackPointerTop - newsp);
> +-    }
> +-#endif
> +     aStatus = NS_FRAME_COMPLETE;
> +     return NS_OK;
> +   }
> +diff --git a/mozilla/layout/generic/nsFrame.cpp b/mozilla/layout/generic/nsFrame.cpp
> +index 66bdbd4..31e8d9f 100644
> +--- a/mozilla/layout/generic/nsFrame.cpp
> ++++ b/mozilla/layout/generic/nsFrame.cpp
> +@@ -4059,6 +4059,7 @@ nsFrame::IsFrameTreeTooDeep(const nsHTMLReflowState& aReflowState,
> +                             nsHTMLReflowMetrics& aMetrics)
> + {
> +   if (aReflowState.mReflowDepth >  MAX_FRAME_DEPTH) {
> ++    NS_WARNING("frame tree too deep; setting zero size and returning");
> +     mState |= NS_FRAME_TOO_DEEP_IN_FRAME_TREE;
> +     mState &= ~NS_FRAME_OUTSIDE_CHILDREN;
> +     aMetrics.width = 0;
> +diff --git a/mozilla/layout/generic/nsInlineFrame.cpp b/mozilla/layout/generic/nsInlineFrame.cpp
> +index c6c76e3..d156d05 100644
> +--- a/mozilla/layout/generic/nsInlineFrame.cpp
> ++++ b/mozilla/layout/generic/nsInlineFrame.cpp
> +@@ -364,15 +364,6 @@ nsInlineFrame::Reflow(nsPresContext*          aPresContext,
> +   }
> + 
> +   if (IsFrameTreeTooDeep(aReflowState, aMetrics)) {
> +-#ifdef DEBUG_kipp
> +-    {
> +-      extern char* nsPresShell_ReflowStackPointerTop;
> +-      char marker;
> +-      char* newsp = (char*) &marker;
> +-      printf("XXX: frame tree is too deep; approx stack size = %d\n",
> +-             nsPresShell_ReflowStackPointerTop - newsp);
> +-    }
> +-#endif
> +     aStatus = NS_FRAME_COMPLETE;
> +     return NS_OK;
> +   }
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0006-Report-incomplete-reflow-status-as-appropriate-when-.patch b/debian/patches/security/squeeze2/0006-Report-incomplete-reflow-status-as-appropriate-when-.patch
> new file mode 100644
> index 0000000..c40afdb
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0006-Report-incomplete-reflow-status-as-appropriate-when-.patch
> @@ -0,0 +1,100 @@
> +From 99686205983f9f546604f356c3591299dceea110 Mon Sep 17 00:00:00 2001
> +From: L. David Baron <dbaron@dbaron.org>
> +Date: Wed, 2 Feb 2011 11:05:09 -0800
> +Subject: Report incomplete reflow status as appropriate when frame tree is
> + too deep. (Bug 619021) r=roc a1.9.1.18=dveditz
> +
> +---
> + layout/generic/nsBlockFrame.cpp  |    3 +--
> + layout/generic/nsFrame.cpp       |   13 ++++++++++++-
> + layout/generic/nsFrame.h         |   13 +++++++------
> + layout/generic/nsInlineFrame.cpp |    3 +--
> + 4 files changed, 21 insertions(+), 11 deletions(-)
> +
> +diff --git a/mozilla/layout/generic/nsBlockFrame.cpp b/mozilla/layout/generic/nsBlockFrame.cpp
> +index acd695b..f045fc9 100644
> +--- a/mozilla/layout/generic/nsBlockFrame.cpp
> ++++ b/mozilla/layout/generic/nsBlockFrame.cpp
> +@@ -908,8 +908,7 @@ nsBlockFrame::Reflow(nsPresContext*           aPresContext,
> +   // and we may even delete the line with the line cursor.
> +   ClearLineCursor();
> + 
> +-  if (IsFrameTreeTooDeep(aReflowState, aMetrics)) {
> +-    aStatus = NS_FRAME_COMPLETE;
> ++  if (IsFrameTreeTooDeep(aReflowState, aMetrics, aStatus)) {
> +     return NS_OK;
> +   }
> + 
> +diff --git a/mozilla/layout/generic/nsFrame.cpp b/mozilla/layout/generic/nsFrame.cpp
> +index 31e8d9f..9a2d23c 100644
> +--- a/mozilla/layout/generic/nsFrame.cpp
> ++++ b/mozilla/layout/generic/nsFrame.cpp
> +@@ -4056,7 +4056,8 @@ nsIFrame::CheckInvalidateSizeChange(const nsRect& aOldRect,
> + 
> + PRBool
> + nsFrame::IsFrameTreeTooDeep(const nsHTMLReflowState& aReflowState,
> +-                            nsHTMLReflowMetrics& aMetrics)
> ++                            nsHTMLReflowMetrics& aMetrics,
> ++                            nsReflowStatus& aStatus)
> + {
> +   if (aReflowState.mReflowDepth >  MAX_FRAME_DEPTH) {
> +     NS_WARNING("frame tree too deep; setting zero size and returning");
> +@@ -4070,6 +4071,16 @@ nsFrame::IsFrameTreeTooDeep(const nsHTMLReflowState& aReflowState,
> +     aMetrics.mOverflowArea.y = 0;
> +     aMetrics.mOverflowArea.width = 0;
> +     aMetrics.mOverflowArea.height = 0;
> ++
> ++    if (GetNextInFlow()) {
> ++      // Reflow depth might vary between reflows, so we might have
> ++      // successfully reflowed and split this frame before.  If so, we
> ++      // shouldn't delete its continuations.
> ++      aStatus = NS_FRAME_NOT_COMPLETE;
> ++    } else {
> ++      aStatus = NS_FRAME_COMPLETE;
> ++    }
> ++
> +     return PR_TRUE;
> +   }
> +   mState &= ~NS_FRAME_TOO_DEEP_IN_FRAME_TREE;
> +diff --git a/mozilla/layout/generic/nsFrame.h b/mozilla/layout/generic/nsFrame.h
> +index 334ddd0..7ae5cb9 100644
> +--- a/mozilla/layout/generic/nsFrame.h
> ++++ b/mozilla/layout/generic/nsFrame.h
> +@@ -388,13 +388,14 @@ public:
> +    */
> +   void CheckInvalidateSizeChange(nsHTMLReflowMetrics&     aNewDesiredSize);
> + 
> +-  // Helper function that tests if the frame tree is too deep; if it
> +-  // is it marks the frame as "unflowable" and zeros out the metrics
> +-  // and returns PR_TRUE. Otherwise, the frame is unmarked
> +-  // "unflowable" and the metrics are not touched and PR_FALSE is
> +-  // returned.
> ++  // Helper function that tests if the frame tree is too deep; if it is
> ++  // it marks the frame as "unflowable", zeroes out the metrics, sets
> ++  // the reflow status, and returns PR_TRUE. Otherwise, the frame is
> ++  // unmarked "unflowable" and the metrics and reflow status are not
> ++  // touched and PR_FALSE is returned.
> +   PRBool IsFrameTreeTooDeep(const nsHTMLReflowState& aReflowState,
> +-                            nsHTMLReflowMetrics& aMetrics);
> ++                            nsHTMLReflowMetrics& aMetrics,
> ++                            nsReflowStatus& aStatus);
> + 
> +   // Do the work for getting the parent style context frame so that
> +   // other frame's |GetParentStyleContextFrame| methods can call this
> +diff --git a/mozilla/layout/generic/nsInlineFrame.cpp b/mozilla/layout/generic/nsInlineFrame.cpp
> +index d156d05..b0a55ec 100644
> +--- a/mozilla/layout/generic/nsInlineFrame.cpp
> ++++ b/mozilla/layout/generic/nsInlineFrame.cpp
> +@@ -363,8 +363,7 @@ nsInlineFrame::Reflow(nsPresContext*          aPresContext,
> +     }
> +   }
> + 
> +-  if (IsFrameTreeTooDeep(aReflowState, aMetrics)) {
> +-    aStatus = NS_FRAME_COMPLETE;
> ++  if (IsFrameTreeTooDeep(aReflowState, aMetrics, aStatus)) {
> +     return NS_OK;
> +   }
> + 
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0007-Fix-bug-624764.-r-bsmedberg-a-clegnitto.patch b/debian/patches/security/squeeze2/0007-Fix-bug-624764.-r-bsmedberg-a-clegnitto.patch
> new file mode 100644
> index 0000000..a09d1bb
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0007-Fix-bug-624764.-r-bsmedberg-a-clegnitto.patch
> @@ -0,0 +1,48 @@
> +From 695441f268c39b7cfdd2a54275a1999b0f5b92a2 Mon Sep 17 00:00:00 2001
> +From: Dan Witte <dwitte@mozilla.com>
> +Date: Wed, 2 Feb 2011 14:50:11 -0800
> +Subject: Fix bug 624764. r=bsmedberg, a=clegnitto
> +
> +---
> + netwerk/protocol/res/src/nsResProtocolHandler.cpp |   14 +++++---------
> + 1 files changed, 5 insertions(+), 9 deletions(-)
> +
> +diff --git a/mozilla/netwerk/protocol/res/src/nsResProtocolHandler.cpp b/mozilla/netwerk/protocol/res/src/nsResProtocolHandler.cpp
> +index daf984b..3ea3c05 100644
> +--- a/mozilla/netwerk/protocol/res/src/nsResProtocolHandler.cpp
> ++++ b/mozilla/netwerk/protocol/res/src/nsResProtocolHandler.cpp
> +@@ -348,10 +348,6 @@ nsResProtocolHandler::ResolveURI(nsIURI *uri, nsACString &result)
> + {
> +     nsresult rv;
> + 
> +-    nsCOMPtr<nsIURL> url(do_QueryInterface(uri));
> +-    if (!url)
> +-        return NS_NOINTERFACE;
> +-
> +     nsCAutoString host;
> +     nsCAutoString path;
> + 
> +@@ -361,15 +357,15 @@ nsResProtocolHandler::ResolveURI(nsIURI *uri, nsACString &result)
> +     rv = uri->GetPath(path);
> +     if (NS_FAILED(rv)) return rv;
> + 
> +-    nsCAutoString filepath;
> +-    url->GetFilePath(filepath);
> ++    // Unescape the path so we can perform some checks on it.
> ++    nsCAutoString unescapedPath(path);
> ++    NS_UnescapeURL(unescapedPath);
> + 
> +     // Don't misinterpret the filepath as an absolute URI.
> +-    if (filepath.FindChar(':') != -1)
> ++    if (unescapedPath.FindChar(':') != -1)
> +         return NS_ERROR_MALFORMED_URI;
> + 
> +-    NS_UnescapeURL(filepath);
> +-    if (filepath.FindChar('\\') != -1)
> ++    if (unescapedPath.FindChar('\\') != -1)
> +         return NS_ERROR_MALFORMED_URI;
> + 
> +     const char *p = path.get() + 1; // path always starts with a slash
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0008-Bug-527935-Fire-the-input-event-for-text-controls-wi.patch b/debian/patches/security/squeeze2/0008-Bug-527935-Fire-the-input-event-for-text-controls-wi.patch
> new file mode 100644
> index 0000000..970f0c6
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0008-Bug-527935-Fire-the-input-event-for-text-controls-wi.patch
> @@ -0,0 +1,588 @@
> +From 0cb5a370263fb2c40966ca5abd6f54215c344af4 Mon Sep 17 00:00:00 2001
> +From: Ehsan Akhgari <ehsan@mozilla.com>
> +Date: Tue, 7 Dec 2010 01:30:05 -0500
> +Subject: Bug 527935 - Fire the input event for text controls with the correct
> + trusted-ness status; r=roc a=LegNeato
> +
> +---
> + editor/idl/nsIEditor.idl                           |   11 +++
> + editor/libeditor/base/nsEditor.cpp                 |   28 ++++++
> + editor/libeditor/base/nsEditor.h                   |   32 +++++++-
> + editor/libeditor/text/nsEditorEventListeners.cpp   |   23 +++++
> + editor/libeditor/text/nsPlaintextDataTransfer.cpp  |    2 +
> + editor/libeditor/text/nsPlaintextEditor.cpp        |    8 ++
> + editor/libeditor/text/tests/Makefile.in            |    2 +
> + editor/libeditor/text/tests/test_bug527935.html    |   94 ++++++++++++++++++++
> + editor/libeditor/text/tests/test_bug625452.html    |   67 ++++++++++++++
> + layout/forms/nsTextControlFrame.cpp                |   10 ++-
> + layout/forms/nsTextControlFrame.h                  |    2 +-
> + .../components/satchel/test/test_bug_511615.html   |   24 ++---
> + 12 files changed, 283 insertions(+), 20 deletions(-)
> + create mode 100644 editor/libeditor/text/tests/test_bug527935.html
> + create mode 100644 editor/libeditor/text/tests/test_bug625452.html
> +
> +diff --git a/mozilla/editor/idl/nsIEditor.idl b/mozilla/editor/idl/nsIEditor.idl
> +index 7966abb..a125ab1 100644
> +--- a/mozilla/editor/idl/nsIEditor.idl
> ++++ b/mozilla/editor/idl/nsIEditor.idl
> +@@ -571,3 +571,14 @@ interface nsIEditor  : nsISupports
> +   /* checks if a node is read-only or not */
> +   [notxpcom] boolean isModifiableNode(in nsIDOMNode aNode);
> + };
> ++
> ++[uuid(a9ddee78-f5d2-43f1-9d91-d2124ba40d81)]
> ++interface nsIEditor_MOZILLA_1_9_2_BRANCH : nsISupports
> ++{
> ++  /**
> ++   * Will be set to true if the last keypress event that the editor has handled
> ++   * has been trusted.  The value will only be valid when the edit action listeners
> ++   * are being called, and will throw upon access at all other times.
> ++   */
> ++  readonly attribute boolean lastKeypressEventTrusted;
> ++};
> +diff --git a/mozilla/editor/libeditor/base/nsEditor.cpp b/mozilla/editor/libeditor/base/nsEditor.cpp
> +index cb11a84..4f1172b 100644
> +--- a/mozilla/editor/libeditor/base/nsEditor.cpp
> ++++ b/mozilla/editor/libeditor/base/nsEditor.cpp
> +@@ -113,6 +113,7 @@
> + #include "nsINameSpaceManager.h"
> + #include "nsIHTMLDocument.h"
> + #include "nsIParserService.h"
> ++#include "nsIDOMNSEvent.h"
> + 
> + #define NS_ERROR_EDITOR_NO_SELECTION NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_EDITOR,1)
> + #define NS_ERROR_EDITOR_NO_TEXTNODE  NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_EDITOR,2)
> +@@ -155,6 +156,7 @@ nsEditor::nsEditor()
> + ,  mDocDirtyState(-1)
> + ,  mDocWeak(nsnull)
> + ,  mPhonetic(nsnull)
> ++,  mLastKeypressEventWasTrusted(eTriUnset)
> + {
> +   //initialize member variables here
> + }
> +@@ -207,6 +209,7 @@ NS_IMPL_CYCLE_COLLECTION_TRAVERSE_BEGIN(nsEditor)
> + NS_IMPL_CYCLE_COLLECTION_TRAVERSE_END
> + 
> + NS_INTERFACE_MAP_BEGIN_CYCLE_COLLECTION(nsEditor)
> ++ NS_INTERFACE_MAP_ENTRY(nsIEditor_MOZILLA_1_9_2_BRANCH)
> +  NS_INTERFACE_MAP_ENTRY(nsIMutationObserver)
> +  NS_INTERFACE_MAP_ENTRY(nsIPhonetic)
> +  NS_INTERFACE_MAP_ENTRY(nsISupportsWeakReference)
> +@@ -5386,3 +5389,28 @@ nsEditor::IsModifiableNode(nsIDOMNode *aNode)
> + {
> +   return PR_TRUE;
> + }
> ++
> ++NS_IMETHODIMP
> ++nsEditor::GetLastKeypressEventTrusted(PRBool *aWasTrusted)
> ++{
> ++  NS_ENSURE_ARG_POINTER(aWasTrusted);
> ++
> ++  if (mLastKeypressEventWasTrusted == eTriUnset) {
> ++    return NS_ERROR_UNEXPECTED;
> ++  }
> ++
> ++  *aWasTrusted = (mLastKeypressEventWasTrusted == eTriTrue);
> ++  return NS_OK;
> ++}
> ++
> ++void
> ++nsEditor::BeginKeypressHandling(nsIDOMNSEvent* aEvent)
> ++{
> ++  NS_ASSERTION(mLastKeypressEventWasTrusted == eTriUnset, "How come our status is not clear?");
> ++
> ++  if (aEvent) {
> ++    PRBool isTrusted = PR_FALSE;
> ++    aEvent->GetIsTrusted(&isTrusted);
> ++    mLastKeypressEventWasTrusted = isTrusted ? eTriTrue : eTriFalse;
> ++  }
> ++}
> +diff --git a/mozilla/editor/libeditor/base/nsEditor.h b/mozilla/editor/libeditor/base/nsEditor.h
> +index 8e602f9..fcf7437 100644
> +--- a/mozilla/editor/libeditor/base/nsEditor.h
> ++++ b/mozilla/editor/libeditor/base/nsEditor.h
> +@@ -86,6 +86,7 @@ class RemoveStyleSheetTxn;
> + class nsIFile;
> + class nsISelectionController;
> + class nsIDOMEventTarget;
> ++class nsIDOMNSEvent;
> + 
> + #define kMOZEditorBogusNodeAttr NS_LITERAL_STRING("_moz_editor_bogus_node")
> + #define kMOZEditorBogusNodeValue NS_LITERAL_STRING("TRUE")
> +@@ -99,7 +100,8 @@ class nsEditor : public nsIEditor,
> +                  public nsIEditorIMESupport,
> +                  public nsSupportsWeakReference,
> +                  public nsIPhonetic,
> +-                 public nsStubMutationObserver
> ++                 public nsStubMutationObserver,
> ++                 public nsIEditor_MOZILLA_1_9_2_BRANCH
> + {
> + public:
> + 
> +@@ -159,6 +161,9 @@ public:
> +   NS_DECL_NSIMUTATIONOBSERVER_CONTENTINSERTED
> +   NS_DECL_NSIMUTATIONOBSERVER_CONTENTREMOVED
> + 
> ++  // nsIEditor_MOZILLA_1_9_2_BRANCH
> ++  NS_DECL_NSIEDITOR_MOZILLA_1_9_2_BRANCH
> ++
> + public:
> + 
> +   
> +@@ -197,6 +202,29 @@ public:
> +   */
> +   nsresult CreateHTMLContent(const nsAString& aTag, nsIContent** aContent);
> + 
> ++  void BeginKeypressHandling() { mLastKeypressEventWasTrusted = eTriTrue; }
> ++  void BeginKeypressHandling(nsIDOMNSEvent* aEvent);
> ++  void EndKeypressHandling() { mLastKeypressEventWasTrusted = eTriUnset; }
> ++
> ++  class FireTrustedInputEvent {
> ++  public:
> ++    explicit FireTrustedInputEvent(nsEditor* aSelf, PRBool aActive = PR_TRUE)
> ++      : mEditor(aSelf)
> ++      , mShouldAct(aActive && mEditor->mLastKeypressEventWasTrusted == eTriUnset) {
> ++      if (mShouldAct) {
> ++        mEditor->BeginKeypressHandling();
> ++      }
> ++    }
> ++    ~FireTrustedInputEvent() {
> ++      if (mShouldAct) {
> ++        mEditor->EndKeypressHandling();
> ++      }
> ++    }
> ++  private:
> ++    nsEditor* mEditor;
> ++    PRBool mShouldAct;
> ++  };
> ++
> + protected:
> +   nsCString mContentMIMEType;       // MIME type of the doc we are editing.
> + 
> +@@ -644,6 +672,8 @@ protected:
> +   nsCOMPtr<nsIDOMEventListener> mDragListenerP;
> +   nsCOMPtr<nsIDOMEventListener> mFocusListenerP;
> + 
> ++  Tristate mLastKeypressEventWasTrusted;
> ++
> +   friend PRBool NSCanUnload(nsISupports* serviceMgr);
> +   friend class nsAutoTxnsConserveSelection;
> +   friend class nsAutoSelectionReset;
> +diff --git a/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp b/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp
> +index a2127f3..0b701a3 100644
> +--- a/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp
> ++++ b/mozilla/editor/libeditor/text/nsEditorEventListeners.cpp
> +@@ -73,6 +73,20 @@
> + 
> + //#define DEBUG_IME
> + 
> ++class nsAutoEditorKeypressOperation {
> ++public:
> ++  nsAutoEditorKeypressOperation(nsEditor *aEditor, nsIDOMNSEvent *aEvent)
> ++    : mEditor(aEditor) {
> ++    mEditor->BeginKeypressHandling(aEvent);
> ++  }
> ++  ~nsAutoEditorKeypressOperation() {
> ++    mEditor->EndKeypressHandling();
> ++  }
> ++
> ++private:
> ++  nsEditor *mEditor;
> ++};
> ++
> + /*
> +  * nsTextEditorKeyListener implementation
> +  */
> +@@ -117,6 +131,10 @@ nsTextEditorKeyListener::KeyUp(nsIDOMEvent* aKeyEvent)
> + nsresult
> + nsTextEditorKeyListener::KeyPress(nsIDOMEvent* aKeyEvent)
> + {
> ++  // Transfer the event's trusted-ness to our editor
> ++  nsCOMPtr<nsIDOMNSEvent> NSEvent = do_QueryInterface(aKeyEvent);
> ++  nsAutoEditorKeypressOperation operation(static_cast<nsEditor*> (mEditor), NSEvent);
> ++
> +   // DOM event handling happens in two passes, the client pass and the system
> +   // pass.  We do all of our processing in the system pass, to allow client
> +   // handlers the opportunity to cancel events and prevent typing in the editor.
> +@@ -869,6 +887,11 @@ nsTextEditorCompositionListener::HandleEndComposition(nsIDOMEvent* aCompositionE
> + #ifdef DEBUG_IME
> +    printf("nsTextEditorCompositionListener::HandleEndComposition\n");
> + #endif
> ++
> ++  // Transfer the event's trusted-ness to our editor
> ++  nsCOMPtr<nsIDOMNSEvent> NSEvent = do_QueryInterface(aCompositionEvent);
> ++  nsAutoEditorKeypressOperation operation(static_cast<nsEditor*> (mEditor), NSEvent);
> ++
> +    return mEditor->EndComposition();
> + }
> + 
> +diff --git a/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp b/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp
> +index cb59e0d..a657255 100644
> +--- a/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp
> ++++ b/mozilla/editor/libeditor/text/nsPlaintextDataTransfer.cpp
> +@@ -119,6 +119,8 @@ NS_IMETHODIMP nsPlaintextEditor::InsertTextFromTransferable(nsITransferable *aTr
> +                                                             PRInt32 aDestOffset,
> +                                                             PRBool aDoDeleteSelection)
> + {
> ++  FireTrustedInputEvent trusted(this);
> ++
> +   nsresult rv = NS_OK;
> +   char* bestFlavor = nsnull;
> +   nsCOMPtr<nsISupports> genericDataObj;
> +diff --git a/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp b/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp
> +index ead1d02..d23d42a 100644
> +--- a/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp
> ++++ b/mozilla/editor/libeditor/text/nsPlaintextEditor.cpp
> +@@ -715,6 +715,8 @@ NS_IMETHODIMP nsPlaintextEditor::DeleteSelection(nsIEditor::EDirection aAction)
> + 
> +   nsresult result;
> + 
> ++  FireTrustedInputEvent trusted(this, aAction != eNone);
> ++
> +   // delete placeholder txns merge.
> +   nsAutoPlaceHolderBatch batch(this, nsGkAtoms::DeleteTxnName);
> +   nsAutoRules beginRulesSniffing(this, kOpDeleteSelection, aAction);
> +@@ -1124,6 +1126,8 @@ nsPlaintextEditor::SetNewlineHandling(PRInt32 aNewlineHandling)
> + NS_IMETHODIMP 
> + nsPlaintextEditor::Undo(PRUint32 aCount)
> + {
> ++  FireTrustedInputEvent trusted(this);
> ++
> +   nsAutoUpdateViewBatch beginViewBatching(this);
> + 
> +   ForceCompositionEnd();
> +@@ -1148,6 +1152,8 @@ nsPlaintextEditor::Undo(PRUint32 aCount)
> + NS_IMETHODIMP 
> + nsPlaintextEditor::Redo(PRUint32 aCount)
> + {
> ++  FireTrustedInputEvent trusted(this);
> ++
> +   nsAutoUpdateViewBatch beginViewBatching(this);
> + 
> +   ForceCompositionEnd();
> +@@ -1222,6 +1228,8 @@ nsresult nsPlaintextEditor::FireClipboardEvent(PRUint32 msg,
> + 
> + NS_IMETHODIMP nsPlaintextEditor::Cut()
> + {
> ++  FireTrustedInputEvent trusted(this);
> ++
> +   PRBool preventDefault;
> +   nsresult rv = FireClipboardEvent(NS_CUT, &preventDefault);
> +   if (NS_FAILED(rv) || preventDefault)
> +diff --git a/mozilla/editor/libeditor/text/tests/Makefile.in b/mozilla/editor/libeditor/text/tests/Makefile.in
> +index 19718ad..6ff16d1 100644
> +--- a/mozilla/editor/libeditor/text/tests/Makefile.in
> ++++ b/mozilla/editor/libeditor/text/tests/Makefile.in
> +@@ -46,6 +46,8 @@ include $(topsrcdir)/config/rules.mk
> + 
> + _TEST_FILES = \
> + 		test_bug471722.html \
> ++		test_bug527935.html \
> ++		test_bug625452.html \
> + 		$(NULL)
> + 
> + libs:: $(_TEST_FILES)
> +diff --git a/mozilla/editor/libeditor/text/tests/test_bug527935.html b/mozilla/editor/libeditor/text/tests/test_bug527935.html
> +new file mode 100644
> +index 0000000..d208859
> +--- /dev/null
> ++++ b/mozilla/editor/libeditor/text/tests/test_bug527935.html
> +@@ -0,0 +1,94 @@
> ++<!DOCTYPE HTML>
> ++<html>
> ++<!--
> ++https://bugzilla.mozilla.org/show_bug.cgi?id=527935
> ++-->
> ++<head>
> ++  <title>Test for Bug 527935</title>
> ++  <script type="application/javascript" src="/MochiKit/packed.js"></script>
> ++  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
> ++  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
> ++  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
> ++</head>
> ++<body>
> ++<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=527935">Mozilla Bug 527935</a>
> ++<p id="display"></p>
> ++<div id="content">
> ++  <iframe id="formTarget" name="formTarget"></iframe>
> ++  <form action="data:text/html," target="formTarget">
> ++    <input name="test" id="initValue"><input type="submit">
> ++  </form>
> ++</div>
> ++<pre id="test">
> ++<script type="application/javascript">
> ++
> ++function getAutocompletePopup() {
> ++    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
> ++    var Ci = Components.interfaces;
> ++    chromeWin = window.QueryInterface(Ci.nsIInterfaceRequestor)
> ++                      .getInterface(Ci.nsIWebNavigation)
> ++                      .QueryInterface(Ci.nsIDocShellTreeItem)
> ++                      .rootTreeItem
> ++                      .QueryInterface(Ci.nsIInterfaceRequestor)
> ++                      .getInterface(Ci.nsIDOMWindow)
> ++                      .QueryInterface(Ci.nsIDOMChromeWindow);
> ++    autocompleteMenu = chromeWin.document.getElementById("PopupAutoComplete");
> ++    ok(autocompleteMenu, "Got autocomplete popup");
> ++
> ++    return autocompleteMenu;
> ++}
> ++
> ++function registerPopupShowing(popup, listener) {
> ++    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
> ++    popup.addEventListener("popupshowing", listener, false);
> ++}
> ++
> ++function unregisterPopupShowing(popup, listener) {
> ++    netscape.security.PrivilegeManager.enablePrivilege("UniversalXPConnect");
> ++    popup.removeEventListener("popupshowing", listener, false);
> ++}
> ++
> ++/** Test for Bug 527935 **/
> ++SimpleTest.waitForExplicitFinish();
> ++addLoadEvent(function() {
> ++  var formTarget = document.getElementById("formTarget");
> ++  var initValue = document.getElementById("initValue");
> ++
> ++  formTarget.addEventListener("load", function() {
> ++    var newInput = document.createElement("input");
> ++    newInput.setAttribute("name", "test");
> ++    document.body.appendChild(newInput);
> ++
> ++    setTimeout(function() {
> ++      var popupShown = false;
> ++      var popup = getAutocompletePopup();
> ++      function listener() {
> ++        popupShown = true;
> ++      }
> ++      registerPopupShowing(popup, listener);
> ++
> ++      var event = document.createEvent("KeyboardEvent");
> ++
> ++      event.initKeyEvent("keypress", true, true, null, false, false,
> ++                         false, false, 0, "f".charCodeAt(0));
> ++      newInput.value = "";
> ++      newInput.focus();
> ++      newInput.dispatchEvent(event);
> ++
> ++      setTimeout(function() {
> ++        ok(!popupShown, "Popup must not be opened");
> ++        unregisterPopupShowing(popup, listener);
> ++        SimpleTest.finish();
> ++      }, 1000);
> ++    }, 0);
> ++  }, false);
> ++
> ++  initValue.focus();
> ++  initValue.value = "foo";
> ++  synthesizeKey("VK_ENTER", {});
> ++});
> ++
> ++</script>
> ++</pre>
> ++</body>
> ++</html>
> +diff --git a/mozilla/editor/libeditor/text/tests/test_bug625452.html b/mozilla/editor/libeditor/text/tests/test_bug625452.html
> +new file mode 100644
> +index 0000000..f5e5068
> +--- /dev/null
> ++++ b/mozilla/editor/libeditor/text/tests/test_bug625452.html
> +@@ -0,0 +1,67 @@
> ++<!DOCTYPE HTML>
> ++<html>
> ++<!--
> ++https://bugzilla.mozilla.org/show_bug.cgi?id=625452
> ++-->
> ++<head>
> ++  <title>Test for Bug 625452</title>
> ++  <script type="application/javascript" src="/MochiKit/packed.js"></script>
> ++  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
> ++  <script type="text/javascript" src="/tests/SimpleTest/EventUtils.js"></script>
> ++  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
> ++</head>
> ++<body>
> ++<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=625452">Mozilla Bug 625452</a>
> ++<p id="display"></p>
> ++<div id="content">
> ++<input>
> ++</div>
> ++<pre id="test">
> ++<script type="application/javascript">
> ++
> ++/** Test for Bug 625452 **/
> ++SimpleTest.waitForExplicitFinish();
> ++addLoadEvent(function() {
> ++  var i = document.querySelector("input");
> ++  var inputCount = 0;
> ++  i.addEventListener("input", function() inputCount++, false);
> ++
> ++  // test cut
> ++  i.focus();
> ++  i.value = "foo bar";
> ++  i.selectionStart = 0;
> ++  i.selectionEnd = 4;
> ++  synthesizeKey("X", {accelKey: true});
> ++  is(i.value, "bar", "Cut should work correctly");
> ++  is(inputCount, 1, "input event should be raised correctly");
> ++
> ++  // test undo
> ++  synthesizeKey("Z", {accelKey: true});
> ++  is(i.value, "foo bar", "Undo should work correctly");
> ++  is(inputCount, 2, "input event should be raised correctly");
> ++
> ++  // test redo
> ++  synthesizeKey("Z", {accelKey: true, shiftKey: true});
> ++  is(i.value, "bar", "Redo should work correctly");
> ++  is(inputCount, 3, "input event should be raised correctly");
> ++
> ++  // test delete
> ++  i.selectionStart = 0;
> ++  i.selectionEnd = 2;
> ++  synthesizeKey("VK_DELETE", {});
> ++  is(i.value, "r", "Delete should work correctly");
> ++  is(inputCount, 4, "input event should be raised correctly");
> ++
> ++  // test DeleteSelection(eNone)
> ++  i.value = "retest"; // the "r" common prefix is crucial here
> ++  is(inputCount, 4, "input event should not have been raised");
> ++
> ++  // paste is tested in test_bug596001.html
> ++
> ++  SimpleTest.finish();
> ++});
> ++
> ++</script>
> ++</pre>
> ++</body>
> ++</html>
> +diff --git a/mozilla/layout/forms/nsTextControlFrame.cpp b/mozilla/layout/forms/nsTextControlFrame.cpp
> +index e2e2a3e..12e1646 100644
> +--- a/mozilla/layout/forms/nsTextControlFrame.cpp
> ++++ b/mozilla/layout/forms/nsTextControlFrame.cpp
> +@@ -518,7 +518,11 @@ nsTextInputListener::EditAction()
> +   mFrame->SetValueChanged(PR_TRUE);
> + 
> +   // Fire input event
> +-  mFrame->FireOnInput();
> ++  nsCOMPtr<nsIEditor_MOZILLA_1_9_2_BRANCH> editor192 = do_QueryInterface(editor);
> ++  NS_ASSERTION(editor192, "Something is very wrong!");
> ++  PRBool trusted = PR_FALSE;
> ++  editor192->GetLastKeypressEventTrusted(&trusted);
> ++  mFrame->FireOnInput(trusted);
> + 
> +   return NS_OK;
> + }
> +@@ -2546,14 +2550,14 @@ nsTextControlFrame::GetMaxLength(PRInt32* aSize)
> + 
> + // this is where we propagate a content changed event
> + void
> +-nsTextControlFrame::FireOnInput()
> ++nsTextControlFrame::FireOnInput(PRBool aTrusted)
> + {
> +   if (!mNotifyOnInput)
> +     return; // if notification is turned off, do nothing
> +   
> +   // Dispatch the "input" event
> +   nsEventStatus status = nsEventStatus_eIgnore;
> +-  nsUIEvent event(PR_TRUE, NS_FORM_INPUT, 0);
> ++  nsUIEvent event(aTrusted, NS_FORM_INPUT, 0);
> + 
> +   // Have the content handle the event, propagating it according to normal
> +   // DOM rules.
> +diff --git a/mozilla/layout/forms/nsTextControlFrame.h b/mozilla/layout/forms/nsTextControlFrame.h
> +index 207216e..0e777af 100644
> +--- a/mozilla/layout/forms/nsTextControlFrame.h
> ++++ b/mozilla/layout/forms/nsTextControlFrame.h
> +@@ -191,7 +191,7 @@ public: //for methods who access nsTextControlFrame directly
> +    * @return whether this is a password ontrol
> +    */
> +   PRBool IsPasswordTextControl() const;
> +-  void FireOnInput();
> ++  void FireOnInput(PRBool aTrusted);
> +   void SetValueChanged(PRBool aValueChanged);
> +   /** Called when the frame is focused, to remember the value for onChange. */
> +   nsresult InitFocusedValue();
> +diff --git a/mozilla/toolkit/components/satchel/test/test_bug_511615.html b/mozilla/toolkit/components/satchel/test/test_bug_511615.html
> +index 041ebb7..6508e45 100644
> +--- a/mozilla/toolkit/components/satchel/test/test_bug_511615.html
> ++++ b/mozilla/toolkit/components/satchel/test/test_bug_511615.html
> +@@ -210,10 +210,7 @@ function runTest(testNum) {
> +         nextTestPrivledged = true;
> +         break;
> +     case 15:
> +-        // XXX even with patch the popup is still opened.
> +-        // the keypress triggers a form input oninput / onchange
> +-        todo(false, "popup should be closed");
> +-        checkPopupOpen(true, -1);
> ++        checkPopupOpen(false);
> +         checkForm("v");
> +         break;
> +     // try a space
> +@@ -222,8 +219,7 @@ function runTest(testNum) {
> +         nextTestPrivledged = true;
> +         break;
> +     case 17:
> +-        todo(false, "popup should be closed");
> +-        checkPopupOpen(false, -1);
> ++        checkPopupOpen(false);
> +         checkForm("v ");
> +         break;
> +     // backspace
> +@@ -232,17 +228,15 @@ function runTest(testNum) {
> +         nextTestPrivledged = true;
> +         break;
> +     case 19:
> +-        todo(false, "popup should be closed");
> +-        checkPopupOpen(true, -1);
> ++        checkPopupOpen(false);
> +         checkForm("v");
> +         nextTestPrivledged = true;
> +         break;
> +     case 20:
> +         // We're privledged for this test, so open the popup.
> +-        todo(false, "popup should be closed");
> +-        checkPopupOpen(true, -1);
> ++        checkPopupOpen(false);
> +         checkForm("v");
> +-//        doKey("down");
> ++        doKey("down");
> +         nextTestPrivledged = true;
> +         break;
> +     case 21:
> +@@ -331,7 +325,7 @@ function runTest(testNum) {
> +         break;
> +     case 203:
> +         // XXX we should ignore this input while popup is open?
> +-        checkPopupOpen(false, -1);
> ++        checkPopupOpen(true, 0);
> +         checkForm("v ");
> +         break;
> +     // backspace
> +@@ -341,13 +335,13 @@ function runTest(testNum) {
> +         break;
> +     case 205:
> +         // XXX we should ignore this input while popup is open?
> +-        checkPopupOpen(true, -1);
> ++        checkPopupOpen(true, 0);
> +         checkForm("v");
> +         nextTestPrivledged = true;
> +         break;
> +     // Oops, reselect 1st entry
> +     case 206:
> +-        doKey("down");
> ++        // (this space intentionally left blank)
> +         nextTestPrivledged = true;
> +         break;
> +     case 207:
> +@@ -371,7 +365,7 @@ function runTest(testNum) {
> +         break;
> +     case 211:
> +         checkPopupOpen(false);
> +-        checkForm("v");
> ++        checkForm("");
> + 
> + 
> +         SimpleTest.finish();
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0009-Bug-623998-Reduce-frameset-size-limit-r-roc-a1.9.1.1.patch b/debian/patches/security/squeeze2/0009-Bug-623998-Reduce-frameset-size-limit-r-roc-a1.9.1.1.patch
> new file mode 100644
> index 0000000..010d772
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0009-Bug-623998-Reduce-frameset-size-limit-r-roc-a1.9.1.1.patch
> @@ -0,0 +1,125 @@
> +From c4dceb0bb8ea41980548644060e9b63152b012c0 Mon Sep 17 00:00:00 2001
> +From: Chris Double <chris.double@double.co.nz>
> +Date: Mon, 21 Feb 2011 17:40:50 +1300
> +Subject: Bug 623998 - Reduce frameset size limit - r=roc a1.9.1.18=dveditz
> +
> +---
> + content/html/content/public/nsIFrameSetElement.h   |    6 ++++
> + content/html/content/src/nsHTMLFrameSetElement.cpp |    5 +--
> + layout/generic/nsFrameSetFrame.cpp                 |   27 ++++++++++++++++++-
> + 3 files changed, 33 insertions(+), 5 deletions(-)
> +
> +diff --git a/mozilla/content/html/content/public/nsIFrameSetElement.h b/mozilla/content/html/content/public/nsIFrameSetElement.h
> +index 9a90820..563184b 100644
> +--- a/mozilla/content/html/content/public/nsIFrameSetElement.h
> ++++ b/mozilla/content/html/content/public/nsIFrameSetElement.h
> +@@ -66,6 +66,12 @@ struct nsFramesetSpec {
> + };
> + 
> + /**
> ++ * The maximum number of entries allowed in the frame set element row
> ++ * or column spec.
> ++ */
> ++#define NS_MAX_FRAMESET_SPEC_COUNT 16000
> ++
> ++/**
> +  * This interface is used by the nsFramesetFrame to access the parsed
> +  * values of the "rows" and "cols" attributes
> +  */
> +diff --git a/mozilla/content/html/content/src/nsHTMLFrameSetElement.cpp b/mozilla/content/html/content/src/nsHTMLFrameSetElement.cpp
> +index 6a6c394..a29ad4f 100644
> +--- a/mozilla/content/html/content/src/nsHTMLFrameSetElement.cpp
> ++++ b/mozilla/content/html/content/src/nsHTMLFrameSetElement.cpp
> +@@ -322,12 +322,11 @@ nsHTMLFrameSetElement::ParseRowCol(const nsAString & aValue,
> +   spec.StripChars(" \n\r\t\"\'");
> +   spec.Trim(",");
> +   
> +-#define MAX_FRAMESET_SPEC_COUNT 100000
> +   // Count the commas. Don't count more than X commas (bug 576447).
> +-  PR_STATIC_ASSERT(MAX_FRAMESET_SPEC_COUNT * sizeof(nsFramesetSpec) < (1 << 30));
> ++  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT * sizeof(nsFramesetSpec) < (1 << 30));
> +   PRInt32 commaX = spec.FindChar(sComma);
> +   PRInt32 count = 1;
> +-  while (commaX != kNotFound && count < MAX_FRAMESET_SPEC_COUNT) {
> ++  while (commaX != kNotFound && count < NS_MAX_FRAMESET_SPEC_COUNT) {
> +     count++;
> +     commaX = spec.FindChar(sComma, commaX + 1);
> +   }
> +diff --git a/mozilla/layout/generic/nsFrameSetFrame.cpp b/mozilla/layout/generic/nsFrameSetFrame.cpp
> +index 956fdc3..6eccaba 100644
> +--- a/mozilla/layout/generic/nsFrameSetFrame.cpp
> ++++ b/mozilla/layout/generic/nsFrameSetFrame.cpp
> +@@ -352,13 +352,19 @@ nsHTMLFramesetFrame::Init(nsIContent*      aContent,
> +   NS_ENSURE_SUCCESS(result, result);
> +   result = ourContent->GetColSpec(&mNumCols, &colSpecs);
> +   NS_ENSURE_SUCCESS(result, result);
> ++
> ++  // Maximum value of mNumRows and mNumCols is NS_MAX_FRAMESET_SPEC_COUNT
> ++  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < UINT_MAX / sizeof(nscoord));
> +   mRowSizes  = new nscoord[mNumRows];
> +   mColSizes  = new nscoord[mNumCols];
> +   if (!mRowSizes || !mColSizes)
> +     return NS_ERROR_OUT_OF_MEMORY; 
> + 
> ++  // Ensure we can't overflow numCells
> ++  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < PR_INT32_MAX / NS_MAX_FRAMESET_SPEC_COUNT);
> +   PRInt32 numCells = mNumRows*mNumCols;
> + 
> ++  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < UINT_MAX / sizeof(nsHTMLFramesetBorderFrame*));
> +   mVerBorders    = new nsHTMLFramesetBorderFrame*[mNumCols];  // 1 more than number of ver borders
> +   if (!mVerBorders)
> +     return NS_ERROR_OUT_OF_MEMORY;
> +@@ -372,9 +378,15 @@ nsHTMLFramesetFrame::Init(nsIContent*      aContent,
> + 
> +   for (int horX = 0; horX < mNumRows; horX++)
> +     mHorBorders[horX]    = nsnull;
> +-     
> ++ 
> ++  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT
> ++                   < UINT_MAX / sizeof(PRInt32) / NS_MAX_FRAMESET_SPEC_COUNT); 
> ++  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT
> ++                   < UINT_MAX / sizeof(nsFrameborder) / NS_MAX_FRAMESET_SPEC_COUNT); 
> ++  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT
> ++                   < UINT_MAX / sizeof(nsBorderColor) / NS_MAX_FRAMESET_SPEC_COUNT); 
> +   mChildTypes = new PRInt32[numCells]; 
> +-  mChildFrameborder  = new nsFrameborder[numCells]; 
> ++  mChildFrameborder  = new nsFrameborder[numCells];
> +   mChildBorderColors  = new nsBorderColor[numCells]; 
> +   if (!mChildTypes || !mChildFrameborder || !mChildBorderColors)
> +     return NS_ERROR_OUT_OF_MEMORY;
> +@@ -547,6 +559,9 @@ void nsHTMLFramesetFrame::CalculateRowCol(nsPresContext*       aPresContext,
> +                                           const nsFramesetSpec* aSpecs, 
> +                                           nscoord*              aValues)
> + {
> ++  // aNumSpecs maximum value is NS_MAX_FRAMESET_SPEC_COUNT
> ++  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < UINT_MAX / sizeof(PRInt32));
> ++
> +   PRInt32  fixedTotal = 0;
> +   PRInt32  numFixed = 0;
> +   nsAutoArrayPtr<PRInt32> fixed(new PRInt32[aNumSpecs]);
> +@@ -1040,6 +1055,11 @@ nsHTMLFramesetFrame::Reflow(nsPresContext*          aPresContext,
> +   nsFrameborder           frameborder = GetFrameBorder();
> + 
> +   if (firstTime) {
> ++    // Check for overflow in memory allocations using mNumCols and mNumRows
> ++    // which have a maxium value of NS_MAX_FRAMESET_SPEC_COUNT.
> ++    PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < UINT_MAX / sizeof(PRBool));
> ++    PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < UINT_MAX / sizeof(nscolor));
> ++
> +     verBordersVis = new PRBool[mNumCols];
> +     NS_ENSURE_TRUE(verBordersVis, NS_ERROR_OUT_OF_MEMORY);
> +     verBorderColors = new nscolor[mNumCols];
> +@@ -1378,7 +1398,10 @@ nsHTMLFramesetFrame::RecalculateBorderResize()
> +     return;
> +   }
> + 
> ++  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT < PR_INT32_MAX / NS_MAX_FRAMESET_SPEC_COUNT);
> +   PRInt32 numCells = mNumRows * mNumCols; // max number of cells
> ++  PR_STATIC_ASSERT(NS_MAX_FRAMESET_SPEC_COUNT
> ++                   < UINT_MAX / sizeof(PRInt32) / NS_MAX_FRAMESET_SPEC_COUNT); 
> +   nsAutoArrayPtr<PRInt32> childTypes(new PRInt32[numCells]);
> +   if (NS_UNLIKELY(!childTypes)) {
> +     return;
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0010-Bug-635977.-Make-sure-to-always-send-OnStartRequest-.patch b/debian/patches/security/squeeze2/0010-Bug-635977.-Make-sure-to-always-send-OnStartRequest-.patch
> new file mode 100644
> index 0000000..2a2c3a7
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0010-Bug-635977.-Make-sure-to-always-send-OnStartRequest-.patch
> @@ -0,0 +1,84 @@
> +From baf3262025be96e0f90a1a64c2966ea5bed330dc Mon Sep 17 00:00:00 2001
> +From: Boris Zbarsky <bzbarsky@mit.edu>
> +Date: Thu, 24 Feb 2011 13:42:15 -0500
> +Subject: Bug 635977. Make sure to always send OnStartRequest to our listener
> + from nsIndexedToHTML. r=jduell, a=dveditz
> +
> +---
> + netwerk/streamconv/converters/nsIndexedToHTML.cpp |   36 ++++++++++++++-------
> + netwerk/streamconv/converters/nsIndexedToHTML.h   |    5 ++-
> + 2 files changed, 28 insertions(+), 13 deletions(-)
> +
> +diff --git a/mozilla/netwerk/streamconv/converters/nsIndexedToHTML.cpp b/mozilla/netwerk/streamconv/converters/nsIndexedToHTML.cpp
> +index 2873d21..99a8723 100644
> +--- a/mozilla/netwerk/streamconv/converters/nsIndexedToHTML.cpp
> ++++ b/mozilla/netwerk/streamconv/converters/nsIndexedToHTML.cpp
> +@@ -150,6 +150,29 @@ nsIndexedToHTML::AsyncConvertData(const char *aFromType,
> + 
> + NS_IMETHODIMP
> + nsIndexedToHTML::OnStartRequest(nsIRequest* request, nsISupports *aContext) {
> ++    nsString buffer;
> ++    nsresult rv = DoOnStartRequest(request, aContext, buffer);
> ++    if (NS_FAILED(rv)) {
> ++        request->Cancel(rv);
> ++    }
> ++    
> ++    rv = mListener->OnStartRequest(request, aContext);
> ++    if (NS_FAILED(rv)) return rv;
> ++
> ++    // The request may have been canceled, and if that happens, we want to
> ++    // suppress calls to OnDataAvailable.
> ++    request->GetStatus(&rv);
> ++    if (NS_FAILED(rv)) return rv;
> ++
> ++    // Push our buffer to the listener.
> ++
> ++    rv = FormatInputStream(request, aContext, buffer);
> ++    return rv;
> ++}
> ++
> ++nsresult
> ++nsIndexedToHTML::DoOnStartRequest(nsIRequest* request, nsISupports *aContext,
> ++                                  nsString& aBuffer) {
> +     nsresult rv;
> + 
> +     nsCOMPtr<nsIChannel> channel = do_QueryInterface(request);
> +@@ -687,18 +710,7 @@ nsIndexedToHTML::OnStartRequest(nsIRequest* request, nsISupports *aContext) {
> +     }
> +     buffer.AppendLiteral(" <tbody>\n");
> + 
> +-    // Push buffer to the listener now, so the initial HTML will not
> +-    // be parsed in OnDataAvailable().
> +-
> +-    rv = mListener->OnStartRequest(request, aContext);
> +-    if (NS_FAILED(rv)) return rv;
> +-
> +-    // The request may have been canceled, and if that happens, we want to
> +-    // suppress calls to OnDataAvailable.
> +-    request->GetStatus(&rv);
> +-    if (NS_FAILED(rv)) return rv;
> +-
> +-    rv = FormatInputStream(request, aContext, buffer);
> ++    aBuffer = buffer;
> +     return rv;
> + }
> + 
> +diff --git a/mozilla/netwerk/streamconv/converters/nsIndexedToHTML.h b/mozilla/netwerk/streamconv/converters/nsIndexedToHTML.h
> +index 4001c9f..fc9124f 100644
> +--- a/mozilla/netwerk/streamconv/converters/nsIndexedToHTML.h
> ++++ b/mozilla/netwerk/streamconv/converters/nsIndexedToHTML.h
> +@@ -76,7 +76,10 @@ public:
> + protected:
> +     
> +     void FormatSizeString(PRInt64 inSize, nsString& outSizeString);
> +-    nsresult FormatInputStream(nsIRequest* aRequest, nsISupports *aContext, const nsAString &aBuffer); 
> ++    nsresult FormatInputStream(nsIRequest* aRequest, nsISupports *aContext, const nsAString &aBuffer);
> ++    // Helper to properly implement OnStartRequest
> ++    nsresult DoOnStartRequest(nsIRequest* request, nsISupports *aContext,
> ++                              nsString& aBuffer);
> + 
> + protected:
> +     nsCOMPtr<nsIDirIndexParser>     mParser;
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0011-Bug-630919-add-collect-and-invalidate-phases-for-tre.patch b/debian/patches/security/squeeze2/0011-Bug-630919-add-collect-and-invalidate-phases-for-tre.patch
> new file mode 100644
> index 0000000..247510e
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0011-Bug-630919-add-collect-and-invalidate-phases-for-tre.patch
> @@ -0,0 +1,79 @@
> +From a77c01176ac643d67bf4d6ae73cfa907c78b7bfa Mon Sep 17 00:00:00 2001
> +From: Olli Pettay <Olli.Pettay@helsinki.fi>
> +Date: Tue, 1 Mar 2011 15:50:19 +0200
> +Subject: Bug 630919, add collect and invalidate phases for tree ranges,
> + r=enn+neil, a=jst
> +
> +---
> + layout/xul/base/src/tree/src/nsTreeSelection.cpp |   34 ++++++++++++++++++---
> + 1 files changed, 29 insertions(+), 5 deletions(-)
> +
> +diff --git a/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp b/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp
> +index a1812ce..7120195 100644
> +--- a/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp
> ++++ b/mozilla/layout/xul/base/src/tree/src/nsTreeSelection.cpp
> +@@ -214,18 +214,40 @@ struct nsTreeRange
> +     return total;
> +   }
> + 
> ++  static void CollectRanges(nsTreeRange* aRange, nsTArray<PRInt32>& aRanges)
> ++  {
> ++    nsTreeRange* cur = aRange;
> ++    while (cur) {
> ++      aRanges.AppendElement(cur->mMin);
> ++      aRanges.AppendElement(cur->mMax);
> ++      cur = cur->mNext;
> ++    }
> ++  }
> ++  
> ++  static void InvalidateRanges(nsITreeBoxObject* aTree,
> ++                               nsTArray<PRInt32>& aRanges)
> ++  {
> ++    if (aTree) {
> ++      nsCOMPtr<nsITreeBoxObject> tree = aTree;
> ++      for (PRUint32 i = 0; i < aRanges.Length(); i += 2) {
> ++        aTree->InvalidateRange(aRanges[i], aRanges[i + 1]);
> ++      }
> ++    }
> ++  }
> ++
> +   void Invalidate() {
> +-    if (mSelection->mTree)
> +-      mSelection->mTree->InvalidateRange(mMin, mMax);
> +-    if (mNext)
> +-      mNext->Invalidate();
> ++    nsTArray<PRInt32> ranges;
> ++    CollectRanges(this, ranges);
> ++    InvalidateRanges(mSelection->mTree, ranges);
> ++    
> +   }
> + 
> +   void RemoveAllBut(PRInt32 aIndex) {
> +     if (aIndex >= mMin && aIndex <= mMax) {
> + 
> +       // Invalidate everything in this list.
> +-      mSelection->mFirstRange->Invalidate();
> ++      nsTArray<PRInt32> ranges;
> ++      CollectRanges(mSelection->mFirstRange, ranges);
> + 
> +       mMin = aIndex;
> +       mMax = aIndex;
> +@@ -241,6 +263,7 @@ struct nsTreeRange
> +         delete mSelection->mFirstRange;
> +         mSelection->mFirstRange = this;
> +       }
> ++      InvalidateRanges(mSelection->mTree, ranges);
> +     }
> +     else if (mNext)
> +       mNext->RemoveAllBut(aIndex);
> +@@ -451,6 +474,7 @@ NS_IMETHODIMP nsTreeSelection::RangedSelect(PRInt32 aStartIndex, PRInt32 aEndInd
> +     if (mFirstRange) {
> +         mFirstRange->Invalidate();
> +         delete mFirstRange;
> ++        mFirstRange = nsnull;
> +     }
> +   }
> + 
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0012-Bug-634986.-Don-t-act-like-we-re-redirecting-if-we-d.patch b/debian/patches/security/squeeze2/0012-Bug-634986.-Don-t-act-like-we-re-redirecting-if-we-d.patch
> new file mode 100644
> index 0000000..dd76c69
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0012-Bug-634986.-Don-t-act-like-we-re-redirecting-if-we-d.patch
> @@ -0,0 +1,29 @@
> +From 1045776850baa2d175a7308f758a504c3a32d5d2 Mon Sep 17 00:00:00 2001
> +From: Boris Zbarsky <bzbarsky@mit.edu>
> +Date: Wed, 2 Mar 2011 14:21:55 -0500
> +Subject: Bug 634986. Don't act like we're redirecting if we don't have a
> + channel. r=jst, a=blocker
> +
> +---
> + content/base/src/nsObjectLoadingContent.cpp |    5 +++--
> + 1 files changed, 3 insertions(+), 2 deletions(-)
> +
> +diff --git a/mozilla/content/base/src/nsObjectLoadingContent.cpp b/mozilla/content/base/src/nsObjectLoadingContent.cpp
> +index d5a3336..1c85a51 100644
> +--- a/mozilla/content/base/src/nsObjectLoadingContent.cpp
> ++++ b/mozilla/content/base/src/nsObjectLoadingContent.cpp
> +@@ -904,8 +904,9 @@ nsObjectLoadingContent::OnChannelRedirect(nsIChannel *aOldChannel,
> +                                           nsIChannel *aNewChannel,
> +                                           PRUint32    aFlags)
> + {
> +-  // If we're already busy with a new load, cancel the redirect
> +-  if (aOldChannel != mChannel) {
> ++  // If we're already busy with a new load, or have no load at all,
> ++  // cancel the redirect.
> ++  if (!mChannel || aOldChannel != mChannel) {
> +     return NS_BINDING_ABORTED;
> +   }
> + 
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0013-bug-635705.-r-bzbarsky-a-dveditz.patch b/debian/patches/security/squeeze2/0013-bug-635705.-r-bzbarsky-a-dveditz.patch
> new file mode 100644
> index 0000000..34f5643
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0013-bug-635705.-r-bzbarsky-a-dveditz.patch
> @@ -0,0 +1,26 @@
> +From dc5f218a8c064e25f986090b43dcd9f0fc01b3a4 Mon Sep 17 00:00:00 2001
> +From: Jonathan Kew <jfkthame@gmail.com>
> +Date: Sat, 5 Mar 2011 08:30:18 +0000
> +Subject: bug 635705. r=bzbarsky a=dveditz
> +
> +---
> + netwerk/mime/src/nsMIMEHeaderParamImpl.cpp |    2 +-
> + 1 files changed, 1 insertions(+), 1 deletions(-)
> +
> +diff --git a/mozilla/netwerk/mime/src/nsMIMEHeaderParamImpl.cpp b/mozilla/netwerk/mime/src/nsMIMEHeaderParamImpl.cpp
> +index 58dbc80..5409653 100644
> +--- a/mozilla/netwerk/mime/src/nsMIMEHeaderParamImpl.cpp
> ++++ b/mozilla/netwerk/mime/src/nsMIMEHeaderParamImpl.cpp
> +@@ -165,8 +165,8 @@ nsMIMEHeaderParamImpl::GetParameterInternal(const char *aHeaderValue,
> +       if (str == start)
> +         return NS_ERROR_UNEXPECTED;
> +       *aResult = (char *) nsMemory::Clone(start, (str - start) + 1);
> +-      (*aResult)[str - start] = '\0';  // null-terminate
> +       NS_ENSURE_TRUE(*aResult, NS_ERROR_OUT_OF_MEMORY);
> ++      (*aResult)[str - start] = '\0';  // null-terminate
> +       return NS_OK;
> +     }
> + 
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0014-Fix-converter-stream-part-of-bug-638236.-r-bzbarsky-.patch b/debian/patches/security/squeeze2/0014-Fix-converter-stream-part-of-bug-638236.-r-bzbarsky-.patch
> new file mode 100644
> index 0000000..0189d60
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0014-Fix-converter-stream-part-of-bug-638236.-r-bzbarsky-.patch
> @@ -0,0 +1,27 @@
> +From 676ba1d27287a89506f46cf3c481e91aa79a6d2d Mon Sep 17 00:00:00 2001
> +From: L. David Baron <dbaron@dbaron.org>
> +Date: Wed, 2 Mar 2011 21:01:20 -0800
> +Subject: Fix converter stream part of bug 638236. r=bzbarsky
> + a1.9.1.18=clegnitto
> +
> +---
> + intl/uconv/src/nsConverterInputStream.cpp |    3 ++-
> + 1 files changed, 2 insertions(+), 1 deletions(-)
> +
> +diff --git a/mozilla/intl/uconv/src/nsConverterInputStream.cpp b/mozilla/intl/uconv/src/nsConverterInputStream.cpp
> +index b295162..4552aef 100644
> +--- a/mozilla/intl/uconv/src/nsConverterInputStream.cpp
> ++++ b/mozilla/intl/uconv/src/nsConverterInputStream.cpp
> +@@ -254,7 +254,8 @@ nsConverterInputStream::Fill(nsresult * aErrorCode)
> +     NS_ASSERTION(srcConsumed <= mByteData->GetLength(),
> +                  "Whoa.  The converter should have returned NS_OK_UDEC_MOREINPUT before this point!");
> +   } while (mReplacementChar &&
> +-           NS_FAILED(*aErrorCode));
> ++           NS_FAILED(*aErrorCode) &&
> ++           mUnicharData->GetBufferSize() > mUnicharDataLength);
> + 
> +   mLeftOverBytes = mByteData->GetLength() - srcConsumed;
> + 
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0015-Set-correct-output-params-in-the-UTF-16-decoder.-Bug.patch b/debian/patches/security/squeeze2/0015-Set-correct-output-params-in-the-UTF-16-decoder.-Bug.patch
> new file mode 100644
> index 0000000..003e10f
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0015-Set-correct-output-params-in-the-UTF-16-decoder.-Bug.patch
> @@ -0,0 +1,100 @@
> +From 444594baf306b2ae2d5bc5385e147613dae04d2f Mon Sep 17 00:00:00 2001
> +From: Simon Montagu <smontagu@smontagu.org>
> +Date: Tue, 8 Mar 2011 09:10:15 +0200
> +Subject: Set correct output params in the UTF-16 decoder. Bug 634257, Bug
> + 638236, p=smontagu,dbaron, r=emk,smontagu, a1.9.1.18=clegnitto
> +
> +---
> + intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp |   35 +++++++++++++++++++----------
> + 1 files changed, 23 insertions(+), 12 deletions(-)
> +
> +diff --git a/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp b/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp
> +index 7093e1d..5d73277 100644
> +--- a/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp
> ++++ b/mozilla/intl/uconv/ucvlatin/nsUCS2BEToUnicode.cpp
> +@@ -63,16 +63,13 @@ UTF16ConvertToUnicode(PRUint8& aState, PRUint8& aOddByte,
> + 
> +   switch(aState) {
> +     case STATE_FOUND_BOM:
> +-      if (*aSrcLength < 2)
> +-        return NS_ERROR_ILLEGAL_INPUT;
> ++      NS_ASSERTION(*aSrcLength > 1, "buffer too short");
> +       src+=2;
> +       aState = STATE_NORMAL;
> +       break;
> + 
> +     case STATE_FIRST_CALL: // first time called
> +-      if (*aSrcLength < 2)
> +-        return NS_ERROR_ILLEGAL_INPUT;
> +-
> ++      NS_ASSERTION(*aSrcLength > 1, "buffer too short");
> +       // Eliminate BOM (0xFEFF). Note that different endian case is taken care
> +       // of in |Convert| of LE and BE converters. Here, we only have to
> +       // deal with the same endian case. That is, 0xFFFE (byte-swapped BOM) is
> +@@ -218,14 +215,19 @@ NS_IMETHODIMP
> + nsUTF16BEToUnicode::Convert(const char * aSrc, PRInt32 * aSrcLength,
> +                             PRUnichar * aDest, PRInt32 * aDestLength)
> + {
> ++    if(STATE_FIRST_CALL == mState && *aSrcLength < 2)
> ++    {
> ++      nsresult res = (*aSrcLength == 0) ? NS_OK : NS_ERROR_ILLEGAL_INPUT;
> ++      *aSrcLength=0;
> ++      *aDestLength=0;
> ++      return res;
> ++    }
> + #ifdef IS_LITTLE_ENDIAN
> +     // Remove the BOM if we're little-endian. The 'same endian' case with the
> +     // leading BOM will be taken care of by |UTF16ConvertToUnicode|.
> +     if(STATE_FIRST_CALL == mState) // Called for the first time.
> +     {
> +       mState = STATE_NORMAL;
> +-      if (*aSrcLength < 2)
> +-        return NS_ERROR_ILLEGAL_INPUT;
> +       if(0xFFFE == *((PRUnichar*)aSrc)) {
> +         // eliminate BOM (on LE machines, BE BOM is 0xFFFE)
> +         mState = STATE_FOUND_BOM;
> +@@ -253,14 +255,19 @@ NS_IMETHODIMP
> + nsUTF16LEToUnicode::Convert(const char * aSrc, PRInt32 * aSrcLength,
> +                             PRUnichar * aDest, PRInt32 * aDestLength)
> + {
> ++    if(STATE_FIRST_CALL == mState && *aSrcLength < 2)
> ++    {
> ++      nsresult res = (*aSrcLength == 0) ? NS_OK : NS_ERROR_ILLEGAL_INPUT;
> ++      *aSrcLength=0;
> ++      *aDestLength=0;
> ++      return res;
> ++    }
> + #ifdef IS_BIG_ENDIAN
> +     // Remove the BOM if we're big-endian. The 'same endian' case with the
> +     // leading BOM will be taken care of by |UTF16ConvertToUnicode|.
> +     if(STATE_FIRST_CALL == mState) // first time called
> +     {
> +       mState = STATE_NORMAL;
> +-      if (*aSrcLength < 2)
> +-        return NS_ERROR_ILLEGAL_INPUT;
> +       if(0xFFFE == *((PRUnichar*)aSrc)) {
> +         // eliminate BOM (on BE machines, LE BOM is 0xFFFE)
> +         mState = STATE_FOUND_BOM;
> +@@ -296,12 +303,16 @@ NS_IMETHODIMP
> + nsUTF16ToUnicode::Convert(const char * aSrc, PRInt32 * aSrcLength,
> +                           PRUnichar * aDest, PRInt32 * aDestLength)
> + {
> ++    if(STATE_FIRST_CALL == mState && *aSrcLength < 2)
> ++    {
> ++      nsresult res = (*aSrcLength == 0) ? NS_OK : NS_ERROR_ILLEGAL_INPUT;
> ++      *aSrcLength=0;
> ++      *aDestLength=0;
> ++      return res;
> ++    }
> +     if(STATE_FIRST_CALL == mState) // first time called
> +     {
> +       mState = STATE_NORMAL;
> +-      if (*aSrcLength < 2)
> +-        return NS_ERROR_ILLEGAL_INPUT;
> +-
> +       // check if BOM (0xFEFF) is at the beginning, remove it if found, and
> +       // set mEndian accordingly.
> +       if(0xFF == PRUint8(aSrc[0]) && 0xFE == PRUint8(aSrc[1])) {
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0017-Bug-637621-allow-selection-collapse-more-often-r-a-j.patch b/debian/patches/security/squeeze2/0017-Bug-637621-allow-selection-collapse-more-often-r-a-j.patch
> new file mode 100644
> index 0000000..b3ac1e8
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0017-Bug-637621-allow-selection-collapse-more-often-r-a-j.patch
> @@ -0,0 +1,26 @@
> +From 8fa8552b5b5651652e5123184eaf066c62203716 Mon Sep 17 00:00:00 2001
> +From: Olli Pettay <Olli.Pettay@helsinki.fi>
> +Date: Tue, 29 Mar 2011 19:36:58 +0300
> +Subject: Bug 637621, allow selection collapse more often, r+a=jst
> +
> +---
> + layout/generic/nsSelection.cpp |    3 +++
> + 1 files changed, 3 insertions(+), 0 deletions(-)
> +
> +diff --git a/mozilla/layout/generic/nsSelection.cpp b/mozilla/layout/generic/nsSelection.cpp
> +index a824a13..b9415af 100644
> +--- a/mozilla/layout/generic/nsSelection.cpp
> ++++ b/mozilla/layout/generic/nsSelection.cpp
> +@@ -5519,6 +5519,9 @@ nsTypedSelection::Collapse(nsIDOMNode* aParentNode, PRInt32 aOffset)
> +     return NS_ERROR_INVALID_ARG;
> +   if (!mFrameSelection)
> +     return NS_ERROR_NOT_INITIALIZED; // Can't do selection
> ++
> ++  nsCOMPtr<nsINode> kungfuDeathGrip = aParentNode;
> ++
> +   mFrameSelection->InvalidateDesiredX();
> +   if (!IsValidSelectionPoint(mFrameSelection, aParentNode))
> +     return NS_ERROR_FAILURE;
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0018-Bug-637621-allow-selection-collapse-more-often-r-a-j.patch b/debian/patches/security/squeeze2/0018-Bug-637621-allow-selection-collapse-more-often-r-a-j.patch
> new file mode 100644
> index 0000000..4c99123
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0018-Bug-637621-allow-selection-collapse-more-often-r-a-j.patch
> @@ -0,0 +1,26 @@
> +From 427ce0222440b392335f5dea7e701efe921831d0 Mon Sep 17 00:00:00 2001
> +From: Olli Pettay <Olli.Pettay@helsinki.fi>
> +Date: Tue, 29 Mar 2011 20:20:13 +0300
> +Subject: Bug 637621, allow selection collapse more often, r+a=jst, bustage
> + fix
> +
> +---
> + layout/generic/nsSelection.cpp |    2 +-
> + 1 files changed, 1 insertions(+), 1 deletions(-)
> +
> +diff --git a/mozilla/layout/generic/nsSelection.cpp b/mozilla/layout/generic/nsSelection.cpp
> +index b9415af..e2f5717 100644
> +--- a/mozilla/layout/generic/nsSelection.cpp
> ++++ b/mozilla/layout/generic/nsSelection.cpp
> +@@ -5520,7 +5520,7 @@ nsTypedSelection::Collapse(nsIDOMNode* aParentNode, PRInt32 aOffset)
> +   if (!mFrameSelection)
> +     return NS_ERROR_NOT_INITIALIZED; // Can't do selection
> + 
> +-  nsCOMPtr<nsINode> kungfuDeathGrip = aParentNode;
> ++  nsCOMPtr<nsIDOMNode> kungfuDeathGrip = aParentNode;
> + 
> +   mFrameSelection->InvalidateDesiredX();
> +   if (!IsValidSelectionPoint(mFrameSelection, aParentNode))
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0019-bug-645565-don-t-stomp-previous-200-response-with-an.patch b/debian/patches/security/squeeze2/0019-bug-645565-don-t-stomp-previous-200-response-with-an.patch
> new file mode 100644
> index 0000000..dfd1cde
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0019-bug-645565-don-t-stomp-previous-200-response-with-an.patch
> @@ -0,0 +1,34 @@
> +From 7b5174bc53984bcff676e724c1af6673abf8bf75 Mon Sep 17 00:00:00 2001
> +From: Daniel Veditz <dveditz@cruzio.com>
> +Date: Tue, 29 Mar 2011 13:29:31 -0700
> +Subject: bug 645565 don't stomp previous 200 response with an invalid one,
> + r=biesi, a=clegnitto
> +
> +---
> + netwerk/streamconv/converters/nsDirIndexParser.cpp |    3 +--
> + 1 files changed, 1 insertions(+), 2 deletions(-)
> +
> +diff --git a/mozilla/netwerk/streamconv/converters/nsDirIndexParser.cpp b/mozilla/netwerk/streamconv/converters/nsDirIndexParser.cpp
> +index 0927ee6..658c513 100644
> +--- a/mozilla/netwerk/streamconv/converters/nsDirIndexParser.cpp
> ++++ b/mozilla/netwerk/streamconv/converters/nsDirIndexParser.cpp
> +@@ -179,8 +179,6 @@ nsDirIndexParser::ParseFormat(const char* aFormatStr) {
> +   // Parse a "200" format line, and remember the fields and their
> +   // ordering in mFormat. Multiple 200 lines stomp on each other.
> + 
> +-  delete[] mFormat;
> +-
> +   // Lets find out how many elements we have.
> +   // easier to do this then realloc
> +   const char* pos = aFormatStr;
> +@@ -203,6 +201,7 @@ nsDirIndexParser::ParseFormat(const char* aFormatStr) {
> + 
> +   } while (*pos);
> + 
> ++  delete[] mFormat;
> +   mFormat = new int[num+1];
> +   // Prevent NULL Deref - Bug 443299 
> +   if (mFormat == nsnull)
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0020-Bug-644069-a-LegNeato.patch b/debian/patches/security/squeeze2/0020-Bug-644069-a-LegNeato.patch
> new file mode 100644
> index 0000000..bd04b5e
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0020-Bug-644069-a-LegNeato.patch
> @@ -0,0 +1,79 @@
> +From 72b99cff7db31f2c009551ad56dcc61d34fc6ebb Mon Sep 17 00:00:00 2001
> +From: Boris Zbarsky <bzbarsky@mit.edu>
> +Date: Wed, 13 Apr 2011 17:19:52 -0700
> +Subject: Bug 644069, a=LegNeato
> +
> +---
> + content/base/src/nsXMLHttpRequest.cpp |   30 +++++++++++++++---------------
> + 1 files changed, 15 insertions(+), 15 deletions(-)
> +
> +diff --git a/mozilla/content/base/src/nsXMLHttpRequest.cpp b/mozilla/content/base/src/nsXMLHttpRequest.cpp
> +index 6aa3b9b..5fbe543 100644
> +--- a/mozilla/content/base/src/nsXMLHttpRequest.cpp
> ++++ b/mozilla/content/base/src/nsXMLHttpRequest.cpp
> +@@ -937,39 +937,39 @@ nsAccessControlLRUCache::GetEntry(nsIURI* aURI,
> +     return nsnull;
> +   }
> + 
> +-  if (!mTable.Put(key, entry)) {
> +-    // Failed, clean up the new entry.
> +-    delete entry;
> +-
> +-    NS_WARNING("Failed to add entry to the access control cache!");
> +-    return nsnull;
> +-  }
> +-
> +-  PR_INSERT_LINK(entry, &mList);
> +-
> +-  NS_ASSERTION(mTable.Count() <= ACCESS_CONTROL_CACHE_SIZE + 1,
> ++  NS_ASSERTION(mTable.Count() <= ACCESS_CONTROL_CACHE_SIZE,
> +                "Something is borked, too many entries in the cache!");
> + 
> +   // Now enforce the max count.
> +-  if (mTable.Count() > ACCESS_CONTROL_CACHE_SIZE) {
> ++  if (mTable.Count() == ACCESS_CONTROL_CACHE_SIZE) {
> +     // Try to kick out all the expired entries.
> +     PRTime now = PR_Now();
> +     mTable.Enumerate(RemoveExpiredEntries, &now);
> + 
> +     // If that didn't remove anything then kick out the least recently used
> +     // entry.
> +-    if (mTable.Count() > ACCESS_CONTROL_CACHE_SIZE) {
> ++    if (mTable.Count() == ACCESS_CONTROL_CACHE_SIZE) {
> +       CacheEntry* lruEntry = static_cast<CacheEntry*>(PR_LIST_TAIL(&mList));
> +       PR_REMOVE_LINK(lruEntry);
> + 
> +       // This will delete 'lruEntry'.
> +       mTable.Remove(lruEntry->mKey);
> + 
> +-      NS_ASSERTION(mTable.Count() == ACCESS_CONTROL_CACHE_SIZE,
> ++      NS_ASSERTION(mTable.Count() == ACCESS_CONTROL_CACHE_SIZE - 1,
> +                    "Somehow tried to remove an entry that was never added!");
> +     }
> +   }
> +   
> ++  if (!mTable.Put(key, entry)) {
> ++    // Failed, clean up the new entry.
> ++    delete entry;
> ++
> ++    NS_WARNING("Failed to add entry to the access control cache!");
> ++    return nsnull;
> ++  }
> ++
> ++  PR_INSERT_LINK(entry, &mList);
> ++
> +   return entry;
> + }
> + 
> +@@ -1008,7 +1008,7 @@ nsAccessControlLRUCache::RemoveExpiredEntries(const nsACString& aKey,
> +   aValue->PurgeExpired(*now);
> +   
> +   if (aValue->mHeaders.IsEmpty() &&
> +-      aValue->mHeaders.IsEmpty()) {
> ++      aValue->mMethods.IsEmpty()) {
> +     // Expired, remove from the list as well as the hash table.
> +     PR_REMOVE_LINK(aValue);
> +     return PL_DHASH_REMOVE;
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/security/squeeze2/0021-Fixing-bug-604262.-Fix-crash-in-nsImageLoadingConten.patch b/debian/patches/security/squeeze2/0021-Fixing-bug-604262.-Fix-crash-in-nsImageLoadingConten.patch
> new file mode 100644
> index 0000000..17947bc
> --- /dev/null
> +++ b/debian/patches/security/squeeze2/0021-Fixing-bug-604262.-Fix-crash-in-nsImageLoadingConten.patch
> @@ -0,0 +1,405 @@
> +From ecd92df94d6d60d87df7d7ca6b39c526eb274ee4 Mon Sep 17 00:00:00 2001
> +From: Johnny Stenback <jst@mozilla.com>
> +Date: Wed, 20 Apr 2011 19:30:13 +0200
> +Subject: Fixing bug 604262. Fix crash in
> + nsImageLoadingContent::OnStartDecode(). r=mrbkap a=dveditz
> +
> +---
> + content/base/src/nsImageLoadingContent.cpp       |   37 +++++++++++++++++++++-
> + content/html/document/crashtests/631421.html     |   34 ++++++++++++++++++++
> + content/html/document/crashtests/crashtests.list |    1 +
> + content/html/document/src/nsImageDocument.cpp    |   26 +++++++++++++++
> + layout/generic/nsImageFrame.cpp                  |   31 +++++++++++++++++-
> + layout/svg/base/src/nsSVGImageFrame.cpp          |   26 +++++++++++++++
> + 7 files changed, 153 insertions(+), 2 deletions(-)
> + create mode 100644 content/html/document/crashtests/631421.html
> + create mode 100644 content/html/document/crashtests/631421.png
> +
> +diff --git a/mozilla/content/base/src/nsImageLoadingContent.cpp b/mozilla/content/base/src/nsImageLoadingContent.cpp
> +index 19ac416..c8eb384 100644
> +--- a/mozilla/content/base/src/nsImageLoadingContent.cpp
> ++++ b/mozilla/content/base/src/nsImageLoadingContent.cpp
> +@@ -163,13 +163,15 @@ nsImageLoadingContent::FrameChanged(imgIContainer* aContainer,
> +   LOOP_OVER_OBSERVERS(FrameChanged(aContainer, aFrame, aDirtyRect));
> +   return NS_OK;
> + }
> +-            
> ++
> + /*
> +  * imgIDecoderObserver impl
> +  */
> + NS_IMETHODIMP
> + nsImageLoadingContent::OnStartRequest(imgIRequest* aRequest)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   LOOP_OVER_OBSERVERS(OnStartRequest(aRequest));
> +   return NS_OK;
> + }
> +@@ -177,6 +179,8 @@ nsImageLoadingContent::OnStartRequest(imgIRequest* aRequest)
> + NS_IMETHODIMP
> + nsImageLoadingContent::OnStartDecode(imgIRequest* aRequest)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   LOOP_OVER_OBSERVERS(OnStartDecode(aRequest));
> +   return NS_OK;
> + }
> +@@ -185,6 +189,8 @@ NS_IMETHODIMP
> + nsImageLoadingContent::OnStartContainer(imgIRequest* aRequest,
> +                                         imgIContainer* aContainer)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   LOOP_OVER_OBSERVERS(OnStartContainer(aRequest, aContainer));
> + 
> +   // Have to check for state changes here, since we might have been in
> +@@ -197,6 +203,8 @@ NS_IMETHODIMP
> + nsImageLoadingContent::OnStartFrame(imgIRequest* aRequest,
> +                                     gfxIImageFrame* aFrame)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   LOOP_OVER_OBSERVERS(OnStartFrame(aRequest, aFrame));
> +   return NS_OK;    
> + }
> +@@ -206,6 +214,8 @@ nsImageLoadingContent::OnDataAvailable(imgIRequest* aRequest,
> +                                        gfxIImageFrame* aFrame,
> +                                        const nsRect* aRect)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   LOOP_OVER_OBSERVERS(OnDataAvailable(aRequest, aFrame, aRect));
> +   return NS_OK;
> + }
> +@@ -214,6 +224,8 @@ NS_IMETHODIMP
> + nsImageLoadingContent::OnStopFrame(imgIRequest* aRequest,
> +                                    gfxIImageFrame* aFrame)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   LOOP_OVER_OBSERVERS(OnStopFrame(aRequest, aFrame));
> +   return NS_OK;
> + }
> +@@ -222,6 +234,8 @@ NS_IMETHODIMP
> + nsImageLoadingContent::OnStopContainer(imgIRequest* aRequest,
> +                                        imgIContainer* aContainer)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   LOOP_OVER_OBSERVERS(OnStopContainer(aRequest, aContainer));
> +   return NS_OK;
> + }
> +@@ -233,6 +247,9 @@ nsImageLoadingContent::OnStopDecode(imgIRequest* aRequest,
> + {
> +   NS_PRECONDITION(aRequest == mCurrentRequest || aRequest == mPendingRequest,
> +                   "Unknown request");
> ++
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   LOOP_OVER_OBSERVERS(OnStopDecode(aRequest, aStatus, aStatusArg));
> + 
> +   if (aRequest == mPendingRequest) {
> +@@ -264,6 +281,8 @@ nsImageLoadingContent::OnStopDecode(imgIRequest* aRequest,
> + NS_IMETHODIMP
> + nsImageLoadingContent::OnStopRequest(imgIRequest* aRequest, PRBool aLastPart)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   LOOP_OVER_OBSERVERS(OnStopRequest(aRequest, aLastPart));
> + 
> +   return NS_OK;
> +@@ -276,6 +295,8 @@ nsImageLoadingContent::OnStopRequest(imgIRequest* aRequest, PRBool aLastPart)
> + NS_IMETHODIMP
> + nsImageLoadingContent::GetLoadingEnabled(PRBool *aLoadingEnabled)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   *aLoadingEnabled = mLoadingEnabled;
> +   return NS_OK;
> + }
> +@@ -283,6 +304,8 @@ nsImageLoadingContent::GetLoadingEnabled(PRBool *aLoadingEnabled)
> + NS_IMETHODIMP
> + nsImageLoadingContent::SetLoadingEnabled(PRBool aLoadingEnabled)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   if (nsContentUtils::GetImgLoader()) {
> +     mLoadingEnabled = aLoadingEnabled;
> +   }
> +@@ -292,6 +315,8 @@ nsImageLoadingContent::SetLoadingEnabled(PRBool aLoadingEnabled)
> + NS_IMETHODIMP
> + nsImageLoadingContent::GetImageBlockingStatus(PRInt16* aStatus)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   NS_PRECONDITION(aStatus, "Null out param");
> +   *aStatus = mImageBlockingStatus;
> +   return NS_OK;
> +@@ -300,6 +325,8 @@ nsImageLoadingContent::GetImageBlockingStatus(PRInt16* aStatus)
> + NS_IMETHODIMP
> + nsImageLoadingContent::AddObserver(imgIDecoderObserver* aObserver)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   NS_ENSURE_ARG_POINTER(aObserver);
> + 
> +   if (!mObserverList.mObserver) {
> +@@ -326,6 +353,8 @@ nsImageLoadingContent::AddObserver(imgIDecoderObserver* aObserver)
> + NS_IMETHODIMP
> + nsImageLoadingContent::RemoveObserver(imgIDecoderObserver* aObserver)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   NS_ENSURE_ARG_POINTER(aObserver);
> + 
> +   if (mObserverList.mObserver == aObserver) {
> +@@ -383,6 +412,8 @@ NS_IMETHODIMP
> + nsImageLoadingContent::GetRequestType(imgIRequest* aRequest,
> +                                       PRInt32* aRequestType)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   NS_PRECONDITION(aRequestType, "Null out param");
> +   
> +   if (aRequest == mCurrentRequest) {
> +@@ -419,6 +450,8 @@ NS_IMETHODIMP
> + nsImageLoadingContent::LoadImageWithChannel(nsIChannel* aChannel,
> +                                             nsIStreamListener** aListener)
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   NS_PRECONDITION(aListener, "null out param");
> +   
> +   NS_ENSURE_ARG_POINTER(aChannel);
> +@@ -456,6 +489,8 @@ nsImageLoadingContent::LoadImageWithChannel(nsIChannel* aChannel,
> + 
> + NS_IMETHODIMP nsImageLoadingContent::ForceReload()
> + {
> ++  NS_ENSURE_TRUE(nsContentUtils::IsCallerChrome() || mStartingLoad, NS_ERROR_NOT_AVAILABLE);
> ++
> +   nsCOMPtr<nsIURI> currentURI;
> +   GetCurrentURI(getter_AddRefs(currentURI));
> +   if (!currentURI) {
> +diff --git a/mozilla/content/html/document/crashtests/631421.html b/mozilla/content/html/document/crashtests/631421.html
> +new file mode 100644
> +index 0000000..e4a7b91
> +--- /dev/null
> ++++ b/mozilla/content/html/document/crashtests/631421.html
> +@@ -0,0 +1,34 @@
> ++<!DOCTYPE html>
> ++<html class="reftest-wait">
> ++<head>
> ++<script>
> ++"use strict";
> ++
> ++var f2;
> ++
> ++function newIframe()
> ++{
> ++  var f = document.createElementNS("http://www.w3.org/1999/xhtml", "iframe");
> ++  f.setAttributeNS(null, "src", "631421.png");
> ++  document.body.appendChild(f);
> ++  return f;
> ++}
> ++
> ++function b1()
> ++{
> ++  void newIframe();
> ++  f2 = newIframe();
> ++  setTimeout(b2, 0);
> ++}
> ++
> ++function b2()
> ++{
> ++  document.body.removeChild(f2);
> ++  document.documentElement.removeAttribute("class");
> ++}
> ++
> ++</script>
> ++</head>
> ++
> ++<body onload="b1();"></body>
> ++</html>
> +diff --git a/mozilla/content/html/document/crashtests/crashtests.list b/mozilla/content/html/document/crashtests/crashtests.list
> +index 1017b33..8c3dbaa 100644
> +--- a/mozilla/content/html/document/crashtests/crashtests.list
> ++++ b/mozilla/content/html/document/crashtests/crashtests.list
> +@@ -10,3 +10,4 @@ load 468562-2.html
> + load 494225.html
> + load 495543.svg
> + load 564461.xhtml
> ++load 631421.html
> +diff --git a/mozilla/content/html/document/src/nsImageDocument.cpp b/mozilla/content/html/document/src/nsImageDocument.cpp
> +index 84416e0..b3e3984 100644
> +--- a/mozilla/content/html/document/src/nsImageDocument.cpp
> ++++ b/mozilla/content/html/document/src/nsImageDocument.cpp
> +@@ -72,6 +72,7 @@
> + #include "nsIDocShell.h"
> + #include "nsIContentViewer.h"
> + #include "nsIMarkupDocumentViewer.h"
> ++#include "nsIJSContextStack.h"
> + 
> + #define AUTOMATIC_IMAGE_RESIZING_PREF "browser.enable_automatic_image_resizing"
> + 
> +@@ -351,7 +352,20 @@ nsImageDocument::Destroy()
> +     if (mObservingImageLoader) {
> +       nsCOMPtr<nsIImageLoadingContent> imageLoader = do_QueryInterface(mImageContent);
> +       if (imageLoader) {
> ++        // Push a null JSContext on the stack so that code that
> ++        // nsImageLoadingContent doesn't think it's being called by JS.  See
> ++        // Bug 631241
> ++
> ++        nsIThreadJSContextStack* stack = nsContentUtils::ThreadJSContextStack();
> ++        if (stack) {
> ++          stack->Push(nsnull);
> ++        }
> ++
> +         imageLoader->RemoveObserver(this);
> ++
> ++        if (stack) {
> ++          stack->Pop(nsnull);
> ++        }
> +       }
> +     }
> + 
> +@@ -644,6 +658,14 @@ nsImageDocument::CreateSyntheticDocument()
> +   nsCAutoString src;
> +   mDocumentURI->GetSpec(src);
> + 
> ++  // Push a null JSContext on the stack so that code that runs within
> ++  // the below code doesn't think it's being called by JS. See bug
> ++  // 604262.
> ++  nsIThreadJSContextStack* stack = nsContentUtils::ThreadJSContextStack();
> ++  if (stack) {
> ++    stack->Push(nsnull);
> ++  }
> ++
> +   NS_ConvertUTF8toUTF16 srcString(src);
> +   // Make sure not to start the image load from here...
> +   imageLoader->SetLoadingEnabled(PR_FALSE);
> +@@ -653,6 +675,10 @@ nsImageDocument::CreateSyntheticDocument()
> +   body->AppendChildTo(mImageContent, PR_FALSE);
> +   imageLoader->SetLoadingEnabled(PR_TRUE);
> + 
> ++  if (stack) {
> ++    stack->Pop(nsnull);
> ++  }
> ++
> +   return NS_OK;
> + }
> + 
> +diff --git a/mozilla/layout/generic/nsImageFrame.cpp b/mozilla/layout/generic/nsImageFrame.cpp
> +index 2d0e153..1ad6381 100644
> +--- a/mozilla/layout/generic/nsImageFrame.cpp
> ++++ b/mozilla/layout/generic/nsImageFrame.cpp
> +@@ -103,6 +103,7 @@
> + #include "nsLayoutErrors.h"
> + #include "nsBidiUtils.h"
> + #include "nsBidiPresUtils.h"
> ++#include "nsIJSContextStack.h"
> + 
> + #ifdef DEBUG
> + #undef NOISY_IMAGE_LOADING
> +@@ -239,7 +240,20 @@ nsImageFrame::Destroy()
> +   if (mListener) {
> +     nsCOMPtr<nsIImageLoadingContent> imageLoader = do_QueryInterface(mContent);
> +     if (imageLoader) {
> ++      // Push a null JSContext on the stack so that code that runs
> ++      // within the below code doesn't think it's being called by
> ++      // JS. See bug 604262.
> ++      nsIThreadJSContextStack* stack = nsContentUtils::ThreadJSContextStack();
> ++      if (stack) {
> ++        stack->Push(nsnull);
> ++      }
> ++
> +       imageLoader->RemoveObserver(mListener);
> ++
> ++      if (stack) {
> ++        stack->Pop(nsnull);
> ++      }
> ++
> +     }
> +     
> +     reinterpret_cast<nsImageListener*>(mListener.get())->SetFrame(nsnull);
> +@@ -265,7 +279,22 @@ nsImageFrame::Init(nsIContent*      aContent,
> + 
> +   nsCOMPtr<nsIImageLoadingContent> imageLoader = do_QueryInterface(aContent);
> +   NS_ENSURE_TRUE(imageLoader, NS_ERROR_UNEXPECTED);
> +-  imageLoader->AddObserver(mListener);
> ++
> ++  {
> ++    // Push a null JSContext on the stack so that code that runs
> ++    // within the below code doesn't think it's being called by
> ++    // JS. See bug 604262.
> ++    nsIThreadJSContextStack* stack = nsContentUtils::ThreadJSContextStack();
> ++    if (stack) {
> ++      stack->Push(nsnull);
> ++    }
> ++
> ++    imageLoader->AddObserver(mListener);
> ++
> ++    if (stack) {
> ++      stack->Pop(nsnull);
> ++    }
> ++  }
> + 
> +   nsPresContext *aPresContext = PresContext();
> +   
> +diff --git a/mozilla/layout/svg/base/src/nsSVGImageFrame.cpp b/mozilla/layout/svg/base/src/nsSVGImageFrame.cpp
> +index 03b6e2a..272e606 100644
> +--- a/mozilla/layout/svg/base/src/nsSVGImageFrame.cpp
> ++++ b/mozilla/layout/svg/base/src/nsSVGImageFrame.cpp
> +@@ -48,6 +48,7 @@
> + #include "gfxContext.h"
> + #include "nsIInterfaceRequestorUtils.h"
> + #include "nsIImage.h"
> ++#include "nsIJSContextStack.h"
> + 
> + class nsSVGImageFrame;
> + 
> +@@ -144,7 +145,19 @@ nsSVGImageFrame::~nsSVGImageFrame()
> +   if (mListener) {
> +     nsCOMPtr<nsIImageLoadingContent> imageLoader = do_QueryInterface(mContent);
> +     if (imageLoader) {
> ++      // Push a null JSContext on the stack so that code that runs
> ++      // within the below code doesn't think it's being called by
> ++      // JS. See bug 604262.
> ++      nsIThreadJSContextStack* stack = nsContentUtils::ThreadJSContextStack();
> ++      if (stack) {
> ++        stack->Push(nsnull);
> ++      }
> ++
> +       imageLoader->RemoveObserver(mListener);
> ++
> ++      if (stack) {
> ++        stack->Pop(nsnull);
> ++      }
> +     }
> +     reinterpret_cast<nsSVGImageListener*>(mListener.get())->SetFrame(nsnull);
> +   }
> +@@ -163,8 +176,21 @@ nsSVGImageFrame::Init(nsIContent* aContent,
> +   if (!mListener) return NS_ERROR_OUT_OF_MEMORY;
> +   nsCOMPtr<nsIImageLoadingContent> imageLoader = do_QueryInterface(mContent);
> +   NS_ENSURE_TRUE(imageLoader, NS_ERROR_UNEXPECTED);
> ++
> ++  // Push a null JSContext on the stack so that code that runs within
> ++  // the below code doesn't think it's being called by JS. See bug
> ++  // 604262.
> ++  nsIThreadJSContextStack* stack = nsContentUtils::ThreadJSContextStack();
> ++  if (stack) {
> ++    stack->Push(nsnull);
> ++  }
> ++
> +   imageLoader->AddObserver(mListener);
> + 
> ++  if (stack) {
> ++    stack->Pop(nsnull);
> ++  }
> ++
> +   return NS_OK; 
> + }
> + 
> +-- 
> +1.7.4.4
> +
> diff --git a/debian/patches/series b/debian/patches/series
> index 802a692..a69cce2 100644
> --- a/debian/patches/series
> +++ b/debian/patches/series
> @@ -13,3 +13,54 @@ Rerun-autoconf-since-configure.in-changed.patch
>  Don-t-build-unused-bsdiff.patch
>  Revert-post-release-version-bump.patch
>  Don-t-error-out-when-run-time-libsqlite-is-older-tha.patch
> +Bug-643137-strict-alignment-issues-when-displaying-O.patch
> +security/squeeze1/Bug-613376-r-josh-a1.9.1.16-dveditz.patch
> +security/squeeze1/Properly-check-attribute-URLs-Bug-562547-r-jst-r-a-d.patch
> +security/squeeze1/Fix-some-errors-with-handling-invalid-sequences-in-t.patch
> +security/squeeze1/Tests-for-bug-563618.patch
> +security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers.patch
> +security/squeeze1/Tests-for-bug-600974.patch
> +security/squeeze1/Don-t-split-a-surrogate-pair-over-two-output-buffers-2.patch
> +security/squeeze1/Tests-for-bug-600974-a-test.patch
> +security/squeeze1/Bug-616659-Initialize-eButtonPressed-to-1-r-dolske-g.patch
> +security/squeeze1/bug-607160-check-text-length-computations.-r-roc-app.patch
> +security/squeeze1/bug-616009-r-gal-a1.9.1.17-clegnitto.patch
> +security/squeeze1/Bug-614499-release-old-mListRoot-members-r-bz-a-cleg.patch
> +security/squeeze1/Bug-558531-fix-typo-in-JS_ResolveStandardClass-r-wal.patch
> +security/squeeze1/Bug-576649.-r-dbaron-a-blocking1.9.1.17.patch
> +security/squeeze1/Bug-558541-Simplify-some-code-in-js_SetPropertyHelpe.patch
> +security/squeeze1/bug-622015-r-brendan-a-clegnitto.patch
> +security/squeeze1/Bug-602115-Fix-XSLT-error-handling-bugs.-r-peterv-a-.patch
> +security/squeeze1/followup-for-bug-602115.-Missed-this-when-I-moved-pa.patch
> +security/squeeze1/bug-600853-regression-fix-r-brendan-a-clegnitto.patch
> +security/squeeze1/Fix-for-bug-605672-Fix-reason-for-invalid-scope-asse.patch
> +security/squeeze1/bug-563243-backport-of-Blake-Kaplan-s-tracemonkey-mo.patch
> +security/squeeze1/Bug-626631-nsAutoJSValHolder-should-root-its-jsval-r.patch
> +security/squeeze1/Fix-hard-case-destructurinv-vs.-for-var-.-.-in-.-bug.patch
> +security/squeeze1/Fix-MakeUpvarForEval-vs.-normal-upvar-bookkeeping-61.patch
> +security/squeeze1/Bug-553808-assertion-setting-template-datasources-r-.patch
> +security/squeeze1/Bug-608687-clear-mRoot-after-uninitializing-so-that-.patch
> +security/squeeze1/Bug-611910-r-josh-a-blocking1.9.1.17.patch
> +security/squeeze1/Bug-614116-Enforce-HTTP-mode-when-setting-a-storage-.patch
> +security/squeeze1/Bug-573873-Fix-bug-in-HTTP-handling-for-plugins.-r-j.patch
> +security/squeeze1/Bug-573873-Bustage-fix.-a-dveditz.patch
> +security/squeeze2/0001-Correctly-fix-up-the-parentage-of-child-sheets-when-.patch
> +security/squeeze2/0002-Bug-615147.-r-dbaron-a-dveditz.patch
> +security/squeeze2/0003-Bug-595593.-r-vlad-a-b.patch
> +security/squeeze2/0004-Bug-624187-r-smaug-a-dveditz.patch
> +security/squeeze2/0005-Issue-console-warning-when-we-abort-reflow-because-t.patch
> +security/squeeze2/0006-Report-incomplete-reflow-status-as-appropriate-when-.patch
> +security/squeeze2/0007-Fix-bug-624764.-r-bsmedberg-a-clegnitto.patch
> +security/squeeze2/0008-Bug-527935-Fire-the-input-event-for-text-controls-wi.patch
> +security/squeeze2/0009-Bug-623998-Reduce-frameset-size-limit-r-roc-a1.9.1.1.patch
> +security/squeeze2/0010-Bug-635977.-Make-sure-to-always-send-OnStartRequest-.patch
> +security/squeeze2/0011-Bug-630919-add-collect-and-invalidate-phases-for-tre.patch
> +security/squeeze2/0012-Bug-634986.-Don-t-act-like-we-re-redirecting-if-we-d.patch
> +security/squeeze2/0013-bug-635705.-r-bzbarsky-a-dveditz.patch
> +security/squeeze2/0014-Fix-converter-stream-part-of-bug-638236.-r-bzbarsky-.patch
> +security/squeeze2/0015-Set-correct-output-params-in-the-UTF-16-decoder.-Bug.patch
> +security/squeeze2/0017-Bug-637621-allow-selection-collapse-more-often-r-a-j.patch
> +security/squeeze2/0018-Bug-637621-allow-selection-collapse-more-often-r-a-j.patch
> +security/squeeze2/0019-bug-645565-don-t-stomp-previous-200-response-with-an.patch
> +security/squeeze2/0020-Bug-644069-a-LegNeato.patch
> +security/squeeze2/0021-Fixing-bug-604262.-Fix-crash-in-nsImageLoadingConten.patch





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#619850; Package release.debian.org. (Wed, 08 Jun 2011 18:57:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 08 Jun 2011 18:57:06 GMT) Full text and rfc822 format available.

Message #25 received at 619850@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Guido Günther <agx@sigxcpu.org>, 619850@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#619850: pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff
Date: Wed, 08 Jun 2011 19:56:00 +0100
On Tue, 2011-06-07 at 09:25 +0200, Guido Günther wrote:
> On Sun, May 08, 2011 at 02:35:19PM +0200, Guido Günther wrote:
> > On Sat, Apr 30, 2011 at 04:57:53PM +0100, Adam D. Barratt wrote:
[...]
> > > On Sun, 2011-03-27 at 22:27 +0200, Guido Günther wrote:,
> > > > I'd like to push iceowl 1.0~b1+dfsg2-2.squeeze1 to squeeze proposed
> > > > updates. It contains the same updates as current icedove. 
> > > 
> > > Presumably this now requires a further update, in light of at least
> > > MFSA2011-12?
> > 
> > Indeed. I've added all the patches that got added to xulrunner and
> > icedove recently (attached).
> 
> Ping. Can this be pushed to s-p-u?

I hadn't realised the above was as long ago as it was; apologies for
that.  However, the main reason I'd left it flagged as waiting was the
hope of a response to...

> > > I do note that the discussion before the release about updating iceowl
> > > in stable very much implied that security updates would be pushed via
> > > the security archive, albeit not as the security team's top priority.
> > 
> > The update in stable was necessary to move iceowl to the same codebase
> > as icedove/xulrunner making it possible to reuse the patches. I'm
> > putting the security team on cc: so we can figure out how to best get
> > the updated iceowl versions into stable.

... this.  There doesn't appear to have been any follow-up from the
security team on the bug; has there been any discussion elsewhere?

Regards,

Adam





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#619850; Package release.debian.org. (Sun, 12 Jun 2011 20:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sun, 12 Jun 2011 20:15:03 GMT) Full text and rfc822 format available.

Message #30 received at 619850@bugs.debian.org (full text, mbox):

From: Guido Günther <agx@sigxcpu.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 619850@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#619850: pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff
Date: Sun, 12 Jun 2011 22:11:04 +0200
On Wed, Jun 08, 2011 at 07:56:00PM +0100, Adam D. Barratt wrote:
> On Tue, 2011-06-07 at 09:25 +0200, Guido Günther wrote:
> > On Sun, May 08, 2011 at 02:35:19PM +0200, Guido Günther wrote:
> > > On Sat, Apr 30, 2011 at 04:57:53PM +0100, Adam D. Barratt wrote:
> [...]
> > > > On Sun, 2011-03-27 at 22:27 +0200, Guido Günther wrote:,
> > > > > I'd like to push iceowl 1.0~b1+dfsg2-2.squeeze1 to squeeze proposed
> > > > > updates. It contains the same updates as current icedove. 
> > > > 
> > > > Presumably this now requires a further update, in light of at least
> > > > MFSA2011-12?
> > > 
> > > Indeed. I've added all the patches that got added to xulrunner and
> > > icedove recently (attached).
> > 
> > Ping. Can this be pushed to s-p-u?
> 
> I hadn't realised the above was as long ago as it was; apologies for
> that.  However, the main reason I'd left it flagged as waiting was the
> hope of a response to...
> 
> > > > I do note that the discussion before the release about updating iceowl
> > > > in stable very much implied that security updates would be pushed via
> > > > the security archive, albeit not as the security team's top priority.
> > > 
> > > The update in stable was necessary to move iceowl to the same codebase
> > > as icedove/xulrunner making it possible to reuse the patches. I'm
> > > putting the security team on cc: so we can figure out how to best get
> > > the updated iceowl versions into stable.
> 
> ... this.  There doesn't appear to have been any follow-up from the
> security team on the bug; has there been any discussion elsewhere?

Not that I know of. I think README.Debian still holds:

# There's no upstream security support for iceowl and iceowl-extension since
# lightning is still under development without an officially supported version by
# upstream. New lightning upstream versions add features and require new
# icedove/thunderbird versions to function.

# Therefore Debian doesn't offer official security support for this package.

Nevertheless we should fix what is easily fixable.
Cheers,
 -- Guido




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#619850; Package release.debian.org. (Fri, 17 Jun 2011 20:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Fri, 17 Jun 2011 20:27:03 GMT) Full text and rfc822 format available.

Message #35 received at 619850@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Guido Günther <agx@sigxcpu.org>, 619850@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#619850: pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff
Date: Fri, 17 Jun 2011 21:21:56 +0100
tag 619850 + squeeze confirmed
thanks

On Sun, 2011-06-12 at 22:11 +0200, Guido Günther wrote:
> On Wed, Jun 08, 2011 at 07:56:00PM +0100, Adam D. Barratt wrote:
[...]
> > > > > I do note that the discussion before the release about updating iceowl
> > > > > in stable very much implied that security updates would be pushed via
> > > > > the security archive, albeit not as the security team's top priority.
> > > > 
> > > > The update in stable was necessary to move iceowl to the same codebase
> > > > as icedove/xulrunner making it possible to reuse the patches. I'm
> > > > putting the security team on cc: so we can figure out how to best get
> > > > the updated iceowl versions into stable.
> > 
> > ... this.  There doesn't appear to have been any follow-up from the
> > security team on the bug; has there been any discussion elsewhere?
> 
> Not that I know of. I think README.Debian still holds:
[...]
> # Therefore Debian doesn't offer official security support for this package.
> 
> Nevertheless we should fix what is easily fixable.

Ack, and apologies again for the delays.  Please go ahead, bearing in
mind that the acceptance window for 6.0.2 closes over the weekend.

Regards,

Adam





Added tag(s) squeeze and confirmed. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Fri, 17 Jun 2011 20:27:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#619850; Package release.debian.org. (Sat, 18 Jun 2011 10:27:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Guido Günther <agx@sigxcpu.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 18 Jun 2011 10:27:06 GMT) Full text and rfc822 format available.

Message #42 received at 619850@bugs.debian.org (full text, mbox):

From: Guido Günther <agx@sigxcpu.org>
To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: 619850@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#619850: pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff
Date: Sat, 18 Jun 2011 12:24:28 +0200
Hi Adam,
On Fri, Jun 17, 2011 at 09:21:56PM +0100, Adam D. Barratt wrote:
> tag 619850 + squeeze confirmed
> thanks
> 
> On Sun, 2011-06-12 at 22:11 +0200, Guido Günther wrote:
> > On Wed, Jun 08, 2011 at 07:56:00PM +0100, Adam D. Barratt wrote:
> [...]
> > > > > > I do note that the discussion before the release about updating iceowl
> > > > > > in stable very much implied that security updates would be pushed via
> > > > > > the security archive, albeit not as the security team's top priority.
> > > > > 
> > > > > The update in stable was necessary to move iceowl to the same codebase
> > > > > as icedove/xulrunner making it possible to reuse the patches. I'm
> > > > > putting the security team on cc: so we can figure out how to best get
> > > > > the updated iceowl versions into stable.
> > > 
> > > ... this.  There doesn't appear to have been any follow-up from the
> > > security team on the bug; has there been any discussion elsewhere?
> > 
> > Not that I know of. I think README.Debian still holds:
> [...]
> > # Therefore Debian doesn't offer official security support for this package.
> > 
> > Nevertheless we should fix what is easily fixable.
> 
> Ack, and apologies again for the delays.  Please go ahead, bearing in
> mind that the acceptance window for 6.0.2 closes over the weekend.
Uploaded now. Thanks a lot!
 -- Guido




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#619850; Package release.debian.org. (Sat, 18 Jun 2011 16:27:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Adam D. Barratt" <adam@adam-barratt.org.uk>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Sat, 18 Jun 2011 16:27:03 GMT) Full text and rfc822 format available.

Message #47 received at 619850@bugs.debian.org (full text, mbox):

From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
To: Guido Günther <agx@sigxcpu.org>, <619850@bugs.debian.org>
Cc: <team@security.debian.org>
Subject: Re: Bug#619850: pu: package iceowl/1.0~b1+dfsg2-2.squeeze1.diff
Date: Sat, 18 Jun 2011 17:23:40 +0100
tag 619850 + pending
thanks

On Sat, 18 Jun 2011 12:24:28 +0200, Guido Günther wrote:
> Hi Adam,
> On Fri, Jun 17, 2011 at 09:21:56PM +0100, Adam D. Barratt wrote:
>> On Sun, 2011-06-12 at 22:11 +0200, Guido Günther wrote:
>> > # Therefore Debian doesn't offer official security support for 
>> this package.
>> >
>> > Nevertheless we should fix what is easily fixable.
>>
>> Ack, and apologies again for the delays.  Please go ahead, bearing 
>> in
>> mind that the acceptance window for 6.0.2 closes over the weekend.
> Uploaded now. Thanks a lot!

Flagged for acceptance at the next dinstall; thanks.

Regards,

Adam




Added tag(s) pending. Request was from "Adam D. Barratt" <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sat, 18 Jun 2011 16:27:05 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 6.0.2, send any further explanations to Guido Günther <agx@sigxcpu.org> Request was from Adam D. Barratt <adam@adam-barratt.org.uk> to control@bugs.debian.org. (Sun, 26 Jun 2011 15:03:11 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jul 2011 07:39:10 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 04:14:02 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.