author | Joe Marcus Clarke <marcus@FreeBSD.org> | 2004-09-28 03:20:33 +0000 |
---|---|---|
committer | Joe Marcus Clarke <marcus@FreeBSD.org> | 2004-09-28 03:20:33 +0000 |
commit | 235d74f9546cab8a468e95a9bfd221f3d6ec77c7 (patch) | |
tree | bc131e6e3bd475693c59629b60325e8f8cf56020 /www/seamonkey2/files | |
parent | a26627391935351565007904d14534e7b7bc3bd2 (diff) | |
download | ports-235d74f9546cab8a468e95a9bfd221f3d6ec77c7.tar.gz ports-235d74f9546cab8a468e95a9bfd221f3d6ec77c7.zip |
Patch the various recently reported security vulnerabilities in Mozilla.
This update covers the following Mozilla bugs:
245066
226669
250862
255067
256316
257317
258005
Thanks to nectar for scraping all of these patches together.
Obtained from: Mozilla CVS
Approved by: portmgr (implicit)
Notes
Notes:
svn path=/head/; revision=118475
Diffstat (limited to 'www/seamonkey2/files')
-rw-r--r-- | www/seamonkey2/files/patch-250862 | 22 | ||||
-rw-r--r-- | www/seamonkey2/files/patch-255067 | 60 | ||||
-rw-r--r-- | www/seamonkey2/files/patch-256316 | 18 | ||||
-rw-r--r-- | www/seamonkey2/files/patch-257314 | 31 | ||||
-rw-r--r-- | www/seamonkey2/files/patch-258005 | 278 |
5 files changed, 409 insertions, 0 deletions
diff --git a/www/seamonkey2/files/patch-250862 b/www/seamonkey2/files/patch-250862
new file mode 100644
index 000000000000..05423dc84195
--- /dev/null
+++ b/www/seamonkey2/files/patch-250862
@@ -0,0 +1,22 @@
+Index: mozilla/xpfe/communicator/resources/content/contentAreaDD.js
+===================================================================
+RCS file: /cvsroot/mozilla/xpfe/communicator/resources/content/contentAreaDD.js,v
+retrieving revision 1.32
+retrieving revision 1.32.88.1
+diff -u -r1.32 -r1.32.88.1
+--- xpfe/communicator/resources/content/contentAreaDD.js 10 Jul 2002 01:23:50 -0000 1.32
++++ xpfe/communicator/resources/content/contentAreaDD.js 27 Aug 2004 01:13:39 -0000 1.32.88.1
+@@ -53,8 +53,11 @@
+ {
+ var url = transferUtils.retrieveURLFromData(aXferData.data, aXferData.flavour.contentType);
+
+- // valid urls don't contain spaces ' '; if we have a space it isn't a valid url so bail out
+- if (!url || !url.length || url.indexOf(" ", 0) != -1)
++ // valid urls don't contain spaces ' '; if we have a space it
++ // isn't a valid url, or if it's a javascript: or data: url,
++ // bail out
++ if (!url || !url.length || url.indexOf(" ", 0) != -1 ||
++ /^\s*(javascript|data):/.test(url))
+ return;
+
+ switch (document.firstChild.getAttribute('windowtype')) {
diff --git a/www/seamonkey2/files/patch-255067 b/www/seamonkey2/files/patch-255067
new file mode 100644
index 000000000000..cddf17ca8328
--- /dev/null
+++ b/www/seamonkey2/files/patch-255067
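Review bot: In patch-250862 the added test `/^\s*(javascript|data):/.test(url)` is case-sensitive, while URL scheme names are case-insensitive, so a dropped URL whose scheme is written with upper-case letters is not caught by this check. Adding the `i` flag, `/^\s*(javascript|data):/i.test(url)`, closes that gap without changing the rest of the condition. The check is also a deny-list of two schemes; which other schemes can arrive through `retrieveURLFromData` is not visible here, so an allow-list of the schemes expected from a drop may be worth considering. The enclosing function starts and ends outside the hunk.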
@@ -0,0 +1,60 @@
+Index: mozilla/gfx/src/shared/gfxImageFrame.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/shared/gfxImageFrame.cpp,v
+retrieving revision 1.26
+retrieving revision 1.26.12.1
+diff -u -r1.26 -r1.26.12.1
+--- gfx/src/shared/gfxImageFrame.cpp 16 Jan 2004 23:28:48 -0000 1.26
++++ gfx/src/shared/gfxImageFrame.cpp 27 Aug 2004 11:02:58 -0000 1.26.12.1
+@@ -72,6 +72,13 @@
+ return NS_ERROR_FAILURE;
+ }
+
++ /* reject over-wide or over-tall images */
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if ( aWidth > k64KLimit || aHeight > k64KLimit ){
++ NS_ERROR("image too big");
++ return NS_ERROR_FAILURE;
++ }
++
+ nsresult rv;
+
+ mOffset.MoveTo(aX, aY);
+Index: mozilla/gfx/src/windows/nsImageWin.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/gfx/src/windows/nsImageWin.cpp,v
+retrieving revision 3.130.2.1
+retrieving revision 3.130.2.1.6.1
+diff -u -r3.130.2.1 -r3.130.2.1.6.1
+--- gfx/src/windows/nsImageWin.cpp 11 May 2004 21:53:49 -0000 3.130.2.1
++++ gfx/src/windows/nsImageWin.cpp 27 Aug 2004 11:02:58 -0000 3.130.2.1.6.1
+@@ -131,6 +131,10 @@
+ return NS_ERROR_UNEXPECTED;
+ }
+
++ // limit images to 64k pixels on a side (~55 feet on a 100dpi monitor)
++ const PRInt32 k64KLimit = 0x0000FFFF;
++ if (aWidth > k64KLimit || aHeight > k64KLimit)
++ return NS_ERROR_FAILURE;
+
+ if (mNumPaletteColors >= 0){
+ // If we have a palette
+Index: mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp,v
+retrieving revision 1.24.2.1
+retrieving revision 1.24.2.1.6.1
+diff -u -r1.24.2.1 -r1.24.2.1.6.1
+--- modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 13 May 2004 22:27:35 -0000 1.24.2.1
++++ modules/libpr0n/decoders/bmp/nsBMPDecoder.cpp 27 Aug 2004 11:02:58 -0000 1.24.2.1.6.1
+@@ -274,7 +274,9 @@
+ CalcBitShift();
+ }
+ // BMPs with negative width are invalid
+- if (mBIH.width < 0)
++ // Reject extremely wide images to keep the math sane
++ const PRInt32 k64KWidth = 0x0000FFFF;
++ if (mBIH.width < 0 || mBIH.width > k64KWidth)
+ return NS_ERROR_FAILURE;
+
+ PRUint32 real_height = (mBIH.height > 0) ? mBIH.height : -mBIH.height;
diff --git a/www/seamonkey2/files/patch-256316 b/www/seamonkey2/files/patch-256316
new file mode 100644
index 000000000000..147d15e5303d
--- /dev/null
+++ b/www/seamonkey2/files/patch-256316
@@ -0,0 +1,18 @@
+Index: mozilla/netwerk/dns/src/nsIDNService.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/netwerk/dns/src/nsIDNService.cpp,v
+retrieving revision 1.18
+retrieving revision 1.18.10.1
+diff -u -r1.18 -r1.18.10.1
+--- netwerk/dns/src/nsIDNService.cpp 3 Apr 2004 07:32:18 -0000 1.18
++++ netwerk/dns/src/nsIDNService.cpp 27 Aug 2004 11:23:21 -0000 1.18.10.1
+@@ -242,6 +242,9 @@
+
+ NS_IMETHODIMP nsIDNService::Normalize(const nsACString & input, nsACString & output)
+ {
++ // protect against bogus input
++ NS_ENSURE_TRUE(IsUTF8(input), NS_ERROR_UNEXPECTED);
++
+ nsAutoString outUTF16;
+ nsresult rv = stringPrep(NS_ConvertUTF8toUTF16(input), outUTF16);
+ if (NS_SUCCEEDED(rv))
diff --git a/www/seamonkey2/files/patch-257314 b/www/seamonkey2/files/patch-257314
new file mode 100644
index 000000000000..8bcc707b9dd9
--- /dev/null
+++ b/www/seamonkey2/files/patch-257314
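Review bot: In patch-255067 the new `k64KLimit` checks cap each side at 0xFFFF, but two sides at that cap already multiply to more than a signed 32-bit value can hold, before any bytes-per-pixel factor, so the per-side cap alone does not bound the buffer size computed later. That size arithmetic is outside these hunks; where it happens, an explicit check on the product (for example comparing the height against the maximum allocation divided by the row size) would make the bound hold. In the nsBMPDecoder.cpp hunk only `mBIH.width` is limited, and the context line still evaluates `-mBIH.height` for any negative height, including the most negative value, so limiting the height there as well would keep that negation well defined. The same constant is declared three times under two names (`k64KLimit`, `k64KWidth`); one shared definition would keep the limits in step.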
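Review bot: In patch-256316 the comment `// protect against bogus input` does not say what is rejected or why; something like `// reject input that is not valid UTF-8 before NS_ConvertUTF8toUTF16() and stringPrep() see it` would tell the next reader what the guard is for. The guard is added to `Normalize` only, and the other nsIDNService methods that take an `nsACString` are not part of this hunk, so it is worth confirming that they either go through `Normalize` or carry the same `IsUTF8` check. `Normalize`'s body continues past the end of the hunk.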
@@ -0,0 +1,31 @@
+Index: nsVCardObj.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/mailnews/addrbook/src/nsVCardObj.cpp,v
+retrieving revision 1.2
+retrieving revision 1.2.24.1
+diff -u -r1.2 -r1.2.24.1
+--- mailnews/addrbook/src/nsVCardObj.cpp 14 Sep 2003 21:45:58 -0000 1.2
++++ mailnews/addrbook/src/nsVCardObj.cpp 31 Aug 2004 07:44:25 -0000 1.2.24.1
+@@ -1344,16 +1344,13 @@
+
+ static void writeGroup(OFile *fp, VObject *o)
+ {
+- char buf1[256];
+- char buf2[256];
+- PL_strcpy(buf1,NAME_OF(o));
+- while ((o=isAPropertyOf(o,VCGroupingProp)) != 0) {
+- PL_strcpy(buf2,STRINGZ_VALUE_OF(o));
+- PL_strcat(buf2,".");
+- PL_strcat(buf2,buf1);
+- PL_strcpy(buf1,buf2);
++ nsCAutoString buf(NAME_OF(o));
++
++ while ((o=isAPropertyOf(o,VCGroupingProp)) != 0) {
++ buf.Insert(NS_LITERAL_CSTRING("."), 0);
++ buf.Insert(STRINGZ_VALUE_OF(o), 0);
+ }
+- appendsOFile(fp,buf1);
++ appendsOFile(fp, buf.get());
+ }
+
+ static int inList(const char **list, const char *s)
diff --git a/www/seamonkey2/files/patch-258005 b/www/seamonkey2/files/patch-258005
new file mode 100644
index 000000000000..fc20d4b596cf
--- /dev/null
+++ b/www/seamonkey2/files/patch-258005
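Review bot: In patch-257314 the rewritten `writeGroup` passes `NAME_OF(o)` and `STRINGZ_VALUE_OF(o)` straight into the `nsCAutoString` constructor and `Insert`, with no check that either pointer is non-null or that the grouping property actually holds a string value. The macro definitions are outside the hunk, so this may already be guaranteed, but since the values presumably originate in parsed vCard data, a guard such as `const char *grp = STRINGZ_VALUE_OF(o); if (!grp) break;` ahead of the inserts would make the assumption explicit. A one-line comment saying why the fixed `char buf1[256]` buffers were replaced (group names are not length-limited) would also help the next reader. The commit message lists bug 257317 while this file is named patch-257314; one of the two numbers looks like a typo.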
@@ -0,0 +1,278 @@
+Index: nsMsgCompUtils.cpp
+===================================================================
+RCS file: /cvsroot/mozilla/mailnews/compose/src/nsMsgCompUtils.cpp,v
+retrieving revision 1.161
+retrieving revision 1.161.10.1
+diff -u -r1.161 -r1.161.10.1
+--- mailnews/compose/src/nsMsgCompUtils.cpp 12 Mar 2004 07:23:38 -0000 1.161
++++ mailnews/compose/src/nsMsgCompUtils.cpp 8 Sep 2004 19:27:53 -0000 1.161.10.1
+@@ -821,16 +821,7 @@
+ nsresult rv;
+ nsCOMPtr<nsIPref> prefs(do_GetService(kPrefCID, &rv));
+
+- PRInt32 buffer_size = 2048 + (real_name ? 2*PL_strlen(real_name) : 0) + (base_url ? 2*PL_strlen(base_url) : 0) +
+- (type_param ? PL_strlen(type_param) : 0) + (encoding ? PL_strlen(encoding) : 0) +
+- (description ? PL_strlen(description) : 0) + (x_mac_type ? PL_strlen(x_mac_type) : 0) +
+- (x_mac_creator ? PL_strlen(x_mac_creator) : 0) + (attachmentCharset ? PL_strlen(attachmentCharset) : 0) +
+- (bodyCharset ? PL_strlen(bodyCharset) : 0) + (content_id ? PL_strlen(content_id) : 0);
+- char *buffer = (char *) PR_Malloc (buffer_size);
+- char *buffer_tail = buffer;
+-
+- if (! buffer)
+- return 0; /* NS_ERROR_OUT_OF_MEMORY */
++ nsCString buf("");
+
+ NS_ASSERTION (encoding, "null encoding");
+
+@@ -874,14 +865,13 @@
+ }
+ }
+
+- PUSH_STRING ("Content-Type: ");
+- PUSH_STRING (type);
+-
++ buf.Append("Content-Type: ");
++ buf.Append(type);
+ if (type_param && *type_param)
+ {
+ if (*type_param != ';')
+- PUSH_STRING("; ");
+- PUSH_STRING(type_param);
++ buf.Append("; ");
++ buf.Append(type_param);
+ }
+
+ if (mime_type_needs_charset (type))
+@@ -918,8 +908,8 @@
+ (PL_strcasecmp(encoding, ENCODING_BASE64) != 0)) &&
+ (*charset_label))
+ {
+- PUSH_STRING ("; charset=");
+- PUSH_STRING (charset_label);
++ buf.Append("; charset=");
++ buf.Append(charset_label);
+ }
+ }
+
+@@ -930,7 +920,7 @@
+ if(type && !PL_strcasecmp(type, "text/plain"))
+ {
+ if(UseFormatFlowed(bodyCharset))
+- PUSH_STRING ("; format=flowed");
++ buf.Append("; format=flowed");
+ // else
+ // {
+ // Don't add a markup. Could use
+@@ -942,59 +932,59 @@
+ }
+
+ if (x_mac_type && *x_mac_type) {
+- PUSH_STRING ("; x-mac-type=\"");
+- PUSH_STRING (x_mac_type);
+- PUSH_STRING ("\"");
++ buf.Append("; x-mac-type=\"");
++ buf.Append(x_mac_type);
++ buf.Append("\"");
+ }
+
+ if (x_mac_creator && *x_mac_creator) {
+- PUSH_STRING ("; x-mac-creator=\"");
+- PUSH_STRING (x_mac_creator);
+- PUSH_STRING ("\"");
++ buf.Append("; x-mac-creator=\"");
++ buf.Append(x_mac_creator);
++ buf.Append("\"");
+ }
+
+ #ifdef EMIT_NAME_IN_CONTENT_TYPE
+ if (encodedRealName && *encodedRealName) {
+ if (parmFolding == 0 || parmFolding == 1) {
+- PUSH_STRING (";\r\n name=\"");
+- PUSH_STRING (encodedRealName);
+- PUSH_STRING ("\"");
++ buf.Append(";\r\n name=\"");
++ buf.Append(encodedRealName);
++ buf.Append("\"");
+ }
+ else // if (parmFolding == 2)
+ {
+ char *rfc2231Parm = RFC2231ParmFolding("name", charset.get(),
+ nsMsgI18NGetAcceptLanguage(), encodedRealName);
+ if (rfc2231Parm) {
+- PUSH_STRING(";\r\n ");
+- PUSH_STRING(rfc2231Parm);
++ buf.Append(";\r\n ");
++ buf.Append(rfc2231Parm);
+ PR_Free(rfc2231Parm);
+ }
+ }
+ }
+ #endif /* EMIT_NAME_IN_CONTENT_TYPE */
++ buf.Append(CRLF);
+
+- PUSH_NEWLINE ();
++ buf.Append("Content-Transfer-Encoding: ");
++ buf.Append(encoding);
+
+- PUSH_STRING ("Content-Transfer-Encoding: ");
+- PUSH_STRING (encoding);
+- PUSH_NEWLINE ();
++ buf.Append(CRLF);
+
+ if (description && *description) {
+ char *s = mime_fix_header (description);
+ if (s) {
+- PUSH_STRING ("Content-Description: ");
+- PUSH_STRING (s);
+- PUSH_NEWLINE ();
++ buf.Append("Content-Description: ");
++ buf.Append(s);
++ buf.Append(CRLF);
+ PR_Free(s);
+ }
+ }
+
+ if ( (content_id) && (*content_id) )
+ {
+- PUSH_STRING ("Content-ID: <");
+- PUSH_STRING (content_id);
+- PUSH_STRING (">");
+- PUSH_NEWLINE ();
++ buf.Append("Content-ID: <");
++ buf.Append(content_id);
++ buf.Append(">");
++ buf.Append(CRLF);
+ }
+
+ if (encodedRealName && *encodedRealName) {
+@@ -1004,15 +994,15 @@
+ rv = prefs->GetIntPref("mail.content_disposition_type", &pref_content_disposition);
+ NS_ASSERTION(NS_SUCCEEDED(rv), "failed to get mail.content_disposition_type");
+
+- PUSH_STRING ("Content-Disposition: ");
++ buf.Append("Content-Disposition: ");
+
+ if (pref_content_disposition == 1)
+- PUSH_STRING ("attachment");
++ buf.Append("attachment");
+ else
+ if (pref_content_disposition == 2 &&
+ (!PL_strcasecmp(type, TEXT_PLAIN) ||
+ (period && !PL_strcasecmp(period, ".txt"))))
+- PUSH_STRING("attachment");
++ buf.Append("attachment");
+
+ /* If this document is an anonymous binary file or a vcard,
+ then always show it as an attachment, never inline. */
+@@ -1020,23 +1010,23 @@
+ if (!PL_strcasecmp(type, APPLICATION_OCTET_STREAM) ||
+ !PL_strcasecmp(type, TEXT_VCARD) ||
+ !PL_strcasecmp(type, APPLICATION_DIRECTORY)) /* text/x-vcard synonym */
+- PUSH_STRING ("attachment");
++ buf.Append("attachment");
+ else
+- PUSH_STRING ("inline");
++ buf.Append("inline");
+
+ if (parmFolding == 0 || parmFolding == 1) {
+- PUSH_STRING (";\r\n filename=\"");
+- PUSH_STRING (encodedRealName);
+- PUSH_STRING ("\"" CRLF);
++ buf.Append(";\r\n filename=\"");
++ buf.Append(encodedRealName);
++ buf.Append("\"" CRLF);
+ }
+ else // if (parmFolding == 2)
+ {
+ char *rfc2231Parm = RFC2231ParmFolding("filename", charset.get(),
+ nsMsgI18NGetAcceptLanguage(), encodedRealName);
+ if (rfc2231Parm) {
+- PUSH_STRING(";\r\n ");
+- PUSH_STRING(rfc2231Parm);
+- PUSH_NEWLINE ();
++ buf.Append(";\r\n ");
++ buf.Append(rfc2231Parm);
++ buf.Append(CRLF);
+ PR_Free(rfc2231Parm);
+ }
+ }
+@@ -1045,7 +1035,7 @@
+ if (type &&
+ (!PL_strcasecmp (type, MESSAGE_RFC822) ||
+ !PL_strcasecmp (type, MESSAGE_NEWS)))
+- PUSH_STRING ("Content-Disposition: inline" CRLF);
++ buf.Append("Content-Disposition: inline" CRLF);
+
+ #ifdef GENERATE_CONTENT_BASE
+ /* If this is an HTML document, and we know the URL it originally
+@@ -1079,9 +1069,9 @@
+ prefs->GetBoolPref("mail.use_content_location_on_send", &useContentLocation);
+
+ if (useContentLocation)
+- PUSH_STRING ("Content-Location: \"");
++ buf.Append("Content-Location: \"");
+ else
+- PUSH_STRING ("Content-Base: \"");
++ buf.Append("Content-Base: \"");
+ /* rhp - Pref for Content-Location usage */
+
+ /* rhp: this is to work with the Content-Location stuff */
+@@ -1089,34 +1079,34 @@
+
+ while (*s != 0 && *s != '#')
+ {
+- const char *ot = buffer_tail;
+-
++ PRUint32 ot=buf.Length();
++ char tmp[]="\x00\x00";
+ /* URLs must be wrapped at 40 characters or less. */
+ if (col >= 38) {
+- PUSH_STRING(CRLF "\t");
++ buf.Append(CRLF "\t");
+ col = 0;
+ }
+
+ if (*s == ' ')
+- PUSH_STRING("%20");
++ buf.Append("%20");
+ else if (*s == '\t')
+- PUSH_STRING("%09");
++ buf.Append("%09");
+ else if (*s == '\n')
+- PUSH_STRING("%0A");
++ buf.Append("%0A");
+ else if (*s == '\r')
+- PUSH_STRING("%0D");
++ buf.Append("%0D");
+ else {
+- *buffer_tail++ = *s;
+- *buffer_tail = '\0';
++ tmp[0]=*s;
++ buf.Append(tmp);
+ }
+ s++;
+- col += (buffer_tail - ot);
++ col += (buf.Length() - ot);
+ }
+- PUSH_STRING ("\"" CRLF);
++ buf.Append("\"" CRLF);
+
+ /* rhp: this is to try to get around this fun problem with Content-Location */
+ if (!useContentLocation) {
+- PUSH_STRING ("Content-Location: \"");
++ buf.Append("Content-Location: \"");
+ s = base_url;
+ col = 0;
+ useContentLocation = PR_TRUE;
+@@ -1130,10 +1120,9 @@
+ #endif /* GENERATE_CONTENT_BASE */
+
+ /* realloc it smaller... */
+- buffer = (char*) PR_REALLOC (buffer, buffer_tail - buffer + 1);
+
+ PR_FREEIF(encodedRealName);
+- return buffer;
++ return PL_strdup(buf.get());
+ }
+
+ static PRBool isValidHost( const char* host )
|
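Review bot: In patch-258005 `buf.Append(type)` and `buf.Append(encoding)` run unconditionally, although the removed size computation guarded `encoding` against null and later context lines test `type &&`; `NS_ASSERTION (encoding, "null encoding")` only reports in debug builds. How `nsCString::Append` treats a null `const char*` is not visible here, so it is worth confirming both pointers are non-null at these points or returning early when they are not. The context comment `/* realloc it smaller... */` near the end is now stale, since the `PR_REALLOC` line under it is removed, and should go with it. In the `GENERATE_CONTENT_BASE` loop the two-byte `tmp` array could be dropped in favour of `buf.Append(*s);`. The function's signature and the code between these hunks are outside the patch.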