#443: update certs and pins, M1397811 M1407740 M1408005 M1411458 M1406750 M1412252 M1400763

config/external/nss/nss.symbols

@@ -186,6 +186,7 @@ NSSBase64_DecodeBuffer
 NSSBase64_EncodeItem
 NSSBase64_EncodeItem_Util
 NSS_CMSContentInfo_GetContent
+NSS_CMSContentInfo_GetContentTypeTag
 NSS_CMSContentInfo_SetContent_Data
 NSS_CMSContentInfo_SetContent_EnvelopedData
 NSS_CMSContentInfo_SetContent_SignedData

docshell/base/nsDocShell.cpp

@@ -845,6 +845,9 @@ nsDocShell::~nsDocShell()
 {
   MOZ_ASSERT(!mObserved);
 
+  // Avoid notifying observers while we're in the dtor.
+  mIsBeingDestroyed = true;
+
   Destroy();
 
   nsCOMPtr<nsISHistoryInternal> shPrivate(do_QueryInterface(mSessionHistory));

dom/base/nsNodeUtils.cpp

@@ -590,6 +590,15 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, bool aClone, bool aDeep,
     }
   }
 
+  if (aNode->HasProperties()) {
+    bool ok = aNodesWithProperties.AppendObject(aNode);
+    MOZ_RELEASE_ASSERT(ok, "Out of memory");
+    if (aClone) {
+      ok = aNodesWithProperties.AppendObject(clone);
+      MOZ_RELEASE_ASSERT(ok, "Out of memory");
+    }
+  }
+
   if (aDeep && (!aClone || !aNode->IsNodeOfType(nsINode::eATTRIBUTE))) {
     // aNode's children.
     for (nsIContent* cloneChild = aNode->GetFirstChild();
@@ -645,15 +654,6 @@ nsNodeUtils::CloneAndAdopt(nsINode *aNode, bool aClone, bool aDeep,
   }
 #endif
 
-  if (aNode->HasProperties()) {
-    bool ok = aNodesWithProperties.AppendObject(aNode);
-    if (aClone) {
-      ok = ok && aNodesWithProperties.AppendObject(clone);
-    }
-
-    NS_ENSURE_TRUE(ok, NS_ERROR_OUT_OF_MEMORY);
-  }
-
   clone.forget(aResult);
 
   return NS_OK;

layout/base/nsCSSFrameConstructor.cpp

@@ -7938,8 +7938,9 @@ nsCSSFrameConstructor::ContentRemoved(nsIContent*  aContainer,
       }
     }
     if (ancestorFrame) {
-      nsTArray<nsIContent*>* generated = ancestorFrame->GetGenConPseudos();
-      if (generated) {
+      nsIFrame* contentInsertion = ancestorFrame->GetContentInsertionFrame();
+      if (ancestorFrame->GetGenConPseudos() ||
+          (contentInsertion && contentInsertion->GetGenConPseudos())) {
         *aDidReconstruct = true;
         LAYOUT_PHASE_TEMP_EXIT();
         // XXXmats Can we recreate frames only for the ::after/::before content?

layout/style/nsComputedDOMStyle.cpp

@@ -642,6 +642,11 @@ nsComputedDOMStyle::UpdateCurrentStyleSources(bool aNeedsLayoutFlush)
   mFlushedPendingReflows = aNeedsLayoutFlush;
 #endif
 
+  nsCOMPtr<nsIPresShell> presShellForContent = GetPresShellForContent(mContent);
+  if (presShellForContent && presShellForContent != mPresShell) {
+    presShellForContent->FlushPendingNotifications(Flush_Style);
+  }
+
   mPresShell = document->GetShell();
   if (!mPresShell || !mPresShell->GetPresContext()) {
     ClearStyleContext();
@@ -709,10 +714,11 @@ nsComputedDOMStyle::UpdateCurrentStyleSources(bool aNeedsLayoutFlush)
 #endif
     // Need to resolve a style context
     RefPtr<nsStyleContext> resolvedStyleContext =
-      nsComputedDOMStyle::GetStyleContextForElement(mContent->AsElement(),
-                                                    mPseudo,
-                                                    mPresShell,
-                                                    mStyleType);
+      nsComputedDOMStyle::GetStyleContextForElementNoFlush(
+          mContent->AsElement(),
+          mPseudo,
+          presShellForContent ? presShellForContent.get() : mPresShell,
+          mStyleType);
     if (!resolvedStyleContext) {
       ClearStyleContext();
       return;

security/manager/ssl/StaticHPKPins.h

@@ -1108,6 +1108,7 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
   { "security.google.com", true, false, false, -1, &kPinset_google_root_pems },
   { "services.mozilla.com", true, false, true, 6, &kPinset_mozilla_services },
   { "sg.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
+  { "sirburton.com", true, true, false, -1, &kPinset_ncsccs },
   { "sites.google.com", true, false, false, -1, &kPinset_google_root_pems },
   { "spideroak.com", true, false, false, -1, &kPinset_spideroak },
   { "spreadsheets.google.com", true, false, false, -1, &kPinset_google_root_pems },
@@ -1175,8 +1176,8 @@ static const TransportSecurityPreload kPublicKeyPinningPreloadList[] = {
   { "zh.search.yahoo.com", false, true, false, -1, &kPinset_yahoo },
 };
 
-// Pinning Preload List Length = 473;
+// Pinning Preload List Length = 474;
 
 static const int32_t kUnknownId = -1;
 
-static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1516901517980000);
+static const PRTime kPreloadPKPinsExpirationTime = INT64_C(1518725677736000);

security/manager/ssl/nsDataSignatureVerifier.cpp

@@ -146,6 +146,12 @@ VerifyCMSDetachedSignatureIncludingCertificate(
     return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
   }
 
+  // We're expecting this to be a PKCS#7 signedData content info.
+  if (NSS_CMSContentInfo_GetContentTypeTag(cinfo)
+        != SEC_OID_PKCS7_SIGNED_DATA) {
+    return NS_ERROR_CMS_VERIFY_NO_CONTENT_INFO;
+  }
+
   // signedData is non-owning
   NSSCMSSignedData* signedData =
     reinterpret_cast<NSSCMSSignedData*>(NSS_CMSContentInfo_GetContent(cinfo));

toolkit/components/downloads/ApplicationReputation.cpp

@@ -1217,6 +1217,8 @@ ApplicationReputationService::ApplicationReputationService()
 
 ApplicationReputationService::~ApplicationReputationService() {
   LOG(("Application reputation service shutting down"));
+  MOZ_ASSERT(gApplicationReputationService == this);
+  gApplicationReputationService = nullptr;
 }
 
 NS_IMETHODIMP