summary refs log tree commit diff
path: root/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch
diff options
context:
space:
mode:
authorMark H Weaver <mhw@netris.org>2015-11-06 22:08:30 -0500
committerMark H Weaver <mhw@netris.org>2015-11-07 08:33:16 -0500
commit0ca1eb705d29c20f901fc385ee4e1bb1eaa52f75 (patch)
tree83964c88051d0ce95ece8eafde5c0133b3afa7df /gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch
parentfe88f636e3bfbbf143bd87f57e0d65a2e532d7dd (diff)
downloadguix-0ca1eb705d29c20f901fc385ee4e1bb1eaa52f75.tar.gz
gnu: icecat: Add several security fixes.
* gnu/packages/patches/icecat-CVE-2015-4513-pt01.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt02.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt03.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt05.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt06.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt07.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt08.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt09.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt10.patch,
  gnu/packages/patches/icecat-CVE-2015-4513-pt11.patch,
  gnu/packages/patches/icecat-CVE-2015-7188.patch,
  gnu/packages/patches/icecat-CVE-2015-7189.patch,
  gnu/packages/patches/icecat-CVE-2015-7193.patch,
  gnu/packages/patches/icecat-CVE-2015-7194.patch,
  gnu/packages/patches/icecat-CVE-2015-7196.patch,
  gnu/packages/patches/icecat-CVE-2015-7197.patch,
  gnu/packages/patches/icecat-CVE-2015-7198.patch,
  gnu/packages/patches/icecat-CVE-2015-7199.patch: New files.
* gnu-system.am (dist_patch_DATA): Add them.
* gnu/packages/gnuzilla.scm (icecat)[source]: Add patches.
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch50
1 files changed, 50 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch b/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch
new file mode 100644
index 0000000000..f6f3cd3585
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-4513-pt04.patch
@@ -0,0 +1,50 @@
+From 97bd3ada2a0ac6eff0e03e6eec8d2012af3bb57d Mon Sep 17 00:00:00 2001
+From: Jan de Mooij <jdemooij@mozilla.com>
+Date: Mon, 28 Sep 2015 13:30:42 +0200
+Subject: [PATCH] Bug 1205707 part 1 - Clean up some is-TypedArrayObject code
+ in Ion. r=Waldo, a=sylvestre
+
+---
+ js/src/jit/MCallOptimize.cpp | 19 +++++++++++++++++--
+ 1 file changed, 17 insertions(+), 2 deletions(-)
+
+diff --git a/js/src/jit/MCallOptimize.cpp b/js/src/jit/MCallOptimize.cpp
+index 7fdede8..2c6a533 100644
+--- a/js/src/jit/MCallOptimize.cpp
++++ b/js/src/jit/MCallOptimize.cpp
+@@ -2122,6 +2122,19 @@ IonBuilder::inlineIsTypedArray(CallInfo& callInfo)
+     return InliningStatus_Inlined;
+ }
+ 
++static bool
++IsTypedArrayObject(CompilerConstraintList* constraints, MDefinition* def)
++{
++    MOZ_ASSERT(def->type() == MIRType_Object);
++
++    TemporaryTypeSet* types = def->resultTypeSet();
++    if (!types)
++        return false;
++
++    return types->forAllClasses(constraints, IsTypedArrayClass) ==
++           TemporaryTypeSet::ForAllResult::ALL_TRUE;
++}
++
+ IonBuilder::InliningStatus
+ IonBuilder::inlineTypedArrayLength(CallInfo& callInfo)
+ {
+@@ -2132,8 +2145,10 @@ IonBuilder::inlineTypedArrayLength(CallInfo& callInfo)
+     if (getInlineReturnType() != MIRType_Int32)
+         return InliningStatus_NotInlined;
+ 
+-    // We assume that when calling this function we always
+-    // have a TypedArray. The native asserts that as well.
++    // Note that the argument we see here is not necessarily a typed array.
++    // If it's not, this call should be unreachable though.
++    if (!IsTypedArrayObject(constraints(), callInfo.getArg(0)))
++        return InliningStatus_NotInlined;
+ 
+     MInstruction* length = addTypedArrayLength(callInfo.getArg(0));
+     current->push(length);
+-- 
+2.5.0
+