1 files changed, 30 insertions, 0 deletions

diff --git a/gnu/packages/patches/icecat-CVE-2014-1587-bug-1042567.patch b/gnu/packages/patches/icecat-CVE-2014-1587-bug-1042567.patch
new file mode 100644
index 0000000000..4e45e3062f
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2014-1587-bug-1042567.patch
@@ -0,0 +1,30 @@
+commit 60529fc02cf10482d8fecd699eea271ddc22bcb9
+Author: Jason Orendorff <jorendorff@mozilla.com>
+Date:   Thu Aug 28 15:43:57 2014 -0500
+
+    Bug 1042567 - Reflect JSPropertyOp properties more consistently as data properties. r=efaust, a=lmandel
+
+	Modified   js/src/jsobj.cpp
+diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
+index 2745509..ad336f3 100644
+--- a/js/src/jsobj.cpp
++++ b/js/src/jsobj.cpp
+@@ -235,11 +235,18 @@ js::GetOwnPropertyDescriptor(JSContext *cx, HandleObject obj, HandleId id,
+     if (pobj->isNative()) {
+         desc.setAttributes(GetShapeAttributes(pobj, shape));
+         if (desc.hasGetterOrSetterObject()) {
++            MOZ_ASSERT(desc.isShared());
+             doGet = false;
+             if (desc.hasGetterObject())
+                 desc.setGetterObject(shape->getterObject());
+             if (desc.hasSetterObject())
+                 desc.setSetterObject(shape->setterObject());
++        } else {
++            // This is either a straight-up data property or (rarely) a
++            // property with a JSPropertyOp getter/setter. The latter must be
++            // reported to the caller as a plain data property, so don't
++            // populate desc.getter/setter, and mask away the SHARED bit.
++            desc.attributesRef() &= ~JSPROP_SHARED;
+         }
+     } else {
+         if (!JSObject::getGenericAttributes(cx, pobj, id, &desc.attributesRef()))