Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch63
1 files changed, 63 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
new file mode 100644
index 0000000000..1dd5e20c67
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
@@ -0,0 +1,63 @@
+From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001
+From: Steve Fink <sfink@mozilla.com>
+Date: Mon, 12 Jan 2015 14:19:27 -0800
+Subject: [PATCH] Bug 1137326 - Fix out of bounds error in
+ JS_iterateCompartments. r=terrence, a=abillings
+
+---
+ js/src/gc/Zone.h | 11 ++++++-----
+ js/src/jsapi.h   |  5 +++--
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
+index cbbde6b..612defe 100644
+--- a/js/src/gc/Zone.h
++++ b/js/src/gc/Zone.h
+@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter
+     // This is for the benefit of CompartmentsIterT::comp.
+     friend class mozilla::Maybe<CompartmentsInZoneIter>;
+   private:
+-    JSCompartment **it, **end;
++    JS::Zone *zone;
++    JSCompartment **it;
+ 
+     CompartmentsInZoneIter()
+-      : it(nullptr), end(nullptr)
++      : zone(nullptr), it(nullptr)
+     {}
+ 
+   public:
+-    explicit CompartmentsInZoneIter(JS::Zone *zone) {
++    explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) {
+         it = zone->compartments.begin();
+-        end = zone->compartments.end();
+     }
+ 
+     bool done() const {
+         JS_ASSERT(it);
+-        return it == end;
++        return it < zone->compartments.begin() ||
++               it >= zone->compartments.end();
+     }
+     void next() {
+         JS_ASSERT(!done());
+diff --git a/js/src/jsapi.h b/js/src/jsapi.h
+index 5ae1f86..40fdb37 100644
+--- a/js/src/jsapi.h
++++ b/js/src/jsapi.h
+@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment);
+ typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment);
+ 
+ /*
+- * This function calls |compartmentCallback| on every compartment.  Beware that
++ * This function calls |compartmentCallback| on every compartment. Beware that
+  * there is no guarantee that the compartment will survive after the callback
+- * returns.
++ * returns. Also, if the callback can GC, there is no guarantee that every
++ * compartment will be visited.
+  */
+ extern JS_PUBLIC_API(void)
+ JS_IterateCompartments(JSRuntime *rt, void *data,
+-- 
+2.2.1
+
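Review bot: The rewritten `done()` in the Zone.h part of this hunk compares `it` against the zone's current `compartments.begin()`/`end()`, which only detects a stale iterator when it happens to fall outside the live range; if the vector was reallocated during a callback that can GC, `it` points into the old buffer and a relational comparison against the new buffer's bounds is not well-defined in C++ and may still report not-done. The jsapi.h comment added further down acknowledges that not every compartment may be visited, so this reads as a bounds mitigation rather than a complete fix. A one-line comment above the check, e.g. `// Re-check against the live vector: a GC in the callback may have mutated zone->compartments.`, would make that intent explicit for later readers; since this is an upstream Mozilla commit applied verbatim, the wording belongs in the upstream backport rather than in the Guix patch itself. `next()` starts inside the hunk but its body continues outside it.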