Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch220
1 files changed, 0 insertions, 220 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch
deleted file mode 100644
index 115cd76201..0000000000
--- a/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch
+++ /dev/null
@@ -1,220 +0,0 @@
-From 4e4e34238e5bb5af83a645a5f4d2097e3b30e9dd Mon Sep 17 00:00:00 2001
-From: Tom Schuster <evilpies@gmail.com>
-Date: Sun, 25 Jan 2015 21:42:10 +0100
-Subject: [PATCH] Bug 1111243 - Implement ES6 proxy behavior for IsArray.
- r=efaust, a=abillings
-
----
- browser/devtools/app-manager/app-projects.js |  2 ++
- js/public/Class.h                            |  5 +++-
- js/src/jsarray.cpp                           |  9 ++++--
- js/src/jsobjinlines.h                        | 15 +++++++++-
- js/src/json.cpp                              | 11 +++----
- js/src/jsproxy.cpp                           | 45 ++++++++++++++++++++++++++++
- 6 files changed, 78 insertions(+), 9 deletions(-)
-
-diff --git a/browser/devtools/app-manager/app-projects.js b/browser/devtools/app-manager/app-projects.js
-index d09f72f..77ca67b 100644
---- a/browser/devtools/app-manager/app-projects.js
-+++ b/browser/devtools/app-manager/app-projects.js
-@@ -61,6 +61,8 @@ const IDB = {
-   add: function(project) {
-     let deferred = promise.defer();
- 
-+    project = JSON.parse(JSON.stringify(project));
-+
-     if (!project.location) {
-       // We need to make sure this object has a `.location` property.
-       deferred.reject("Missing location property on project object.");
-diff --git a/js/public/Class.h b/js/public/Class.h
-index ff864b1..46f7d39 100644
---- a/js/public/Class.h
-+++ b/js/public/Class.h
-@@ -521,7 +521,10 @@ Valueify(const JSClass *c)
-  */
- enum ESClassValue {
-     ESClass_Array, ESClass_Number, ESClass_String, ESClass_Boolean,
--    ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date
-+    ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date,
-+    // Special snowflake for the ES6 IsArray method.
-+    // Please don't use it without calling that function.
-+    ESClass_IsArray
- };
- 
- /*
-diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
-index 24da176..46f1c20 100644
---- a/js/src/jsarray.cpp
-+++ b/js/src/jsarray.cpp
-@@ -2645,7 +2645,8 @@ js::array_concat(JSContext *cx, unsigned argc, Value *vp)
-         HandleValue v = HandleValue::fromMarkedLocation(&p[i]);
-         if (v.isObject()) {
-             RootedObject obj(cx, &v.toObject());
--            if (ObjectClassIs(obj, ESClass_Array, cx)) {
-+            // This should be IsConcatSpreadable
-+            if (IsArray(obj, cx)) {
-                 uint32_t alength;
-                 if (!GetLengthProperty(cx, obj, &alength))
-                     return false;
-@@ -2870,7 +2871,11 @@ static bool
- array_isArray(JSContext *cx, unsigned argc, Value *vp)
- {
-     CallArgs args = CallArgsFromVp(argc, vp);
--    bool isArray = args.length() > 0 && IsObjectWithClass(args[0], ESClass_Array, cx);
-+    bool isArray = false;
-+    if (args.get(0).isObject()) {
-+        RootedObject obj(cx, &args[0].toObject());
-+        isArray = IsArray(obj, cx);
-+    }
-     args.rval().setBoolean(isArray);
-     return true;
- }
-diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h
-index e848ba7..557dd26 100644
---- a/js/src/jsobjinlines.h
-+++ b/js/src/jsobjinlines.h
-@@ -1032,7 +1032,10 @@ ObjectClassIs(HandleObject obj, ESClassValue classValue, JSContext *cx)
-         return Proxy::objectClassIs(obj, classValue, cx);
- 
-     switch (classValue) {
--      case ESClass_Array: return obj->is<ArrayObject>();
-+      case ESClass_Array:
-+      case ESClass_IsArray:
-+        // There difference between those is only relevant for proxies.
-+        return obj->is<ArrayObject>();
-       case ESClass_Number: return obj->is<NumberObject>();
-       case ESClass_String: return obj->is<StringObject>();
-       case ESClass_Boolean: return obj->is<BooleanObject>();
-@@ -1053,6 +1056,16 @@ IsObjectWithClass(const Value &v, ESClassValue classValue, JSContext *cx)
-     return ObjectClassIs(obj, classValue, cx);
- }
- 
-+// ES6 7.2.2
-+inline bool
-+IsArray(HandleObject obj, JSContext *cx)
-+{
-+    if (obj->is<ArrayObject>())
-+        return true;
-+
-+    return ObjectClassIs(obj, ESClass_IsArray, cx);
-+}
-+
- static MOZ_ALWAYS_INLINE bool
- NewObjectMetadata(ExclusiveContext *cxArg, JSObject **pmetadata)
- {
-diff --git a/js/src/json.cpp b/js/src/json.cpp
-index 6e45bfd..81a99a6 100644
---- a/js/src/json.cpp
-+++ b/js/src/json.cpp
-@@ -300,7 +300,7 @@ JO(JSContext *cx, HandleObject obj, StringifyContext *scx)
-     Maybe<AutoIdVector> ids;
-     const AutoIdVector *props;
-     if (scx->replacer && !scx->replacer->isCallable()) {
--        JS_ASSERT(JS_IsArrayObject(cx, scx->replacer));
-+        JS_ASSERT(IsArray(scx->replacer, cx));
-         props = &scx->propertyList;
-     } else {
-         JS_ASSERT_IF(scx->replacer, scx->propertyList.length() == 0);
-@@ -488,7 +488,7 @@ Str(JSContext *cx, const Value &v, StringifyContext *scx)
- 
-     scx->depth++;
-     bool ok;
--    if (ObjectClassIs(obj, ESClass_Array, cx))
-+    if (IsArray(obj, cx))
-         ok = JA(cx, obj, scx);
-     else
-         ok = JO(cx, obj, scx);
-@@ -510,7 +510,7 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp
-     if (replacer) {
-         if (replacer->isCallable()) {
-             /* Step 4a(i): use replacer to transform values.  */
--        } else if (ObjectClassIs(replacer, ESClass_Array, cx)) {
-+        } else if (IsArray(replacer, cx)) {
-             /*
-              * Step 4b: The spec algorithm is unhelpfully vague about the exact
-              * steps taken when the replacer is an array, regarding the exact
-@@ -541,7 +541,8 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp
- 
-             /* Step 4b(ii). */
-             uint32_t len;
--            JS_ALWAYS_TRUE(GetLengthProperty(cx, replacer, &len));
-+            if (!GetLengthProperty(cx, replacer, &len))
-+                return false;
-             if (replacer->is<ArrayObject>() && !replacer->isIndexed())
-                 len = Min(len, replacer->getDenseInitializedLength());
- 
-@@ -678,7 +679,7 @@ Walk(JSContext *cx, HandleObject holder, HandleId name, HandleValue reviver, Mut
-     if (val.isObject()) {
-         RootedObject obj(cx, &val.toObject());
- 
--        if (ObjectClassIs(obj, ESClass_Array, cx)) {
-+        if (IsArray(obj, cx)) {
-             /* Step 2a(ii). */
-             uint32_t length;
-             if (!GetLengthProperty(cx, obj, &length))
-diff --git a/js/src/jsproxy.cpp b/js/src/jsproxy.cpp
-index 7644da1..7453103 100644
---- a/js/src/jsproxy.cpp
-+++ b/js/src/jsproxy.cpp
-@@ -1108,6 +1108,14 @@ class ScriptedDirectProxyHandler : public DirectProxyHandler {
-     virtual bool isExtensible(JSContext *cx, HandleObject proxy, bool *extensible) MOZ_OVERRIDE;
- 
-     /* Spidermonkey extensions. */
-+    // A scripted proxy should not be treated as generic in most contexts.
-+    virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
-+                            CallArgs args) MOZ_OVERRIDE;
-+    virtual bool objectClassIs(HandleObject obj, ESClassValue classValue,
-+                               JSContext *cx) MOZ_OVERRIDE;
-+    virtual bool regexp_toShared(JSContext *cx, HandleObject proxy,
-+                                 RegExpGuard *g) MOZ_OVERRIDE;
-+
-     virtual bool call(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE;
-     virtual bool construct(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE;
-     virtual bool isScripted() MOZ_OVERRIDE { return true; }
-@@ -2350,6 +2358,43 @@ ScriptedDirectProxyHandler::construct(JSContext *cx, HandleObject proxy, const C
-     return true;
- }
- 
-+bool
-+ScriptedDirectProxyHandler::nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
-+                                       CallArgs args)
-+{
-+    ReportIncompatible(cx, args);
-+    return false;
-+}
-+
-+bool
-+ScriptedDirectProxyHandler::objectClassIs(HandleObject proxy, ESClassValue classValue,
-+                                          JSContext *cx)
-+{
-+    // Special case IsArray. In every other instance ES wants to have exactly
-+    // one object type and not a proxy around it, so return false.
-+    if (classValue != ESClass_IsArray)
-+        return false;
-+
-+    // In ES6 IsArray is supposed to poke at the Proxy target, instead we do this here.
-+    // The reason for this is that we have proxies for which looking at the target might
-+    // be impossible. So instead we use our little objectClassIs function that just works
-+    // already across different wrappers.
-+    RootedObject target(cx, proxy->as<ProxyObject>().target());
-+    if (!target)
-+        return false;
-+
-+    return IsArray(target, cx);
-+}
-+
-+bool
-+ScriptedDirectProxyHandler::regexp_toShared(JSContext *cx, HandleObject proxy,
-+                                            RegExpGuard *g)
-+{
-+    MOZ_CRASH("Should not end up in ScriptedDirectProxyHandler::regexp_toShared");
-+    return false;
-+}
-+
-+
- ScriptedDirectProxyHandler ScriptedDirectProxyHandler::singleton;
- 
- #define INVOKE_ON_PROTOTYPE(cx, handler, proxy, protoCall)                   \
--- 
-2.2.1
-