summary refs log tree commit diff
path: root/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch69
1 files changed, 69 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch b/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch
new file mode 100644
index 0000000000..f4b4c0d4eb
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2807-pt2.patch
@@ -0,0 +1,69 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3d2b62083a6a
+
+# HG changeset patch
+# User Shu-yu Guo <shu@rfrn.org>
+# Date 1459741387 -7200
+# Node ID 3d2b62083a6a4fb43cb330d77142f9dce0959a23
+# Parent  9d4364f6b55c6ee65c13c491292c3abe1ee2c993
+Bug 1254164 - Make aliasedBodyLevelLexicalBegin a uint32. r=Waldo, a=ritu
+
+diff --git a/js/src/jit-test/tests/parser/bug-1254164.js b/js/src/jit-test/tests/parser/bug-1254164.js
+new file mode 100644
+--- /dev/null
++++ b/js/src/jit-test/tests/parser/bug-1254164.js
+@@ -0,0 +1,6 @@
++// |jit-test| slow;
++
++var s = '';
++for (var i = 0; i < 70000; i++)
++    s += 'function x' + i + '() { x' + i + '(); }\n';
++eval("(function() { " + s + " })();");
+diff --git a/js/src/jsscript.cpp b/js/src/jsscript.cpp
+--- a/js/src/jsscript.cpp
++++ b/js/src/jsscript.cpp
+@@ -111,17 +111,20 @@ Bindings::initWithTemporaryStorage(Exclu
+     // JITs when interpreting/compiling aliasedvar ops.)
+ 
+     // Since unaliased variables are, by definition, only accessed by local
+     // operations and never through the scope chain, only give shapes to
+     // aliased variables. While the debugger may observe any scope object at
+     // any time, such accesses are mediated by DebugScopeProxy (see
+     // DebugScopeProxy::handleUnaliasedAccess).
+     uint32_t nslots = CallObject::RESERVED_SLOTS;
+-    uint32_t aliasedBodyLevelLexicalBegin = UINT16_MAX;
++
++    // Unless there are aliased body-level lexical bindings at all, set the
++    // begin index to an impossible slot number.
++    uint32_t aliasedBodyLevelLexicalBegin = LOCALNO_LIMIT;
+     for (BindingIter bi(self); bi; bi++) {
+         if (bi->aliased()) {
+             // Per ES6, lexical bindings cannot be accessed until
+             // initialized. Remember the first aliased slot that is a
+             // body-level lexical, so that they may be initialized to sentinel
+             // magic values.
+             if (numBodyLevelLexicals > 0 &&
+                 nslots < aliasedBodyLevelLexicalBegin &&
+diff --git a/js/src/jsscript.h b/js/src/jsscript.h
+--- a/js/src/jsscript.h
++++ b/js/src/jsscript.h
+@@ -201,18 +201,18 @@ class Bindings
+     friend class BindingIter;
+     friend class AliasedFormalIter;
+ 
+     RelocatablePtrShape callObjShape_;
+     uintptr_t bindingArrayAndFlag_;
+     uint16_t numArgs_;
+     uint16_t numBlockScoped_;
+     uint16_t numBodyLevelLexicals_;
+-    uint16_t aliasedBodyLevelLexicalBegin_;
+     uint16_t numUnaliasedBodyLevelLexicals_;
++    uint32_t aliasedBodyLevelLexicalBegin_;
+     uint32_t numVars_;
+     uint32_t numUnaliasedVars_;
+ 
+ #if JS_BITS_PER_WORD == 32
+     // Bindings is allocated inline inside JSScript, which needs to be
+     // gc::Cell aligned.
+     uint32_t padding_;
+ #endif
+
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-11-26 16:09:29 +0000