Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch37
1 files changed, 37 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch b/gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch
new file mode 100644
index 0000000000..5eff4fe99c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2807-pt4.patch
@@ -0,0 +1,37 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/5c312182da90
+
+# HG changeset patch
+# User Jan de Mooij <jdemooij@mozilla.com>
+# Date 1458828581 -3600
+# Node ID 5c312182da9020504103aa329360abaffa7e232d
+# Parent  fa4efccde9b7efde8763a178a6cf422b6d37a0e9
+Bug 1254622 - Relookup group->newScript in CreateThisForFunctionWithGroup. r=bhackett a=sylvestre
+
+MozReview-Commit-ID: KXd7kB70f1Z
+
+diff --git a/js/src/jsobj.cpp b/js/src/jsobj.cpp
+--- a/js/src/jsobj.cpp
++++ b/js/src/jsobj.cpp
+@@ -1574,18 +1574,19 @@ CreateThisForFunctionWithGroup(JSContext
+         // Not enough objects with this group have been created yet, so make a
+         // plain object and register it with the group. Use the maximum number
+         // of fixed slots, as is also required by the TypeNewScript.
+         gc::AllocKind allocKind = GuessObjectGCKind(NativeObject::MAX_FIXED_SLOTS);
+         PlainObject* res = NewObjectWithGroup<PlainObject>(cx, group, parent, allocKind, newKind);
+         if (!res)
+             return nullptr;
+ 
+-        if (newKind != SingletonObject)
+-            newScript->registerNewObject(res);
++        // Make sure group->newScript is still there.
++        if (newKind != SingletonObject && group->newScript())
++            group->newScript()->registerNewObject(res);
+ 
+         return res;
+     }
+ 
+     gc::AllocKind allocKind = NewObjectGCKind(&PlainObject::class_);
+ 
+     if (newKind == SingletonObject) {
+         Rooted<TaggedProto> protoRoot(cx, group->proto());
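Review bot: The added comment `// Make sure group->newScript is still there.` above the `registerNewObject` call does not say why the pointer could have gone away, which is the security-relevant part of this fix. The old line used the local `newScript` obtained before `NewObjectWithGroup`, and the new lines re-read it from the group afterwards, so presumably the allocation can trigger a GC that clears the group's new script and leaves the cached pointer stale (confirm against bug 1254622). A comment such as `// NewObjectWithGroup can GC and clear group->newScript(); re-read it rather than using the cached pointer.` would record that for the next reader. The local `newScript` appears to remain in scope here, and CreateThisForFunctionWithGroup begins and ends outside the hunk, so any other use of it after an allocating call deserves the same check.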
+