Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch35
1 files changed, 35 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch b/gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch
new file mode 100644
index 0000000000..00718ebaac
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch
@@ -0,0 +1,35 @@
+Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3fdd280fa099
+
+# HG changeset patch
+# User Carsten "Tomcat" Book <cbook@mozilla.com>
+# Date 1461123938 -7200
+# Node ID 3fdd280fa099b6453ce9fd9905af883bc2ebce24
+# Parent  52dfdd37150d62f708dc5bf61dd28f3967596788
+Bug 1252707 - a=sylvestre
+
+diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp
+--- a/js/src/vm/Shape.cpp
++++ b/js/src/vm/Shape.cpp
+@@ -382,18 +382,20 @@ NativeObject::getChildPropertyOnDictiona
+ 
+     if (obj->inDictionaryMode()) {
+         MOZ_ASSERT(parent == obj->lastProperty());
+         RootedGeneric<StackShape*> childRoot(cx, &child);
+         shape = childRoot->isAccessorShape() ? NewGCAccessorShape(cx) : NewGCShape(cx);
+         if (!shape)
+             return nullptr;
+         if (childRoot->hasSlot() && childRoot->slot() >= obj->lastProperty()->base()->slotSpan()) {
+-            if (!obj->setSlotSpan(cx, childRoot->slot() + 1))
++            if (!obj->setSlotSpan(cx, childRoot->slot() + 1)) {
++                new (shape) Shape(obj->lastProperty()->base()->unowned(), 0);
+                 return nullptr;
++            }
+         }
+         shape->initDictionaryShape(*childRoot, obj->numFixedSlots(), &obj->shape_);
+     }
+ 
+     return shape;
+ }
+ 
+ /* static */ Shape*
+
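Review bot: The new error path `new (shape) Shape(obj->lastProperty()->base()->unowned(), 0);` has no explanation, neither in the code nor in the patch header, which says only "Bug 1252707 - a=sylvestre". In the visible lines `shape` has just come from `NewGCAccessorShape(cx)` or `NewGCShape(cx)`, and before this change the function returned nullptr on a failed `setSlotSpan` without ever initialising it. Presumably the placement-new leaves a well-formed cell for the collector to find, but that is inferred from the hunk, not stated anywhere. Because the file is a verbatim upstream copy, I would record the reason in the header above `# HG changeset patch` rather than in the code, for example `Initialize the freshly allocated shape before returning when setSlotSpan fails.` The enclosing function begins outside the hunk, so its other exit paths cannot be checked from here.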