summary refs log tree commit diff
path: root/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
blob: 1dd5e20c67864f3248291adb9d8d14d46b02e110 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001
From: Steve Fink <sfink@mozilla.com>
Date: Mon, 12 Jan 2015 14:19:27 -0800
Subject: [PATCH] Bug 1137326 - Fix out of bounds error in
 JS_iterateCompartments. r=terrence, a=abillings

---
 js/src/gc/Zone.h | 11 ++++++-----
 js/src/jsapi.h   |  5 +++--
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
index cbbde6b..612defe 100644
--- a/js/src/gc/Zone.h
+++ b/js/src/gc/Zone.h
@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter
     // This is for the benefit of CompartmentsIterT::comp.
     friend class mozilla::Maybe<CompartmentsInZoneIter>;
   private:
-    JSCompartment **it, **end;
+    JS::Zone *zone;
+    JSCompartment **it;
 
     CompartmentsInZoneIter()
-      : it(nullptr), end(nullptr)
+      : zone(nullptr), it(nullptr)
     {}
 
   public:
-    explicit CompartmentsInZoneIter(JS::Zone *zone) {
+    explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) {
         it = zone->compartments.begin();
-        end = zone->compartments.end();
     }
 
     bool done() const {
         JS_ASSERT(it);
-        return it == end;
+        return it < zone->compartments.begin() ||
+               it >= zone->compartments.end();
     }
     void next() {
         JS_ASSERT(!done());
diff --git a/js/src/jsapi.h b/js/src/jsapi.h
index 5ae1f86..40fdb37 100644
--- a/js/src/jsapi.h
+++ b/js/src/jsapi.h
@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment);
 typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment);
 
 /*
- * This function calls |compartmentCallback| on every compartment.  Beware that
+ * This function calls |compartmentCallback| on every compartment. Beware that
  * there is no guarantee that the compartment will survive after the callback
- * returns.
+ * returns. Also, if the callback can GC, there is no guarantee that every
+ * compartment will be visited.
  */
 extern JS_PUBLIC_API(void)
 JS_IterateCompartments(JSRuntime *rt, void *data,
-- 
2.2.1