path: root/gnu/packages/patches/icecat-CVE-2016-2807-pt5.patch
Copied from https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/3fdd280fa099

# HG changeset patch
# User Carsten "Tomcat" Book <cbook@mozilla.com>
# Date 1461123938 -7200
# Node ID 3fdd280fa099b6453ce9fd9905af883bc2ebce24
# Parent  52dfdd37150d62f708dc5bf61dd28f3967596788
Bug 1252707 - a=sylvestre

diff --git a/js/src/vm/Shape.cpp b/js/src/vm/Shape.cpp
--- a/js/src/vm/Shape.cpp
+++ b/js/src/vm/Shape.cpp
@@ -382,18 +382,20 @@ NativeObject::getChildPropertyOnDictiona
 
     if (obj->inDictionaryMode()) {
         MOZ_ASSERT(parent == obj->lastProperty());
         RootedGeneric<StackShape*> childRoot(cx, &child);
         shape = childRoot->isAccessorShape() ? NewGCAccessorShape(cx) : NewGCShape(cx);
         if (!shape)
             return nullptr;
         if (childRoot->hasSlot() && childRoot->slot() >= obj->lastProperty()->base()->slotSpan()) {
-            if (!obj->setSlotSpan(cx, childRoot->slot() + 1))
+            if (!obj->setSlotSpan(cx, childRoot->slot() + 1)) {
+                new (shape) Shape(obj->lastProperty()->base()->unowned(), 0);
                 return nullptr;
+            }
         }
         shape->initDictionaryShape(*childRoot, obj->numFixedSlots(), &obj->shape_);
     }
 
     return shape;
 }
 
 /* static */ Shape*
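Review bot: The placement `new (shape) Shape(obj->lastProperty()->base()->unowned(), 0);` in the setSlotSpan failure branch carries no comment, and its purpose cannot be read from the code alone. Presumably it leaves the just-allocated GC cell in a well-formed state before the early `return nullptr`, so that a later collection never traces or finalizes an uninitialized Shape. I would add above it something like `// setSlotSpan failed: initialize the new cell so the GC never sees an uninitialized Shape.` Also worth confirming: when `childRoot->isAccessorShape()` is true the cell comes from NewGCAccessorShape but is constructed here as a plain Shape with flags 0, so the accessor fields stay unwritten; that is only safe if tracing and finalization for that allocation kind never read them. The function starts above the hunk, so callers' handling of the nullptr return is not visible here.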