1 files changed, 183 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch b/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch
new file mode 100644
index 0000000000..2e409d961c
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1930-pt11.patch
@@ -0,0 +1,183 @@
+Copied from: https://hg.mozilla.org/releases/mozilla-esr38/rev/0f7224441f20
+Security advisory: https://www.mozilla.org/en-US/security/advisories/mfsa2016-01/
+Mozilla Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1234280
+
+# HG changeset patch
+# User Benjamin Bouvier <benj@benj.me>
+# Date 1450947090 -3600
+# Node ID 0f7224441f2089001f7934b46ac10cb72d267606
+# Parent  debff255c08e898be370e307e1e014f5601c20c6
+Bug 1234280: Handle oom in CodeGeneratorShared::allocateData; r=jandem, a=sledru
+
+diff --git a/js/src/jit/CodeGenerator.cpp b/js/src/jit/CodeGenerator.cpp
+--- a/js/src/jit/CodeGenerator.cpp
++++ b/js/src/jit/CodeGenerator.cpp
+@@ -7902,17 +7902,19 @@ const VMFunction GetPropertyIC::UpdateIn
+ void
+ CodeGenerator::visitGetPropertyIC(OutOfLineUpdateCache* ool, DataPtr<GetPropertyIC>& ic)
+ {
+     LInstruction* lir = ool->lir();
+ 
+     if (ic->idempotent()) {
+         size_t numLocs;
+         CacheLocationList& cacheLocs = lir->mirRaw()->toGetPropertyCache()->location();
+-        size_t locationBase = addCacheLocations(cacheLocs, &numLocs);
++        size_t locationBase;
++        if (!addCacheLocations(cacheLocs, &numLocs, &locationBase))
++            return;
+         ic->setLocationInfo(locationBase, numLocs);
+     }
+ 
+     saveLive(lir);
+ 
+     pushArg(ic->object());
+     pushArg(Imm32(ool->getCacheIndex()));
+     pushArg(ImmGCPtr(gen->info().script()));
+diff --git a/js/src/jit/shared/CodeGenerator-shared.cpp b/js/src/jit/shared/CodeGenerator-shared.cpp
+--- a/js/src/jit/shared/CodeGenerator-shared.cpp
++++ b/js/src/jit/shared/CodeGenerator-shared.cpp
+@@ -1527,31 +1527,34 @@ CodeGeneratorShared::jumpToBlock(MBasicB
+ 
+         masm.propagateOOM(patchableBackedges_.append(PatchableBackedgeInfo(backedge, mir->lir()->label(), oolEntry)));
+     } else {
+         masm.j(cond, mir->lir()->label());
+     }
+ }
+ #endif
+ 
+-size_t
+-CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs)
++MOZ_WARN_UNUSED_RESULT bool
++CodeGeneratorShared::addCacheLocations(const CacheLocationList& locs, size_t* numLocs,
++                                       size_t* curIndex)
+ {
+     size_t firstIndex = runtimeData_.length();
+     size_t numLocations = 0;
+     for (CacheLocationList::iterator iter = locs.begin(); iter != locs.end(); iter++) {
+         // allocateData() ensures that sizeof(CacheLocation) is word-aligned.
+         // If this changes, we will need to pad to ensure alignment.
+-        size_t curIndex = allocateData(sizeof(CacheLocation));
+-        new (&runtimeData_[curIndex]) CacheLocation(iter->pc, iter->script);
++        if (!allocateData(sizeof(CacheLocation), curIndex))
++            return false;
++        new (&runtimeData_[*curIndex]) CacheLocation(iter->pc, iter->script);
+         numLocations++;
+     }
+     MOZ_ASSERT(numLocations != 0);
+     *numLocs = numLocations;
+-    return firstIndex;
++    *curIndex = firstIndex;
++    return true;
+ }
+ 
+ ReciprocalMulConstants
+ CodeGeneratorShared::computeDivisionConstants(int d) {
+     // In what follows, d is positive and is not a power of 2.
+     MOZ_ASSERT(d > 0 && (d & (d - 1)) != 0);
+ 
+     // Speeding up division by non power-of-2 constants is possible by
+diff --git a/js/src/jit/shared/CodeGenerator-shared.h b/js/src/jit/shared/CodeGenerator-shared.h
+--- a/js/src/jit/shared/CodeGenerator-shared.h
++++ b/js/src/jit/shared/CodeGenerator-shared.h
+@@ -3,16 +3,17 @@
+  * This Source Code Form is subject to the terms of the Mozilla Public
+  * License, v. 2.0. If a copy of the MPL was not distributed with this
+  * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+ 
+ #ifndef jit_shared_CodeGenerator_shared_h
+ #define jit_shared_CodeGenerator_shared_h
+ 
+ #include "mozilla/Alignment.h"
++#include "mozilla/TypeTraits.h"
+ 
+ #include "jit/JitFrames.h"
+ #include "jit/LIR.h"
+ #include "jit/MacroAssembler.h"
+ #include "jit/MIRGenerator.h"
+ #include "jit/MIRGraph.h"
+ #include "jit/OptimizationTracking.h"
+ #include "jit/Safepoints.h"
+@@ -242,24 +243,16 @@ class CodeGeneratorShared : public LElem
+         return SlotToStackOffset(a->toStackSlot()->slot());
+     }
+ 
+     uint32_t frameSize() const {
+         return frameClass_ == FrameSizeClass::None() ? frameDepth_ : frameClass_.frameSize();
+     }
+ 
+   protected:
+-    // Ensure the cache is an IonCache while expecting the size of the derived
+-    // class. We only need the cache list at GC time. Everyone else can just take
+-    // runtimeData offsets.
+-    size_t allocateCache(const IonCache&, size_t size) {
+-        size_t dataOffset = allocateData(size);
+-        masm.propagateOOM(cacheList_.append(dataOffset));
+-        return dataOffset;
+-    }
+ 
+ #ifdef CHECK_OSIPOINT_REGISTERS
+     void resetOsiPointRegs(LSafepoint* safepoint);
+     bool shouldVerifyOsiPointRegs(LSafepoint* safepoint);
+     void verifyOsiPointRegs(LSafepoint* safepoint);
+ #endif
+ 
+     bool addNativeToBytecodeEntry(const BytecodeSite* site);
+@@ -295,27 +288,33 @@ class CodeGeneratorShared : public LElem
+             return lookup();
+         }
+         T * operator*() {
+             return lookup();
+         }
+     };
+ 
+   protected:
+-
+-    size_t allocateData(size_t size) {
++    MOZ_WARN_UNUSED_RESULT
++    bool allocateData(size_t size, size_t* offset) {
+         MOZ_ASSERT(size % sizeof(void*) == 0);
+-        size_t dataOffset = runtimeData_.length();
++        *offset = runtimeData_.length();
+         masm.propagateOOM(runtimeData_.appendN(0, size));
+-        return dataOffset;
++        return !masm.oom();
+     }
+ 
++    // Ensure the cache is an IonCache while expecting the size of the derived
++    // class. We only need the cache list at GC time. Everyone else can just take
++    // runtimeData offsets.
+     template <typename T>
+     inline size_t allocateCache(const T& cache) {
+-        size_t index = allocateCache(cache, sizeof(mozilla::AlignedStorage2<T>));
++        static_assert(mozilla::IsBaseOf<IonCache, T>::value, "T must inherit from IonCache");
++        size_t index;
++        masm.propagateOOM(allocateData(sizeof(mozilla::AlignedStorage2<T>), &index));
++        masm.propagateOOM(cacheList_.append(index));
+         if (masm.oom())
+             return SIZE_MAX;
+         // Use the copy constructor on the allocated space.
+         MOZ_ASSERT(index == cacheList_.back());
+         new (&runtimeData_[index]) T(cache);
+         return index;
+     }
+ 
+@@ -475,17 +474,17 @@ class CodeGeneratorShared : public LElem
+ 
+     void callVM(const VMFunction& f, LInstruction* ins, const Register* dynStack = nullptr);
+ 
+     template <class ArgSeq, class StoreOutputTo>
+     inline OutOfLineCode* oolCallVM(const VMFunction& fun, LInstruction* ins, const ArgSeq& args,
+                                     const StoreOutputTo& out);
+ 
+     void addCache(LInstruction* lir, size_t cacheIndex);
+-    size_t addCacheLocations(const CacheLocationList& locs, size_t* numLocs);
++    bool addCacheLocations(const CacheLocationList& locs, size_t* numLocs, size_t* offset);
+     ReciprocalMulConstants computeDivisionConstants(int d);
+ 
+   protected:
+     void addOutOfLineCode(OutOfLineCode* code, const MInstruction* mir);
+     void addOutOfLineCode(OutOfLineCode* code, const BytecodeSite* site);
+     bool hasOutOfLineCode() { return !outOfLineCode_.empty(); }
+     bool generateOutOfLineCode();
+ 
+