Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch63
1 files changed, 63 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
new file mode 100644
index 0000000000..1dd5e20c67
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0815-pt1.patch
@@ -0,0 +1,63 @@
+From 6fb9d1d2bee806abb2f67cee05a8573450a017df Mon Sep 17 00:00:00 2001
+From: Steve Fink <sfink@mozilla.com>
+Date: Mon, 12 Jan 2015 14:19:27 -0800
+Subject: [PATCH] Bug 1137326 - Fix out of bounds error in
+ JS_iterateCompartments. r=terrence, a=abillings
+
+---
+ js/src/gc/Zone.h | 11 ++++++-----
+ js/src/jsapi.h | 5 +++--
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/js/src/gc/Zone.h b/js/src/gc/Zone.h
+index cbbde6b..612defe 100644
+--- a/js/src/gc/Zone.h
++++ b/js/src/gc/Zone.h
+@@ -389,21 +389,22 @@ struct CompartmentsInZoneIter
+ // This is for the benefit of CompartmentsIterT::comp.
+ friend class mozilla::Maybe<CompartmentsInZoneIter>;
+ private:
+- JSCompartment **it, **end;
++ JS::Zone *zone;
++ JSCompartment **it;
+
+ CompartmentsInZoneIter()
+- : it(nullptr), end(nullptr)
++ : zone(nullptr), it(nullptr)
+ {}
+
+ public:
+- explicit CompartmentsInZoneIter(JS::Zone *zone) {
++ explicit CompartmentsInZoneIter(JS::Zone *zone) : zone(zone) {
+ it = zone->compartments.begin();
+- end = zone->compartments.end();
+ }
+
+ bool done() const {
+ JS_ASSERT(it);
+- return it == end;
++ return it < zone->compartments.begin() ||
++ it >= zone->compartments.end();
+ }
+ void next() {
+ JS_ASSERT(!done());
+diff --git a/js/src/jsapi.h b/js/src/jsapi.h
+index 5ae1f86..40fdb37 100644
+--- a/js/src/jsapi.h
++++ b/js/src/jsapi.h
+@@ -1780,9 +1780,10 @@ JS_LeaveCompartment(JSContext *cx, JSCompartment *oldCompartment);
+ typedef void (*JSIterateCompartmentCallback)(JSRuntime *rt, void *data, JSCompartment *compartment);
+
+ /*
+- * This function calls |compartmentCallback| on every compartment. Beware that
++ * This function calls |compartmentCallback| on every compartment. Beware that
+ * there is no guarantee that the compartment will survive after the callback
+- * returns.
++ * returns. Also, if the callback can GC, there is no guarantee that every
++ * compartment will be visited.
+ */
+ extern JS_PUBLIC_API(void)
+ JS_IterateCompartments(JSRuntime *rt, void *data,
+--
+2.2.1
+
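Review bot: The rewritten `done()` in js/src/gc/Zone.h has no comment explaining why it re-reads `zone->compartments.begin()` and `end()` on every call instead of caching `end`, so the property this out-of-bounds fix relies on could be undone by a later cleanup. I would add above the return `// compartments may shrink during iteration (e.g. a callback that GCs); bounds-check against the live vector, never a cached end.` The range test only keeps `it` inside the vector's current storage; if that storage could be reallocated rather than shrunk in place, `it` would be stale and the comparison would not be meaningful, and whether that can happen is not visible in this hunk. The private default constructor now leaves `zone` null, and `done()` dereferences it behind `JS_ASSERT(it)`, which presumably compiles out in release builds, whereas the old `it == end` returned true without a dereference. A guard such as `if (!zone) return true;` would keep the old behaviour for that case.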