1 files changed, 36 insertions, 0 deletions

diff --git a/gnu/packages/patches/icecat-CVE-2016-1966.patch b/gnu/packages/patches/icecat-CVE-2016-1966.patch
new file mode 100644
index 0000000000..6bf5f9f95e
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2016-1966.patch
@@ -0,0 +1,36 @@
+Copied from upstream:
+https://hg.mozilla.org/releases/mozilla-esr38/raw-rev/291c2f31c48c
+
+# HG changeset patch
+# User Nicholas Nethercote <nnethercote@mozilla.com>
+# Date 1454650565 -39600
+# Node ID 291c2f31c48c7e96b1884b55273355970fa0fc30
+# Parent  11e6614756551cfd7291e73eefb90c52873a8480
+Bug 1246054 - Fix an erroneous nsNPObjWrapper assertion. r=froydnj. a=ritu
+
+diff --git a/dom/plugins/base/nsJSNPRuntime.cpp b/dom/plugins/base/nsJSNPRuntime.cpp
+--- a/dom/plugins/base/nsJSNPRuntime.cpp
++++ b/dom/plugins/base/nsJSNPRuntime.cpp
+@@ -1915,18 +1915,19 @@ nsNPObjWrapper::GetNewOrUsed(NPP npp, JS
+   // No existing JSObject, create one.
+ 
+   JS::Rooted<JSObject*> obj(cx, ::JS_NewObject(cx, js::Jsvalify(&sNPObjectJSWrapperClass)));
+ 
+   if (generation != sNPObjWrappers.Generation()) {
+       // Reload entry if the JS_NewObject call caused a GC and reallocated
+       // the table (see bug 445229). This is guaranteed to succeed.
+ 
+-      NS_ASSERTION(PL_DHashTableSearch(&sNPObjWrappers, npobj),
+-                   "Hashtable didn't find what we just added?");
++      entry = static_cast<NPObjWrapperHashEntry*>
++        (PL_DHashTableSearch(&sNPObjWrappers, npobj));
++      NS_ASSERTION(entry, "Hashtable didn't find what we just added?");
+   }
+ 
+   if (!obj) {
+     // OOM? Remove the stale entry from the hash.
+ 
+     PL_DHashTableRawRemove(&sNPObjWrappers, entry);
+ 
+     return nullptr;
+