aboutsummaryrefslogtreecommitdiff
path: root/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch
diff options
context:
space:
mode:
Diffstat (limited to 'gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch')
-rw-r--r--gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch220
1 files changed, 220 insertions, 0 deletions
diff --git a/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch b/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch
new file mode 100644
index 0000000000..115cd76201
--- /dev/null
+++ b/gnu/packages/patches/icecat-CVE-2015-0836-pt-03.patch
@@ -0,0 +1,220 @@
+From 4e4e34238e5bb5af83a645a5f4d2097e3b30e9dd Mon Sep 17 00:00:00 2001
+From: Tom Schuster <evilpies@gmail.com>
+Date: Sun, 25 Jan 2015 21:42:10 +0100
+Subject: [PATCH] Bug 1111243 - Implement ES6 proxy behavior for IsArray.
+ r=efaust, a=abillings
+
+---
+ browser/devtools/app-manager/app-projects.js | 2 ++
+ js/public/Class.h | 5 +++-
+ js/src/jsarray.cpp | 9 ++++--
+ js/src/jsobjinlines.h | 15 +++++++++-
+ js/src/json.cpp | 11 +++----
+ js/src/jsproxy.cpp | 45 ++++++++++++++++++++++++++++
+ 6 files changed, 78 insertions(+), 9 deletions(-)
+
+diff --git a/browser/devtools/app-manager/app-projects.js b/browser/devtools/app-manager/app-projects.js
+index d09f72f..77ca67b 100644
+--- a/browser/devtools/app-manager/app-projects.js
++++ b/browser/devtools/app-manager/app-projects.js
+@@ -61,6 +61,8 @@ const IDB = {
+ add: function(project) {
+ let deferred = promise.defer();
+
++ project = JSON.parse(JSON.stringify(project));
++
+ if (!project.location) {
+ // We need to make sure this object has a `.location` property.
+ deferred.reject("Missing location property on project object.");
+diff --git a/js/public/Class.h b/js/public/Class.h
+index ff864b1..46f7d39 100644
+--- a/js/public/Class.h
++++ b/js/public/Class.h
+@@ -521,7 +521,10 @@ Valueify(const JSClass *c)
+ */
+ enum ESClassValue {
+ ESClass_Array, ESClass_Number, ESClass_String, ESClass_Boolean,
+- ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date
++ ESClass_RegExp, ESClass_ArrayBuffer, ESClass_Date,
++ // Special snowflake for the ES6 IsArray method.
++ // Please don't use it without calling that function.
++ ESClass_IsArray
+ };
+
+ /*
+diff --git a/js/src/jsarray.cpp b/js/src/jsarray.cpp
+index 24da176..46f1c20 100644
+--- a/js/src/jsarray.cpp
++++ b/js/src/jsarray.cpp
+@@ -2645,7 +2645,8 @@ js::array_concat(JSContext *cx, unsigned argc, Value *vp)
+ HandleValue v = HandleValue::fromMarkedLocation(&p[i]);
+ if (v.isObject()) {
+ RootedObject obj(cx, &v.toObject());
+- if (ObjectClassIs(obj, ESClass_Array, cx)) {
++ // This should be IsConcatSpreadable
++ if (IsArray(obj, cx)) {
+ uint32_t alength;
+ if (!GetLengthProperty(cx, obj, &alength))
+ return false;
+@@ -2870,7 +2871,11 @@ static bool
+ array_isArray(JSContext *cx, unsigned argc, Value *vp)
+ {
+ CallArgs args = CallArgsFromVp(argc, vp);
+- bool isArray = args.length() > 0 && IsObjectWithClass(args[0], ESClass_Array, cx);
++ bool isArray = false;
++ if (args.get(0).isObject()) {
++ RootedObject obj(cx, &args[0].toObject());
++ isArray = IsArray(obj, cx);
++ }
+ args.rval().setBoolean(isArray);
+ return true;
+ }
+diff --git a/js/src/jsobjinlines.h b/js/src/jsobjinlines.h
+index e848ba7..557dd26 100644
+--- a/js/src/jsobjinlines.h
++++ b/js/src/jsobjinlines.h
+@@ -1032,7 +1032,10 @@ ObjectClassIs(HandleObject obj, ESClassValue classValue, JSContext *cx)
+ return Proxy::objectClassIs(obj, classValue, cx);
+
+ switch (classValue) {
+- case ESClass_Array: return obj->is<ArrayObject>();
++ case ESClass_Array:
++ case ESClass_IsArray:
++ // There difference between those is only relevant for proxies.
++ return obj->is<ArrayObject>();
+ case ESClass_Number: return obj->is<NumberObject>();
+ case ESClass_String: return obj->is<StringObject>();
+ case ESClass_Boolean: return obj->is<BooleanObject>();
+@@ -1053,6 +1056,16 @@ IsObjectWithClass(const Value &v, ESClassValue classValue, JSContext *cx)
+ return ObjectClassIs(obj, classValue, cx);
+ }
+
++// ES6 7.2.2
++inline bool
++IsArray(HandleObject obj, JSContext *cx)
++{
++ if (obj->is<ArrayObject>())
++ return true;
++
++ return ObjectClassIs(obj, ESClass_IsArray, cx);
++}
++
+ static MOZ_ALWAYS_INLINE bool
+ NewObjectMetadata(ExclusiveContext *cxArg, JSObject **pmetadata)
+ {
+diff --git a/js/src/json.cpp b/js/src/json.cpp
+index 6e45bfd..81a99a6 100644
+--- a/js/src/json.cpp
++++ b/js/src/json.cpp
+@@ -300,7 +300,7 @@ JO(JSContext *cx, HandleObject obj, StringifyContext *scx)
+ Maybe<AutoIdVector> ids;
+ const AutoIdVector *props;
+ if (scx->replacer && !scx->replacer->isCallable()) {
+- JS_ASSERT(JS_IsArrayObject(cx, scx->replacer));
++ JS_ASSERT(IsArray(scx->replacer, cx));
+ props = &scx->propertyList;
+ } else {
+ JS_ASSERT_IF(scx->replacer, scx->propertyList.length() == 0);
+@@ -488,7 +488,7 @@ Str(JSContext *cx, const Value &v, StringifyContext *scx)
+
+ scx->depth++;
+ bool ok;
+- if (ObjectClassIs(obj, ESClass_Array, cx))
++ if (IsArray(obj, cx))
+ ok = JA(cx, obj, scx);
+ else
+ ok = JO(cx, obj, scx);
+@@ -510,7 +510,7 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp
+ if (replacer) {
+ if (replacer->isCallable()) {
+ /* Step 4a(i): use replacer to transform values. */
+- } else if (ObjectClassIs(replacer, ESClass_Array, cx)) {
++ } else if (IsArray(replacer, cx)) {
+ /*
+ * Step 4b: The spec algorithm is unhelpfully vague about the exact
+ * steps taken when the replacer is an array, regarding the exact
+@@ -541,7 +541,8 @@ js_Stringify(JSContext *cx, MutableHandleValue vp, JSObject *replacer_, Value sp
+
+ /* Step 4b(ii). */
+ uint32_t len;
+- JS_ALWAYS_TRUE(GetLengthProperty(cx, replacer, &len));
++ if (!GetLengthProperty(cx, replacer, &len))
++ return false;
+ if (replacer->is<ArrayObject>() && !replacer->isIndexed())
+ len = Min(len, replacer->getDenseInitializedLength());
+
+@@ -678,7 +679,7 @@ Walk(JSContext *cx, HandleObject holder, HandleId name, HandleValue reviver, Mut
+ if (val.isObject()) {
+ RootedObject obj(cx, &val.toObject());
+
+- if (ObjectClassIs(obj, ESClass_Array, cx)) {
++ if (IsArray(obj, cx)) {
+ /* Step 2a(ii). */
+ uint32_t length;
+ if (!GetLengthProperty(cx, obj, &length))
+diff --git a/js/src/jsproxy.cpp b/js/src/jsproxy.cpp
+index 7644da1..7453103 100644
+--- a/js/src/jsproxy.cpp
++++ b/js/src/jsproxy.cpp
+@@ -1108,6 +1108,14 @@ class ScriptedDirectProxyHandler : public DirectProxyHandler {
+ virtual bool isExtensible(JSContext *cx, HandleObject proxy, bool *extensible) MOZ_OVERRIDE;
+
+ /* Spidermonkey extensions. */
++ // A scripted proxy should not be treated as generic in most contexts.
++ virtual bool nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
++ CallArgs args) MOZ_OVERRIDE;
++ virtual bool objectClassIs(HandleObject obj, ESClassValue classValue,
++ JSContext *cx) MOZ_OVERRIDE;
++ virtual bool regexp_toShared(JSContext *cx, HandleObject proxy,
++ RegExpGuard *g) MOZ_OVERRIDE;
++
+ virtual bool call(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE;
+ virtual bool construct(JSContext *cx, HandleObject proxy, const CallArgs &args) MOZ_OVERRIDE;
+ virtual bool isScripted() MOZ_OVERRIDE { return true; }
+@@ -2350,6 +2358,43 @@ ScriptedDirectProxyHandler::construct(JSContext *cx, HandleObject proxy, const C
+ return true;
+ }
+
++bool
++ScriptedDirectProxyHandler::nativeCall(JSContext *cx, IsAcceptableThis test, NativeImpl impl,
++ CallArgs args)
++{
++ ReportIncompatible(cx, args);
++ return false;
++}
++
++bool
++ScriptedDirectProxyHandler::objectClassIs(HandleObject proxy, ESClassValue classValue,
++ JSContext *cx)
++{
++ // Special case IsArray. In every other instance ES wants to have exactly
++ // one object type and not a proxy around it, so return false.
++ if (classValue != ESClass_IsArray)
++ return false;
++
++ // In ES6 IsArray is supposed to poke at the Proxy target, instead we do this here.
++ // The reason for this is that we have proxies for which looking at the target might
++ // be impossible. So instead we use our little objectClassIs function that just works
++ // already across different wrappers.
++ RootedObject target(cx, proxy->as<ProxyObject>().target());
++ if (!target)
++ return false;
++
++ return IsArray(target, cx);
++}
++
++bool
++ScriptedDirectProxyHandler::regexp_toShared(JSContext *cx, HandleObject proxy,
++ RegExpGuard *g)
++{
++ MOZ_CRASH("Should not end up in ScriptedDirectProxyHandler::regexp_toShared");
++ return false;
++}
++
++
+ ScriptedDirectProxyHandler ScriptedDirectProxyHandler::singleton;
+
+ #define INVOKE_ON_PROTOTYPE(cx, handler, proxy, protoCall) \
+--
+2.2.1
+
generated by cgit