guix-devel/gnu/packages/patches/icecat-CVE-2015-0817.patch


From cedbdf8290018fbef65458e9e438c72adf2c2775 Mon Sep 17 00:00:00 2001
From: Steve Fink <sfink@mozilla.com>
Date: Thu, 19 Mar 2015 15:46:24 -0700
Subject: [PATCH] Bug 1145255. r=luke, a=lmandel
---
js/src/jit/AsmJS.cpp | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/js/src/jit/AsmJS.cpp b/js/src/jit/AsmJS.cpp
index 302b5ab..1b8eed6 100644
--- a/js/src/jit/AsmJS.cpp
+++ b/js/src/jit/AsmJS.cpp
@@ -14,6 +14,7 @@
#include "jsmath.h"
#include "jsprf.h"
+#include "jsutil.h"
#include "jsworkers.h"
#include "prmjtime.h"
@@ -3432,9 +3433,17 @@ FoldMaskedArrayIndex(FunctionCompiler &f, ParseNode **indexExpr, int32_t *mask,
if (IsLiteralOrConstInt(f, maskNode, &mask2)) {
// Flag the access to skip the bounds check if the mask ensures that an 'out of
// bounds' access can not occur based on the current heap length constraint.
- if (mask2 == 0 ||
- CountLeadingZeroes32(f.m().minHeapLength() - 1) <= CountLeadingZeroes32(mask2)) {
+ if (mask2 == 0) {
*needsBoundsCheck = NO_BOUNDS_CHECK;
+ } else {
+ uint32_t minHeap = f.m().minHeapLength();
+ uint32_t minHeapZeroes = CountLeadingZeroes32(minHeap - 1);
+ uint32_t maskZeroes = CountLeadingZeroes32(mask2);
+ if ((minHeapZeroes < maskZeroes) ||
+ (IsPowerOfTwo(minHeap) && minHeapZeroes == maskZeroes))
+ {
+ *needsBoundsCheck = NO_BOUNDS_CHECK;
+ }
}
*mask &= mask2;
*indexExpr = indexNode;
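Review bot: The new `else` branch carries no comment explaining why equal leading-zero counts are only accepted when `minHeap` is a power of two, yet that distinction is the entire reason the bounds check may be skipped. The existing comment above the `if` still describes only the general idea, so a line such as `// With equal leading zeroes the mask is bounded by minHeap - 1 only if minHeap is a power of two; otherwise the mask can exceed minHeap.` would keep the condition from being simplified back later. Separately, `CountLeadingZeroes32(minHeap - 1)` would be passed 0 if `minHeap` were 1; the hunk does not show the lower bound enforced on `minHeapLength()`, so if one exists, `MOZ_ASSERT(minHeap > 1);` after the declaration would document it. FoldMaskedArrayIndex begins and ends outside the hunk, and the declaration of `mask2` is not visible here.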
--
2.2.1