guix/gnu/packages/patches/icecat-CVE-2015-0817.patch

From cedbdf8290018fbef65458e9e438c72adf2c2775 Mon Sep 17 00:00:00 2001
From: Steve Fink <sfink@mozilla.com>
Date: Thu, 19 Mar 2015 15:46:24 -0700
Subject: [PATCH] Bug 1145255. r=luke, a=lmandel

---
 js/src/jit/AsmJS.cpp | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/js/src/jit/AsmJS.cpp b/js/src/jit/AsmJS.cpp
index 302b5ab..1b8eed6 100644
--- a/js/src/jit/AsmJS.cpp
+++ b/js/src/jit/AsmJS.cpp
@@ -14,6 +14,7 @@
 
 #include "jsmath.h"
 #include "jsprf.h"
+#include "jsutil.h"
 #include "jsworkers.h"
 #include "prmjtime.h"
 
@@ -3432,9 +3433,17 @@ FoldMaskedArrayIndex(FunctionCompiler &f, ParseNode **indexExpr, int32_t *mask,
     if (IsLiteralOrConstInt(f, maskNode, &mask2)) {
         // Flag the access to skip the bounds check if the mask ensures that an 'out of
         // bounds' access can not occur based on the current heap length constraint.
-        if (mask2 == 0 ||
-            CountLeadingZeroes32(f.m().minHeapLength() - 1) <= CountLeadingZeroes32(mask2)) {
+        if (mask2 == 0) {
             *needsBoundsCheck = NO_BOUNDS_CHECK;
+        } else {
+            uint32_t minHeap = f.m().minHeapLength();
+            uint32_t minHeapZeroes = CountLeadingZeroes32(minHeap - 1);
+            uint32_t maskZeroes = CountLeadingZeroes32(mask2);
+            if ((minHeapZeroes < maskZeroes) ||
+                (IsPowerOfTwo(minHeap) && minHeapZeroes == maskZeroes))
+            {
+                *needsBoundsCheck = NO_BOUNDS_CHECK;
+            }
         }
         *mask &= mask2;
         *indexExpr = indexNode;
-- 
2.2.1