[v8/el6: 1/2] backport fix for enumeration for objects with lots of properties
T.C. Hollingsworth
patches at fedoraproject.org
Mon Jan 27 22:58:07 UTC 2014
commit d3e10708eb61e1caf3e2c54764ba60f6788b9e13
Author: T.C. Hollingsworth <tchollingsworth at gmail.com>
Date: Mon Jan 27 15:57:16 2014 -0700
backport fix for enumeration for objects with lots of properties
v8-3.14.5.10-enumeration.patch | 30 ++++++++++++++++++++++++++++++
v8.spec | 10 +++++++++-
2 files changed, 39 insertions(+), 1 deletions(-)
---
diff --git a/v8-3.14.5.10-enumeration.patch b/v8-3.14.5.10-enumeration.patch
new file mode 100644
index 0000000..4dea2a5
--- /dev/null
+++ b/v8-3.14.5.10-enumeration.patch
@@ -0,0 +1,30 @@
+From 196184d332ba2d2defc56ad0b37653659a7d3ec0 Mon Sep 17 00:00:00 2001
+From: "svenpanne at chromium.org" <svenpanne at chromium.org>
+Date: Fri, 9 Nov 2012 11:30:05 +0000
+Subject: [PATCH] v8: backport codereview.chromium.org/11362182
+
+Keep the number of descriptors below
+DescriptorArray::kMaxNumberOfDescriptors even for accessors
+
+Review URL: https://codereview.chromium.org/11362182
+---
+ src/objects.cc | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/objects.cc b/src/objects.cc
+--- a/src/objects.cc
++++ b/src/objects.cc
+@@ -4453,7 +4453,9 @@ MaybeObject* JSObject::DefinePropertyAccessor(String* name,
+ // to do a lookup, which seems to be a bit of overkill.
+ Heap* heap = GetHeap();
+ bool only_attribute_changes = getter->IsNull() && setter->IsNull();
+- if (HasFastProperties() && !only_attribute_changes) {
++ if (HasFastProperties() && !only_attribute_changes &&
++ (map()->NumberOfOwnDescriptors() <
++ DescriptorArray::kMaxNumberOfDescriptors)) {
+ MaybeObject* getterOk = heap->undefined_value();
+ if (!getter->IsNull()) {
+ getterOk = DefineFastAccessor(name, ACCESSOR_GETTER, getter, attributes);
+--
+1.8.5.1
+
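Review bot: the nested hunk at src/objects.cc:4453 only tightens the condition in front of the fast-accessor path, so an object whose map already holds DescriptorArray::kMaxNumberOfDescriptors descriptors now skips DefineFastAccessor and drops into whatever code follows this if block, which the hunk does not show; when applying this to 3.14.5.10 it is worth checking that the following branch in this tree's objects.cc actually defines the accessor through the slow (dictionary) route rather than returning an error, since the Fedora-side description ("enumeration for objects with lots of properties") names the symptom, while the upstream message says the intent is to keep the descriptor count below the maximum even for accessors.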
diff --git a/v8.spec b/v8.spec
index 9a304d2..7cc3a87 100644
--- a/v8.spec
+++ b/v8.spec
@@ -23,7 +23,7 @@
Name: v8
Version: %{somajor}.%{sominor}.%{sobuild}.%{sotiny}
-Release: 3%{?dist}
+Release: 4%{?dist}
Epoch: 1
Summary: JavaScript Engine
Group: System Environment/Libraries
@@ -43,6 +43,10 @@ Patch2: v8-3.14.5.10-CVE-2013-2882.patch
#backport fix for CVE-2013-6640 (RHBZ#1039889)
Patch3: v8-3.14.5.10-CVE-2013-6640.patch
+#backport fix for enumeration for objects with lots of properties
+# https://codereview.chromium.org/11362182
+Patch4: v8-3.14.5.10-enumeration.patch
+
%description
V8 is Google's open source JavaScript engine. V8 is written in C++ and is used
in Google Chrome, the open source browser from Google. V8 implements ECMAScript
@@ -61,6 +65,7 @@ Development headers and libraries for v8.
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
# -fno-strict-aliasing is needed with gcc 4.4 to get past some ugly code
PARSED_OPT_FLAGS=`echo \'$RPM_OPT_FLAGS -fPIC -fno-strict-aliasing -Wno-unused-parameter -Wno-error=strict-overflow -Wno-error=unused-local-typedefs -Wno-unused-but-set-variable\'| sed "s/ /',/g" | sed "s/',/', '/g"`
@@ -218,6 +223,9 @@ rm -rf %{buildroot}
%{python_sitelib}/j*.py*
%changelog
+* Mon Jan 27 2014 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-4
+- backport fix for enumeration for objects with lots of properties
+
* Fri Dec 13 2013 T.C. Hollingsworth <tchollingsworth at gmail.com> - 1:3.14.5.10-3
- backport fix for out-of-bounds read DoS (RHBZ#1039889; CVE-2013-6640)
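Review bot: the new changelog entry is consistent with the Release bump to 4 and the 1:3.14.5.10-4 EVR, but, like the Patch4 comment, it records only the symptom; the previous entry names the bug and CVE it fixes, so add the upstream review URL (https://codereview.chromium.org/11362182) or the bug number here as well so that `rpm -q --changelog` readers can trace the change.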