$NetBSD: patch-CVE-2018-12387,v 1.1 2018/10/03 18:58:22 maya Exp $

From 64de926d460164d41269812742a1376ba7bafda6 Mon Sep 17 00:00:00 2001
From: Jan de Mooij <jdemooij@mozilla.com>
Date: Tue, 25 Sep 2018 12:33:42 +0200
Subject: [PATCH] Bug 1493903 - Don't inline push with more than 1 argument.
 r=tcampbell

CVE-2018-12387

--- js/src/jit/MCallOptimize.cpp.orig	2018-04-28 01:04:03.000000000 +0000
+++ js/src/jit/MCallOptimize.cpp
@@ -818,6 +818,12 @@ IonBuilder::inlineArraySlice(CallInfo& c
         return InliningStatus_NotInlined;
     }
 
+    // XXX bug 1493903.
+    if (callInfo.argc() != 1) {
+        trackOptimizationOutcome(TrackedOutcome::CantInlineNativeBadForm);
+        return InliningStatus_NotInlined;
+    }
+
     MDefinition* obj = convertUnboxedObjects(callInfo.thisArg());
 
     // Ensure |this| and result are objects.
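Review bot: The new guard is explained only by `// XXX bug 1493903.`, which tells a later reader nothing about what rule the check enforces or why the early return is safe; the comment should state it, e.g. `// Bug 1493903: only the one-argument form is inlined here; any other arity is reported as CantInlineNativeBadForm and left to the non-inlined call path.`. The `@@` context label names `IonBuilder::inlineArraySlice` while the subject says the change is about push, and since diff picks the nearest preceding definition-looking line rather than the function actually edited, it is worth confirming the hunk lands in the intended function when the patch is rebased. The enclosing function starts and ends outside the hunk.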
