From 9d895961777db17f4021b7aa63490ff3cd8cb94d Mon Sep 17 00:00:00 2001
From: Morgan Phillips <winter2718@gmail.com>
Date: Mon, 27 Jun 2016 03:29:08 +0100
Subject: [PATCH] Bug 1282332 - Refuse to parse display names with unquoted,
 non-numeric, property names; r=jorendorff

--HG--
extra : rebase_source : 77825ee84d76beed0da58b6092f4730c6d64c7a2
---
 js/src/jsfun.cpp                     | 10 +++++++---
 js/src/tests/ecma_6/Function/name.js | 19 +++++++++++++++++++
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/js/src/jsfun.cpp b/js/src/jsfun.cpp
index 4d1574127a50..381b57da21e9 100644
--- a/js/src/jsfun.cpp
+++ b/js/src/jsfun.cpp
@@ -1670,13 +1670,17 @@ FunctionNameFromDisplayName(JSContext* cx, TextChar* text, size_t textLen, Strin
             MOZ_ASSERT(0);
             break;
         } else if (text[index] == (TextChar)']') {
-            // Here we're dealing with an unquoted numeric value so we can
-            // just skip to the closing bracket to save some work.
+            // Here we expect an unquoted numeric value. If that's the case
+            // we can just skip to the closing bracket to save some work.
             for (size_t j = 0; j < index; j++) {
-                if (text[(index - j) - 1] == (TextChar)'[') {
+                TextChar numeral = text[(index - j) - 1];
+                if (numeral == (TextChar)'[') {
                     start = index - j;
                     end = index;
                     break;
+                } else if (numeral > (TextChar)'9' || numeral < (TextChar)'0') {
+                    // Fail on anything that isn't a numeral (Bug 1282332).
+                    return false;
                 }
             }
             break;
diff --git a/js/src/tests/ecma_6/Function/name.js b/js/src/tests/ecma_6/Function/name.js
index 79b9e2895799..08a00f9ebff5 100644
--- a/js/src/tests/ecma_6/Function/name.js
+++ b/js/src/tests/ecma_6/Function/name.js
@@ -75,4 +75,23 @@ assertEq(({"[abba]": () => 1})["[abba]"].name, "[abba]");
 let zip = obj.wubba;
 assertEq(zip.name, "wubba");
 
+// (Bug 1282332) Accessed as a property based on a function name
+// This creates a tricky display name of the form: x[y[0]].
+let idaho = {0: () => 1};
+
+let planetz = {};
+planetz[idaho[0]] = () => 1;
+assertEq(planetz[idaho[0]].name, "");
+
+let moya = {};
+moya[planetz[idaho[0]]] =  () => 1;
+assertEq(moya[planetz[idaho[0]]].name, "");
+
+
+// Bound function names
+function bound() {};
+assertEq(bound.name, "bound");
+assertEq(bound.bind(Object).name, "bound bound");
+assertEq((function(){}).bind(function(){}).name, "bound ");
+
 reportCompare(0, 0, 'ok');