import webkit2gtk3-2.36.7-1.el8_7.1
parent b492ea06be
commit 303423e441

SOURCES/CVE-2022-42856.patch (normal file, 78 lines added)
@@ -0,0 +1,78 @@
From 98940f219ba0e3eb6d958af483b73dd9cc75c28c Mon Sep 17 00:00:00 2001
From: Mark Lam <mark.lam@apple.com>
Date: Mon, 19 Dec 2022 17:32:15 -0800
Subject: [PATCH] Cherry-pick 252432.839@safari-7614-branch (71cdc1c09ef1).
rdar://102531234

The provenType filtering in FTL's speculateRealNumber is incorrect.
https://bugs.webkit.org/show_bug.cgi?id=248266
<rdar://problem/102531234>

Reviewed by Justin Michaud.

speculateRealNumber does a doubleEqual compare, which filters out double values which
are not NaN. NaN values will fall through to the `intCase` block. In the `intCase` block,
the isNotInt32() check there was given a proven type that wrongly filters out ~SpecFullDouble.

Consider a scenario where the edge was proven to be { SpecInt32Only, SpecDoubleReal,
SpecDoublePureNaN }. SpecFullDouble is defined as SpecDoubleReal | SpecDoubleNaN, and
SpecDoubleNaN is defined as SpecDoublePureNaN | SpecDoubleImpureNaN. Hence, the filtering
of the proven type with ~SpecFullDouble means that isNotInt32() will effectively be given
a proven type of

{ SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } - { SpecDoubleReal, SpecDoublePureNaN }

which yields

{ SpecInt32Only }.

As a result, the compiler will think that that isNotInt32() check will always fail. This
is not correct if the actual incoming value for that edge is actually a PureNaN. In this
case, speculateRealNumber should have OSR exited, but it doesn't because it thinks that
the isNotInt32() check will always fail and elides the check altogether.

In this patch, we fix this by replacing the ~SpecFullDouble with ~SpecDoubleReal. We also
rename the `intCase` block to `intOrNaNCase` to document what it actually handles.

* JSTests/stress/speculate-real-number-in-object-is.js: Added.
(test.object_is_opt):
(test):
* Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp:
(JSC::FTL::DFG::LowerDFGToB3::compileCompareStrictEq):

Canonical link: https://commits.webkit.org/252432.839@safari-7614-branch

Canonical link: https://commits.webkit.org/258113@main
---
.../speculate-real-number-in-object-is.js | 22 +++++++++++++++++++
Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp | 8 +++----
2 files changed, 26 insertions(+), 4 deletions(-)
create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js

diff --git a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
index 3ba2d21b8072..18d13f1941bb 100644
--- a/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
+++ b/Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp
@@ -20574,18 +20574,18 @@ IGNORE_CLANG_WARNINGS_END
LValue value = lowJSValue(edge, ManualOperandSpeculation);
LValue doubleValue = unboxDouble(value);

- LBasicBlock intCase = m_out.newBlock();
+ LBasicBlock intOrNaNCase = m_out.newBlock();
LBasicBlock continuation = m_out.newBlock();

m_out.branch(
m_out.doubleEqual(doubleValue, doubleValue),
- usually(continuation), rarely(intCase));
+ usually(continuation), rarely(intOrNaNCase));

- LBasicBlock lastNext = m_out.appendTo(intCase, continuation);
+ LBasicBlock lastNext = m_out.appendTo(intOrNaNCase, continuation);

typeCheck(
jsValueValue(value), m_node->child1(), SpecBytecodeRealNumber,
- isNotInt32(value, provenType(m_node->child1()) & ~SpecFullDouble));
+ isNotInt32(value, provenType(m_node->child1()) & ~SpecDoubleReal));
m_out.jump(continuation);

m_out.appendTo(continuation, lastNext);
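Review bot: the diffstat and the "create mode 100644 JSTests/stress/speculate-real-number-in-object-is.js" line still advertise the regression test, but the only diff --git section in this 78-line backport is Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp, so the patch header no longer matches its body; either carry the JSTests hunk along (it is the only automated check that a PureNaN reaching the renamed intOrNaNCase block now takes the OSR exit) or trim the diffstat to the single file. The code change itself is sound: masking provenType(m_node->child1()) with ~SpecDoubleReal instead of ~SpecFullDouble keeps the SpecDoublePureNaN and SpecDoubleImpureNaN bits in the proven type handed to isNotInt32(), so for an edge proven as { SpecInt32Only, SpecDoubleReal, SpecDoublePureNaN } the compiler can no longer fold the check to always-false and drop the typeCheck against SpecBytecodeRealNumber; NaN still reaches this block only through the rarely(intOrNaNCase) arm of the m_out.doubleEqual(doubleValue, doubleValue) branch, which is exactly what the new block name documents.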
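The backported patch above omits the JSTests stress test that upstream added, so here is an added example, constructed for this page and not the project's own test, of the shape such a regression test takes for a JIT speculation bug: warm a small function with only the values a speculating tier will narrow the edge to (int32 and non-NaN doubles, the { SpecInt32Only, SpecDoubleReal } case from the commit message), then feed the value the speculation must bail out on (NaN) and check the language-level result. The function names, the iteration count and the claim that this particular Object.is call reaches speculateRealNumber in JavaScriptCore's FTL are assumptions; on any correct engine the checks simply pass, which is what a regression test is for.

```javascript
// Added example, not the project's JSTests file. Names, loop bounds and the
// assumption that this Object.is call is the path FTL speculates on as a
// real number are this page's own; the semantics asserted are ECMAScript's.

// Candidate the JIT would optimise. For real numbers (int32 or non-NaN
// double) Object.is agrees with ===; for NaN it differs: Object.is(NaN, NaN)
// is true while NaN === NaN is false. A speculation that wrongly treats NaN
// as a real number is therefore observable through this function.
function objectIsOpt(a, b) {
    return Object.is(a, b);
}

// Warm-up: feed only ints and real doubles so a speculating tier proves the
// edges to be int32-or-real-double and emits speculateRealNumber. Returns the
// number of equal comparisons observed so the caller can sanity-check it.
function warmUp(iterations) {
    let equalCount = 0;
    for (let i = 0; i < iterations; i++) {
        if (objectIsOpt(i, i)) equalCount++;             // int32 vs int32
        if (objectIsOpt(i + 0.5, i + 0.5)) equalCount++; // real double vs real double
        if (objectIsOpt(i, i + 1)) {
            throw new Error("distinct ints compared equal during warm-up");
        }
    }
    return equalCount;
}

// Probe: after warm-up, push the values that do not fit the speculation.
// Each field is the result the language requires; a broken speculation that
// elides the NaN exit would show up as a wrong boolean here (or worse).
function probeNaN() {
    return {
        nanIsNan: objectIsOpt(NaN, NaN),      // true  (=== would give false)
        nanVsReal: objectIsOpt(NaN, 1.5),     // false
        nanVsInt: objectIsOpt(NaN, 1),        // false
        realAfterNan: objectIsOpt(2.5, 2.5),  // true, still correct after the exit
    };
}

// Whole regression run: returns an object rather than printing so that a
// harness can assert on it. `ok` is true only if every probe matches spec.
function runRegression(iterations) {
    const warmed = warmUp(iterations);
    const r = probeNaN();
    const ok = r.nanIsNan === true && r.nanVsReal === false
        && r.nanVsInt === false && r.realAfterNan === true;
    return { ok, warmed, ...r };
}

// Stand-alone use (e.g. `node` or `jsc`): print the verdict.
if (typeof require !== "undefined" && require.main === module) {
    console.log(JSON.stringify(runRegression(100000)));
}
```

When run under a JavaScriptCore shell the warm-up loop is what drives the function through the DFG and FTL tiers; the iteration count is a guess at what is enough to reach FTL and would normally be tuned with the engine's tier-up options. The value of such a test is not the four booleans, which any interpreter gets right, but that it exercises the optimised code path with the exact value class the speculation filtered out.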
@@ -12,7 +12,7 @@
 
 Name: webkit2gtk3
 Version: 2.36.7
-Release: 1%{?dist}
+Release: 1%{?dist}.1
 Summary: GTK Web content engine library
 
 License: LGPLv2
@@ -34,6 +34,9 @@ Patch1: aarch64-page-size.patch
 # https://bugs.webkit.org/show_bug.cgi?id=235367
 Patch2: icu60.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=2153683
+Patch3: CVE-2022-42856.patch
+
 BuildRequires: bison
 BuildRequires: cmake
 BuildRequires: flex
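Review bot: the comment above Patch3 points at bugzilla 2153683, while the changelog entry for this same build lists Resolves: #2153735; if one is the parent CVE tracker and the other the RHEL 8 product bug, cite both next to the Patch3 line so that someone reading the spec alone can find the erratum bug, or at least pick the same number in both places. Otherwise the hunk is fine: Patch3 continues the numbering after Patch2: icu60.patch and the filename carries the CVE id.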
@@ -303,9 +306,46 @@ export NINJA_STATUS="[%f/%t][%e] "
 %endif
 
 %changelog
-* Fri Sep 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1
+* Wed Dec 21 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.1
+- Add patch for CVE-2022-42856
+Resolves: #2153735
+
+* Wed Aug 24 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1
 - Update to 2.36.7
-Related: #2123429
+Related: #2061994
+
+* Tue Aug 09 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.6-1
+- Update to 2.36.6
+Related: #2061994
+
+* Tue Aug 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.5-2
+- Fix Eclipse after update to 2.36.5
+Related: #2061994
+
+* Thu Jul 28 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.5-1
+- Update to 2.36.5
+Related: #2061994
+Resolves: #2099334
+
+* Tue Jul 05 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.4-1
+- Update to 2.36.4
+Related: #2061994
+
+* Thu Jun 02 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.3-1
+- Update to 2.36.3
+- Related: #2061994
+- Resolves: #2092748
+
+* Wed May 18 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.2-1
+- Update to 2.36.2
+Related: #2061994
+
+* Thu Apr 21 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.1-1
+- Update to 2.36.1
+Related: #2061994
+- Resolves: #2075492
+- Resolves: #2075494
+- Resolves: #2075496
 
 * Thu Feb 17 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.34.6-1
 - Update to 2.34.6
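Review bot: this hunk rewrites the already-shipped 2.36.7-1 changelog entry (its date changes from Fri Sep 02 2022 to Wed Aug 24 2022 and its reference from Related: #2123429 to Related: #2061994) and inserts entries for 2.36.1 through 2.36.6 between it and 2.34.6-1, while the only change this build actually makes is the new 2.36.7-1.1 entry; for a z-stream security fix it is cleaner to append just that entry and leave the existing history untouched, or state in the commit that the changelog is being synced from another branch so the rewrite is not mistaken for an error. A small consistency nit: the new entry writes "Resolves: #2153735" without the leading "- ", while the Jun 02 and Apr 21 entries use "- Resolves:"; pick one form.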