import UBI webkit2gtk3-2.40.5-1.el9

This commit is contained in:
eabdullin 2023-11-07 12:12:47 +00:00
parent a617c7e055
commit 346aebf698
8 changed files with 39 additions and 875 deletions

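--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/webkitgtk-2.38.5.tar.xz
+SOURCES/webkitgtk-2.40.5.tar.xz
 SOURCES/webkitgtk-keys.gpg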


@ -1,2 +1,2 @@
1774390c628bb3a524d4ed76f11de4a878078db6 SOURCES/webkitgtk-2.38.5.tar.xz
2f4d06b021115eb4106177f7d5f534f45b5d3b2e SOURCES/webkitgtk-2.40.5.tar.xz
cf57cbbadf2a07c6ede1c886f9742b7d352460c0 SOURCES/webkitgtk-keys.gpg


@ -1,167 +0,0 @@
From 8efa99e7b5d5a37aefb476cc27ee24c2be4da0c7 Mon Sep 17 00:00:00 2001
From: Michael Saboff <msaboff@apple.com>
Date: Mon, 22 May 2023 13:40:46 -0700
Subject: [PATCH] Cherry-pick 264365@main (698c6e293734).
https://bugs.webkit.org/show_bug.cgi?id=254930
[JSC] RegExpGlobalData::performMatch issue leading to OOB read
https://bugs.webkit.org/show_bug.cgi?id=254930
rdar://107436732
Reviewed by Alexey Shvayka.
Fixed two issues:
1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
characters. Since it is an assertion, we shouldn't advance the character position.
Made the same fix to matchAssertionEOL().
2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
a non-BMP character for the case where the RegExp match is empty.
* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
(JSC::Yarr::Interpreter::matchAssertionBOL):
(JSC::Yarr::Interpreter::matchAssertionEOL):
Originally-landed-as: 259548.551@safari-7615-branch (e34edaa74575). rdar://107436732
Canonical link: https://commits.webkit.org/264365@main
---
...place-regexp-matchBOL-correct-advancing.js | 35 ++++++++++++++++++
.../runtime/StringPrototype.cpp | 10 ++++++
.../JavaScriptCore/yarr/YarrInterpreter.cpp | 36 +++++++++++++++++--
3 files changed, 79 insertions(+), 2 deletions(-)
create mode 100644 JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
diff --git a/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
new file mode 100644
index 000000000000..25b1a70b81d2
--- /dev/null
+++ b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
@@ -0,0 +1,35 @@
+// Check that we don't advance for BOL assertions when matching a non-BMP character in the YARR interpreter
+// and that we do advance in String.replace() when processing an empty match.
+
+let expected = "|";
+
+for (let i = 0; i < 11; ++i)
+ expected += String.fromCodePoint(128512) + '|';
+
+let str = String.fromCodePoint(128512).repeat(11);
+
+let result1 = str.replace(/(?!(?=^a|()+()+x)(abc))/gmu, r => {
+ return '|';
+});
+
+
+if (result1 !== expected)
+ print("FAILED: \"" + result1 + " !== " + expected + '"');
+
+let result2= str.replace(/(?!(?=^a|x)(abc))/gmu, r => {
+ return '|';
+});
+
+if (result2 !== expected)
+ print("FAILED: \"" + result2 + " !== " + expected + '"');
+
+expected = "|" + String.fromCodePoint(128512);
+
+str = String.fromCodePoint(128512).repeat(1);
+
+let result3= str.replace(/(?!(?=^a|x)(abc))/mu, r => {
+ return '|';
+});
+
+if (result3 !== expected)
+ print("FAILED: \"" + result3 + " !== " + expected + '"');
diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
index 08104b1dbfa9..459295f728a7 100644
--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
}
} else {
@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
} while (global);
}
diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
index 95a848a1a66d..b1a22b253866 100644
--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
@@ -209,6 +209,38 @@ public:
}
return result;
}
+
+ int readCheckedDontAdvance(unsigned negativePositionOffest)
+ {
+ RELEASE_ASSERT(pos >= negativePositionOffest);
+ unsigned p = pos - negativePositionOffest;
+ ASSERT(p < length);
+ int result = input[p];
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
+ if (atEnd())
+ return -1;
+
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
+ }
+ return result;
+ }
+
+ // readForCharacterDump() is only for use by the DUMP_CURR_CHAR macro.
+ // We don't want any side effects like the next() in readChecked() above.
+ int readForCharacterDump(unsigned negativePositionOffest)
+ {
+ RELEASE_ASSERT(pos >= negativePositionOffest);
+ unsigned p = pos - negativePositionOffest;
+ ASSERT(p < length);
+ int result = input[p];
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
+ if (atEnd())
+ return -1;
+
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
+ }
+ return result;
+ }
int readSurrogatePairChecked(unsigned negativePositionOffset)
{
@@ -482,13 +514,13 @@ public:
bool matchAssertionBOL(ByteTerm& term)
{
- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
+ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
}
bool matchAssertionEOL(ByteTerm& term)
{
if (term.inputPosition)
- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
+ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read()));
}
--
2.40.1


@ -1,638 +0,0 @@
From 1039f0c3235ffd9a6584657adb34db10c562e4af Mon Sep 17 00:00:00 2001
From: Mark Lam <mark.lam@apple.com>
Date: Fri, 31 Mar 2023 10:49:49 -0700
Subject: [PATCH] Cherry-pick 2c49ff7b0481. rdar://problem/107369977
CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.
https://bugs.webkit.org/show_bug.cgi?id=254797
rdar://107369977
Reviewed by Justin Michaud.
Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects
in a few Vectors. This is problematic because the GC is not aware of Vectors, and cannot
scan them. In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector
template class that offer 2 enhancements:
1. It can be configured to store specific types of cell pointer types. This avoids us
having to constantly cast JSValues into these pointers.
2. It allows us to specify the type of OverflowHandler we want to use. In this case,
we want to use CrashOnOverflow. The previous MarkedArgumentBuffer always assumes
RecordOnOverflow. This allows us to avoid having to manually check for overflows,
or have to use appendWithCrashOnOverflow. For our current needs, MarkedVector can be
used as a drop in replacement for Vector.
And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors
with MarkedVector instead.
* Source/JavaScriptCore/heap/Heap.cpp:
(JSC::Heap::addCoreConstraints):
* Source/JavaScriptCore/heap/Heap.h:
* Source/JavaScriptCore/heap/HeapInlines.h:
* Source/JavaScriptCore/runtime/ArgList.cpp:
(JSC::MarkedVectorBase::addMarkSet):
(JSC::MarkedVectorBase::markLists):
(JSC::MarkedVectorBase::slowEnsureCapacity):
(JSC::MarkedVectorBase::expandCapacity):
(JSC::MarkedVectorBase::slowAppend):
(JSC::MarkedArgumentBufferBase::addMarkSet): Deleted.
(JSC::MarkedArgumentBufferBase::markLists): Deleted.
(JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted.
(JSC::MarkedArgumentBufferBase::expandCapacity): Deleted.
(JSC::MarkedArgumentBufferBase::slowAppend): Deleted.
* Source/JavaScriptCore/runtime/ArgList.h:
(JSC::MarkedVectorWithSize::MarkedVectorWithSize):
(JSC::MarkedVectorWithSize::at const):
(JSC::MarkedVectorWithSize::clear):
(JSC::MarkedVectorWithSize::append):
(JSC::MarkedVectorWithSize::appendWithCrashOnOverflow):
(JSC::MarkedVectorWithSize::last const):
(JSC::MarkedVectorWithSize::takeLast):
(JSC::MarkedVectorWithSize::ensureCapacity):
(JSC::MarkedVectorWithSize::hasOverflowed):
(JSC::MarkedVectorWithSize::fill):
(JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted.
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
(WebCore::AudioWorkletProcessor::buildJSArguments):
* Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h:
* Source/WebCore/bindings/js/SerializedScriptValue.cpp:
(WebCore::CloneDeserializer::deserialize):
Canonical link: https://commits.webkit.org/259548.530@safari-7615-branch
Identifier: 259548.395@safari-7615.1.26.11-branch
---
Source/JavaScriptCore/heap/Heap.cpp | 4 +-
Source/JavaScriptCore/heap/Heap.h | 8 +-
Source/JavaScriptCore/heap/HeapInlines.h | 2 +-
Source/JavaScriptCore/runtime/ArgList.cpp | 46 ++--
Source/JavaScriptCore/runtime/ArgList.h | 206 ++++++++++--------
.../webaudio/AudioWorkletProcessor.cpp | 4 +-
.../Modules/webaudio/AudioWorkletProcessor.h | 7 +-
.../bindings/js/SerializedScriptValue.cpp | 11 +-
8 files changed, 158 insertions(+), 130 deletions(-)
diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp
index d773eb9e79d6..37bf0e94b266 100644
--- a/Source/JavaScriptCore/heap/Heap.cpp
+++ b/Source/JavaScriptCore/heap/Heap.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2003-2022 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved.
* Copyright (C) 2007 Eric Seidel <eric@webkit.org>
*
* This library is free software; you can redistribute it and/or
@@ -2854,7 +2854,7 @@ void Heap::addCoreConstraints()
if (!m_markListSet.isEmpty()) {
SetRootMarkReasonScope rootScope(visitor, RootMarkReason::ConservativeScan);
- MarkedArgumentBufferBase::markLists(visitor, m_markListSet);
+ MarkedVectorBase::markLists(visitor, m_markListSet);
}
{
diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h
index d6cb99c4e4b5..315d62e50b1d 100644
--- a/Source/JavaScriptCore/heap/Heap.h
+++ b/Source/JavaScriptCore/heap/Heap.h
@@ -1,7 +1,7 @@
/*
* Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
* Copyright (C) 2001 Peter Kelly (pmk@post.com)
- * Copyright (C) 2003-2022 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
@@ -85,7 +85,7 @@ class MarkStackArray;
class MarkStackMergingConstraint;
class MarkedJSValueRefArray;
class BlockDirectory;
-class MarkedArgumentBufferBase;
+class MarkedVectorBase;
class MarkingConstraint;
class MarkingConstraintSet;
class MutatorScheduler;
@@ -413,7 +413,7 @@ class Heap {
JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> protectedObjectTypeCounts();
JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> objectTypeCounts();
- HashSet<MarkedArgumentBufferBase*>& markListSet();
+ HashSet<MarkedVectorBase*>& markListSet();
void addMarkedJSValueRefArray(MarkedJSValueRefArray*);
template<typename Functor> void forEachProtectedCell(const Functor&);
@@ -782,7 +782,7 @@ class Heap {
size_t m_deprecatedExtraMemorySize { 0 };
ProtectCountSet m_protectedValues;
- HashSet<MarkedArgumentBufferBase*> m_markListSet;
+ HashSet<MarkedVectorBase*> m_markListSet;
SentinelLinkedList<MarkedJSValueRefArray, BasicRawSentinelNode<MarkedJSValueRefArray>> m_markedJSValueRefArrays;
std::unique_ptr<MachineThreads> m_machineThreads;
diff --git a/Source/JavaScriptCore/heap/HeapInlines.h b/Source/JavaScriptCore/heap/HeapInlines.h
index f91546bb62c4..8e33eaae4a4f 100644
--- a/Source/JavaScriptCore/heap/HeapInlines.h
+++ b/Source/JavaScriptCore/heap/HeapInlines.h
@@ -205,7 +205,7 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded()
}
}
-inline HashSet<MarkedArgumentBufferBase*>& Heap::markListSet()
+inline HashSet<MarkedVectorBase*>& Heap::markListSet()
{
return m_markListSet;
}
diff --git a/Source/JavaScriptCore/runtime/ArgList.cpp b/Source/JavaScriptCore/runtime/ArgList.cpp
index f2815b80c8c7..a72dea74a56f 100644
--- a/Source/JavaScriptCore/runtime/ArgList.cpp
+++ b/Source/JavaScriptCore/runtime/ArgList.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2003-2021 Apple Inc. All rights reserved.
+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Library General Public
@@ -27,7 +27,7 @@ using std::min;
namespace JSC {
-void MarkedArgumentBufferBase::addMarkSet(JSValue v)
+void MarkedVectorBase::addMarkSet(JSValue v)
{
if (m_markSet)
return;
@@ -52,47 +52,47 @@ void ArgList::getSlice(int startIndex, ArgList& result) const
}
template<typename Visitor>
-void MarkedArgumentBufferBase::markLists(Visitor& visitor, ListSet& markSet)
+void MarkedVectorBase::markLists(Visitor& visitor, ListSet& markSet)
{
ListSet::iterator end = markSet.end();
for (ListSet::iterator it = markSet.begin(); it != end; ++it) {
- MarkedArgumentBufferBase* list = *it;
+ MarkedVectorBase* list = *it;
for (int i = 0; i < list->m_size; ++i)
visitor.appendUnbarriered(JSValue::decode(list->slotFor(i)));
}
}
-template void MarkedArgumentBufferBase::markLists(AbstractSlotVisitor&, ListSet&);
-template void MarkedArgumentBufferBase::markLists(SlotVisitor&, ListSet&);
+template void MarkedVectorBase::markLists(AbstractSlotVisitor&, ListSet&);
+template void MarkedVectorBase::markLists(SlotVisitor&, ListSet&);
-void MarkedArgumentBufferBase::slowEnsureCapacity(size_t requestedCapacity)
+auto MarkedVectorBase::slowEnsureCapacity(size_t requestedCapacity) -> Status
{
setNeedsOverflowCheck();
auto checkedNewCapacity = CheckedInt32(requestedCapacity);
if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
- return this->overflowed();
- expandCapacity(checkedNewCapacity);
+ return Status::Overflowed;
+ return expandCapacity(checkedNewCapacity);
}
-void MarkedArgumentBufferBase::expandCapacity()
+auto MarkedVectorBase::expandCapacity() -> Status
{
setNeedsOverflowCheck();
auto checkedNewCapacity = CheckedInt32(m_capacity) * 2;
if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
- return this->overflowed();
- expandCapacity(checkedNewCapacity);
+ return Status::Overflowed;
+ return expandCapacity(checkedNewCapacity);
}
-void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
+auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status
{
setNeedsOverflowCheck();
ASSERT(m_capacity < newCapacity);
auto checkedSize = CheckedSize(newCapacity) * sizeof(EncodedJSValue);
if (UNLIKELY(checkedSize.hasOverflowed()))
- return this->overflowed();
+ return Status::Overflowed;
EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize));
if (!newBuffer)
- return this->overflowed();
+ return Status::Overflowed;
for (int i = 0; i < m_size; ++i) {
newBuffer[i] = m_buffer[i];
addMarkSet(JSValue::decode(m_buffer[i]));
@@ -103,21 +103,23 @@ void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
m_buffer = newBuffer;
m_capacity = newCapacity;
+ return Status::Success;
}
-void MarkedArgumentBufferBase::slowAppend(JSValue v)
+auto MarkedVectorBase::slowAppend(JSValue v) -> Status
{
ASSERT(m_size <= m_capacity);
- if (m_size == m_capacity)
- expandCapacity();
- if (UNLIKELY(Base::hasOverflowed())) {
- ASSERT(m_needsOverflowCheck);
- return;
+ if (m_size == m_capacity) {
+ auto status = expandCapacity();
+ if (status == Status::Overflowed) {
+ ASSERT(m_needsOverflowCheck);
+ return status;
+ }
}
-
slotFor(m_size) = JSValue::encode(v);
++m_size;
addMarkSet(v);
+ return Status::Success;
}
} // namespace JSC
diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h
index 8ea9b0e308b8..07632263266b 100644
--- a/Source/JavaScriptCore/runtime/ArgList.h
+++ b/Source/JavaScriptCore/runtime/ArgList.h
@@ -28,20 +28,20 @@
namespace JSC {
-class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordOverflow {
- WTF_MAKE_NONCOPYABLE(MarkedArgumentBufferBase);
- WTF_MAKE_NONMOVABLE(MarkedArgumentBufferBase);
+class alignas(alignof(EncodedJSValue)) MarkedVectorBase {
+ WTF_MAKE_NONCOPYABLE(MarkedVectorBase);
+ WTF_MAKE_NONMOVABLE(MarkedVectorBase);
WTF_FORBID_HEAP_ALLOCATION;
friend class VM;
friend class ArgList;
+protected:
+ enum class Status { Success, Overflowed };
public:
- using Base = RecordOverflow;
- typedef HashSet<MarkedArgumentBufferBase*> ListSet;
+ typedef HashSet<MarkedVectorBase*> ListSet;
- ~MarkedArgumentBufferBase()
+ ~MarkedVectorBase()
{
- ASSERT(!m_needsOverflowCheck);
if (m_markSet)
m_markSet->remove(this);
@@ -52,92 +52,20 @@ class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordO
size_t size() const { return m_size; }
bool isEmpty() const { return !m_size; }
- JSValue at(int i) const
- {
- if (i >= m_size)
- return jsUndefined();
-
- return JSValue::decode(slotFor(i));
- }
-
- void clear()
- {
- ASSERT(!m_needsOverflowCheck);
- clearOverflow();
- m_size = 0;
- }
-
- enum OverflowCheckAction {
- CrashOnOverflow,
- WillCheckLater
- };
- template<OverflowCheckAction action>
- void appendWithAction(JSValue v)
- {
- ASSERT(m_size <= m_capacity);
- if (m_size == m_capacity || mallocBase()) {
- slowAppend(v);
- if (action == CrashOnOverflow)
- RELEASE_ASSERT(!hasOverflowed());
- return;
- }
-
- slotFor(m_size) = JSValue::encode(v);
- ++m_size;
- }
- void append(JSValue v) { appendWithAction<WillCheckLater>(v); }
- void appendWithCrashOnOverflow(JSValue v) { appendWithAction<CrashOnOverflow>(v); }
-
void removeLast()
{
ASSERT(m_size);
m_size--;
}
- JSValue last()
- {
- ASSERT(m_size);
- return JSValue::decode(slotFor(m_size - 1));
- }
-
- JSValue takeLast()
- {
- JSValue result = last();
- removeLast();
- return result;
- }
-
template<typename Visitor> static void markLists(Visitor&, ListSet&);
- void ensureCapacity(size_t requestedCapacity)
- {
- if (requestedCapacity > static_cast<size_t>(m_capacity))
- slowEnsureCapacity(requestedCapacity);
- }
-
- bool hasOverflowed()
- {
- clearNeedsOverflowCheck();
- return Base::hasOverflowed();
- }
-
void overflowCheckNotNeeded() { clearNeedsOverflowCheck(); }
- template<typename Functor>
- void fill(size_t count, const Functor& func)
- {
- ASSERT(!m_size);
- ensureCapacity(count);
- if (Base::hasOverflowed())
- return;
- m_size = count;
- func(reinterpret_cast<JSValue*>(&slotFor(0)));
- }
-
protected:
// Constructor for a read-write list, to which you may append values.
// FIXME: Remove all clients of this API, then remove this API.
- MarkedArgumentBufferBase(size_t capacity)
+ MarkedVectorBase(size_t capacity)
: m_size(0)
, m_capacity(capacity)
, m_buffer(inlineBuffer())
@@ -147,17 +75,16 @@ class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordO
EncodedJSValue* inlineBuffer()
{
- return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedArgumentBufferBase));
+ return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedVectorBase));
}
-private:
- void expandCapacity();
- void expandCapacity(int newCapacity);
- void slowEnsureCapacity(size_t requestedCapacity);
+ Status expandCapacity();
+ Status expandCapacity(int newCapacity);
+ Status slowEnsureCapacity(size_t requestedCapacity);
void addMarkSet(JSValue);
- JS_EXPORT_PRIVATE void slowAppend(JSValue);
+ JS_EXPORT_PRIVATE Status slowAppend(JSValue);
EncodedJSValue& slotFor(int item) const
{
@@ -172,11 +99,14 @@ class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordO
}
#if ASSERT_ENABLED
- void setNeedsOverflowCheck() { m_needsOverflowCheck = true; }
+ void disableNeedsOverflowCheck() { m_overflowCheckEnabled = false; }
+ void setNeedsOverflowCheck() { m_needsOverflowCheck = m_overflowCheckEnabled; }
void clearNeedsOverflowCheck() { m_needsOverflowCheck = false; }
bool m_needsOverflowCheck { false };
+ bool m_overflowCheckEnabled { true };
#else
+ void disableNeedsOverflowCheck() { }
void setNeedsOverflowCheck() { }
void clearNeedsOverflowCheck() { }
#endif // ASSERT_ENABLED
@@ -186,22 +116,114 @@ class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordO
ListSet* m_markSet;
};
-template<size_t passedInlineCapacity = 8>
-class MarkedArgumentBufferWithSize : public MarkedArgumentBufferBase {
+template<typename T, size_t passedInlineCapacity = 8, class OverflowHandler = CrashOnOverflow>
+class MarkedVector : public OverflowHandler, public MarkedVectorBase {
public:
static constexpr size_t inlineCapacity = passedInlineCapacity;
- MarkedArgumentBufferWithSize()
- : MarkedArgumentBufferBase(inlineCapacity)
+ MarkedVector()
+ : MarkedVectorBase(inlineCapacity)
{
ASSERT(inlineBuffer() == m_inlineBuffer);
+ if constexpr (std::is_same_v<OverflowHandler, CrashOnOverflow>) {
+ // CrashOnOverflow handles overflows immediately. So, we do not
+ // need to check for it after.
+ disableNeedsOverflowCheck();
+ }
+ }
+
+ auto at(int i) const -> decltype(auto)
+ {
+ if constexpr (std::is_same_v<T, JSValue>) {
+ if (i >= m_size)
+ return jsUndefined();
+ return JSValue::decode(slotFor(i));
+ } else {
+ if (i >= m_size)
+ return static_cast<T>(nullptr);
+ return jsCast<T>(JSValue::decode(slotFor(i)).asCell());
+ }
+ }
+
+ void clear()
+ {
+ ASSERT(!m_needsOverflowCheck);
+ OverflowHandler::clearOverflow();
+ m_size = 0;
+ }
+
+ void append(T v)
+ {
+ ASSERT(m_size <= m_capacity);
+ if (m_size == m_capacity || mallocBase()) {
+ if (slowAppend(v) == Status::Overflowed)
+ this->overflowed();
+ return;
+ }
+
+ slotFor(m_size) = JSValue::encode(v);
+ ++m_size;
+ }
+
+ void appendWithCrashOnOverflow(T v)
+ {
+ append(v);
+ if constexpr (!std::is_same<OverflowHandler, CrashOnOverflow>::value)
+ RELEASE_ASSERT(!this->hasOverflowed());
+ }
+
+ auto last() const -> decltype(auto)
+ {
+ if constexpr (std::is_same_v<T, JSValue>) {
+ ASSERT(m_size);
+ return JSValue::decode(slotFor(m_size - 1));
+ } else {
+ ASSERT(m_size);
+ return jsCast<T>(JSValue::decode(slotFor(m_size - 1)).asCell());
+ }
+ }
+
+ JSValue takeLast()
+ {
+ JSValue result = last();
+ removeLast();
+ return result;
+ }
+
+ void ensureCapacity(size_t requestedCapacity)
+ {
+ if (requestedCapacity > static_cast<size_t>(m_capacity)) {
+ if (slowEnsureCapacity(requestedCapacity) == Status::Overflowed)
+ this->overflowed();
+ }
+ }
+
+ bool hasOverflowed()
+ {
+ clearNeedsOverflowCheck();
+ return OverflowHandler::hasOverflowed();
+ }
+
+ template<typename Functor>
+ void fill(size_t count, const Functor& func)
+ {
+ ASSERT(!m_size);
+ ensureCapacity(count);
+ if (OverflowHandler::hasOverflowed())
+ return;
+ m_size = count;
+ func(reinterpret_cast<JSValue*>(&slotFor(0)));
}
private:
EncodedJSValue m_inlineBuffer[inlineCapacity] { };
};
-using MarkedArgumentBuffer = MarkedArgumentBufferWithSize<>;
+template<size_t passedInlineCapacity>
+class MarkedArgumentBufferWithSize : public MarkedVector<JSValue, passedInlineCapacity, RecordOverflow> {
+};
+
+using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;
class ArgList {
WTF_MAKE_FAST_ALLOCATED;
diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
index e41a46dd57de..2ab3abb48117 100644
--- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -220,7 +220,7 @@ AudioWorkletProcessor::AudioWorkletProcessor(AudioWorkletGlobalScope& globalScop
ASSERT(!isMainThread());
}
-void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBufferBase& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)
+void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBuffer& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)
{
// For performance reasons, we cache the arrays passed to JS and reconstruct them only when the topology changes.
if (!copyDataFromBusesToJSArray(globalObject, inputs, toJSArray(m_jsInputs)))
diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
index 746059067f87..40751a2e501b 100644
--- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2020 Apple Inc. All rights reserved.
+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
@@ -41,7 +41,8 @@
namespace JSC {
class JSArray;
-class MarkedArgumentBufferBase;
+template<typename T, size_t, class> class MarkedVector;
+using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;
}
namespace WebCore {
@@ -71,7 +72,7 @@ class AudioWorkletProcessor : public ScriptWrappable, public ThreadSafeRefCounte
private:
explicit AudioWorkletProcessor(AudioWorkletGlobalScope&, const AudioWorkletProcessorConstructionData&);
- void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBufferBase&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);
+ void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBuffer&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);
AudioWorkletGlobalScope& m_globalScope;
String m_name;
diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
index ad135b5da8f8..a465d5a57a73 100644
--- a/Source/WebCore/bindings/js/SerializedScriptValue.cpp
+++ b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
@@ -573,6 +573,7 @@ static const unsigned StringDataIs8BitFlag = 0x80000000;
using DeserializationResult = std::pair<JSC::JSValue, SerializationReturnCode>;
class CloneBase {
+ WTF_FORBID_HEAP_ALLOCATION;
protected:
CloneBase(JSGlobalObject* lexicalGlobalObject)
: m_lexicalGlobalObject(lexicalGlobalObject)
@@ -650,6 +651,7 @@ template <> bool writeLittleEndian<uint8_t>(Vector<uint8_t>& buffer, const uint8
}
class CloneSerializer : CloneBase {
+ WTF_FORBID_HEAP_ALLOCATION;
public:
static SerializationReturnCode serialize(JSGlobalObject* lexicalGlobalObject, JSValue value, Vector<RefPtr<MessagePort>>& messagePorts, Vector<RefPtr<JSC::ArrayBuffer>>& arrayBuffers, const Vector<RefPtr<ImageBitmap>>& imageBitmaps,
#if ENABLE(OFFSCREEN_CANVAS_IN_WORKERS)
@@ -2318,6 +2320,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in)
}
class CloneDeserializer : CloneBase {
+ WTF_FORBID_HEAP_ALLOCATION;
public:
static String deserializeString(const Vector<uint8_t>& buffer)
{
@@ -4285,10 +4288,10 @@ DeserializationResult CloneDeserializer::deserialize()
Vector<uint32_t, 16> indexStack;
Vector<Identifier, 16> propertyNameStack;
- Vector<JSObject*, 32> outputObjectStack;
- Vector<JSValue, 4> mapKeyStack;
- Vector<JSMap*, 4> mapStack;
- Vector<JSSet*, 4> setStack;
+ MarkedVector<JSObject*, 32> outputObjectStack;
+ MarkedVector<JSValue, 4> mapKeyStack;
+ MarkedVector<JSMap*, 4> mapStack;
+ MarkedVector<JSSet*, 4> setStack;
Vector<WalkerState, 16> stateStack;
WalkerState lexicalGlobalObject = StateUnknown;
JSValue outValue;


@ -1,36 +0,0 @@
From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
From: Antoine Quint <graouts@webkit.org>
Date: Mon, 22 May 2023 13:37:32 -0700
Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
Reviewed by Dean Jackson and Darin Adler.
Ensure that the animation's effect and target are kept alive for the duration of this method
since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
these two pointers could be changed to a null value using the Web Animations API.
* Source/WebCore/animation/WebAnimation.cpp:
(WebCore::WebAnimation::commitStyles):
Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
Canonical link: https://commits.webkit.org/264363@main
---
Source/WebCore/animation/WebAnimation.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
index 68ea47985807..ae20c79c36cf 100644
--- a/Source/WebCore/animation/WebAnimation.cpp
+++ b/Source/WebCore/animation/WebAnimation.cpp
@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
// https://drafts.csswg.org/web-animations-1/#commit-computed-styles
// 1. Let targets be the set of all effect targets for animation effects associated with animation.
- auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
- auto* target = effect ? effect->target() : nullptr;
+ RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
+ RefPtr target = effect ? effect->target() : nullptr;
// 2. For each target in targets:
//


@ -1,6 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCY+yu2QAKCRDz0yLQ7EWC
w7UkAKCS0EoptKZRn3/Z+WgGerHQEQXaFQCg51h2++dwb1bqVZ05Q1YtHmoT2gk=
=or/S
-----END PGP SIGNATURE-----


@ -0,0 +1,6 @@
-----BEGIN PGP SIGNATURE-----
iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCZMjRYQAKCRDz0yLQ7EWC
wwPPAJ0XUmEmSr4IFQWpbDfPOR9keXY+lwCfVLyOFL8T55psriGN4vkxVZqq+EM=
=nGCs
-----END PGP SIGNATURE-----


@ -11,8 +11,8 @@
%endif
Name: webkit2gtk3
Version: 2.38.5
Release: 1%{?dist}.3
Version: 2.40.5
Release: 1%{?dist}
Summary: GTK Web content engine library
License: LGPLv2
@ -24,13 +24,6 @@ Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc
# $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B > webkitgtk-keys.gpg
Source2: webkitgtk-keys.gpg
# https://bugzilla.redhat.com/show_bug.cgi?id=2209208
Patch0: CVE-2023-28204.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2185745
Patch1: CVE-2023-28205.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2209214
Patch2: CVE-2023-32373.patch
BuildRequires: bison
BuildRequires: bubblewrap
BuildRequires: cmake
@ -43,6 +36,7 @@ BuildRequires: gperf
BuildRequires: hyphen-devel
BuildRequires: libatomic
BuildRequires: ninja-build
BuildRequires: openssl-devel
BuildRequires: perl(English)
BuildRequires: perl(FindBin)
BuildRequires: perl(JSON::PP)
@ -50,6 +44,7 @@ BuildRequires: python3
BuildRequires: ruby
BuildRequires: rubygems
BuildRequires: rubygem-json
BuildRequires: unifdef
BuildRequires: xdg-dbus-proxy
BuildRequires: pkgconfig(atspi-2)
@ -58,16 +53,19 @@ BuildRequires: pkgconfig(egl)
BuildRequires: pkgconfig(enchant-2)
BuildRequires: pkgconfig(fontconfig)
BuildRequires: pkgconfig(freetype2)
BuildRequires: pkgconfig(gbm)
BuildRequires: pkgconfig(gl)
BuildRequires: pkgconfig(glib-2.0)
BuildRequires: pkgconfig(glesv2)
BuildRequires: pkgconfig(gobject-introspection-1.0)
BuildRequires: pkgconfig(gstreamer-1.0)
BuildRequires: pkgconfig(gstreamer-plugins-bad-1.0)
BuildRequires: pkgconfig(gstreamer-plugins-base-1.0)
BuildRequires: pkgconfig(gtk+-3.0)
BuildRequires: pkgconfig(harfbuzz)
BuildRequires: pkgconfig(icu-uc)
BuildRequires: pkgconfig(lcms2)
BuildRequires: pkgconfig(libdrm)
BuildRequires: pkgconfig(libgcrypt)
BuildRequires: pkgconfig(libjpeg)
BuildRequires: pkgconfig(libnotify)
@ -213,13 +211,12 @@ rm -rf Source/ThirdParty/qunit/
-DCMAKE_BUILD_TYPE=Release \
-DENABLE_JIT=OFF \
-DUSE_SOUP2=ON \
-DUSE_AVIF=OFF \
-DENABLE_DOCUMENTATION=OFF \
-DUSE_GSTREAMER_TRANSCODER=OFF \
%if !0%{?with_gamepad}
-DENABLE_GAMEPAD=OFF \
%endif
%if 0%{?fedora}
-DUSER_AGENT_BRANDING="Fedora" \
%endif
%if 0%{?rhel}
%ifarch aarch64
-DUSE_64KB_PAGE_BLOCK=ON \
@ -234,12 +231,11 @@ export NINJA_STATUS="[%f/%t][%e] "
%install
%cmake_install
%find_lang WebKit2GTK-4.0
%find_lang WebKitGTK-4.0
# Finally, copy over and rename various files for %%license inclusion
%add_to_license_files Source/JavaScriptCore/COPYING.LIB
%add_to_license_files Source/ThirdParty/ANGLE/LICENSE
%add_to_license_files Source/ThirdParty/ANGLE/src/common/third_party/smhasher/LICENSE
%add_to_license_files Source/ThirdParty/ANGLE/src/third_party/libXNVCtrl/LICENSE
%add_to_license_files Source/WebCore/LICENSE-APPLE
%add_to_license_files Source/WebCore/LICENSE-LGPL-2
@ -251,7 +247,7 @@ export NINJA_STATUS="[%f/%t][%e] "
%add_to_license_files Source/WTF/wtf/dtoa/COPYING
%add_to_license_files Source/WTF/wtf/dtoa/LICENSE
%files -f WebKit2GTK-4.0.lang
%files -f WebKitGTK-4.0.lang
%license _license_files/*ThirdParty*
%license _license_files/*WebCore*
%license _license_files/*WebInspectorUI*
@ -295,20 +291,29 @@ export NINJA_STATUS="[%f/%t][%e] "
%{_datadir}/gir-1.0/JavaScriptCore-4.0.gir
%changelog
* Tue Jul 11 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.3
* Tue Aug 01 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.5-1
- Update to 2.40.5
Related: #2176270
* Fri Jul 21 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.4-1
- Update to 2.40.4
Related: #2176270
* Tue Jul 11 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.3-2
- Disable JIT
Resolves: #2218792
Resolves: #2218802
Related: #2176270
* Thu May 25 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.2
- Add patch for CVE-2023-28204
Resolves: #2209747
- Add patch for CVE-2023-32373
Resolves: #2209730
* Wed Jun 28 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.3-1
- Update to 2.40.3
Related: #2176270
* Tue Apr 11 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.1
- Add patch for CVE-2023-28205
Resolves: #2185745
* Tue May 30 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.2-1
- Update to 2.40.2
Related: #2176270
* Thu May 04 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.1-1
- Upgrade to 2.40.1
Resolves: #2176270
* Wed Feb 15 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1
- Update to 2.38.5
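Review bot: The new 2.40.5-1 changelog entry ("Update to 2.40.5 / Related: #2176270") does not record that this rebase drops the three CVE backports Patch0–Patch2 (CVE-2023-28204, CVE-2023-28205, CVE-2023-32373), so someone auditing the errata cannot tell from the spec alone whether those fixes are now carried by upstream 2.40.5 or were lost. Presumably they are included in the upstream 2.40.x series, but the spec should say so explicitly, e.g. `- Drop CVE-2023-28204, CVE-2023-28205 and CVE-2023-32373 patches, fixed upstream in 2.40.x`. The tarball signature check appears unaffected: the issuer-fingerprint subpacket at the start of the new .asc decodes to D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3, the first key exported into webkitgtk-keys.gpg per the comment above Source2, and the keyring itself is unchanged. The %prep section that applied Patch0–Patch2 is outside this hunk, so I cannot confirm that no stale %patch line remains there.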