rpms
/
webkit2gtk3
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import webkit2gtk3-2.36.7-1.el8_7.2

This commit is contained in:
CentOS Sources 2023-02-22 12:48:56 +00:00 committed by Stepan Oksanichenko
parent 303423e441
commit 5186e91aea
2 changed files with 63 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
SOURCES/CVE-2023-23529.patch Normal file
View File

@ -0,0 +1,55 @@
From d44ded97d14cdb5ac2eb011203e5f4c45dfd94b9 Mon Sep 17 00:00:00 2001
From: Yusuke Suzuki <ysuzuki@apple.com>
Date: Wed, 8 Feb 2023 15:32:00 -0800
Subject: [PATCH] Cherry-pick 1b2eb138ef92. rdar://problem/105236768
[JSC] ToThis object folding should check if AbstractValue is always an object
https://bugs.webkit.org/show_bug.cgi?id=251944
rdar://105175786
Reviewed by Geoffrey Garen and Mark Lam.
ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example.
* Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
(JSC::DFG::isToThisAnIdentity):
Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
---
.../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
index ea7bcd6b7b31..ef3f6bbe376e 100644
--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
}
}
- if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
+ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
+ if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) {
bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
bool overridesToThis = false;
valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
// If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis;
});
+
+ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
if (!overridesToThis)
return ToThisResult::Identity;
- if (allStructuresAreJSScope) {
+
+ // But this folding is available only if input is always an object.
+ if (onlyObjects && allStructuresAreJSScope) {
if (ecmaMode.isStrict())
return ToThisResult::Undefined;
return ToThisResult::GlobalThis;
--
2.39.1

9
SPECS/webkit2gtk3.spec
View File

@ -12,7 +12,7 @@
Name: webkit2gtk3
Version: 2.36.7
Release: 1%{?dist}.1
Release: 1%{?dist}.2
Summary: GTK Web content engine library
License: LGPLv2
@ -37,6 +37,9 @@ Patch2: icu60.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2153683
Patch3: CVE-2022-42856.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2169934
Patch4: CVE-2023-23529.patch
BuildRequires: bison
BuildRequires: cmake
BuildRequires: flex
@ -306,6 +309,10 @@ export NINJA_STATUS="[%f/%t][%e] "
%endif
%changelog
* Wed Feb 15 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.2
- Add patch for CVE-2023-23529
Resolves: #2170007
* Wed Dec 21 2022 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.1
- Add patch for CVE-2022-42856
Resolves: #2153735