diff --git a/.gitignore b/.gitignore
index 6604850..2a925d8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,2 @@
-SOURCES/webkitgtk-2.38.5.tar.xz
+SOURCES/webkitgtk-2.40.5.tar.xz
 SOURCES/webkitgtk-keys.gpg
diff --git a/.webkit2gtk3.metadata b/.webkit2gtk3.metadata
index 3cff2b7..6a421f0 100644
--- a/.webkit2gtk3.metadata
+++ b/.webkit2gtk3.metadata
@@ -1,2 +1,2 @@
-1774390c628bb3a524d4ed76f11de4a878078db6 SOURCES/webkitgtk-2.38.5.tar.xz
+2f4d06b021115eb4106177f7d5f534f45b5d3b2e SOURCES/webkitgtk-2.40.5.tar.xz
 cf57cbbadf2a07c6ede1c886f9742b7d352460c0 SOURCES/webkitgtk-keys.gpg
diff --git a/SOURCES/CVE-2023-28204.patch b/SOURCES/CVE-2023-28204.patch
deleted file mode 100644
index cc19fd0..0000000
--- a/SOURCES/CVE-2023-28204.patch
+++ /dev/null
@@ -1,167 +0,0 @@ -From 8efa99e7b5d5a37aefb476cc27ee24c2be4da0c7 Mon Sep 17 00:00:00 2001 -From: Michael Saboff -Date: Mon, 22 May 2023 13:40:46 -0700 -Subject: [PATCH] Cherry-pick 264365@main (698c6e293734). - https://bugs.webkit.org/show_bug.cgi?id=254930 - - [JSC] RegExpGlobalData::performMatch issue leading to OOB read - https://bugs.webkit.org/show_bug.cgi?id=254930 - rdar://107436732 - - Reviewed by Alexey Shvayka. - - Fixed two issues: - 1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP - characters. Since it is an assertion, we shouldn't advance the character position. - Made the same fix to matchAssertionEOL(). - 2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of - a non-BMP character for the case where the RegExp match is empty. - - * JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test. - * Source/JavaScriptCore/runtime/StringPrototype.cpp: - (JSC::replaceUsingRegExpSearch): - * Source/JavaScriptCore/yarr/YarrInterpreter.cpp: - (JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance): - (JSC::Yarr::Interpreter::matchAssertionBOL): - (JSC::Yarr::Interpreter::matchAssertionEOL): - - Originally-landed-as: 259548.551@safari-7615-branch (e34edaa74575). 
rdar://107436732 - Canonical link: https://commits.webkit.org/264365@main ---- - ...place-regexp-matchBOL-correct-advancing.js | 35 ++++++++++++++++++ - .../runtime/StringPrototype.cpp | 10 ++++++ - .../JavaScriptCore/yarr/YarrInterpreter.cpp | 36 +++++++++++++++++-- - 3 files changed, 79 insertions(+), 2 deletions(-) - create mode 100644 JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js - -diff --git a/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js -new file mode 100644 -index 000000000000..25b1a70b81d2 ---- /dev/null -+++ b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js -@@ -0,0 +1,35 @@ -+// Check that we don't advance for BOL assertions when matching a non-BMP character in the YARR interpreter -+// and that we do advance in String.replace() when processing an empty match. -+ -+let expected = "|"; -+ -+for (let i = 0; i < 11; ++i) -+ expected += String.fromCodePoint(128512) + '|'; -+ -+let str = String.fromCodePoint(128512).repeat(11); -+ -+let result1 = str.replace(/(?!(?=^a|()+()+x)(abc))/gmu, r => { -+ return '|'; -+}); -+ -+ -+if (result1 !== expected) -+ print("FAILED: \"" + result1 + " !== " + expected + '"'); -+ -+let result2= str.replace(/(?!(?=^a|x)(abc))/gmu, r => { -+ return '|'; -+}); -+ -+if (result2 !== expected) -+ print("FAILED: \"" + result2 + " !== " + expected + '"'); -+ -+expected = "|" + String.fromCodePoint(128512); -+ -+str = String.fromCodePoint(128512).repeat(1); -+ -+let result3= str.replace(/(?!(?=^a|x)(abc))/mu, r => { -+ return '|'; -+}); -+ -+if (result3 !== expected) -+ print("FAILED: \"" + result3 + " !== " + expected + '"'); -diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp -index 08104b1dbfa9..459295f728a7 100644 ---- a/Source/JavaScriptCore/runtime/StringPrototype.cpp -+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp -@@ -603,6 
+603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch( - startPosition++; - if (startPosition > sourceLen) - break; -+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) { -+ startPosition++; -+ if (startPosition > sourceLen) -+ break; -+ } - } - } - } else { -@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch( - startPosition++; - if (startPosition > sourceLen) - break; -+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) { -+ startPosition++; -+ if (startPosition > sourceLen) -+ break; -+ } - } - } while (global); - } -diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp -index 95a848a1a66d..b1a22b253866 100644 ---- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp -+++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp -@@ -209,6 +209,38 @@ public: - } - return result; - } -+ -+ int readCheckedDontAdvance(unsigned negativePositionOffest) -+ { -+ RELEASE_ASSERT(pos >= negativePositionOffest); -+ unsigned p = pos - negativePositionOffest; -+ ASSERT(p < length); -+ int result = input[p]; -+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) { -+ if (atEnd()) -+ return -1; -+ -+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]); -+ } -+ return result; -+ } -+ -+ // readForCharacterDump() is only for use by the DUMP_CURR_CHAR macro. -+ // We don't want any side effects like the next() in readChecked() above. 
-+ int readForCharacterDump(unsigned negativePositionOffest) -+ { -+ RELEASE_ASSERT(pos >= negativePositionOffest); -+ unsigned p = pos - negativePositionOffest; -+ ASSERT(p < length); -+ int result = input[p]; -+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) { -+ if (atEnd()) -+ return -1; -+ -+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]); -+ } -+ return result; -+ } - - int readSurrogatePairChecked(unsigned negativePositionOffset) - { -@@ -482,13 +514,13 @@ public: - - bool matchAssertionBOL(ByteTerm& term) - { -- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1))); -+ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1))); - } - - bool matchAssertionEOL(ByteTerm& term) - { - if (term.inputPosition) -- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition))); -+ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition))); - - return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read())); - } --- -2.40.1 - diff --git a/SOURCES/CVE-2023-28205.patch b/SOURCES/CVE-2023-28205.patch deleted file mode 100644 index 030bf96..0000000 --- a/SOURCES/CVE-2023-28205.patch +++ /dev/null 
@@ -1,648 +0,0 @@ -From b315f620c349e001a697dd7d4c501bdd07fe18c5 Mon Sep 17 00:00:00 2001 -From: Mark Lam -Date: Fri, 31 Mar 2023 10:49:49 -0700 -Subject: [PATCH] Cherry-pick 2c49ff7b0481. rdar://problem/107369977 - - CloneDeserializer::deserialize() should store cell pointers in a MarkedVector. - https://bugs.webkit.org/show_bug.cgi?id=254797 - rdar://107369977 - - Reviewed by Justin Michaud. - - Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects - in a few Vectors. This is problematic because the GC is not aware of Vectors, and cannot - scan them. In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector - template class that offer 2 enhancements: - - 1. It can be configured to store specific types of cell pointer types. This avoids us - having to constantly cast JSValues into these pointers. - - 2. It allows us to specify the type of OverflowHandler we want to use. In this case, - we want to use CrashOnOverflow. The previous MarkedArgumentBuffer always assumes - RecordOnOverflow. This allows us to avoid having to manually check for overflows, - or have to use appendWithCrashOnOverflow. For our current needs, MarkedVector can be - used as a drop in replacement for Vector. - - And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors - with MarkedVector instead. - - * Source/JavaScriptCore/heap/Heap.cpp: - (JSC::Heap::addCoreConstraints): - * Source/JavaScriptCore/heap/Heap.h: - * Source/JavaScriptCore/heap/HeapInlines.h: - * Source/JavaScriptCore/runtime/ArgList.cpp: - (JSC::MarkedVectorBase::addMarkSet): - (JSC::MarkedVectorBase::markLists): - (JSC::MarkedVectorBase::slowEnsureCapacity): - (JSC::MarkedVectorBase::expandCapacity): - (JSC::MarkedVectorBase::slowAppend): - (JSC::MarkedArgumentBufferBase::addMarkSet): Deleted. - (JSC::MarkedArgumentBufferBase::markLists): Deleted. - (JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted. 
- (JSC::MarkedArgumentBufferBase::expandCapacity): Deleted. - (JSC::MarkedArgumentBufferBase::slowAppend): Deleted. - * Source/JavaScriptCore/runtime/ArgList.h: - (JSC::MarkedVectorWithSize::MarkedVectorWithSize): - (JSC::MarkedVectorWithSize::at const): - (JSC::MarkedVectorWithSize::clear): - (JSC::MarkedVectorWithSize::append): - (JSC::MarkedVectorWithSize::appendWithCrashOnOverflow): - (JSC::MarkedVectorWithSize::last const): - (JSC::MarkedVectorWithSize::takeLast): - (JSC::MarkedVectorWithSize::ensureCapacity): - (JSC::MarkedVectorWithSize::hasOverflowed): - (JSC::MarkedVectorWithSize::fill): - (JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted. - * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp: - (WebCore::AudioWorkletProcessor::buildJSArguments): - * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h: - * Source/WebCore/bindings/js/SerializedScriptValue.cpp: - (WebCore::CloneDeserializer::deserialize): - - Canonical link: https://commits.webkit.org/259548.530@safari-7615-branch - -Identifier: 259548.395@safari-7615.1.26.11-branch ---- - Source/JavaScriptCore/heap/Heap.cpp | 4 +- - Source/JavaScriptCore/heap/Heap.h | 8 +- - Source/JavaScriptCore/heap/HeapInlines.h | 2 +- - Source/JavaScriptCore/runtime/ArgList.cpp | 46 ++-- - Source/JavaScriptCore/runtime/ArgList.h | 207 ++++++++++-------- - .../webaudio/AudioWorkletProcessor.cpp | 4 +- - .../Modules/webaudio/AudioWorkletProcessor.h | 7 +- - .../bindings/js/SerializedScriptValue.cpp | 11 +- - 8 files changed, 159 insertions(+), 130 deletions(-) - -diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp -index 8a4c082cb36e..632b01f14546 100644 ---- a/Source/JavaScriptCore/heap/Heap.cpp -+++ b/Source/JavaScriptCore/heap/Heap.cpp -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2003-2022 Apple Inc. All rights reserved. -+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved. 
- * Copyright (C) 2007 Eric Seidel - * - * This library is free software; you can redistribute it and/or -@@ -2847,7 +2847,7 @@ void Heap::addCoreConstraints() - - if (!m_markListSet.isEmpty()) { - SetRootMarkReasonScope rootScope(visitor, RootMarkReason::ConservativeScan); -- MarkedArgumentBufferBase::markLists(visitor, m_markListSet); -+ MarkedVectorBase::markLists(visitor, m_markListSet); - } - - { -diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h -index 418f24fd1212..8df576acf7f8 100644 ---- a/Source/JavaScriptCore/heap/Heap.h -+++ b/Source/JavaScriptCore/heap/Heap.h -@@ -1,7 +1,7 @@ - /* - * Copyright (C) 1999-2000 Harri Porten (porten@kde.org) - * Copyright (C) 2001 Peter Kelly (pmk@post.com) -- * Copyright (C) 2003-2022 Apple Inc. All rights reserved. -+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Lesser General Public -@@ -85,7 +85,7 @@ class MarkStackArray; - class MarkStackMergingConstraint; - class MarkedJSValueRefArray; - class BlockDirectory; --class MarkedArgumentBufferBase; -+class MarkedVectorBase; - class MarkingConstraint; - class MarkingConstraintSet; - class MutatorScheduler; -@@ -409,7 +409,7 @@ public: - JS_EXPORT_PRIVATE std::unique_ptr protectedObjectTypeCounts(); - JS_EXPORT_PRIVATE std::unique_ptr objectTypeCounts(); - -- HashSet& markListSet(); -+ HashSet& markListSet(); - void addMarkedJSValueRefArray(MarkedJSValueRefArray*); - - template void forEachProtectedCell(const Functor&); -@@ -778,7 +778,7 @@ private: - size_t m_deprecatedExtraMemorySize { 0 }; - - ProtectCountSet m_protectedValues; -- HashSet m_markListSet; -+ HashSet m_markListSet; - SentinelLinkedList> m_markedJSValueRefArrays; - - std::unique_ptr m_machineThreads; -diff --git a/Source/JavaScriptCore/heap/HeapInlines.h b/Source/JavaScriptCore/heap/HeapInlines.h -index 66d8317e317c..4d767a564d5f 100644 ---- 
a/Source/JavaScriptCore/heap/HeapInlines.h -+++ b/Source/JavaScriptCore/heap/HeapInlines.h -@@ -206,7 +206,7 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded() - } - } - --inline HashSet& Heap::markListSet() -+inline HashSet& Heap::markListSet() - { - return m_markListSet; - } -diff --git a/Source/JavaScriptCore/runtime/ArgList.cpp b/Source/JavaScriptCore/runtime/ArgList.cpp -index f2815b80c8c7..a72dea74a56f 100644 ---- a/Source/JavaScriptCore/runtime/ArgList.cpp -+++ b/Source/JavaScriptCore/runtime/ArgList.cpp -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2003-2021 Apple Inc. All rights reserved. -+ * Copyright (C) 2003-2023 Apple Inc. All rights reserved. - * - * This library is free software; you can redistribute it and/or - * modify it under the terms of the GNU Library General Public -@@ -27,7 +27,7 @@ using std::min; - - namespace JSC { - --void MarkedArgumentBufferBase::addMarkSet(JSValue v) -+void MarkedVectorBase::addMarkSet(JSValue v) - { - if (m_markSet) - return; -@@ -52,47 +52,47 @@ void ArgList::getSlice(int startIndex, ArgList& result) const - } - - template --void MarkedArgumentBufferBase::markLists(Visitor& visitor, ListSet& markSet) -+void MarkedVectorBase::markLists(Visitor& visitor, ListSet& markSet) - { - ListSet::iterator end = markSet.end(); - for (ListSet::iterator it = markSet.begin(); it != end; ++it) { -- MarkedArgumentBufferBase* list = *it; -+ MarkedVectorBase* list = *it; - for (int i = 0; i < list->m_size; ++i) - visitor.appendUnbarriered(JSValue::decode(list->slotFor(i))); - } - } - --template void MarkedArgumentBufferBase::markLists(AbstractSlotVisitor&, ListSet&); --template void MarkedArgumentBufferBase::markLists(SlotVisitor&, ListSet&); -+template void MarkedVectorBase::markLists(AbstractSlotVisitor&, ListSet&); -+template void MarkedVectorBase::markLists(SlotVisitor&, ListSet&); - --void MarkedArgumentBufferBase::slowEnsureCapacity(size_t requestedCapacity) -+auto MarkedVectorBase::slowEnsureCapacity(size_t 
requestedCapacity) -> Status - { - setNeedsOverflowCheck(); - auto checkedNewCapacity = CheckedInt32(requestedCapacity); - if (UNLIKELY(checkedNewCapacity.hasOverflowed())) -- return this->overflowed(); -- expandCapacity(checkedNewCapacity); -+ return Status::Overflowed; -+ return expandCapacity(checkedNewCapacity); - } - --void MarkedArgumentBufferBase::expandCapacity() -+auto MarkedVectorBase::expandCapacity() -> Status - { - setNeedsOverflowCheck(); - auto checkedNewCapacity = CheckedInt32(m_capacity) * 2; - if (UNLIKELY(checkedNewCapacity.hasOverflowed())) -- return this->overflowed(); -- expandCapacity(checkedNewCapacity); -+ return Status::Overflowed; -+ return expandCapacity(checkedNewCapacity); - } - --void MarkedArgumentBufferBase::expandCapacity(int newCapacity) -+auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status - { - setNeedsOverflowCheck(); - ASSERT(m_capacity < newCapacity); - auto checkedSize = CheckedSize(newCapacity) * sizeof(EncodedJSValue); - if (UNLIKELY(checkedSize.hasOverflowed())) -- return this->overflowed(); -+ return Status::Overflowed; - EncodedJSValue* newBuffer = static_cast(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize)); - if (!newBuffer) -- return this->overflowed(); -+ return Status::Overflowed; - for (int i = 0; i < m_size; ++i) { - newBuffer[i] = m_buffer[i]; - addMarkSet(JSValue::decode(m_buffer[i])); -@@ -103,21 +103,23 @@ void MarkedArgumentBufferBase::expandCapacity(int newCapacity) - - m_buffer = newBuffer; - m_capacity = newCapacity; -+ return Status::Success; - } - --void MarkedArgumentBufferBase::slowAppend(JSValue v) -+auto MarkedVectorBase::slowAppend(JSValue v) -> Status - { - ASSERT(m_size <= m_capacity); -- if (m_size == m_capacity) -- expandCapacity(); -- if (UNLIKELY(Base::hasOverflowed())) { -- ASSERT(m_needsOverflowCheck); -- return; -+ if (m_size == m_capacity) { -+ auto status = expandCapacity(); -+ if (status == Status::Overflowed) { -+ ASSERT(m_needsOverflowCheck); -+ return status; -+ } - 
} -- - slotFor(m_size) = JSValue::encode(v); - ++m_size; - addMarkSet(v); -+ return Status::Success; - } - - } // namespace JSC -diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h -index 8ea9b0e308b8..01a6d5e0e5dc 100644 ---- a/Source/JavaScriptCore/runtime/ArgList.h -+++ b/Source/JavaScriptCore/runtime/ArgList.h -@@ -22,26 +22,27 @@ - #pragma once - - #include "CallFrame.h" -+#include "JSCast.h" - #include - #include - #include - - namespace JSC { - --class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordOverflow { -- WTF_MAKE_NONCOPYABLE(MarkedArgumentBufferBase); -- WTF_MAKE_NONMOVABLE(MarkedArgumentBufferBase); -+class alignas(alignof(EncodedJSValue)) MarkedVectorBase { -+ WTF_MAKE_NONCOPYABLE(MarkedVectorBase); -+ WTF_MAKE_NONMOVABLE(MarkedVectorBase); - WTF_FORBID_HEAP_ALLOCATION; - friend class VM; - friend class ArgList; - -+protected: -+ enum class Status { Success, Overflowed }; - public: -- using Base = RecordOverflow; -- typedef HashSet ListSet; -+ typedef HashSet ListSet; - -- ~MarkedArgumentBufferBase() -+ ~MarkedVectorBase() - { -- ASSERT(!m_needsOverflowCheck); - if (m_markSet) - m_markSet->remove(this); - -@@ -52,92 +53,20 @@ public: - size_t size() const { return m_size; } - bool isEmpty() const { return !m_size; } - -- JSValue at(int i) const -- { -- if (i >= m_size) -- return jsUndefined(); -- -- return JSValue::decode(slotFor(i)); -- } -- -- void clear() -- { -- ASSERT(!m_needsOverflowCheck); -- clearOverflow(); -- m_size = 0; -- } -- -- enum OverflowCheckAction { -- CrashOnOverflow, -- WillCheckLater -- }; -- template -- void appendWithAction(JSValue v) -- { -- ASSERT(m_size <= m_capacity); -- if (m_size == m_capacity || mallocBase()) { -- slowAppend(v); -- if (action == CrashOnOverflow) -- RELEASE_ASSERT(!hasOverflowed()); -- return; -- } -- -- slotFor(m_size) = JSValue::encode(v); -- ++m_size; -- } -- void append(JSValue v) { appendWithAction(v); } -- void 
appendWithCrashOnOverflow(JSValue v) { appendWithAction(v); } -- - void removeLast() - { - ASSERT(m_size); - m_size--; - } - -- JSValue last() -- { -- ASSERT(m_size); -- return JSValue::decode(slotFor(m_size - 1)); -- } -- -- JSValue takeLast() -- { -- JSValue result = last(); -- removeLast(); -- return result; -- } -- - template static void markLists(Visitor&, ListSet&); - -- void ensureCapacity(size_t requestedCapacity) -- { -- if (requestedCapacity > static_cast(m_capacity)) -- slowEnsureCapacity(requestedCapacity); -- } -- -- bool hasOverflowed() -- { -- clearNeedsOverflowCheck(); -- return Base::hasOverflowed(); -- } -- - void overflowCheckNotNeeded() { clearNeedsOverflowCheck(); } - -- template -- void fill(size_t count, const Functor& func) -- { -- ASSERT(!m_size); -- ensureCapacity(count); -- if (Base::hasOverflowed()) -- return; -- m_size = count; -- func(reinterpret_cast(&slotFor(0))); -- } -- - protected: - // Constructor for a read-write list, to which you may append values. - // FIXME: Remove all clients of this API, then remove this API. 
-- MarkedArgumentBufferBase(size_t capacity) -+ MarkedVectorBase(size_t capacity) - : m_size(0) - , m_capacity(capacity) - , m_buffer(inlineBuffer()) -@@ -147,17 +76,16 @@ protected: - - EncodedJSValue* inlineBuffer() - { -- return bitwise_cast(bitwise_cast(this) + sizeof(MarkedArgumentBufferBase)); -+ return bitwise_cast(bitwise_cast(this) + sizeof(MarkedVectorBase)); - } - --private: -- void expandCapacity(); -- void expandCapacity(int newCapacity); -- void slowEnsureCapacity(size_t requestedCapacity); -+ Status expandCapacity(); -+ Status expandCapacity(int newCapacity); -+ Status slowEnsureCapacity(size_t requestedCapacity); - - void addMarkSet(JSValue); - -- JS_EXPORT_PRIVATE void slowAppend(JSValue); -+ JS_EXPORT_PRIVATE Status slowAppend(JSValue); - - EncodedJSValue& slotFor(int item) const - { -@@ -172,11 +100,14 @@ private: - } - - #if ASSERT_ENABLED -- void setNeedsOverflowCheck() { m_needsOverflowCheck = true; } -+ void disableNeedsOverflowCheck() { m_overflowCheckEnabled = false; } -+ void setNeedsOverflowCheck() { m_needsOverflowCheck = m_overflowCheckEnabled; } - void clearNeedsOverflowCheck() { m_needsOverflowCheck = false; } - - bool m_needsOverflowCheck { false }; -+ bool m_overflowCheckEnabled { true }; - #else -+ void disableNeedsOverflowCheck() { } - void setNeedsOverflowCheck() { } - void clearNeedsOverflowCheck() { } - #endif // ASSERT_ENABLED -@@ -186,22 +117,114 @@ private: - ListSet* m_markSet; - }; - --template --class MarkedArgumentBufferWithSize : public MarkedArgumentBufferBase { -+template -+class MarkedVector : public OverflowHandler, public MarkedVectorBase { - public: - static constexpr size_t inlineCapacity = passedInlineCapacity; - -- MarkedArgumentBufferWithSize() -- : MarkedArgumentBufferBase(inlineCapacity) -+ MarkedVector() -+ : MarkedVectorBase(inlineCapacity) - { - ASSERT(inlineBuffer() == m_inlineBuffer); -+ if constexpr (std::is_same_v) { -+ // CrashOnOverflow handles overflows immediately. 
So, we do not -+ // need to check for it after. -+ disableNeedsOverflowCheck(); -+ } -+ } -+ -+ auto at(int i) const -> decltype(auto) -+ { -+ if constexpr (std::is_same_v) { -+ if (i >= m_size) -+ return jsUndefined(); -+ return JSValue::decode(slotFor(i)); -+ } else { -+ if (i >= m_size) -+ return static_cast(nullptr); -+ return jsCast(JSValue::decode(slotFor(i)).asCell()); -+ } -+ } -+ -+ void clear() -+ { -+ ASSERT(!m_needsOverflowCheck); -+ OverflowHandler::clearOverflow(); -+ m_size = 0; -+ } -+ -+ void append(T v) -+ { -+ ASSERT(m_size <= m_capacity); -+ if (m_size == m_capacity || mallocBase()) { -+ if (slowAppend(v) == Status::Overflowed) -+ this->overflowed(); -+ return; -+ } -+ -+ slotFor(m_size) = JSValue::encode(v); -+ ++m_size; -+ } -+ -+ void appendWithCrashOnOverflow(T v) -+ { -+ append(v); -+ if constexpr (!std::is_same::value) -+ RELEASE_ASSERT(!this->hasOverflowed()); -+ } -+ -+ auto last() const -> decltype(auto) -+ { -+ if constexpr (std::is_same_v) { -+ ASSERT(m_size); -+ return JSValue::decode(slotFor(m_size - 1)); -+ } else { -+ ASSERT(m_size); -+ return jsCast(JSValue::decode(slotFor(m_size - 1)).asCell()); -+ } -+ } -+ -+ JSValue takeLast() -+ { -+ JSValue result = last(); -+ removeLast(); -+ return result; -+ } -+ -+ void ensureCapacity(size_t requestedCapacity) -+ { -+ if (requestedCapacity > static_cast(m_capacity)) { -+ if (slowEnsureCapacity(requestedCapacity) == Status::Overflowed) -+ this->overflowed(); -+ } -+ } -+ -+ bool hasOverflowed() -+ { -+ clearNeedsOverflowCheck(); -+ return OverflowHandler::hasOverflowed(); -+ } -+ -+ template -+ void fill(size_t count, const Functor& func) -+ { -+ ASSERT(!m_size); -+ ensureCapacity(count); -+ if (OverflowHandler::hasOverflowed()) -+ return; -+ m_size = count; -+ func(reinterpret_cast(&slotFor(0))); - } - - private: - EncodedJSValue m_inlineBuffer[inlineCapacity] { }; - }; - --using MarkedArgumentBuffer = MarkedArgumentBufferWithSize<>; -+template -+class MarkedArgumentBufferWithSize : 
public MarkedVector { -+}; -+ -+using MarkedArgumentBuffer = MarkedVector; - - class ArgList { - WTF_MAKE_FAST_ALLOCATED; -diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp -index 13d04e3bdb3b..f827b2ec6a6b 100644 ---- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp -+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2020 Apple Inc. All rights reserved. -+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -219,7 +219,7 @@ AudioWorkletProcessor::AudioWorkletProcessor(AudioWorkletGlobalScope& globalScop - ASSERT(!isMainThread()); - } - --void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBufferBase& args, const Vector>& inputs, Vector>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap>& paramValuesMap) -+void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBuffer& args, const Vector>& inputs, Vector>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap>& paramValuesMap) - { - // For performance reasons, we cache the arrays passed to JS and reconstruct them only when the topology changes. - if (!copyDataFromBusesToJSArray(globalObject, inputs, toJSArray(m_jsInputs))) -diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h -index 3f3d708c7ae4..b0bce3609198 100644 ---- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h -+++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h -@@ -1,5 +1,5 @@ - /* -- * Copyright (C) 2020 Apple Inc. All rights reserved. -+ * Copyright (C) 2020-2023 Apple Inc. All rights reserved. 
- * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions -@@ -41,7 +41,8 @@ - - namespace JSC { - class JSArray; --class MarkedArgumentBufferBase; -+template class MarkedVector; -+using MarkedArgumentBuffer = MarkedVector; - } - - namespace WebCore { -@@ -71,7 +72,7 @@ public: - - private: - explicit AudioWorkletProcessor(AudioWorkletGlobalScope&, const AudioWorkletProcessorConstructionData&); -- void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBufferBase&, const Vector>& inputs, Vector>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap>& paramValuesMap); -+ void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBuffer&, const Vector>& inputs, Vector>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap>& paramValuesMap); - - AudioWorkletGlobalScope& m_globalScope; - String m_name; -diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp -index e0d4316a169f..5897e1066512 100644 ---- a/Source/WebCore/bindings/js/SerializedScriptValue.cpp -+++ b/Source/WebCore/bindings/js/SerializedScriptValue.cpp -@@ -540,6 +540,7 @@ static const unsigned StringDataIs8BitFlag = 0x80000000; - using DeserializationResult = std::pair; - - class CloneBase { -+ WTF_FORBID_HEAP_ALLOCATION; - protected: - CloneBase(JSGlobalObject* lexicalGlobalObject) - : m_lexicalGlobalObject(lexicalGlobalObject) -@@ -617,6 +618,7 @@ template <> bool writeLittleEndian(Vector& buffer, const uint8 - } - - class CloneSerializer : CloneBase { -+ WTF_FORBID_HEAP_ALLOCATION; - public: - static SerializationReturnCode serialize(JSGlobalObject* lexicalGlobalObject, JSValue value, Vector>& messagePorts, Vector>& arrayBuffers, const Vector>& imageBitmaps, - #if ENABLE(OFFSCREEN_CANVAS_IN_WORKERS) -@@ -2150,6 +2152,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in) - } - - class CloneDeserializer : 
CloneBase { -+ WTF_FORBID_HEAP_ALLOCATION; - public: - static String deserializeString(const Vector& buffer) - { -@@ -3921,10 +3924,10 @@ DeserializationResult CloneDeserializer::deserialize() - - Vector indexStack; - Vector propertyNameStack; -- Vector outputObjectStack; -- Vector mapKeyStack; -- Vector mapStack; -- Vector setStack; -+ MarkedVector outputObjectStack; -+ MarkedVector mapKeyStack; -+ MarkedVector mapStack; -+ MarkedVector setStack; - Vector stateStack; - WalkerState lexicalGlobalObject = StateUnknown; - JSValue outValue; --- -2.40.0 - diff --git a/SOURCES/CVE-2023-32373.patch b/SOURCES/CVE-2023-32373.patch deleted file mode 100644 index 83d6bdd..0000000 --- a/SOURCES/CVE-2023-32373.patch +++ /dev/null 
@@ -1,36 +0,0 @@
-From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
-From: Antoine Quint
-Date: Mon, 22 May 2023 13:37:32 -0700
-Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
- https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
-
-Reviewed by Dean Jackson and Darin Adler.
-
-Ensure that the animation's effect and target are kept alive for the duration of this method
-since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
-these two pointers could be changed to a null value using the Web Animations API.
-
-* Source/WebCore/animation/WebAnimation.cpp:
-(WebCore::WebAnimation::commitStyles):
-
-Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
-Canonical link: https://commits.webkit.org/264363@main
----
- Source/WebCore/animation/WebAnimation.cpp | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
-index 68ea47985807..ae20c79c36cf 100644
---- a/Source/WebCore/animation/WebAnimation.cpp
-+++ b/Source/WebCore/animation/WebAnimation.cpp
-@@ -1531,8 +1531,8 @@ ExceptionOr WebAnimation::commitStyles()
- // https://drafts.csswg.org/web-animations-1/#commit-computed-styles
-
- // 1. Let targets be the set of all effect targets for animation effects associated with animation.
-- auto* effect = dynamicDowncast(m_effect.get());
-- auto* target = effect ? effect->target() : nullptr;
-+ RefPtr effect = dynamicDowncast(m_effect.get());
-+ RefPtr target = effect ? effect->target() : nullptr;
-
- // 2. For each target in targets:
- //
diff --git a/SOURCES/CVE-2023-42917.patch b/SOURCES/CVE-2023-42917.patch
new file mode 100644
index 0000000..a638b86
--- /dev/null
+++ b/SOURCES/CVE-2023-42917.patch
@@ -0,0 +1,80 @@ +From 00352dd86bfa102b6e4b792120e3ef3498a27d1e Mon Sep 17 00:00:00 2001 +From: Russell Epstein +Date: Fri, 17 Nov 2023 15:48:32 -0800 +Subject: [PATCH] Cherry-pick b0a755e34426. + https://bugs.webkit.org/show_bug.cgi?id=265067 + + Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure + https://bugs.webkit.org/show_bug.cgi?id=265067 + rdar://118548733 + + Reviewed by Justin Michaud and Mark Lam. + + Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it). + Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock + in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly. + + This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly. + And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly. 
+ + * Source/JavaScriptCore/runtime/Structure.cpp: + (JSC::Structure::flattenDictionaryStructure): + + Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch + + Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch +--- + Source/JavaScriptCore/runtime/Structure.cpp | 28 +++++++++++++++------ + 1 file changed, 21 insertions(+), 7 deletions(-) + +diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp +index 2922e2478794c..9d094e2c8adc8 100644 +--- a/Source/JavaScriptCore/runtime/Structure.cpp ++++ b/Source/JavaScriptCore/runtime/Structure.cpp +@@ -913,17 +913,31 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object) + checkOffsetConsistency(); + ASSERT(isDictionary()); + ASSERT(object->structure() == this); +- +- GCSafeConcurrentJSLocker locker(m_lock, vm); +- +- object->setStructureIDDirectly(id().nuke()); +- WTF::storeStoreFence(); + ++ Locker cellLocker(NoLockingNecessary); ++ ++ PropertyTable* table = nullptr; + size_t beforeOutOfLineCapacity = this->outOfLineCapacity(); ++ size_t afterOutOfLineCapacity = beforeOutOfLineCapacity; + if (isUncacheableDictionary()) { +- PropertyTable* table = propertyTableOrNull(); ++ table = propertyTableOrNull(); + ASSERT(table); ++ PropertyOffset maxOffset = invalidOffset; ++ if (unsigned propertyCount = table->size()) ++ maxOffset = offsetForPropertyNumber(propertyCount - 1, m_inlineCapacity); ++ afterOutOfLineCapacity = outOfLineCapacity(maxOffset); ++ } + ++ // This is the only case we shrink butterfly in this function. We should take a cell lock to protect against concurrent access to the butterfly. 
++ if (beforeOutOfLineCapacity != afterOutOfLineCapacity) ++ cellLocker = Locker { object->cellLock() }; ++ ++ GCSafeConcurrentJSLocker locker(m_lock, vm); ++ ++ object->setStructureIDDirectly(id().nuke()); ++ WTF::storeStoreFence(); ++ ++ if (isUncacheableDictionary()) { + size_t propertyCount = table->size(); + + // Holds our values compacted by insertion order. This is OK since GC is deferred. +@@ -955,7 +969,7 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object) + setDictionaryKind(NoneDictionaryKind); + setHasBeenFlattenedBefore(true); + +- size_t afterOutOfLineCapacity = this->outOfLineCapacity(); ++ ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity); + + if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) { + ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity); diff --git a/SOURCES/evolution-shared-secondary-process.patch b/SOURCES/evolution-shared-secondary-process.patch index d5f6f10..47fb705 100644 --- a/SOURCES/evolution-shared-secondary-process.patch +++ b/SOURCES/evolution-shared-secondary-process.patch @@ -1,26 +1,14 @@ -From ffe84688fc8a91b1e6d1c4462120fc44349a7c05 Mon Sep 17 00:00:00 2001 -From: Michael Catanzaro -Date: Thu, 27 Oct 2022 19:12:43 -0500 -Subject: [PATCH] Force Evolution to use single secondary process - ---- - Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp | 3 +++ - 1 file changed, 3 insertions(+) - diff --git a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp -index 6bb6767869af..2a05a69d9b0d 100644 +index a30f5b13be26..72ad006cde21 100644 --- a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp 
+++ b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp -@@ -431,6 +431,9 @@ static void webkitWebContextConstructed(GObject* object) +@@ -438,6 +438,9 @@ static void webkitWebContextConstructed(GObject* object) } configuration.setTimeZoneOverride(String::fromUTF8(priv->timeZoneOverride.data(), priv->timeZoneOverride.length())); + if (!g_strcmp0(g_get_prgname(), "evolution")) + configuration.setUsesSingleWebProcess(true); + + #if !ENABLE(2022_GLIB_API) if (!priv->websiteDataManager) priv->websiteDataManager = adoptGRef(webkit_website_data_manager_new("local-storage-directory", priv->localStorageDirectory.data(), nullptr)); - --- -2.31.1 - diff --git a/SOURCES/glib-dep.patch b/SOURCES/glib-dep.patch new file mode 100644 index 0000000..770dec3 --- /dev/null +++ b/SOURCES/glib-dep.patch @@ -0,0 +1,19 @@ +diff --git a/glib-dep.patch b/glib-dep.patch +new file mode 100644 +index 0000000..dbc0ab6 +--- /dev/null ++++ b/glib-dep.patch +@@ -0,0 +1,13 @@ ++diff --git a/Source/WTF/wtf/glib/Sandbox.cpp b/Source/WTF/wtf/glib/Sandbox.cpp ++index 9b07bb8cb5a9b..a8169511fe851 100644 ++--- a/Source/WTF/wtf/glib/Sandbox.cpp +++++ b/Source/WTF/wtf/glib/Sandbox.cpp ++@@ -58,7 +58,7 @@ bool isInsideUnsupportedContainer() ++ int waitStatus = 0; ++ gboolean spawnSucceeded = g_spawn_sync(nullptr, const_cast(bwrapArgs), nullptr, ++ G_SPAWN_STDERR_TO_DEV_NULL, nullptr, nullptr, nullptr, nullptr, &waitStatus, nullptr); ++- supportedContainer = spawnSucceeded && g_spawn_check_wait_status(waitStatus, nullptr); +++ supportedContainer = spawnSucceeded && g_spawn_check_exit_status(waitStatus, nullptr); ++ if (!supportedContainer) ++ WTFLogAlways("Bubblewrap does not work inside of this container, sandboxing will be disabled."); ++ } diff --git a/SOURCES/gstreamer-1.16.1.patch b/SOURCES/gstreamer-1.16.1.patch new file mode 100644 index 0000000..aa8d0ad --- /dev/null +++ b/SOURCES/gstreamer-1.16.1.patch 
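Review bot: glib-dep.patch as added here is wrapped one level too deep: its own first line is `diff --git a/glib-dep.patch b/glib-dep.patch` with `new file mode 100644` and `+++ b/glib-dep.patch`, so the file describes the creation of a file named `glib-dep.patch`, and the intended `Source/WTF/wtf/glib/Sandbox.cpp` change (`g_spawn_check_wait_status` replaced by `g_spawn_check_exit_status`) only appears as the `++`/`++-`/`+++`-prefixed payload of that inner file. The %prep section is not in view, but if this is applied with `-p1` like the sibling patches it would drop a `glib-dep.patch` file at the tree root and leave `Sandbox.cpp` untouched, so a build against a GLib that lacks `g_spawn_check_wait_status` would still fail at that call. The fix is to strip the outer layer so the file starts at `diff --git a/Source/WTF/wtf/glib/Sandbox.cpp b/Source/WTF/wtf/glib/Sandbox.cpp` with single `+`/`-` markers, as `gstreamer-1.16.1.patch` in this same commit does.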
@@ -0,0 +1,57 @@ +diff --git a/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp b/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp +index a861b913ccfc..df21a1f67e98 100644 +--- a/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp ++++ b/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp +@@ -88,7 +88,25 @@ static void webKitGLVideoSinkConstructed(GObject* object) + ASSERT(colorconvert); + gst_bin_add_many(GST_BIN_CAST(sink), upload, colorconvert, sink->priv->appSink.get(), nullptr); + +- GRefPtr caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) " GST_GL_CAPS_FORMAT)); ++ // Workaround until we can depend on GStreamer 1.16.2. ++ // https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/commit/8d32de090554cf29fe359f83aa46000ba658a693 ++ // Forcing a color conversion to RGBA here allows glupload to internally use ++ // an uploader that adds a VideoMeta, through the TextureUploadMeta caps ++ // feature, without needing the patch above. However this specific caps ++ // feature is going to be removed from GStreamer so it is considered a ++ // short-term workaround. This code path most likely will have a negative ++ // performance impact on embedded platforms as well. Downstream embedders ++ // are highly encouraged to cherry-pick the patch linked above in their BSP ++ // and set the WEBKIT_GST_NO_RGBA_CONVERSION environment variable until ++ // GStreamer 1.16.2 is released. 
++ // See also https://bugs.webkit.org/show_bug.cgi?id=201422 ++ GRefPtr caps; ++ if (webkitGstCheckVersion(1, 16, 2) || getenv("WEBKIT_GST_NO_RGBA_CONVERSION")) ++ caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) " GST_GL_CAPS_FORMAT)); ++ else { ++ GST_INFO_OBJECT(sink, "Forcing RGBA as GStreamer is not new enough."); ++ caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) RGBA")); ++ } + gst_caps_set_features(caps.get(), 0, gst_caps_features_new(GST_CAPS_FEATURE_MEMORY_GL_MEMORY, nullptr)); + g_object_set(sink->priv->appSink.get(), "caps", caps.get(), nullptr); + +diff --git a/Source/cmake/GStreamerChecks.cmake b/Source/cmake/GStreamerChecks.cmake +index ba8423e2795c..df9d3204910d 100644 +--- a/Source/cmake/GStreamerChecks.cmake ++++ b/Source/cmake/GStreamerChecks.cmake +@@ -36,7 +36,7 @@ if (ENABLE_VIDEO OR ENABLE_WEB_AUDIO) + list(APPEND GSTREAMER_COMPONENTS webrtc) + endif () + +- find_package(GStreamer 1.16.2 REQUIRED COMPONENTS ${GSTREAMER_COMPONENTS}) ++ find_package(GStreamer 1.16.0 REQUIRED COMPONENTS ${GSTREAMER_COMPONENTS}) + + if (ENABLE_WEB_AUDIO) + if (NOT PC_GSTREAMER_AUDIO_FOUND OR NOT PC_GSTREAMER_FFT_FOUND) + +diff --git a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp +index 0b81e04559f0..4c6ae470e49f 100644 +--- a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp ++++ b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp +@@ -479,7 +479,6 @@ bool MediaPlayerPrivateGStreamer::doSeek(const MediaTime& position, float rate) + + auto seekStart = toGstClockTime(startTime); + auto seekStop = toGstClockTime(endTime); +- GST_DEBUG_OBJECT(pipeline(), "[Seek] Performing actual seek to %" GST_TIMEP_FORMAT " (endTime: %" GST_TIMEP_FORMAT ") at rate %f", &seekStart, &seekStop, rate); + return gst_element_seek(m_pipeline.get(), rate, GST_FORMAT_TIME, m_seekFlags, 
GST_SEEK_TYPE_SET, seekStart, GST_SEEK_TYPE_SET, seekStop); + } + diff --git a/SOURCES/icu60.patch b/SOURCES/icu60.patch index 303cc00..eb46e27 100644 --- a/SOURCES/icu60.patch +++ b/SOURCES/icu60.patch @@ -1,17 +1,3 @@ -From 833cfdd150b6f7f0fb021ac5de7890dff158f5fd Mon Sep 17 00:00:00 2001 -From: Michael Catanzaro -Date: Thu, 27 Oct 2022 16:32:43 -0500 -Subject: [PATCH] Build against ICU 60 - ---- - Source/JavaScriptCore/runtime/IntlCache.cpp | 3 +++ - Source/JavaScriptCore/runtime/IntlCache.h | 3 +++ - Source/JavaScriptCore/runtime/IntlDisplayNames.cpp | 11 +++++++++++ - Source/JavaScriptCore/runtime/IntlDisplayNames.h | 7 +++++++ - Source/JavaScriptCore/runtime/IntlObject.cpp | 6 +++++- - Source/cmake/OptionsGTK.cmake | 2 +- - 6 files changed, 30 insertions(+), 2 deletions(-) - diff --git a/Source/JavaScriptCore/runtime/IntlCache.cpp b/Source/JavaScriptCore/runtime/IntlCache.cpp index b17d7340df56..94a5474059b6 100644 --- a/Source/JavaScriptCore/runtime/IntlCache.cpp @@ -62,7 +48,7 @@ index 058b2423786d..e7a8c82f392b 100644 private: UDateTimePatternGenerator* getSharedPatternGenerator(const CString& locale, UErrorCode& status) diff --git a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp -index c281f796eaee..1bc3c0c8a8c6 100644 +index f38161e7f95b..068613ce8feb 100644 --- a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp +++ b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp @@ -110,6 +110,7 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa 
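Review bot: The inner `MediaPlayerPrivateGStreamer.cpp` hunk deletes the `[Seek] Performing actual seek` trace outright, presumably because `GST_TIMEP_FORMAT` is not available in the GStreamer version this patch targets; that removes the only log line recording the actual seek range and rate, which is useful when diagnosing playback problems. `GST_TIME_FORMAT` and `GST_TIME_ARGS` exist in older GStreamer, so the trace can be kept as `GST_DEBUG_OBJECT(pipeline(), "[Seek] Performing actual seek to %" GST_TIME_FORMAT " (endTime: %" GST_TIME_FORMAT ") at rate %f", GST_TIME_ARGS(seekStart), GST_TIME_ARGS(seekStop), rate);` instead of being dropped. Separately, the file is named `gstreamer-1.16.1.patch` while the `GStreamerChecks.cmake` hunk lowers the requirement to `1.16.0` and the added comment speaks of waiting for 1.16.2; a one-line header comment at the top of the patch stating the GStreamer version actually targeted and why each of the three hunks is needed would remove that ambiguity (leading text before the first `diff --git` is ignored by patch tools). `doSeek` begins and ends outside the hunk.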
@@ -73,18 +59,20 @@ index c281f796eaee..1bc3c0c8a8c6 100644 UErrorCode status = U_ZERO_ERROR; UDisplayContext contexts[] = { -@@ -137,6 +138,10 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa +@@ -137,15 +138,19 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa throwTypeError(globalObject, scope, "failed to initialize DisplayNames"_s); return; } +#else -+ throwTypeError(globalObject, scope, "failed to initialize Intl.DisplayNames since feature is not supported by the ICU version"_s); -+ return; ++ throwTypeError(globalObject, scope, "failed to initialize Intl.DisplayNames since feature is not supported by the ICU version"_s); ++ return; +#endif } // https://tc39.es/proposal-intl-displaynames/#sec-Intl.DisplayNames.prototype.of -@@ -146,6 +151,7 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co + JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) const + { +- VM& vm = globalObject->vm(); auto scope = DECLARE_THROW_SCOPE(vm); @@ -92,7 +80,7 @@ index c281f796eaee..1bc3c0c8a8c6 100644 ASSERT(m_displayNames); auto code = codeValue.toWTFString(globalObject); RETURN_IF_EXCEPTION(scope, { }); -@@ -350,6 +356,11 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co +@@ -350,6 +355,11 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co return throwTypeError(globalObject, scope, "Failed to query a display name."_s); } return jsString(vm, String(WTFMove(buffer))); @@ -123,18 +111,18 @@ index d80dc3d83a15..f2bf36275c79 100644 enum class RelevantExtensionKey : uint8_t; diff --git a/Source/JavaScriptCore/runtime/IntlObject.cpp b/Source/JavaScriptCore/runtime/IntlObject.cpp -index f7dc4d578d77..a6ccbe1b9f74 100644 +index 0080abf51be4..d23c7c021334 100644 --- a/Source/JavaScriptCore/runtime/IntlObject.cpp 
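Review bot: The rebased inner hunk `@@ -137,15 +138,19 @@` now carries a removal line `- VM& vm = globalObject->vm();` at the top of `IntlDisplayNames::of`, while the very next context line `auto scope = DECLARE_THROW_SCOPE(vm);` still names `vm`, and the later `@@ -92,7 +80,7 @@` hunk keeps `return jsString(vm, String(WTFMove(buffer)));` as context; the inner header's counts (15 old, 19 new, with five added lines visible) confirm exactly one removal. Unless `vm` is re-declared on a line the outer three-line context hides, the ICU 60 build would fail to compile at that point, so this should be confirmed against the patched 2.40.5 tree before the package is built. If dropping the declaration is intentional, the inner hunk also needs to rewrite the consumers; otherwise the removal line should simply be deleted from the patch so `VM& vm = globalObject->vm();` stays. `IntlDisplayNames::of` continues outside the hunk.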
+++ b/Source/JavaScriptCore/runtime/IntlObject.cpp -@@ -153,7 +153,6 @@ namespace JSC { - getCanonicalLocales intlObjectFuncGetCanonicalLocales DontEnum|Function 1 +@@ -164,7 +164,6 @@ namespace JSC { + supportedValuesOf intlObjectFuncSupportedValuesOf DontEnum|Function 1 Collator createCollatorConstructor DontEnum|PropertyCallback DateTimeFormat createDateTimeFormatConstructor DontEnum|PropertyCallback - DisplayNames createDisplayNamesConstructor DontEnum|PropertyCallback Locale createLocaleConstructor DontEnum|PropertyCallback NumberFormat createNumberFormatConstructor DontEnum|PropertyCallback PluralRules createPluralRulesConstructor DontEnum|PropertyCallback -@@ -239,6 +238,11 @@ void IntlObject::finishCreation(VM& vm, JSGlobalObject* globalObject) +@@ -252,6 +251,11 @@ void IntlObject::finishCreation(VM& vm, JSGlobalObject*) Base::finishCreation(vm); ASSERT(inherits(info())); JSC_TO_STRING_TAG_WITHOUT_TRANSITION(); @@ -144,21 +132,38 @@ index f7dc4d578d77..a6ccbe1b9f74 100644 + UNUSED_PARAM(&createDisplayNamesConstructor); +#endif #if HAVE(ICU_U_LIST_FORMATTER) - putDirectWithoutTransition(vm, vm.propertyNames->ListFormat, createListFormatConstructor(vm, this), static_cast(PropertyAttribute::DontEnum)); - #else + if (Options::useIntlDurationFormat()) + putDirectWithoutTransition(vm, vm.propertyNames->DurationFormat, createDurationFormatConstructor(vm, this), static_cast(PropertyAttribute::DontEnum)); diff --git a/Source/cmake/OptionsGTK.cmake b/Source/cmake/OptionsGTK.cmake -index 5e653a9e0b5a..0977f2c49037 100644 +index 8bd6ed347418..9d0a7e88b16a 100644 --- a/Source/cmake/OptionsGTK.cmake 
+++ b/Source/cmake/OptionsGTK.cmake -@@ -19,7 +19,7 @@ find_package(Freetype 2.4.2 REQUIRED) +@@ -18,7 +18,7 @@ find_package(Fontconfig 2.8.0 REQUIRED) + find_package(Freetype 2.4.2 REQUIRED) find_package(LibGcrypt 1.6.0 REQUIRED) - find_package(GLIB 2.56.4 REQUIRED COMPONENTS gio gio-unix gobject gthread gmodule) find_package(HarfBuzz 0.9.18 REQUIRED COMPONENTS ICU) -find_package(ICU 61.2 REQUIRED COMPONENTS data i18n uc) -+find_package(ICU 60.2 REQUIRED COMPONENTS data i18n uc) ++find_package(ICU 60 REQUIRED COMPONENTS data i18n uc) find_package(JPEG REQUIRED) + find_package(LibEpoxy 1.4.0 REQUIRED) find_package(LibXml2 2.8.0 REQUIRED) - find_package(PNG REQUIRED) --- -2.31.1 - +diff --git a/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp b/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp +index fdcaa71f2011..f6aa1b0e3def 100644 +--- a/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp ++++ b/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp +@@ -41,7 +41,6 @@ + #endif + #endif + #include +-#include + #include + #if HAVE(ICU_U_LIST_FORMATTER) + #define U_HIDE_DRAFT_API 1 +@@ -49,6 +48,7 @@ + + #if HAVE(ICU_U_LIST_FORMATTER) + #include ++#include + #endif + + namespace JSC { diff --git a/SOURCES/webkitgtk-2.38.5.tar.xz.asc b/SOURCES/webkitgtk-2.38.5.tar.xz.asc deleted file mode 100644 index a285466..0000000 --- a/SOURCES/webkitgtk-2.38.5.tar.xz.asc +++ /dev/null @@ -1,6 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCY+yu2QAKCRDz0yLQ7EWC -w7UkAKCS0EoptKZRn3/Z+WgGerHQEQXaFQCg51h2++dwb1bqVZ05Q1YtHmoT2gk= -=or/S ------END PGP SIGNATURE----- diff --git a/SOURCES/webkitgtk-2.40.5.tar.xz.asc b/SOURCES/webkitgtk-2.40.5.tar.xz.asc new file mode 100644 index 0000000..4dc018d --- /dev/null +++ b/SOURCES/webkitgtk-2.40.5.tar.xz.asc 
@@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCZMjRYQAKCRDz0yLQ7EWC +wwPPAJ0XUmEmSr4IFQWpbDfPOR9keXY+lwCfVLyOFL8T55psriGN4vkxVZqq+EM= +=nGCs +-----END PGP SIGNATURE----- diff --git a/SPECS/webkit2gtk3.spec b/SPECS/webkit2gtk3.spec index 48e51ba..392c9a4 100644 --- a/SPECS/webkit2gtk3.spec +++ b/SPECS/webkit2gtk3.spec @@ -6,8 +6,8 @@ cp -p %1 _license_files/$(echo '%1' | sed -e 's!/!.!g') Name: webkit2gtk3 -Version: 2.38.5 -Release: 1%{?dist}.5.alma +Version: 2.40.5 +Release: 1%{?dist}.alma.1 Summary: GTK Web content engine library License: LGPLv2 @@ -25,23 +25,28 @@ Patch0: evolution-shared-secondary-process.patch # https://bugs.webkit.org/show_bug.cgi?id=235367 Patch1: icu60.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2209208 -Patch2: CVE-2023-28204.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2185745 -Patch3: CVE-2023-28205.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2209214 -Patch4: CVE-2023-32373.patch +# https://github.com/WebKit/WebKit/pull/14498 +Patch2: glib-dep.patch + +# Partial revert of https://github.com/WebKit/WebKit/pull/6087 +Patch3: gstreamer-1.16.1.patch + +# Patches were taken from: +# https://git.almalinux.org/rpms/webkit2gtk3/commit/876f553c6cd33386eb8b184bbc7618a1b03a2826 +Patch4: CVE-2023-42917.patch BuildRequires: bison BuildRequires: cmake BuildRequires: flex BuildRequires: gcc-c++ +BuildRequires: gcc-toolset-13 BuildRequires: gettext BuildRequires: git BuildRequires: gperf BuildRequires: hyphen-devel BuildRequires: libatomic BuildRequires: ninja-build +BuildRequires: openssl-devel BuildRequires: perl(English) BuildRequires: perl(FindBin) BuildRequires: perl(JSON::PP) @@ -49,6 +54,8 @@ BuildRequires: python3 BuildRequires: ruby BuildRequires: rubygem-json BuildRequires: rubygems +BuildRequires: shadow-utils +BuildRequires: unifdef BuildRequires: pkgconfig(atspi-2) BuildRequires: pkgconfig(cairo) 
@@ -61,16 +68,19 @@ BuildRequires: pkgconfig(enchant-2) %endif BuildRequires: pkgconfig(fontconfig) BuildRequires: pkgconfig(freetype2) +BuildRequires: pkgconfig(gbm) BuildRequires: pkgconfig(gl) BuildRequires: pkgconfig(glib-2.0) BuildRequires: pkgconfig(glesv2) BuildRequires: pkgconfig(gobject-introspection-1.0) BuildRequires: pkgconfig(gstreamer-1.0) +BuildRequires: pkgconfig(gstreamer-plugins-bad-1.0) BuildRequires: pkgconfig(gstreamer-plugins-base-1.0) BuildRequires: pkgconfig(gtk+-3.0) BuildRequires: pkgconfig(harfbuzz) BuildRequires: pkgconfig(icu-uc) BuildRequires: pkgconfig(lcms2) +BuildRequires: pkgconfig(libdrm) BuildRequires: pkgconfig(libjpeg) BuildRequires: pkgconfig(libnotify) BuildRequires: pkgconfig(libopenjp2) @@ -191,19 +201,27 @@ rm -rf Source/ThirdParty/qunit/ %global optflags %(echo %{optflags} | sed 's/-g /-g1 /') %endif -# bmalloc and JIT are disabled on aarch64 only in RHEL because of the nonstandard -# page size that's causing problems there. WebKit's build system sets appropriate -# defaults for all other architectures, and all other distros except RHEL. +# The system GCC is too old to build WebKit, so use a GCC Toolset instead. +# This prints warnings complaining that it should not be used except in +# SCL scriplets, but I can't figure out any other way to make it work. +source scl_source enable gcc-toolset-13 + +# -DUSE_SYSTEM_MALLOC=ON is really bad for security, but libpas requires +# __atomic_compare_exchange_16 which does not seem to be available. mkdir -p %{_target_platform} pushd %{_target_platform} %cmake \ -GNinja \ -DPORT=GTK \ -DCMAKE_BUILD_TYPE=Release \ + -DUSE_SYSTEM_MALLOC=ON \ + -DENABLE_JIT=OFF \ -DENABLE_BUBBLEWRAP_SANDBOX=OFF \ -DENABLE_JIT=OFF \ -DUSE_SOUP2=ON \ + -DUSE_AVIF=OFF \ -DENABLE_DOCUMENTATION=OFF \ + -DUSE_GSTREAMER_TRANSCODER=OFF \ -DENABLE_GAMEPAD=OFF \ %if 0%{?rhel} %ifarch aarch64 
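Review bot: `-DENABLE_JIT=OFF \` is passed twice in the %cmake invocation: the hunk adds it immediately after the new `-DUSE_SYSTEM_MALLOC=ON \`, while the pre-existing `-DENABLE_JIT=OFF \` after `-DENABLE_BUBBLEWRAP_SANDBOX=OFF \` remains as context. CMake keeps the last definition so the build result is unchanged, but the duplicate makes the JIT status harder to audit and invites the two lines drifting apart later; drop the added one and keep the existing line. The new comment above `-DUSE_SYSTEM_MALLOC=ON` usefully records the hardening trade-off (system malloc instead of libpas/bmalloc); consider extending it with the condition under which the option can be reverted, e.g. `# Revert once the toolchain provides __atomic_compare_exchange_16 (see TRACKING-BUG-PLACEHOLDER).`, so the exception does not outlive its reason.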
@@ -220,12 +238,11 @@ export NINJA_STATUS="[%f/%t][%e] " %install %ninja_install -C %{_target_platform} -%find_lang WebKit2GTK-4.0 +%find_lang WebKitGTK-4.0 # Finally, copy over and rename various files for %%license inclusion %add_to_license_files Source/JavaScriptCore/COPYING.LIB %add_to_license_files Source/ThirdParty/ANGLE/LICENSE -%add_to_license_files Source/ThirdParty/ANGLE/src/common/third_party/smhasher/LICENSE %add_to_license_files Source/ThirdParty/ANGLE/src/third_party/libXNVCtrl/LICENSE %add_to_license_files Source/WebCore/LICENSE-APPLE %add_to_license_files Source/WebCore/LICENSE-LGPL-2 @@ -237,7 +254,7 @@ export NINJA_STATUS="[%f/%t][%e] " %add_to_license_files Source/WTF/wtf/dtoa/COPYING %add_to_license_files Source/WTF/wtf/dtoa/LICENSE -%files -f WebKit2GTK-4.0.lang +%files -f WebKitGTK-4.0.lang %license _license_files/*ThirdParty* %license _license_files/*WebCore* %license _license_files/*WebInspectorUI* @@ -281,8 +298,18 @@ export NINJA_STATUS="[%f/%t][%e] " %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir %changelog -* Tue Jul 18 2023 Andrew Lukoshko - 2.38.5-1.5.alma -- Disable JIT (CVE-2023-32435, CVE-2023-32439) +* Tue Dec 12 2023 Eduard Abdullin - 2.40.5-1.1.alma.1 +- Add patch for CVE-2023-42917 + +* Tue Aug 01 2023 Michael Catanzaro - 2.40.5-1 +- Upgrade to 2.40.5. Also, disable JIT + Resolves: #2176269 + Resolves: #2185742 + Resolves: #2209728 + Resolves: #2209745 + Resolves: #2218649 + Resolves: #2218651 + Resolves: #2224611 * Thu May 25 2023 Michael Catanzaro - 2.38.5-1.4 - Add patch for CVE-2023-28204