- Add patch for CVE-2023-42917

2023-12-12 11:29:41 +03:00 · 2023-12-12 11:29:41 +03:00 · 75e17ac97c
commit 75e17ac97c
parent f4a4460d0f 858febf09b
13 changed files with 249 additions and 924 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,2 @@
-SOURCES/webkitgtk-2.38.5.tar.xz
+SOURCES/webkitgtk-2.40.5.tar.xz
 SOURCES/webkitgtk-keys.gpg
--- a/.webkit2gtk3.metadata
+++ b/.webkit2gtk3.metadata
@ -1,2 +1,2 @@
-1774390c628bb3a524d4ed76f11de4a878078db6 SOURCES/webkitgtk-2.38.5.tar.xz
+2f4d06b021115eb4106177f7d5f534f45b5d3b2e SOURCES/webkitgtk-2.40.5.tar.xz
 cf57cbbadf2a07c6ede1c886f9742b7d352460c0 SOURCES/webkitgtk-keys.gpg
--- a/SOURCES/CVE-2023-28204.patch
+++ b/SOURCES/CVE-2023-28204.patch
@ -1,167 +0,0 @@
 From 8efa99e7b5d5a37aefb476cc27ee24c2be4da0c7 Mon Sep 17 00:00:00 2001
 From: Michael Saboff <msaboff@apple.com>
 Date: Mon, 22 May 2023 13:40:46 -0700
 Subject: [PATCH] Cherry-pick 264365@main (698c6e293734).
 https://bugs.webkit.org/show_bug.cgi?id=254930
    [JSC] RegExpGlobalData::performMatch issue leading to OOB read
    https://bugs.webkit.org/show_bug.cgi?id=254930
    rdar://107436732
    Reviewed by Alexey Shvayka.
    Fixed two issues:
    1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
       characters.  Since it is an assertion, we shouldn't advance the character position.
       Made the same fix to matchAssertionEOL().
    2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
       a non-BMP character for the case where the RegExp match is empty.
    * JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
    * Source/JavaScriptCore/runtime/StringPrototype.cpp:
    (JSC::replaceUsingRegExpSearch):
    * Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
    (JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
    (JSC::Yarr::Interpreter::matchAssertionBOL):
    (JSC::Yarr::Interpreter::matchAssertionEOL):
    Originally-landed-as: 259548.551@safari-7615-branch (e34edaa74575). rdar://107436732
    Canonical link: https://commits.webkit.org/264365@main
 ---
 ...place-regexp-matchBOL-correct-advancing.js | 35 ++++++++++++++++++
 .../runtime/StringPrototype.cpp               | 10 ++++++
 .../JavaScriptCore/yarr/YarrInterpreter.cpp   | 36 +++++++++++++++++--
 3 files changed, 79 insertions(+), 2 deletions(-)
 create mode 100644 JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
 diff --git a/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
 new file mode 100644
 index 000000000000..25b1a70b81d2
 --- /dev/null
 +++ b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
@@ -0,0 +1,35 @@
 +// Check that we don't advance for BOL assertions when matching a non-BMP character in the YARR interpreter
 +// and that we do advance in String.replace() when processing an empty match.
 +
 +let expected = "|";
 +
 +for (let i = 0; i < 11; ++i)
 +    expected += String.fromCodePoint(128512) + '|';
 +
 +let str = String.fromCodePoint(128512).repeat(11);
 +
 +let result1 = str.replace(/(?!(?=^a|()+()+x)(abc))/gmu, r => {
 +    return '|';
 +});
 +
 +
 +if (result1 !== expected)
 +    print("FAILED: \"" + result1 + " !== " + expected + '"');
 +
 +let result2= str.replace(/(?!(?=^a|x)(abc))/gmu, r => {
 +    return '|';
 +});
 +
 +if (result2 !== expected)
 +    print("FAILED: \"" + result2 + " !== " + expected + '"');
 +
 +expected = "|" + String.fromCodePoint(128512);
 +
 +str = String.fromCodePoint(128512).repeat(1);
 +
 +let result3= str.replace(/(?!(?=^a|x)(abc))/mu, r => {
 +    return '|';
 +});
 +
 +if (result3 !== expected)
 +    print("FAILED: \"" + result3 + " !== " + expected + '"');
 diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
 index 08104b1dbfa9..459295f728a7 100644
 --- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
 +++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
                 startPosition++;
                 if (startPosition > sourceLen)
                     break;
 +                if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
 +                    startPosition++;
 +                    if (startPosition > sourceLen)
 +                        break;
 +                }
             }
         }
     } else {
@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
                 startPosition++;
                 if (startPosition > sourceLen)
                     break;
 +                if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
 +                    startPosition++;
 +                    if (startPosition > sourceLen)
 +                        break;
 +                }
             }
         } while (global);
     }
 diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
 index 95a848a1a66d..b1a22b253866 100644
 --- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
 +++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
@@ -209,6 +209,38 @@ public:
             }
             return result;
         }
 +
 +        int readCheckedDontAdvance(unsigned negativePositionOffest)
 +        {
 +            RELEASE_ASSERT(pos >= negativePositionOffest);
 +            unsigned p = pos - negativePositionOffest;
 +            ASSERT(p < length);
 +            int result = input[p];
 +            if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
 +                if (atEnd())
 +                    return -1;
 +
 +                result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
 +            }
 +            return result;
 +        }
 +
 +        // readForCharacterDump() is only for use by the DUMP_CURR_CHAR macro.
 +        // We don't want any side effects like the next() in readChecked() above.
 +        int readForCharacterDump(unsigned negativePositionOffest)
 +        {
 +            RELEASE_ASSERT(pos >= negativePositionOffest);
 +            unsigned p = pos - negativePositionOffest;
 +            ASSERT(p < length);
 +            int result = input[p];
 +            if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
 +                if (atEnd())
 +                    return -1;
 +
 +                result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
 +            }
 +            return result;
 +        }
         int readSurrogatePairChecked(unsigned negativePositionOffset)
         {
@@ -482,13 +514,13 @@ public:
     bool matchAssertionBOL(ByteTerm& term)
     {
 -        return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
 +        return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
     }
     bool matchAssertionEOL(ByteTerm& term)
     {
         if (term.inputPosition)
 -            return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
 +            return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
         return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read()));
     }
 -- 
 2.40.1
--- a/SOURCES/CVE-2023-28205.patch
+++ b/SOURCES/CVE-2023-28205.patch
@ -1,648 +0,0 @@
 From b315f620c349e001a697dd7d4c501bdd07fe18c5 Mon Sep 17 00:00:00 2001
 From: Mark Lam <mark.lam@apple.com>
 Date: Fri, 31 Mar 2023 10:49:49 -0700
 Subject: [PATCH] Cherry-pick 2c49ff7b0481. rdar://problem/107369977
    CloneDeserializer::deserialize() should store cell pointers in a MarkedVector.
    https://bugs.webkit.org/show_bug.cgi?id=254797
    rdar://107369977
    Reviewed by Justin Michaud.
    Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects
    in a few Vectors.  This is problematic because the GC is not aware of Vectors, and cannot
    scan them.  In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector
    template class that offer 2 enhancements:
    1. It can be configured to store specific types of cell pointer types.  This avoids us
       having to constantly cast JSValues into these pointers.
    2. It allows us to specify the type of OverflowHandler we want to use.  In this case,
       we want to use CrashOnOverflow.  The previous MarkedArgumentBuffer always assumes
       RecordOnOverflow.  This allows us to avoid having to manually check for overflows,
       or have to use appendWithCrashOnOverflow.  For our current needs, MarkedVector can be
       used as a drop in replacement for Vector.
    And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors
    with MarkedVector instead.
    * Source/JavaScriptCore/heap/Heap.cpp:
    (JSC::Heap::addCoreConstraints):
    * Source/JavaScriptCore/heap/Heap.h:
    * Source/JavaScriptCore/heap/HeapInlines.h:
    * Source/JavaScriptCore/runtime/ArgList.cpp:
    (JSC::MarkedVectorBase::addMarkSet):
    (JSC::MarkedVectorBase::markLists):
    (JSC::MarkedVectorBase::slowEnsureCapacity):
    (JSC::MarkedVectorBase::expandCapacity):
    (JSC::MarkedVectorBase::slowAppend):
    (JSC::MarkedArgumentBufferBase::addMarkSet): Deleted.
    (JSC::MarkedArgumentBufferBase::markLists): Deleted.
    (JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted.
    (JSC::MarkedArgumentBufferBase::expandCapacity): Deleted.
    (JSC::MarkedArgumentBufferBase::slowAppend): Deleted.
    * Source/JavaScriptCore/runtime/ArgList.h:
    (JSC::MarkedVectorWithSize::MarkedVectorWithSize):
    (JSC::MarkedVectorWithSize::at const):
    (JSC::MarkedVectorWithSize::clear):
    (JSC::MarkedVectorWithSize::append):
    (JSC::MarkedVectorWithSize::appendWithCrashOnOverflow):
    (JSC::MarkedVectorWithSize::last const):
    (JSC::MarkedVectorWithSize::takeLast):
    (JSC::MarkedVectorWithSize::ensureCapacity):
    (JSC::MarkedVectorWithSize::hasOverflowed):
    (JSC::MarkedVectorWithSize::fill):
    (JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted.
    * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp:
    (WebCore::AudioWorkletProcessor::buildJSArguments):
    * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h:
    * Source/WebCore/bindings/js/SerializedScriptValue.cpp:
    (WebCore::CloneDeserializer::deserialize):
    Canonical link: https://commits.webkit.org/259548.530@safari-7615-branch
 Identifier: 259548.395@safari-7615.1.26.11-branch
 ---
 Source/JavaScriptCore/heap/Heap.cpp           |   4 +-
 Source/JavaScriptCore/heap/Heap.h             |   8 +-
 Source/JavaScriptCore/heap/HeapInlines.h      |   2 +-
 Source/JavaScriptCore/runtime/ArgList.cpp     |  46 ++--
 Source/JavaScriptCore/runtime/ArgList.h       | 207 ++++++++++--------
 .../webaudio/AudioWorkletProcessor.cpp        |   4 +-
 .../Modules/webaudio/AudioWorkletProcessor.h  |   7 +-
 .../bindings/js/SerializedScriptValue.cpp     |  11 +-
 8 files changed, 159 insertions(+), 130 deletions(-)
 diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp
 index 8a4c082cb36e..632b01f14546 100644
 --- a/Source/JavaScriptCore/heap/Heap.cpp
 +++ b/Source/JavaScriptCore/heap/Heap.cpp
@@ -1,5 +1,5 @@
 /*
 - *  Copyright (C) 2003-2022 Apple Inc. All rights reserved.
 + *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.
  *  Copyright (C) 2007 Eric Seidel <eric@webkit.org>
  *
  *  This library is free software; you can redistribute it and/or
@@ -2847,7 +2847,7 @@ void Heap::addCoreConstraints()
             if (!m_markListSet.isEmpty()) {
                 SetRootMarkReasonScope rootScope(visitor, RootMarkReason::ConservativeScan);
 -                MarkedArgumentBufferBase::markLists(visitor, m_markListSet);
 +                MarkedVectorBase::markLists(visitor, m_markListSet);
             }
             {
 diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h
 index 418f24fd1212..8df576acf7f8 100644
 --- a/Source/JavaScriptCore/heap/Heap.h
 +++ b/Source/JavaScriptCore/heap/Heap.h
@@ -1,7 +1,7 @@
 /*
  *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org)
  *  Copyright (C) 2001 Peter Kelly (pmk@post.com)
 - *  Copyright (C) 2003-2022 Apple Inc. All rights reserved.
 + *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Lesser General Public
@@ -85,7 +85,7 @@ class MarkStackArray;
 class MarkStackMergingConstraint;
 class MarkedJSValueRefArray;
 class BlockDirectory;
 -class MarkedArgumentBufferBase;
 +class MarkedVectorBase;
 class MarkingConstraint;
 class MarkingConstraintSet;
 class MutatorScheduler;
@@ -409,7 +409,7 @@ public:
     JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> protectedObjectTypeCounts();
     JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> objectTypeCounts();
 -    HashSet<MarkedArgumentBufferBase*>& markListSet();
 +    HashSet<MarkedVectorBase*>& markListSet();
     void addMarkedJSValueRefArray(MarkedJSValueRefArray*);
     template<typename Functor> void forEachProtectedCell(const Functor&);
@@ -778,7 +778,7 @@ private:
     size_t m_deprecatedExtraMemorySize { 0 };
     ProtectCountSet m_protectedValues;
 -    HashSet<MarkedArgumentBufferBase*> m_markListSet;
 +    HashSet<MarkedVectorBase*> m_markListSet;
     SentinelLinkedList<MarkedJSValueRefArray, BasicRawSentinelNode<MarkedJSValueRefArray>> m_markedJSValueRefArrays;
     std::unique_ptr<MachineThreads> m_machineThreads;
 diff --git a/Source/JavaScriptCore/heap/HeapInlines.h b/Source/JavaScriptCore/heap/HeapInlines.h
 index 66d8317e317c..4d767a564d5f 100644
 --- a/Source/JavaScriptCore/heap/HeapInlines.h
 +++ b/Source/JavaScriptCore/heap/HeapInlines.h
@@ -206,7 +206,7 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded()
     }
 }
 -inline HashSet<MarkedArgumentBufferBase*>& Heap::markListSet()
 +inline HashSet<MarkedVectorBase*>& Heap::markListSet()
 {
     return m_markListSet;
 }
 diff --git a/Source/JavaScriptCore/runtime/ArgList.cpp b/Source/JavaScriptCore/runtime/ArgList.cpp
 index f2815b80c8c7..a72dea74a56f 100644
 --- a/Source/JavaScriptCore/runtime/ArgList.cpp
 +++ b/Source/JavaScriptCore/runtime/ArgList.cpp
@@ -1,5 +1,5 @@
 /*
 - *  Copyright (C) 2003-2021 Apple Inc. All rights reserved.
 + *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.
  *
  *  This library is free software; you can redistribute it and/or
  *  modify it under the terms of the GNU Library General Public
@@ -27,7 +27,7 @@ using std::min;
 namespace JSC {
 -void MarkedArgumentBufferBase::addMarkSet(JSValue v)
 +void MarkedVectorBase::addMarkSet(JSValue v)
 {
     if (m_markSet)
         return;
@@ -52,47 +52,47 @@ void ArgList::getSlice(int startIndex, ArgList& result) const
 }
 template<typename Visitor>
 -void MarkedArgumentBufferBase::markLists(Visitor& visitor, ListSet& markSet)
 +void MarkedVectorBase::markLists(Visitor& visitor, ListSet& markSet)
 {
     ListSet::iterator end = markSet.end();
     for (ListSet::iterator it = markSet.begin(); it != end; ++it) {
 -        MarkedArgumentBufferBase* list = *it;
 +        MarkedVectorBase* list = *it;
         for (int i = 0; i < list->m_size; ++i)
             visitor.appendUnbarriered(JSValue::decode(list->slotFor(i)));
     }
 }
 -template void MarkedArgumentBufferBase::markLists(AbstractSlotVisitor&, ListSet&);
 -template void MarkedArgumentBufferBase::markLists(SlotVisitor&, ListSet&);
 +template void MarkedVectorBase::markLists(AbstractSlotVisitor&, ListSet&);
 +template void MarkedVectorBase::markLists(SlotVisitor&, ListSet&);
 -void MarkedArgumentBufferBase::slowEnsureCapacity(size_t requestedCapacity)
 +auto MarkedVectorBase::slowEnsureCapacity(size_t requestedCapacity) -> Status
 {
     setNeedsOverflowCheck();
     auto checkedNewCapacity = CheckedInt32(requestedCapacity);
     if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
 -        return this->overflowed();
 -    expandCapacity(checkedNewCapacity);
 +        return Status::Overflowed;
 +    return expandCapacity(checkedNewCapacity);
 }
 -void MarkedArgumentBufferBase::expandCapacity()
 +auto MarkedVectorBase::expandCapacity() -> Status
 {
     setNeedsOverflowCheck();
     auto checkedNewCapacity = CheckedInt32(m_capacity) * 2;
     if (UNLIKELY(checkedNewCapacity.hasOverflowed()))
 -        return this->overflowed();
 -    expandCapacity(checkedNewCapacity);
 +        return Status::Overflowed;
 +    return expandCapacity(checkedNewCapacity);
 }
 -void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
 +auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status
 {
     setNeedsOverflowCheck();
     ASSERT(m_capacity < newCapacity);
     auto checkedSize = CheckedSize(newCapacity) * sizeof(EncodedJSValue);
     if (UNLIKELY(checkedSize.hasOverflowed()))
 -        return this->overflowed();
 +        return Status::Overflowed;
     EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize));
     if (!newBuffer)
 -        return this->overflowed();
 +        return Status::Overflowed;
     for (int i = 0; i < m_size; ++i) {
         newBuffer[i] = m_buffer[i];
         addMarkSet(JSValue::decode(m_buffer[i]));
@@ -103,21 +103,23 @@ void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
     m_buffer = newBuffer;
     m_capacity = newCapacity;
 +    return Status::Success;
 }
 -void MarkedArgumentBufferBase::slowAppend(JSValue v)
 +auto MarkedVectorBase::slowAppend(JSValue v) -> Status
 {
     ASSERT(m_size <= m_capacity);
 -    if (m_size == m_capacity)
 -        expandCapacity();
 -    if (UNLIKELY(Base::hasOverflowed())) {
 -        ASSERT(m_needsOverflowCheck);
 -        return;
 +    if (m_size == m_capacity) {
 +        auto status = expandCapacity();
 +        if (status == Status::Overflowed) {
 +            ASSERT(m_needsOverflowCheck);
 +            return status;
 +        }
     }
 -
     slotFor(m_size) = JSValue::encode(v);
     ++m_size;
     addMarkSet(v);
 +    return Status::Success;
 }
 } // namespace JSC
 diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h
 index 8ea9b0e308b8..01a6d5e0e5dc 100644
 --- a/Source/JavaScriptCore/runtime/ArgList.h
 +++ b/Source/JavaScriptCore/runtime/ArgList.h
@@ -22,26 +22,27 @@
 #pragma once
 #include "CallFrame.h"
 +#include "JSCast.h"
 #include <wtf/CheckedArithmetic.h>
 #include <wtf/ForbidHeapAllocation.h>
 #include <wtf/HashSet.h>
 namespace JSC {
 -class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordOverflow {
 -    WTF_MAKE_NONCOPYABLE(MarkedArgumentBufferBase);
 -    WTF_MAKE_NONMOVABLE(MarkedArgumentBufferBase);
 +class alignas(alignof(EncodedJSValue)) MarkedVectorBase {
 +    WTF_MAKE_NONCOPYABLE(MarkedVectorBase);
 +    WTF_MAKE_NONMOVABLE(MarkedVectorBase);
     WTF_FORBID_HEAP_ALLOCATION;
     friend class VM;
     friend class ArgList;
 +protected:
 +    enum class Status { Success, Overflowed };
 public:
 -    using Base = RecordOverflow;
 -    typedef HashSet<MarkedArgumentBufferBase*> ListSet;
 +    typedef HashSet<MarkedVectorBase*> ListSet;
 -    ~MarkedArgumentBufferBase()
 +    ~MarkedVectorBase()
     {
 -        ASSERT(!m_needsOverflowCheck);
         if (m_markSet)
             m_markSet->remove(this);
@@ -52,92 +53,20 @@ public:
     size_t size() const { return m_size; }
     bool isEmpty() const { return !m_size; }
 -    JSValue at(int i) const
 -    {
 -        if (i >= m_size)
 -            return jsUndefined();
 -
 -        return JSValue::decode(slotFor(i));
 -    }
 -
 -    void clear()
 -    {
 -        ASSERT(!m_needsOverflowCheck);
 -        clearOverflow();
 -        m_size = 0;
 -    }
 -
 -    enum OverflowCheckAction {
 -        CrashOnOverflow,
 -        WillCheckLater
 -    };
 -    template<OverflowCheckAction action>
 -    void appendWithAction(JSValue v)
 -    {
 -        ASSERT(m_size <= m_capacity);
 -        if (m_size == m_capacity || mallocBase()) {
 -            slowAppend(v);
 -            if (action == CrashOnOverflow)
 -                RELEASE_ASSERT(!hasOverflowed());
 -            return;
 -        }
 -
 -        slotFor(m_size) = JSValue::encode(v);
 -        ++m_size;
 -    }
 -    void append(JSValue v) { appendWithAction<WillCheckLater>(v); }
 -    void appendWithCrashOnOverflow(JSValue v) { appendWithAction<CrashOnOverflow>(v); }
 -
     void removeLast()
     { 
         ASSERT(m_size);
         m_size--;
     }
 -    JSValue last() 
 -    {
 -        ASSERT(m_size);
 -        return JSValue::decode(slotFor(m_size - 1));
 -    }
 -
 -    JSValue takeLast()
 -    {
 -        JSValue result = last();
 -        removeLast();
 -        return result;
 -    }
 -        
     template<typename Visitor> static void markLists(Visitor&, ListSet&);
 -    void ensureCapacity(size_t requestedCapacity)
 -    {
 -        if (requestedCapacity > static_cast<size_t>(m_capacity))
 -            slowEnsureCapacity(requestedCapacity);
 -    }
 -
 -    bool hasOverflowed()
 -    {
 -        clearNeedsOverflowCheck();
 -        return Base::hasOverflowed();
 -    }
 -
     void overflowCheckNotNeeded() { clearNeedsOverflowCheck(); }
 -    template<typename Functor>
 -    void fill(size_t count, const Functor& func)
 -    {
 -        ASSERT(!m_size);
 -        ensureCapacity(count);
 -        if (Base::hasOverflowed())
 -            return;
 -        m_size = count;
 -        func(reinterpret_cast<JSValue*>(&slotFor(0)));
 -    }
 -
 protected:
     // Constructor for a read-write list, to which you may append values.
     // FIXME: Remove all clients of this API, then remove this API.
 -    MarkedArgumentBufferBase(size_t capacity)
 +    MarkedVectorBase(size_t capacity)
         : m_size(0)
         , m_capacity(capacity)
         , m_buffer(inlineBuffer())
@@ -147,17 +76,16 @@ protected:
     EncodedJSValue* inlineBuffer()
     {
 -        return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedArgumentBufferBase));
 +        return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedVectorBase));
     }
 -private:
 -    void expandCapacity();
 -    void expandCapacity(int newCapacity);
 -    void slowEnsureCapacity(size_t requestedCapacity);
 +    Status expandCapacity();
 +    Status expandCapacity(int newCapacity);
 +    Status slowEnsureCapacity(size_t requestedCapacity);
     void addMarkSet(JSValue);
 -    JS_EXPORT_PRIVATE void slowAppend(JSValue);
 +    JS_EXPORT_PRIVATE Status slowAppend(JSValue);
     EncodedJSValue& slotFor(int item) const
     {
@@ -172,11 +100,14 @@ private:
     }
 #if ASSERT_ENABLED
 -    void setNeedsOverflowCheck() { m_needsOverflowCheck = true; }
 +    void disableNeedsOverflowCheck() { m_overflowCheckEnabled = false; }
 +    void setNeedsOverflowCheck() { m_needsOverflowCheck = m_overflowCheckEnabled; }
     void clearNeedsOverflowCheck() { m_needsOverflowCheck = false; }
     bool m_needsOverflowCheck { false };
 +    bool m_overflowCheckEnabled { true };
 #else
 +    void disableNeedsOverflowCheck() { }
     void setNeedsOverflowCheck() { }
     void clearNeedsOverflowCheck() { }
 #endif // ASSERT_ENABLED
@@ -186,22 +117,114 @@ private:
     ListSet* m_markSet;
 };
 -template<size_t passedInlineCapacity = 8>
 -class MarkedArgumentBufferWithSize : public MarkedArgumentBufferBase {
 +template<typename T, size_t passedInlineCapacity = 8, class OverflowHandler = CrashOnOverflow>
 +class MarkedVector : public OverflowHandler, public MarkedVectorBase  {
 public:
     static constexpr size_t inlineCapacity = passedInlineCapacity;
 -    MarkedArgumentBufferWithSize()
 -        : MarkedArgumentBufferBase(inlineCapacity)
 +    MarkedVector()
 +        : MarkedVectorBase(inlineCapacity)
     {
         ASSERT(inlineBuffer() == m_inlineBuffer);
 +        if constexpr (std::is_same_v<OverflowHandler, CrashOnOverflow>) {
 +            // CrashOnOverflow handles overflows immediately. So, we do not
 +            // need to check for it after.
 +            disableNeedsOverflowCheck();
 +        }
 +    }
 +
 +    auto at(int i) const -> decltype(auto)
 +    {
 +        if constexpr (std::is_same_v<T, JSValue>) {
 +            if (i >= m_size)
 +                return jsUndefined();
 +            return JSValue::decode(slotFor(i));
 +        } else {
 +            if (i >= m_size)
 +                return static_cast<T>(nullptr);
 +            return jsCast<T>(JSValue::decode(slotFor(i)).asCell());
 +        }
 +    }
 +
 +    void clear()
 +    {
 +        ASSERT(!m_needsOverflowCheck);
 +        OverflowHandler::clearOverflow();
 +        m_size = 0;
 +    }
 +
 +    void append(T v)
 +    {
 +        ASSERT(m_size <= m_capacity);
 +        if (m_size == m_capacity || mallocBase()) {
 +            if (slowAppend(v) == Status::Overflowed)
 +                this->overflowed();
 +            return;
 +        }
 +
 +        slotFor(m_size) = JSValue::encode(v);
 +        ++m_size;
 +    }
 +
 +    void appendWithCrashOnOverflow(T v)
 +    {
 +        append(v);
 +        if constexpr (!std::is_same<OverflowHandler, CrashOnOverflow>::value)
 +            RELEASE_ASSERT(!this->hasOverflowed());
 +    }
 +
 +    auto last() const -> decltype(auto)
 +    {
 +        if constexpr (std::is_same_v<T, JSValue>) {
 +            ASSERT(m_size);
 +            return JSValue::decode(slotFor(m_size - 1));
 +        } else {
 +            ASSERT(m_size);
 +            return jsCast<T>(JSValue::decode(slotFor(m_size - 1)).asCell());
 +        }
 +    }
 +
 +    JSValue takeLast()
 +    {
 +        JSValue result = last();
 +        removeLast();
 +        return result;
 +    }
 +
 +    void ensureCapacity(size_t requestedCapacity)
 +    {
 +        if (requestedCapacity > static_cast<size_t>(m_capacity)) {
 +            if (slowEnsureCapacity(requestedCapacity) == Status::Overflowed)
 +                this->overflowed();
 +        }
 +    }
 +
 +    bool hasOverflowed()
 +    {
 +        clearNeedsOverflowCheck();
 +        return OverflowHandler::hasOverflowed();
 +    }
 +
 +    template<typename Functor>
 +    void fill(size_t count, const Functor& func)
 +    {
 +        ASSERT(!m_size);
 +        ensureCapacity(count);
 +        if (OverflowHandler::hasOverflowed())
 +            return;
 +        m_size = count;
 +        func(reinterpret_cast<JSValue*>(&slotFor(0)));
     }
 private:
     EncodedJSValue m_inlineBuffer[inlineCapacity] { };
 };
 -using MarkedArgumentBuffer = MarkedArgumentBufferWithSize<>;
 +template<size_t passedInlineCapacity>
 +class MarkedArgumentBufferWithSize : public MarkedVector<JSValue, passedInlineCapacity, RecordOverflow> {
 +};
 +
 +using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;
 class ArgList {
     WTF_MAKE_FAST_ALLOCATED;
 diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
 index 13d04e3bdb3b..f827b2ec6a6b 100644
 --- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
 +++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
@@ -1,5 +1,5 @@
 /*
 - * Copyright (C) 2020 Apple Inc. All rights reserved.
 + * Copyright (C) 2020-2023 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -219,7 +219,7 @@ AudioWorkletProcessor::AudioWorkletProcessor(AudioWorkletGlobalScope& globalScop
     ASSERT(!isMainThread());
 }
 -void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBufferBase& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)
 +void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBuffer& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)
 {
     // For performance reasons, we cache the arrays passed to JS and reconstruct them only when the topology changes.
     if (!copyDataFromBusesToJSArray(globalObject, inputs, toJSArray(m_jsInputs)))
 diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
 index 3f3d708c7ae4..b0bce3609198 100644
 --- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
 +++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
@@ -1,5 +1,5 @@
 /*
 - * Copyright (C) 2020 Apple Inc. All rights reserved.
 + * Copyright (C) 2020-2023 Apple Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
@@ -41,7 +41,8 @@
 namespace JSC {
 class JSArray;
 -class MarkedArgumentBufferBase;
 +template<typename T, size_t, class> class MarkedVector;
 +using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;
 }
 namespace WebCore {
@@ -71,7 +72,7 @@ public:
 private:
     explicit AudioWorkletProcessor(AudioWorkletGlobalScope&, const AudioWorkletProcessorConstructionData&);
 -    void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBufferBase&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);
 +    void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBuffer&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const MemoryCompactLookupOnlyRobinHoodHashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);
     AudioWorkletGlobalScope& m_globalScope;
     String m_name;
 diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
 index e0d4316a169f..5897e1066512 100644
 --- a/Source/WebCore/bindings/js/SerializedScriptValue.cpp
 +++ b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
@@ -540,6 +540,7 @@ static const unsigned StringDataIs8BitFlag = 0x80000000;
 using DeserializationResult = std::pair<JSC::JSValue, SerializationReturnCode>;
 class CloneBase {
 +    WTF_FORBID_HEAP_ALLOCATION;
 protected:
     CloneBase(JSGlobalObject* lexicalGlobalObject)
         : m_lexicalGlobalObject(lexicalGlobalObject)
@@ -617,6 +618,7 @@ template <> bool writeLittleEndian<uint8_t>(Vector<uint8_t>& buffer, const uint8
 }
 class CloneSerializer : CloneBase {
 +    WTF_FORBID_HEAP_ALLOCATION;
 public:
     static SerializationReturnCode serialize(JSGlobalObject* lexicalGlobalObject, JSValue value, Vector<RefPtr<MessagePort>>& messagePorts, Vector<RefPtr<JSC::ArrayBuffer>>& arrayBuffers, const Vector<RefPtr<ImageBitmap>>& imageBitmaps,
 #if ENABLE(OFFSCREEN_CANVAS_IN_WORKERS)
@@ -2150,6 +2152,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in)
 }
 class CloneDeserializer : CloneBase {
 +    WTF_FORBID_HEAP_ALLOCATION;
 public:
     static String deserializeString(const Vector<uint8_t>& buffer)
     {
@@ -3921,10 +3924,10 @@ DeserializationResult CloneDeserializer::deserialize()
     Vector<uint32_t, 16> indexStack;
     Vector<Identifier, 16> propertyNameStack;
 -    Vector<JSObject*, 32> outputObjectStack;
 -    Vector<JSValue, 4> mapKeyStack;
 -    Vector<JSMap*, 4> mapStack;
 -    Vector<JSSet*, 4> setStack;
 +    MarkedVector<JSObject*, 32> outputObjectStack;
 +    MarkedVector<JSValue, 4> mapKeyStack;
 +    MarkedVector<JSMap*, 4> mapStack;
 +    MarkedVector<JSSet*, 4> setStack;
     Vector<WalkerState, 16> stateStack;
     WalkerState lexicalGlobalObject = StateUnknown;
     JSValue outValue;
 -- 
 2.40.0
--- a/SOURCES/CVE-2023-32373.patch
+++ b/SOURCES/CVE-2023-32373.patch
@ -1,36 +0,0 @@
 From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
 From: Antoine Quint <graouts@webkit.org>
 Date: Mon, 22 May 2023 13:37:32 -0700
 Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
 https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
 Reviewed by Dean Jackson and Darin Adler.
 Ensure that the animation's effect and target are kept alive for the duration of this method
 since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
 these two pointers could be changed to a null value using the Web Animations API.
 * Source/WebCore/animation/WebAnimation.cpp:
 (WebCore::WebAnimation::commitStyles):
 Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
 Canonical link: https://commits.webkit.org/264363@main
 ---
 Source/WebCore/animation/WebAnimation.cpp | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
 index 68ea47985807..ae20c79c36cf 100644
 --- a/Source/WebCore/animation/WebAnimation.cpp
 +++ b/Source/WebCore/animation/WebAnimation.cpp
@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
     // https://drafts.csswg.org/web-animations-1/#commit-computed-styles
     // 1. Let targets be the set of all effect targets for animation effects associated with animation.
 -    auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
 -    auto* target = effect ? effect->target() : nullptr;
 +    RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
 +    RefPtr target = effect ? effect->target() : nullptr;
     // 2. For each target in targets:
     //
--- a/SOURCES/CVE-2023-42917.patch
+++ b/SOURCES/CVE-2023-42917.patch
@ -0,0 +1,80 @@
 From 00352dd86bfa102b6e4b792120e3ef3498a27d1e Mon Sep 17 00:00:00 2001
 From: Russell Epstein <repstein@apple.com>
 Date: Fri, 17 Nov 2023 15:48:32 -0800
 Subject: [PATCH] Cherry-pick b0a755e34426.
 https://bugs.webkit.org/show_bug.cgi?id=265067
    Race condition between JSObject::getDirectConcurrently users and Structure::flattenDictionaryStructure
    https://bugs.webkit.org/show_bug.cgi?id=265067
    rdar://118548733
    Reviewed by Justin Michaud and Mark Lam.
    Like Array shift/unshift, flattenDictionaryStructure is the other code which can shrink butterfly for named properties (no other code does it).
    Compiler threads rely on the fact that normally named property storage never shrunk. And we should catch this exceptional case by taking a cellLock
    in the compiler thread. But flattenDictionaryStructure is not taking cellLock correctly.
    This patch computes afterOutOfLineCapacity first to detect that whether this flattening will shrink the butterfly.
    And if it is, then we take a cellLock. We do not need to take it if we do not shrink the butterfly.
    * Source/JavaScriptCore/runtime/Structure.cpp:
    (JSC::Structure::flattenDictionaryStructure):
    Canonical link: https://commits.webkit.org/267815.577@safari-7617-branch
    Canonical link: https://commits.webkit.org/265870.632@safari-7616.2.9.10-branch
 ---
 Source/JavaScriptCore/runtime/Structure.cpp | 28 +++++++++++++++------
 1 file changed, 21 insertions(+), 7 deletions(-)
 diff --git a/Source/JavaScriptCore/runtime/Structure.cpp b/Source/JavaScriptCore/runtime/Structure.cpp
 index 2922e2478794c..9d094e2c8adc8 100644
 --- a/Source/JavaScriptCore/runtime/Structure.cpp
 +++ b/Source/JavaScriptCore/runtime/Structure.cpp
@@ -913,17 +913,31 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
     checkOffsetConsistency();
     ASSERT(isDictionary());
     ASSERT(object->structure() == this);
 -    
 -    GCSafeConcurrentJSLocker locker(m_lock, vm);
 -    
 -    object->setStructureIDDirectly(id().nuke());
 -    WTF::storeStoreFence();
 +    Locker<JSCellLock> cellLocker(NoLockingNecessary);
 +
 +    PropertyTable* table = nullptr;
     size_t beforeOutOfLineCapacity = this->outOfLineCapacity();
 +    size_t afterOutOfLineCapacity = beforeOutOfLineCapacity;
     if (isUncacheableDictionary()) {
 -        PropertyTable* table = propertyTableOrNull();
 +        table = propertyTableOrNull();
         ASSERT(table);
 +        PropertyOffset maxOffset = invalidOffset;
 +        if (unsigned propertyCount = table->size())
 +            maxOffset = offsetForPropertyNumber(propertyCount - 1, m_inlineCapacity);
 +        afterOutOfLineCapacity = outOfLineCapacity(maxOffset);
 +    }
 +    // This is the only case we shrink butterfly in this function. We should take a cell lock to protect against concurrent access to the butterfly.
 +    if (beforeOutOfLineCapacity != afterOutOfLineCapacity)
 +        cellLocker = Locker { object->cellLock() };
 +
 +    GCSafeConcurrentJSLocker locker(m_lock, vm);
 +
 +    object->setStructureIDDirectly(id().nuke());
 +    WTF::storeStoreFence();
 +
 +    if (isUncacheableDictionary()) {
         size_t propertyCount = table->size();
         // Holds our values compacted by insertion order. This is OK since GC is deferred.
@@ -955,7 +969,7 @@ Structure* Structure::flattenDictionaryStructure(VM& vm, JSObject* object)
     setDictionaryKind(NoneDictionaryKind);
     setHasBeenFlattenedBefore(true);
 -    size_t afterOutOfLineCapacity = this->outOfLineCapacity();
 +    ASSERT(this->outOfLineCapacity() == afterOutOfLineCapacity);
     if (object->butterfly() && beforeOutOfLineCapacity != afterOutOfLineCapacity) {
         ASSERT(beforeOutOfLineCapacity > afterOutOfLineCapacity);
--- a/SOURCES/evolution-shared-secondary-process.patch
+++ b/SOURCES/evolution-shared-secondary-process.patch
@ -1,26 +1,14 @@
 From ffe84688fc8a91b1e6d1c4462120fc44349a7c05 Mon Sep 17 00:00:00 2001
 From: Michael Catanzaro <mcatanzaro@redhat.com>
 Date: Thu, 27 Oct 2022 19:12:43 -0500
 Subject: [PATCH] Force Evolution to use single secondary process
 ---
 Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp | 3 +++
 1 file changed, 3 insertions(+)
 diff --git a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
-index 6bb6767869af..2a05a69d9b0d 100644
+index a30f5b13be26..72ad006cde21 100644
 --- a/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
 +++ b/Source/WebKit/UIProcess/API/glib/WebKitWebContext.cpp
-@@ -431,6 +431,9 @@ static void webkitWebContextConstructed(GObject* object)
+@@ -438,6 +438,9 @@ static void webkitWebContextConstructed(GObject* object)
     }
     configuration.setTimeZoneOverride(String::fromUTF8(priv->timeZoneOverride.data(), priv->timeZoneOverride.length()));
 +    if (!g_strcmp0(g_get_prgname(), "evolution"))
 +        configuration.setUsesSingleWebProcess(true);
 +
 #if !ENABLE(2022_GLIB_API)
     if (!priv->websiteDataManager)
         priv->websiteDataManager = adoptGRef(webkit_website_data_manager_new("local-storage-directory", priv->localStorageDirectory.data(), nullptr));
 -- 
 2.31.1
--- a/SOURCES/glib-dep.patch
+++ b/SOURCES/glib-dep.patch
@ -0,0 +1,19 @@
 diff --git a/glib-dep.patch b/glib-dep.patch
 new file mode 100644
 index 0000000..dbc0ab6
 --- /dev/null
 +++ b/glib-dep.patch
@@ -0,0 +1,13 @@
 +diff --git a/Source/WTF/wtf/glib/Sandbox.cpp b/Source/WTF/wtf/glib/Sandbox.cpp
 +index 9b07bb8cb5a9b..a8169511fe851 100644
 +--- a/Source/WTF/wtf/glib/Sandbox.cpp
 ++++ b/Source/WTF/wtf/glib/Sandbox.cpp
 +@@ -58,7 +58,7 @@ bool isInsideUnsupportedContainer()
 +         int waitStatus = 0;
 +         gboolean spawnSucceeded = g_spawn_sync(nullptr, const_cast<char**>(bwrapArgs), nullptr,
 +             G_SPAWN_STDERR_TO_DEV_NULL, nullptr, nullptr, nullptr, nullptr, &waitStatus, nullptr);
 +-        supportedContainer = spawnSucceeded && g_spawn_check_wait_status(waitStatus, nullptr);
 ++        supportedContainer = spawnSucceeded && g_spawn_check_exit_status(waitStatus, nullptr);
 +         if (!supportedContainer)
 +             WTFLogAlways("Bubblewrap does not work inside of this container, sandboxing will be disabled.");
 +     }
--- a/SOURCES/gstreamer-1.16.1.patch
+++ b/SOURCES/gstreamer-1.16.1.patch
@ -0,0 +1,57 @@
 diff --git a/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp b/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp
 index a861b913ccfc..df21a1f67e98 100644
 --- a/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp
 +++ b/Source/WebCore/platform/graphics/gstreamer/GLVideoSinkGStreamer.cpp
@@ -88,7 +88,25 @@ static void webKitGLVideoSinkConstructed(GObject* object)
     ASSERT(colorconvert);
     gst_bin_add_many(GST_BIN_CAST(sink), upload, colorconvert, sink->priv->appSink.get(), nullptr);
 -    GRefPtr<GstCaps> caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) " GST_GL_CAPS_FORMAT));
 +    // Workaround until we can depend on GStreamer 1.16.2.
 +    // https://gitlab.freedesktop.org/gstreamer/gst-plugins-base/commit/8d32de090554cf29fe359f83aa46000ba658a693
 +    // Forcing a color conversion to RGBA here allows glupload to internally use
 +    // an uploader that adds a VideoMeta, through the TextureUploadMeta caps
 +    // feature, without needing the patch above. However this specific caps
 +    // feature is going to be removed from GStreamer so it is considered a
 +    // short-term workaround. This code path most likely will have a negative
 +    // performance impact on embedded platforms as well. Downstream embedders
 +    // are highly encouraged to cherry-pick the patch linked above in their BSP
 +    // and set the WEBKIT_GST_NO_RGBA_CONVERSION environment variable until
 +    // GStreamer 1.16.2 is released.
 +    // See also https://bugs.webkit.org/show_bug.cgi?id=201422
 +    GRefPtr<GstCaps> caps;
 +    if (webkitGstCheckVersion(1, 16, 2) || getenv("WEBKIT_GST_NO_RGBA_CONVERSION"))
 +        caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) " GST_GL_CAPS_FORMAT));
 +    else {
 +        GST_INFO_OBJECT(sink, "Forcing RGBA as GStreamer is not new enough.");
 +        caps = adoptGRef(gst_caps_from_string("video/x-raw, format = (string) RGBA"));
 +    }
     gst_caps_set_features(caps.get(), 0, gst_caps_features_new(GST_CAPS_FEATURE_MEMORY_GL_MEMORY, nullptr));
     g_object_set(sink->priv->appSink.get(), "caps", caps.get(), nullptr);
 diff --git a/Source/cmake/GStreamerChecks.cmake b/Source/cmake/GStreamerChecks.cmake
 index ba8423e2795c..df9d3204910d 100644
 --- a/Source/cmake/GStreamerChecks.cmake
 +++ b/Source/cmake/GStreamerChecks.cmake
@@ -36,7 +36,7 @@ if (ENABLE_VIDEO OR ENABLE_WEB_AUDIO)
               list(APPEND GSTREAMER_COMPONENTS webrtc)
           endif ()
 -          find_package(GStreamer 1.16.2 REQUIRED COMPONENTS ${GSTREAMER_COMPONENTS})
 +          find_package(GStreamer 1.16.0 REQUIRED COMPONENTS ${GSTREAMER_COMPONENTS})
           if (ENABLE_WEB_AUDIO)
               if (NOT PC_GSTREAMER_AUDIO_FOUND OR NOT PC_GSTREAMER_FFT_FOUND)
 diff --git a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
 index 0b81e04559f0..4c6ae470e49f 100644
 --- a/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
 +++ b/Source/WebCore/platform/graphics/gstreamer/MediaPlayerPrivateGStreamer.cpp
@@ -479,7 +479,6 @@ bool MediaPlayerPrivateGStreamer::doSeek(const MediaTime& position, float rate)
     auto seekStart = toGstClockTime(startTime);
     auto seekStop = toGstClockTime(endTime);
 -    GST_DEBUG_OBJECT(pipeline(), "[Seek] Performing actual seek to %" GST_TIMEP_FORMAT " (endTime: %" GST_TIMEP_FORMAT ") at rate %f", &seekStart, &seekStop, rate);
     return gst_element_seek(m_pipeline.get(), rate, GST_FORMAT_TIME, m_seekFlags, GST_SEEK_TYPE_SET, seekStart, GST_SEEK_TYPE_SET, seekStop);
 }
--- a/SOURCES/icu60.patch
+++ b/SOURCES/icu60.patch
@ -1,17 +1,3 @@
 From 833cfdd150b6f7f0fb021ac5de7890dff158f5fd Mon Sep 17 00:00:00 2001
 From: Michael Catanzaro <mcatanzaro@redhat.com>
 Date: Thu, 27 Oct 2022 16:32:43 -0500
 Subject: [PATCH] Build against ICU 60
 ---
 Source/JavaScriptCore/runtime/IntlCache.cpp        |  3 +++
 Source/JavaScriptCore/runtime/IntlCache.h          |  3 +++
 Source/JavaScriptCore/runtime/IntlDisplayNames.cpp | 11 +++++++++++
 Source/JavaScriptCore/runtime/IntlDisplayNames.h   |  7 +++++++
 Source/JavaScriptCore/runtime/IntlObject.cpp       |  6 +++++-
 Source/cmake/OptionsGTK.cmake                      |  2 +-
 6 files changed, 30 insertions(+), 2 deletions(-)
 diff --git a/Source/JavaScriptCore/runtime/IntlCache.cpp b/Source/JavaScriptCore/runtime/IntlCache.cpp
 index b17d7340df56..94a5474059b6 100644
 --- a/Source/JavaScriptCore/runtime/IntlCache.cpp
@ -62,7 +48,7 @@ index 058b2423786d..e7a8c82f392b 100644
 private:
     UDateTimePatternGenerator* getSharedPatternGenerator(const CString& locale, UErrorCode& status)
 diff --git a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
-index c281f796eaee..1bc3c0c8a8c6 100644
+index f38161e7f95b..068613ce8feb 100644
 --- a/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
 +++ b/Source/JavaScriptCore/runtime/IntlDisplayNames.cpp
@@ -110,6 +110,7 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa
@ -73,18 +59,20 @@ index c281f796eaee..1bc3c0c8a8c6 100644
     UErrorCode status = U_ZERO_ERROR;
     UDisplayContext contexts[] = {
-@@ -137,6 +138,10 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa
+@@ -137,15 +138,19 @@ void IntlDisplayNames::initializeDisplayNames(JSGlobalObject* globalObject, JSVa
         throwTypeError(globalObject, scope, "failed to initialize DisplayNames"_s);
         return;
     }
 +#else
-+        throwTypeError(globalObject, scope, "failed to initialize Intl.DisplayNames since feature is not supported by the ICU version"_s);
+    throwTypeError(globalObject, scope, "failed to initialize Intl.DisplayNames since feature is not supported by the ICU version"_s);
-+        return;
+    return;
 +#endif
 }
 // https://tc39.es/proposal-intl-displaynames/#sec-Intl.DisplayNames.prototype.of
-@@ -146,6 +151,7 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co
+ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) const
 {
 -
     VM& vm = globalObject->vm();
     auto scope = DECLARE_THROW_SCOPE(vm);
@ -92,7 +80,7 @@ index c281f796eaee..1bc3c0c8a8c6 100644
     ASSERT(m_displayNames);
     auto code = codeValue.toWTFString(globalObject);
     RETURN_IF_EXCEPTION(scope, { });
-@@ -350,6 +356,11 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co
+@@ -350,6 +355,11 @@ JSValue IntlDisplayNames::of(JSGlobalObject* globalObject, JSValue codeValue) co
         return throwTypeError(globalObject, scope, "Failed to query a display name."_s);
     }
     return jsString(vm, String(WTFMove(buffer)));
@ -123,18 +111,18 @@ index d80dc3d83a15..f2bf36275c79 100644
 enum class RelevantExtensionKey : uint8_t;
 diff --git a/Source/JavaScriptCore/runtime/IntlObject.cpp b/Source/JavaScriptCore/runtime/IntlObject.cpp
-index f7dc4d578d77..a6ccbe1b9f74 100644
+index 0080abf51be4..d23c7c021334 100644
 --- a/Source/JavaScriptCore/runtime/IntlObject.cpp
 +++ b/Source/JavaScriptCore/runtime/IntlObject.cpp
-@@ -153,7 +153,6 @@ namespace JSC {
+@@ -164,7 +164,6 @@ namespace JSC {
-   getCanonicalLocales   intlObjectFuncGetCanonicalLocales            DontEnum|Function 1
+   supportedValuesOf     intlObjectFuncSupportedValuesOf              DontEnum|Function 1
   Collator              createCollatorConstructor                    DontEnum|PropertyCallback
   DateTimeFormat        createDateTimeFormatConstructor              DontEnum|PropertyCallback
 -  DisplayNames          createDisplayNamesConstructor                DontEnum|PropertyCallback
   Locale                createLocaleConstructor                      DontEnum|PropertyCallback
   NumberFormat          createNumberFormatConstructor                DontEnum|PropertyCallback
   PluralRules           createPluralRulesConstructor                 DontEnum|PropertyCallback
-@@ -239,6 +238,11 @@ void IntlObject::finishCreation(VM& vm, JSGlobalObject* globalObject)
+@@ -252,6 +251,11 @@ void IntlObject::finishCreation(VM& vm, JSGlobalObject*)
     Base::finishCreation(vm);
     ASSERT(inherits(info()));
     JSC_TO_STRING_TAG_WITHOUT_TRANSITION();
@ -144,21 +132,38 @@ index f7dc4d578d77..a6ccbe1b9f74 100644
 +    UNUSED_PARAM(&createDisplayNamesConstructor);
 +#endif
 #if HAVE(ICU_U_LIST_FORMATTER)
-     putDirectWithoutTransition(vm, vm.propertyNames->ListFormat, createListFormatConstructor(vm, this), static_cast<unsigned>(PropertyAttribute::DontEnum));
+     if (Options::useIntlDurationFormat())
- #else
+         putDirectWithoutTransition(vm, vm.propertyNames->DurationFormat, createDurationFormatConstructor(vm, this), static_cast<unsigned>(PropertyAttribute::DontEnum));
 diff --git a/Source/cmake/OptionsGTK.cmake b/Source/cmake/OptionsGTK.cmake
-index 5e653a9e0b5a..0977f2c49037 100644
+index 8bd6ed347418..9d0a7e88b16a 100644
 --- a/Source/cmake/OptionsGTK.cmake
 +++ b/Source/cmake/OptionsGTK.cmake
-@@ -19,7 +19,7 @@ find_package(Freetype 2.4.2 REQUIRED)
+@@ -18,7 +18,7 @@ find_package(Fontconfig 2.8.0 REQUIRED)
 find_package(Freetype 2.4.2 REQUIRED)
 find_package(LibGcrypt 1.6.0 REQUIRED)
 find_package(GLIB 2.56.4 REQUIRED COMPONENTS gio gio-unix gobject gthread gmodule)
 find_package(HarfBuzz 0.9.18 REQUIRED COMPONENTS ICU)
 -find_package(ICU 61.2 REQUIRED COMPONENTS data i18n uc)
-+find_package(ICU 60.2 REQUIRED COMPONENTS data i18n uc)
+find_package(ICU 60 REQUIRED COMPONENTS data i18n uc)
 find_package(JPEG REQUIRED)
 find_package(LibEpoxy 1.4.0 REQUIRED)
 find_package(LibXml2 2.8.0 REQUIRED)
- find_package(PNG REQUIRED)
+diff --git a/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp b/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp
-- 
+index fdcaa71f2011..f6aa1b0e3def 100644
-2.31.1
+--- a/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp
-
+++ b/Source/JavaScriptCore/runtime/IntlDurationFormat.cpp
@@ -41,7 +41,6 @@
 #endif
 #endif
 #include <unicode/ulistformatter.h>
 -#include <unicode/unumberformatter.h>
 #include <unicode/ures.h>
 #if HAVE(ICU_U_LIST_FORMATTER)
 #define U_HIDE_DRAFT_API 1
@@ -49,6 +48,7 @@
 #if HAVE(ICU_U_LIST_FORMATTER)
 #include <unicode/uformattedvalue.h>
 +#include <unicode/unumberformatter.h>
 #endif
 namespace JSC {
--- a/SOURCES/webkitgtk-2.38.5.tar.xz.asc
+++ b/SOURCES/webkitgtk-2.38.5.tar.xz.asc
@ -1,6 +0,0 @@
 -----BEGIN PGP SIGNATURE-----
 iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCY+yu2QAKCRDz0yLQ7EWC
 w7UkAKCS0EoptKZRn3/Z+WgGerHQEQXaFQCg51h2++dwb1bqVZ05Q1YtHmoT2gk=
 =or/S
 -----END PGP SIGNATURE-----
--- a/SOURCES/webkitgtk-2.40.5.tar.xz.asc
+++ b/SOURCES/webkitgtk-2.40.5.tar.xz.asc
@ -0,0 +1,6 @@
 -----BEGIN PGP SIGNATURE-----
 iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCZMjRYQAKCRDz0yLQ7EWC
 wwPPAJ0XUmEmSr4IFQWpbDfPOR9keXY+lwCfVLyOFL8T55psriGN4vkxVZqq+EM=
 =nGCs
 -----END PGP SIGNATURE-----
--- a/SPECS/webkit2gtk3.spec
+++ b/SPECS/webkit2gtk3.spec
@ -6,8 +6,8 @@
        cp -p %1 _license_files/$(echo '%1' | sed -e 's!/!.!g')
 Name:           webkit2gtk3
-Version:        2.38.5
+Version:        2.40.5
-Release:        1%{?dist}.5.alma
+Release:        1%{?dist}.alma.1
 Summary:        GTK Web content engine library
 License:        LGPLv2
@ -25,23 +25,28 @@ Patch0:         evolution-shared-secondary-process.patch
 # https://bugs.webkit.org/show_bug.cgi?id=235367
 Patch1:         icu60.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2209208
+# https://github.com/WebKit/WebKit/pull/14498
-Patch2:         CVE-2023-28204.patch
+Patch2:         glib-dep.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2185745
+
-Patch3:         CVE-2023-28205.patch
+# Partial revert of https://github.com/WebKit/WebKit/pull/6087
-# https://bugzilla.redhat.com/show_bug.cgi?id=2209214
+Patch3:         gstreamer-1.16.1.patch
-Patch4:         CVE-2023-32373.patch
+
 # Patches were taken from:
 # https://git.almalinux.org/rpms/webkit2gtk3/commit/876f553c6cd33386eb8b184bbc7618a1b03a2826	
 Patch4:         CVE-2023-42917.patch
 BuildRequires:  bison
 BuildRequires:  cmake
 BuildRequires:  flex
 BuildRequires:  gcc-c++
 BuildRequires:  gcc-toolset-13
 BuildRequires:  gettext
 BuildRequires:  git
 BuildRequires:  gperf
 BuildRequires:  hyphen-devel
 BuildRequires:  libatomic
 BuildRequires:  ninja-build
 BuildRequires:  openssl-devel
 BuildRequires:  perl(English)
 BuildRequires:  perl(FindBin)
 BuildRequires:  perl(JSON::PP)
@ -49,6 +54,8 @@ BuildRequires:  python3
 BuildRequires:  ruby
 BuildRequires:  rubygem-json
 BuildRequires:  rubygems
 BuildRequires:  shadow-utils
 BuildRequires:  unifdef
 BuildRequires:  pkgconfig(atspi-2)
 BuildRequires:  pkgconfig(cairo)
@ -61,16 +68,19 @@ BuildRequires:  pkgconfig(enchant-2)
 %endif
 BuildRequires:  pkgconfig(fontconfig)
 BuildRequires:  pkgconfig(freetype2)
 BuildRequires:  pkgconfig(gbm)
 BuildRequires:  pkgconfig(gl)
 BuildRequires:  pkgconfig(glib-2.0)
 BuildRequires:  pkgconfig(glesv2)
 BuildRequires:  pkgconfig(gobject-introspection-1.0)
 BuildRequires:  pkgconfig(gstreamer-1.0)
 BuildRequires:  pkgconfig(gstreamer-plugins-bad-1.0)
 BuildRequires:  pkgconfig(gstreamer-plugins-base-1.0)
 BuildRequires:  pkgconfig(gtk+-3.0)
 BuildRequires:  pkgconfig(harfbuzz)
 BuildRequires:  pkgconfig(icu-uc)
 BuildRequires:  pkgconfig(lcms2)
 BuildRequires:  pkgconfig(libdrm)
 BuildRequires:  pkgconfig(libjpeg)
 BuildRequires:  pkgconfig(libnotify)
 BuildRequires:  pkgconfig(libopenjp2)
@ -191,19 +201,27 @@ rm -rf Source/ThirdParty/qunit/
 %global optflags %(echo %{optflags} | sed 's/-g /-g1 /')
 %endif
-# bmalloc and JIT are disabled on aarch64 only in RHEL because of the nonstandard
+# The system GCC is too old to build WebKit, so use a GCC Toolset instead.
-# page size that's causing problems there. WebKit's build system sets appropriate
+# This prints warnings complaining that it should not be used except in
-# defaults for all other architectures, and all other distros except RHEL.
+# SCL scriplets, but I can't figure out any other way to make it work.
 source scl_source enable gcc-toolset-13
 # -DUSE_SYSTEM_MALLOC=ON is really bad for security, but libpas requires
 # __atomic_compare_exchange_16 which does not seem to be available.
 mkdir -p %{_target_platform}
 pushd %{_target_platform}
 %cmake \
  -GNinja \
  -DPORT=GTK \
  -DCMAKE_BUILD_TYPE=Release \
  -DUSE_SYSTEM_MALLOC=ON \
  -DENABLE_JIT=OFF \
  -DENABLE_BUBBLEWRAP_SANDBOX=OFF \
  -DENABLE_JIT=OFF \
  -DUSE_SOUP2=ON \
  -DUSE_AVIF=OFF \
  -DENABLE_DOCUMENTATION=OFF \
  -DUSE_GSTREAMER_TRANSCODER=OFF \
  -DENABLE_GAMEPAD=OFF \
 %if 0%{?rhel}
 %ifarch aarch64
@ -220,12 +238,11 @@ export NINJA_STATUS="[%f/%t][%e] "
 %install
 %ninja_install -C %{_target_platform}
-%find_lang WebKit2GTK-4.0
+%find_lang WebKitGTK-4.0
 # Finally, copy over and rename various files for %%license inclusion
 %add_to_license_files Source/JavaScriptCore/COPYING.LIB
 %add_to_license_files Source/ThirdParty/ANGLE/LICENSE
 %add_to_license_files Source/ThirdParty/ANGLE/src/common/third_party/smhasher/LICENSE
 %add_to_license_files Source/ThirdParty/ANGLE/src/third_party/libXNVCtrl/LICENSE
 %add_to_license_files Source/WebCore/LICENSE-APPLE
 %add_to_license_files Source/WebCore/LICENSE-LGPL-2
@ -237,7 +254,7 @@ export NINJA_STATUS="[%f/%t][%e] "
 %add_to_license_files Source/WTF/wtf/dtoa/COPYING
 %add_to_license_files Source/WTF/wtf/dtoa/LICENSE
-%files -f WebKit2GTK-4.0.lang
+%files -f WebKitGTK-4.0.lang
 %license _license_files/*ThirdParty*
 %license _license_files/*WebCore*
 %license _license_files/*WebInspectorUI*
@ -281,8 +298,18 @@ export NINJA_STATUS="[%f/%t][%e] "
 %{_datadir}/gir-1.0/JavaScriptCore-4.0.gir
 %changelog
-* Tue Jul 18 2023 Andrew Lukoshko <alukoshko@almalinux.org> - 2.38.5-1.5.alma
+* Tue Dec 12 2023 Eduard Abdullin <eabdullin@almalinux.org> - 2.40.5-1.1.alma.1
- Disable JIT (CVE-2023-32435, CVE-2023-32439)
+- Add patch for CVE-2023-42917
 * Tue Aug 01 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.40.5-1
 - Upgrade to 2.40.5. Also, disable JIT
  Resolves: #2176269
  Resolves: #2185742
  Resolves: #2209728
  Resolves: #2209745
  Resolves: #2218649
  Resolves: #2218651
  Resolves: #2224611
 * Thu May 25 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.4
 - Add patch for CVE-2023-28204
`@ -1,2 +1,2 @@`
	`SOURCES/webkitgtk-2.38.5.tar.xz`	`SOURCES/webkitgtk-2.40.5.tar.xz`
	`SOURCES/webkitgtk-keys.gpg`	`SOURCES/webkitgtk-keys.gpg`
`@ -1,2 +1,2 @@`
	`1774390c628bb3a524d4ed76f11de4a878078db6 SOURCES/webkitgtk-2.38.5.tar.xz`	`2f4d06b021115eb4106177f7d5f534f45b5d3b2e SOURCES/webkitgtk-2.40.5.tar.xz`
	`cf57cbbadf2a07c6ede1c886f9742b7d352460c0 SOURCES/webkitgtk-keys.gpg`	`cf57cbbadf2a07c6ede1c886f9742b7d352460c0 SOURCES/webkitgtk-keys.gpg`