rpms
/
webkit2gtk3
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import webkit2gtk3-2.38.5-1.el9_2.2

This commit is contained in:
CentOS Sources 2023-06-05 08:00:26 +00:00 committed by Stepan Oksanichenko
parent bf4ac994c8
commit b74bce62d4
3 changed files with 215 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

167
SOURCES/CVE-2023-28204.patch Normal file
View File

@ -0,0 +1,167 @@
From 8efa99e7b5d5a37aefb476cc27ee24c2be4da0c7 Mon Sep 17 00:00:00 2001
From: Michael Saboff <msaboff@apple.com>
Date: Mon, 22 May 2023 13:40:46 -0700
Subject: [PATCH] Cherry-pick 264365@main (698c6e293734).
https://bugs.webkit.org/show_bug.cgi?id=254930
[JSC] RegExpGlobalData::performMatch issue leading to OOB read
https://bugs.webkit.org/show_bug.cgi?id=254930
rdar://107436732
Reviewed by Alexey Shvayka.
Fixed two issues:
1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
characters. Since it is an assertion, we shouldn't advance the character position.
Made the same fix to matchAssertionEOL().
2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
a non-BMP character for the case where the RegExp match is empty.
* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
(JSC::Yarr::Interpreter::matchAssertionBOL):
(JSC::Yarr::Interpreter::matchAssertionEOL):
Originally-landed-as: 259548.551@safari-7615-branch (e34edaa74575). rdar://107436732
Canonical link: https://commits.webkit.org/264365@main
---
...place-regexp-matchBOL-correct-advancing.js | 35 ++++++++++++++++++
.../runtime/StringPrototype.cpp | 10 ++++++
.../JavaScriptCore/yarr/YarrInterpreter.cpp | 36 +++++++++++++++++--
3 files changed, 79 insertions(+), 2 deletions(-)
create mode 100644 JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
diff --git a/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
new file mode 100644
index 000000000000..25b1a70b81d2
--- /dev/null
+++ b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
@@ -0,0 +1,35 @@
+// Check that we don't advance for BOL assertions when matching a non-BMP character in the YARR interpreter
+// and that we do advance in String.replace() when processing an empty match.
+
+let expected = "|";
+
+for (let i = 0; i < 11; ++i)
+ expected += String.fromCodePoint(128512) + '|';
+
+let str = String.fromCodePoint(128512).repeat(11);
+
+let result1 = str.replace(/(?!(?=^a|()+()+x)(abc))/gmu, r => {
+ return '|';
+});
+
+
+if (result1 !== expected)
+ print("FAILED: \"" + result1 + " !== " + expected + '"');
+
+let result2= str.replace(/(?!(?=^a|x)(abc))/gmu, r => {
+ return '|';
+});
+
+if (result2 !== expected)
+ print("FAILED: \"" + result2 + " !== " + expected + '"');
+
+expected = "|" + String.fromCodePoint(128512);
+
+str = String.fromCodePoint(128512).repeat(1);
+
+let result3= str.replace(/(?!(?=^a|x)(abc))/mu, r => {
+ return '|';
+});
+
+if (result3 !== expected)
+ print("FAILED: \"" + result3 + " !== " + expected + '"');
diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
index 08104b1dbfa9..459295f728a7 100644
--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
}
} else {
@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
} while (global);
}
diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
index 95a848a1a66d..b1a22b253866 100644
--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
@@ -209,6 +209,38 @@ public:
}
return result;
}
+
+ int readCheckedDontAdvance(unsigned negativePositionOffest)
+ {
+ RELEASE_ASSERT(pos >= negativePositionOffest);
+ unsigned p = pos - negativePositionOffest;
+ ASSERT(p < length);
+ int result = input[p];
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
+ if (atEnd())
+ return -1;
+
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
+ }
+ return result;
+ }
+
+ // readForCharacterDump() is only for use by the DUMP_CURR_CHAR macro.
+ // We don't want any side effects like the next() in readChecked() above.
+ int readForCharacterDump(unsigned negativePositionOffest)
+ {
+ RELEASE_ASSERT(pos >= negativePositionOffest);
+ unsigned p = pos - negativePositionOffest;
+ ASSERT(p < length);
+ int result = input[p];
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
+ if (atEnd())
+ return -1;
+
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
+ }
+ return result;
+ }
int readSurrogatePairChecked(unsigned negativePositionOffset)
{
@@ -482,13 +514,13 @@ public:
bool matchAssertionBOL(ByteTerm& term)
{
- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
+ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
}
bool matchAssertionEOL(ByteTerm& term)
{
if (term.inputPosition)
- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
+ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read()));
}
--
2.40.1

36
SOURCES/CVE-2023-32373.patch Normal file
View File

@ -0,0 +1,36 @@
From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
From: Antoine Quint <graouts@webkit.org>
Date: Mon, 22 May 2023 13:37:32 -0700
Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
Reviewed by Dean Jackson and Darin Adler.
Ensure that the animation's effect and target are kept alive for the duration of this method
since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
these two pointers could be changed to a null value using the Web Animations API.
* Source/WebCore/animation/WebAnimation.cpp:
(WebCore::WebAnimation::commitStyles):
Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
Canonical link: https://commits.webkit.org/264363@main
---
Source/WebCore/animation/WebAnimation.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
index 68ea47985807..ae20c79c36cf 100644
--- a/Source/WebCore/animation/WebAnimation.cpp
+++ b/Source/WebCore/animation/WebAnimation.cpp
@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
// https://drafts.csswg.org/web-animations-1/#commit-computed-styles
// 1. Let targets be the set of all effect targets for animation effects associated with animation.
- auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
- auto* target = effect ? effect->target() : nullptr;
+ RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
+ RefPtr target = effect ? effect->target() : nullptr;
// 2. For each target in targets:
//

14
SPECS/webkit2gtk3.spec
View File

@ -12,7 +12,7 @@
Name: webkit2gtk3
Version: 2.38.5
Release: 1%{?dist}.1
Release: 1%{?dist}.2
Summary: GTK Web content engine library
License: LGPLv2
@ -24,8 +24,12 @@ Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc
# $ gpg --export --export-options export-minimal D7FCF61CF9A2DEAB31D81BD3F3D322D0EC4582C3 5AA3BC334FD7E3369E7C77B291C559DBE4C9123B > webkitgtk-keys.gpg
Source2: webkitgtk-keys.gpg
# https://bugzilla.redhat.com/show_bug.cgi?id=2209208
Patch0: CVE-2023-28204.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2185745
Patch0: CVE-2023-28205.patch
Patch1: CVE-2023-28205.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2209214
Patch2: CVE-2023-32373.patch
BuildRequires: bison
BuildRequires: bubblewrap
@ -290,6 +294,12 @@ export NINJA_STATUS="[%f/%t][%e] "
%{_datadir}/gir-1.0/JavaScriptCore-4.0.gir
%changelog
* Thu May 25 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.2
- Add patch for CVE-2023-28204
Resolves: #2209747
- Add patch for CVE-2023-32373
Resolves: #2209730
* Tue Apr 11 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.1
- Add patch for CVE-2023-28205
Resolves: #2185745