import webkit2gtk3-2.36.7-1.el9_1.3
This commit is contained in:
		
							parent
							
								
									38e5f49c6a
								
							
						
					
					
						commit
						d4fb4f80f9
					
				
							
								
								
									
										652
									
								
								SOURCES/CVE-2023-28205.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										652
									
								
								SOURCES/CVE-2023-28205.patch
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,652 @@ | |||||||
|  | From 162f94957f5a65aa0177bdea2b5810d44b637b5a Mon Sep 17 00:00:00 2001 | ||||||
|  | From: Mark Lam <mark.lam@apple.com> | ||||||
|  | Date: Fri, 31 Mar 2023 10:49:49 -0700 | ||||||
|  | Subject: [PATCH] Cherry-pick 259548.395@safari-7615.1.26.11-branch | ||||||
|  |  (1039f0c3235f). <bug> | ||||||
|  | 
 | ||||||
|  |     Cherry-pick 2c49ff7b0481. rdar://problem/107369977 | ||||||
|  | 
 | ||||||
|  |         CloneDeserializer::deserialize() should store cell pointers in a MarkedVector. | ||||||
|  |         https://bugs.webkit.org/show_bug.cgi?id=254797 | ||||||
|  |         rdar://107369977 | ||||||
|  | 
 | ||||||
|  |         Reviewed by Justin Michaud. | ||||||
|  | 
 | ||||||
|  |         Previously, CloneDeserializer::deserialize() was storing pointers to newly created objects | ||||||
|  |         in a few Vectors.  This is problematic because the GC is not aware of Vectors, and cannot | ||||||
|  |         scan them.  In this patch, we refactor the MarkedArgumentBuffer class into a MarkedVector | ||||||
|  |         template class that offer 2 enhancements: | ||||||
|  | 
 | ||||||
|  |         1. It can be configured to store specific types of cell pointer types.  This avoids us | ||||||
|  |            having to constantly cast JSValues into these pointers. | ||||||
|  | 
 | ||||||
|  |         2. It allows us to specify the type of OverflowHandler we want to use.  In this case, | ||||||
|  |            we want to use CrashOnOverflow.  The previous MarkedArgumentBuffer always assumes | ||||||
|  |            RecordOnOverflow.  This allows us to avoid having to manually check for overflows, | ||||||
|  |            or have to use appendWithCrashOnOverflow.  For our current needs, MarkedVector can be | ||||||
|  |            used as a drop in replacement for Vector. | ||||||
|  | 
 | ||||||
|  |         And we fix the CloneDeserializer::deserialize() issue by replacing the use of Vectors | ||||||
|  |         with MarkedVector instead. | ||||||
|  | 
 | ||||||
|  |         * Source/JavaScriptCore/heap/Heap.cpp: | ||||||
|  |         (JSC::Heap::addCoreConstraints): | ||||||
|  |         * Source/JavaScriptCore/heap/Heap.h: | ||||||
|  |         * Source/JavaScriptCore/heap/HeapInlines.h: | ||||||
|  |         * Source/JavaScriptCore/runtime/ArgList.cpp: | ||||||
|  |         (JSC::MarkedVectorBase::addMarkSet): | ||||||
|  |         (JSC::MarkedVectorBase::markLists): | ||||||
|  |         (JSC::MarkedVectorBase::slowEnsureCapacity): | ||||||
|  |         (JSC::MarkedVectorBase::expandCapacity): | ||||||
|  |         (JSC::MarkedVectorBase::slowAppend): | ||||||
|  |         (JSC::MarkedArgumentBufferBase::addMarkSet): Deleted. | ||||||
|  |         (JSC::MarkedArgumentBufferBase::markLists): Deleted. | ||||||
|  |         (JSC::MarkedArgumentBufferBase::slowEnsureCapacity): Deleted. | ||||||
|  |         (JSC::MarkedArgumentBufferBase::expandCapacity): Deleted. | ||||||
|  |         (JSC::MarkedArgumentBufferBase::slowAppend): Deleted. | ||||||
|  |         * Source/JavaScriptCore/runtime/ArgList.h: | ||||||
|  |         (JSC::MarkedVectorWithSize::MarkedVectorWithSize): | ||||||
|  |         (JSC::MarkedVectorWithSize::at const): | ||||||
|  |         (JSC::MarkedVectorWithSize::clear): | ||||||
|  |         (JSC::MarkedVectorWithSize::append): | ||||||
|  |         (JSC::MarkedVectorWithSize::appendWithCrashOnOverflow): | ||||||
|  |         (JSC::MarkedVectorWithSize::last const): | ||||||
|  |         (JSC::MarkedVectorWithSize::takeLast): | ||||||
|  |         (JSC::MarkedVectorWithSize::ensureCapacity): | ||||||
|  |         (JSC::MarkedVectorWithSize::hasOverflowed): | ||||||
|  |         (JSC::MarkedVectorWithSize::fill): | ||||||
|  |         (JSC::MarkedArgumentBufferWithSize::MarkedArgumentBufferWithSize): Deleted. | ||||||
|  |         * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp: | ||||||
|  |         (WebCore::AudioWorkletProcessor::buildJSArguments): | ||||||
|  |         * Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h: | ||||||
|  |         * Source/WebCore/bindings/js/SerializedScriptValue.cpp: | ||||||
|  |         (WebCore::CloneDeserializer::deserialize): | ||||||
|  | 
 | ||||||
|  |         Canonical link: https://commits.webkit.org/259548.530@safari-7615-branch | ||||||
|  | 
 | ||||||
|  |     Identifier: 259548.395@safari-7615.1.26.11-branch | ||||||
|  | ---
 | ||||||
|  |  Source/JavaScriptCore/heap/Heap.cpp           |   6 +- | ||||||
|  |  Source/JavaScriptCore/heap/Heap.h             |   8 +- | ||||||
|  |  Source/JavaScriptCore/heap/HeapInlines.h      |   6 +- | ||||||
|  |  Source/JavaScriptCore/runtime/ArgList.cpp     |  46 ++-- | ||||||
|  |  Source/JavaScriptCore/runtime/ArgList.h       | 206 ++++++++++-------- | ||||||
|  |  .../webaudio/AudioWorkletProcessor.cpp        |   4 +- | ||||||
|  |  .../Modules/webaudio/AudioWorkletProcessor.h  |   7 +- | ||||||
|  |  .../bindings/js/SerializedScriptValue.cpp     |  11 +- | ||||||
|  |  8 files changed, 160 insertions(+), 134 deletions(-) | ||||||
|  | 
 | ||||||
|  | diff --git a/Source/JavaScriptCore/heap/Heap.cpp b/Source/JavaScriptCore/heap/Heap.cpp
 | ||||||
|  | index 8e53ddead1fd..7e3f8487f3db 100644
 | ||||||
|  | --- a/Source/JavaScriptCore/heap/Heap.cpp
 | ||||||
|  | +++ b/Source/JavaScriptCore/heap/Heap.cpp
 | ||||||
|  | @@ -1,5 +1,5 @@
 | ||||||
|  |  /* | ||||||
|  | - *  Copyright (C) 2003-2022 Apple Inc. All rights reserved.
 | ||||||
|  | + *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.
 | ||||||
|  |   *  Copyright (C) 2007 Eric Seidel <eric@webkit.org> | ||||||
|  |   * | ||||||
|  |   *  This library is free software; you can redistribute it and/or | ||||||
|  | @@ -2836,9 +2836,9 @@ void Heap::addCoreConstraints()
 | ||||||
|  |                      visitor.appendUnbarriered(pair.key); | ||||||
|  |              } | ||||||
|  |               | ||||||
|  | -            if (m_markListSet && m_markListSet->size()) {
 | ||||||
|  | +            if (!m_markListSet.isEmpty()) {
 | ||||||
|  |                  SetRootMarkReasonScope rootScope(visitor, RootMarkReason::ConservativeScan); | ||||||
|  | -                MarkedArgumentBufferBase::markLists(visitor, *m_markListSet);
 | ||||||
|  | +                MarkedVectorBase::markLists(visitor, m_markListSet);
 | ||||||
|  |              } | ||||||
|  |   | ||||||
|  |              { | ||||||
|  | diff --git a/Source/JavaScriptCore/heap/Heap.h b/Source/JavaScriptCore/heap/Heap.h
 | ||||||
|  | index af0e4c46a6ce..fd8cf668baae 100644
 | ||||||
|  | --- a/Source/JavaScriptCore/heap/Heap.h
 | ||||||
|  | +++ b/Source/JavaScriptCore/heap/Heap.h
 | ||||||
|  | @@ -1,7 +1,7 @@
 | ||||||
|  |  /* | ||||||
|  |   *  Copyright (C) 1999-2000 Harri Porten (porten@kde.org) | ||||||
|  |   *  Copyright (C) 2001 Peter Kelly (pmk@post.com) | ||||||
|  | - *  Copyright (C) 2003-2022 Apple Inc. All rights reserved.
 | ||||||
|  | + *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.
 | ||||||
|  |   * | ||||||
|  |   *  This library is free software; you can redistribute it and/or | ||||||
|  |   *  modify it under the terms of the GNU Lesser General Public | ||||||
|  | @@ -85,7 +85,7 @@ class MarkStackArray;
 | ||||||
|  |  class MarkStackMergingConstraint; | ||||||
|  |  class MarkedJSValueRefArray; | ||||||
|  |  class BlockDirectory; | ||||||
|  | -class MarkedArgumentBufferBase;
 | ||||||
|  | +class MarkedVectorBase;
 | ||||||
|  |  class MarkingConstraint; | ||||||
|  |  class MarkingConstraintSet; | ||||||
|  |  class MutatorScheduler; | ||||||
|  | @@ -410,7 +410,7 @@ public:
 | ||||||
|  |      JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> protectedObjectTypeCounts(); | ||||||
|  |      JS_EXPORT_PRIVATE std::unique_ptr<TypeCountSet> objectTypeCounts(); | ||||||
|  |   | ||||||
|  | -    HashSet<MarkedArgumentBufferBase*>& markListSet();
 | ||||||
|  | +    HashSet<MarkedVectorBase*>& markListSet();
 | ||||||
|  |      void addMarkedJSValueRefArray(MarkedJSValueRefArray*); | ||||||
|  |       | ||||||
|  |      template<typename Functor> void forEachProtectedCell(const Functor&); | ||||||
|  | @@ -779,7 +779,7 @@ private:
 | ||||||
|  |      size_t m_deprecatedExtraMemorySize { 0 }; | ||||||
|  |   | ||||||
|  |      ProtectCountSet m_protectedValues; | ||||||
|  | -    std::unique_ptr<HashSet<MarkedArgumentBufferBase*>> m_markListSet;
 | ||||||
|  | +    HashSet<MarkedVectorBase*> m_markListSet;
 | ||||||
|  |      SentinelLinkedList<MarkedJSValueRefArray, BasicRawSentinelNode<MarkedJSValueRefArray>> m_markedJSValueRefArrays; | ||||||
|  |   | ||||||
|  |      std::unique_ptr<MachineThreads> m_machineThreads; | ||||||
|  | diff --git a/Source/JavaScriptCore/heap/HeapInlines.h b/Source/JavaScriptCore/heap/HeapInlines.h
 | ||||||
|  | index 39c06b659d9c..4d767a564d5f 100644
 | ||||||
|  | --- a/Source/JavaScriptCore/heap/HeapInlines.h
 | ||||||
|  | +++ b/Source/JavaScriptCore/heap/HeapInlines.h
 | ||||||
|  | @@ -206,11 +206,9 @@ inline void Heap::decrementDeferralDepthAndGCIfNeeded()
 | ||||||
|  |      } | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -inline HashSet<MarkedArgumentBufferBase*>& Heap::markListSet()
 | ||||||
|  | +inline HashSet<MarkedVectorBase*>& Heap::markListSet()
 | ||||||
|  |  { | ||||||
|  | -    if (!m_markListSet)
 | ||||||
|  | -        m_markListSet = makeUnique<HashSet<MarkedArgumentBufferBase*>>();
 | ||||||
|  | -    return *m_markListSet;
 | ||||||
|  | +    return m_markListSet;
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  inline void Heap::reportExtraMemoryAllocated(size_t size) | ||||||
|  | diff --git a/Source/JavaScriptCore/runtime/ArgList.cpp b/Source/JavaScriptCore/runtime/ArgList.cpp
 | ||||||
|  | index f2815b80c8c7..a72dea74a56f 100644
 | ||||||
|  | --- a/Source/JavaScriptCore/runtime/ArgList.cpp
 | ||||||
|  | +++ b/Source/JavaScriptCore/runtime/ArgList.cpp
 | ||||||
|  | @@ -1,5 +1,5 @@
 | ||||||
|  |  /* | ||||||
|  | - *  Copyright (C) 2003-2021 Apple Inc. All rights reserved.
 | ||||||
|  | + *  Copyright (C) 2003-2023 Apple Inc. All rights reserved.
 | ||||||
|  |   * | ||||||
|  |   *  This library is free software; you can redistribute it and/or | ||||||
|  |   *  modify it under the terms of the GNU Library General Public | ||||||
|  | @@ -27,7 +27,7 @@ using std::min;
 | ||||||
|  |   | ||||||
|  |  namespace JSC { | ||||||
|  |   | ||||||
|  | -void MarkedArgumentBufferBase::addMarkSet(JSValue v)
 | ||||||
|  | +void MarkedVectorBase::addMarkSet(JSValue v)
 | ||||||
|  |  { | ||||||
|  |      if (m_markSet) | ||||||
|  |          return; | ||||||
|  | @@ -52,47 +52,47 @@ void ArgList::getSlice(int startIndex, ArgList& result) const
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  template<typename Visitor> | ||||||
|  | -void MarkedArgumentBufferBase::markLists(Visitor& visitor, ListSet& markSet)
 | ||||||
|  | +void MarkedVectorBase::markLists(Visitor& visitor, ListSet& markSet)
 | ||||||
|  |  { | ||||||
|  |      ListSet::iterator end = markSet.end(); | ||||||
|  |      for (ListSet::iterator it = markSet.begin(); it != end; ++it) { | ||||||
|  | -        MarkedArgumentBufferBase* list = *it;
 | ||||||
|  | +        MarkedVectorBase* list = *it;
 | ||||||
|  |          for (int i = 0; i < list->m_size; ++i) | ||||||
|  |              visitor.appendUnbarriered(JSValue::decode(list->slotFor(i))); | ||||||
|  |      } | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -template void MarkedArgumentBufferBase::markLists(AbstractSlotVisitor&, ListSet&);
 | ||||||
|  | -template void MarkedArgumentBufferBase::markLists(SlotVisitor&, ListSet&);
 | ||||||
|  | +template void MarkedVectorBase::markLists(AbstractSlotVisitor&, ListSet&);
 | ||||||
|  | +template void MarkedVectorBase::markLists(SlotVisitor&, ListSet&);
 | ||||||
|  |   | ||||||
|  | -void MarkedArgumentBufferBase::slowEnsureCapacity(size_t requestedCapacity)
 | ||||||
|  | +auto MarkedVectorBase::slowEnsureCapacity(size_t requestedCapacity) -> Status
 | ||||||
|  |  { | ||||||
|  |      setNeedsOverflowCheck(); | ||||||
|  |      auto checkedNewCapacity = CheckedInt32(requestedCapacity); | ||||||
|  |      if (UNLIKELY(checkedNewCapacity.hasOverflowed())) | ||||||
|  | -        return this->overflowed();
 | ||||||
|  | -    expandCapacity(checkedNewCapacity);
 | ||||||
|  | +        return Status::Overflowed;
 | ||||||
|  | +    return expandCapacity(checkedNewCapacity);
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -void MarkedArgumentBufferBase::expandCapacity()
 | ||||||
|  | +auto MarkedVectorBase::expandCapacity() -> Status
 | ||||||
|  |  { | ||||||
|  |      setNeedsOverflowCheck(); | ||||||
|  |      auto checkedNewCapacity = CheckedInt32(m_capacity) * 2; | ||||||
|  |      if (UNLIKELY(checkedNewCapacity.hasOverflowed())) | ||||||
|  | -        return this->overflowed();
 | ||||||
|  | -    expandCapacity(checkedNewCapacity);
 | ||||||
|  | +        return Status::Overflowed;
 | ||||||
|  | +    return expandCapacity(checkedNewCapacity);
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
 | ||||||
|  | +auto MarkedVectorBase::expandCapacity(int newCapacity) -> Status
 | ||||||
|  |  { | ||||||
|  |      setNeedsOverflowCheck(); | ||||||
|  |      ASSERT(m_capacity < newCapacity); | ||||||
|  |      auto checkedSize = CheckedSize(newCapacity) * sizeof(EncodedJSValue); | ||||||
|  |      if (UNLIKELY(checkedSize.hasOverflowed())) | ||||||
|  | -        return this->overflowed();
 | ||||||
|  | +        return Status::Overflowed;
 | ||||||
|  |      EncodedJSValue* newBuffer = static_cast<EncodedJSValue*>(Gigacage::tryMalloc(Gigacage::JSValue, checkedSize)); | ||||||
|  |      if (!newBuffer) | ||||||
|  | -        return this->overflowed();
 | ||||||
|  | +        return Status::Overflowed;
 | ||||||
|  |      for (int i = 0; i < m_size; ++i) { | ||||||
|  |          newBuffer[i] = m_buffer[i]; | ||||||
|  |          addMarkSet(JSValue::decode(m_buffer[i])); | ||||||
|  | @@ -103,21 +103,23 @@ void MarkedArgumentBufferBase::expandCapacity(int newCapacity)
 | ||||||
|  |   | ||||||
|  |      m_buffer = newBuffer; | ||||||
|  |      m_capacity = newCapacity; | ||||||
|  | +    return Status::Success;
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -void MarkedArgumentBufferBase::slowAppend(JSValue v)
 | ||||||
|  | +auto MarkedVectorBase::slowAppend(JSValue v) -> Status
 | ||||||
|  |  { | ||||||
|  |      ASSERT(m_size <= m_capacity); | ||||||
|  | -    if (m_size == m_capacity)
 | ||||||
|  | -        expandCapacity();
 | ||||||
|  | -    if (UNLIKELY(Base::hasOverflowed())) {
 | ||||||
|  | -        ASSERT(m_needsOverflowCheck);
 | ||||||
|  | -        return;
 | ||||||
|  | +    if (m_size == m_capacity) {
 | ||||||
|  | +        auto status = expandCapacity();
 | ||||||
|  | +        if (status == Status::Overflowed) {
 | ||||||
|  | +            ASSERT(m_needsOverflowCheck);
 | ||||||
|  | +            return status;
 | ||||||
|  | +        }
 | ||||||
|  |      } | ||||||
|  | -
 | ||||||
|  |      slotFor(m_size) = JSValue::encode(v); | ||||||
|  |      ++m_size; | ||||||
|  |      addMarkSet(v); | ||||||
|  | +    return Status::Success;
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  } // namespace JSC | ||||||
|  | diff --git a/Source/JavaScriptCore/runtime/ArgList.h b/Source/JavaScriptCore/runtime/ArgList.h
 | ||||||
|  | index 8ea9b0e308b8..07632263266b 100644
 | ||||||
|  | --- a/Source/JavaScriptCore/runtime/ArgList.h
 | ||||||
|  | +++ b/Source/JavaScriptCore/runtime/ArgList.h
 | ||||||
|  | @@ -28,20 +28,20 @@
 | ||||||
|  |   | ||||||
|  |  namespace JSC { | ||||||
|  |   | ||||||
|  | -class alignas(alignof(EncodedJSValue)) MarkedArgumentBufferBase : public RecordOverflow {
 | ||||||
|  | -    WTF_MAKE_NONCOPYABLE(MarkedArgumentBufferBase);
 | ||||||
|  | -    WTF_MAKE_NONMOVABLE(MarkedArgumentBufferBase);
 | ||||||
|  | +class alignas(alignof(EncodedJSValue)) MarkedVectorBase {
 | ||||||
|  | +    WTF_MAKE_NONCOPYABLE(MarkedVectorBase);
 | ||||||
|  | +    WTF_MAKE_NONMOVABLE(MarkedVectorBase);
 | ||||||
|  |      WTF_FORBID_HEAP_ALLOCATION; | ||||||
|  |      friend class VM; | ||||||
|  |      friend class ArgList; | ||||||
|  |   | ||||||
|  | +protected:
 | ||||||
|  | +    enum class Status { Success, Overflowed };
 | ||||||
|  |  public: | ||||||
|  | -    using Base = RecordOverflow;
 | ||||||
|  | -    typedef HashSet<MarkedArgumentBufferBase*> ListSet;
 | ||||||
|  | +    typedef HashSet<MarkedVectorBase*> ListSet;
 | ||||||
|  |   | ||||||
|  | -    ~MarkedArgumentBufferBase()
 | ||||||
|  | +    ~MarkedVectorBase()
 | ||||||
|  |      { | ||||||
|  | -        ASSERT(!m_needsOverflowCheck);
 | ||||||
|  |          if (m_markSet) | ||||||
|  |              m_markSet->remove(this); | ||||||
|  |   | ||||||
|  | @@ -52,92 +52,20 @@ public:
 | ||||||
|  |      size_t size() const { return m_size; } | ||||||
|  |      bool isEmpty() const { return !m_size; } | ||||||
|  |   | ||||||
|  | -    JSValue at(int i) const
 | ||||||
|  | -    {
 | ||||||
|  | -        if (i >= m_size)
 | ||||||
|  | -            return jsUndefined();
 | ||||||
|  | -
 | ||||||
|  | -        return JSValue::decode(slotFor(i));
 | ||||||
|  | -    }
 | ||||||
|  | -
 | ||||||
|  | -    void clear()
 | ||||||
|  | -    {
 | ||||||
|  | -        ASSERT(!m_needsOverflowCheck);
 | ||||||
|  | -        clearOverflow();
 | ||||||
|  | -        m_size = 0;
 | ||||||
|  | -    }
 | ||||||
|  | -
 | ||||||
|  | -    enum OverflowCheckAction {
 | ||||||
|  | -        CrashOnOverflow,
 | ||||||
|  | -        WillCheckLater
 | ||||||
|  | -    };
 | ||||||
|  | -    template<OverflowCheckAction action>
 | ||||||
|  | -    void appendWithAction(JSValue v)
 | ||||||
|  | -    {
 | ||||||
|  | -        ASSERT(m_size <= m_capacity);
 | ||||||
|  | -        if (m_size == m_capacity || mallocBase()) {
 | ||||||
|  | -            slowAppend(v);
 | ||||||
|  | -            if (action == CrashOnOverflow)
 | ||||||
|  | -                RELEASE_ASSERT(!hasOverflowed());
 | ||||||
|  | -            return;
 | ||||||
|  | -        }
 | ||||||
|  | -
 | ||||||
|  | -        slotFor(m_size) = JSValue::encode(v);
 | ||||||
|  | -        ++m_size;
 | ||||||
|  | -    }
 | ||||||
|  | -    void append(JSValue v) { appendWithAction<WillCheckLater>(v); }
 | ||||||
|  | -    void appendWithCrashOnOverflow(JSValue v) { appendWithAction<CrashOnOverflow>(v); }
 | ||||||
|  | -
 | ||||||
|  |      void removeLast() | ||||||
|  |      {  | ||||||
|  |          ASSERT(m_size); | ||||||
|  |          m_size--; | ||||||
|  |      } | ||||||
|  |   | ||||||
|  | -    JSValue last() 
 | ||||||
|  | -    {
 | ||||||
|  | -        ASSERT(m_size);
 | ||||||
|  | -        return JSValue::decode(slotFor(m_size - 1));
 | ||||||
|  | -    }
 | ||||||
|  | -
 | ||||||
|  | -    JSValue takeLast()
 | ||||||
|  | -    {
 | ||||||
|  | -        JSValue result = last();
 | ||||||
|  | -        removeLast();
 | ||||||
|  | -        return result;
 | ||||||
|  | -    }
 | ||||||
|  | -        
 | ||||||
|  |      template<typename Visitor> static void markLists(Visitor&, ListSet&); | ||||||
|  |   | ||||||
|  | -    void ensureCapacity(size_t requestedCapacity)
 | ||||||
|  | -    {
 | ||||||
|  | -        if (requestedCapacity > static_cast<size_t>(m_capacity))
 | ||||||
|  | -            slowEnsureCapacity(requestedCapacity);
 | ||||||
|  | -    }
 | ||||||
|  | -
 | ||||||
|  | -    bool hasOverflowed()
 | ||||||
|  | -    {
 | ||||||
|  | -        clearNeedsOverflowCheck();
 | ||||||
|  | -        return Base::hasOverflowed();
 | ||||||
|  | -    }
 | ||||||
|  | -
 | ||||||
|  |      void overflowCheckNotNeeded() { clearNeedsOverflowCheck(); } | ||||||
|  |   | ||||||
|  | -    template<typename Functor>
 | ||||||
|  | -    void fill(size_t count, const Functor& func)
 | ||||||
|  | -    {
 | ||||||
|  | -        ASSERT(!m_size);
 | ||||||
|  | -        ensureCapacity(count);
 | ||||||
|  | -        if (Base::hasOverflowed())
 | ||||||
|  | -            return;
 | ||||||
|  | -        m_size = count;
 | ||||||
|  | -        func(reinterpret_cast<JSValue*>(&slotFor(0)));
 | ||||||
|  | -    }
 | ||||||
|  | -
 | ||||||
|  |  protected: | ||||||
|  |      // Constructor for a read-write list, to which you may append values. | ||||||
|  |      // FIXME: Remove all clients of this API, then remove this API. | ||||||
|  | -    MarkedArgumentBufferBase(size_t capacity)
 | ||||||
|  | +    MarkedVectorBase(size_t capacity)
 | ||||||
|  |          : m_size(0) | ||||||
|  |          , m_capacity(capacity) | ||||||
|  |          , m_buffer(inlineBuffer()) | ||||||
|  | @@ -147,17 +75,16 @@ protected:
 | ||||||
|  |   | ||||||
|  |      EncodedJSValue* inlineBuffer() | ||||||
|  |      { | ||||||
|  | -        return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedArgumentBufferBase));
 | ||||||
|  | +        return bitwise_cast<EncodedJSValue*>(bitwise_cast<uint8_t*>(this) + sizeof(MarkedVectorBase));
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  | -private:
 | ||||||
|  | -    void expandCapacity();
 | ||||||
|  | -    void expandCapacity(int newCapacity);
 | ||||||
|  | -    void slowEnsureCapacity(size_t requestedCapacity);
 | ||||||
|  | +    Status expandCapacity();
 | ||||||
|  | +    Status expandCapacity(int newCapacity);
 | ||||||
|  | +    Status slowEnsureCapacity(size_t requestedCapacity);
 | ||||||
|  |   | ||||||
|  |      void addMarkSet(JSValue); | ||||||
|  |   | ||||||
|  | -    JS_EXPORT_PRIVATE void slowAppend(JSValue);
 | ||||||
|  | +    JS_EXPORT_PRIVATE Status slowAppend(JSValue);
 | ||||||
|  |   | ||||||
|  |      EncodedJSValue& slotFor(int item) const | ||||||
|  |      { | ||||||
|  | @@ -172,11 +99,14 @@ private:
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  |  #if ASSERT_ENABLED | ||||||
|  | -    void setNeedsOverflowCheck() { m_needsOverflowCheck = true; }
 | ||||||
|  | +    void disableNeedsOverflowCheck() { m_overflowCheckEnabled = false; }
 | ||||||
|  | +    void setNeedsOverflowCheck() { m_needsOverflowCheck = m_overflowCheckEnabled; }
 | ||||||
|  |      void clearNeedsOverflowCheck() { m_needsOverflowCheck = false; } | ||||||
|  |   | ||||||
|  |      bool m_needsOverflowCheck { false }; | ||||||
|  | +    bool m_overflowCheckEnabled { true };
 | ||||||
|  |  #else | ||||||
|  | +    void disableNeedsOverflowCheck() { }
 | ||||||
|  |      void setNeedsOverflowCheck() { } | ||||||
|  |      void clearNeedsOverflowCheck() { } | ||||||
|  |  #endif // ASSERT_ENABLED | ||||||
|  | @@ -186,22 +116,114 @@ private:
 | ||||||
|  |      ListSet* m_markSet; | ||||||
|  |  }; | ||||||
|  |   | ||||||
|  | -template<size_t passedInlineCapacity = 8>
 | ||||||
|  | -class MarkedArgumentBufferWithSize : public MarkedArgumentBufferBase {
 | ||||||
|  | +template<typename T, size_t passedInlineCapacity = 8, class OverflowHandler = CrashOnOverflow>
 | ||||||
|  | +class MarkedVector : public OverflowHandler, public MarkedVectorBase  {
 | ||||||
|  |  public: | ||||||
|  |      static constexpr size_t inlineCapacity = passedInlineCapacity; | ||||||
|  |   | ||||||
|  | -    MarkedArgumentBufferWithSize()
 | ||||||
|  | -        : MarkedArgumentBufferBase(inlineCapacity)
 | ||||||
|  | +    MarkedVector()
 | ||||||
|  | +        : MarkedVectorBase(inlineCapacity)
 | ||||||
|  |      { | ||||||
|  |          ASSERT(inlineBuffer() == m_inlineBuffer); | ||||||
|  | +        if constexpr (std::is_same_v<OverflowHandler, CrashOnOverflow>) {
 | ||||||
|  | +            // CrashOnOverflow handles overflows immediately. So, we do not
 | ||||||
|  | +            // need to check for it after.
 | ||||||
|  | +            disableNeedsOverflowCheck();
 | ||||||
|  | +        }
 | ||||||
|  | +    }
 | ||||||
|  | +
 | ||||||
|  | +    auto at(int i) const -> decltype(auto)
 | ||||||
|  | +    {
 | ||||||
|  | +        if constexpr (std::is_same_v<T, JSValue>) {
 | ||||||
|  | +            if (i >= m_size)
 | ||||||
|  | +                return jsUndefined();
 | ||||||
|  | +            return JSValue::decode(slotFor(i));
 | ||||||
|  | +        } else {
 | ||||||
|  | +            if (i >= m_size)
 | ||||||
|  | +                return static_cast<T>(nullptr);
 | ||||||
|  | +            return jsCast<T>(JSValue::decode(slotFor(i)).asCell());
 | ||||||
|  | +        }
 | ||||||
|  | +    }
 | ||||||
|  | +
 | ||||||
|  | +    void clear()
 | ||||||
|  | +    {
 | ||||||
|  | +        ASSERT(!m_needsOverflowCheck);
 | ||||||
|  | +        OverflowHandler::clearOverflow();
 | ||||||
|  | +        m_size = 0;
 | ||||||
|  | +    }
 | ||||||
|  | +
 | ||||||
|  | +    void append(T v)
 | ||||||
|  | +    {
 | ||||||
|  | +        ASSERT(m_size <= m_capacity);
 | ||||||
|  | +        if (m_size == m_capacity || mallocBase()) {
 | ||||||
|  | +            if (slowAppend(v) == Status::Overflowed)
 | ||||||
|  | +                this->overflowed();
 | ||||||
|  | +            return;
 | ||||||
|  | +        }
 | ||||||
|  | +
 | ||||||
|  | +        slotFor(m_size) = JSValue::encode(v);
 | ||||||
|  | +        ++m_size;
 | ||||||
|  | +    }
 | ||||||
|  | +
 | ||||||
|  | +    void appendWithCrashOnOverflow(T v)
 | ||||||
|  | +    {
 | ||||||
|  | +        append(v);
 | ||||||
|  | +        if constexpr (!std::is_same<OverflowHandler, CrashOnOverflow>::value)
 | ||||||
|  | +            RELEASE_ASSERT(!this->hasOverflowed());
 | ||||||
|  | +    }
 | ||||||
|  | +
 | ||||||
|  | +    auto last() const -> decltype(auto)
 | ||||||
|  | +    {
 | ||||||
|  | +        if constexpr (std::is_same_v<T, JSValue>) {
 | ||||||
|  | +            ASSERT(m_size);
 | ||||||
|  | +            return JSValue::decode(slotFor(m_size - 1));
 | ||||||
|  | +        } else {
 | ||||||
|  | +            ASSERT(m_size);
 | ||||||
|  | +            return jsCast<T>(JSValue::decode(slotFor(m_size - 1)).asCell());
 | ||||||
|  | +        }
 | ||||||
|  | +    }
 | ||||||
|  | +
 | ||||||
|  | +    JSValue takeLast()
 | ||||||
|  | +    {
 | ||||||
|  | +        JSValue result = last();
 | ||||||
|  | +        removeLast();
 | ||||||
|  | +        return result;
 | ||||||
|  | +    }
 | ||||||
|  | +
 | ||||||
|  | +    void ensureCapacity(size_t requestedCapacity)
 | ||||||
|  | +    {
 | ||||||
|  | +        if (requestedCapacity > static_cast<size_t>(m_capacity)) {
 | ||||||
|  | +            if (slowEnsureCapacity(requestedCapacity) == Status::Overflowed)
 | ||||||
|  | +                this->overflowed();
 | ||||||
|  | +        }
 | ||||||
|  | +    }
 | ||||||
|  | +
 | ||||||
|  | +    bool hasOverflowed()
 | ||||||
|  | +    {
 | ||||||
|  | +        clearNeedsOverflowCheck();
 | ||||||
|  | +        return OverflowHandler::hasOverflowed();
 | ||||||
|  | +    }
 | ||||||
|  | +
 | ||||||
|  | +    template<typename Functor>
 | ||||||
|  | +    void fill(size_t count, const Functor& func)
 | ||||||
|  | +    {
 | ||||||
|  | +        ASSERT(!m_size);
 | ||||||
|  | +        ensureCapacity(count);
 | ||||||
|  | +        if (OverflowHandler::hasOverflowed())
 | ||||||
|  | +            return;
 | ||||||
|  | +        m_size = count;
 | ||||||
|  | +        func(reinterpret_cast<JSValue*>(&slotFor(0)));
 | ||||||
|  |      } | ||||||
|  |   | ||||||
|  |  private: | ||||||
|  |      EncodedJSValue m_inlineBuffer[inlineCapacity] { }; | ||||||
|  |  }; | ||||||
|  |   | ||||||
|  | -using MarkedArgumentBuffer = MarkedArgumentBufferWithSize<>;
 | ||||||
|  | +template<size_t passedInlineCapacity>
 | ||||||
|  | +class MarkedArgumentBufferWithSize : public MarkedVector<JSValue, passedInlineCapacity, RecordOverflow> {
 | ||||||
|  | +};
 | ||||||
|  | +
 | ||||||
|  | +using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;
 | ||||||
|  |   | ||||||
|  |  class ArgList { | ||||||
|  |      WTF_MAKE_FAST_ALLOCATED; | ||||||
|  | diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
 | ||||||
|  | index c8c486a6e9a6..4f0a26574132 100644
 | ||||||
|  | --- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
 | ||||||
|  | +++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.cpp
 | ||||||
|  | @@ -1,5 +1,5 @@
 | ||||||
|  |  /* | ||||||
|  | - * Copyright (C) 2020 Apple Inc. All rights reserved.
 | ||||||
|  | + * Copyright (C) 2020-2023 Apple Inc. All rights reserved.
 | ||||||
|  |   * | ||||||
|  |   * Redistribution and use in source and binary forms, with or without | ||||||
|  |   * modification, are permitted provided that the following conditions | ||||||
|  | @@ -218,7 +218,7 @@ AudioWorkletProcessor::AudioWorkletProcessor(AudioWorkletGlobalScope& globalScop
 | ||||||
|  |      ASSERT(!isMainThread()); | ||||||
|  |  } | ||||||
|  |   | ||||||
|  | -void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBufferBase& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const HashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)
 | ||||||
|  | +void AudioWorkletProcessor::buildJSArguments(VM& vm, JSGlobalObject& globalObject, MarkedArgumentBuffer& args, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const HashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap)
 | ||||||
|  |  { | ||||||
|  |      // For performance reasons, we cache the arrays passed to JS and reconstruct them only when the topology changes. | ||||||
|  |      if (!copyDataFromBusesToJSArray(vm, globalObject, inputs, toJSArray(m_jsInputs))) | ||||||
|  | diff --git a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
 | ||||||
|  | index 7d256ea557bb..9ad78225ee51 100644
 | ||||||
|  | --- a/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
 | ||||||
|  | +++ b/Source/WebCore/Modules/webaudio/AudioWorkletProcessor.h
 | ||||||
|  | @@ -1,5 +1,5 @@
 | ||||||
|  |  /* | ||||||
|  | - * Copyright (C) 2020 Apple Inc. All rights reserved.
 | ||||||
|  | + * Copyright (C) 2020-2023 Apple Inc. All rights reserved.
 | ||||||
|  |   * | ||||||
|  |   * Redistribution and use in source and binary forms, with or without | ||||||
|  |   * modification, are permitted provided that the following conditions | ||||||
|  | @@ -40,7 +40,8 @@
 | ||||||
|  |   | ||||||
|  |  namespace JSC { | ||||||
|  |  class JSArray; | ||||||
|  | -class MarkedArgumentBufferBase;
 | ||||||
|  | +template<typename T, size_t, class> class MarkedVector;
 | ||||||
|  | +using MarkedArgumentBuffer = MarkedVector<JSValue, 8, RecordOverflow>;
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  namespace WebCore { | ||||||
|  | @@ -69,7 +70,7 @@ public:
 | ||||||
|  |   | ||||||
|  |  private: | ||||||
|  |      explicit AudioWorkletProcessor(AudioWorkletGlobalScope&, const AudioWorkletProcessorConstructionData&); | ||||||
|  | -    void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBufferBase&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const HashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);
 | ||||||
|  | +    void buildJSArguments(JSC::VM&, JSC::JSGlobalObject&, JSC::MarkedArgumentBuffer&, const Vector<RefPtr<AudioBus>>& inputs, Vector<Ref<AudioBus>>& outputs, const HashMap<String, std::unique_ptr<AudioFloatArray>>& paramValuesMap);
 | ||||||
|  |   | ||||||
|  |      AudioWorkletGlobalScope& m_globalScope; | ||||||
|  |      String m_name; | ||||||
|  | diff --git a/Source/WebCore/bindings/js/SerializedScriptValue.cpp b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
 | ||||||
|  | index 2e6038948a8a..a9841fe057b8 100644
 | ||||||
|  | --- a/Source/WebCore/bindings/js/SerializedScriptValue.cpp
 | ||||||
|  | +++ b/Source/WebCore/bindings/js/SerializedScriptValue.cpp
 | ||||||
|  | @@ -539,6 +539,7 @@ static const unsigned StringDataIs8BitFlag = 0x80000000;
 | ||||||
|  |  using DeserializationResult = std::pair<JSC::JSValue, SerializationReturnCode>; | ||||||
|  |   | ||||||
|  |  class CloneBase { | ||||||
|  | +    WTF_FORBID_HEAP_ALLOCATION;
 | ||||||
|  |  protected: | ||||||
|  |      CloneBase(JSGlobalObject* lexicalGlobalObject) | ||||||
|  |          : m_lexicalGlobalObject(lexicalGlobalObject) | ||||||
|  | @@ -616,6 +617,7 @@ template <> bool writeLittleEndian<uint8_t>(Vector<uint8_t>& buffer, const uint8
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  class CloneSerializer : CloneBase { | ||||||
|  | +    WTF_FORBID_HEAP_ALLOCATION;
 | ||||||
|  |  public: | ||||||
|  |      static SerializationReturnCode serialize(JSGlobalObject* lexicalGlobalObject, JSValue value, Vector<RefPtr<MessagePort>>& messagePorts, Vector<RefPtr<JSC::ArrayBuffer>>& arrayBuffers, const Vector<RefPtr<ImageBitmap>>& imageBitmaps, | ||||||
|  |  #if ENABLE(OFFSCREEN_CANVAS_IN_WORKERS) | ||||||
|  | @@ -2148,6 +2150,7 @@ SerializationReturnCode CloneSerializer::serialize(JSValue in)
 | ||||||
|  |  } | ||||||
|  |   | ||||||
|  |  class CloneDeserializer : CloneBase { | ||||||
|  | +    WTF_FORBID_HEAP_ALLOCATION;
 | ||||||
|  |  public: | ||||||
|  |      static String deserializeString(const Vector<uint8_t>& buffer) | ||||||
|  |      { | ||||||
|  | @@ -3920,10 +3923,10 @@ DeserializationResult CloneDeserializer::deserialize()
 | ||||||
|  |   | ||||||
|  |      Vector<uint32_t, 16> indexStack; | ||||||
|  |      Vector<Identifier, 16> propertyNameStack; | ||||||
|  | -    Vector<JSObject*, 32> outputObjectStack;
 | ||||||
|  | -    Vector<JSValue, 4> mapKeyStack;
 | ||||||
|  | -    Vector<JSMap*, 4> mapStack;
 | ||||||
|  | -    Vector<JSSet*, 4> setStack;
 | ||||||
|  | +    MarkedVector<JSObject*, 32> outputObjectStack;
 | ||||||
|  | +    MarkedVector<JSValue, 4> mapKeyStack;
 | ||||||
|  | +    MarkedVector<JSMap*, 4> mapStack;
 | ||||||
|  | +    MarkedVector<JSSet*, 4> setStack;
 | ||||||
|  |      Vector<WalkerState, 16> stateStack; | ||||||
|  |      WalkerState lexicalGlobalObject = StateUnknown; | ||||||
|  |      JSValue outValue; | ||||||
|  | -- 
 | ||||||
|  | 2.40.0 | ||||||
|  | 
 | ||||||
| @ -17,7 +17,7 @@ | |||||||
| 
 | 
 | ||||||
| Name:           webkit2gtk3 | Name:           webkit2gtk3 | ||||||
| Version:        2.36.7 | Version:        2.36.7 | ||||||
| Release:        1%{?dist}.2 | Release:        1%{?dist}.3 | ||||||
| Summary:        GTK Web content engine library | Summary:        GTK Web content engine library | ||||||
| 
 | 
 | ||||||
| License:        LGPLv2 | License:        LGPLv2 | ||||||
| @ -37,9 +37,10 @@ Patch0:         aarch64-page-size.patch | |||||||
| 
 | 
 | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2153683 | # https://bugzilla.redhat.com/show_bug.cgi?id=2153683 | ||||||
| Patch1:         CVE-2022-42856.patch | Patch1:         CVE-2022-42856.patch | ||||||
| 
 |  | ||||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=2169934 | # https://bugzilla.redhat.com/show_bug.cgi?id=2169934 | ||||||
| Patch2:         CVE-2023-23529.patch | Patch2:         CVE-2023-23529.patch | ||||||
|  | # https://bugzilla.redhat.com/show_bug.cgi?id=2185744 | ||||||
|  | Patch3:         CVE-2023-28205.patch | ||||||
| 
 | 
 | ||||||
| BuildRequires:  bison | BuildRequires:  bison | ||||||
| BuildRequires:  bubblewrap | BuildRequires:  bubblewrap | ||||||
| @ -326,6 +327,10 @@ export NINJA_STATUS="[%f/%t][%e] " | |||||||
| %endif | %endif | ||||||
| 
 | 
 | ||||||
| %changelog | %changelog | ||||||
|  | * Tue Apr 11 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.3 | ||||||
|  | - Add patch for CVE-2023-28205 | ||||||
|  |   Resolves: #2185744 | ||||||
|  | 
 | ||||||
| * Wed Feb 15 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.2 | * Wed Feb 15 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.36.7-1.2 | ||||||
| - Add patch for CVE-2023-23529 | - Add patch for CVE-2023-23529 | ||||||
|   Resolves: #2170000 |   Resolves: #2170000 | ||||||
|  | |||||||
		Loading…
	
		Reference in New Issue
	
	Block a user