packages/webkitgtk
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: packages:a5270917114401ccb04e247a8812373486af6cd8
Branches Tags
packages:main
..
compare: packages:1778d4775e9e66eba6cfbe556aa1d00a88fbf7f0
Branches Tags
packages:main

No commits in common. "a5270917114401ccb04e247a8812373486af6cd8" and "1778d4775e9e66eba6cfbe556aa1d00a88fbf7f0" have entirely different histories.
a527091711 ... 1778d4775e

10 changed files with 20 additions and 326 deletions
Show Stats Expand all files Collapse all files

2
webkitgtk-add-loongarch-and-sw.patch → 0001-webkitgtk-add-loongarch.patch
View File

@ -5,7 +5,7 @@
defined(_POWER) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
defined(__sparc__) || defined(__sparc) || defined(__s390__) || \
- defined(__SH4__) || defined(__alpha__) || \
+ defined(__SH4__) || defined(__alpha__) || defined(__loongarch64) || defined(__sw_64__) || \
+ defined(__SH4__) || defined(__alpha__) || defined(__loongarch64) || \
defined(_MIPS_ARCH_MIPS32R2) || \
defined(__AARCH64EL__) || defined(__aarch64__) || defined(__AARCH64EB__) || \
defined(__riscv) || \

102
backport-CVE-2023-28204.patch
View File

@ -1,102 +0,0 @@
From e34edaa74575ee13efcebdb7672b949a743ab32a Mon Sep 17 00:00:00 2001
From: Michael Saboff <msaboff@apple.com>
Date: Mon, 3 Apr 2023 20:25:08 -0700
Subject: [PATCH] [JSC] RegExpGlobalData::performMatch issue leading to OOB
read https://bugs.webkit.org/show_bug.cgi?id=254930 rdar://107436732
Reviewed by Alexey Shvayka.
Fixed two issues:
1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
characters. Since it is an assertion, we shouldn't advance the character position.
Made the same fix to matchAssertionEOL().
2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
a non-BMP character for the case where the RegExp match is empty.
* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
(JSC::Yarr::Interpreter::matchAssertionBOL):
(JSC::Yarr::Interpreter::matchAssertionEOL):
Canonical link: https://commits.webkit.org/259548.551@safari-7615-branch
---
.../runtime/StringPrototype.cpp | 10 ++++++++++
.../JavaScriptCore/yarr/YarrInterpreter.cpp | 19 +++++++++++++++++--
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
index 08104b1d..459295f7 100644
--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
}
} else {
@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
} while (global);
}
diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
index 95a848a1..d222e620 100644
--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
@@ -209,6 +209,21 @@ public:
}
return result;
}
+
+ int readCheckedDontAdvance(unsigned negativePositionOffest)
+ {
+ RELEASE_ASSERT(pos >= negativePositionOffest);
+ unsigned p = pos - negativePositionOffest;
+ ASSERT(p < length);
+ int result = input[p];
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
+ if (atEnd())
+ return -1;
+
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
+ }
+ return result;
+ }
int readSurrogatePairChecked(unsigned negativePositionOffset)
{
@@ -482,13 +497,13 @@ public:
bool matchAssertionBOL(ByteTerm& term)
{
- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
+ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
}
bool matchAssertionEOL(ByteTerm& term)
{
if (term.inputPosition)
- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
+ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read()));
}
--
2.33.0

36
backport-CVE-2023-32373.patch
View File

@ -1,36 +0,0 @@
From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
From: Antoine Quint <graouts@webkit.org>
Date: Mon, 22 May 2023 13:37:32 -0700
Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
Reviewed by Dean Jackson and Darin Adler.
Ensure that the animation's effect and target are kept alive for the duration of this method
since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
these two pointers could be changed to a null value using the Web Animations API.
* Source/WebCore/animation/WebAnimation.cpp:
(WebCore::WebAnimation::commitStyles):
Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
Canonical link: https://commits.webkit.org/264363@main
---
Source/WebCore/animation/WebAnimation.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
index 68ea47985807..ae20c79c36cf 100644
--- a/Source/WebCore/animation/WebAnimation.cpp
+++ b/Source/WebCore/animation/WebAnimation.cpp
@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
// https://drafts.csswg.org/web-animations-1/#commit-computed-styles
// 1. Let targets be the set of all effect targets for animation effects associated with animation.
- auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
- auto* target = effect ? effect->target() : nullptr;
+ RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
+ RefPtr target = effect ? effect->target() : nullptr;
// 2. For each target in targets:
//

32
backport-CVE-2023-32409.patch
View File

@ -1,32 +0,0 @@
From 54408f5746f2401721bd56d71de132a22b6f9856 Mon Sep 17 00:00:00 2001
From: Mike Wyrzykowski <mwyrzykowski@apple.com>
Date: Wed, 12 Apr 2023 17:30:56 -0700
Subject: [PATCH] [WebGPU] RemoteBuffer unmap should check the input vector
https://bugs.webkit.org/show_bug.cgi?id=255350 <rdar://107947502>
Reviewed by Myles C. Maxfield.
Ensure data vector passed to unmap is valid for the currently
mapped buffer.
* Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp:
(WebKit::RemoteBuffer::unmap):
Canonical link: https://commits.webkit.org/262895@main
---
Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp b/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
index f533f5c30c32b..ec12ea2ac171b 100644
--- a/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
+++ b/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
@@ -79,7 +79,7 @@ void RemoteBuffer::getMappedRange(PAL::WebGPU::Size64 offset, std::optional<PAL:
void RemoteBuffer::unmap(Vector<uint8_t>&& data)
{
- if (!m_mappedRange)
+ if (!m_mappedRange || m_mappedRange->byteLength < data.size())
return;
ASSERT(m_isMapped);

41
backport-CVE-2024-40779.patch
View File

@ -1,41 +0,0 @@
From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001
From: Jean-Yves Avenard <jya@apple.com>
Date: Fri, 14 Jun 2024 16:08:19 -0700
Subject: [PATCH] Cherry-pick 272448.1085@safari-7618.3.10-branch
(ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431
HeapBufferOverflow in computeSampleUsingLinearInterpolation
https://bugs.webkit.org/show_bug.cgi?id=275431
rdar://125617812
Reviewed by Youenn Fablet.
Add boundary check.
This is a copy of blink code for that same function.
https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):
Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
---
.../webaudio/AudioBufferSourceNode.cpp | 6 +++++
1 file changed, 6 insertions(+)
diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
index 298bd48cdff5..740b793e0ec5 100644
--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
@@ -350,6 +350,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
if (readIndex2 >= maxFrame)
readIndex2 = m_isLooping ? minFrame : readIndex;
+ // Final sanity check on buffer access.
+ // FIXME: as an optimization, try to get rid of this inner-loop check and
+ // put assertions and guards before the loop.
+ if (readIndex >= bufferLength || readIndex2 >= bufferLength)
+ break;
+
// Linear interpolation.
for (unsigned i = 0; i < numberOfChannels; ++i) {
float* destination = destinationChannels[i];

41
backport-CVE-2024-40780.patch
View File

@ -1,41 +0,0 @@
From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001
From: Jer Noble <jer.noble@apple.com>
Date: Tue, 11 Jun 2024 11:54:06 -0700
Subject: [PATCH] Cherry-pick 272448.1080@safari-7618.3.10-branch
(64c9479d6f29). https://bugs.webkit.org/show_bug.cgi?id=275273
Add check in AudioBufferSourceNode::renderFromBuffer() when detune is set to large negative value
https://bugs.webkit.org/show_bug.cgi?id=275273
rdar://125617842
Reviewed by Eric Carlson.
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):
Canonical link: https://commits.webkit.org/274313.345@webkitglib/2.44
---
.../webaudio/AudioBufferSourceNode.cpp | 7 +++++
1 file changed, 7 insertions(+)
diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
index f86bffb9b507..298bd48cdff5 100644
--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
@@ -328,9 +328,16 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
virtualReadIndex = readIndex;
} else if (!pitchRate) {
unsigned readIndex = static_cast<unsigned>(virtualReadIndex);
+ int deltaFrames = static_cast<int>(virtualDeltaFrames);
+ maxFrame = static_cast<unsigned>(virtualMaxFrame);
+
+ if (readIndex >= maxFrame)
+ readIndex -= deltaFrames;
for (unsigned i = 0; i < numberOfChannels; ++i)
std::fill_n(destinationChannels[i] + writeIndex, framesToProcess, sourceChannels[i][readIndex]);
+
+ virtualReadIndex = readIndex;
} else if (reverse) {
unsigned maxFrame = static_cast<unsigned>(virtualMaxFrame);
unsigned minFrame = static_cast<unsigned>(floorf(virtualMinFrame));

42
backport-CVE-2024-4558.patch
View File

@ -1,42 +0,0 @@
From 9d7ec80f78039e6646fcfc455ab4c05aa393f34c Mon Sep 17 00:00:00 2001
From: Kimmo Kinnunen <kkinnunen@apple.com>
Date: Tue, 14 May 2024 22:37:29 -0700
Subject: [PATCH] Cherry-pick ANGLE.
https://bugs.webkit.org/show_bug.cgi?id=274165
https://bugs.webkit.org/show_bug.cgi?id=274165
rdar://127764804
Reviewed by Dan Glastonbury.
Cherry-pick ANGLE upstream commit 1bb1ee061fe0bce322fb93b447a72e72c993a1f2:
GL: Sync unpack state for glCompressedTexSubImage3D
Unpack state is supposed to be ignored for compressed tex image calls
but some drivers use it anyways and read incorrect data.
Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.
Bug: chromium:337766133
Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
Canonical link: https://commits.webkit.org/274313.341@webkitglib/2.44
---
Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
index c659aacb9e48..f96eefe53f11 100644
--- a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
+++ b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
@@ -664,6 +664,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context,
nativegl::GetCompressedSubTexImageFormat(functions, features, format);
stateManager->bindTexture(getType(), mTextureID);
+ ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack));
if (nativegl::UseTexImage2D(getType()))
{
ASSERT(area.z == 0 && area.depth == 1);

38
webkitgtk.spec → webkit2gtk3.spec
View File

@ -9,7 +9,7 @@
#Basic Information
Name: webkit2gtk3
Version: 2.36.3
Release: 8
Release: 3
Summary: GTK+ Web content engine library
License: LGPLv2
URL: https://www.webkitgtk.org/
@ -20,15 +20,12 @@ Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc
#Patch6000: backport-CVE-2021-42762.patch
#Patch6001: backport-CVE-2022-30293-CVE-2022-30294.patch
Patch1000: webkitgtk-add-loongarch-and-sw.patch
Patch6000: backport-CVE-2023-28204.patch
Patch6001: backport-CVE-2023-32373.patch
Patch6002: backport-CVE-2023-32409.patch
Patch6003: backport-CVE-2024-4558.patch
Patch6004: backport-CVE-2024-40779.patch
Patch6005: backport-CVE-2024-40780.patch
%ifarch loongarch64
Patch0001: 0001-webkitgtk-add-loongarch.patch
%endif
%ifarch sw_64
Patch0002: webkitgtk-2.32.1-sw.patch
%endif
#Dependency
BuildRequires: at-spi2-core-devel bison cairo-devel cmake enchant2-devel
@ -124,9 +121,6 @@ rm -rf Source/ThirdParty/qunit/
%build
%global optflags %(echo %{optflags} -Wl,--no-keep-memory | sed 's/-g /-g1 /')
export CFLAGS="%{optflags} -fPIE -pie"
export CXXFLAGS="%{optflags} -fPIE -pie"
export LDFLAGS="%{build_ldflags} -pie"
mkdir -p %{_target_platform}
pushd %{_target_platform}
%cmake \
@ -221,24 +215,6 @@ done
%endif
%changelog
* Fri May 09 2025 lingsheng <lingsheng1@h-partners.com> - 2.36.3-8
- Adapt repo name webkitgtk
* Thu Aug 22 2024 lingsheng <lingsheng1@h-partners.com> - 2.36.3-7
- fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
* Tue Jun 11 2024 yangchenguang <yangchenguang@kylinsec.com.cn> - 2.36.3-6
- Modfiy loongarch64 and sw_64 support use all arch
* Fri May 31 2024 lingsheng <lingsheng1@h-partners.com> - 2.36.3-5
- Type:enhancement
- ID:NA
- SUG:NA
- DESC:add build option PIE
* Mon May 29 2023 zhangpan<zhangpan103@h-partners.com> - 2.36.3-4
- fix CVE-2023-28204 CVE-2023-32373 CVE-2023-32409
* Tue Nov 29 2022 wuzx<wuzx1226@qq.com> - 2.36.3-3
- Add sw64 architecture

0
webkitgtk.yaml → webkit2gtk3.yaml
View File

12
webkitgtk-2.32.1-sw.patch Executable file
View File

@ -0,0 +1,12 @@
diff -Naur webkitgtk-2.32.1.org/Source/WTF/wtf/dtoa/utils.h webkitgtk-2.32.1.sw/Source/WTF/wtf/dtoa/utils.h
--- webkitgtk-2.32.1.org/Source/WTF/wtf/dtoa/utils.h 2022-06-06 15:32:28.840000000 +0000
+++ webkitgtk-2.32.1.sw/Source/WTF/wtf/dtoa/utils.h 2022-06-06 15:33:01.600000000 +0000
@@ -86,7 +86,7 @@
defined(__powerpc__) || defined(__ppc__) || defined(__ppc64__) || \
defined(_POWER) || defined(_ARCH_PPC) || defined(_ARCH_PPC64) || \
defined(__sparc__) || defined(__sparc) || defined(__s390__) || \
- defined(__SH4__) || defined(__alpha__) || \
+ defined(__SH4__) || defined(__alpha__) || defined(__sw_64__) || \
defined(_MIPS_ARCH_MIPS32R2) || \
defined(__AARCH64EL__) || defined(__aarch64__) || defined(__AARCH64EB__) || \
defined(__riscv) || \