rpms
/
webkit2gtk3
21
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

import webkit2gtk3-2.38.5-1.el8_8.4

Browse Source
i8c changed/i8c/webkit2gtk3-2.38.5-1.el8_8.4
MSVSphere Packaging Team 1 year ago
parent 717a91e24e
commit b52c484514
3 changed files with 217 additions and 4 deletions
Show Stats Download Patch File Download Diff File

167
SOURCES/CVE-2023-28204.patch
Unescape View File

@ -0,0 +1,167 @@
From 8efa99e7b5d5a37aefb476cc27ee24c2be4da0c7 Mon Sep 17 00:00:00 2001
From: Michael Saboff <msaboff@apple.com>
Date: Mon, 22 May 2023 13:40:46 -0700
Subject: [PATCH] Cherry-pick 264365@main (698c6e293734).
https://bugs.webkit.org/show_bug.cgi?id=254930
[JSC] RegExpGlobalData::performMatch issue leading to OOB read
https://bugs.webkit.org/show_bug.cgi?id=254930
rdar://107436732
Reviewed by Alexey Shvayka.
Fixed two issues:
1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
characters. Since it is an assertion, we shouldn't advance the character position.
Made the same fix to matchAssertionEOL().
2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
a non-BMP character for the case where the RegExp match is empty.
* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
(JSC::Yarr::Interpreter::matchAssertionBOL):
(JSC::Yarr::Interpreter::matchAssertionEOL):
Originally-landed-as: 259548.551@safari-7615-branch (e34edaa74575). rdar://107436732
Canonical link: https://commits.webkit.org/264365@main
---
...place-regexp-matchBOL-correct-advancing.js | 35 ++++++++++++++++++
.../runtime/StringPrototype.cpp | 10 ++++++
.../JavaScriptCore/yarr/YarrInterpreter.cpp | 36 +++++++++++++++++--
3 files changed, 79 insertions(+), 2 deletions(-)
create mode 100644 JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
diff --git a/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
new file mode 100644
index 000000000000..25b1a70b81d2
--- /dev/null
+++ b/JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js
@@ -0,0 +1,35 @@
+// Check that we don't advance for BOL assertions when matching a non-BMP character in the YARR interpreter
+// and that we do advance in String.replace() when processing an empty match.
+
+let expected = "|";
+
+for (let i = 0; i < 11; ++i)
+ expected += String.fromCodePoint(128512) + '|';
+
+let str = String.fromCodePoint(128512).repeat(11);
+
+let result1 = str.replace(/(?!(?=^a|()+()+x)(abc))/gmu, r => {
+ return '|';
+});
+
+
+if (result1 !== expected)
+ print("FAILED: \"" + result1 + " !== " + expected + '"');
+
+let result2= str.replace(/(?!(?=^a|x)(abc))/gmu, r => {
+ return '|';
+});
+
+if (result2 !== expected)
+ print("FAILED: \"" + result2 + " !== " + expected + '"');
+
+expected = "|" + String.fromCodePoint(128512);
+
+str = String.fromCodePoint(128512).repeat(1);
+
+let result3= str.replace(/(?!(?=^a|x)(abc))/mu, r => {
+ return '|';
+});
+
+if (result3 !== expected)
+ print("FAILED: \"" + result3 + " !== " + expected + '"');
diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
index 08104b1dbfa9..459295f728a7 100644
--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
}
} else {
@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
} while (global);
}
diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
index 95a848a1a66d..b1a22b253866 100644
--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
@@ -209,6 +209,38 @@ public:
}
return result;
}
+
+ int readCheckedDontAdvance(unsigned negativePositionOffest)
+ {
+ RELEASE_ASSERT(pos >= negativePositionOffest);
+ unsigned p = pos - negativePositionOffest;
+ ASSERT(p < length);
+ int result = input[p];
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
+ if (atEnd())
+ return -1;
+
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
+ }
+ return result;
+ }
+
+ // readForCharacterDump() is only for use by the DUMP_CURR_CHAR macro.
+ // We don't want any side effects like the next() in readChecked() above.
+ int readForCharacterDump(unsigned negativePositionOffest)
+ {
+ RELEASE_ASSERT(pos >= negativePositionOffest);
+ unsigned p = pos - negativePositionOffest;
+ ASSERT(p < length);
+ int result = input[p];
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
+ if (atEnd())
+ return -1;
+
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
+ }
+ return result;
+ }
int readSurrogatePairChecked(unsigned negativePositionOffset)
{
@@ -482,13 +514,13 @@ public:
bool matchAssertionBOL(ByteTerm& term)
{
- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
+ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
}
bool matchAssertionEOL(ByteTerm& term)
{
if (term.inputPosition)
- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
+ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read()));
}
--
2.40.1

36
SOURCES/CVE-2023-32373.patch
Unescape View File

@ -0,0 +1,36 @@
From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
From: Antoine Quint <graouts@webkit.org>
Date: Mon, 22 May 2023 13:37:32 -0700
Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
Reviewed by Dean Jackson and Darin Adler.
Ensure that the animation's effect and target are kept alive for the duration of this method
since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
these two pointers could be changed to a null value using the Web Animations API.
* Source/WebCore/animation/WebAnimation.cpp:
(WebCore::WebAnimation::commitStyles):
Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
Canonical link: https://commits.webkit.org/264363@main
---
Source/WebCore/animation/WebAnimation.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
index 68ea47985807..ae20c79c36cf 100644
--- a/Source/WebCore/animation/WebAnimation.cpp
+++ b/Source/WebCore/animation/WebAnimation.cpp
@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
// https://drafts.csswg.org/web-animations-1/#commit-computed-styles
// 1. Let targets be the set of all effect targets for animation effects associated with animation.
- auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
- auto* target = effect ? effect->target() : nullptr;
+ RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
+ RefPtr target = effect ? effect->target() : nullptr;
// 2. For each target in targets:
//

18
SPECS/webkit2gtk3.spec
Unescape View File

@ -7,7 +7,7 @@
Name: webkit2gtk3
Version: 2.38.5
Release: 1%{?dist}.3
Release: 1%{?dist}.4
Summary: GTK Web content engine library
License: LGPLv2
@ -25,8 +25,12 @@ Patch0: evolution-shared-secondary-process.patch
# https://bugs.webkit.org/show_bug.cgi?id=235367
Patch1: icu60.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2185741
Patch2: CVE-2023-28205.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2209208
Patch2: CVE-2023-28204.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2185745
Patch3: CVE-2023-28205.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=2209214
Patch4: CVE-2023-32373.patch
BuildRequires: bison
BuildRequires: cmake
@ -276,9 +280,15 @@ export NINJA_STATUS="[%f/%t][%e] "
%{_datadir}/gir-1.0/JavaScriptCore-4.0.gir
%changelog
* Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2.38.5-1.3
* Wed Jul 26 2023 MSVSphere Packaging Team <packager@msvsphere.ru> - 2.38.5-1.4
- Rebuilt for MSVSphere 8.8
* Thu May 25 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.4
- Add patch for CVE-2023-28204
Resolves: #2209744
- Add patch for CVE-2023-32373
Resolves: #2209727
* Fri Apr 14 2023 Michael Catanzaro <mcatanzaro@redhat.com> - 2.38.5-1.3
- Restore libwpe and wpebackend-fdo dependencies
Related: #2185741 (sort of)

Write Preview
Loading…
Cancel
Save