packages/webkitgtk
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!46 fix CVE-2022-30293 and CVE-2022-30294

Browse Source 
From: @houjinchang666666 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
This commit is contained in:
openeuler-ci-bot 2022-06-07 07:51:00 +00:00 committed by Gitee
commit 17db4d394b
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 92 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

87
backport-CVE-2022-30293-CVE-2022-30294.patch Normal file
View File

@ -0,0 +1,87 @@
From: Miguel Gomez <magomez@igalia.com>
Date: 2022-03-22
Subject: [PATCH] backport-CVE-2022-30293-CVE-2022-30294.patch
Ensure that proxies are invalidated before destroying them.
https://bugs.webkit.org/show_bug.cgi?id=237187
Reference:https://bugs.webkit.org/attachment.cgi?id=455361&action=prettypatch
---
.../CoordinatedGraphicsScene.cpp | 26 ++++++++++++++++---
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp b/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp
index cb276223..372021a6 100644
--- a/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp
+++ b/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp
@@ -230,10 +230,11 @@ void CoordinatedGraphicsScene::updateSceneState()
};
Vector<ImageBacking> imageBacking;
} layersByBacking;
+ HashSet<Ref<WebCore::TextureMapperPlatformLayerProxy>> replacedProxiesToInvalidate;
// Access the scene state and perform state update for each layer.
m_nicosia.scene->accessState(
- [this, &layersByBacking](Nicosia::Scene::State& state)
+ [this, &layersByBacking, &replacedProxiesToInvalidate](Nicosia::Scene::State& state)
{
// FIXME: try to minimize the amount of work in case the Scene::State object
// didn't change (i.e. no layer flush was done), but don't forget to properly
@@ -250,12 +251,24 @@ void CoordinatedGraphicsScene::updateSceneState()
}
}
- // Gather all the to-be-removed layers so that composition-side state
- // can be properly purged after the current state's set of layers is adopted.
HashSet<RefPtr<Nicosia::CompositionLayer>> removedLayers;
for (auto& layer : m_nicosia.state.layers) {
+ // Gather all the to-be-removed layers so that composition-side state
+ // can be properly purged after the current state's set of layers is adopted.
if (!state.layers.contains(layer))
removedLayers.add(layer);
+ else {
+ // Store references to all the proxies that are being used by the layers that are kept in the tree.
+ // When adopting the new state, the existent proxies may be replaced or detached from their layers, causing the
+ // reference to be lost without having a chance to invalidate them. After the call to commitState, we will
+ // invalidate all the proxies that are not being used anymore.
+ layer->accessCommitted(
+ [&replacedProxiesToInvalidate](const Nicosia::CompositionLayer::LayerState& committed)
+ {
+ if (committed.contentLayer)
+ replacedProxiesToInvalidate.add(Ref { contentLayerImpl(*committed.contentLayer).proxy() });
+ });
+ }
}
m_nicosia.state = state;
@@ -270,7 +283,7 @@ void CoordinatedGraphicsScene::updateSceneState()
for (auto& compositionLayer : m_nicosia.state.layers) {
auto& layer = texmapLayer(*compositionLayer);
compositionLayer->commitState(
- [&layer, &layersByBacking]
+ [&layer, &layersByBacking, &replacedProxiesToInvalidate]
(const Nicosia::CompositionLayer::LayerState& layerState)
{
if (layerState.delta.positionChanged)
@@ -346,6 +359,7 @@ void CoordinatedGraphicsScene::updateSceneState()
auto& impl = contentLayerImpl(*layerState.contentLayer);
layersByBacking.contentLayer.append(
{ std::ref(layer), std::ref(impl.proxy()), layerState.delta.contentLayerChanged });
+ replacedProxiesToInvalidate.remove(Ref { impl.proxy() });
} else if (layerState.imageBacking) {
auto& impl = imageBackingImpl(*layerState.imageBacking);
layersByBacking.imageBacking.append(
@@ -407,6 +421,10 @@ void CoordinatedGraphicsScene::updateSceneState()
for (auto& proxy : proxiesForSwapping)
proxy->swapBuffer();
+
+ for (auto& proxy : replacedProxiesToInvalidate)
+ proxy->invalidate();
+ replacedProxiesToInvalidate = { };
}
void CoordinatedGraphicsScene::ensureRootLayer()
--
2.33.0

7
webkit2gtk3.spec
View File

@ -10,7 +10,7 @@
#Basic Information #Basic Information
Name: webkit2gtk3 Name: webkit2gtk3
Version: 2.32.4 Version: 2.32.4
Release: 2 Release: 3
Summary: GTK+ Web content engine library Summary: GTK+ Web content engine library
License: LGPLv2 License: LGPLv2
URL: http://www.webkitgtk.org/ URL: http://www.webkitgtk.org/
@ -18,7 +18,7 @@ Source0: http://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz
Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc Source1: https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc
Patch6000: backport-CVE-2021-42762.patch Patch6000: backport-CVE-2021-42762.patch
Patch6001: backport-CVE-2022-30293-CVE-2022-30294.patch
#Dependency #Dependency
BuildRequires: at-spi2-core-devel bison cairo-devel cmake enchant2-devel BuildRequires: at-spi2-core-devel bison cairo-devel cmake enchant2-devel
BuildRequires: flex fontconfig-devel freetype-devel ninja-build BuildRequires: flex fontconfig-devel freetype-devel ninja-build
@ -203,6 +203,9 @@ done
%endif %endif
%changelog %changelog
* Tue Jun 07 2022 houjinchang<houjinchang@huawei.com> - 2.32.4-3
- fix CVE-2022-30293 and CVE-2022-30294
* Thu Nov 04 2021 liuyumeng<liuyumeng5@huawei.com> - 2.32.4-2 * Thu Nov 04 2021 liuyumeng<liuyumeng5@huawei.com> - 2.32.4-2
- fix CVE-2021-42762 - fix CVE-2021-42762