!48 Update to 2.36.3

From: @zhang__3125 
Reviewed-by: @dwl301 
Signed-off-by: @dwl301

backport-CVE-2021-42762.patch

@@ -1,456 +0,0 @@
-From c5f884ac0f6b96f2d6e097b6b5e9628e3fd905e9 Mon Sep 17 00:00:00 2001
-From: "commit-queue@webkit.org"
- <commit-queue@webkit.org@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
-Date: Tue, 19 Oct 2021 14:27:17 +0000
-Subject: [PATCH] Update seccomp filters with latest changes from flatpak
- https://bugs.webkit.org/show_bug.cgi?id=231479
-
-Patch by Michael Catanzaro <mcatanzaro@gnome.org> on 2021-10-19
-Reviewed by Adrian Perez de Castro.
-
-Additionally, let's fix a minor inconsistency in our error-handling code: all but one of
-our codepaths carefully free and close resources, but the process is about to crash so
-there's not really any reason to do so. The code is slightly simpler if we don't bother.
-
-The seemingly-extraneous include order changes are required to placate the style checker.
-
-* UIProcess/Launcher/glib/BubblewrapLauncher.cpp:
-(WebKit::seccompStrerror):
-(WebKit::setupSeccomp):
-* UIProcess/Launcher/glib/Syscalls.h: Added.
-
-git-svn-id: http://svn.webkit.org/repository/webkit/trunk@284451 268f45cc-cd09-0410-ab3c-d52691b4dbfc
-
-Backported by Mike Gorse <mgorse@suse.com>
----
-diff -urpN webkitgtk-2.32.4.orig/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp webkitgtk-2.32.4/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp
---- webkitgtk-2.32.4.orig/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2021-05-05 00:33:24.000000000 -0500
-+++ webkitgtk-2.32.4/Source/WebKit/UIProcess/Launcher/glib/BubblewrapLauncher.cpp	2021-10-24 15:30:36.081940385 -0500
-@@ -25,6 +25,7 @@
- #include <glib.h>
- #include <seccomp.h>
- #include <sys/ioctl.h>
-+#include <sys/mman.h>
- #include <unistd.h>
- #include <wtf/FileSystem.h>
- #include <wtf/UniStdExtras.h>
-@@ -32,6 +33,12 @@
- #include <wtf/glib/GRefPtr.h>
- #include <wtf/glib/GUniquePtr.h>
- 
-+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
-+#include <linux/memfd.h>
-+#endif
-+
-+#include "Syscalls.h"
-+
- #if PLATFORM(GTK)
- #include "WaylandCompositor.h"
- #endif
-@@ -42,13 +49,7 @@
- #define BASE_DIRECTORY "wpe"
- #endif
- 
--#include <sys/mman.h>
--
--#ifndef MFD_ALLOW_SEALING
--
--#if HAVE(LINUX_MEMFD_H)
--
--#include <linux/memfd.h>
-+#if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
- 
- // These defines were added in glibc 2.27, the same release that added memfd_create.
- // But the kernel added all of this in Linux 3.17. So it's totally safe for us to
-@@ -67,9 +68,7 @@ static int memfd_create(const char* name
- {
-     return syscall(__NR_memfd_create, name, flags);
- }
--#endif // #if HAVE(LINUX_MEMFD_H)
--
--#endif // #ifndef MFD_ALLOW_SEALING
-+#endif // #if !defined(MFD_ALLOW_SEALING) && HAVE(LINUX_MEMFD_H)
- 
- namespace WebKit {
- using namespace WebCore;
-@@ -596,6 +595,28 @@ static void bindSymlinksRealPath(Vector<
-     }
- }
- 
-+// Translate a libseccomp error code into an error message. libseccomp
-+// mostly returns negative errno values such as -ENOMEM, but some
-+// standard errno values are used for non-standard purposes where their
-+// strerror() would be misleading.
-+static const char* seccompStrerror(int negativeErrno)
-+{
-+    RELEASE_ASSERT_WITH_MESSAGE(negativeErrno < 0, "Non-negative error value from libseccomp?");
-+    RELEASE_ASSERT_WITH_MESSAGE(negativeErrno > INT_MIN, "Out of range error value from libseccomp?");
-+
-+    switch (negativeErrno) {
-+    case -EDOM:
-+        return "Architecture-specific failure";
-+    case -EFAULT:
-+        return "Internal libseccomp failure (unknown syscall?)";
-+    case -ECANCELED:
-+        return "System failure beyond the control of libseccomp";
-+    }
-+
-+    // e.g. -ENOMEM: the result of strerror() is good enough
-+    return g_strerror(-negativeErrno);
-+}
-+
- static int setupSeccomp()
- {
-     // NOTE: This is shared code (flatpak-run.c - LGPLv2.1+)
-@@ -623,6 +644,10 @@ static int setupSeccomp()
-     //    in common/flatpak-run.c
-     //  https://git.gnome.org/browse/linux-user-chroot
-     //    in src/setup-seccomp.c
-+    //
-+    // Other useful resources:
-+    // https://github.com/systemd/systemd/blob/HEAD/src/shared/seccomp-util.c
-+    // https://github.com/moby/moby/blob/HEAD/profiles/seccomp/default.json
- 
- #if defined(__s390__) || defined(__s390x__) || defined(__CRIS__)
-     // Architectures with CONFIG_CLONE_BACKWARDS2: the child stack
-@@ -636,47 +661,70 @@ static int setupSeccomp()
-     struct scmp_arg_cmp ttyArg = SCMP_A1(SCMP_CMP_MASKED_EQ, 0xFFFFFFFFu, TIOCSTI);
-     struct {
-         int scall;
-+        int errnum;
-         struct scmp_arg_cmp* arg;
-     } syscallBlockList[] = {
-         // Block dmesg
--        { SCMP_SYS(syslog), nullptr },
-+        { SCMP_SYS(syslog), EPERM, nullptr },
-         // Useless old syscall.
--        { SCMP_SYS(uselib), nullptr },
-+        { SCMP_SYS(uselib), EPERM, nullptr },
-         // Don't allow disabling accounting.
--        { SCMP_SYS(acct), nullptr },
-+        { SCMP_SYS(acct), EPERM, nullptr },
-         // 16-bit code is unnecessary in the sandbox, and modify_ldt is a
-         // historic source of interesting information leaks.
--        { SCMP_SYS(modify_ldt), nullptr },
-+        { SCMP_SYS(modify_ldt), EPERM, nullptr },
-         // Don't allow reading current quota use.
--        { SCMP_SYS(quotactl), nullptr },
-+        { SCMP_SYS(quotactl), EPERM, nullptr },
- 
-         // Don't allow access to the kernel keyring.
--        { SCMP_SYS(add_key), nullptr },
--        { SCMP_SYS(keyctl), nullptr },
--        { SCMP_SYS(request_key), nullptr },
-+        { SCMP_SYS(add_key), EPERM, nullptr },
-+        { SCMP_SYS(keyctl), EPERM, nullptr },
-+        { SCMP_SYS(request_key), EPERM, nullptr },
- 
-         // Scary VM/NUMA ops 
--        { SCMP_SYS(move_pages), nullptr },
--        { SCMP_SYS(mbind), nullptr },
--        { SCMP_SYS(get_mempolicy), nullptr },
--        { SCMP_SYS(set_mempolicy), nullptr },
--        { SCMP_SYS(migrate_pages), nullptr },
-+        { SCMP_SYS(move_pages), EPERM, nullptr },
-+        { SCMP_SYS(mbind), EPERM, nullptr },
-+        { SCMP_SYS(get_mempolicy), EPERM, nullptr },
-+        { SCMP_SYS(set_mempolicy), EPERM, nullptr },
-+        { SCMP_SYS(migrate_pages), EPERM, nullptr },
- 
-         // Don't allow subnamespace setups:
--        { SCMP_SYS(unshare), nullptr },
--        { SCMP_SYS(mount), nullptr },
--        { SCMP_SYS(pivot_root), nullptr },
--        { SCMP_SYS(clone), &cloneArg },
-+        { SCMP_SYS(unshare), EPERM, nullptr },
-+        { SCMP_SYS(setns), EPERM, nullptr },
-+        { SCMP_SYS(mount), EPERM, nullptr },
-+        { SCMP_SYS(umount), EPERM, nullptr },
-+        { SCMP_SYS(umount2), EPERM, nullptr },
-+        { SCMP_SYS(pivot_root), EPERM, nullptr },
-+        { SCMP_SYS(chroot), EPERM, nullptr },
-+        { SCMP_SYS(clone), EPERM, &cloneArg },
- 
-         // Don't allow faking input to the controlling tty (CVE-2017-5226)
--        { SCMP_SYS(ioctl), &ttyArg },
-+        { SCMP_SYS(ioctl), EPERM, &ttyArg },
-+
-+        // seccomp can't look into clone3()'s struct clone_args to check whether
-+        // the flags are OK, so we have no choice but to block clone3().
-+        // Return ENOSYS so user-space will fall back to clone().
-+        // (GHSA-67h7-w3jq-vh4q; see also https://github.com/moby/moby/commit/9f6b562d)
-+        { SCMP_SYS(clone3), ENOSYS, nullptr },
-+
-+        // New mount manipulation APIs can also change our VFS. There's no
-+        // legitimate reason to do these in the sandbox, so block all of them
-+        // rather than thinking about which ones might be dangerous.
-+        // (GHSA-67h7-w3jq-vh4q)
-+        { SCMP_SYS(open_tree), ENOSYS, nullptr },
-+        { SCMP_SYS(move_mount), ENOSYS, nullptr },
-+        { SCMP_SYS(fsopen), ENOSYS, nullptr },
-+        { SCMP_SYS(fsconfig), ENOSYS, nullptr },
-+        { SCMP_SYS(fsmount), ENOSYS, nullptr },
-+        { SCMP_SYS(fspick), ENOSYS, nullptr },
-+        { SCMP_SYS(mount_setattr), ENOSYS, nullptr },
- 
-         // Profiling operations; we expect these to be done by tools from outside
-         // the sandbox. In particular perf has been the source of many CVEs.
--        { SCMP_SYS(perf_event_open), nullptr },
-+        { SCMP_SYS(perf_event_open), EPERM, nullptr },
-         // Don't allow you to switch to bsd emulation or whatnot.
--        { SCMP_SYS(personality), nullptr },
--        { SCMP_SYS(ptrace), nullptr }
-+        { SCMP_SYS(personality), EPERM, nullptr },
-+        { SCMP_SYS(ptrace), EPERM, nullptr }
-     };
- 
-     scmp_filter_ctx seccomp = seccomp_init(SCMP_ACT_ALLOW);
-@@ -684,29 +732,28 @@ static int setupSeccomp()
-         g_error("Failed to init seccomp");
- 
-     for (auto& rule : syscallBlockList) {
--        int scall = rule.scall;
-         int r;
-         if (rule.arg)
--            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 1, *rule.arg);
-+            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 1, *rule.arg);
-         else
--            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(EPERM), scall, 0);
--        if (r == -EFAULT) {
--            seccomp_release(seccomp);
--            g_error("Failed to add seccomp rule");
--        }
-+            r = seccomp_rule_add(seccomp, SCMP_ACT_ERRNO(rule.errnum), rule.scall, 0);
-+        // EFAULT means "internal libseccomp error", but in practice we get
-+        // this for syscall numbers added via Syscalls.h (flatpak-syscalls-private.h)
-+        // when trying to filter them on a non-native architecture, because
-+        // libseccomp cannot map the syscall number to a name and back to a
-+        // number for the non-native architecture.
-+        if (r == -EFAULT)
-+            g_info("Unable to block syscall %d: syscall not known to libseccomp?", rule.scall);
-+        else if (r < 0)
-+            g_error("Failed to block syscall %d: %s", rule.scall, seccompStrerror(r));
-     }
- 
-     int tmpfd = memfd_create("seccomp-bpf", 0);
--    if (tmpfd == -1) {
--        seccomp_release(seccomp);
-+    if (tmpfd == -1)
-         g_error("Failed to create memfd: %s", g_strerror(errno));
--    }
- 
--    if (seccomp_export_bpf(seccomp, tmpfd)) {
--        seccomp_release(seccomp);
--        close(tmpfd);
--        g_error("Failed to export seccomp bpf");
--    }
-+    if (int r = seccomp_export_bpf(seccomp, tmpfd))
-+        g_error("Failed to export seccomp bpf: %s", seccompStrerror(r));
- 
-     if (lseek(tmpfd, 0, SEEK_SET) < 0)
-         g_error("lseek failed: %s", g_strerror(errno));
-Binary files webkitgtk-2.32.4.orig/Source/WebKit/UIProcess/Launcher/glib/.BubblewrapLauncher.cpp.swp and webkitgtk-2.32.4/Source/WebKit/UIProcess/Launcher/glib/.BubblewrapLauncher.cpp.swp differ
-diff -urpN webkitgtk-2.32.4.orig/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h webkitgtk-2.32.4/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h
---- webkitgtk-2.32.4.orig/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h	1969-12-31 18:00:00.000000000 -0600
-+++ webkitgtk-2.32.4/Source/WebKit/UIProcess/Launcher/glib/Syscalls.h	2021-10-22 15:25:49.765033525 -0500
-@@ -0,0 +1,200 @@
-+/*
-+ * Copyright 2021 Collabora Ltd.
-+ * SPDX-License-Identifier: LGPL-2.1-or-later
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU Lesser General Public
-+ * License as published by the Free Software Foundation; either
-+ * version 2.1 of the License, or (at your option) any later version.
-+ *
-+ * This library is distributed in the hope that it will be useful,
-+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
-+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
-+ * Lesser General Public License for more details.
-+ *
-+ * You should have received a copy of the GNU Lesser General Public
-+ * License along with this library. If not, see <http://www.gnu.org/licenses/>.
-+ */
-+
-+// This file is a copy of flatpak-syscalls-private.h, reformatted a bit to placate WebKit's style checker.
-+//
-+// Upstream is here:
-+// https://github.com/flatpak/flatpak/blob/26b12484eb8a6219b9e7aa287b298a894b2f34ca/common/flatpak-syscalls-private.h
-+
-+#pragma once
-+
-+#include <sys/syscall.h>
-+
-+#if defined(_MIPS_SIM)
-+# if _MIPS_SIM == _MIPS_SIM_ABI32
-+#   define FLATPAK_MISSING_SYSCALL_BASE 4000
-+# elif _MIPS_SIM == _MIPS_SIM_ABI64
-+#   define FLATPAK_MISSING_SYSCALL_BASE 5000
-+# elif _MIPS_SIM == _MIPS_SIM_NABI32
-+#   define FLATPAK_MISSING_SYSCALL_BASE 6000
-+# else
-+#   error "Unknown MIPS ABI"
-+# endif
-+#endif
-+
-+#if defined(__ia64__)
-+# define FLATPAK_MISSING_SYSCALL_BASE 1024
-+#endif
-+
-+#if defined(__alpha__)
-+# define FLATPAK_MISSING_SYSCALL_BASE 110
-+#endif
-+
-+#if defined(__x86_64__) && defined(__ILP32__)
-+# define FLATPAK_MISSING_SYSCALL_BASE 0x40000000
-+#endif
-+
-+// FLATPAK_MISSING_SYSCALL_BASE:
-+//
-+// Number to add to the syscall numbers of recently-added syscalls
-+// to get the appropriate syscall for the current ABI.
-+#ifndef FLATPAK_MISSING_SYSCALL_BASE
-+# define FLATPAK_MISSING_SYSCALL_BASE 0
-+#endif
-+
-+#ifndef __NR_open_tree
-+# define __NR_open_tree (FLATPAK_MISSING_SYSCALL_BASE + 428)
-+#endif
-+#ifndef __SNR_open_tree
-+# define __SNR_open_tree __NR_open_tree
-+#endif
-+
-+#ifndef __NR_move_mount
-+# define __NR_move_mount (FLATPAK_MISSING_SYSCALL_BASE + 429)
-+#endif
-+#ifndef __SNR_move_mount
-+# define __SNR_move_mount __NR_move_mount
-+#endif
-+
-+#ifndef __NR_fsopen
-+# define __NR_fsopen (FLATPAK_MISSING_SYSCALL_BASE + 430)
-+#endif
-+#ifndef __SNR_fsopen
-+# define __SNR_fsopen __NR_fsopen
-+#endif
-+
-+#ifndef __NR_fsconfig
-+# define __NR_fsconfig (FLATPAK_MISSING_SYSCALL_BASE + 431)
-+#endif
-+#ifndef __SNR_fsconfig
-+# define __SNR_fsconfig __NR_fsconfig
-+#endif
-+
-+#ifndef __NR_fsmount
-+# define __NR_fsmount (FLATPAK_MISSING_SYSCALL_BASE + 432)
-+#endif
-+#ifndef __SNR_fsmount
-+# define __SNR_fsmount __NR_fsmount
-+#endif
-+
-+#ifndef __NR_fspick
-+# define __NR_fspick (FLATPAK_MISSING_SYSCALL_BASE + 433)
-+#endif
-+#ifndef __SNR_fspick
-+# define __SNR_fspick __NR_fspick
-+#endif
-+
-+#ifndef __NR_pidfd_open
-+# define __NR_pidfd_open (FLATPAK_MISSING_SYSCALL_BASE + 434)
-+#endif
-+#ifndef __SNR_pidfd_open
-+# define __SNR_pidfd_open __NR_pidfd_open
-+#endif
-+
-+#ifndef __NR_clone3
-+# define __NR_clone3 (FLATPAK_MISSING_SYSCALL_BASE + 435)
-+#endif
-+#ifndef __SNR_clone3
-+# define __SNR_clone3 __NR_clone3
-+#endif
-+
-+#ifndef __NR_close_range
-+# define __NR_close_range (FLATPAK_MISSING_SYSCALL_BASE + 436)
-+#endif
-+#ifndef __SNR_close_range
-+# define __SNR_close_range __NR_close_range
-+#endif
-+
-+#ifndef __NR_openat2
-+# define __NR_openat2 (FLATPAK_MISSING_SYSCALL_BASE + 437)
-+#endif
-+#ifndef __SNR_openat2
-+# define __SNR_openat2 __NR_openat2
-+#endif
-+
-+#ifndef __NR_pidfd_getfd
-+# define __NR_pidfd_getfd (FLATPAK_MISSING_SYSCALL_BASE + 438)
-+#endif
-+#ifndef __SNR_pidfd_getfd
-+# define __SNR_pidfd_getfd __NR_pidfd_getfd
-+#endif
-+
-+#ifndef __NR_faccessat2
-+# define __NR_faccessat2 (FLATPAK_MISSING_SYSCALL_BASE + 439)
-+#endif
-+#ifndef __SNR_faccessat2
-+# define __SNR_faccessat2 __NR_faccessat2
-+#endif
-+
-+#ifndef __NR_process_madvise
-+# define __NR_process_madvise (FLATPAK_MISSING_SYSCALL_BASE + 440)
-+#endif
-+#ifndef __SNR_process_madvise
-+# define __SNR_process_madvise __NR_process_madvise
-+#endif
-+
-+#ifndef __NR_epoll_pwait2
-+# define __NR_epoll_pwait2 (FLATPAK_MISSING_SYSCALL_BASE + 441)
-+#endif
-+#ifndef __SNR_epoll_pwait2
-+# define __SNR_epoll_pwait2 __NR_epoll_pwait2
-+#endif
-+
-+#ifndef __NR_mount_setattr
-+# define __NR_mount_setattr (FLATPAK_MISSING_SYSCALL_BASE + 442)
-+#endif
-+#ifndef __SNR_mount_setattr
-+# define __SNR_mount_setattr __NR_mount_setattr
-+#endif
-+
-+#ifndef __NR_quotactl_fd
-+# define __NR_quotactl_fd (FLATPAK_MISSING_SYSCALL_BASE + 443)
-+#endif
-+#ifndef __SNR_quotactl_fd
-+# define __SNR_quotactl_fd __NR_quotactl_fd
-+#endif
-+
-+#ifndef __NR_landlock_create_ruleset
-+# define __NR_landlock_create_ruleset (FLATPAK_MISSING_SYSCALL_BASE + 444)
-+#endif
-+#ifndef __SNR_landlock_create_ruleset
-+# define __SNR_landlock_create_ruleset __NR_landlock_create_ruleset
-+#endif
-+
-+#ifndef __NR_landlock_add_rule
-+# define __NR_landlock_add_rule (FLATPAK_MISSING_SYSCALL_BASE + 445)
-+#endif
-+#ifndef __SNR_landlock_add_rule
-+# define __SNR_landlock_add_rule __NR_landlock_add_rule
-+#endif
-+
-+#ifndef __NR_landlock_restrict_self
-+# define __NR_landlock_restrict_self (FLATPAK_MISSING_SYSCALL_BASE + 446)
-+#endif
-+#ifndef __SNR_landlock_restrict_self
-+# define __SNR_landlock_restrict_self __NR_landlock_restrict_self
-+#endif
-+
-+#ifndef __NR_memfd_secret
-+# define __NR_memfd_secret (FLATPAK_MISSING_SYSCALL_BASE + 447)
-+#endif
-+#ifndef __SNR_memfd_secret
-+# define __SNR_memfd_secret __NR_memfd_secret
-+#endif
-+
-+// Last updated: Linux 5.14, syscall numbers < 448

backport-CVE-2022-30293-CVE-2022-30294.patch

@@ -1,87 +0,0 @@
-From: Miguel Gomez  <magomez@igalia.com>
-Date: 2022-03-22
-Subject: [PATCH] backport-CVE-2022-30293-CVE-2022-30294.patch
-      Ensure that proxies are invalidated before destroying them.
-      https://bugs.webkit.org/show_bug.cgi?id=237187
-
-Reference:https://bugs.webkit.org/attachment.cgi?id=455361&action=prettypatch
-
----
- .../CoordinatedGraphicsScene.cpp              | 26 ++++++++++++++++---
- 1 file changed, 22 insertions(+), 4 deletions(-)
-
-diff --git a/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp b/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp
-index cb276223..372021a6 100644
---- a/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp
-+++ b/Source/WebKit/Shared/CoordinatedGraphics/CoordinatedGraphicsScene.cpp
-@@ -230,10 +230,11 @@ void CoordinatedGraphicsScene::updateSceneState()
-         };
-         Vector<ImageBacking> imageBacking;
-     } layersByBacking;
-+    HashSet<Ref<WebCore::TextureMapperPlatformLayerProxy>> replacedProxiesToInvalidate;
- 
-     // Access the scene state and perform state update for each layer.
-     m_nicosia.scene->accessState(
--        [this, &layersByBacking](Nicosia::Scene::State& state)
-+        [this, &layersByBacking, &replacedProxiesToInvalidate](Nicosia::Scene::State& state)
-         {
-             // FIXME: try to minimize the amount of work in case the Scene::State object
-             // didn't change (i.e. no layer flush was done), but don't forget to properly
-@@ -250,12 +251,24 @@ void CoordinatedGraphicsScene::updateSceneState()
-                 }
-             }
- 
--            // Gather all the to-be-removed layers so that composition-side state
--            // can be properly purged after the current state's set of layers is adopted.
-             HashSet<RefPtr<Nicosia::CompositionLayer>> removedLayers;
-             for (auto& layer : m_nicosia.state.layers) {
-+                // Gather all the to-be-removed layers so that composition-side state
-+                // can be properly purged after the current state's set of layers is adopted.
-                 if (!state.layers.contains(layer))
-                     removedLayers.add(layer);
-+                else {
-+                    // Store references to all the proxies that are being used by the layers that are kept in the tree.
-+                    // When adopting the new state, the existent proxies may be replaced or detached from their layers, causing the
-+                    // reference to be lost without having a chance to invalidate them. After the call to commitState, we will
-+                    // invalidate all the proxies that are not being used anymore.
-+                    layer->accessCommitted(
-+                        [&replacedProxiesToInvalidate](const Nicosia::CompositionLayer::LayerState& committed)
-+                        {
-+                            if (committed.contentLayer)
-+                                replacedProxiesToInvalidate.add(Ref { contentLayerImpl(*committed.contentLayer).proxy() });
-+                        });
-+                }
-             }
- 
-             m_nicosia.state = state;
-@@ -270,7 +283,7 @@ void CoordinatedGraphicsScene::updateSceneState()
-             for (auto& compositionLayer : m_nicosia.state.layers) {
-                 auto& layer = texmapLayer(*compositionLayer);
-                 compositionLayer->commitState(
--                    [&layer, &layersByBacking]
-+                    [&layer, &layersByBacking, &replacedProxiesToInvalidate]
-                     (const Nicosia::CompositionLayer::LayerState& layerState)
-                     {
-                         if (layerState.delta.positionChanged)
-@@ -346,6 +359,7 @@ void CoordinatedGraphicsScene::updateSceneState()
-                             auto& impl = contentLayerImpl(*layerState.contentLayer);
-                             layersByBacking.contentLayer.append(
-                                 { std::ref(layer), std::ref(impl.proxy()), layerState.delta.contentLayerChanged });
-+                            replacedProxiesToInvalidate.remove(Ref { impl.proxy() });
-                         } else if (layerState.imageBacking) {
-                             auto& impl = imageBackingImpl(*layerState.imageBacking);
-                             layersByBacking.imageBacking.append(
-@@ -407,6 +421,10 @@ void CoordinatedGraphicsScene::updateSceneState()
- 
-     for (auto& proxy : proxiesForSwapping)
-         proxy->swapBuffer();
-+
-+    for (auto& proxy : replacedProxiesToInvalidate)
-+        proxy->invalidate();
-+    replacedProxiesToInvalidate = { };
- }
- 
- void CoordinatedGraphicsScene::ensureRootLayer()
--- 
-2.33.0
-

webkit2gtk3.spec

@@ -6,19 +6,21 @@
 %bcond_without docs
 %endif
 
-
 #Basic Information
 Name:           webkit2gtk3
-Version:        2.32.4
+Version:        2.36.3
-Release:        4
+Release:        1
 Summary:        GTK+ Web content engine library
 License:        LGPLv2
-URL:            http://www.webkitgtk.org/
+URL:            https://www.webkitgtk.org/
-Source0:        http://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz
+Source0:        https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz
 Source1:        https://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz.asc
 
-Patch6000:	backport-CVE-2021-42762.patch
+#Patch0:         aarch64-page-size.patch
-Patch6001:      backport-CVE-2022-30293-CVE-2022-30294.patch 
+
+#Patch6000:	backport-CVE-2021-42762.patch
+#Patch6001:      backport-CVE-2022-30293-CVE-2022-30294.patch 
+
 #Dependency
 BuildRequires:  at-spi2-core-devel bison cairo-devel cmake enchant2-devel
 BuildRequires:  flex fontconfig-devel freetype-devel ninja-build
@@ -35,9 +37,11 @@ BuildRequires:  libwayland-egl-devel libwayland-server-devel openjpeg2-devel
 BuildRequires:  mesa-libEGL-devel mesa-libGL-devel libglvnd-devel
 BuildRequires:  pcre-devel perl-File-Copy-Recursive perl-JSON-PP perl-Switch
 BuildRequires:  python3 ruby rubygems sqlite-devel upower-devel woff2-devel pkgconfig(libsystemd)
+BuildRequires:  perl lcms2-devel libgcrypt-devel libtasn1-devel wayland-devel
+#BuildRequires:  pkgconfig(manette-0.2)
 Requires:       geoclue2 bubblewrap xdg-dbus-proxy
 Requires:       webkit2gtk3-jsc = %{version}-%{release}
-Recommends:     xdg-desktop-portal-gtk
+Recommends:     xdg-desktop-portal-gtk gstreamer1-plugins-bad-free gstreamer1-plugins-good
 
 Provides:       bundled(angle)
 Provides:       bundled(xdgmime)
@@ -121,6 +125,7 @@ pushd %{_target_platform}
   -DENABLE_GTKDOC=ON \
 %endif
   -DENABLE_MINIBROWSER=ON \
+  -DUSE_SOUP2=ON \
   -DPYTHON_EXECUTABLE=%{_bindir}/python3 \
   -DENABLE_GAMEPAD=OFF \
   -DCMAKE_EXE_LINKER_FLAGS="-Wl,--as-needed -Wl,-z,now -pthread" \
@@ -187,6 +192,7 @@ done
 %files jsc-devel
 %{_libexecdir}/webkit2gtk-4.0/jsc
 %dir %{_includedir}/webkitgtk-4.0
+%{_includedir}/webkitgtk-4.0/jsc/
 %{_includedir}/webkitgtk-4.0/JavaScriptCore/
 %{_libdir}/libjavascriptcoregtk-4.0.so
 %{_libdir}/pkgconfig/javascriptcoregtk-4.0.pc
@@ -203,6 +209,9 @@ done
 %endif
 
 %changelog
+* Mon Jun 13 2022 lin zhang <lin.zhang@turbolinux.com.cn> 2.36.3-1
+- Update to 2.36.3
+
 * Fri Jun 10 2022 zhujunhao<zhujunhao11@huawei.com> - 2.32.4-4
 - add wayland-porotocols-devel buildrequires
 
@@ -259,4 +268,3 @@ done
 
 * Wed Sep 18 2019 openEuler Buildteam <buildteam@openeuler.org> - 2.22.2-1
 - Package init
-

webkit2gtk3.yaml

@@ -1,5 +1,5 @@
 version_control: NA
 src_repo: 
 tag_prefix: 
-seperator: 
+separator: 
-url: https://www.webkitgtk.org/releases/
+url: https://www.webkitgtk.org/releases/

webkitgtk-2.32.4.tar.xz.asc

@@ -1,6 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iF0EABEDAB0WIQTX/PYc+aLeqzHYG9Pz0yLQ7EWCwwUCYURqiAAKCRDz0yLQ7EWC
-w9+SAJwN6Q7lTZgc9lxWQL3B4lbRQRmG9QCgs2qAd3eR88c8sf8TYmRMIAYsOeg=
-=DC0M
------END PGP SIGNATURE-----

webkitgtk-2.36.3.tar.xz.asc

@@ -0,0 +1,6 @@
+-----BEGIN PGP SIGNATURE-----
+
+iF0EABECAB0WIQRao7wzT9fjNp58d7KRxVnb5MkSOwUCYpHpvAAKCRCRxVnb5MkS
+O27PAJ9ptAQKzmWX16VWJ1yyn/CaHwKJ8QCfV5gesH/nXmV7IsZn5vv+jDixo58=
+=AWMS
+-----END PGP SIGNATURE-----