packages/webkitgtk
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-28204 CVE-2023-32373 CVE-2023-32409

Browse Source
This commit is contained in:
zhangpan 2023-05-29 09:16:09 +00:00
parent 7110193e70
commit 47818e499a
4 changed files with 178 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

102
backport-CVE-2023-28204.patch Normal file
View File

@ -0,0 +1,102 @@
From e34edaa74575ee13efcebdb7672b949a743ab32a Mon Sep 17 00:00:00 2001
From: Michael Saboff <msaboff@apple.com>
Date: Mon, 3 Apr 2023 20:25:08 -0700
Subject: [PATCH] [JSC] RegExpGlobalData::performMatch issue leading to OOB
read https://bugs.webkit.org/show_bug.cgi?id=254930 rdar://107436732
Reviewed by Alexey Shvayka.
Fixed two issues:
1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
characters. Since it is an assertion, we shouldn't advance the character position.
Made the same fix to matchAssertionEOL().
2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
a non-BMP character for the case where the RegExp match is empty.
* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
(JSC::Yarr::Interpreter::matchAssertionBOL):
(JSC::Yarr::Interpreter::matchAssertionEOL):
Canonical link: https://commits.webkit.org/259548.551@safari-7615-branch
---
.../runtime/StringPrototype.cpp | 10 ++++++++++
.../JavaScriptCore/yarr/YarrInterpreter.cpp | 19 +++++++++++++++++--
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
index 08104b1d..459295f7 100644
--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
}
} else {
@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
} while (global);
}
diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
index 95a848a1..d222e620 100644
--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
@@ -209,6 +209,21 @@ public:
}
return result;
}
+
+ int readCheckedDontAdvance(unsigned negativePositionOffest)
+ {
+ RELEASE_ASSERT(pos >= negativePositionOffest);
+ unsigned p = pos - negativePositionOffest;
+ ASSERT(p < length);
+ int result = input[p];
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
+ if (atEnd())
+ return -1;
+
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
+ }
+ return result;
+ }
int readSurrogatePairChecked(unsigned negativePositionOffset)
{
@@ -482,13 +497,13 @@ public:
bool matchAssertionBOL(ByteTerm& term)
{
- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
+ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
}
bool matchAssertionEOL(ByteTerm& term)
{
if (term.inputPosition)
- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
+ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read()));
}
--
2.33.0

36
backport-CVE-2023-32373.patch Normal file
View File

@ -0,0 +1,36 @@
From 85fd2302d16a09a82d9a6e81eb286babb23c4b3c Mon Sep 17 00:00:00 2001
From: Antoine Quint <graouts@webkit.org>
Date: Mon, 22 May 2023 13:37:32 -0700
Subject: [PATCH] Potential use-after-free in WebAnimation::commitStyles
https://bugs.webkit.org/show_bug.cgi?id=254840 rdar://107444873
Reviewed by Dean Jackson and Darin Adler.
Ensure that the animation's effect and target are kept alive for the duration of this method
since it is possible that calling updateStyleIfNeeded() could call into JavaScript and thus
these two pointers could be changed to a null value using the Web Animations API.
* Source/WebCore/animation/WebAnimation.cpp:
(WebCore::WebAnimation::commitStyles):
Originally-landed-as: 259548.532@safari-7615-branch (1d6fe184ea53). rdar://107444873
Canonical link: https://commits.webkit.org/264363@main
---
Source/WebCore/animation/WebAnimation.cpp | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Source/WebCore/animation/WebAnimation.cpp b/Source/WebCore/animation/WebAnimation.cpp
index 68ea47985807..ae20c79c36cf 100644
--- a/Source/WebCore/animation/WebAnimation.cpp
+++ b/Source/WebCore/animation/WebAnimation.cpp
@@ -1531,8 +1531,8 @@ ExceptionOr<void> WebAnimation::commitStyles()
// https://drafts.csswg.org/web-animations-1/#commit-computed-styles
// 1. Let targets be the set of all effect targets for animation effects associated with animation.
- auto* effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
- auto* target = effect ? effect->target() : nullptr;
+ RefPtr effect = dynamicDowncast<KeyframeEffect>(m_effect.get());
+ RefPtr target = effect ? effect->target() : nullptr;
// 2. For each target in targets:
//

32
backport-CVE-2023-32409.patch Normal file
View File

@ -0,0 +1,32 @@
From 54408f5746f2401721bd56d71de132a22b6f9856 Mon Sep 17 00:00:00 2001
From: Mike Wyrzykowski <mwyrzykowski@apple.com>
Date: Wed, 12 Apr 2023 17:30:56 -0700
Subject: [PATCH] [WebGPU] RemoteBuffer unmap should check the input vector
https://bugs.webkit.org/show_bug.cgi?id=255350 <rdar://107947502>
Reviewed by Myles C. Maxfield.
Ensure data vector passed to unmap is valid for the currently
mapped buffer.
* Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp:
(WebKit::RemoteBuffer::unmap):
Canonical link: https://commits.webkit.org/262895@main
---
Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp b/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
index f533f5c30c32b..ec12ea2ac171b 100644
--- a/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
+++ b/Source/WebKit/GPUProcess/graphics/WebGPU/RemoteBuffer.cpp
@@ -79,7 +79,7 @@ void RemoteBuffer::getMappedRange(PAL::WebGPU::Size64 offset, std::optional<PAL:
void RemoteBuffer::unmap(Vector<uint8_t>&& data)
{
- if (!m_mappedRange)
+ if (!m_mappedRange || m_mappedRange->byteLength < data.size())
return;
ASSERT(m_isMapped);

9
webkit2gtk3.spec
View File

@ -14,7 +14,7 @@
Name: webkit2gtk3 Name: webkit2gtk3
Version: 2.38.2 Version: 2.38.2
Release: 3 Release: 4
Summary: GTK web content engine library Summary: GTK web content engine library
License: LGPLv2 License: LGPLv2
URL: https://www.webkitgtk.org/ URL: https://www.webkitgtk.org/
@ -28,6 +28,10 @@ Patch0001: 0001-webkitgtk-add-loongarch.patch
Patch0002: webkitgtk-2.32.1-sw.patch Patch0002: webkitgtk-2.32.1-sw.patch
%endif %endif
Patch6000: backport-CVE-2023-28204.patch
Patch6001: backport-CVE-2023-32373.patch
Patch6002: backport-CVE-2023-32409.patch
#Dependency #Dependency
BuildRequires: bison BuildRequires: bison
BuildRequires: bubblewrap BuildRequires: bubblewrap
@ -563,6 +567,9 @@ popd
%endif %endif
%changelog %changelog
* Mon May 29 2023 zhangpan <zhangpan103@h-partners.com> - 2.38.2-4
- fix CVE-2023-28204 CVE-2023-32373 CVE-2023-32409
* Fri Mar 17 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.38.2-3 * Fri Mar 17 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.38.2-3
- strip binary files - strip binary files