fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780

2024-08-26 02:09:02 +00:00 · 2024-08-26 02:09:02 +00:00 · e58db3f574
commit e58db3f574
parent e2dcb86a7a
6 changed files with 145 additions and 3 deletions
--- a/backport-CVE-2024-40779.patch
+++ b/backport-CVE-2024-40779.patch
@ -0,0 +1,41 @@
 From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001
 From: Jean-Yves Avenard <jya@apple.com>
 Date: Fri, 14 Jun 2024 16:08:19 -0700
 Subject: [PATCH] Cherry-pick 272448.1085@safari-7618.3.10-branch
 (ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431
 HeapBufferOverflow in computeSampleUsingLinearInterpolation
 https://bugs.webkit.org/show_bug.cgi?id=275431
 rdar://125617812
 Reviewed by Youenn Fablet.
 Add boundary check.
 This is a copy of blink code for that same function.
 https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
 * Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
 (WebCore::AudioBufferSourceNode::renderFromBuffer):
 Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
 ---
 .../webaudio/AudioBufferSourceNode.cpp        |  6 +++++
 1 file changed, 6 insertions(+)
 diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
 index 298bd48cdff5..740b793e0ec5 100644
 --- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
 +++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
@@ -350,6 +350,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
             if (readIndex2 >= maxFrame)
                 readIndex2 = m_isLooping ? minFrame : readIndex;
 +            // Final sanity check on buffer access.
 +            // FIXME: as an optimization, try to get rid of this inner-loop check and
 +            // put assertions and guards before the loop.
 +            if (readIndex >= bufferLength || readIndex2 >= bufferLength)
 +                break;
 +
             // Linear interpolation.
             for (unsigned i = 0; i < numberOfChannels; ++i) {
                 float* destination = destinationChannels[i];
--- a/backport-CVE-2024-40780.patch
+++ b/backport-CVE-2024-40780.patch
@ -0,0 +1,41 @@
 From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001
 From: Jer Noble <jer.noble@apple.com>
 Date: Tue, 11 Jun 2024 11:54:06 -0700
 Subject: [PATCH] Cherry-pick 272448.1080@safari-7618.3.10-branch
 (64c9479d6f29). https://bugs.webkit.org/show_bug.cgi?id=275273
 Add check in AudioBufferSourceNode::renderFromBuffer() when detune is set to large negative value
 https://bugs.webkit.org/show_bug.cgi?id=275273
 rdar://125617842
 Reviewed by Eric Carlson.
 * Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
 (WebCore::AudioBufferSourceNode::renderFromBuffer):
 Canonical link: https://commits.webkit.org/274313.345@webkitglib/2.44
 ---
 .../webaudio/AudioBufferSourceNode.cpp        |  7 +++++
 1 file changed, 7 insertions(+)
 diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
 index f86bffb9b507..298bd48cdff5 100644
 --- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
 +++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
@@ -328,9 +328,16 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
         virtualReadIndex = readIndex;
     } else if (!pitchRate) {
         unsigned readIndex = static_cast<unsigned>(virtualReadIndex);
 +        int deltaFrames = static_cast<int>(virtualDeltaFrames);
 +        maxFrame = static_cast<unsigned>(virtualMaxFrame);
 +
 +        if (readIndex >= maxFrame)
 +            readIndex -= deltaFrames;
         for (unsigned i = 0; i < numberOfChannels; ++i)
             std::fill_n(destinationChannels[i] + writeIndex, framesToProcess, sourceChannels[i][readIndex]);
 +
 +        virtualReadIndex = readIndex;
     } else if (reverse) {
         unsigned maxFrame = static_cast<unsigned>(virtualMaxFrame);
         unsigned minFrame = static_cast<unsigned>(floorf(virtualMinFrame));
--- a/backport-CVE-2024-4558.patch
+++ b/backport-CVE-2024-4558.patch
@ -0,0 +1,42 @@
 From 9d7ec80f78039e6646fcfc455ab4c05aa393f34c Mon Sep 17 00:00:00 2001
 From: Kimmo Kinnunen <kkinnunen@apple.com>
 Date: Tue, 14 May 2024 22:37:29 -0700
 Subject: [PATCH] Cherry-pick ANGLE.
 https://bugs.webkit.org/show_bug.cgi?id=274165
 https://bugs.webkit.org/show_bug.cgi?id=274165
 rdar://127764804
 Reviewed by Dan Glastonbury.
 Cherry-pick ANGLE upstream commit 1bb1ee061fe0bce322fb93b447a72e72c993a1f2:
 GL: Sync unpack state for glCompressedTexSubImage3D
 Unpack state is supposed to be ignored for compressed tex image calls
 but some drivers use it anyways and read incorrect data.
 Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.
 Bug: chromium:337766133
 Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22
 Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735
 Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
 Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
 Canonical link: https://commits.webkit.org/274313.341@webkitglib/2.44
 ---
 Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp | 1 +
 1 file changed, 1 insertion(+)
 diff --git a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
 index c659aacb9e48..f96eefe53f11 100644
 --- a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
 +++ b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
@@ -664,6 +664,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context,
         nativegl::GetCompressedSubTexImageFormat(functions, features, format);
     stateManager->bindTexture(getType(), mTextureID);
 +    ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack));
     if (nativegl::UseTexImage2D(getType()))
     {
         ASSERT(area.z == 0 && area.depth == 1);
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@ -14,7 +14,7 @@
 Name:           webkit2gtk3
 Version:        2.38.2
-Release:        8
+Release:        9
 Summary:        GTK web content engine library
 License:        LGPLv2
 URL:            https://www.webkitgtk.org/
@ -33,6 +33,9 @@ Patch6001:      backport-CVE-2023-32373.patch
 Patch6002:      backport-CVE-2023-32409.patch
 Patch6003:      backport-Fix-build-with-Ruby-3.2.patch
 Patch6004:      backport-CVE-2023-39928.patch
 Patch6005:      backport-CVE-2024-4558.patch
 Patch6006:      backport-CVE-2024-40779.patch
 Patch6007:      backport-CVE-2024-40780.patch
 #Dependency
 BuildRequires:  bison
@ -291,6 +294,9 @@ popd
 %endif
 %changelog
 * Mon Aug 26 2024 lingsheng <lingsheng1@h-partners.com> - 2.38.2-9
 - fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
 * Wed Oct 11 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.38.2-8
 - fix check_install error
--- a/webkit2gtk4_1.spec
+++ b/webkit2gtk4_1.spec
@ -14,7 +14,7 @@
 Name:           webkit2gtk4.1
 Version:        2.38.2
-Release:        8
+Release:        9
 Summary:        GTK web content engine library
 License:        LGPLv2
 URL:            https://www.webkitgtk.org/
@ -33,6 +33,9 @@ Patch6001:      backport-CVE-2023-32373.patch
 Patch6002:      backport-CVE-2023-32409.patch
 Patch6003:      backport-Fix-build-with-Ruby-3.2.patch
 Patch6004:      backport-CVE-2023-39928.patch
 Patch6005:      backport-CVE-2024-4558.patch
 Patch6006:      backport-CVE-2024-40779.patch
 Patch6007:      backport-CVE-2024-40780.patch
 #Dependency
 BuildRequires:  bison
@ -260,6 +263,9 @@ popd
 %endif
 %changelog
 * Mon Aug 26 2024 lingsheng <lingsheng1@h-partners.com> - 2.38.2-9
 - fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
 * Wed Oct 11 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.38.2-8
 - fix check_install error
--- a/webkit2gtk5_0.spec
+++ b/webkit2gtk5_0.spec
@ -14,7 +14,7 @@
 Name:           webkit2gtk5.0
 Version:        2.38.2
-Release:        8
+Release:        9
 Summary:        GTK web content engine library
 License:        LGPLv2
 URL:            https://www.webkitgtk.org/
@ -33,6 +33,9 @@ Patch6001:      backport-CVE-2023-32373.patch
 Patch6002:      backport-CVE-2023-32409.patch
 Patch6003:      backport-Fix-build-with-Ruby-3.2.patch
 Patch6004:      backport-CVE-2023-39928.patch
 Patch6005:      backport-CVE-2024-4558.patch
 Patch6006:      backport-CVE-2024-40779.patch
 Patch6007:      backport-CVE-2024-40780.patch
 #Dependency
 BuildRequires:  bison
@ -260,6 +263,9 @@ popd
 %endif
 %changelog
 * Mon Aug 26 2024 lingsheng <lingsheng1@h-partners.com> - 2.38.2-9
 - fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
 * Wed Oct 11 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.38.2-8
 - fix check_install error