fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
This commit is contained in:
lingsheng
parent
e2dcb86a7a
commit
e58db3f574
41
backport-CVE-2024-40779.patch
Normal file
41
backport-CVE-2024-40779.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001
|
||||
From: Jean-Yves Avenard <jya@apple.com>
|
||||
Date: Fri, 14 Jun 2024 16:08:19 -0700
|
||||
Subject: [PATCH] Cherry-pick 272448.1085@safari-7618.3.10-branch
|
||||
(ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431
|
||||
|
||||
HeapBufferOverflow in computeSampleUsingLinearInterpolation
|
||||
https://bugs.webkit.org/show_bug.cgi?id=275431
|
||||
rdar://125617812
|
||||
|
||||
Reviewed by Youenn Fablet.
|
||||
|
||||
Add boundary check.
|
||||
This is a copy of blink code for that same function.
|
||||
https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
|
||||
|
||||
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
|
||||
(WebCore::AudioBufferSourceNode::renderFromBuffer):
|
||||
|
||||
Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
|
||||
---
|
||||
.../webaudio/AudioBufferSourceNode.cpp | 6 +++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
|
||||
index 298bd48cdff5..740b793e0ec5 100644
|
||||
--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
|
||||
+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
|
||||
@@ -350,6 +350,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
|
||||
if (readIndex2 >= maxFrame)
|
||||
readIndex2 = m_isLooping ? minFrame : readIndex;
|
||||
|
||||
+ // Final sanity check on buffer access.
|
||||
+ // FIXME: as an optimization, try to get rid of this inner-loop check and
|
||||
+ // put assertions and guards before the loop.
|
||||
+ if (readIndex >= bufferLength || readIndex2 >= bufferLength)
|
||||
+ break;
|
||||
+
|
||||
// Linear interpolation.
|
||||
for (unsigned i = 0; i < numberOfChannels; ++i) {
|
||||
float* destination = destinationChannels[i];
|
||||
41
backport-CVE-2024-40780.patch
Normal file
41
backport-CVE-2024-40780.patch
Normal file
@ -0,0 +1,41 @@
|
||||
From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001
|
||||
From: Jer Noble <jer.noble@apple.com>
|
||||
Date: Tue, 11 Jun 2024 11:54:06 -0700
|
||||
Subject: [PATCH] Cherry-pick 272448.1080@safari-7618.3.10-branch
|
||||
(64c9479d6f29). https://bugs.webkit.org/show_bug.cgi?id=275273
|
||||
|
||||
Add check in AudioBufferSourceNode::renderFromBuffer() when detune is set to large negative value
|
||||
https://bugs.webkit.org/show_bug.cgi?id=275273
|
||||
rdar://125617842
|
||||
|
||||
Reviewed by Eric Carlson.
|
||||
|
||||
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
|
||||
(WebCore::AudioBufferSourceNode::renderFromBuffer):
|
||||
|
||||
Canonical link: https://commits.webkit.org/274313.345@webkitglib/2.44
|
||||
---
|
||||
.../webaudio/AudioBufferSourceNode.cpp | 7 +++++
|
||||
1 file changed, 7 insertions(+)
|
||||
|
||||
diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
|
||||
index f86bffb9b507..298bd48cdff5 100644
|
||||
--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
|
||||
+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
|
||||
@@ -328,9 +328,16 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
|
||||
virtualReadIndex = readIndex;
|
||||
} else if (!pitchRate) {
|
||||
unsigned readIndex = static_cast<unsigned>(virtualReadIndex);
|
||||
+ int deltaFrames = static_cast<int>(virtualDeltaFrames);
|
||||
+ maxFrame = static_cast<unsigned>(virtualMaxFrame);
|
||||
+
|
||||
+ if (readIndex >= maxFrame)
|
||||
+ readIndex -= deltaFrames;
|
||||
|
||||
for (unsigned i = 0; i < numberOfChannels; ++i)
|
||||
std::fill_n(destinationChannels[i] + writeIndex, framesToProcess, sourceChannels[i][readIndex]);
|
||||
+
|
||||
+ virtualReadIndex = readIndex;
|
||||
} else if (reverse) {
|
||||
unsigned maxFrame = static_cast<unsigned>(virtualMaxFrame);
|
||||
unsigned minFrame = static_cast<unsigned>(floorf(virtualMinFrame));
|
||||
42
backport-CVE-2024-4558.patch
Normal file
42
backport-CVE-2024-4558.patch
Normal file
@ -0,0 +1,42 @@
|
||||
From 9d7ec80f78039e6646fcfc455ab4c05aa393f34c Mon Sep 17 00:00:00 2001
|
||||
From: Kimmo Kinnunen <kkinnunen@apple.com>
|
||||
Date: Tue, 14 May 2024 22:37:29 -0700
|
||||
Subject: [PATCH] Cherry-pick ANGLE.
|
||||
https://bugs.webkit.org/show_bug.cgi?id=274165
|
||||
|
||||
https://bugs.webkit.org/show_bug.cgi?id=274165
|
||||
rdar://127764804
|
||||
|
||||
Reviewed by Dan Glastonbury.
|
||||
|
||||
Cherry-pick ANGLE upstream commit 1bb1ee061fe0bce322fb93b447a72e72c993a1f2:
|
||||
|
||||
GL: Sync unpack state for glCompressedTexSubImage3D
|
||||
|
||||
Unpack state is supposed to be ignored for compressed tex image calls
|
||||
but some drivers use it anyways and read incorrect data.
|
||||
|
||||
Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.
|
||||
|
||||
Bug: chromium:337766133
|
||||
Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22
|
||||
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735
|
||||
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
|
||||
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
|
||||
Canonical link: https://commits.webkit.org/274313.341@webkitglib/2.44
|
||||
---
|
||||
Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
|
||||
index c659aacb9e48..f96eefe53f11 100644
|
||||
--- a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
|
||||
+++ b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
|
||||
@@ -664,6 +664,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context,
|
||||
nativegl::GetCompressedSubTexImageFormat(functions, features, format);
|
||||
|
||||
stateManager->bindTexture(getType(), mTextureID);
|
||||
+ ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack));
|
||||
if (nativegl::UseTexImage2D(getType()))
|
||||
{
|
||||
ASSERT(area.z == 0 && area.depth == 1);
|
||||
@ -14,7 +14,7 @@
|
||||
|
||||
Name: webkit2gtk3
|
||||
Version: 2.38.2
|
||||
Release: 8
|
||||
Release: 9
|
||||
Summary: GTK web content engine library
|
||||
License: LGPLv2
|
||||
URL: https://www.webkitgtk.org/
|
||||
@ -33,6 +33,9 @@ Patch6001: backport-CVE-2023-32373.patch
|
||||
Patch6002: backport-CVE-2023-32409.patch
|
||||
Patch6003: backport-Fix-build-with-Ruby-3.2.patch
|
||||
Patch6004: backport-CVE-2023-39928.patch
|
||||
Patch6005: backport-CVE-2024-4558.patch
|
||||
Patch6006: backport-CVE-2024-40779.patch
|
||||
Patch6007: backport-CVE-2024-40780.patch
|
||||
|
||||
#Dependency
|
||||
BuildRequires: bison
|
||||
@ -291,6 +294,9 @@ popd
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 26 2024 lingsheng <lingsheng1@h-partners.com> - 2.38.2-9
|
||||
- fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
|
||||
|
||||
* Wed Oct 11 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.38.2-8
|
||||
- fix check_install error
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@
|
||||
|
||||
Name: webkit2gtk4.1
|
||||
Version: 2.38.2
|
||||
Release: 8
|
||||
Release: 9
|
||||
Summary: GTK web content engine library
|
||||
License: LGPLv2
|
||||
URL: https://www.webkitgtk.org/
|
||||
@ -33,6 +33,9 @@ Patch6001: backport-CVE-2023-32373.patch
|
||||
Patch6002: backport-CVE-2023-32409.patch
|
||||
Patch6003: backport-Fix-build-with-Ruby-3.2.patch
|
||||
Patch6004: backport-CVE-2023-39928.patch
|
||||
Patch6005: backport-CVE-2024-4558.patch
|
||||
Patch6006: backport-CVE-2024-40779.patch
|
||||
Patch6007: backport-CVE-2024-40780.patch
|
||||
|
||||
#Dependency
|
||||
BuildRequires: bison
|
||||
@ -260,6 +263,9 @@ popd
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 26 2024 lingsheng <lingsheng1@h-partners.com> - 2.38.2-9
|
||||
- fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
|
||||
|
||||
* Wed Oct 11 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.38.2-8
|
||||
- fix check_install error
|
||||
|
||||
|
||||
@ -14,7 +14,7 @@
|
||||
|
||||
Name: webkit2gtk5.0
|
||||
Version: 2.38.2
|
||||
Release: 8
|
||||
Release: 9
|
||||
Summary: GTK web content engine library
|
||||
License: LGPLv2
|
||||
URL: https://www.webkitgtk.org/
|
||||
@ -33,6 +33,9 @@ Patch6001: backport-CVE-2023-32373.patch
|
||||
Patch6002: backport-CVE-2023-32409.patch
|
||||
Patch6003: backport-Fix-build-with-Ruby-3.2.patch
|
||||
Patch6004: backport-CVE-2023-39928.patch
|
||||
Patch6005: backport-CVE-2024-4558.patch
|
||||
Patch6006: backport-CVE-2024-40779.patch
|
||||
Patch6007: backport-CVE-2024-40780.patch
|
||||
|
||||
#Dependency
|
||||
BuildRequires: bison
|
||||
@ -260,6 +263,9 @@ popd
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Mon Aug 26 2024 lingsheng <lingsheng1@h-partners.com> - 2.38.2-9
|
||||
- fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
|
||||
|
||||
* Wed Oct 11 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.38.2-8
|
||||
- fix check_install error
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user