From 52f63ec1f5df82e23acf9e324eb545257fce4c49 Mon Sep 17 00:00:00 2001 From: lingsheng <860373352@qq.com> Date: Fri, 23 Aug 2024 07:51:31 +0000 Subject: [PATCH] fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780 --- backport-CVE-2024-40779.patch | 47 ++++++++++++++++++++++++++++++++++ backport-CVE-2024-40780.patch | 46 +++++++++++++++++++++++++++++++++ backport-CVE-2024-4558.patch | 48 +++++++++++++++++++++++++++++++++++ webkit2gtk3.spec | 8 +++++- 4 files changed, 148 insertions(+), 1 deletion(-) create mode 100644 backport-CVE-2024-40779.patch create mode 100644 backport-CVE-2024-40780.patch create mode 100644 backport-CVE-2024-4558.patch diff --git a/backport-CVE-2024-40779.patch b/backport-CVE-2024-40779.patch new file mode 100644 index 0000000..036fe88 --- /dev/null +++ b/backport-CVE-2024-40779.patch @@ -0,0 +1,47 @@ +From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001 +From: Jean-Yves Avenard +Date: Fri, 14 Jun 2024 16:08:19 -0700 +Subject: [PATCH] Cherry-pick 272448.1085@safari-7618.3.10-branch + (ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431 + +HeapBufferOverflow in computeSampleUsingLinearInterpolation +https://bugs.webkit.org/show_bug.cgi?id=275431 +rdar://125617812 + +Reviewed by Youenn Fablet. + +Add boundary check. +This is a copy of blink code for that same function. +https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341 + +* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp: +(WebCore::AudioBufferSourceNode::renderFromBuffer): + +Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44 + +Reference:https://github.com/WebKit/WebKit/commit/2fe5ae29a5f6434ef456afe9673a4f400ec63848 +Conflict:Adapt context +--- + Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp +index fbd2b63..d98bdaf 100644 +--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp ++++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp +@@ -323,6 +323,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination + if (readIndex2 >= maxFrame) + readIndex2 = loop() ? minFrame : maxFrame - 1; + ++ // Final sanity check on buffer access. ++ // FIXME: as an optimization, try to get rid of this inner-loop check and ++ // put assertions and guards before the loop. ++ if (readIndex >= bufferLength || readIndex2 >= bufferLength) ++ break; ++ + // Linear interpolation. + for (unsigned i = 0; i < numberOfChannels; ++i) { + float* destination = destinationChannels[i]; +-- +2.33.0 + diff --git a/backport-CVE-2024-40780.patch b/backport-CVE-2024-40780.patch new file mode 100644 index 0000000..abf03d5 --- /dev/null +++ b/backport-CVE-2024-40780.patch @@ -0,0 +1,46 @@ +From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001 +From: Jer Noble +Date: Tue, 11 Jun 2024 11:54:06 -0700 +Subject: [PATCH] Cherry-pick 272448.1080@safari-7618.3.10-branch + (64c9479d6f29). https://bugs.webkit.org/show_bug.cgi?id=275273 + +Add check in AudioBufferSourceNode::renderFromBuffer() when detune is set to large negative value +https://bugs.webkit.org/show_bug.cgi?id=275273 +rdar://125617842 + +Reviewed by Eric Carlson. + +* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp: +(WebCore::AudioBufferSourceNode::renderFromBuffer): + +Canonical link: https://commits.webkit.org/274313.345@webkitglib/2.44 + +Reference:https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5 +Conflict:Adapt context +--- + Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp +index d98bdaf..0c87230 100644 +--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp ++++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp +@@ -308,9 +308,15 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination + virtualReadIndex = readIndex; + } else if (!pitchRate) { + unsigned readIndex = static_cast(virtualReadIndex); ++ int deltaFrames = static_cast(virtualDeltaFrames); ++ maxFrame = static_cast(virtualMaxFrame); ++ ++ if (readIndex >= maxFrame) ++ readIndex -= deltaFrames; + + for (unsigned i = 0; i < numberOfChannels; ++i) + std::fill_n(destinationChannels[i], framesToProcess, sourceChannels[i][readIndex]); ++ virtualReadIndex = readIndex; + } else if (reverse) { + unsigned maxFrame = static_cast(virtualMaxFrame); + unsigned minFrame = static_cast(floorf(virtualMinFrame)); +-- +2.33.0 + diff --git a/backport-CVE-2024-4558.patch b/backport-CVE-2024-4558.patch new file mode 100644 index 0000000..605deec --- /dev/null +++ b/backport-CVE-2024-4558.patch @@ -0,0 +1,48 @@ +From 9d7ec80f78039e6646fcfc455ab4c05aa393f34c Mon Sep 17 00:00:00 2001 +From: Kimmo Kinnunen +Date: Tue, 14 May 2024 22:37:29 -0700 +Subject: [PATCH] Cherry-pick ANGLE. + https://bugs.webkit.org/show_bug.cgi?id=274165 + +https://bugs.webkit.org/show_bug.cgi?id=274165 +rdar://127764804 + +Reviewed by Dan Glastonbury. + +Cherry-pick ANGLE upstream commit 1bb1ee061fe0bce322fb93b447a72e72c993a1f2: + +GL: Sync unpack state for glCompressedTexSubImage3D + +Unpack state is supposed to be ignored for compressed tex image calls +but some drivers use it anyways and read incorrect data. + +Texture3DTestES3.PixelUnpackStateTexSubImage covers this case. + +Bug: chromium:337766133 +Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22 +Reviewed-on:https://chromium-review.googlesource.com/c/angle/angle/+/5498735 +Commit-Queue: Shahbaz Youssefi +Reviewed-by: Shahbaz Youssefi +Canonical link: https://commits.webkit.org/274313.341@webkitglib/2.44 + +Reference:https://github.com/WebKit/WebKit/commit/9d7ec80f78039e6646fcfc455ab4c05aa393f34c +Conflict:StateManager->mStateManager,adapt context +--- + Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp +index 2ff6fbc..d0fea5d 100644 +--- a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp ++++ b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp +@@ -530,6 +530,7 @@ gl::Error TextureGL::setCompressedSubImage(const gl::Context *context, + nativegl::GetCompressedSubTexImageFormat(mFunctions, mWorkarounds, format); + + mStateManager->bindTexture(getTarget(), mTextureID); ++ ANGLE_TRY(mStateManager->setPixelUnpackState(context, unpack)); + if (UseTexImage2D(getTarget())) + { + ASSERT(area.z == 0 && area.depth == 1); +-- +2.33.0 + diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec index 5870860..19492f6 100644 --- a/webkit2gtk3.spec +++ b/webkit2gtk3.spec @@ -9,7 +9,7 @@ #Basic Information Name: webkit2gtk3 Version: 2.22.2 -Release: 12 +Release: 13 Summary: GTK+ Web content engine library License: LGPLv2 URL: http://www.webkitgtk.org/ @@ -23,6 +23,9 @@ Patch2: cloop-big-endians.patch Patch3: python2.patch Patch4: webkit-aarch64_page_size.patch Patch6000: backport-CVE-2023-28204.patch +Patch6001: backport-CVE-2024-4558.patch +Patch6002: backport-CVE-2024-40779.patch +Patch6003: backport-CVE-2024-40780.patch #Dependency BuildRequires: at-spi2-core-devel bison cairo-devel cmake enchant2-devel @@ -189,6 +192,9 @@ done %{_datadir}/gtk-doc/html/webkitdomgtk-4.0/ %changelog +* Fri Aug 23 2024 lingsheng - 2.22.2-13 +- fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780 + * Mon May 29 2023 zhangpan - 2.22.2-12 - fix CVE-2023-28204 -- Gitee