Compare commits


10 Commits

Author SHA1 Message Date
openeuler-ci-bot
65d757a65f
!129 Adapt repo name webkitgtk
From: @ultra_planet 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2025-05-09 08:14:16 +00:00
lingsheng
97254a09f5 Adapt repo name webkitgtk 2025-05-09 11:08:44 +08:00
openeuler-ci-bot
d9b931fdab
!108 fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
From: @ultra_planet 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2024-08-26 11:05:41 +00:00
lingsheng
52f63ec1f5 fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780 2024-08-23 08:03:07 +00:00
openeuler-ci-bot
b3a9312816
!76 fix CVE-2023-28204
From: @zppzhangpan 
Reviewed-by: @t_feng 
Signed-off-by: @t_feng
2023-05-30 09:24:31 +00:00
zhangpan
8ad4a014d8 fix CVE-2023-28204 2023-05-29 09:32:45 +00:00
openeuler-ci-bot
13c0873dab !19 modify BuildRequires to enchant2-devel
From: @jinzhimin369
Reviewed-by: @orange-snn
Signed-off-by: @orange-snn
2021-04-28 11:19:02 +08:00
jinzhimin369
77ff8b00c3 modify BuildRequires to enchant2-devel 2021-01-18 20:46:56 +08:00
openeuler-ci-bot
73a08c8720 !14 修改license
From: @shirely16
Reviewed-by: @orange-snn
Signed-off-by: @orange-snn
2020-12-15 20:42:13 +08:00
18302918689
ec92be7000 modify license 2020-12-15 18:44:17 +08:00
5 changed files with 265 additions and 3 deletions


@ -0,0 +1,102 @@
From e34edaa74575ee13efcebdb7672b949a743ab32a Mon Sep 17 00:00:00 2001
From: Michael Saboff <msaboff@apple.com>
Date: Mon, 3 Apr 2023 20:25:08 -0700
Subject: [PATCH] [JSC] RegExpGlobalData::performMatch issue leading to OOB
read https://bugs.webkit.org/show_bug.cgi?id=254930 rdar://107436732
Reviewed by Alexey Shvayka.
Fixed two issues:
1) In YarrInterpreter.cpp::matchAssertionBOL() we were advancing the string position for non-BMP
characters. Since it is an assertion, we shouldn't advance the character position.
Made the same fix to matchAssertionEOL().
2) In StringPrototype.cpp::replaceUsingRegExpSearch(), we need to advance past both elements of
a non-BMP character for the case where the RegExp match is empty.
* JSTests/stress/string-replace-regexp-matchBOL-correct-advancing.js: New test.
* Source/JavaScriptCore/runtime/StringPrototype.cpp:
(JSC::replaceUsingRegExpSearch):
* Source/JavaScriptCore/yarr/YarrInterpreter.cpp:
(JSC::Yarr::Interpreter::InputStream::readCheckedDontAdvance):
(JSC::Yarr::Interpreter::matchAssertionBOL):
(JSC::Yarr::Interpreter::matchAssertionEOL):
Canonical link: https://commits.webkit.org/259548.551@safari-7615-branch
---
.../runtime/StringPrototype.cpp | 10 ++++++++++
.../JavaScriptCore/yarr/YarrInterpreter.cpp | 19 +++++++++++++++++--
2 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/Source/JavaScriptCore/runtime/StringPrototype.cpp b/Source/JavaScriptCore/runtime/StringPrototype.cpp
index 08104b1d..459295f7 100644
--- a/Source/JavaScriptCore/runtime/StringPrototype.cpp
+++ b/Source/JavaScriptCore/runtime/StringPrototype.cpp
@@ -603,6 +603,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
}
} else {
@@ -682,6 +687,11 @@ static ALWAYS_INLINE JSString* replaceUsingRegExpSearch(
startPosition++;
if (startPosition > sourceLen)
break;
+ if (U16_IS_LEAD(source[startPosition - 1]) && U16_IS_TRAIL(source[startPosition])) {
+ startPosition++;
+ if (startPosition > sourceLen)
+ break;
+ }
}
} while (global);
}
diff --git a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
index 95a848a1..d222e620 100644
--- a/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
+++ b/Source/JavaScriptCore/yarr/YarrInterpreter.cpp
@@ -209,6 +209,21 @@ public:
}
return result;
}
+
+ int readCheckedDontAdvance(unsigned negativePositionOffest)
+ {
+ RELEASE_ASSERT(pos >= negativePositionOffest);
+ unsigned p = pos - negativePositionOffest;
+ ASSERT(p < length);
+ int result = input[p];
+ if (U16_IS_LEAD(result) && decodeSurrogatePairs && p + 1 < length && U16_IS_TRAIL(input[p + 1])) {
+ if (atEnd())
+ return -1;
+
+ result = U16_GET_SUPPLEMENTARY(result, input[p + 1]);
+ }
+ return result;
+ }
int readSurrogatePairChecked(unsigned negativePositionOffset)
{
@@ -482,13 +497,13 @@ public:
bool matchAssertionBOL(ByteTerm& term)
{
- return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition + 1)));
+ return (input.atStart(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition + 1)));
}
bool matchAssertionEOL(ByteTerm& term)
{
if (term.inputPosition)
- return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readChecked(term.inputPosition)));
+ return (input.atEnd(term.inputPosition)) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.readCheckedDontAdvance(term.inputPosition)));
return (input.atEnd()) || (pattern->multiline() && testCharacterClass(pattern->newlineCharacterClass, input.read()));
}
--
2.33.0
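Review bot: In both StringPrototype.cpp hunks the new surrogate test reads `source[startPosition]` right after a guard that only rejects `startPosition > sourceLen`, so with `startPosition == sourceLen` the trail check indexes one past the last character; if `source` is a WTF::String its `operator[]` returns 0 out of range and this is benign, but if it is a StringView (or the 2.22.2 tree differs from upstream here) only a debug ASSERT stands in the way, and `startPosition < sourceLen && U16_IS_TRAIL(source[startPosition])` makes the bound explicit at no cost. `replaceUsingRegExpSearch` begins and ends outside both hunks, so the type of `source` cannot be confirmed from the patch. In YarrInterpreter.cpp, `readCheckedDontAdvance` carries the same debug-only `ASSERT(p < length)` as `readChecked`, so in release builds the in-range precondition rests on `matchAssertionBOL`/`matchAssertionEOL`; a one-line comment above the ASSERT, `// Precondition: p < length (debug-checked only; callers pass a position already validated against the input).`, would record that contract for the next backport.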


@ -0,0 +1,47 @@
From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001
From: Jean-Yves Avenard <jya@apple.com>
Date: Fri, 14 Jun 2024 16:08:19 -0700
Subject: [PATCH] Cherry-pick 272448.1085@safari-7618.3.10-branch
(ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431
HeapBufferOverflow in computeSampleUsingLinearInterpolation
https://bugs.webkit.org/show_bug.cgi?id=275431
rdar://125617812
Reviewed by Youenn Fablet.
Add boundary check.
This is a copy of blink code for that same function.
https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):
Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
Reference:https://github.com/WebKit/WebKit/commit/2fe5ae29a5f6434ef456afe9673a4f400ec63848
Conflict:Adapt context
---
Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
index fbd2b63..d98bdaf 100644
--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
@@ -323,6 +323,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
if (readIndex2 >= maxFrame)
readIndex2 = loop() ? minFrame : maxFrame - 1;
+ // Final sanity check on buffer access.
+ // FIXME: as an optimization, try to get rid of this inner-loop check and
+ // put assertions and guards before the loop.
+ if (readIndex >= bufferLength || readIndex2 >= bufferLength)
+ break;
+
// Linear interpolation.
for (unsigned i = 0; i < numberOfChannels; ++i) {
float* destination = destinationChannels[i];
--
2.33.0
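Review bot: The new guard compares against `bufferLength`, which is declared nowhere in the hunk, and the header records `Conflict:Adapt context`, so confirm that `renderFromBuffer` in the 2.22.2 tree still has `bufferLength` bound to the source buffer's frame count (upstream takes it from the AudioBuffer's length) rather than a differently named or stale local — a comparison against the wrong length compiles and still leaves `sourceChannels[i][readIndex]` readable past the end. The `break` exits the enclosing per-frame loop, whose header and the remainder of `renderFromBuffer` lie outside the hunk, so whether the unfilled tail of the destination is zeroed must be checked there. The FIXME inherited from Blink suggests hoisting the check; for this backport keeping it inside the loop is the safer choice, and a short comment saying so, `// Kept in the inner loop on purpose for this backport: readIndex/readIndex2 are derived from a double and must never index sourceChannels out of range.`, would stop a later cleanup from dropping it.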


@ -0,0 +1,46 @@
From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001
From: Jer Noble <jer.noble@apple.com>
Date: Tue, 11 Jun 2024 11:54:06 -0700
Subject: [PATCH] Cherry-pick 272448.1080@safari-7618.3.10-branch
(64c9479d6f29). https://bugs.webkit.org/show_bug.cgi?id=275273
Add check in AudioBufferSourceNode::renderFromBuffer() when detune is set to large negative value
https://bugs.webkit.org/show_bug.cgi?id=275273
rdar://125617842
Reviewed by Eric Carlson.
* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
(WebCore::AudioBufferSourceNode::renderFromBuffer):
Canonical link: https://commits.webkit.org/274313.345@webkitglib/2.44
Reference:https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5
Conflict:Adapt context
---
Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
index d98bdaf..0c87230 100644
--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
@@ -308,9 +308,15 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
virtualReadIndex = readIndex;
} else if (!pitchRate) {
unsigned readIndex = static_cast<unsigned>(virtualReadIndex);
+ int deltaFrames = static_cast<int>(virtualDeltaFrames);
+ maxFrame = static_cast<unsigned>(virtualMaxFrame);
+
+ if (readIndex >= maxFrame)
+ readIndex -= deltaFrames;
for (unsigned i = 0; i < numberOfChannels; ++i)
std::fill_n(destinationChannels[i], framesToProcess, sourceChannels[i][readIndex]);
+ virtualReadIndex = readIndex;
} else if (reverse) {
unsigned maxFrame = static_cast<unsigned>(virtualMaxFrame);
unsigned minFrame = static_cast<unsigned>(floorf(virtualMinFrame));
--
2.33.0
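Review bot: After `readIndex -= deltaFrames;` the corrected index goes straight into `sourceChannels[i][readIndex]` without a further check, so if `readIndex` had overshot `maxFrame` by more than one loop length the fill still reads out of bounds; a second guard after the subtraction, `if (readIndex >= maxFrame) return false;` (or whatever early-exit `renderFromBuffer`, which starts outside the hunk, already uses for an unrenderable state), closes that gap. The line `maxFrame = static_cast<unsigned>(virtualMaxFrame);` assigns to a `maxFrame` that is not declared in the hunk while the `reverse` branch just below declares its own `unsigned maxFrame`, so given the `Conflict:Adapt context` note confirm that an outer `maxFrame` exists in the 2.22.2 tree and that the assignment is not silently shadowed. A comment above the guard would preserve the rationale from the bug title: `// readIndex may already sit past maxFrame here (bug 275273); step it back by one loop length before indexing.`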


@ -0,0 +1,48 @@
From 9d7ec80f78039e6646fcfc455ab4c05aa393f34c Mon Sep 17 00:00:00 2001
From: Kimmo Kinnunen <kkinnunen@apple.com>
Date: Tue, 14 May 2024 22:37:29 -0700
Subject: [PATCH] Cherry-pick ANGLE.
https://bugs.webkit.org/show_bug.cgi?id=274165
https://bugs.webkit.org/show_bug.cgi?id=274165
rdar://127764804
Reviewed by Dan Glastonbury.
Cherry-pick ANGLE upstream commit 1bb1ee061fe0bce322fb93b447a72e72c993a1f2:
GL: Sync unpack state for glCompressedTexSubImage3D
Unpack state is supposed to be ignored for compressed tex image calls
but some drivers use it anyways and read incorrect data.
Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.
Bug: chromium:337766133
Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22
Reviewed-on:https://chromium-review.googlesource.com/c/angle/angle/+/5498735
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
Canonical link: https://commits.webkit.org/274313.341@webkitglib/2.44
Reference:https://github.com/WebKit/WebKit/commit/9d7ec80f78039e6646fcfc455ab4c05aa393f34c
Conflict:StateManager->mStateManager,adapt context
---
Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
index 2ff6fbc..d0fea5d 100644
--- a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
+++ b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
@@ -530,6 +530,7 @@ gl::Error TextureGL::setCompressedSubImage(const gl::Context *context,
nativegl::GetCompressedSubTexImageFormat(mFunctions, mWorkarounds, format);
mStateManager->bindTexture(getTarget(), mTextureID);
+ ANGLE_TRY(mStateManager->setPixelUnpackState(context, unpack));
if (UseTexImage2D(getTarget()))
{
ASSERT(area.z == 0 && area.depth == 1);
--
2.33.0
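Review bot: `ANGLE_TRY(mStateManager->setPixelUnpackState(context, unpack));` depends on a `setPixelUnpackState(const gl::Context *, const gl::PixelUnpackState &)` overload whose return type `ANGLE_TRY` can unwrap; the hunk header shows this tree's `setCompressedSubImage` still returns `gl::Error` whereas the upstream ANGLE commit targets `angle::Result`, and the patch was hand-adapted (`StateManager->mStateManager`), so confirm that the StateManagerGL in Source/ThirdParty/ANGLE of 2.22.2 has that two-argument, error-returning form rather than an older void or single-argument one. `unpack` is likewise not visible in the hunk; it should be the `const gl::PixelUnpackState &unpack` parameter of `setCompressedSubImage`, whose signature is cut at the top of the hunk. A one-line comment would keep the reason for the extra state sync next to the code: `// Unpack state should be ignored for compressed uploads, but some drivers honour it and read incorrect data; sync it first (chromium:337766133).`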


@ -9,9 +9,9 @@
#Basic Information
Name: webkit2gtk3
Version: 2.22.2
Release: 9
Release: 14
Summary: GTK+ Web content engine library
License: LGPLv2 AND BSD-3-Clause AND ICU AND MIT
License: LGPLv2
URL: http://www.webkitgtk.org/
Source0: http://webkitgtk.org/releases/webkitgtk-%{version}.tar.xz
@ -22,9 +22,13 @@ Patch2: cloop-big-endians.patch
# Explicitly specify python2 over python
Patch3: python2.patch
Patch4: webkit-aarch64_page_size.patch
Patch6000: backport-CVE-2023-28204.patch
Patch6001: backport-CVE-2024-4558.patch
Patch6002: backport-CVE-2024-40779.patch
Patch6003: backport-CVE-2024-40780.patch
#Dependency
BuildRequires: at-spi2-core-devel bison cairo-devel cmake enchant-devel
BuildRequires: at-spi2-core-devel bison cairo-devel cmake enchant2-devel
BuildRequires: flex fontconfig-devel freetype-devel ninja-build
BuildRequires: git geoclue2-devel gettext gcc-c++ glib2-devel gnutls-devel
BuildRequires: gobject-introspection-devel gperf
@ -188,6 +192,21 @@ done
%{_datadir}/gtk-doc/html/webkitdomgtk-4.0/
%changelog
* Fri May 09 2025 lingsheng <lingsheng1@h-partners.com> - 2.22.2-14
- Adapt repo name webkitgtk
* Fri Aug 23 2024 lingsheng <lingsheng1@h-partners.com> - 2.22.2-13
- fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
* Mon May 29 2023 zhangpan<zhangpan103@h-partners.com> - 2.22.2-12
- fix CVE-2023-28204
* Mon Jan 18 2021 jinzhimin<jinzhimin2@huawei.com> - 2.22.2-11
- modify BuildRequires to enchant2-devel
* Tue Dec 15 2020 hanhui<hanhui15@huawei.com> - 2.22.2-10
- modify license
* Tue Oct 13 2020 hanhui <hanhui15@huawei.com> - 2.22.2-9
- change mesa-libEGL-devel to libglvnd-devel in buildrequires