fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780

2024-08-23 07:51:31 +00:00 · 2024-08-23 07:51:31 +00:00 · 52f63ec1f5
commit 52f63ec1f5
parent b3a9312816
4 changed files with 148 additions and 1 deletions
--- a/backport-CVE-2024-40779.patch
+++ b/backport-CVE-2024-40779.patch
@ -0,0 +1,47 @@
+From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard <jya@apple.com>
+Date: Fri, 14 Jun 2024 16:08:19 -0700
+Subject: [PATCH] Cherry-pick 272448.1085@safari-7618.3.10-branch
+ (ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431
+
+HeapBufferOverflow in computeSampleUsingLinearInterpolation
+https://bugs.webkit.org/show_bug.cgi?id=275431
+rdar://125617812
+
+Reviewed by Youenn Fablet.
+
+Add boundary check.
+This is a copy of blink code for that same function.
+https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
+
+* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
+(WebCore::AudioBufferSourceNode::renderFromBuffer):
+
+Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
+
+Reference:https://github.com/WebKit/WebKit/commit/2fe5ae29a5f6434ef456afe9673a4f400ec63848
+Conflict:Adapt context
+---
+ Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+index fbd2b63..d98bdaf 100644
+--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+@@ -323,6 +323,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
+             if (readIndex2 >= maxFrame)
+                 readIndex2 = loop() ? minFrame : maxFrame - 1;
+ 
+            // Final sanity check on buffer access.
+            // FIXME: as an optimization, try to get rid of this inner-loop check and
+            // put assertions and guards before the loop.
+            if (readIndex >= bufferLength || readIndex2 >= bufferLength)
+                break;
+
+             // Linear interpolation.
+             for (unsigned i = 0; i < numberOfChannels; ++i) {
+                 float* destination = destinationChannels[i];
+-- 
+2.33.0
+
--- a/backport-CVE-2024-40780.patch
+++ b/backport-CVE-2024-40780.patch
@ -0,0 +1,46 @@
+From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001
+From: Jer Noble <jer.noble@apple.com>
+Date: Tue, 11 Jun 2024 11:54:06 -0700
+Subject: [PATCH] Cherry-pick 272448.1080@safari-7618.3.10-branch
+ (64c9479d6f29). https://bugs.webkit.org/show_bug.cgi?id=275273
+
+Add check in AudioBufferSourceNode::renderFromBuffer() when detune is set to large negative value
+https://bugs.webkit.org/show_bug.cgi?id=275273
+rdar://125617842
+
+Reviewed by Eric Carlson.
+
+* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
+(WebCore::AudioBufferSourceNode::renderFromBuffer):
+
+Canonical link: https://commits.webkit.org/274313.345@webkitglib/2.44
+
+Reference:https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5
+Conflict:Adapt context
+---
+ Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+index d98bdaf..0c87230 100644
+--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+@@ -308,9 +308,15 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
+         virtualReadIndex = readIndex;
+     } else if (!pitchRate) {
+         unsigned readIndex = static_cast<unsigned>(virtualReadIndex);
+        int deltaFrames = static_cast<int>(virtualDeltaFrames);
+        maxFrame = static_cast<unsigned>(virtualMaxFrame);
+
+        if (readIndex >= maxFrame)
+            readIndex -= deltaFrames;
+ 
+         for (unsigned i = 0; i < numberOfChannels; ++i)
+             std::fill_n(destinationChannels[i], framesToProcess, sourceChannels[i][readIndex]);
+        virtualReadIndex = readIndex;
+     } else if (reverse) {
+         unsigned maxFrame = static_cast<unsigned>(virtualMaxFrame);
+         unsigned minFrame = static_cast<unsigned>(floorf(virtualMinFrame));
+-- 
+2.33.0
+
--- a/backport-CVE-2024-4558.patch
+++ b/backport-CVE-2024-4558.patch
@ -0,0 +1,48 @@
+From 9d7ec80f78039e6646fcfc455ab4c05aa393f34c Mon Sep 17 00:00:00 2001
+From: Kimmo Kinnunen <kkinnunen@apple.com>
+Date: Tue, 14 May 2024 22:37:29 -0700
+Subject: [PATCH] Cherry-pick ANGLE.
+ https://bugs.webkit.org/show_bug.cgi?id=274165
+
+https://bugs.webkit.org/show_bug.cgi?id=274165
+rdar://127764804
+
+Reviewed by Dan Glastonbury.
+
+Cherry-pick ANGLE upstream commit 1bb1ee061fe0bce322fb93b447a72e72c993a1f2:
+
+GL: Sync unpack state for glCompressedTexSubImage3D
+
+Unpack state is supposed to be ignored for compressed tex image calls
+but some drivers use it anyways and read incorrect data.
+
+Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.
+
+Bug: chromium:337766133
+Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22
+Reviewed-on:https://chromium-review.googlesource.com/c/angle/angle/+/5498735
+Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
+Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
+Canonical link: https://commits.webkit.org/274313.341@webkitglib/2.44
+
+Reference:https://github.com/WebKit/WebKit/commit/9d7ec80f78039e6646fcfc455ab4c05aa393f34c
+Conflict:StateManager->mStateManager,adapt context
+---
+ Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
+index 2ff6fbc..d0fea5d 100644
+--- a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
+++ b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
+@@ -530,6 +530,7 @@ gl::Error TextureGL::setCompressedSubImage(const gl::Context *context,
+         nativegl::GetCompressedSubTexImageFormat(mFunctions, mWorkarounds, format);
+ 
+     mStateManager->bindTexture(getTarget(), mTextureID);
+    ANGLE_TRY(mStateManager->setPixelUnpackState(context, unpack));
+     if (UseTexImage2D(getTarget()))
+     {
+         ASSERT(area.z == 0 && area.depth == 1);
+-- 
+2.33.0
+
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@ -9,7 +9,7 @@
 #Basic Information
 Name:           webkit2gtk3
 Version:        2.22.2
-Release:        12
+Release:        13
 Summary:        GTK+ Web content engine library
 License:        LGPLv2
 URL:            http://www.webkitgtk.org/
@ -23,6 +23,9 @@ Patch2:     cloop-big-endians.patch
 Patch3:     python2.patch
 Patch4:     webkit-aarch64_page_size.patch
 Patch6000:  backport-CVE-2023-28204.patch
+Patch6001:  backport-CVE-2024-4558.patch
+Patch6002:  backport-CVE-2024-40779.patch
+Patch6003:  backport-CVE-2024-40780.patch

 #Dependency
 BuildRequires:  at-spi2-core-devel bison cairo-devel cmake enchant2-devel
@ -189,6 +192,9 @@ done
 %{_datadir}/gtk-doc/html/webkitdomgtk-4.0/

 %changelog
+* Fri Aug 23 2024 lingsheng <lingsheng1@h-partners.com> - 2.22.2-13
+- fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
+
 * Mon May 29 2023 zhangpan<zhangpan103@h-partners.com> - 2.22.2-12
 - fix CVE-2023-28204