webkitgtk: fix CVE-2022-42867

A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-42867 https://support.apple.com/en-us/HT213537 (From OE-Core rev: d4a872b6ac8c41d9c3f4d5f7255d4561684ef7d5) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yogita Urade <yogita.urade@windriver.com> 2023-06-09 14:09:05 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-06-21 04:00:58 -1000
commit: b4a7ec6e0e41c442024da3d5d4e20c3c807f55dd (patch)
tree: c7d4623f46a9dd9448912ff7a1cfec77e8f33faa
parent: ab62b82a81a21b59e139ea32d7f2d3f8b5951f5b (diff)
download: poky-b4a7ec6e0e41c442024da3d5d4e20c3c807f55dd.tar.gz
2 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
new file mode 100644
index 0000000000..bf06809051
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
@@ -0,0 +1,104 @@
+From f67a882170609d15836204a689dc552322fbe653 Mon Sep 17 00:00:00 2001
+From: Yogita Urade <yogita.urade@windriver.com>
+Date: Wed, 7 Jun 2023 08:15:11 +0000
+Subject: [oe-core][kirkstone][PATCH 1/1] RenderElement::updateFillImages
+ should take pointer arguments  like other similar functions
+ https://bugs.webkit.org/show_bug.cgi?id=247317  rdar://100273147
+Reviewed by Alan Baradlay.
+* Source/WebCore/rendering/RenderElement.cpp:
+(WebCore::RenderElement::updateFillImages):
+(WebCore::RenderElement::styleDidChange):
+* Source/WebCore/rendering/RenderElement.h:
+Canonical link: https://commits.webkit.org/256215@main
+CVE: CVE-2022-42867
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ Source/WebCore/rendering/RenderElement.cpp | 27 ++++++++++++++--------
+ Source/WebCore/rendering/RenderElement.h   |  2 +-
+ 2 files changed, 19 insertions(+), 10 deletions(-)
+diff --git a/Source/WebCore/rendering/RenderElement.cpp b/Source/WebCore/rendering/RenderElement.cpp
+index da43bf3d..931686b8 100644
+--- a/Source/WebCore/rendering/RenderElement.cpp
+++ b/Source/WebCore/rendering/RenderElement.cpp
+@@ -358,7 +358,7 @@ inline bool RenderElement::shouldRepaintForStyleDifference(StyleDifference diff)
+     return diff == StyleDifference::Repaint || (diff == StyleDifference::RepaintIfTextOrBorderOrOutline && hasImmediateNonWhitespaceTextChildOrBorderOrOutline());
+ }
+-void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer& newLayers)
+void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer* newLayers)
+ {
+     auto fillImagesAreIdentical = [](const FillLayer* layer1, const FillLayer* layer2) -> bool {
+         if (layer1 == layer2)
+@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
+     };
+     auto isRegisteredWithNewFillImages = [&]() -> bool {
+-        for (auto* layer = &newLayers; layer; layer = layer->next()) {
+        for (auto* layer = newLayers; layer; layer = layer->next()) {
+             if (layer->image() && !layer->image()->hasClient(*this))
+                 return false;
+         }
+@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
+     // If images have the same characteristics and this element is already registered as a
+     // client to the new images, there is nothing to do.
+-    if (fillImagesAreIdentical(oldLayers, &newLayers) && isRegisteredWithNewFillImages())
+    if (fillImagesAreIdentical(oldLayers, newLayers) && isRegisteredWithNewFillImages())
+         return;
+     // Add before removing, to avoid removing all clients of an image that is in both sets.
+-    for (auto* layer = &newLayers; layer; layer = layer->next()) {
+    for (auto* layer = newLayers; layer; layer = layer->next()) {
+         if (layer->image())
+             layer->image()->addClient(*this);
+     }
+@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, const RenderStyle* b)
+ void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
+ {
+-    updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, m_style.backgroundLayers());
+-    updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, m_style.maskLayers());
+-    updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, m_style.borderImage().image());
+-    updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, m_style.maskBoxImage().image());
+-    updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, m_style.shapeOutside());
+    auto registerImages = [this](auto* style, auto* oldStyle) {
+        if (!style && !oldStyle)
+            return;
+        updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, style ? &style->backgroundLayers() : nullptr);
+        updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, style ? &style->maskLayers() : nullptr);
+        updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, style ? style->borderImage().image() : nullptr);
+        updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, style ? style->maskBoxImage().image() : nullptr);
+        updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, style ? style->shapeOutside() : nullptr);
+    };
+
+    registerImages(&style(), oldStyle);
+
+    // Are there other pseudo-elements that need the resources to be registered?
+    registerImages(style().getCachedPseudoStyle(PseudoId::FirstLine), oldStyle ? oldStyle->getCachedPseudoStyle(PseudoId::FirstLine) : nullptr);
+     SVGRenderSupport::styleChanged(*this, oldStyle);
+diff --git a/Source/WebCore/rendering/RenderElement.h b/Source/WebCore/rendering/RenderElement.h
+index f376cecb..d6ba2cdf 100644
+--- a/Source/WebCore/rendering/RenderElement.h
+++ b/Source/WebCore/rendering/RenderElement.h
+@@ -349,7 +349,7 @@ private:
+     bool shouldRepaintForStyleDifference(StyleDifference) const;
+     bool hasImmediateNonWhitespaceTextChildOrBorderOrOutline() const;
+-    void updateFillImages(const FillLayer*, const FillLayer&);
+    void updateFillImages(const FillLayer*, const FillLayer*);
+     void updateImage(StyleImage*, StyleImage*);
+     void updateShapeImage(const ShapeValue*, const ShapeValue*);
+--
+2.35.5
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 8f6514a82b..062f209932 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
           file://CVE-2022-32923.patch \
           file://CVE-2022-46691.patch \
           file://CVE-2022-46699.patch \
+           file://CVE-2022-42867.patch \
           "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
author	Yogita Urade <yogita.urade@windriver.com>	2023-06-09 14:09:05 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-06-21 04:00:58 -1000
commit	b4a7ec6e0e41c442024da3d5d4e20c3c807f55dd (patch)
tree	c7d4623f46a9dd9448912ff7a1cfec77e8f33faa
parent	ab62b82a81a21b59e139ea32d7f2d3f8b5951f5b (diff)
download	poky-b4a7ec6e0e41c442024da3d5d4e20c3c807f55dd.tar.gz

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch new file mode 100644 index 0000000000..bf06809051 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
@@ -0,0 +1,104 @@
		1	From f67a882170609d15836204a689dc552322fbe653 Mon Sep 17 00:00:00 2001
		2	From: Yogita Urade <yogita.urade@windriver.com>
		3	Date: Wed, 7 Jun 2023 08:15:11 +0000
		4	Subject: [oe-core][kirkstone][PATCH 1/1] RenderElement::updateFillImages
		5	should take pointer arguments like other similar functions
		6	https://bugs.webkit.org/show_bug.cgi?id=247317 rdar://100273147
		7
		8	Reviewed by Alan Baradlay.
		9
		10	* Source/WebCore/rendering/RenderElement.cpp:
		11	(WebCore::RenderElement::updateFillImages):
		12	(WebCore::RenderElement::styleDidChange):
		13	* Source/WebCore/rendering/RenderElement.h:
		14
		15	Canonical link: https://commits.webkit.org/256215@main
		16
		17	CVE: CVE-2022-42867
		18
		19	Upstream-Status: Backport
		20	[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc]
		21
		22	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		23	---
		24	Source/WebCore/rendering/RenderElement.cpp \| 27 ++++++++++++++--------
		25	Source/WebCore/rendering/RenderElement.h \| 2 +-
		26	2 files changed, 19 insertions(+), 10 deletions(-)
		27
		28	diff --git a/Source/WebCore/rendering/RenderElement.cpp b/Source/WebCore/rendering/RenderElement.cpp
		29	index da43bf3d..931686b8 100644
		30	--- a/Source/WebCore/rendering/RenderElement.cpp
		31	+++ b/Source/WebCore/rendering/RenderElement.cpp
		32	@@ -358,7 +358,7 @@ inline bool RenderElement::shouldRepaintForStyleDifference(StyleDifference diff)
		33	return diff == StyleDifference::Repaint \|\| (diff == StyleDifference::RepaintIfTextOrBorderOrOutline && hasImmediateNonWhitespaceTextChildOrBorderOrOutline());
		34	}
		35
		36	-void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer& newLayers)
		37	+void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer* newLayers)
		38	{
		39	auto fillImagesAreIdentical = [](const FillLayer* layer1, const FillLayer* layer2) -> bool {
		40	if (layer1 == layer2)
		41	@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
		42	};
		43
		44	auto isRegisteredWithNewFillImages = [&]() -> bool {
		45	- for (auto* layer = &newLayers; layer; layer = layer->next()) {
		46	+ for (auto* layer = newLayers; layer; layer = layer->next()) {
		47	if (layer->image() && !layer->image()->hasClient(*this))
		48	return false;
		49	}
		50	@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
		51
		52	// If images have the same characteristics and this element is already registered as a
		53	// client to the new images, there is nothing to do.
		54	- if (fillImagesAreIdentical(oldLayers, &newLayers) && isRegisteredWithNewFillImages())
		55	+ if (fillImagesAreIdentical(oldLayers, newLayers) && isRegisteredWithNewFillImages())
		56	return;
		57
		58	// Add before removing, to avoid removing all clients of an image that is in both sets.
		59	- for (auto* layer = &newLayers; layer; layer = layer->next()) {
		60	+ for (auto* layer = newLayers; layer; layer = layer->next()) {
		61	if (layer->image())
		62	layer->image()->addClient(*this);
		63	}
		64	@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, const RenderStyle* b)
		65
		66	void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
		67	{
		68	- updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, m_style.backgroundLayers());
		69	- updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, m_style.maskLayers());
		70	- updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, m_style.borderImage().image());
		71	- updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, m_style.maskBoxImage().image());
		72	- updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, m_style.shapeOutside());
		73	+ auto registerImages = [this](auto* style, auto* oldStyle) {
		74	+ if (!style && !oldStyle)
		75	+ return;
		76	+ updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, style ? &style->backgroundLayers() : nullptr);
		77	+ updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, style ? &style->maskLayers() : nullptr);
		78	+ updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, style ? style->borderImage().image() : nullptr);
		79	+ updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, style ? style->maskBoxImage().image() : nullptr);
		80	+ updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, style ? style->shapeOutside() : nullptr);
		81	+ };
		82	+
		83	+ registerImages(&style(), oldStyle);
		84	+
		85	+ // Are there other pseudo-elements that need the resources to be registered?
		86	+ registerImages(style().getCachedPseudoStyle(PseudoId::FirstLine), oldStyle ? oldStyle->getCachedPseudoStyle(PseudoId::FirstLine) : nullptr);
		87
		88	SVGRenderSupport::styleChanged(*this, oldStyle);
		89
		90	diff --git a/Source/WebCore/rendering/RenderElement.h b/Source/WebCore/rendering/RenderElement.h
		91	index f376cecb..d6ba2cdf 100644
		92	--- a/Source/WebCore/rendering/RenderElement.h
		93	+++ b/Source/WebCore/rendering/RenderElement.h
		94	@@ -349,7 +349,7 @@ private:
		95	bool shouldRepaintForStyleDifference(StyleDifference) const;
		96	bool hasImmediateNonWhitespaceTextChildOrBorderOrOutline() const;
		97
		98	- void updateFillImages(const FillLayer*, const FillLayer&);
		99	+ void updateFillImages(const FillLayer, const FillLayer);
		100	void updateImage(StyleImage, StyleImage);
		101	void updateShapeImage(const ShapeValue, const ShapeValue);
		102
		103	--
		104	2.35.5


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 8f6514a82b..062f209932 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
19	file://CVE-2022-32923.patch \	19	file://CVE-2022-32923.patch \
20	file://CVE-2022-46691.patch \	20	file://CVE-2022-46691.patch \
21	file://CVE-2022-46699.patch \	21	file://CVE-2022-46699.patch \
		22	file://CVE-2022-42867.patch \
22	"	23	"
23	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"	24	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
24		25