webkitgtk: fix CVE-2023-32435

Backport and rebase patch to fix CVE-2023-32435 for webkitgtk 2.38.6:

* drop the patches for the files WasmAirIRGenerator64.cpp and
  WasmAirIRGeneratorBase.h which are involved in 2.40.0
* drop test cases as well

CVE: CVE-2023-32435

(From OE-Core rev: c54f98d35f2cb276dc49a5ccd4813ccc34c6f668)

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>

2 files changed, 60 insertions, 0 deletions

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch
new file mode 100644
index 0000000000..c6ac6b4a1c
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch
@@ -0,0 +1,59 @@
+CVE: CVE-2023-32435
+
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/50c7aae]
+
+Backport and rebase patch to fix CVE-2023-32435 for webkitgtk 2.38.6:
+
+* drop the patches for the files WasmAirIRGenerator64.cpp and
+  WasmAirIRGeneratorBase.h which are involved in 2.40.0
+* drop test cases as well
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 50c7aaec2f53ab3b960f1b299aad5009df6f1967 Mon Sep 17 00:00:00 2001
+From: Justin Michaud <justin_michaud@apple.com>
+Date: Wed, 8 Feb 2023 14:41:34 -0800
+Subject: [PATCH] Fixup air pointer args if they are not valid in BBQ
+ https://bugs.webkit.org/show_bug.cgi?id=251890 rdar://105079565
+
+Reviewed by Mark Lam and Yusuke Suzuki.
+
+We are not fixing up air args if their offsets don't fit into the instruction
+in a few cases.
+
+Here are some examples:
+
+MoveDouble 28480(%sp), %q16 ; too big
+MoveVector 248(%sp), %q16 ; not 16-byte aligned
+
+Let's fix up these arguments. We also fix a missing validation check
+when parsing exception tags exposed by this test.
+
+* Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp:
+(JSC::Wasm::AirIRGenerator64::addReturn):
+* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:
+(JSC::Wasm::AirIRGeneratorBase::emitPatchpoint):
+
+oops
+
+Canonical link: https://commits.webkit.org/260038@main
+---
+ Source/JavaScriptCore/wasm/WasmSectionParser.cpp  |  2 +
+ 1 files changed, 2 insertions(+), 0 deletions(-)
+
+diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+index 6b8f9016..a5f3a88b 100644
+--- a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
++++ b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+@@ -917,6 +917,8 @@ auto SectionParser::parseException() -> PartialResult
+         WASM_PARSER_FAIL_IF(!parseVarUInt32(typeNumber), "can't get ", exceptionNumber, "th Exception's type number");
+         WASM_PARSER_FAIL_IF(typeNumber >= m_info->typeCount(), exceptionNumber, "th Exception type number is invalid ", typeNumber);
+         TypeIndex typeIndex = TypeInformation::get(m_info->typeSignatures[typeNumber]);
++        auto signature = TypeInformation::getFunctionSignature(typeIndex);
++        WASM_PARSER_FAIL_IF(!signature.returnsVoid(), exceptionNumber, "th Exception type cannot have a non-void return type ", typeNumber);
+         m_info->internalExceptionTypeIndices.uncheckedAppend(typeIndex);
+     }
+ 
+-- 
+2.34.1
+
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb b/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
index 4cef133c19..813198df5f 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
@@ -14,6 +14,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
            file://reproducibility.patch \
            file://0d3344e17d258106617b0e6d783d073b188a2548.patch \
            file://d318bb461f040b90453bc4e100dcf967243ecd98.patch \
+           file://CVE-2023-32435.patch \
            file://CVE-2023-32439.patch \
            "
 SRC_URI[sha256sum] = "1c614c9589389db1a79ea9ba4293bbe8ac3ab0a2234cac700935fae0724ad48b"