webkitgtk: Security fix for CVE-2024-40776 and CVE-2024-40780

CVE fixed: - CVE-2024-40776 webkitgtk: Use after free may lead to Remote Code Execution - CVE-2024-40780 webkitgtk: Out-of-bounds read was addressed with improved bounds checking Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/b951404ea74ae432312a83138f5c8945a0d09e1b and https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5 (From OE-Core rev: e4c82db8a7c3273fe30bc99880fcdcd7ab061924) Signed-off-by: Rohini Sangam <rsangam@mvista.com> Signed-off-by: Siddharth Doshi <sdoshi@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Rohini Sangam <rsangam@mvista.com> 2025-01-03 10:57:53 +0530
committer: Steve Sakoman <steve@sakoman.com> 2025-01-09 08:41:03 -0800
commit: de796b196657ad42056b84e7723253619a6176b6 (patch)
tree: 4871d969f920322d429f58bd9bc2dc606230c609
parent: 2e7af13f664594cea5b9dabe2057e971cc3ed675 (diff)
download: poky-de796b196657ad42056b84e7723253619a6176b6.tar.gz
3 files changed, 237 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch
new file mode 100644
index 0000000000..60f18168fe
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch
@@ -0,0 +1,141 @@
+From b951404ea74ae432312a83138f5c8945a0d09e1b Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard <jya@apple.com>
+Date: Wed, 24 Apr 2024 19:01:06 -0700
+Subject: [PATCH] CVE-2024-40776: Always copy all audio channels to the AudioBus 
+to guarantee data lifetime.
+Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/b951404ea74ae432312a83138f5c8945a0d09e1b
+CVE: CVE-2024-40776
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ ...et-concurrent-resampler-crash-expected.txt |  1 +
+ ...dioworklet-concurrent-resampler-crash.html | 44 +++++++++++++++++++
+ .../platform/audio/MultiChannelResampler.cpp  | 21 ++-------
+ .../platform/audio/MultiChannelResampler.h    |  2 -
+ 4 files changed, 48 insertions(+), 20 deletions(-)
+ create mode 100644 LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
+ create mode 100644 LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
+diff --git a/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
+new file mode 100644
+index 00000000..654ddf7f
+--- /dev/null
+++ b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
+@@ -0,0 +1 @@
+This test passes if it does not crash.
+diff --git a/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
+new file mode 100644
+index 00000000..b3ab181d
+--- /dev/null
+++ b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
+@@ -0,0 +1,44 @@
+<html>
+<head>
+    <script>
+        let worklet_source = `
+            class Processor extends AudioWorkletProcessor {
+                process(inputs, outputs, parameters) {
+                    return true;
+                }
+            }
+            registerProcessor('P2', Processor);
+        `;
+
+        let blob = new Blob([worklet_source], { type: 'application/javascript' });
+        let worklet = URL.createObjectURL(blob);
+
+        var ctx = new AudioContext({ sampleRate: 44100});
+        const dest = ctx.destination;
+        dest.channelCountMode = "max";
+
+        async function main() {
+            await ctx.audioWorklet.addModule(worklet);
+            var script_processor = ctx.createScriptProcessor();
+            script_processor.onaudioprocess = function() {
+                dest.channelCount = 1;
+                audio_worklet.disconnect();
+                if (window.testRunner)
+                    testRunner.notifyDone();
+            }
+            var audio_worklet = new AudioWorkletNode(ctx, "P2");
+            script_processor.connect(audio_worklet);
+            audio_worklet.connect(dest);
+        }
+    </script>
+</head>
+<body onload="main()">
+    <p>This test passes if it does not crash.</p>
+    <script>
+    if (window.testRunner) {
+        testRunner.waitUntilDone();
+        testRunner.dumpAsText();
+    }
+    </script>
+</body>
+</html>
+diff --git a/Source/WebCore/platform/audio/MultiChannelResampler.cpp b/Source/WebCore/platform/audio/MultiChannelResampler.cpp
+index 1dadc58c..13db6f26 100644
+--- a/Source/WebCore/platform/audio/MultiChannelResampler.cpp
+++ b/Source/WebCore/platform/audio/MultiChannelResampler.cpp
+@@ -41,18 +41,8 @@ namespace WebCore {
+ MultiChannelResampler::MultiChannelResampler(double scaleFactor, unsigned numberOfChannels, unsigned requestFrames, Function<void(AudioBus*, size_t framesToProcess)>&& provideInput)
+     : m_numberOfChannels(numberOfChannels)
+     , m_provideInput(WTFMove(provideInput))
+-    , m_multiChannelBus(AudioBus::create(numberOfChannels, requestFrames, false))
+    , m_multiChannelBus(AudioBus::create(numberOfChannels, requestFrames))
+ {
+-    // As an optimization, we will use the buffer passed to provideInputForChannel() as channel memory for the first channel so we
+-    // only need to allocate memory if there is more than one channel.
+-    if (numberOfChannels > 1) {
+-        m_channelsMemory.reserveInitialCapacity(numberOfChannels - 1);
+-        for (unsigned channelIndex = 1; channelIndex < numberOfChannels; ++channelIndex) {
+-            m_channelsMemory.uncheckedAppend(makeUnique<AudioFloatArray>(requestFrames));
+-            m_multiChannelBus->setChannelMemory(channelIndex, m_channelsMemory.last()->data(), requestFrames);
+-        }
+-    }
+-
+     // Create each channel's resampler.
+     for (unsigned channelIndex = 0; channelIndex < numberOfChannels; ++channelIndex)
+         m_kernels.append(makeUnique<SincResampler>(scaleFactor, requestFrames, std::bind(&MultiChannelResampler::provideInputForChannel, this, std::placeholders::_1, std::placeholders::_2, channelIndex)));
+@@ -89,15 +79,10 @@ void MultiChannelResampler::process(AudioBus* destination, size_t framesToProces
+ void MultiChannelResampler::provideInputForChannel(float* buffer, size_t framesToProcess, unsigned channelIndex)
+ {
+     ASSERT(channelIndex < m_multiChannelBus->numberOfChannels());
+-    ASSERT(framesToProcess == m_multiChannelBus->length());
+    ASSERT(framesToProcess <= m_multiChannelBus->length());
+ 
+-    if (!channelIndex) {
+-        // As an optimization, we use the provided buffer as memory for the first channel in the AudioBus. This avoids
+-        // having to memcpy() for the first channel.
+-        m_multiChannelBus->setChannelMemory(0, buffer, framesToProcess);
+    if (!channelIndex)
+         m_provideInput(m_multiChannelBus.get(), framesToProcess);
+-        return;
+-    }
+ 
+     // Copy the channel data from what we received from m_multiChannelProvider.
+     memcpy(buffer, m_multiChannelBus->channel(channelIndex)->data(), sizeof(float) * framesToProcess);
+diff --git a/Source/WebCore/platform/audio/MultiChannelResampler.h b/Source/WebCore/platform/audio/MultiChannelResampler.h
+index e96cc56b..274fe364 100644
+--- a/Source/WebCore/platform/audio/MultiChannelResampler.h
+++ b/Source/WebCore/platform/audio/MultiChannelResampler.h
+@@ -29,7 +29,6 @@
+ #ifndef MultiChannelResampler_h
+ #define MultiChannelResampler_h
+ 
+-#include "AudioArray.h"
+ #include <memory>
+ #include <wtf/Function.h>
+ #include <wtf/Vector.h>
+@@ -62,7 +61,6 @@ private:
+     size_t m_outputFramesReady { 0 };
+     Function<void(AudioBus*, size_t framesToProcess)> m_provideInput;
+     RefPtr<AudioBus> m_multiChannelBus;
+-    Vector<std::unique_ptr<AudioFloatArray>> m_channelsMemory;
+ };
+ 
+ } // namespace WebCore
+-- 
+2.35.7
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch
new file mode 100644
index 0000000000..ab41213d7d
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch
@@ -0,0 +1,94 @@
+From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001
+From: Jer Noble <jer.noble@apple.com>
+Date: Tue, 11 Jun 2024 11:54:06 -0700
+Subject: [PATCH] CVE-2024-40780: Add check in AudioBufferSourceNode::renderFromBuffer() 
+when detune is set to large negative value
+Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5
+CVE: CVE-2024-40780
+Signed-off-by: Rohini Sangam <rsangam@mvista.com>
+---
+ ...buffersourcenode-detune-crash-expected.txt | 10 +++++++
+ .../audiobuffersourcenode-detune-crash.html   | 30 +++++++++++++++++++
+ .../webaudio/AudioBufferSourceNode.cpp        |  7 +++++
+ 3 files changed, 47 insertions(+)
+ create mode 100644 LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
+ create mode 100644 LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
+diff --git a/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
+new file mode 100644
+index 00000000..914ba0b1
+--- /dev/null
+++ b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
+@@ -0,0 +1,10 @@
+Attempting to create a AudioBufferSourceNode with a large negative detune value should not crash.
+
+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
+
+
+PASS Test passed because it did not crash.
+PASS successfullyParsed is true
+
+TEST COMPLETE
+
+diff --git a/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
+new file mode 100644
+index 00000000..e8af579d
+--- /dev/null
+++ b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
+@@ -0,0 +1,30 @@
+<!DOCTYPE html>
+<html>
+    <head>
+    <script src="../resources/js-test-pre.js"></script>
+    <script src="resources/audio-testing.js"></script>
+    </head>
+    <body>
+        <script>
+            description("Attempting to create a AudioBufferSourceNode with a large negative detune value should not crash.");
+
+            jsTestIsAsync = true;
+
+            var context = new AudioContext();
+            var src = context.createBufferSource();
+            var buffer = context.createBuffer(1, 256, 44100);
+            src.buffer = buffer;
+            src.start(undefined, 1);
+            src.connect(context.listener.positionX, 0);
+            var panner = context.createPanner();
+            src.detune.value = -0xffffff;
+            panner.connect(context.destination);
+            setTimeout(() => {
+                testPassed("Test passed because it did not crash.");
+                finishJSTest();
+            }, 100);
+        </script>
+
+        <script src="../resources/js-test-post.js"></script>
+    </body>
+</html>
+diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+index 689d37a1..f68e7ff5 100644
+--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+@@ -327,9 +327,16 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
+         virtualReadIndex = readIndex;
+     } else if (!pitchRate) {
+         unsigned readIndex = static_cast<unsigned>(virtualReadIndex);
+        int deltaFrames = static_cast<int>(virtualDeltaFrames);
+        maxFrame = static_cast<unsigned>(virtualMaxFrame);
+
+        if (readIndex >= maxFrame)
+            readIndex -= deltaFrames;
+ 
+         for (unsigned i = 0; i < numberOfChannels; ++i)
+             std::fill_n(destinationChannels[i] + writeIndex, framesToProcess, sourceChannels[i][readIndex]);
+
+        virtualReadIndex = readIndex;
+     } else if (reverse) {
+         unsigned maxFrame = static_cast<unsigned>(virtualMaxFrame);
+         unsigned minFrame = static_cast<unsigned>(floorf(virtualMinFrame));
+-- 
+2.35.7
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 4849ee50ff..2006d1d55e 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -26,6 +26,8 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
           file://CVE-2023-32439.patch \
           file://CVE-2024-40779.patch \
           file://0d3344e17d258106617b0e6d783d073b188a2548.patch \
+           file://CVE-2024-40776.patch \
+           file://CVE-2024-40780.patch \
           "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
author	Rohini Sangam <rsangam@mvista.com>	2025-01-03 10:57:53 +0530
committer	Steve Sakoman <steve@sakoman.com>	2025-01-09 08:41:03 -0800
commit	de796b196657ad42056b84e7723253619a6176b6 (patch)
tree	4871d969f920322d429f58bd9bc2dc606230c609
parent	2e7af13f664594cea5b9dabe2057e971cc3ed675 (diff)
download	poky-de796b196657ad42056b84e7723253619a6176b6.tar.gz

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch new file mode 100644 index 0000000000..60f18168fe --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40776.patch
@@ -0,0 +1,141 @@
		1	From b951404ea74ae432312a83138f5c8945a0d09e1b Mon Sep 17 00:00:00 2001
		2	From: Jean-Yves Avenard <jya@apple.com>
		3	Date: Wed, 24 Apr 2024 19:01:06 -0700
		4	Subject: [PATCH] CVE-2024-40776: Always copy all audio channels to the AudioBus
		5	to guarantee data lifetime.
		6
		7	Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/b951404ea74ae432312a83138f5c8945a0d09e1b
		8	CVE: CVE-2024-40776
		9
		10	Signed-off-by: Rohini Sangam <rsangam@mvista.com>
		11	---
		12	...et-concurrent-resampler-crash-expected.txt \| 1 +
		13	...dioworklet-concurrent-resampler-crash.html \| 44 +++++++++++++++++++
		14	.../platform/audio/MultiChannelResampler.cpp \| 21 ++-------
		15	.../platform/audio/MultiChannelResampler.h \| 2 -
		16	4 files changed, 48 insertions(+), 20 deletions(-)
		17	create mode 100644 LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
		18	create mode 100644 LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
		19
		20	diff --git a/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
		21	new file mode 100644
		22	index 00000000..654ddf7f
		23	--- /dev/null
		24	+++ b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash-expected.txt
		25	@@ -0,0 +1 @@
		26	+This test passes if it does not crash.
		27	diff --git a/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
		28	new file mode 100644
		29	index 00000000..b3ab181d
		30	--- /dev/null
		31	+++ b/LayoutTests/webaudio/crashtest/audioworklet-concurrent-resampler-crash.html
		32	@@ -0,0 +1,44 @@
		33	+<html>
		34	+<head>
		35	+ <script>
		36	+ let worklet_source = `
		37	+ class Processor extends AudioWorkletProcessor {
		38	+ process(inputs, outputs, parameters) {
		39	+ return true;
		40	+ }
		41	+ }
		42	+ registerProcessor('P2', Processor);
		43	+ `;
		44	+
		45	+ let blob = new Blob([worklet_source], { type: 'application/javascript' });
		46	+ let worklet = URL.createObjectURL(blob);
		47	+
		48	+ var ctx = new AudioContext({ sampleRate: 44100});
		49	+ const dest = ctx.destination;
		50	+ dest.channelCountMode = "max";
		51	+
		52	+ async function main() {
		53	+ await ctx.audioWorklet.addModule(worklet);
		54	+ var script_processor = ctx.createScriptProcessor();
		55	+ script_processor.onaudioprocess = function() {
		56	+ dest.channelCount = 1;
		57	+ audio_worklet.disconnect();
		58	+ if (window.testRunner)
		59	+ testRunner.notifyDone();
		60	+ }
		61	+ var audio_worklet = new AudioWorkletNode(ctx, "P2");
		62	+ script_processor.connect(audio_worklet);
		63	+ audio_worklet.connect(dest);
		64	+ }
		65	+ </script>
		66	+</head>
		67	+<body onload="main()">
		68	+ <p>This test passes if it does not crash.</p>
		69	+ <script>
		70	+ if (window.testRunner) {
		71	+ testRunner.waitUntilDone();
		72	+ testRunner.dumpAsText();
		73	+ }
		74	+ </script>
		75	+</body>
		76	+</html>
		77	diff --git a/Source/WebCore/platform/audio/MultiChannelResampler.cpp b/Source/WebCore/platform/audio/MultiChannelResampler.cpp
		78	index 1dadc58c..13db6f26 100644
		79	--- a/Source/WebCore/platform/audio/MultiChannelResampler.cpp
		80	+++ b/Source/WebCore/platform/audio/MultiChannelResampler.cpp
		81	@@ -41,18 +41,8 @@ namespace WebCore {
		82	MultiChannelResampler::MultiChannelResampler(double scaleFactor, unsigned numberOfChannels, unsigned requestFrames, Function<void(AudioBus*, size_t framesToProcess)>&& provideInput)
		83	: m_numberOfChannels(numberOfChannels)
		84	, m_provideInput(WTFMove(provideInput))
		85	- , m_multiChannelBus(AudioBus::create(numberOfChannels, requestFrames, false))
		86	+ , m_multiChannelBus(AudioBus::create(numberOfChannels, requestFrames))
		87	{
		88	- // As an optimization, we will use the buffer passed to provideInputForChannel() as channel memory for the first channel so we
		89	- // only need to allocate memory if there is more than one channel.
		90	- if (numberOfChannels > 1) {
		91	- m_channelsMemory.reserveInitialCapacity(numberOfChannels - 1);
		92	- for (unsigned channelIndex = 1; channelIndex < numberOfChannels; ++channelIndex) {
		93	- m_channelsMemory.uncheckedAppend(makeUnique<AudioFloatArray>(requestFrames));
		94	- m_multiChannelBus->setChannelMemory(channelIndex, m_channelsMemory.last()->data(), requestFrames);
		95	- }
		96	- }
		97	-
		98	// Create each channel's resampler.
		99	for (unsigned channelIndex = 0; channelIndex < numberOfChannels; ++channelIndex)
		100	m_kernels.append(makeUnique<SincResampler>(scaleFactor, requestFrames, std::bind(&MultiChannelResampler::provideInputForChannel, this, std::placeholders::_1, std::placeholders::_2, channelIndex)));
		101	@@ -89,15 +79,10 @@ void MultiChannelResampler::process(AudioBus* destination, size_t framesToProces
		102	void MultiChannelResampler::provideInputForChannel(float* buffer, size_t framesToProcess, unsigned channelIndex)
		103	{
		104	ASSERT(channelIndex < m_multiChannelBus->numberOfChannels());
		105	- ASSERT(framesToProcess == m_multiChannelBus->length());
		106	+ ASSERT(framesToProcess <= m_multiChannelBus->length());
		107
		108	- if (!channelIndex) {
		109	- // As an optimization, we use the provided buffer as memory for the first channel in the AudioBus. This avoids
		110	- // having to memcpy() for the first channel.
		111	- m_multiChannelBus->setChannelMemory(0, buffer, framesToProcess);
		112	+ if (!channelIndex)
		113	m_provideInput(m_multiChannelBus.get(), framesToProcess);
		114	- return;
		115	- }
		116
		117	// Copy the channel data from what we received from m_multiChannelProvider.
		118	memcpy(buffer, m_multiChannelBus->channel(channelIndex)->data(), sizeof(float) * framesToProcess);
		119	diff --git a/Source/WebCore/platform/audio/MultiChannelResampler.h b/Source/WebCore/platform/audio/MultiChannelResampler.h
		120	index e96cc56b..274fe364 100644
		121	--- a/Source/WebCore/platform/audio/MultiChannelResampler.h
		122	+++ b/Source/WebCore/platform/audio/MultiChannelResampler.h
		123	@@ -29,7 +29,6 @@
		124	#ifndef MultiChannelResampler_h
		125	#define MultiChannelResampler_h
		126
		127	-#include "AudioArray.h"
		128	#include <memory>
		129	#include <wtf/Function.h>
		130	#include <wtf/Vector.h>
		131	@@ -62,7 +61,6 @@ private:
		132	size_t m_outputFramesReady { 0 };
		133	Function<void(AudioBus*, size_t framesToProcess)> m_provideInput;
		134	RefPtr<AudioBus> m_multiChannelBus;
		135	- Vector<std::unique_ptr<AudioFloatArray>> m_channelsMemory;
		136	};
		137
		138	} // namespace WebCore
		139	--
		140	2.35.7
		141


diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch new file mode 100644 index 0000000000..ab41213d7d --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40780.patch
@@ -0,0 +1,94 @@
		1	From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001
		2	From: Jer Noble <jer.noble@apple.com>
		3	Date: Tue, 11 Jun 2024 11:54:06 -0700
		4	Subject: [PATCH] CVE-2024-40780: Add check in AudioBufferSourceNode::renderFromBuffer()
		5	when detune is set to large negative value
		6
		7	Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/e83e4c7460972898dc06a5f5ab36eed7c6b101b5
		8	CVE: CVE-2024-40780
		9
		10	Signed-off-by: Rohini Sangam <rsangam@mvista.com>
		11	---
		12	...buffersourcenode-detune-crash-expected.txt \| 10 +++++++
		13	.../audiobuffersourcenode-detune-crash.html \| 30 +++++++++++++++++++
		14	.../webaudio/AudioBufferSourceNode.cpp \| 7 +++++
		15	3 files changed, 47 insertions(+)
		16	create mode 100644 LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
		17	create mode 100644 LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
		18
		19	diff --git a/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
		20	new file mode 100644
		21	index 00000000..914ba0b1
		22	--- /dev/null
		23	+++ b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash-expected.txt
		24	@@ -0,0 +1,10 @@
		25	+Attempting to create a AudioBufferSourceNode with a large negative detune value should not crash.
		26	+
		27	+On success, you will see a series of "PASS" messages, followed by "TEST COMPLETE".
		28	+
		29	+
		30	+PASS Test passed because it did not crash.
		31	+PASS successfullyParsed is true
		32	+
		33	+TEST COMPLETE
		34	+
		35	diff --git a/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
		36	new file mode 100644
		37	index 00000000..e8af579d
		38	--- /dev/null
		39	+++ b/LayoutTests/webaudio/audiobuffersourcenode-detune-crash.html
		40	@@ -0,0 +1,30 @@
		41	+<!DOCTYPE html>
		42	+<html>
		43	+ <head>
		44	+ <script src="../resources/js-test-pre.js"></script>
		45	+ <script src="resources/audio-testing.js"></script>
		46	+ </head>
		47	+ <body>
		48	+ <script>
		49	+ description("Attempting to create a AudioBufferSourceNode with a large negative detune value should not crash.");
		50	+
		51	+ jsTestIsAsync = true;
		52	+
		53	+ var context = new AudioContext();
		54	+ var src = context.createBufferSource();
		55	+ var buffer = context.createBuffer(1, 256, 44100);
		56	+ src.buffer = buffer;
		57	+ src.start(undefined, 1);
		58	+ src.connect(context.listener.positionX, 0);
		59	+ var panner = context.createPanner();
		60	+ src.detune.value = -0xffffff;
		61	+ panner.connect(context.destination);
		62	+ setTimeout(() => {
		63	+ testPassed("Test passed because it did not crash.");
		64	+ finishJSTest();
		65	+ }, 100);
		66	+ </script>
		67	+
		68	+ <script src="../resources/js-test-post.js"></script>
		69	+ </body>
		70	+</html>
		71	diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
		72	index 689d37a1..f68e7ff5 100644
		73	--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
		74	+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
		75	@@ -327,9 +327,16 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
		76	virtualReadIndex = readIndex;
		77	} else if (!pitchRate) {
		78	unsigned readIndex = static_cast<unsigned>(virtualReadIndex);
		79	+ int deltaFrames = static_cast<int>(virtualDeltaFrames);
		80	+ maxFrame = static_cast<unsigned>(virtualMaxFrame);
		81	+
		82	+ if (readIndex >= maxFrame)
		83	+ readIndex -= deltaFrames;
		84
		85	for (unsigned i = 0; i < numberOfChannels; ++i)
		86	std::fill_n(destinationChannels[i] + writeIndex, framesToProcess, sourceChannels[i][readIndex]);
		87	+
		88	+ virtualReadIndex = readIndex;
		89	} else if (reverse) {
		90	unsigned maxFrame = static_cast<unsigned>(virtualMaxFrame);
		91	unsigned minFrame = static_cast<unsigned>(floorf(virtualMinFrame));
		92	--
		93	2.35.7
		94


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 4849ee50ff..2006d1d55e 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -26,6 +26,8 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
26	file://CVE-2023-32439.patch \	26	file://CVE-2023-32439.patch \
27	file://CVE-2024-40779.patch \	27	file://CVE-2024-40779.patch \
28	file://0d3344e17d258106617b0e6d783d073b188a2548.patch \	28	file://0d3344e17d258106617b0e6d783d073b188a2548.patch \
		29	file://CVE-2024-40776.patch \
		30	file://CVE-2024-40780.patch \
29	"	31	"
30	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"	32	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
31		33