webkitgtk: fix CVE-2022-48503

The issue was addressed with improved bounds checks. This issue is fixed in tvOS 15.6, watchOS 8.7, iOS 15.6 and iPadOS 15.6, macOS Monterey 12.5, Safari 15.6. Processing web content may lead to arbitrary code execution. References: https://nvd.nist.gov/vuln/detail/CVE-2022-48503 https://support.apple.com/en-us/HT213340 https://bugs.webkit.org/show_bug.cgi?id=241931 (From OE-Core rev: 8f956bc19963a02ee7b908bb49301a2ea5052066) Signed-off-by: Yogita Urade <yogita.urade@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Yogita Urade <yogita.urade@windriver.com> 2023-09-08 13:58:28 +0000
committer: Steve Sakoman <steve@sakoman.com> 2023-09-18 04:28:04 -1000
commit: e60ba6d4fe2d4a0a99085708ecfe1b5a9534a259 (patch)
tree: 336a75e66fe165722fea4fb95883ef2e621419b5 /meta
parent: 084b7e5f9c76a83de201ca77a25ecaa06ac1f6c4 (diff)
download: poky-e60ba6d4fe2d4a0a99085708ecfe1b5a9534a259.tar.gz
2 files changed, 226 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch
new file mode 100644
index 0000000000..b67751736d
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch
@@ -0,0 +1,225 @@
+From 612c245823a515c8c70c2ad486957bd8a850f0f9 Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki <ysuzuki@apple.com>
+Date: Tue, 5 Sep 2023 08:40:19 +0000
+Subject: [PATCH] [JSC] Refactor wasm section ordering code
+ https://bugs.webkit.org/show_bug.cgi?id=241931 rdar://83326477
+Reviewed by Keith Miller.
+This patch refactors existing validateOrder code since it is too adhoc right now.
+* Source/JavaScriptCore/wasm/WasmModuleInformation.h:
+(JSC::Wasm::ModuleInformation::dataSegmentsCount const):
+* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
+(JSC::Wasm::SectionParser::parseData):
+(JSC::Wasm::SectionParser::parseDataCount):
+* Source/JavaScriptCore/wasm/WasmSectionParser.h:
+* Source/JavaScriptCore/wasm/WasmSections.h:
+(JSC::Wasm::orderingNumber):
+(JSC::Wasm::isKnownSection):
+(JSC::Wasm::validateOrder):
+(JSC::Wasm::makeString):
+* Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:
+(JSC::Wasm::StreamingParser::parseSectionPayload):
+(JSC::Wasm::StreamingParser::finalize):
+Canonical link: https://commits.webkit.org/251800@main
+CVE: CVE-2022-48503
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/612c245823a515c8c70c2ad486957bd8a850f0f9]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ .../wasm/WasmModuleInformation.h              |  4 +-
+ .../JavaScriptCore/wasm/WasmSectionParser.cpp |  3 ++
+ .../JavaScriptCore/wasm/WasmSectionParser.h   |  2 +-
+ Source/JavaScriptCore/wasm/WasmSections.h     | 52 +++++++++++--------
+ .../wasm/WasmStreamingParser.cpp              | 11 +++-
+ 5 files changed, 45 insertions(+), 27 deletions(-)
+diff --git a/Source/JavaScriptCore/wasm/WasmModuleInformation.h b/Source/JavaScriptCore/wasm/WasmModuleInformation.h
+index ae6bbeed..f9f1baf7 100644
+--- a/Source/JavaScriptCore/wasm/WasmModuleInformation.h
+++ b/Source/JavaScriptCore/wasm/WasmModuleInformation.h
+@@ -86,7 +86,7 @@ struct ModuleInformation : public ThreadSafeRefCounted<ModuleInformation> {
+     uint32_t memoryCount() const { return memory ? 1 : 0; }
+     uint32_t tableCount() const { return tables.size(); }
+     uint32_t elementCount() const { return elements.size(); }
+-    uint32_t dataSegmentsCount() const { return numberOfDataSegments; }
+    uint32_t dataSegmentsCount() const { return numberOfDataSegments.value_or(0); }
+     const TableInformation& table(unsigned index) const { return tables[index]; }
+@@ -131,7 +131,7 @@ struct ModuleInformation : public ThreadSafeRefCounted<ModuleInformation> {
+     Vector<CustomSection> customSections;
+     Ref<NameSection> nameSection;
+     BranchHints branchHints;
+-    uint32_t numberOfDataSegments { 0 };
+    std::optional<uint32_t> numberOfDataSegments;
+     BitVector m_declaredFunctions;
+     BitVector m_declaredExceptions;
+diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+index 5b511811..c55ee3c0 100644
+--- a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+++ b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+@@ -768,6 +768,8 @@ auto SectionParser::parseData() -> PartialResult
+     uint32_t segmentCount;
+     WASM_PARSER_FAIL_IF(!parseVarUInt32(segmentCount), "can't get Data section's count");
+     WASM_PARSER_FAIL_IF(segmentCount > maxDataSegments, "Data section's count is too big ", segmentCount, " maximum ", maxDataSegments);
+    if (m_info->numberOfDataSegments)
+        WASM_PARSER_FAIL_IF(segmentCount != m_info->numberOfDataSegments.value(), "Data section's count ", segmentCount, " is different from Data Count section's count ", m_info->numberOfDataSegments.value());
+     WASM_PARSER_FAIL_IF(!m_info->data.tryReserveCapacity(segmentCount), "can't allocate enough memory for Data section's ", segmentCount, " segments");
+     for (uint32_t segmentNumber = 0; segmentNumber < segmentCount; ++segmentNumber) {
+@@ -847,6 +849,7 @@ auto SectionParser::parseDataCount() -> PartialResult
+ {
+     uint32_t numberOfDataSegments;
+     WASM_PARSER_FAIL_IF(!parseVarUInt32(numberOfDataSegments), "can't get Data Count section's count");
+    WASM_PARSER_FAIL_IF(numberOfDataSegments > maxDataSegments, "Data Count section's count is too big ", numberOfDataSegments , " maximum ", maxDataSegments);
+     m_info->numberOfDataSegments = numberOfDataSegments;
+     return { };
+diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.h b/Source/JavaScriptCore/wasm/WasmSectionParser.h
+index 91fd3ed8..4d7dcbac 100644
+--- a/Source/JavaScriptCore/wasm/WasmSectionParser.h
+++ b/Source/JavaScriptCore/wasm/WasmSectionParser.h
+@@ -44,7 +44,7 @@ public:
+     {
+     }
+-#define WASM_SECTION_DECLARE_PARSER(NAME, ID, DESCRIPTION) PartialResult WARN_UNUSED_RETURN parse ## NAME();
+#define WASM_SECTION_DECLARE_PARSER(NAME, ID, ORDERING, DESCRIPTION) PartialResult WARN_UNUSED_RETURN parse ## NAME();
+     FOR_EACH_KNOWN_WASM_SECTION(WASM_SECTION_DECLARE_PARSER)
+ #undef WASM_SECTION_DECLARE_PARSER
+diff --git a/Source/JavaScriptCore/wasm/WasmSections.h b/Source/JavaScriptCore/wasm/WasmSections.h
+index bef20701..b422a587 100644
+--- a/Source/JavaScriptCore/wasm/WasmSections.h
+++ b/Source/JavaScriptCore/wasm/WasmSections.h
+@@ -33,20 +33,21 @@ IGNORE_RETURN_TYPE_WARNINGS_BEGIN
+ namespace JSC { namespace Wasm {
+// macro(Name, ID, OrderingNumber, Description).
+ #define FOR_EACH_KNOWN_WASM_SECTION(macro) \
+-    macro(Type,       1, "Function signature declarations") \
+-    macro(Import,     2, "Import declarations") \
+-    macro(Function,   3, "Function declarations") \
+-    macro(Table,      4, "Indirect function table and other tables") \
+-    macro(Memory,     5, "Memory attributes") \
+-    macro(Global,     6, "Global declarations") \
+-    macro(Export,     7, "Exports") \
+-    macro(Start,      8, "Start function declaration") \
+-    macro(Element,    9, "Elements section") \
+-    macro(Code,      10, "Function bodies (code)") \
+-    macro(Data,      11, "Data segments") \
+-    macro(DataCount, 12, "Data count") \
+-    macro(Exception, 13, "Exception declarations") \
+    macro(Type,       1,  1, "Function signature declarations") \
+    macro(Import,     2,  2, "Import declarations") \
+    macro(Function,   3,  3, "Function declarations") \
+    macro(Table,      4,  4, "Indirect function table and other tables") \
+    macro(Memory,     5,  5, "Memory attributes") \
+    macro(Global,     6,  7, "Global declarations") \
+    macro(Export,     7,  8, "Exports") \
+    macro(Start,      8,  9, "Start function declaration") \
+    macro(Element,    9, 10, "Elements section") \
+    macro(Code,      10, 12, "Function bodies (code)") \
+    macro(Data,      11, 13, "Data segments") \
+    macro(DataCount, 12, 11, "Data count") \
+    macro(Exception, 13,  6, "Exception declarations") \
+ enum class Section : uint8_t {
+     // It's important that Begin is less than every other section number and that Custom is greater.
+@@ -54,18 +55,29 @@ enum class Section : uint8_t {
+     // Also, Begin is not a real section but is used as a marker for validating the ordering
+     // of sections.
+     Begin = 0,
+-#define DEFINE_WASM_SECTION_ENUM(NAME, ID, DESCRIPTION) NAME = ID,
+#define DEFINE_WASM_SECTION_ENUM(NAME, ID, ORDERING, DESCRIPTION) NAME = ID,
+     FOR_EACH_KNOWN_WASM_SECTION(DEFINE_WASM_SECTION_ENUM)
+ #undef DEFINE_WASM_SECTION_ENUM
+     Custom
+ };
+ static_assert(static_cast<uint8_t>(Section::Begin) < static_cast<uint8_t>(Section::Type), "Begin should come before the first known section.");
+inline unsigned orderingNumber(Section section)
+{
+    switch (section) {
+#define ORDERING_OF_SECTION(NAME, ID, ORDERING, DESCRIPTION) case Section::NAME: return ORDERING;
+        FOR_EACH_KNOWN_WASM_SECTION(ORDERING_OF_SECTION)
+#undef VALIDATE_SECTION
+    default:
+        return static_cast<unsigned>(section);
+    }
+}
+
+ template<typename Int>
+ inline bool isKnownSection(Int section)
+ {
+     switch (section) {
+-#define VALIDATE_SECTION(NAME, ID, DESCRIPTION) case static_cast<Int>(Section::NAME): return true;
+#define VALIDATE_SECTION(NAME, ID, ORDERING, DESCRIPTION) case static_cast<Int>(Section::NAME): return true;
+         FOR_EACH_KNOWN_WASM_SECTION(VALIDATE_SECTION)
+ #undef VALIDATE_SECTION
+     default:
+@@ -89,13 +101,7 @@ inline bool decodeSection(uint8_t sectionByte, Section& section)
+ inline bool validateOrder(Section previousKnown, Section next)
+ {
+     ASSERT(isKnownSection(previousKnown) || previousKnown == Section::Begin);
+-    if (previousKnown == Section::DataCount && next == Section::Code)
+-        return true;
+-    if (previousKnown == Section::Exception)
+-        return next >= Section::Global;
+-    if (next == Section::Exception)
+-        return previousKnown <= Section::Memory;
+-    return static_cast<uint8_t>(previousKnown) < static_cast<uint8_t>(next);
+    return orderingNumber(previousKnown) < orderingNumber(next);
+ }
+ inline const char* makeString(Section section)
+@@ -105,7 +111,7 @@ inline const char* makeString(Section section)
+         return "Begin";
+     case Section::Custom:
+         return "Custom";
+-#define STRINGIFY_SECTION_NAME(NAME, ID, DESCRIPTION) case Section::NAME: return #NAME;
+#define STRINGIFY_SECTION_NAME(NAME, ID, ORDERING, DESCRIPTION) case Section::NAME: return #NAME;
+         FOR_EACH_KNOWN_WASM_SECTION(STRINGIFY_SECTION_NAME)
+ #undef STRINGIFY_SECTION_NAME
+     }
+diff --git a/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp b/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp
+index fa552eff..25e7e32d 100644
+--- a/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp
+++ b/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp
+@@ -161,7 +161,7 @@ auto StreamingParser::parseSectionPayload(Vector<uint8_t>&& data) -> State
+ {
+     SectionParser parser(data.data(), data.size(), m_offset, m_info.get());
+     switch (m_section) {
+-#define WASM_SECTION_PARSE(NAME, ID, DESCRIPTION) \
+#define WASM_SECTION_PARSE(NAME, ID, ORDERING, DESCRIPTION) \
+     case Section::NAME: { \
+         WASM_STREAMING_PARSER_FAIL_IF_HELPER_FAILS(parser.parse ## NAME()); \
+         break; \
+@@ -393,9 +393,18 @@ auto StreamingParser::finalize() -> State
+             m_state = fail("Number of functions parsed (", m_functionCount, ") does not match the number of declared functions (", m_info->functions.size(), ")");
+             break;
+         }
+
+        if (m_info->numberOfDataSegments) {
+            if (UNLIKELY(m_info->data.size() != m_info->numberOfDataSegments.value())) {
+                m_state = fail("Data section's count ", m_info->data.size(), " is different from Data Count section's count ", m_info->numberOfDataSegments.value());
+                break;
+            }
+        }
+
+         if (m_remaining.isEmpty()) {
+             if (UNLIKELY(Options::useEagerWebAssemblyModuleHashing()))
+                 m_info->nameSection->setHash(m_hasher.computeHexDigest());
+
+             m_state = State::Finished;
+             m_client.didFinishParsing();
+         } else
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 20f475bebd..10fcd0813a 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
           file://CVE-2022-42867.patch \
           file://CVE-2022-46700.patch \
           file://CVE-2023-23529.patch \
+           file://CVE-2022-48503.patch \
           "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
author	Yogita Urade <yogita.urade@windriver.com>	2023-09-08 13:58:28 +0000
committer	Steve Sakoman <steve@sakoman.com>	2023-09-18 04:28:04 -1000
commit	e60ba6d4fe2d4a0a99085708ecfe1b5a9534a259 (patch)
tree	336a75e66fe165722fea4fb95883ef2e621419b5 /meta
parent	084b7e5f9c76a83de201ca77a25ecaa06ac1f6c4 (diff)
download	poky-e60ba6d4fe2d4a0a99085708ecfe1b5a9534a259.tar.gz

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch new file mode 100644 index 0000000000..b67751736d --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-48503.patch
@@ -0,0 +1,225 @@
		1	From 612c245823a515c8c70c2ad486957bd8a850f0f9 Mon Sep 17 00:00:00 2001
		2	From: Yusuke Suzuki <ysuzuki@apple.com>
		3	Date: Tue, 5 Sep 2023 08:40:19 +0000
		4	Subject: [PATCH] [JSC] Refactor wasm section ordering code
		5	https://bugs.webkit.org/show_bug.cgi?id=241931 rdar://83326477
		6
		7	Reviewed by Keith Miller.
		8
		9	This patch refactors existing validateOrder code since it is too adhoc right now.
		10
		11	* Source/JavaScriptCore/wasm/WasmModuleInformation.h:
		12	(JSC::Wasm::ModuleInformation::dataSegmentsCount const):
		13	* Source/JavaScriptCore/wasm/WasmSectionParser.cpp:
		14	(JSC::Wasm::SectionParser::parseData):
		15	(JSC::Wasm::SectionParser::parseDataCount):
		16	* Source/JavaScriptCore/wasm/WasmSectionParser.h:
		17	* Source/JavaScriptCore/wasm/WasmSections.h:
		18	(JSC::Wasm::orderingNumber):
		19	(JSC::Wasm::isKnownSection):
		20	(JSC::Wasm::validateOrder):
		21	(JSC::Wasm::makeString):
		22	* Source/JavaScriptCore/wasm/WasmStreamingParser.cpp:
		23	(JSC::Wasm::StreamingParser::parseSectionPayload):
		24	(JSC::Wasm::StreamingParser::finalize):
		25
		26	Canonical link: https://commits.webkit.org/251800@main
		27
		28	CVE: CVE-2022-48503
		29
		30	Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/612c245823a515c8c70c2ad486957bd8a850f0f9]
		31
		32	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		33	---
		34	.../wasm/WasmModuleInformation.h \| 4 +-
		35	.../JavaScriptCore/wasm/WasmSectionParser.cpp \| 3 ++
		36	.../JavaScriptCore/wasm/WasmSectionParser.h \| 2 +-
		37	Source/JavaScriptCore/wasm/WasmSections.h \| 52 +++++++++++--------
		38	.../wasm/WasmStreamingParser.cpp \| 11 +++-
		39	5 files changed, 45 insertions(+), 27 deletions(-)
		40
		41	diff --git a/Source/JavaScriptCore/wasm/WasmModuleInformation.h b/Source/JavaScriptCore/wasm/WasmModuleInformation.h
		42	index ae6bbeed..f9f1baf7 100644
		43	--- a/Source/JavaScriptCore/wasm/WasmModuleInformation.h
		44	+++ b/Source/JavaScriptCore/wasm/WasmModuleInformation.h
		45	@@ -86,7 +86,7 @@ struct ModuleInformation : public ThreadSafeRefCounted<ModuleInformation> {
		46	uint32_t memoryCount() const { return memory ? 1 : 0; }
		47	uint32_t tableCount() const { return tables.size(); }
		48	uint32_t elementCount() const { return elements.size(); }
		49	- uint32_t dataSegmentsCount() const { return numberOfDataSegments; }
		50	+ uint32_t dataSegmentsCount() const { return numberOfDataSegments.value_or(0); }
		51
		52	const TableInformation& table(unsigned index) const { return tables[index]; }
		53
		54	@@ -131,7 +131,7 @@ struct ModuleInformation : public ThreadSafeRefCounted<ModuleInformation> {
		55	Vector<CustomSection> customSections;
		56	Ref<NameSection> nameSection;
		57	BranchHints branchHints;
		58	- uint32_t numberOfDataSegments { 0 };
		59	+ std::optional<uint32_t> numberOfDataSegments;
		60
		61	BitVector m_declaredFunctions;
		62	BitVector m_declaredExceptions;
		63	diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
		64	index 5b511811..c55ee3c0 100644
		65	--- a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
		66	+++ b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
		67	@@ -768,6 +768,8 @@ auto SectionParser::parseData() -> PartialResult
		68	uint32_t segmentCount;
		69	WASM_PARSER_FAIL_IF(!parseVarUInt32(segmentCount), "can't get Data section's count");
		70	WASM_PARSER_FAIL_IF(segmentCount > maxDataSegments, "Data section's count is too big ", segmentCount, " maximum ", maxDataSegments);
		71	+ if (m_info->numberOfDataSegments)
		72	+ WASM_PARSER_FAIL_IF(segmentCount != m_info->numberOfDataSegments.value(), "Data section's count ", segmentCount, " is different from Data Count section's count ", m_info->numberOfDataSegments.value());
		73	WASM_PARSER_FAIL_IF(!m_info->data.tryReserveCapacity(segmentCount), "can't allocate enough memory for Data section's ", segmentCount, " segments");
		74
		75	for (uint32_t segmentNumber = 0; segmentNumber < segmentCount; ++segmentNumber) {
		76	@@ -847,6 +849,7 @@ auto SectionParser::parseDataCount() -> PartialResult
		77	{
		78	uint32_t numberOfDataSegments;
		79	WASM_PARSER_FAIL_IF(!parseVarUInt32(numberOfDataSegments), "can't get Data Count section's count");
		80	+ WASM_PARSER_FAIL_IF(numberOfDataSegments > maxDataSegments, "Data Count section's count is too big ", numberOfDataSegments , " maximum ", maxDataSegments);
		81
		82	m_info->numberOfDataSegments = numberOfDataSegments;
		83	return { };
		84	diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.h b/Source/JavaScriptCore/wasm/WasmSectionParser.h
		85	index 91fd3ed8..4d7dcbac 100644
		86	--- a/Source/JavaScriptCore/wasm/WasmSectionParser.h
		87	+++ b/Source/JavaScriptCore/wasm/WasmSectionParser.h
		88	@@ -44,7 +44,7 @@ public:
		89	{
		90	}
		91
		92	-#define WASM_SECTION_DECLARE_PARSER(NAME, ID, DESCRIPTION) PartialResult WARN_UNUSED_RETURN parse ## NAME();
		93	+#define WASM_SECTION_DECLARE_PARSER(NAME, ID, ORDERING, DESCRIPTION) PartialResult WARN_UNUSED_RETURN parse ## NAME();
		94	FOR_EACH_KNOWN_WASM_SECTION(WASM_SECTION_DECLARE_PARSER)
		95	#undef WASM_SECTION_DECLARE_PARSER
		96
		97	diff --git a/Source/JavaScriptCore/wasm/WasmSections.h b/Source/JavaScriptCore/wasm/WasmSections.h
		98	index bef20701..b422a587 100644
		99	--- a/Source/JavaScriptCore/wasm/WasmSections.h
		100	+++ b/Source/JavaScriptCore/wasm/WasmSections.h
		101	@@ -33,20 +33,21 @@ IGNORE_RETURN_TYPE_WARNINGS_BEGIN
		102
		103	namespace JSC { namespace Wasm {
		104
		105	+// macro(Name, ID, OrderingNumber, Description).
		106	#define FOR_EACH_KNOWN_WASM_SECTION(macro) \
		107	- macro(Type, 1, "Function signature declarations") \
		108	- macro(Import, 2, "Import declarations") \
		109	- macro(Function, 3, "Function declarations") \
		110	- macro(Table, 4, "Indirect function table and other tables") \
		111	- macro(Memory, 5, "Memory attributes") \
		112	- macro(Global, 6, "Global declarations") \
		113	- macro(Export, 7, "Exports") \
		114	- macro(Start, 8, "Start function declaration") \
		115	- macro(Element, 9, "Elements section") \
		116	- macro(Code, 10, "Function bodies (code)") \
		117	- macro(Data, 11, "Data segments") \
		118	- macro(DataCount, 12, "Data count") \
		119	- macro(Exception, 13, "Exception declarations") \
		120	+ macro(Type, 1, 1, "Function signature declarations") \
		121	+ macro(Import, 2, 2, "Import declarations") \
		122	+ macro(Function, 3, 3, "Function declarations") \
		123	+ macro(Table, 4, 4, "Indirect function table and other tables") \
		124	+ macro(Memory, 5, 5, "Memory attributes") \
		125	+ macro(Global, 6, 7, "Global declarations") \
		126	+ macro(Export, 7, 8, "Exports") \
		127	+ macro(Start, 8, 9, "Start function declaration") \
		128	+ macro(Element, 9, 10, "Elements section") \
		129	+ macro(Code, 10, 12, "Function bodies (code)") \
		130	+ macro(Data, 11, 13, "Data segments") \
		131	+ macro(DataCount, 12, 11, "Data count") \
		132	+ macro(Exception, 13, 6, "Exception declarations") \
		133
		134	enum class Section : uint8_t {
		135	// It's important that Begin is less than every other section number and that Custom is greater.
		136	@@ -54,18 +55,29 @@ enum class Section : uint8_t {
		137	// Also, Begin is not a real section but is used as a marker for validating the ordering
		138	// of sections.
		139	Begin = 0,
		140	-#define DEFINE_WASM_SECTION_ENUM(NAME, ID, DESCRIPTION) NAME = ID,
		141	+#define DEFINE_WASM_SECTION_ENUM(NAME, ID, ORDERING, DESCRIPTION) NAME = ID,
		142	FOR_EACH_KNOWN_WASM_SECTION(DEFINE_WASM_SECTION_ENUM)
		143	#undef DEFINE_WASM_SECTION_ENUM
		144	Custom
		145	};
		146	static_assert(static_cast<uint8_t>(Section::Begin) < static_cast<uint8_t>(Section::Type), "Begin should come before the first known section.");
		147
		148	+inline unsigned orderingNumber(Section section)
		149	+{
		150	+ switch (section) {
		151	+#define ORDERING_OF_SECTION(NAME, ID, ORDERING, DESCRIPTION) case Section::NAME: return ORDERING;
		152	+ FOR_EACH_KNOWN_WASM_SECTION(ORDERING_OF_SECTION)
		153	+#undef VALIDATE_SECTION
		154	+ default:
		155	+ return static_cast<unsigned>(section);
		156	+ }
		157	+}
		158	+
		159	template<typename Int>
		160	inline bool isKnownSection(Int section)
		161	{
		162	switch (section) {
		163	-#define VALIDATE_SECTION(NAME, ID, DESCRIPTION) case static_cast<Int>(Section::NAME): return true;
		164	+#define VALIDATE_SECTION(NAME, ID, ORDERING, DESCRIPTION) case static_cast<Int>(Section::NAME): return true;
		165	FOR_EACH_KNOWN_WASM_SECTION(VALIDATE_SECTION)
		166	#undef VALIDATE_SECTION
		167	default:
		168	@@ -89,13 +101,7 @@ inline bool decodeSection(uint8_t sectionByte, Section& section)
		169	inline bool validateOrder(Section previousKnown, Section next)
		170	{
		171	ASSERT(isKnownSection(previousKnown) \|\| previousKnown == Section::Begin);
		172	- if (previousKnown == Section::DataCount && next == Section::Code)
		173	- return true;
		174	- if (previousKnown == Section::Exception)
		175	- return next >= Section::Global;
		176	- if (next == Section::Exception)
		177	- return previousKnown <= Section::Memory;
		178	- return static_cast<uint8_t>(previousKnown) < static_cast<uint8_t>(next);
		179	+ return orderingNumber(previousKnown) < orderingNumber(next);
		180	}
		181
		182	inline const char* makeString(Section section)
		183	@@ -105,7 +111,7 @@ inline const char* makeString(Section section)
		184	return "Begin";
		185	case Section::Custom:
		186	return "Custom";
		187	-#define STRINGIFY_SECTION_NAME(NAME, ID, DESCRIPTION) case Section::NAME: return #NAME;
		188	+#define STRINGIFY_SECTION_NAME(NAME, ID, ORDERING, DESCRIPTION) case Section::NAME: return #NAME;
		189	FOR_EACH_KNOWN_WASM_SECTION(STRINGIFY_SECTION_NAME)
		190	#undef STRINGIFY_SECTION_NAME
		191	}
		192	diff --git a/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp b/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp
		193	index fa552eff..25e7e32d 100644
		194	--- a/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp
		195	+++ b/Source/JavaScriptCore/wasm/WasmStreamingParser.cpp
		196	@@ -161,7 +161,7 @@ auto StreamingParser::parseSectionPayload(Vector<uint8_t>&& data) -> State
		197	{
		198	SectionParser parser(data.data(), data.size(), m_offset, m_info.get());
		199	switch (m_section) {
		200	-#define WASM_SECTION_PARSE(NAME, ID, DESCRIPTION) \
		201	+#define WASM_SECTION_PARSE(NAME, ID, ORDERING, DESCRIPTION) \
		202	case Section::NAME: { \
		203	WASM_STREAMING_PARSER_FAIL_IF_HELPER_FAILS(parser.parse ## NAME()); \
		204	break; \
		205	@@ -393,9 +393,18 @@ auto StreamingParser::finalize() -> State
		206	m_state = fail("Number of functions parsed (", m_functionCount, ") does not match the number of declared functions (", m_info->functions.size(), ")");
		207	break;
		208	}
		209	+
		210	+ if (m_info->numberOfDataSegments) {
		211	+ if (UNLIKELY(m_info->data.size() != m_info->numberOfDataSegments.value())) {
		212	+ m_state = fail("Data section's count ", m_info->data.size(), " is different from Data Count section's count ", m_info->numberOfDataSegments.value());
		213	+ break;
		214	+ }
		215	+ }
		216	+
		217	if (m_remaining.isEmpty()) {
		218	if (UNLIKELY(Options::useEagerWebAssemblyModuleHashing()))
		219	m_info->nameSection->setHash(m_hasher.computeHexDigest());
		220	+
		221	m_state = State::Finished;
		222	m_client.didFinishParsing();
		223	} else
		224	--
		225	2.40.0


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 20f475bebd..10fcd0813a 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -22,6 +22,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
22	file://CVE-2022-42867.patch \	22	file://CVE-2022-42867.patch \
23	file://CVE-2022-46700.patch \	23	file://CVE-2022-46700.patch \
24	file://CVE-2023-23529.patch \	24	file://CVE-2023-23529.patch \
		25	file://CVE-2022-48503.patch \
25	"	26	"
26	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"	27	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
27		28