2 files changed, 92 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
new file mode 100644
index 0000000000..6fac907256
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
@@ -0,0 +1,91 @@
+From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard <jya@apple.com>
+Date: Fri, 14 Jun 2024 16:08:19 -0700
+Subject: [PATCH] Cherry-pick 272448.1085@safari-7618.3.10-branch
+ (ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431
+HeapBufferOverflow in computeSampleUsingLinearInterpolation
+https://bugs.webkit.org/show_bug.cgi?id=275431
+rdar://125617812
+Reviewed by Youenn Fablet.
+Add boundary check.
+This is a copy of blink code for that same function.
+https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
+* LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt: Added.
+* LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html: Added.
+* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
+(WebCore::AudioBufferSourceNode::renderFromBuffer):
+Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/2fe5ae29a5f6434ef456afe9673a4f400ec63848]
+CVE: CVE-2024-40779
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ ...er-sourcenode-resampler-crash-expected.txt |  1 +
+ ...udiobuffer-sourcenode-resampler-crash.html | 25 +++++++++++++++++++
+ .../webaudio/AudioBufferSourceNode.cpp        |  6 +++++
+ 3 files changed, 32 insertions(+)
+ create mode 100644 LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
+ create mode 100644 LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
+diff --git a/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
+new file mode 100644
+index 00000000..654ddf7f
+--- /dev/null
+++ b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
+@@ -0,0 +1 @@
+This test passes if it does not crash.
+diff --git a/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
+new file mode 100644
+index 00000000..5fb2dd8c
+--- /dev/null
+++ b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
+@@ -0,0 +1,25 @@
+<html>
+<head>
+    <script>
+        async function main() {
+            var ctx = new AudioContext();
+            var src = new AudioBufferSourceNode(ctx);
+            src.buffer = ctx.createBuffer(1, 8192, 44100);
+            src.start(undefined, 0.5);
+            src.playbackRate.value = -1;
+            src.connect(ctx.destination, 0, 0);
+            if (window.testRunner)
+                testRunner.notifyDone();
+        }
+    </script>
+</head>
+<body onload="main()">
+    <p>This test passes if it does not crash.</p>
+    <script>
+    if (window.testRunner) {
+        testRunner.waitUntilDone();
+        testRunner.dumpAsText();
+    }
+    </script>
+</body>
+</html>
+diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+index 35b8c818..689d37a1 100644
+--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+@@ -342,6 +342,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
+             if (readIndex2 >= maxFrame)
+                 readIndex2 = m_isLooping ? minFrame : readIndex;
+            // Final sanity check on buffer access.
+            // FIXME: as an optimization, try to get rid of this inner-loop check and
+            // put assertions and guards before the loop.
+            if (readIndex >= bufferLength || readIndex2 >= bufferLength)
+                break;
+
+             // Linear interpolation.
+             for (unsigned i = 0; i < numberOfChannels; ++i) {
+                 float* destination = destinationChannels[i];
+--
+2.34.1
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index f4b8456749..a2d455ab92 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
           file://CVE-2023-23529.patch \
           file://CVE-2022-48503.patch \
           file://CVE-2023-32439.patch \
+           file://CVE-2024-40779.patch \
           "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch new file mode 100644 index 0000000000..6fac907256 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
@@ -0,0 +1,91 @@
		1	From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001
		2	From: Jean-Yves Avenard <jya@apple.com>
		3	Date: Fri, 14 Jun 2024 16:08:19 -0700
		4	Subject: [PATCH] Cherry-pick 272448.1085@safari-7618.3.10-branch
		5	(ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431
		6
		7	HeapBufferOverflow in computeSampleUsingLinearInterpolation
		8	https://bugs.webkit.org/show_bug.cgi?id=275431
		9	rdar://125617812
		10
		11	Reviewed by Youenn Fablet.
		12
		13	Add boundary check.
		14	This is a copy of blink code for that same function.
		15	https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
		16
		17	* LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt: Added.
		18	* LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html: Added.
		19	* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
		20	(WebCore::AudioBufferSourceNode::renderFromBuffer):
		21
		22	Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
		23
		24	Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/2fe5ae29a5f6434ef456afe9673a4f400ec63848]
		25	CVE: CVE-2024-40779
		26	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		27	---
		28	...er-sourcenode-resampler-crash-expected.txt \| 1 +
		29	...udiobuffer-sourcenode-resampler-crash.html \| 25 +++++++++++++++++++
		30	.../webaudio/AudioBufferSourceNode.cpp \| 6 +++++
		31	3 files changed, 32 insertions(+)
		32	create mode 100644 LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
		33	create mode 100644 LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
		34
		35	diff --git a/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
		36	new file mode 100644
		37	index 00000000..654ddf7f
		38	--- /dev/null
		39	+++ b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
		40	@@ -0,0 +1 @@
		41	+This test passes if it does not crash.
		42	diff --git a/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
		43	new file mode 100644
		44	index 00000000..5fb2dd8c
		45	--- /dev/null
		46	+++ b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
		47	@@ -0,0 +1,25 @@
		48	+<html>
		49	+<head>
		50	+ <script>
		51	+ async function main() {
		52	+ var ctx = new AudioContext();
		53	+ var src = new AudioBufferSourceNode(ctx);
		54	+ src.buffer = ctx.createBuffer(1, 8192, 44100);
		55	+ src.start(undefined, 0.5);
		56	+ src.playbackRate.value = -1;
		57	+ src.connect(ctx.destination, 0, 0);
		58	+ if (window.testRunner)
		59	+ testRunner.notifyDone();
		60	+ }
		61	+ </script>
		62	+</head>
		63	+<body onload="main()">
		64	+ <p>This test passes if it does not crash.</p>
		65	+ <script>
		66	+ if (window.testRunner) {
		67	+ testRunner.waitUntilDone();
		68	+ testRunner.dumpAsText();
		69	+ }
		70	+ </script>
		71	+</body>
		72	+</html>
		73	diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
		74	index 35b8c818..689d37a1 100644
		75	--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
		76	+++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
		77	@@ -342,6 +342,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
		78	if (readIndex2 >= maxFrame)
		79	readIndex2 = m_isLooping ? minFrame : readIndex;
		80
		81	+ // Final sanity check on buffer access.
		82	+ // FIXME: as an optimization, try to get rid of this inner-loop check and
		83	+ // put assertions and guards before the loop.
		84	+ if (readIndex >= bufferLength \|\| readIndex2 >= bufferLength)
		85	+ break;
		86	+
		87	// Linear interpolation.
		88	for (unsigned i = 0; i < numberOfChannels; ++i) {
		89	float* destination = destinationChannels[i];
		90	--
		91	2.34.1


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index f4b8456749..a2d455ab92 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -24,6 +24,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
24	file://CVE-2023-23529.patch \	24	file://CVE-2023-23529.patch \
25	file://CVE-2022-48503.patch \	25	file://CVE-2022-48503.patch \
26	file://CVE-2023-32439.patch \	26	file://CVE-2023-32439.patch \
		27	file://CVE-2024-40779.patch \
27	"	28	"
28	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"	29	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
29		30