2 files changed, 105 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
new file mode 100644
index 0000000000..bf06809051
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
@@ -0,0 +1,104 @@
+From f67a882170609d15836204a689dc552322fbe653 Mon Sep 17 00:00:00 2001
+From: Yogita Urade <yogita.urade@windriver.com>
+Date: Wed, 7 Jun 2023 08:15:11 +0000
+Subject: [oe-core][kirkstone][PATCH 1/1] RenderElement::updateFillImages
+ should take pointer arguments  like other similar functions
+ https://bugs.webkit.org/show_bug.cgi?id=247317  rdar://100273147
+Reviewed by Alan Baradlay.
+* Source/WebCore/rendering/RenderElement.cpp:
+(WebCore::RenderElement::updateFillImages):
+(WebCore::RenderElement::styleDidChange):
+* Source/WebCore/rendering/RenderElement.h:
+Canonical link: https://commits.webkit.org/256215@main
+CVE: CVE-2022-42867
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ Source/WebCore/rendering/RenderElement.cpp | 27 ++++++++++++++--------
+ Source/WebCore/rendering/RenderElement.h   |  2 +-
+ 2 files changed, 19 insertions(+), 10 deletions(-)
+diff --git a/Source/WebCore/rendering/RenderElement.cpp b/Source/WebCore/rendering/RenderElement.cpp
+index da43bf3d..931686b8 100644
+--- a/Source/WebCore/rendering/RenderElement.cpp
+++ b/Source/WebCore/rendering/RenderElement.cpp
+@@ -358,7 +358,7 @@ inline bool RenderElement::shouldRepaintForStyleDifference(StyleDifference diff)
+     return diff == StyleDifference::Repaint || (diff == StyleDifference::RepaintIfTextOrBorderOrOutline && hasImmediateNonWhitespaceTextChildOrBorderOrOutline());
+ }
+-void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer& newLayers)
+void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer* newLayers)
+ {
+     auto fillImagesAreIdentical = [](const FillLayer* layer1, const FillLayer* layer2) -> bool {
+         if (layer1 == layer2)
+@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
+     };
+     auto isRegisteredWithNewFillImages = [&]() -> bool {
+-        for (auto* layer = &newLayers; layer; layer = layer->next()) {
+        for (auto* layer = newLayers; layer; layer = layer->next()) {
+             if (layer->image() && !layer->image()->hasClient(*this))
+                 return false;
+         }
+@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
+     // If images have the same characteristics and this element is already registered as a
+     // client to the new images, there is nothing to do.
+-    if (fillImagesAreIdentical(oldLayers, &newLayers) && isRegisteredWithNewFillImages())
+    if (fillImagesAreIdentical(oldLayers, newLayers) && isRegisteredWithNewFillImages())
+         return;
+     // Add before removing, to avoid removing all clients of an image that is in both sets.
+-    for (auto* layer = &newLayers; layer; layer = layer->next()) {
+    for (auto* layer = newLayers; layer; layer = layer->next()) {
+         if (layer->image())
+             layer->image()->addClient(*this);
+     }
+@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, const RenderStyle* b)
+ void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
+ {
+-    updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, m_style.backgroundLayers());
+-    updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, m_style.maskLayers());
+-    updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, m_style.borderImage().image());
+-    updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, m_style.maskBoxImage().image());
+-    updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, m_style.shapeOutside());
+    auto registerImages = [this](auto* style, auto* oldStyle) {
+        if (!style && !oldStyle)
+            return;
+        updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, style ? &style->backgroundLayers() : nullptr);
+        updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, style ? &style->maskLayers() : nullptr);
+        updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, style ? style->borderImage().image() : nullptr);
+        updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, style ? style->maskBoxImage().image() : nullptr);
+        updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, style ? style->shapeOutside() : nullptr);
+    };
+
+    registerImages(&style(), oldStyle);
+
+    // Are there other pseudo-elements that need the resources to be registered?
+    registerImages(style().getCachedPseudoStyle(PseudoId::FirstLine), oldStyle ? oldStyle->getCachedPseudoStyle(PseudoId::FirstLine) : nullptr);
+     SVGRenderSupport::styleChanged(*this, oldStyle);
+diff --git a/Source/WebCore/rendering/RenderElement.h b/Source/WebCore/rendering/RenderElement.h
+index f376cecb..d6ba2cdf 100644
+--- a/Source/WebCore/rendering/RenderElement.h
+++ b/Source/WebCore/rendering/RenderElement.h
+@@ -349,7 +349,7 @@ private:
+     bool shouldRepaintForStyleDifference(StyleDifference) const;
+     bool hasImmediateNonWhitespaceTextChildOrBorderOrOutline() const;
+-    void updateFillImages(const FillLayer*, const FillLayer&);
+    void updateFillImages(const FillLayer*, const FillLayer*);
+     void updateImage(StyleImage*, StyleImage*);
+     void updateShapeImage(const ShapeValue*, const ShapeValue*);
+--
+2.35.5
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 8f6514a82b..062f209932 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
           file://CVE-2022-32923.patch \
           file://CVE-2022-46691.patch \
           file://CVE-2022-46699.patch \
+           file://CVE-2022-42867.patch \
           "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch new file mode 100644 index 0000000000..bf06809051 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch
@@ -0,0 +1,104 @@
		1	From f67a882170609d15836204a689dc552322fbe653 Mon Sep 17 00:00:00 2001
		2	From: Yogita Urade <yogita.urade@windriver.com>
		3	Date: Wed, 7 Jun 2023 08:15:11 +0000
		4	Subject: [oe-core][kirkstone][PATCH 1/1] RenderElement::updateFillImages
		5	should take pointer arguments like other similar functions
		6	https://bugs.webkit.org/show_bug.cgi?id=247317 rdar://100273147
		7
		8	Reviewed by Alan Baradlay.
		9
		10	* Source/WebCore/rendering/RenderElement.cpp:
		11	(WebCore::RenderElement::updateFillImages):
		12	(WebCore::RenderElement::styleDidChange):
		13	* Source/WebCore/rendering/RenderElement.h:
		14
		15	Canonical link: https://commits.webkit.org/256215@main
		16
		17	CVE: CVE-2022-42867
		18
		19	Upstream-Status: Backport
		20	[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc]
		21
		22	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		23	---
		24	Source/WebCore/rendering/RenderElement.cpp \| 27 ++++++++++++++--------
		25	Source/WebCore/rendering/RenderElement.h \| 2 +-
		26	2 files changed, 19 insertions(+), 10 deletions(-)
		27
		28	diff --git a/Source/WebCore/rendering/RenderElement.cpp b/Source/WebCore/rendering/RenderElement.cpp
		29	index da43bf3d..931686b8 100644
		30	--- a/Source/WebCore/rendering/RenderElement.cpp
		31	+++ b/Source/WebCore/rendering/RenderElement.cpp
		32	@@ -358,7 +358,7 @@ inline bool RenderElement::shouldRepaintForStyleDifference(StyleDifference diff)
		33	return diff == StyleDifference::Repaint \|\| (diff == StyleDifference::RepaintIfTextOrBorderOrOutline && hasImmediateNonWhitespaceTextChildOrBorderOrOutline());
		34	}
		35
		36	-void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer& newLayers)
		37	+void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer* newLayers)
		38	{
		39	auto fillImagesAreIdentical = [](const FillLayer* layer1, const FillLayer* layer2) -> bool {
		40	if (layer1 == layer2)
		41	@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
		42	};
		43
		44	auto isRegisteredWithNewFillImages = [&]() -> bool {
		45	- for (auto* layer = &newLayers; layer; layer = layer->next()) {
		46	+ for (auto* layer = newLayers; layer; layer = layer->next()) {
		47	if (layer->image() && !layer->image()->hasClient(*this))
		48	return false;
		49	}
		50	@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
		51
		52	// If images have the same characteristics and this element is already registered as a
		53	// client to the new images, there is nothing to do.
		54	- if (fillImagesAreIdentical(oldLayers, &newLayers) && isRegisteredWithNewFillImages())
		55	+ if (fillImagesAreIdentical(oldLayers, newLayers) && isRegisteredWithNewFillImages())
		56	return;
		57
		58	// Add before removing, to avoid removing all clients of an image that is in both sets.
		59	- for (auto* layer = &newLayers; layer; layer = layer->next()) {
		60	+ for (auto* layer = newLayers; layer; layer = layer->next()) {
		61	if (layer->image())
		62	layer->image()->addClient(*this);
		63	}
		64	@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, const RenderStyle* b)
		65
		66	void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
		67	{
		68	- updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, m_style.backgroundLayers());
		69	- updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, m_style.maskLayers());
		70	- updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, m_style.borderImage().image());
		71	- updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, m_style.maskBoxImage().image());
		72	- updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, m_style.shapeOutside());
		73	+ auto registerImages = [this](auto* style, auto* oldStyle) {
		74	+ if (!style && !oldStyle)
		75	+ return;
		76	+ updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, style ? &style->backgroundLayers() : nullptr);
		77	+ updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, style ? &style->maskLayers() : nullptr);
		78	+ updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, style ? style->borderImage().image() : nullptr);
		79	+ updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, style ? style->maskBoxImage().image() : nullptr);
		80	+ updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, style ? style->shapeOutside() : nullptr);
		81	+ };
		82	+
		83	+ registerImages(&style(), oldStyle);
		84	+
		85	+ // Are there other pseudo-elements that need the resources to be registered?
		86	+ registerImages(style().getCachedPseudoStyle(PseudoId::FirstLine), oldStyle ? oldStyle->getCachedPseudoStyle(PseudoId::FirstLine) : nullptr);
		87
		88	SVGRenderSupport::styleChanged(*this, oldStyle);
		89
		90	diff --git a/Source/WebCore/rendering/RenderElement.h b/Source/WebCore/rendering/RenderElement.h
		91	index f376cecb..d6ba2cdf 100644
		92	--- a/Source/WebCore/rendering/RenderElement.h
		93	+++ b/Source/WebCore/rendering/RenderElement.h
		94	@@ -349,7 +349,7 @@ private:
		95	bool shouldRepaintForStyleDifference(StyleDifference) const;
		96	bool hasImmediateNonWhitespaceTextChildOrBorderOrOutline() const;
		97
		98	- void updateFillImages(const FillLayer*, const FillLayer&);
		99	+ void updateFillImages(const FillLayer, const FillLayer);
		100	void updateImage(StyleImage, StyleImage);
		101	void updateShapeImage(const ShapeValue, const ShapeValue);
		102
		103	--
		104	2.35.5


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 8f6514a82b..062f209932 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -19,6 +19,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
19	file://CVE-2022-32923.patch \	19	file://CVE-2022-32923.patch \
20	file://CVE-2022-46691.patch \	20	file://CVE-2022-46691.patch \
21	file://CVE-2022-46699.patch \	21	file://CVE-2022-46699.patch \
		22	file://CVE-2022-42867.patch \
22	"	23	"
23	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"	24	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
24		25