2 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
new file mode 100644
index 0000000000..ff9df40433
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
@@ -0,0 +1,43 @@
+From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
+From: Yijia Huang <hyjorc1@gmail.com>
+Date: Mon, 10 Oct 2022 15:42:34 -0700
+Subject: [PATCH] [JSC] Should model BigInt with side effects
+ https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
+Reviewed by Yusuke Suzuki.
+Operations with two BigInt operands have side effects,
+which should not be hoisted from loops.
+* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
+(JSC::DFG::doesWrites):
+* Source/JavaScriptCore/dfg/DFGClobberize.h:
+(JSC::DFG::clobberize):
+Canonical link: https://commits.webkit.org/255368@main
+CVE: CVE-2022-46691
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
+index 0363ab20dcd8..4b1bcfea1fd7 100644
+--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
+@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+     case ValueBitRShift:
+         // FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand.
+         if (node->isBinaryUseKind(AnyBigIntUse) || node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) {
+            read(World);
+            write(SideState);
+             def(PureValue(node));
+             return;
+         }
+--
+2.40.0
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
index 1dac4f5677..02258f84e4 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
           file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
           file://CVE-2022-32888.patch \
           file://CVE-2022-32923.patch \
+           file://CVE-2022-46691.patch \
           "
 SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch new file mode 100644 index 0000000000..ff9df40433 --- /dev/null +++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
@@ -0,0 +1,43 @@
		1	From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
		2	From: Yijia Huang <hyjorc1@gmail.com>
		3	Date: Mon, 10 Oct 2022 15:42:34 -0700
		4	Subject: [PATCH] [JSC] Should model BigInt with side effects
		5	https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
		6
		7	Reviewed by Yusuke Suzuki.
		8
		9	Operations with two BigInt operands have side effects,
		10	which should not be hoisted from loops.
		11
		12	* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
		13	(JSC::DFG::doesWrites):
		14	* Source/JavaScriptCore/dfg/DFGClobberize.h:
		15	(JSC::DFG::clobberize):
		16
		17	Canonical link: https://commits.webkit.org/255368@main
		18
		19	CVE: CVE-2022-46691
		20
		21	Upstream-Status: Backport
		22	[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
		23
		24	Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
		25	---
		26	Source/JavaScriptCore/dfg/DFGClobberize.h \| 2 ++
		27	1 file changed, 2 insertions(+)
		28
		29	diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
		30	index 0363ab20dcd8..4b1bcfea1fd7 100644
		31	--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
		32	+++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
		33	@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
		34	case ValueBitRShift:
		35	// FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand.
		36	if (node->isBinaryUseKind(AnyBigIntUse) \|\| node->isBinaryUseKind(BigInt32Use) \|\| node->isBinaryUseKind(HeapBigIntUse)) {
		37	+ read(World);
		38	+ write(SideState);
		39	def(PureValue(node));
		40	return;
		41	}
		42	--
		43	2.40.0


diff --git a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb index 1dac4f5677..02258f84e4 100644 --- a/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb +++ b/meta/recipes-sato/webkit/webkitgtk_2.36.8.bb
@@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
17	file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \	17	file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
18	file://CVE-2022-32888.patch \	18	file://CVE-2022-32888.patch \
19	file://CVE-2022-32923.patch \	19	file://CVE-2022-32923.patch \
		20	file://CVE-2022-46691.patch \
20	"	21	"
21	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"	22	SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
22		23