Upstream-Status: Backport from https://github.com/WebKit/WebKit/commit/2fe5ae29a5f6434ef456afe9673a4f400ec63848
Signed-off-by: Hitendra Prajapati <[email protected]>
---
 .../webkit/webkitgtk/CVE-2024-40779.patch | 92 +++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.44.1.bb | 1 +
 2 files changed, 93 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
new file mode 100644
index 0000000000..1a7e27dcb6
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2024-40779.patch
@@ -0,0 +1,92 @@
+From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard <[email protected]>
+Date: Fri, 14 Jun 2024 16:08:19 -0700
+Subject: [PATCH] Cherry-pick [email protected]
+ (ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431
+
+HeapBufferOverflow in computeSampleUsingLinearInterpolation
+https://bugs.webkit.org/show_bug.cgi?id=275431
+rdar://125617812
+
+Reviewed by Youenn Fablet.
+
+Add boundary check.
+This is a copy of blink code for that same function.
+https://source.chromium.org/chromium/chromium/src//main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
+
+* LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt: Added.
+* LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html: Added.
+* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
+(WebCore::AudioBufferSourceNode::renderFromBuffer):
+
+Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
+
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/2fe5ae29a5f6434ef456afe9673a4f400ec63848]
+CVE: CVE-2024-40779
+Signed-off-by: Hitendra Prajapati <[email protected]>
+---
+ ...er-sourcenode-resampler-crash-expected.txt | 1 +
+ ...udiobuffer-sourcenode-resampler-crash.html | 25 +++++++++++++++++++
+ .../webaudio/AudioBufferSourceNode.cpp | 6 +++++
+ 3 files changed, 32 insertions(+)
+ create mode 100644 LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
+ create mode 100644 LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
+
+diff --git a/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
+new file mode 100644
+index 00000000..654ddf7f
+--- /dev/null
++++ b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash-expected.txt
+@@ -0,0 +1 @@
++This test passes if it does not crash.
+diff --git a/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
+new file mode 100644
+index 00000000..5fb2dd8c
+--- /dev/null
++++ b/LayoutTests/webaudio/crashtest/audiobuffer-sourcenode-resampler-crash.html
+@@ -0,0 +1,25 @@
++<html>
++<head>
++ <script>
++ async function main() {
++ var ctx = new AudioContext();
++ var src = new AudioBufferSourceNode(ctx);
++ src.buffer = ctx.createBuffer(1, 8192, 44100);
++ src.start(undefined, 0.5);
++ src.playbackRate.value = -1;
++ src.connect(ctx.destination, 0, 0);
++ if (window.testRunner)
++ testRunner.notifyDone();
++ }
++ </script>
++</head>
++<body onload="main()">
++ <p>This test passes if it does not crash.</p>
++ <script>
++ if (window.testRunner) {
++ testRunner.waitUntilDone();
++ testRunner.dumpAsText();
++ }
++ </script>
++</body>
++</html>
+diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+index 42f2779e..7963fb9f 100644
+--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
++++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+@@ -343,6 +343,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
+ if (readIndex2 >= maxFrame)
+ readIndex2 = m_isLooping ? minFrame : readIndex;
+ 
++ // Final sanity check on buffer access.
++ // FIXME: as an optimization, try to get rid of this inner-loop check and
++ // put assertions and guards before the loop.
++ if (readIndex >= bufferLength || readIndex2 >= bufferLength)
++ break;
++
+ // Linear interpolation.
+ for (unsigned i = 0; i < numberOfChannels; ++i) {
+ float* destination = destinationChannels[i];
+-- 
+2.25.1
+
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.44.1.bb b/meta/recipes-sato/webkit/webkitgtk_2.44.1.bb
index c4a3c464c1..29f834ee9b 100644
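Review bot: The guard added in the AudioBufferSourceNode.cpp hunk leaves the loop with `break` as soon as `readIndex` or `readIndex2` reaches `bufferLength`, so the remaining frames of that render quantum are never written; whether they come out as silence or as stale data depends on the destination bus having been cleared before the loop, which the hunk does not show (renderFromBuffer starts and ends outside it), and the new crashtest only checks that nothing crashes, not what is output — worth confirming in the 2.44.1 tree. The comment `// Final sanity check on buffer access.` could name the invariant so the next reader knows why an in-loop check is needed: `// The interpolation below reads source data at readIndex and readIndex2; the maxFrame clamp above evidently does not keep both below bufferLength, so bail out rather than read past the channel data (CVE-2024-40779).` `bufferLength` appears only in the added lines and not in the hunk's context, so it is presumably defined earlier in renderFromBuffer; confirm it is in scope in the 2.44.1 copy of the function before relying on this backport applying cleanly.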
--- a/meta/recipes-sato/webkit/webkitgtk_2.44.1.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.44.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
 file://30e1d5e22213fdaca2a29ec3400c927d710a37a8.patch \
 file://0001-Remove-ARM-specific-declarations-in-FELighting.h-unn.patch \
 file://0002-More-dynamicDowncast-adoption-in-platform-code.patch \
+ file://CVE-2024-40779.patch \
 "
 SRC_URI[sha256sum] = "425b1459b0f04d0600c78d1abb5e7edfa3c060a420f8b231e9a6a2d5d29c5561"
 
-- 
2.25.1
