From e58db3f574f3f9c80b2b8d740308dada044b3376 Mon Sep 17 00:00:00 2001
From: lingsheng <860373352@qq.com>
Date: Mon, 26 Aug 2024 02:09:02 +0000
Subject: [PATCH] fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
---
 backport-CVE-2024-40779.patch | 41 ++++++++++++++++++++++++++++++++++
 backport-CVE-2024-40780.patch | 41 ++++++++++++++++++++++++++++++++++
 backport-CVE-2024-4558.patch | 42 +++++++++++++++++++++++++++++++++++
 webkit2gtk3.spec | 8 ++++++-
 webkit2gtk4_1.spec | 8 ++++++-
 webkit2gtk5_0.spec | 8 ++++++-
 6 files changed, 145 insertions(+), 3 deletions(-)
 create mode 100644 backport-CVE-2024-40779.patch
 create mode 100644 backport-CVE-2024-40780.patch
 create mode 100644 backport-CVE-2024-4558.patch
diff --git a/backport-CVE-2024-40779.patch b/backport-CVE-2024-40779.patch
new file mode 100644
index 0000000..d642192
--- /dev/null
+++ b/backport-CVE-2024-40779.patch
@@ -0,0 +1,41 @@
+From 2fe5ae29a5f6434ef456afe9673a4f400ec63848 Mon Sep 17 00:00:00 2001
+From: Jean-Yves Avenard
+Date: Fri, 14 Jun 2024 16:08:19 -0700
+Subject: [PATCH] Cherry-pick 272448.1085@safari-7618.3.10-branch
+ (ff52ff7cb64e). https://bugs.webkit.org/show_bug.cgi?id=275431
+
+HeapBufferOverflow in computeSampleUsingLinearInterpolation
+https://bugs.webkit.org/show_bug.cgi?id=275431
+rdar://125617812
+
+Reviewed by Youenn Fablet.
+
+Add boundary check.
+This is a copy of blink code for that same function.
+https://source.chromium.org/chromium/chromium/src/+/main:third_party/blink/renderer/modules/webaudio/audio_buffer_source_handler.cc;l=336-341
+
+* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
+(WebCore::AudioBufferSourceNode::renderFromBuffer):
+
+Canonical link: https://commits.webkit.org/274313.347@webkitglib/2.44
+---
+ .../webaudio/AudioBufferSourceNode.cpp | 6 +++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+index 298bd48cdff5..740b793e0ec5 100644
+--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
++++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+@@ -350,6 +350,12 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
+ if (readIndex2 >= maxFrame)
+ readIndex2 = m_isLooping ? minFrame : readIndex;
+
++ // Final sanity check on buffer access.
++ // FIXME: as an optimization, try to get rid of this inner-loop check and
++ // put assertions and guards before the loop.
++ if (readIndex >= bufferLength || readIndex2 >= bufferLength)
++ break;
++
+ // Linear interpolation.
+ for (unsigned i = 0; i < numberOfChannels; ++i) {
+ float* destination = destinationChannels[i];
diff --git a/backport-CVE-2024-40780.patch b/backport-CVE-2024-40780.patch
new file mode 100644
index 0000000..9157ff2
--- /dev/null
+++ b/backport-CVE-2024-40780.patch
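Review bot: The nested `index` lines show the two AudioBufferSourceNode backports chained in upstream order, CVE-2024-40780 first (`f86bffb9b507..298bd48cdff5`) and CVE-2024-40779 on top of it (`298bd48cdff5..740b793e0ec5`), whereas the spec files register them as Patch6006 (40779) before Patch6007 (40780). Both nested hunks only add lines in separate regions of renderFromBuffer(), so the reversed order will most likely still apply with an offset, but swapping the two `Patch` lines in the three spec files, or adding a header line to this file such as `Backported to 2.38.2; applies cleanly after backport-CVE-2024-40780.patch`, would make the dependency explicit. The same applies to the CVE-2024-40780 hunk that follows. The enclosing renderFromBuffer() starts and ends outside the nested hunk.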
@@ -0,0 +1,41 @@
+From e83e4c7460972898dc06a5f5ab36eed7c6b101b5 Mon Sep 17 00:00:00 2001
+From: Jer Noble
+Date: Tue, 11 Jun 2024 11:54:06 -0700
+Subject: [PATCH] Cherry-pick 272448.1080@safari-7618.3.10-branch
+ (64c9479d6f29). https://bugs.webkit.org/show_bug.cgi?id=275273
+
+Add check in AudioBufferSourceNode::renderFromBuffer() when detune is set to large negative value
+https://bugs.webkit.org/show_bug.cgi?id=275273
+rdar://125617842
+
+Reviewed by Eric Carlson.
+
+* Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp:
+(WebCore::AudioBufferSourceNode::renderFromBuffer):
+
+Canonical link: https://commits.webkit.org/274313.345@webkitglib/2.44
+---
+ .../webaudio/AudioBufferSourceNode.cpp | 7 +++++
+ 1 file changed, 7 insertions(+)
+
+diff --git a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+index f86bffb9b507..298bd48cdff5 100644
+--- a/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
++++ b/Source/WebCore/Modules/webaudio/AudioBufferSourceNode.cpp
+@@ -328,9 +328,16 @@ bool AudioBufferSourceNode::renderFromBuffer(AudioBus* bus, unsigned destination
+ virtualReadIndex = readIndex;
+ } else if (!pitchRate) {
+ unsigned readIndex = static_cast(virtualReadIndex);
++ int deltaFrames = static_cast(virtualDeltaFrames);
++ maxFrame = static_cast(virtualMaxFrame);
++
++ if (readIndex >= maxFrame)
++ readIndex -= deltaFrames;
+
+ for (unsigned i = 0; i < numberOfChannels; ++i)
+ std::fill_n(destinationChannels[i] + writeIndex, framesToProcess, sourceChannels[i][readIndex]);
++
++ virtualReadIndex = readIndex;
+ } else if (reverse) {
+ unsigned maxFrame = static_cast(virtualMaxFrame);
+ unsigned minFrame = static_cast(floorf(virtualMinFrame));
diff --git a/backport-CVE-2024-4558.patch b/backport-CVE-2024-4558.patch
new file mode 100644
index 0000000..d5f2869
--- /dev/null
+++ b/backport-CVE-2024-4558.patch
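Review bot: The casts in the nested hunk read `static_cast(virtualReadIndex)`, `static_cast(virtualDeltaFrames)` and `static_cast(virtualMaxFrame)` with no template argument, on both context and added lines. If that is the literal content of the committed backport file rather than an artifact of how this page was rendered, the context lines will not match the 2.38.2 source and the hunk will be rejected at %prep, and the added lines would not compile even if forced in; the declarations on the same lines (`unsigned readIndex`, `int deltaFrames`) indicate the intended forms are `static_cast<unsigned>(...)` for the indices and `static_cast<int>(virtualDeltaFrames)` for the delta. Worth confirming by applying all three backports in a scratch build of 2.38.2 before merging, since the nested `index` ids come from the 2.44 tree. The enclosing renderFromBuffer() starts and ends outside the nested hunk.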
@@ -0,0 +1,42 @@
+From 9d7ec80f78039e6646fcfc455ab4c05aa393f34c Mon Sep 17 00:00:00 2001
+From: Kimmo Kinnunen
+Date: Tue, 14 May 2024 22:37:29 -0700
+Subject: [PATCH] Cherry-pick ANGLE.
+ https://bugs.webkit.org/show_bug.cgi?id=274165
+
+https://bugs.webkit.org/show_bug.cgi?id=274165
+rdar://127764804
+
+Reviewed by Dan Glastonbury.
+
+Cherry-pick ANGLE upstream commit 1bb1ee061fe0bce322fb93b447a72e72c993a1f2:
+
+GL: Sync unpack state for glCompressedTexSubImage3D
+
+Unpack state is supposed to be ignored for compressed tex image calls
+but some drivers use it anyways and read incorrect data.
+
+Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.
+
+Bug: chromium:337766133
+Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735
+Commit-Queue: Shahbaz Youssefi
+Reviewed-by: Shahbaz Youssefi
+Canonical link: https://commits.webkit.org/274313.341@webkitglib/2.44
+---
+ Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
+index c659aacb9e48..f96eefe53f11 100644
+--- a/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
++++ b/Source/ThirdParty/ANGLE/src/libANGLE/renderer/gl/TextureGL.cpp
+@@ -664,6 +664,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context,
+ nativegl::GetCompressedSubTexImageFormat(functions, features, format);
+
+ stateManager->bindTexture(getType(), mTextureID);
++ ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack));
+ if (nativegl::UseTexImage2D(getType()))
+ {
+ ASSERT(area.z == 0 && area.depth == 1);
diff --git a/webkit2gtk3.spec b/webkit2gtk3.spec
index a8873ad..11965c8 100644
--- a/webkit2gtk3.spec
+++ b/webkit2gtk3.spec
@@ -14,7 +14,7 @@
 Name: webkit2gtk3
 Version: 2.38.2
-Release: 8
+Release: 9
 Summary: GTK web content engine library
 License: LGPLv2
 URL: https://www.webkitgtk.org/
@@ -33,6 +33,9 @@ Patch6001: backport-CVE-2023-32373.patch
 Patch6002: backport-CVE-2023-32409.patch
 Patch6003: backport-Fix-build-with-Ruby-3.2.patch
 Patch6004: backport-CVE-2023-39928.patch
+Patch6005: backport-CVE-2024-4558.patch
+Patch6006: backport-CVE-2024-40779.patch
+Patch6007: backport-CVE-2024-40780.patch
 #Dependency
 BuildRequires: bison
@@ -291,6 +294,9 @@ popd
 %endif
 %changelog
+* Mon Aug 26 2024 lingsheng - 2.38.2-9
+- fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
+
 * Wed Oct 11 2023 zhouwenpei - 2.38.2-8
 - fix check_install error
diff --git a/webkit2gtk4_1.spec b/webkit2gtk4_1.spec
index 48993c8..ca5ef4a 100644
--- a/webkit2gtk4_1.spec
+++ b/webkit2gtk4_1.spec
@@ -14,7 +14,7 @@
 Name: webkit2gtk4.1
 Version: 2.38.2
-Release: 8
+Release: 9
 Summary: GTK web content engine library
 License: LGPLv2
 URL: https://www.webkitgtk.org/
@@ -33,6 +33,9 @@ Patch6001: backport-CVE-2023-32373.patch
 Patch6002: backport-CVE-2023-32409.patch
 Patch6003: backport-Fix-build-with-Ruby-3.2.patch
 Patch6004: backport-CVE-2023-39928.patch
+Patch6005: backport-CVE-2024-4558.patch
+Patch6006: backport-CVE-2024-40779.patch
+Patch6007: backport-CVE-2024-40780.patch
 #Dependency
 BuildRequires: bison
@@ -260,6 +263,9 @@ popd
 %endif
 %changelog
+* Mon Aug 26 2024 lingsheng - 2.38.2-9
+- fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
+
 * Wed Oct 11 2023 zhouwenpei - 2.38.2-8
 - fix check_install error
diff --git a/webkit2gtk5_0.spec b/webkit2gtk5_0.spec
index f4f6a71..5f2de0a 100644
--- a/webkit2gtk5_0.spec
+++ b/webkit2gtk5_0.spec
@@ -14,7 +14,7 @@
 Name: webkit2gtk5.0
 Version: 2.38.2
-Release: 8
+Release: 9
 Summary: GTK web content engine library
 License: LGPLv2
 URL: https://www.webkitgtk.org/
@@ -33,6 +33,9 @@ Patch6001: backport-CVE-2023-32373.patch
 Patch6002: backport-CVE-2023-32409.patch
 Patch6003: backport-Fix-build-with-Ruby-3.2.patch
 Patch6004: backport-CVE-2023-39928.patch
+Patch6005: backport-CVE-2024-4558.patch
+Patch6006: backport-CVE-2024-40779.patch
+Patch6007: backport-CVE-2024-40780.patch
 #Dependency
 BuildRequires: bison
@@ -260,6 +263,9 @@ popd
 %endif
 %changelog
+* Mon Aug 26 2024 lingsheng - 2.38.2-9
+- fix CVE-2024-4558 CVE-2024-40779 CVE-2024-40780
+
 * Wed Oct 11 2023 zhouwenpei - 2.38.2-8
 - fix check_install error
--
Gitee