Diffstat (limited to 'meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch')
-rw-r--r-- | meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
new file mode 100644
index 0000000000..ff9df40433
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2022-46691.patch
@@ -0,0 +1,43 @@
+From fd57a49d07c9c285780495344073350182fd7c7c Mon Sep 17 00:00:00 2001
+From: Yijia Huang <hyjorc1@gmail.com>
+Date: Mon, 10 Oct 2022 15:42:34 -0700
+Subject: [PATCH] [JSC] Should model BigInt with side effects
+ https://bugs.webkit.org/show_bug.cgi?id=246291 rdar://100494823
+
+Reviewed by Yusuke Suzuki.
+
+Operations with two BigInt operands have side effects,
+which should not be hoisted from loops.
+
+* Source/JavaScriptCore/dfg/DFGClobberize.cpp:
+(JSC::DFG::doesWrites):
+* Source/JavaScriptCore/dfg/DFGClobberize.h:
+(JSC::DFG::clobberize):
+
+Canonical link: https://commits.webkit.org/255368@main
+
+CVE: CVE-2022-46691
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/fd57a49d07c9c285780495344073350182fd7c7c]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ Source/JavaScriptCore/dfg/DFGClobberize.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
+index 0363ab20dcd8..4b1bcfea1fd7 100644
+--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
+@@ -811,6 +811,8 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+ case ValueBitRShift:
+ // FIXME: this use of single-argument isBinaryUseKind would prevent us from specializing (for example) for a HeapBigInt left-operand and a BigInt32 right-operand.
+ if (node->isBinaryUseKind(AnyBigIntUse) || node->isBinaryUseKind(BigInt32Use) || node->isBinaryUseKind(HeapBigIntUse)) {
++ read(World);
++ write(SideState);
+ def(PureValue(node));
+ return;
+ }
+--
+2.40.0 |
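Review bot: The embedded patch header names two touched locations, `DFGClobberize.cpp` (`JSC::DFG::doesWrites`) and `DFGClobberize.h` (`JSC::DFG::clobberize`), but the backported diff and its own diffstat cover only `DFGClobberize.h` with 2 insertions. The page does not show whether the `.cpp` part was dropped on purpose because it does not apply to the recipe's WebKitGTK version, or whether the CVE-2022-46691 fix is only partly carried over. Please confirm against the upstream commit and record the outcome in the header, for example `Upstream-Status: Backport [<upstream commit URL>; DFGClobberize.cpp change omitted: <reason>]`. The `clobberize` switch starts and ends outside the hunk, so it is also worth checking in the target source tree that `read(World); write(SideState);` lands in the BigInt branch shared by all the binary-operator case labels above `ValueBitRShift`, not in a similar-looking neighbouring branch when the patch applies with fuzz.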