CVE: CVE-2023-32435
Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/50c7aae]

Backport and rebase patch to fix CVE-2023-32435 for webkitgtk 2.38.6:
* drop the patches for the files WasmAirIRGenerator64.cpp and WasmAirIRGeneratorBase.h which are involved in 2.40.0
* drop test cases as well

Signed-off-by: Kai Kang

From 50c7aaec2f53ab3b960f1b299aad5009df6f1967 Mon Sep 17 00:00:00 2001
From: Justin Michaud
Date: Wed, 8 Feb 2023 14:41:34 -0800
Subject: [PATCH] Fixup air pointer args if they are not valid in BBQ
https://bugs.webkit.org/show_bug.cgi?id=251890
rdar://105079565

Reviewed by Mark Lam and Yusuke Suzuki.

We are not fixing up air args if their offsets don't fit into the instruction in a few cases. Here are some examples:

MoveDouble 28480(%sp), %q16 ; too big
MoveVector 248(%sp), %q16 ; not 16-byte aligned

Let's fix up these arguments.

We also fix a missing validation check when parsing exception tags exposed by this test.

* Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp:
(JSC::Wasm::AirIRGenerator64::addReturn):
* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:
(JSC::Wasm::AirIRGeneratorBase::emitPatchpoint):

oops

Canonical link: https://commits.webkit.org/260038@main
---
 Source/JavaScriptCore/wasm/WasmSectionParser.cpp | 2 +
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
index 6b8f9016..a5f3a88b 100644
--- a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+++ b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
@@ -917,6 +917,8 @@ auto SectionParser::parseException() -> PartialResult WASM_PARSER_FAIL_IF(!parseVarUInt32(typeNumber), "can't get ", exceptionNumber, "th Exception's type number"); WASM_PARSER_FAIL_IF(typeNumber >= m_info->typeCount(), exceptionNumber, "th Exception type number is invalid ", typeNumber); TypeIndex typeIndex = TypeInformation::get(m_info->typeSignatures[typeNumber]); + auto signature = TypeInformation::getFunctionSignature(typeIndex); + WASM_PARSER_FAIL_IF(!signature.returnsVoid(), exceptionNumber, "th Exception type cannot have a non-void return type ", typeNumber); m_info->internalExceptionTypeIndices.uncheckedAppend(typeIndex); } -- 2.34.1
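Review bot: the new `WASM_PARSER_FAIL_IF(!signature.returnsVoid(), ...)` check in `SectionParser::parseException` calls `TypeInformation::getFunctionSignature(typeIndex)` unconditionally on whatever `m_info->typeSignatures[typeNumber]` resolves to, so please confirm that in the 2.38.6 tree every entry of `typeSignatures` is a function signature; if any non-function type can reach this point, the lookup should be guarded by a type-kind check before `returnsVoid()` is consulted, otherwise a crafted type section could still drive the parser into an unexpected path rather than a clean `WASM_PARSER_FAIL_IF` rejection. The placement is otherwise right: the check sits after the existing `typeNumber >= m_info->typeCount()` bounds check and before `internalExceptionTypeIndices.uncheckedAppend(typeIndex)`, so an exception tag with a non-void result is rejected before it is ever recorded. Since the backport header states that the Air argument fixups and tests from the upstream commit were dropped, the upstream subject line "Fixup air pointer args if they are not valid in BBQ" no longer describes this patch; the backport note should say explicitly that only the exception-tag return-type validation is carried here so that readers auditing the CVE fix do not assume the Air fixups are present in 2.38.6.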