path: root/poky/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32435.patch
blob: c6ac6b4a1c546c17c14a88afd9321a96962028dc (plain)
CVE: CVE-2023-32435

Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/50c7aae]

Backport and rebase the patch to fix CVE-2023-32435 for webkitgtk 2.38.6:

* drop the patches for the files WasmAirIRGenerator64.cpp and
  WasmAirIRGeneratorBase.h which are involved in 2.40.0
* drop test cases as well

Signed-off-by: Kai Kang <kai.kang@windriver.com>

From 50c7aaec2f53ab3b960f1b299aad5009df6f1967 Mon Sep 17 00:00:00 2001
From: Justin Michaud <justin_michaud@apple.com>
Date: Wed, 8 Feb 2023 14:41:34 -0800
Subject: [PATCH] Fixup air pointer args if they are not valid in BBQ
 https://bugs.webkit.org/show_bug.cgi?id=251890 rdar://105079565

Reviewed by Mark Lam and Yusuke Suzuki.

We are not fixing up air args if their offsets don't fit into the instruction
in a few cases.

Here are some examples:

MoveDouble 28480(%sp), %q16 ; too big
MoveVector 248(%sp), %q16 ; not 16-byte aligned

Let's fix up these arguments. We also fix a missing validation check
when parsing exception tags exposed by this test.

* Source/JavaScriptCore/wasm/WasmAirIRGenerator64.cpp:
(JSC::Wasm::AirIRGenerator64::addReturn):
* Source/JavaScriptCore/wasm/WasmAirIRGeneratorBase.h:
(JSC::Wasm::AirIRGeneratorBase::emitPatchpoint):

oops

Canonical link: https://commits.webkit.org/260038@main
---
 Source/JavaScriptCore/wasm/WasmSectionParser.cpp  |  2 +
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
index 6b8f9016..a5f3a88b 100644
--- a/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
+++ b/Source/JavaScriptCore/wasm/WasmSectionParser.cpp
@@ -917,6 +917,8 @@ auto SectionParser::parseException() -> PartialResult
         WASM_PARSER_FAIL_IF(!parseVarUInt32(typeNumber), "can't get ", exceptionNumber, "th Exception's type number");
         WASM_PARSER_FAIL_IF(typeNumber >= m_info->typeCount(), exceptionNumber, "th Exception type number is invalid ", typeNumber);
         TypeIndex typeIndex = TypeInformation::get(m_info->typeSignatures[typeNumber]);
+        auto signature = TypeInformation::getFunctionSignature(typeIndex);
+        WASM_PARSER_FAIL_IF(!signature.returnsVoid(), exceptionNumber, "th Exception type cannot have a non-void return type ", typeNumber);
         m_info->internalExceptionTypeIndices.uncheckedAppend(typeIndex);
     }
 
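Review bot: `signature.returnsVoid()` is evaluated on whatever `TypeInformation::getFunctionSignature(typeIndex)` returns, and the only guard in front of it is the index bounds check `typeNumber >= m_info->typeCount()`, which validates the index rather than that the entry is a function type; the hunk is correct as long as every `typeSignatures` entry in 2.38.6 is a function signature, so a one-line comment above the new WASM_PARSER_FAIL_IF stating that assumption would help the next backporter. The ordering is right: the new check sits before `uncheckedAppend`, so a tag whose type has a non-void result never reaches `internalExceptionTypeIndices`. Separately, the diff stat reports 1 file changed while the commit message above lists changes to WasmAirIRGenerator64.cpp and WasmAirIRGeneratorBase.h; the backport header explains that those hunks were dropped, but it should also say whether 2.38.6 is unaffected by the Air argument fixup, since that is the part of the upstream fix not carried here.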
-- 
2.34.1
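The two parser checks in the hunk above (type index in range, then void result type), reproduced as an added standalone example in Python rather than WebKit's own C++. The WebAssembly module bytes are constructed inline; the function names, the `build_module` helper and the error strings (which mirror the hunk's WASM_PARSER_FAIL_IF messages) are this example's own, not WebKit's:

```python
# Added example, not WebKit code: minimal WebAssembly type/tag section parser with the hunk's exception-tag checks.
WASM_MAGIC, WASM_VERSION = b"\x00asm", b"\x01\x00\x00\x00"
SECTION_TYPE, SECTION_TAG = 1, 13      # section ids: type, tag (exception)
FUNC_TYPE_PREFIX, I32 = 0x60, 0x7F     # functype marker byte, i32 valtype byte

class ParseError(ValueError):
    """Raised where the real parser would hit WASM_PARSER_FAIL_IF."""

def read_leb_u32(buf, pos):
    """Decode an unsigned LEB128 u32 at buf[pos]; return (value, new_pos)."""
    result, shift = 0, 0
    while True:
        if pos >= len(buf):
            raise ParseError("truncated LEB128")
        if shift >= 35:
            raise ParseError("LEB128 too long for u32")
        byte, pos = buf[pos], pos + 1
        result |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            break
    if result > 0xFFFFFFFF:
        raise ParseError("LEB128 value overflows u32")
    return result, pos

def read_valtype_vec(buf, pos):
    count, pos = read_leb_u32(buf, pos)
    if pos + count > len(buf):
        raise ParseError("truncated valtype vector")
    return list(buf[pos:pos + count]), pos + count

def parse_type_section(body):
    count, pos = read_leb_u32(body, 0)
    sigs = []                                   # one (params, results) pair per functype
    for i in range(count):
        if pos >= len(body) or body[pos] != FUNC_TYPE_PREFIX:
            raise ParseError(f"type {i}: expected functype prefix 0x60")
        params, pos = read_valtype_vec(body, pos + 1)
        results, pos = read_valtype_vec(body, pos)
        sigs.append((params, results))
    return sigs

def parse_tag_section(body, sigs):
    """Return each exception tag's type index after both checks from the hunk."""
    count, pos = read_leb_u32(body, 0)
    tag_types = []
    for i in range(count):
        if pos >= len(body) or body[pos] != 0:       # attribute byte 0 = exception
            raise ParseError(f"{i}th Exception has a missing or unsupported attribute")
        type_number, pos = read_leb_u32(body, pos + 1)
        # Pre-existing check: the referenced type index must be in range.
        if type_number >= len(sigs):
            raise ParseError(f"{i}th Exception type number is invalid {type_number}")
        # Check added by the patch: the exception's signature must return void.
        if sigs[type_number][1]:
            raise ParseError(f"{i}th Exception type cannot have a non-void return type {type_number}")
        tag_types.append(type_number)
    return tag_types

def validate_exception_tags(module):
    """Walk the module's sections; return the validated tag type indices."""
    if module[:8] != WASM_MAGIC + WASM_VERSION:
        raise ParseError("bad magic or version")
    sigs, tags, pos = [], [], 8
    while pos < len(module):
        section_id, pos = module[pos], pos + 1
        size, pos = read_leb_u32(module, pos)
        if pos + size > len(module):
            raise ParseError(f"section {section_id} runs past end of module")
        body, pos = module[pos:pos + size], pos + size
        if section_id == SECTION_TYPE:
            sigs = parse_type_section(body)
        elif section_id == SECTION_TAG:   # the type section precedes it in a valid module
            tags = parse_tag_section(body, sigs)
    return tags

def validation_error(module):
    """Return the parser's rejection message, or None when the tags validate."""
    try:
        validate_exception_tags(module)
    except ParseError as err:
        return str(err)
    return None

def build_module(sigs, tag_type_indices):
    """Encode a constructed module (type + tag sections); all lengths are < 128, so one byte is valid LEB128."""
    type_body = bytes([len(sigs)])
    for params, results in sigs:
        type_body += bytes([FUNC_TYPE_PREFIX, len(params)]) + bytes(params)
        type_body += bytes([len(results)]) + bytes(results)
    tag_body = bytes([len(tag_type_indices)])
    for idx in tag_type_indices:
        tag_body += bytes([0, idx])                 # attribute 0, then the type index
    return WASM_MAGIC + WASM_VERSION + bytes([SECTION_TYPE, len(type_body)]) + type_body + bytes([SECTION_TAG, len(tag_body)]) + tag_body

# Constructed inputs: a valid tag, a tag whose type returns i32, and a tag with an out-of-range index.
GOOD = build_module([([I32], []), ([], [I32])], [0])
BAD_RETURN = build_module([([I32], []), ([], [I32])], [0, 1])
BAD_INDEX = build_module([([I32], [])], [0, 1])
```

`validate_exception_tags(GOOD)` returns `[0]`, while `validation_error(BAD_RETURN)` and `validation_error(BAD_INDEX)` return the two rejection messages. As in the hunk, the non-void check runs before the index is appended, so an invalid tag is never recorded; the bounds check must stay in front of it, since the void check indexes into the signature table.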