-rw-r--r--www/webkit-gtk/Makefile9
-rw-r--r--www/webkit-gtk/PLIST6
-rw-r--r--www/webkit-gtk/distinfo11
-rw-r--r--www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp96
4 files changed, 110 insertions, 12 deletions
diff --git a/www/webkit-gtk/Makefile b/www/webkit-gtk/Makefile
index ca79b6cd100..43b6eb4166d 100644
--- a/www/webkit-gtk/Makefile
+++ b/www/webkit-gtk/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.155 2018/12/14 15:51:13 leot Exp $
+# $NetBSD: Makefile,v 1.155.2.1 2019/03/06 13:43:24 bsiegert Exp $
-DISTNAME= webkitgtk-2.22.5
-PKGNAME= ${DISTNAME:S/webkitgtk/webkit-gtk/}
+DISTNAME= webkitgtk-2.22.6
PKGREVISION= 1
+PKGNAME= ${DISTNAME:S/webkitgtk/webkit-gtk/}
CATEGORIES= www
MASTER_SITES= https://www.webkitgtk.org/releases/
EXTRACT_SUFX= .tar.xz
@@ -24,7 +24,8 @@ USE_TOOLS+= automake bison flex gmake perl pkg-config msgfmt
# Enabling -gdwarf-2 hits GNU ar limits on file size.
CTF_SUPPORTED= no
-GCC_REQD+= 6
+GCC_REQD+= 6
+USE_GCC_RUNTIME= yes
# Using ld.gold subverts Pkgsrc wrappers, and this package also crashes buggy
# versions of ld.gold.
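Review bot: The added `USE_GCC_RUNTIME= yes` carries no comment, while every neighbouring non-default setting in this block (`CTF_SUPPORTED`, the ld.gold exclusion) explains why it is there. A one-line note would keep the next maintainer from dropping it on the next update, e.g. `# Link against the runtime of the pkgsrc gcc selected via GCC_REQD.` if that is indeed the reason; I cannot confirm the motivation from the hunk alone. The `GCC_REQD+= 6` line is removed and re-added with no visible difference, which is presumably a whitespace change and fine as is.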
diff --git a/www/webkit-gtk/PLIST b/www/webkit-gtk/PLIST
index 60432225976..4d6378a69cb 100644
--- a/www/webkit-gtk/PLIST
+++ b/www/webkit-gtk/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.45 2018/12/13 22:50:27 leot Exp $
+@comment $NetBSD: PLIST,v 1.45.2.1 2019/03/06 13:43:24 bsiegert Exp $
bin/WebKitWebDriver
include/webkitgtk-4.0/JavaScriptCore/JSBase.h
include/webkitgtk-4.0/JavaScriptCore/JSContextRef.h
@@ -208,10 +208,10 @@ ${PLIST.introspection}lib/girepository-1.0/WebKit2-4.0.typelib
${PLIST.introspection}lib/girepository-1.0/WebKit2WebExtension-4.0.typelib
lib/libjavascriptcoregtk-4.0.so
lib/libjavascriptcoregtk-4.0.so.18
-lib/libjavascriptcoregtk-4.0.so.18.11.6
+lib/libjavascriptcoregtk-4.0.so.18.11.7
lib/libwebkit2gtk-4.0.so
lib/libwebkit2gtk-4.0.so.37
-lib/libwebkit2gtk-4.0.so.37.33.6
+lib/libwebkit2gtk-4.0.so.37.33.7
lib/pkgconfig/javascriptcoregtk-4.0.pc
lib/pkgconfig/webkit2gtk-4.0.pc
lib/pkgconfig/webkit2gtk-web-extension-4.0.pc
diff --git a/www/webkit-gtk/distinfo b/www/webkit-gtk/distinfo
index 0d9a9ee6d9b..80dfa92e5eb 100644
--- a/www/webkit-gtk/distinfo
+++ b/www/webkit-gtk/distinfo
@@ -1,13 +1,14 @@
-$NetBSD: distinfo,v 1.114 2018/12/23 22:23:09 roy Exp $
+$NetBSD: distinfo,v 1.114.2.1 2019/03/06 13:43:24 bsiegert Exp $
-SHA1 (webkitgtk-2.22.5.tar.xz) = 809b067a1672a81a4ce31363a0872c668cc72953
-RMD160 (webkitgtk-2.22.5.tar.xz) = 6f251088424cfb2fc082a5625ba9f71fbc686759
-SHA512 (webkitgtk-2.22.5.tar.xz) = fcea9fab3d71869cc10e322b1b63864a9594624f6aa3e29efd8b47e5ca639145f8c2cdb299ecb51eadf3ac1238dac06b4b7ebe94969b2f61a21cea8b609007bc
-Size (webkitgtk-2.22.5.tar.xz) = 16774560 bytes
+SHA1 (webkitgtk-2.22.6.tar.xz) = 26a8f8951da03aa4dfc2c25257b6899ea3c2558f
+RMD160 (webkitgtk-2.22.6.tar.xz) = 4ddd00a0eed1e8122a71e070f1f6f5f49f59ca75
+SHA512 (webkitgtk-2.22.6.tar.xz) = 18f4a4c145b524bebf1eaae58057e1e6cb74ba5a162c5195f072ba25c4399e7749c74fe6f8e9351bb9f2630a2c43f59935943e5bb318a5c4977f727a68602709
+Size (webkitgtk-2.22.6.tar.xz) = 16773696 bytes
SHA1 (patch-CMakeLists.txt) = 93466370f447c6be9008512aa1fc2dc0bd2b843b
SHA1 (patch-Source_JavaScriptCore_assembler_ARM64Assembler.h) = a41e02c7a1f9bfb91a2af36ec0410e1bf2b9a745
SHA1 (patch-Source_JavaScriptCore_assembler_ARMAssembler.h) = bae08310572c2e23c69cbf6aa9760a67345dcfe3
SHA1 (patch-Source_JavaScriptCore_assembler_MacroAssemblerARM.cpp) = ab75ef8714e5071fcd094735717a2f5d0321c747
+SHA1 (patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp) = 802d83a69975d0754dfb6198488aacc7e3f04d83
SHA1 (patch-Source_JavaScriptCore_heap_MarkedSpace.cpp) = e6a23d5ef22bddd0a9606fb0e472960e4cf5673e
SHA1 (patch-Source_JavaScriptCore_jit_ExecutableAllocator.cpp) = 36d29a5db03c2413ae93224ac391f3ff248983e8
SHA1 (patch-Source_JavaScriptCore_offlineasm_arm64.rb) = 784baf6f3baba2986fbcb7aa10e7abed8f8c6336
diff --git a/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp b/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp
new file mode 100644
index 00000000000..ad5c6427090
--- /dev/null
+++ b/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp
@@ -0,0 +1,96 @@
+$NetBSD: patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp,v 1.2.2.2 2019/03/06 13:43:24 bsiegert Exp $
+
+Fix remote code execution in JavaScript. From upstream commit:
+
+From d51ece4028133113e9e5d0f2576ad23489801ddc Mon Sep 17 00:00:00 2001
+From: "mark.lam@apple.com"
+ <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date: Tue, 19 Feb 2019 02:32:10 +0000
+Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq
+ and CompareStrictEq nodes. https://bugs.webkit.org/show_bug.cgi?id=194800
+ <rdar://problem/48183773>
+
+Reviewed by Yusuke Suzuki.
+
+Fix doesGC() for the following nodes:
+
+ CompareEq:
+ CompareLess:
+ CompareLessEq:
+ CompareGreater:
+ CompareGreaterEq:
+ CompareStrictEq:
+ Only return false (i.e. does not GC) for child node use kinds that have
+ been vetted to not do anything that can GC. For all other use kinds
+ (including StringUse and BigIntUse), we return true (i.e. does GC).
+
+* dfg/DFGDoesGC.cpp:
+(JSC::DFG::doesGC):
+
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@241753 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+--- Source/JavaScriptCore/dfg/DFGDoesGC.cpp.orig 2019-02-08 16:17:00.000000000 +0000
++++ Source/JavaScriptCore/dfg/DFGDoesGC.cpp
+@@ -146,14 +146,8 @@ bool doesGC(Graph& graph, Node* node)
+ case RegExpTest:
+ case RegExpMatchFast:
+ case RegExpMatchFastGlobal:
+- case CompareLess:
+- case CompareLessEq:
+- case CompareGreater:
+- case CompareGreaterEq:
+ case CompareBelow:
+ case CompareBelowEq:
+- case CompareEq:
+- case CompareStrictEq:
+ case CompareEqPtr:
+ case SameValue:
+ case Call:
+@@ -374,6 +368,46 @@ bool doesGC(Graph& graph, Node* node)
+ case MapSet:
+ return true;
+
++ case CompareEq:
++ case CompareLess:
++ case CompareLessEq:
++ case CompareGreater:
++ case CompareGreaterEq:
++ if (node->isBinaryUseKind(Int32Use)
++#if USE(JSVALUE64)
++ || node->isBinaryUseKind(Int52RepUse)
++#endif
++ || node->isBinaryUseKind(DoubleRepUse)
++ || node->isBinaryUseKind(StringIdentUse)
++ )
++ return false;
++ if (node->op() == CompareEq) {
++ if (node->isBinaryUseKind(BooleanUse)
++ || node->isBinaryUseKind(SymbolUse)
++ || node->isBinaryUseKind(ObjectUse)
++ || node->isBinaryUseKind(ObjectUse, ObjectOrOtherUse) || node->isBinaryUseKind(ObjectOrOtherUse, ObjectUse))
++ return false;
++ }
++ return true;
++
++ case CompareStrictEq:
++ if (node->isBinaryUseKind(BooleanUse)
++ || node->isBinaryUseKind(Int32Use)
++#if USE(JSVALUE64)
++ || node->isBinaryUseKind(Int52RepUse)
++#endif
++ || node->isBinaryUseKind(DoubleRepUse)
++ || node->isBinaryUseKind(SymbolUse)
++ || node->isBinaryUseKind(SymbolUse, UntypedUse)
++ || node->isBinaryUseKind(UntypedUse, SymbolUse)
++ || node->isBinaryUseKind(StringIdentUse)
++ || node->isBinaryUseKind(ObjectUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, ObjectUse)
++ || node->isBinaryUseKind(ObjectUse)
++ || node->isBinaryUseKind(MiscUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, MiscUse)
++ || node->isBinaryUseKind(StringIdentUse, NotStringVarUse) || node->isBinaryUseKind(NotStringVarUse, StringIdentUse))
++ return false;
++ return true;
++
+ case GetIndexedPropertyStorage:
+ if (node->arrayMode().type() == Array::String)
+ return true;
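Review bot: The patch header (the "Fix remote code execution in JavaScript." line) names the upstream svn revision and bugs.webkit.org id but not the vendor security advisory, which is what downstream users and vulnerability scanners key on; if a WebKitGTK advisory covers this fix, add it as `Fix remote code execution in JavaScript (see WebKitGTK advisory <ADVISORY-ID — fill in>).`. The body of the patch mirrors upstream r241753 and should stay byte-identical to it so that future rebases against 2.22.x and later releases remain mechanical, so the duplicated use-kind lists under `CompareEq` and `CompareStrictEq` should not be restyled locally. It is worth stating in the header that the security-relevant direction of the change is the default: the comparison nodes now report `true` (may GC) unless the use kind is on the vetted list, so adding a use kind to either list without checking the corresponding speculative JIT path reintroduces the same class of bug. The enclosing `doesGC(Graph&, Node*)` begins and ends outside the hunk.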