-rw-r--r-- | www/webkit-gtk/Makefile | 9 | ||||
-rw-r--r-- | www/webkit-gtk/PLIST | 6 | ||||
-rw-r--r-- | www/webkit-gtk/distinfo | 11 | ||||
-rw-r--r-- | www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp | 96 |
4 files changed, 110 insertions, 12 deletions
diff --git a/www/webkit-gtk/Makefile b/www/webkit-gtk/Makefile
index ca79b6cd100..43b6eb4166d 100644
--- a/www/webkit-gtk/Makefile
+++ b/www/webkit-gtk/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.155 2018/12/14 15:51:13 leot Exp $
+# $NetBSD: Makefile,v 1.155.2.1 2019/03/06 13:43:24 bsiegert Exp $
-DISTNAME= webkitgtk-2.22.5
-PKGNAME= ${DISTNAME:S/webkitgtk/webkit-gtk/}
+DISTNAME= webkitgtk-2.22.6
 PKGREVISION= 1
+PKGNAME= ${DISTNAME:S/webkitgtk/webkit-gtk/}
 CATEGORIES= www
 MASTER_SITES= https://www.webkitgtk.org/releases/
 EXTRACT_SUFX= .tar.xz
@@ -24,7 +24,8 @@ USE_TOOLS+= automake bison flex gmake perl pkg-config msgfmt
 # Enabling -gdwarf-2 hits GNU ar limits on file size.
 CTF_SUPPORTED= no
-GCC_REQD+= 6
+GCC_REQD+= 6
+USE_GCC_RUNTIME= yes
 # Using ld.gold subverts Pkgsrc wrappers, and this package also crashes buggy
 # versions of ld.gold.
diff --git a/www/webkit-gtk/PLIST b/www/webkit-gtk/PLIST
index 60432225976..4d6378a69cb 100644
--- a/www/webkit-gtk/PLIST
+++ b/www/webkit-gtk/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.45 2018/12/13 22:50:27 leot Exp $
+@comment $NetBSD: PLIST,v 1.45.2.1 2019/03/06 13:43:24 bsiegert Exp $
 bin/WebKitWebDriver
 include/webkitgtk-4.0/JavaScriptCore/JSBase.h
 include/webkitgtk-4.0/JavaScriptCore/JSContextRef.h
@@ -208,10 +208,10 @@ ${PLIST.introspection}lib/girepository-1.0/WebKit2-4.0.typelib
 ${PLIST.introspection}lib/girepository-1.0/WebKit2WebExtension-4.0.typelib
 lib/libjavascriptcoregtk-4.0.so
 lib/libjavascriptcoregtk-4.0.so.18
-lib/libjavascriptcoregtk-4.0.so.18.11.6
+lib/libjavascriptcoregtk-4.0.so.18.11.7
 lib/libwebkit2gtk-4.0.so
 lib/libwebkit2gtk-4.0.so.37
-lib/libwebkit2gtk-4.0.so.37.33.6
+lib/libwebkit2gtk-4.0.so.37.33.7
 lib/pkgconfig/javascriptcoregtk-4.0.pc
 lib/pkgconfig/webkit2gtk-4.0.pc
 lib/pkgconfig/webkit2gtk-web-extension-4.0.pc
diff --git a/www/webkit-gtk/distinfo b/www/webkit-gtk/distinfo
index 0d9a9ee6d9b..80dfa92e5eb 100644
--- a/www/webkit-gtk/distinfo
+++ b/www/webkit-gtk/distinfo
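Review bot: `PKGREVISION= 1` survives as an unchanged context line while `DISTNAME` moves from webkitgtk-2.22.5 to webkitgtk-2.22.6 in the first Makefile hunk, so the package will be named webkit-gtk-2.22.6nb1 rather than webkit-gtk-2.22.6. The usual pkgsrc convention is to drop PKGREVISION whenever DISTNAME changes, and a stale revision makes it harder for downstream users to tell from the package name whether they have the security fix carried by the new DFGDoesGC patch. If the revision is being kept on purpose, presumably for the `USE_GCC_RUNTIME= yes` addition in the second hunk, a one-line comment next to it such as `# PKGREVISION kept for USE_GCC_RUNTIME (runtime libs now packaged)` would stop the next updater from silently removing it; otherwise delete the `PKGREVISION= 1` line.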
@@ -1,13 +1,14 @@
-$NetBSD: distinfo,v 1.114 2018/12/23 22:23:09 roy Exp $
+$NetBSD: distinfo,v 1.114.2.1 2019/03/06 13:43:24 bsiegert Exp $
-SHA1 (webkitgtk-2.22.5.tar.xz) = 809b067a1672a81a4ce31363a0872c668cc72953
-RMD160 (webkitgtk-2.22.5.tar.xz) = 6f251088424cfb2fc082a5625ba9f71fbc686759
-SHA512 (webkitgtk-2.22.5.tar.xz) = fcea9fab3d71869cc10e322b1b63864a9594624f6aa3e29efd8b47e5ca639145f8c2cdb299ecb51eadf3ac1238dac06b4b7ebe94969b2f61a21cea8b609007bc
-Size (webkitgtk-2.22.5.tar.xz) = 16774560 bytes
+SHA1 (webkitgtk-2.22.6.tar.xz) = 26a8f8951da03aa4dfc2c25257b6899ea3c2558f
+RMD160 (webkitgtk-2.22.6.tar.xz) = 4ddd00a0eed1e8122a71e070f1f6f5f49f59ca75
+SHA512 (webkitgtk-2.22.6.tar.xz) = 18f4a4c145b524bebf1eaae58057e1e6cb74ba5a162c5195f072ba25c4399e7749c74fe6f8e9351bb9f2630a2c43f59935943e5bb318a5c4977f727a68602709
+Size (webkitgtk-2.22.6.tar.xz) = 16773696 bytes
 SHA1 (patch-CMakeLists.txt) = 93466370f447c6be9008512aa1fc2dc0bd2b843b
 SHA1 (patch-Source_JavaScriptCore_assembler_ARM64Assembler.h) = a41e02c7a1f9bfb91a2af36ec0410e1bf2b9a745
 SHA1 (patch-Source_JavaScriptCore_assembler_ARMAssembler.h) = bae08310572c2e23c69cbf6aa9760a67345dcfe3
 SHA1 (patch-Source_JavaScriptCore_assembler_MacroAssemblerARM.cpp) = ab75ef8714e5071fcd094735717a2f5d0321c747
+SHA1 (patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp) = 802d83a69975d0754dfb6198488aacc7e3f04d83
 SHA1 (patch-Source_JavaScriptCore_heap_MarkedSpace.cpp) = e6a23d5ef22bddd0a9606fb0e472960e4cf5673e
 SHA1 (patch-Source_JavaScriptCore_jit_ExecutableAllocator.cpp) = 36d29a5db03c2413ae93224ac391f3ff248983e8
 SHA1 (patch-Source_JavaScriptCore_offlineasm_arm64.rb) = 784baf6f3baba2986fbcb7aa10e7abed8f8c6336
diff --git a/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp b/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp
new file mode 100644
index 00000000000..ad5c6427090
--- /dev/null
+++ b/www/webkit-gtk/patches/patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp
@@ -0,0 +1,96 @@
+$NetBSD: patch-Source_JavaScriptCore_dfg_DFGDoesGC.cpp,v 1.2.2.2 2019/03/06 13:43:24 bsiegert Exp $
+
+Fix remote code execution in JavaScript. From upstream commit:
+
+From d51ece4028133113e9e5d0f2576ad23489801ddc Mon Sep 17 00:00:00 2001
+From: "mark.lam@apple.com"
+ <mark.lam@apple.com@268f45cc-cd09-0410-ab3c-d52691b4dbfc>
+Date: Tue, 19 Feb 2019 02:32:10 +0000
+Subject: [PATCH] Fix DFG doesGC() for CompareEq/Less/LessEq/Greater/GreaterEq
+ and CompareStrictEq nodes. https://bugs.webkit.org/show_bug.cgi?id=194800
+ <rdar://problem/48183773>
+
+Reviewed by Yusuke Suzuki.
+
+Fix doesGC() for the following nodes:
+
+ CompareEq:
+ CompareLess:
+ CompareLessEq:
+ CompareGreater:
+ CompareGreaterEq:
+ CompareStrictEq:
+ Only return false (i.e. does not GC) for child node use kinds that have
+ been vetted to not do anything that can GC. For all other use kinds
+ (including StringUse and BigIntUse), we return true (i.e. does GC).
+
+* dfg/DFGDoesGC.cpp:
+(JSC::DFG::doesGC):
+
+
+git-svn-id: http://svn.webkit.org/repository/webkit/trunk@241753 268f45cc-cd09-0410-ab3c-d52691b4dbfc
+
+--- Source/JavaScriptCore/dfg/DFGDoesGC.cpp.orig 2019-02-08 16:17:00.000000000 +0000
++++ Source/JavaScriptCore/dfg/DFGDoesGC.cpp
+@@ -146,14 +146,8 @@ bool doesGC(Graph& graph, Node* node)
+ case RegExpTest:
+ case RegExpMatchFast:
+ case RegExpMatchFastGlobal:
+- case CompareLess:
+- case CompareLessEq:
+- case CompareGreater:
+- case CompareGreaterEq:
+ case CompareBelow:
+ case CompareBelowEq:
+- case CompareEq:
+- case CompareStrictEq:
+ case CompareEqPtr:
+ case SameValue:
+ case Call:
+@@ -374,6 +368,46 @@ bool doesGC(Graph& graph, Node* node)
+ case MapSet:
+ return true;
+ 
++ case CompareEq:
++ case CompareLess:
++ case CompareLessEq:
++ case CompareGreater:
++ case CompareGreaterEq:
++ if (node->isBinaryUseKind(Int32Use)
++#if USE(JSVALUE64)
++ || node->isBinaryUseKind(Int52RepUse)
++#endif
++ || node->isBinaryUseKind(DoubleRepUse)
++ || node->isBinaryUseKind(StringIdentUse)
++ )
++ return false;
++ if (node->op() == CompareEq) {
++ if (node->isBinaryUseKind(BooleanUse)
++ || node->isBinaryUseKind(SymbolUse)
++ || node->isBinaryUseKind(ObjectUse)
++ || node->isBinaryUseKind(ObjectUse, ObjectOrOtherUse) || node->isBinaryUseKind(ObjectOrOtherUse, ObjectUse))
++ return false;
++ }
++ return true;
++
++ case CompareStrictEq:
++ if (node->isBinaryUseKind(BooleanUse)
++ || node->isBinaryUseKind(Int32Use)
++#if USE(JSVALUE64)
++ || node->isBinaryUseKind(Int52RepUse)
++#endif
++ || node->isBinaryUseKind(DoubleRepUse)
++ || node->isBinaryUseKind(SymbolUse)
++ || node->isBinaryUseKind(SymbolUse, UntypedUse)
++ || node->isBinaryUseKind(UntypedUse, SymbolUse)
++ || node->isBinaryUseKind(StringIdentUse)
++ || node->isBinaryUseKind(ObjectUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, ObjectUse)
++ || node->isBinaryUseKind(ObjectUse)
++ || node->isBinaryUseKind(MiscUse, UntypedUse) || node->isBinaryUseKind(UntypedUse, MiscUse)
++ || node->isBinaryUseKind(StringIdentUse, NotStringVarUse) || node->isBinaryUseKind(NotStringVarUse, StringIdentUse))
++ return false;
++ return true;
++
+ case GetIndexedPropertyStorage:
+ if (node->arrayMode().type() == Array::String)
+ return true;
|
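Review bot: The new patch file's header says what upstream change it carries (trunk@241753 / d51ece40) but not when the package can stop carrying it, which is the information the next updater of this Makefile needs; a line after "Fix remote code execution in JavaScript." such as `Backport of upstream r241753; drop this patch once DISTNAME is a release that already contains it.` would make that explicit. The header also lists the affected nodes but not the defensive rule the new code implements, so a sentence in the header stating that any use kind not explicitly listed in the new CompareEq/CompareStrictEq cases now falls through to `return true` (conservatively assumed to allocate) would help anyone re-vetting the list against a later upstream. The enclosing `doesGC()` function starts and ends outside both inner hunks, and the distinfo SHA1 for this file must be regenerated if the header text is edited.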