From: Justin Michaud
Date: Fri, 21 Jul 2023 09:24:47 +0000 (+0100)
Subject: Fix CVE-2023-37450
X-Git-Tag: archive/raspbian/2.40.3-2_deb12u2+rpi1^2~1
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=7f68f2435aac2d95a1cc0ca20d3058bd352301ee;p=webkit2gtk.git
Fix CVE-2023-37450
Origin: https://github.com/WebKit/WebKit/commit/4f99c0670d2d91dbc51725a7af6909e186db1b07
===================================================================
Gbp-Pq: Name fix-CVE-2023-37450.patch
---
diff --git a/Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h b/Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h
index 704ebe7115..122ad39981 100644
--- a/Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h
+++ b/Source/JavaScriptCore/dfg/DFGPreciseLocalClobberize.h
@@ -191,13 +191,19 @@ private:
 case CreateRest: {
 bool isForwardingNode = false;
 bool isPhantomNode = false;
+ bool mayReadArguments = false;
 switch (m_node->op()) {
 case ForwardVarargs:
+ // This is used iff allInlineFramesAreTailCalls, so we will
+ // actually do a real tail call and destroy our frame.
+ case TailCallForwardVarargs:
+ isForwardingNode = true;
+ break;
 case CallForwardVarargs:
 case ConstructForwardVarargs:
- case TailCallForwardVarargs:
 case TailCallForwardVarargsInlinedCaller:
 isForwardingNode = true;
+ mayReadArguments = true;
 break;
 case PhantomDirectArguments:
 case PhantomClonedArguments:
@@ -209,7 +215,10 @@ private:
 if (isPhantomNode && m_graph.m_plan.isFTL())
 break;
-
+
+ if (mayReadArguments)
+ readWorld(m_node);
+
 if (isForwardingNode && m_node->hasArgumentsChild() && m_node->argumentsChild() && (m_node->argumentsChild()->op() == PhantomNewArrayWithSpread || m_node->argumentsChild()->op() == PhantomSpread)) {
 if (m_node->argumentsChild()->op() == PhantomNewArrayWithSpread)
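Review bot: The new comment in the first hunk is placed between `case ForwardVarargs:` and `case TailCallForwardVarargs:`, so it reads as if it justified both labels, yet it only explains the tail-call one, and the invariant it relies on (`allInlineFramesAreTailCalls`) is not checked anywhere in the hunk. Suggest moving the comment above `case ForwardVarargs:` and stating the reason each label is exempt from `mayReadArguments` — if `ForwardVarargs` is exempt for a different reason than the tail call destroying the frame, say so explicitly; if the invariant is reachable from this node, an ASSERT on it would pin the assumption instead of leaving it to the comment. The declaration of `mayReadArguments` also deserves a one-line note tying it to its only consumer in the second hunk, e.g. `// Forwarding nodes that keep the current frame alive are conservatively treated as reading all of it (readWorld below).`. The enclosing `switch`/`case CreateRest:` block starts before this hunk and continues past it, and the second hunk is cut off at the end of the page.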