File webkit2gtk3-CVE-2024-44308.patch of Package webkit2gtk3.36439

From 53e7f27d262249310bd6b7ad452e7df334c92b7d Mon Sep 17 00:00:00 2001
From: Daniel Liu <danlliu@umich.edu>
Date: Wed, 13 Nov 2024 12:27:15 -0800
Subject: [PATCH] Cherry-pick ded4d02c0a93.
 https://bugs.webkit.org/show_bug.cgi?id=283063

Don't allocate DFG register after a slow path
https://bugs.webkit.org/show_bug.cgi?id=283063
rdar://139747120

Reviewed by Yusuke Suzuki.

Allocating a DFG register after a slow path means that if the slow path
is taken, we end up with an incorrect global state.

* Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp:
(JSC::DFG::SpeculativeJIT::compilePutByValForIntTypedArray):

Canonical link: https://commits.webkit.org/282416.295@webkitglib/2.46
---
 Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
index 356d52b21a12..d041b63e8ba9 100644
--- a/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
+++ b/Source/JavaScriptCore/dfg/DFGSpeculativeJIT.cpp
@@ -3528,6 +3528,14 @@ void SpeculativeJIT::compilePutByValForIntTypedArray(Node* node, TypedArrayType
         }
     }
 
+    GPRReg scratch2GPR = InvalidGPRReg;
+#if USE(JSVALUE64)
+    if (node->arrayMode().mayBeResizableOrGrowableSharedTypedArray()) {
+        scratch2.emplace(this);
+        scratch2GPR = scratch2->gpr();
+    }
+#endif
+
     bool result = getIntTypedArrayStoreOperand(
         value, propertyReg,
 #if USE(JSVALUE32_64)
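Review bot: The added scratch2 allocation carries no comment saying why it must now precede the getIntTypedArrayStoreOperand() call, so a later cleanup could move it back down beside the valueGPR/scratchGPR setup where it used to sit and silently reintroduce the bug. The helper presumably emits the slow path (the early `return;` just above the removed block in the second hunk suggests it can bail out), and a temporary allocated after that point is missing from the allocator state the slow path was generated with, which is what the commit message calls an incorrect global state. I would put above `GPRReg scratch2GPR = InvalidGPRReg;` the comment `// Allocate before getIntTypedArrayStoreOperand(): it can emit a slow path, and a register allocated after that is not part of the state the slow path was generated with (bug 283063).` The second hunk is only the matching removal and needs nothing further. compilePutByValForIntTypedArray begins and ends outside both hunks.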
@@ -3539,14 +3547,6 @@ void SpeculativeJIT::compilePutByValForIntTypedArray(Node* node, TypedArrayType
         return;
     }
 
-    GPRReg scratch2GPR = InvalidGPRReg;
-#if USE(JSVALUE64)
-    if (node->arrayMode().mayBeResizableOrGrowableSharedTypedArray()) {
-        scratch2.emplace(this);
-        scratch2GPR = scratch2->gpr();
-    }
-#endif
-
     GPRReg valueGPR = value.gpr();
     GPRReg scratchGPR = scratch.gpr();
 #if USE(JSVALUE32_64)
-- 
2.47.0
