new file mode 100644
@@ -0,0 +1,104 @@
+From 8747a631dff858a27ab1a75edb7f21658c2962e2 Mon Sep 17 00:00:00 2001
+From: Yogita Urade <yogita.urade@windriver.com>
+Date: Fri, 2 Jun 2023 10:22:34 +0000
+Subject: [PATCH] RenderElement::updateFillImages should take pointer arguments
+ like other similar functions https://bugs.webkit.org/show_bug.cgi?id=247317
+ rdar://100273147
+
+Reviewed by Alan Baradlay.
+
+* Source/WebCore/rendering/RenderElement.cpp:
+(WebCore::RenderElement::updateFillImages):
+(WebCore::RenderElement::styleDidChange):
+* Source/WebCore/rendering/RenderElement.h:
+
+Canonical link: https://commits.webkit.org/256215@main
+
+CVE: CVE-2022-42867
+
+Upstream-Status: Backport
+[https://github.com/WebKit/WebKit/commit/091a04e55c801ac6ba13f4b328fbee2eece853fc]
+
+Signed-off-by: Yogita Urade <yogita.urade@windriver.com>
+---
+ Source/WebCore/rendering/RenderElement.cpp | 27 ++++++++++++++--------
+ Source/WebCore/rendering/RenderElement.h | 2 +-
+ 2 files changed, 19 insertions(+), 10 deletions(-)
+
+diff --git a/Source/WebCore/rendering/RenderElement.cpp b/Source/WebCore/rendering/RenderElement.cpp
+index da43bf3d..eb0a9b4c 100644
+--- a/Source/WebCore/rendering/RenderElement.cpp
++++ b/Source/WebCore/rendering/RenderElement.cpp
+@@ -358,7 +358,7 @@ inline bool RenderElement::shouldRepaintForStyleDifference(StyleDifference diff)
+ return diff == StyleDifference::Repaint || (diff == StyleDifference::RepaintIfTextOrBorderOrOutline && hasImmediateNonWhitespaceTextChildOrBorderOrOutline());
+ }
+
+-void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer& newLayers)
++void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer* newLayers)
+ {
+ auto fillImagesAreIdentical = [](const FillLayer* layer1, const FillLayer* layer2) -> bool {
+ if (layer1 == layer2)
+@@ -379,7 +379,7 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
+ };
+
+ auto isRegisteredWithNewFillImages = [&]() -> bool {
+- for (auto* layer = &newLayers; layer; layer = layer->next()) {
++ for (auto* layer = newLayers; layer; layer = layer->next()) {
+ if (layer->image() && !layer->image()->hasClient(*this))
+ return false;
+ }
+@@ -388,11 +388,11 @@ void RenderElement::updateFillImages(const FillLayer* oldLayers, const FillLayer
+
+ // If images have the same characteristics and this element is already registered as a
+ // client to the new images, there is nothing to do.
+- if (fillImagesAreIdentical(oldLayers, &newLayers) && isRegisteredWithNewFillImages())
++ if (fillImagesAreIdentical(oldLayers, newLayers) && isRegisteredWithNewFillImages())
+ return;
+
+ // Add before removing, to avoid removing all clients of an image that is in both sets.
+- for (auto* layer = &newLayers; layer; layer = layer->next()) {
++ for (auto* layer = newLayers; layer; layer = layer->next()) {
+ if (layer->image())
+ layer->image()->addClient(*this);
+ }
+@@ -937,11 +937,20 @@ static inline bool areCursorsEqual(const RenderStyle* a, const RenderStyle* b)
+
+ void RenderElement::styleDidChange(StyleDifference diff, const RenderStyle* oldStyle)
+ {
+- updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, m_style.backgroundLayers());
+- updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, m_style.maskLayers());
+- updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, m_style.borderImage().image());
+- updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, m_style.maskBoxImage().image());
+- updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, m_style.shapeOutside());
++ auto registerImages = [this](auto* style, auto* oldStyle) {
++ if (!style && !oldStyle)
++ return;
++ updateFillImages(oldStyle ? &oldStyle->backgroundLayers() : nullptr, style ? &style->backgroundLayers() : nullptr);
++ updateFillImages(oldStyle ? &oldStyle->maskLayers() : nullptr, style ? &style->maskLayers() : nullptr);
++ updateImage(oldStyle ? oldStyle->borderImage().image() : nullptr, style ? style->borderImage().image() : nullptr);
++ updateImage(oldStyle ? oldStyle->maskBoxImage().image() : nullptr, style ? style->maskBoxImage().image() : nullptr);
++ updateShapeImage(oldStyle ? oldStyle->shapeOutside() : nullptr, style ? style->shapeOutside() : nullptr);
++ };
++
++ registerImages(&style(), oldStyle);
++
++ // Are there other pseudo-elements that need the resources to be registered?
++ registerImages(style().getCachedPseudoStyle(PseudoId::FirstLine), oldStyle ? oldStyle->getCachedPseudoStyle(PseudoId::FirstLine) : nullptr);
+
+ SVGRenderSupport::styleChanged(*this, oldStyle);
+
+diff --git a/Source/WebCore/rendering/RenderElement.h b/Source/WebCore/rendering/RenderElement.h
+index f376cecb..d6ba2cdf 100644
+--- a/Source/WebCore/rendering/RenderElement.h
++++ b/Source/WebCore/rendering/RenderElement.h
+@@ -349,7 +349,7 @@ private:
+ bool shouldRepaintForStyleDifference(StyleDifference) const;
+ bool hasImmediateNonWhitespaceTextChildOrBorderOrOutline() const;
+
+- void updateFillImages(const FillLayer*, const FillLayer&);
++ void updateFillImages(const FillLayer*, const FillLayer*);
+ void updateImage(StyleImage*, StyleImage*);
+ void updateShapeImage(const ShapeValue*, const ShapeValue*);
+
+--
+2.35.5
@@ -17,6 +17,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
file://0001-When-building-introspection-files-do-not-quote-CFLAG.patch \
file://CVE-2022-32888.patch \
file://CVE-2022-32923.patch \
+ file://CVE-2022-42867.patch \
"
SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"
A use after free issue was addressed with improved memory management. This issue is fixed in Safari 16.2, tvOS 16.2, macOS Ventura 13.1, iOS 16.2 and iPadOS 16.2, watchOS 9.2. Processing maliciously crafted web content may lead to arbitrary code execution. Reference: https://nvd.nist.gov/vuln/detail/CVE-2022-42867 https://support.apple.com/en-us/HT213537 Signed-off-by: Yogita Urade <yogita.urade@windriver.com> --- .../webkit/webkitgtk/CVE-2022-42867.patch | 104 ++++++++++++++++++ meta/recipes-sato/webkit/webkitgtk_2.36.8.bb | 1 + 2 files changed, 105 insertions(+) create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2022-42867.patch