authorIonen Wolkens <ionen@gentoo.org>2025-06-05 03:50:47 -0400
committerIonen Wolkens <ionen@gentoo.org>2025-06-05 04:26:13 -0400
commit94676230c246ba7f32acd763397dd702f3a369d0 (patch)
tree15b4b1ab712e43f6e70a4fa553b4c89df1f9e1ac /dev-qt/qtwebengine/files
parent97f7ddf6867fd6b950ac7c4ba8deeb8900e28651 (diff)
dev-qt/qtwebengine: backport CVE-2025-5419 fix
Not the only issue, but this one is known to be exploited in the wild, giving it higher priority (the rest will likely wait until Qt 6.9.2 as usual).

Bug: https://bugs.gentoo.org/957076
Signed-off-by: Ionen Wolkens <ionen@gentoo.org>
Diffstat (limited to 'dev-qt/qtwebengine/files')
-rw-r--r--dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch36
1 files changed, 36 insertions, 0 deletions
diff --git a/dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch b/dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch
new file mode 100644
index 000000000000..f42c854f46ca
--- /dev/null
+++ b/dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch
@@ -0,0 +1,36 @@
+https://bugs.gentoo.org/957076
+https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/650558
+--- a/src/3rdparty/chromium/v8/src/compiler/turboshaft/store-store-elimination-reducer-inl.h
++++ b/src/3rdparty/chromium/v8/src/compiler/turboshaft/store-store-elimination-reducer-inl.h
+@@ -325,8 +325,9 @@
+ // access once available.
+ const bool is_on_heap_store = store.kind.tagged_base;
+- const bool is_field_store = !store.index().valid();
++ const bool is_fixed_offset_store = !store.index().valid();
+ const uint8_t size = store.stored_rep.SizeInBytes();
+- // For now we consider only stores of fields of objects on the heap.
+- if (is_on_heap_store && is_field_store) {
++ // For now we consider only stores of fixed offsets of objects on the
++ // heap.
++ if (is_on_heap_store && is_fixed_offset_store) {
+ bool is_eliminable_store = false;
+ switch (table_.GetObservability(store.base(), store.offset, size)) {
+@@ -415,9 +416,14 @@
+ // access once available.
+ const bool is_on_heap_load = load.kind.tagged_base;
+- const bool is_field_load = !load.index().valid();
++ const bool is_fixed_offset_load = !load.index().valid();
+ // For now we consider only loads of fields of objects on the heap.
+- if (is_on_heap_load && is_field_load) {
+- table_.MarkPotentiallyAliasingStoresAsObservable(load.base(),
+- load.offset);
++ if (is_on_heap_load) {
++ if (is_fixed_offset_load) {
++ table_.MarkPotentiallyAliasingStoresAsObservable(load.base(),
++ load.offset);
++ } else {
++ // A dynamically indexed load might alias any fixed offset.
++ table_.MarkAllStoresAsObservable();
++ }
+ }
+ break;
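Review bot: The load-side comment kept unchanged at `+ // For now we consider only loads of fields of objects on the heap.` is stale after this patch: the branch directly below it now handles both fixed-offset loads and dynamically indexed loads, and the matching store-side comment in the first hunk was already reworded to "fixed offsets". A replacement that matches what the code now does would be `// Fixed-offset loads mark only potentially aliasing stores as observable; a dynamically indexed load may alias any fixed offset, so it marks all stores observable.`. Since this file is vendored Chromium/V8 carried as a distro patch, that wording fix belongs with the upstream change linked at the top of the patch rather than in a Gentoo-local edit; it would also help reviewers of the ebuild to note in the patch header that the second hunk (the `else` branch calling `MarkAllStoresAsObservable()`) is the behavioral change, while the first hunk is a rename only. Both inner hunks are cut mid-function: the enclosing reducer method starts and ends outside what the patch shows, so whether other load kinds reach this `switch` cannot be judged from here.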