Diffstat (limited to 'dev-qt/qtwebengine')
-rw-r--r--dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch36
-rw-r--r--dev-qt/qtwebengine/qtwebengine-6.9.1-r1.ebuild (renamed from dev-qt/qtwebengine/qtwebengine-6.9.1.ebuild)1
2 files changed, 37 insertions, 0 deletions
diff --git a/dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch b/dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch
new file mode 100644
index 000000000000..f42c854f46ca
--- /dev/null
+++ b/dev-qt/qtwebengine/files/qtwebengine-6.9.1-CVE-2025-5419.patch
@@ -0,0 +1,36 @@
+https://bugs.gentoo.org/957076
+https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/650558
+--- a/src/3rdparty/chromium/v8/src/compiler/turboshaft/store-store-elimination-reducer-inl.h
++++ b/src/3rdparty/chromium/v8/src/compiler/turboshaft/store-store-elimination-reducer-inl.h
+@@ -325,8 +325,9 @@
+ // access once available.
+ const bool is_on_heap_store = store.kind.tagged_base;
+- const bool is_field_store = !store.index().valid();
++ const bool is_fixed_offset_store = !store.index().valid();
+ const uint8_t size = store.stored_rep.SizeInBytes();
+- // For now we consider only stores of fields of objects on the heap.
+- if (is_on_heap_store && is_field_store) {
++ // For now we consider only stores of fixed offsets of objects on the
++ // heap.
++ if (is_on_heap_store && is_fixed_offset_store) {
+ bool is_eliminable_store = false;
+ switch (table_.GetObservability(store.base(), store.offset, size)) {
+@@ -415,9 +416,14 @@
+ // access once available.
+ const bool is_on_heap_load = load.kind.tagged_base;
+- const bool is_field_load = !load.index().valid();
++ const bool is_fixed_offset_load = !load.index().valid();
+ // For now we consider only loads of fields of objects on the heap.
+- if (is_on_heap_load && is_field_load) {
+- table_.MarkPotentiallyAliasingStoresAsObservable(load.base(),
+- load.offset);
++ if (is_on_heap_load) {
++ if (is_fixed_offset_load) {
++ table_.MarkPotentiallyAliasingStoresAsObservable(load.base(),
++ load.offset);
++ } else {
++ // A dynamically indexed load might alias any fixed offset.
++ table_.MarkAllStoresAsObservable();
++ }
+ }
+ break;
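Review bot: The header of the new patch file gives only the two URLs, so someone reading the ebuild cannot tell what the fix changes or when it can be dropped. I would add a line below them such as `Backport: treat dynamically indexed heap loads as observing all tracked stores in store-store elimination; drop once the bundled chromium includes it.` In the second embedded hunk the retained comment `// For now we consider only loads of fields of objects on the heap.` no longer describes the code, because `if (is_on_heap_load)` now also covers indexed loads via `table_.MarkAllStoresAsObservable()`. Since this appears to be a verbatim backport, that is better reported upstream than edited here. Both embedded hunks start and end inside a function body that is not visible.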
diff --git a/dev-qt/qtwebengine/qtwebengine-6.9.1.ebuild b/dev-qt/qtwebengine/qtwebengine-6.9.1-r1.ebuild
index 02532f6ac935..2c63e4e725dc 100644
--- a/dev-qt/qtwebengine/qtwebengine-6.9.1.ebuild
+++ b/dev-qt/qtwebengine/qtwebengine-6.9.1-r1.ebuild
@@ -110,6 +110,7 @@ PATCHES=( "${WORKDIR}"/patches/${PN} )
PATCHES+=(
# add extras as needed here, may merge in set if carries across versions
"${FILESDIR}"/${PN}-6.8.3-gperf3.2.patch
+ "${FILESDIR}"/${PN}-6.9.1-CVE-2025-5419.patch
)
python_check_deps() {