qt6-webengine/CVE-2022-1096-qtwebengine-6.2.patch

From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Tue, 29 Mar 2022 17:31:58 +0200
Subject: [Backport] CVE-2022-1096

[runtime] Fix handling of interceptors

--- a/src/3rdparty/chromium/v8/src/objects/objects.cc
+++ b/src/3rdparty/chromium/v8/src/objects/objects.cc
@@ -2513,6 +2513,12 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
           Maybe<bool> result =
               JSObject::SetPropertyWithInterceptor(it, should_throw, value);
           if (result.IsNothing() || result.FromJust()) return result;
+          // Assuming that the callback have side effects, we use
+          // Object::SetSuperProperty() which works properly regardless on
+          // whether the property was present on the receiver or not when
+          // storing to the receiver.
+          // Proceed lookup from the next state.
+          it->Next();
         } else {
           Maybe<PropertyAttributes> maybe_attributes =
               JSObject::GetPropertyAttributesWithInterceptor(it);
@@ -2533,10 +2539,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
             // property to the receiver.
             it->NotFound();
           }
-          return Object::SetSuperProperty(it, value, store_origin,
-                                          should_throw);
         }
-        break;
+        return Object::SetSuperProperty(it, value, store_origin, should_throw);
       }

       case LookupIterator::ACCESSOR: {
Accepting request 966949 from KDE:Qt:6.2 - Add security fixes: * CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971, boo#1197163) * CVE-2022-1096-qtwebengine-5.15.patch (CVE-2022-1096, boo#1197552) OBS-URL: https://build.opensuse.org/request/show/966949 OBS-URL: https://build.opensuse.org/package/show/KDE:Qt6/qt6-webengine?expand=0&rev=9 2022-04-05 07:50:17 +00:00			`From: Allan Sandfeld Jensen <allan.jensen@qt.io>`
			`Date: Tue, 29 Mar 2022 17:31:58 +0200`
			`Subject: [Backport] CVE-2022-1096`

			`[runtime] Fix handling of interceptors`

			`--- a/src/3rdparty/chromium/v8/src/objects/objects.cc`
			`+++ b/src/3rdparty/chromium/v8/src/objects/objects.cc`
			`@@ -2513,6 +2513,12 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,`
			`Maybe<bool> result =`
			`JSObject::SetPropertyWithInterceptor(it, should_throw, value);`
			`if (result.IsNothing() \|\| result.FromJust()) return result;`
			`+ // Assuming that the callback have side effects, we use`
			`+ // Object::SetSuperProperty() which works properly regardless on`
			`+ // whether the property was present on the receiver or not when`
			`+ // storing to the receiver.`
			`+ // Proceed lookup from the next state.`
			`+ it->Next();`
			`} else {`
			`Maybe<PropertyAttributes> maybe_attributes =`
			`JSObject::GetPropertyAttributesWithInterceptor(it);`
			`@@ -2533,10 +2539,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,`
			`// property to the receiver.`
			`it->NotFound();`
			`}`
			`- return Object::SetSuperProperty(it, value, store_origin,`
			`- should_throw);`
			`}`
			`- break;`
			`+ return Object::SetSuperProperty(it, value, store_origin, should_throw);`
			`}`

			`case LookupIterator::ACCESSOR: {`