
[mickledore,3/9] webkitgtk: fix CVE-2023-32439

Message ID 71edb4ec115208950ae5da5305b5fd75823121ec.1694179812.git.steve@sakoman.com
State New
Series [mickledore,1/9] libssh2: fix CVE-2020-22218 | expand

Commit Message

Steve Sakoman Sept. 8, 2023, 1:46 p.m. UTC
From: Kai Kang <kai.kang@windriver.com>

Backport the upstream WebKit patch for bug 256567, which fixes CVE-2023-32439, to webkitgtk.

CVE: CVE-2023-32439

Signed-off-by: Kai Kang <kai.kang@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
 .../webkit/webkitgtk/CVE-2023-32439.patch     | 128 ++++++++++++++++++
 meta/recipes-sato/webkit/webkitgtk_2.38.6.bb  |   1 +
 2 files changed, 129 insertions(+)
 create mode 100644 meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch

Patch

diff --git a/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch
new file mode 100644
index 0000000000..5c240011e0
--- /dev/null
+++ b/meta/recipes-sato/webkit/webkitgtk/CVE-2023-32439.patch
@@ -0,0 +1,128 @@ 
+CVE: CVE-2023-32439
+
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/ebefb9e]
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From ebefb9e6b7e7440ab6bb29452f4ac6350bd8b975 Mon Sep 17 00:00:00 2001
+From: Yijia Huang <yijia_huang@apple.com>
+Date: Wed, 10 May 2023 09:41:48 -0700
+Subject: [PATCH] Cherry-pick 263909@main (52fe95e5805c).
+ https://bugs.webkit.org/show_bug.cgi?id=256567
+
+    EnumeratorNextUpdateIndexAndMode and HasIndexedProperty should have different heap location kinds
+    https://bugs.webkit.org/show_bug.cgi?id=256567
+    rdar://109089013
+
+    Reviewed by Yusuke Suzuki.
+
+    EnumeratorNextUpdateIndexAndMode and HasIndexedProperty are different DFG nodes. However,
+    they might introduce the same heap location kind in DFGClobberize.h which might lead to
+    hash collision. We should introduce a new locationn kind for EnumeratorNextUpdateIndexAndMode.
+
+    * JSTests/stress/heap-location-collision-dfg-clobberize.js: Added.
+    (foo):
+    * Source/JavaScriptCore/dfg/DFGClobberize.h:
+    (JSC::DFG::clobberize):
+    * Source/JavaScriptCore/dfg/DFGHeapLocation.cpp:
+    (WTF::printInternal):
+    * Source/JavaScriptCore/dfg/DFGHeapLocation.h:
+
+    Canonical link: https://commits.webkit.org/263909@main
+
+Canonical link: https://commits.webkit.org/260527.376@webkitglib/2.40
+---
+ .../stress/heap-location-collision-dfg-clobberize.js | 12 ++++++++++++
+ Source/JavaScriptCore/dfg/DFGClobberize.h            |  7 ++++---
+ Source/JavaScriptCore/dfg/DFGHeapLocation.cpp        |  4 ++++
+ Source/JavaScriptCore/dfg/DFGHeapLocation.h          |  1 +
+ 4 files changed, 21 insertions(+), 3 deletions(-)
+ create mode 100644 JSTests/stress/heap-location-collision-dfg-clobberize.js
+
+diff --git a/JSTests/stress/heap-location-collision-dfg-clobberize.js b/JSTests/stress/heap-location-collision-dfg-clobberize.js
+new file mode 100644
+index 000000000000..ed40601ea37f
+--- /dev/null
++++ b/JSTests/stress/heap-location-collision-dfg-clobberize.js
+@@ -0,0 +1,12 @@
++//@ runDefault("--watchdog=300", "--watchdog-exception-ok")
++const arr = [0];
++
++function foo() {
++    for (let _ in arr) {
++        0 in arr;
++        while(1);
++    }
++}
++
++
++foo();
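Review bot: The regression test carries no comment saying what it exercises or why it is expected to be killed by the watchdog, so a reader sees only a deliberately infinite loop. `while(1)` never returns, and the `--watchdog=300 --watchdog-exception-ok` directive on the first line is what lets the run pass; the check is therefore "the DFG compiles `0 in arr` next to the for-in enumerator without crashing", not any asserted value. I would add directly under the directive: `// Regression test for https://bugs.webkit.org/show_bug.cgi?id=256567: HasIndexedProperty (0 in arr) and the for-in enumerator must get distinct DFG heap-location kinds; the loop is intentionally infinite and is ended by the watchdog.` As far as the visible recipe hunk shows, nothing in the webkitgtk build runs JSTests/stress, so this file documents the fix but does not exercise it at build time.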
+diff --git a/Source/JavaScriptCore/dfg/DFGClobberize.h b/Source/JavaScriptCore/dfg/DFGClobberize.h
+index e4db64155316..5ec334787c0c 100644
+--- a/Source/JavaScriptCore/dfg/DFGClobberize.h
++++ b/Source/JavaScriptCore/dfg/DFGClobberize.h
+@@ -383,6 +383,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+ 
+         read(JSObject_butterfly);
+         ArrayMode mode = node->arrayMode();
++        LocationKind locationKind = node->op() == EnumeratorNextUpdateIndexAndMode ? EnumeratorNextUpdateIndexAndModeLoc : HasIndexedPropertyLoc;
+         switch (mode.type()) {
+         case Array::ForceExit: {
+             write(SideState);
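Review bot: The ternary added at the top of this case arm maps every op other than EnumeratorNextUpdateIndexAndMode to HasIndexedPropertyLoc, so if a third node kind ever shares this arm (the `case` labels and the start of clobberize() are outside the hunk, so I cannot confirm only two do) it would still collide with HasIndexedProperty in the CSE hash, which is exactly the class of bug this patch fixes. Pinning that assumption makes the backport self-checking in debug builds: `ASSERT(node->op() == HasIndexedProperty || node->op() == EnumeratorNextUpdateIndexAndMode);` immediately before the `LocationKind locationKind = ...` line. Since the same `locationKind` feeds the three def() sites in the following hunks, the single assert covers all of them.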
+@@ -392,7 +393,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+             if (mode.isInBounds()) {
+                 read(Butterfly_publicLength);
+                 read(IndexedInt32Properties);
+-                def(HeapLocation(HasIndexedPropertyLoc, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
++                def(HeapLocation(locationKind, IndexedInt32Properties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                 return;
+             }
+             break;
+@@ -402,7 +403,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+             if (mode.isInBounds()) {
+                 read(Butterfly_publicLength);
+                 read(IndexedDoubleProperties);
+-                def(HeapLocation(HasIndexedPropertyLoc, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
++                def(HeapLocation(locationKind, IndexedDoubleProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                 return;
+             }
+             break;
+@@ -412,7 +413,7 @@ void clobberize(Graph& graph, Node* node, const ReadFunctor& read, const WriteFu
+             if (mode.isInBounds()) {
+                 read(Butterfly_publicLength);
+                 read(IndexedContiguousProperties);
+-                def(HeapLocation(HasIndexedPropertyLoc, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
++                def(HeapLocation(locationKind, IndexedContiguousProperties, graph.varArgChild(node, 0), graph.varArgChild(node, 1)), LazyNode(node));
+                 return;
+             }
+             break;
+diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
+index 0661e5b826b7..698a6d4b6062 100644
+--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
++++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.cpp
+@@ -134,6 +134,10 @@ void printInternal(PrintStream& out, LocationKind kind)
+         out.print("HasIndexedPorpertyLoc");
+         return;
+ 
++    case EnumeratorNextUpdateIndexAndModeLoc:
++        out.print("EnumeratorNextUpdateIndexAndModeLoc");
++        return;
++
+     case IndexedPropertyDoubleLoc:
+         out.print("IndexedPropertyDoubleLoc");
+         return;
+diff --git a/Source/JavaScriptCore/dfg/DFGHeapLocation.h b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
+index 40fb71673284..7238491b02c9 100644
+--- a/Source/JavaScriptCore/dfg/DFGHeapLocation.h
++++ b/Source/JavaScriptCore/dfg/DFGHeapLocation.h
+@@ -46,6 +46,7 @@ enum LocationKind {
+     DirectArgumentsLoc,
+     GetterLoc,
+     GlobalVariableLoc,
++    EnumeratorNextUpdateIndexAndModeLoc,
+     HasIndexedPropertyLoc,
+     IndexedPropertyDoubleLoc,
+     IndexedPropertyDoubleSaneChainLoc,
+-- 
+2.34.1
+
diff --git a/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb b/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
index 5e8adf50fc..4cef133c19 100644
--- a/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
+++ b/meta/recipes-sato/webkit/webkitgtk_2.38.6.bb
@@ -14,6 +14,7 @@  SRC_URI = "https://www.webkitgtk.org/releases/${BPN}-${PV}.tar.xz \
            file://reproducibility.patch \
            file://0d3344e17d258106617b0e6d783d073b188a2548.patch \
            file://d318bb461f040b90453bc4e100dcf967243ecd98.patch \
+           file://CVE-2023-32439.patch \
            "
 SRC_URI[sha256sum] = "1c614c9589389db1a79ea9ba4293bbe8ac3ab0a2234cac700935fae0724ad48b"