new file mode 100644
@@ -0,0 +1,65 @@
+CVE: CVE-2023-23529
+Upstream-Status: Backport [https://github.com/WebKit/WebKit/commit/6cc943c]
+
+With the help from webkit maillist, backport and rebase patch to fix
+CVE-2023-23529.
+
+https://lists.webkit.org/pipermail/webkit-gtk/2023-August/003931.html
+
+Signed-off-by: Kai Kang <kai.kang@windriver.com>
+
+From 6cc943c3323a1a1368934c812e5e8ec08f54dcd4 Mon Sep 17 00:00:00 2001
+From: Yusuke Suzuki <ysuzuki@apple.com>
+Date: Fri, 17 Feb 2023 10:39:19 -0800
+Subject: [PATCH] Cherry-pick 259548.63@safari-7615-branch (1b2eb138ef92).
+ rdar://105598149
+
+ [JSC] ToThis object folding should check if AbstractValue is always an object
+ https://bugs.webkit.org/show_bug.cgi?id=251944
+ rdar://105175786
+
+ Reviewed by Geoffrey Garen and Mark Lam.
+
+ ToThis can become Identity for strict mode if it is just primitive values or its object does not have toThis function overriding.
+ This is correct, but folding ToThis to Undefined etc. (not Identity) needs to check that an input only contains objects.
+ This patch adds appropriate checks to prevent from converting ToThis(GlobalObject | Int32) to Undefined for example.
+
+ * Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h:
+ (JSC::DFG::isToThisAnIdentity):
+
+ Canonical link: https://commits.webkit.org/259548.63@safari-7615-branch
+
+Canonical link: https://commits.webkit.org/260455@main
+---
+ .../JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+diff --git a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+index 928328ffab826..82481455e651d 100644
+--- a/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
++++ b/Source/JavaScriptCore/dfg/DFGAbstractInterpreterInlines.h
+@@ -209,7 +209,8 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
+ }
+ }
+
+- if ((ecmaMode.isStrict() || (valueForNode.m_type && !(valueForNode.m_type & ~SpecObject))) && valueForNode.m_structure.isFinite()) {
++ bool onlyObjects = valueForNode.m_type && !(valueForNode.m_type & ~SpecObject);
++ if ((ecmaMode.isStrict() || onlyObjects) && valueForNode.m_structure.isFinite()) {
+ bool allStructuresAreJSScope = !valueForNode.m_structure.isClear();
+ bool overridesToThis = false;
+ valueForNode.m_structure.forEach([&](RegisteredStructure structure) {
+@@ -226,9 +227,13 @@ inline ToThisResult isToThisAnIdentity(VM& vm, ECMAMode ecmaMode, AbstractValue&
+ // If all the structures are JSScope's ones, we know the details of JSScope::toThis() operation.
+ allStructuresAreJSScope &= structure->classInfo()->methodTable.toThis == JSScope::info()->methodTable.toThis;
+ });
++
++ // This is correct for strict mode even if this can have non objects, since the right semantics is Identity.
+ if (!overridesToThis)
+ return ToThisResult::Identity;
+- if (allStructuresAreJSScope) {
++
++ // But this folding is available only if input is always an object.
++ if (onlyObjects && allStructuresAreJSScope) {
+ if (ecmaMode.isStrict())
+ return ToThisResult::Undefined;
+ return ToThisResult::GlobalThis;
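Review bot: The context and added lines of the embedded diff (L44–L67) appear with no leading indentation, yet the corresponding lines in DFGAbstractInterpreterInlines.h are several scopes deep inside isToThisAnIdentity(); if the committed patch file really looks like this rather than the whitespace having been lost in rendering, do_patch will reject both hunks on context mismatch. Please confirm the file applies cleanly to the tarball referenced by SRC_URI (a build through do_patch, or `git apply --check` against an unpacked source tree) before merging, since the CVE-2023-23529 entry is only effective if the hunks actually land. The patch header already records the upstream commit, the mailing-list thread and the rebase, which is the right level of detail for a backport. isToThisAnIdentity() begins and ends outside both embedded hunks.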
@@ -21,6 +21,7 @@ SRC_URI = "https://www.webkitgtk.org/releases/${BP}.tar.xz \
file://CVE-2022-46699.patch \
file://CVE-2022-42867.patch \
file://CVE-2022-46700.patch \
+ file://CVE-2023-23529.patch \
"
SRC_URI[sha256sum] = "0ad9fb6bf28308fe3889faf184bd179d13ac1b46835d2136edbab2c133d00437"