Diffstat (limited to 'www/qt5-webengine/files/patch-security-rollup')
-rw-r--r-- | www/qt5-webengine/files/patch-security-rollup | 891 |
1 files changed, 0 insertions, 891 deletions
diff --git a/www/qt5-webengine/files/patch-security-rollup b/www/qt5-webengine/files/patch-security-rollup
deleted file mode 100644
index b27b8cec77c9..000000000000
--- a/www/qt5-webengine/files/patch-security-rollup
+++ /dev/null
@@ -1,891 +0,0 @@ -Add security patches to this file. - -Addresses the following security issues: - -- Security bug 329674887 -- CVE-2024-3157 -- CVE-2024-3516 -- CVE-2024-3839 -- CVE-2024-3837 -- Security bug 40940917 -- CVE-2024-4058 -- Security bug 327698060 -- CVE-2024-4558 -- CVE-2024-3914 -- Security bug 329699609 - -From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001 -From: Marco Paniconi <marpan@google.com> -Date: Wed, 13 Mar 2024 10:58:17 -0700 -Subject: [PATCH] [Backport] Security bug 329674887 (1/2) - -Cherry-pick of patch orignally reviewed on -https://chromium-review.googlesource.com/c/webm/libvpx/+/5370376: -Fix to buffer alloc for vp9_bitstream_worker_data - -The code was using the bitstream_worker_data when it -wasn't allocated for big enough size. This is because -the existing condition was to only re-alloc the -bitstream_worker_data when current dest_size was larger -than the current frame_size. But under resolution change -where frame_size is increased, beyond the current dest_size, -we need to allow re-alloc to the new size. - -The existing condition to re-alloc when dest_size is -larger than frame_size (which is not required) is kept -for now. - -Also increase the dest_size to account for image format. - -Added tests, for both ROW_MT=0 and 1, that reproduce -the failures in the bugs below. - -Note: this issue only affects the REALTIME encoding path. 
- -Bug: b/329088759, b/329674887, b/329179808 - -Change-Id: Icd65dbc5317120304d803f648d4bd9405710db6f -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554667 -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> ---- - .../source/libvpx/vp9/encoder/vp9_bitstream.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c -index 3eff4ce830d1..22db39714922 100644 ---- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c -+++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c -@@ -963,6 +963,14 @@ void vp9_bitstream_encode_tiles_buffer_dealloc(VP9_COMP *const cpi) { - } - } - -+static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) { -+ VP9_COMMON *const cm = &cpi->common; -+ const int image_bps = -+ (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) * -+ (1 + (cm->bit_depth > 8)); -+ return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; -+} -+ - static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { - int i; - const size_t worker_data_size = -@@ -972,7 +980,7 @@ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { - if (!cpi->vp9_bitstream_worker_data) return 1; - for (i = 1; i < cpi->num_workers; ++i) { - cpi->vp9_bitstream_worker_data[i].dest_size = -- cpi->oxcf.width * cpi->oxcf.height; -+ encode_tiles_buffer_alloc_size(cpi); - cpi->vp9_bitstream_worker_data[i].dest = - vpx_malloc(cpi->vp9_bitstream_worker_data[i].dest_size); - if (!cpi->vp9_bitstream_worker_data[i].dest) return 1; -@@ -989,8 +997,8 @@ static size_t encode_tiles_mt(VP9_COMP *cpi, uint8_t *data_ptr) { - int tile_col = 0; - - if (!cpi->vp9_bitstream_worker_data || -- cpi->vp9_bitstream_worker_data[1].dest_size > -- (cpi->oxcf.width * cpi->oxcf.height)) { -+ cpi->vp9_bitstream_worker_data[1].dest_size != -+ 
encode_tiles_buffer_alloc_size(cpi)) { - vp9_bitstream_encode_tiles_buffer_dealloc(cpi); - if (encode_tiles_buffer_alloc(cpi)) return 0; - } -From 7c81b9390d837ffbaccb1846db64960b4a79626f Mon Sep 17 00:00:00 2001 -From: Marco Paniconi <marpan@google.com> -Date: Sat, 16 Mar 2024 10:39:28 -0700 -Subject: [PATCH] [Backport] Security bug 329674887 (2/2) - -Cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/webm/libvpx/+/5375794: -vp9: fix to integer overflow test - -failure for the 16k test: issue introduced -in: c29e637283 - -Bug: b/329088759, b/329674887, b/329179808 - -Change-Id: I88e8a36b7f13223997c3006c84aec9cfa48c0bcf -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554668 -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> ---- - .../libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c -index 22db3971492..645ba6ebb3a 100644 ---- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c -+++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c -@@ -968,7 +968,9 @@ static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) { - const int image_bps = - (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) * - (1 + (cm->bit_depth > 8)); -- return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; -+ const int64_t size = -+ (int64_t)cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; -+ return (int)size; - } - - static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { -From 11ecd608320b14500f912e827b5b0eab285b8142 Mon Sep 17 00:00:00 2001 -From: kylechar <kylechar@chromium.org> -Date: Tue, 9 Apr 2024 17:14:26 +0000 -Subject: [PATCH] [Backport] CVE-2024-3157: Out of bounds write in Compositing - -Cherry-pick of patch originally 
reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5420432: -Validate buffer length - -The BitmapInSharedMemory mojo traits were only validating row length and -not total buffer length. - -(cherry picked from commit 1a19ff70bd54847d818566bd7a1e7c384c419746) - -(cherry picked from commit f15315f1cb7897e208947a40d538aac693283d7f) - -Bug: 331237485 -Change-Id: Ia2318899c44e9e7ac72fc7183954e6ce2c702179 -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5396796 -Commit-Queue: Kyle Charbonneau <kylechar@chromium.org> -Cr-Original-Original-Commit-Position: refs/heads/main@{#1278417} -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5420432 -Commit-Queue: danakj <danakj@chromium.org> -Cr-Original-Commit-Position: refs/branch-heads/6312@{#786} -Cr-Original-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506} -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5433678 -Reviewed-by: danakj <danakj@chromium.org> -Reviewed-by: Kyle Charbonneau <kylechar@chromium.org> -Cr-Commit-Position: refs/branch-heads/6099@{#2003} -Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554669 -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> ---- - .../cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc b/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc -index f602fa100477..c6d84002b3e4 100644 ---- src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc -+++ src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc -@@ -69,6 +69,10 @@ bool StructTraits<viz::mojom::BitmapInSharedMemoryDataView, 
SkBitmap>::Read( - if (!mapping_ptr->IsValid()) - return false; - -+ if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) { -+ return false; -+ } -+ - if (!sk_bitmap->installPixels(image_info, mapping_ptr->memory(), - data.row_bytes(), &DeleteSharedMemoryMapping, - mapping_ptr.get())) { -From 060d3aa868d6f4403a9416fe34b48ffbfcfe19cb Mon Sep 17 00:00:00 2001 -From: Shahbaz Youssefi <syoussefi@chromium.org> -Date: Mon, 25 Mar 2024 14:46:56 -0400 -Subject: [PATCH] [Backport] CVE-2024-3516: Heap buffer overflow in ANGLE - -Cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/angle/angle/+/5391986: -Translator: Disallow samplers in structs in interface blocks - -As disallowed by the spec: - -> Types and declarators are the same as for other uniform variable -> declarations outside blocks, with these exceptions: -> -> * opaque types are not allowed - -Bug: chromium:328859176 -Change-Id: Ib94977860102329e520e635c3757827c93ca2163 -Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5391986 -Auto-Submit: Shahbaz Youssefi <syoussefi@chromium.org> -Reviewed-by: Geoff Lang <geofflang@chromium.org> -Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org> -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554670 -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> ---- - .../src/compiler/translator/ParseContext.cpp | 33 ++++++++++++------- - 1 file changed, 21 insertions(+), 12 deletions(-) - -diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp -index 84a0c8fd9e0d..3e8a4a71ff67 100644 ---- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp -+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp -@@ -34,27 +34,39 @@ namespace - - const int kWebGLMaxStructNesting = 4; - --bool ContainsSampler(const TStructure *structType); 
-+struct IsSamplerFunc -+{ -+ bool operator()(TBasicType type) { return IsSampler(type); } -+}; -+struct IsOpaqueFunc -+{ -+ bool operator()(TBasicType type) { return IsOpaqueType(type); } -+}; -+ -+template <typename OpaqueFunc> -+bool ContainsOpaque(const TStructure *structType); - --bool ContainsSampler(const TType &type) -+template <typename OpaqueFunc> -+bool ContainsOpaque(const TType &type) - { -- if (IsSampler(type.getBasicType())) -+ if (OpaqueFunc{}(type.getBasicType())) - { - return true; - } - if (type.getBasicType() == EbtStruct) - { -- return ContainsSampler(type.getStruct()); -+ return ContainsOpaque<OpaqueFunc>(type.getStruct()); - } - - return false; - } - --bool ContainsSampler(const TStructure *structType) -+template <typename OpaqueFunc> -+bool ContainsOpaque(const TStructure *structType) - { - for (const auto &field : structType->fields()) - { -- if (ContainsSampler(*field->type())) -+ if (ContainsOpaque<OpaqueFunc>(*field->type())) - return true; - } - return false; -@@ -915,7 +927,7 @@ bool TParseContext::checkIsNotOpaqueType(const TSourceLoc &line, - { - if (pType.type == EbtStruct) - { -- if (ContainsSampler(pType.userDef)) -+ if (ContainsOpaque<IsSamplerFunc>(pType.userDef)) - { - std::stringstream reasonStream = sh::InitializeStream<std::stringstream>(); - reasonStream << reason << " (structure contains a sampler)"; -@@ -3900,12 +3912,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock( - { - TField *field = (*fieldList)[memberIndex]; - TType *fieldType = field->type(); -- if (IsOpaqueType(fieldType->getBasicType())) -+ if (ContainsOpaque<IsOpaqueFunc>(*fieldType)) - { -- std::string reason("unsupported type - "); -- reason += fieldType->getBasicString(); -- reason += " types are not allowed in interface blocks"; -- error(field->line(), reason.c_str(), fieldType->getBasicString()); -+ error(field->line(), "Opaque types are not allowed in interface blocks", blockName); - } - - const TQualifier qualifier = fieldType->getQualifier(); 
-From 2c61d151bd3fab48c7e03a4cbfca22fa09c9022c Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org> -Date: Thu, 14 Mar 2024 12:48:18 +0000 -Subject: [PATCH] [Backport] CVE-2024-3839: Out of bounds read in Fonts -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5361874: -Disable STAT sanitization/checks through OTS - -Due to issues in upstream, OTS STAT sanitization does not provide an -added security benefit. Pass-through the STAT table. - -Bug: chromium:41491859 -Change-Id: I19dcd87376af553afe242452396b951a74691f3c -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5361874 -Commit-Queue: Dominik Röttsches <drott@chromium.org> -Reviewed-by: Koji Ishii <kojii@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1272710} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560661 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - .../blink/renderer/platform/fonts/web_font_decoder.cc | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc b/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc -index e72f801016a3..dfae30c22c22 100644 ---- src/3rdparty/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc -+++ src/3rdparty/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc -@@ -97,6 +97,7 @@ ots::TableAction BlinkOTSContext::GetTableAction(uint32_t tag) { - const uint32_t kCpalTag = OTS_TAG('C', 'P', 'A', 'L'); - const uint32_t kCff2Tag = OTS_TAG('C', 'F', 'F', '2'); - const uint32_t kSbixTag = OTS_TAG('s', 'b', 'i', 'x'); -+ const uint32_t kStatTag = OTS_TAG('S', 'T', 'A', 'T'); - #if HB_VERSION_ATLEAST(1, 0, 0) - const uint32_t kGdefTag = OTS_TAG('G', 'D', 'E', 'F'); - const uint32_t kGposTag = OTS_TAG('G', 'P', 
'O', 'S'); -@@ -123,6 +124,7 @@ ots::TableAction BlinkOTSContext::GetTableAction(uint32_t tag) { - case kCpalTag: - case kCff2Tag: - case kSbixTag: -+ case kStatTag: - #if HB_VERSION_ATLEAST(1, 0, 0) - // Let HarfBuzz handle how to deal with broken tables. - case kAvarTag: -From 0594d0383b46e78d33fde62258ffb49b53d3c429 Mon Sep 17 00:00:00 2001 -From: Liza Burakova <liza@chromium.org> -Date: Wed, 21 Feb 2024 19:02:15 +0000 -Subject: [PATCH] [Backport] CVE-2024-3837: Use after free in QUIC - -Manual cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5268864: -Check if session is going away in Handle::RequestStream. - -This CL adds an extra check in the QuicChromiumClientSession -handle's RequestSession to make sure the session is not -marked as going away before creating a new StreamRequest. - -Bug: 41491379 -Change-Id: I687dfc23131871cdba345d3cf78dbbbd2e619ce9 -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5268864 -Reviewed-by: Kenichi Ishibashi <bashi@chromium.org> -Commit-Queue: Liza Burakova <liza@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1263483} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560662 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - chromium/net/quic/quic_chromium_client_session.cc | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/chromium/net/quic/quic_chromium_client_session.cc b/chromium/net/quic/quic_chromium_client_session.cc -index 6e08826bbb0d..4bca38bd10db 100644 ---- src/3rdparty/chromium/net/quic/quic_chromium_client_session.cc -+++ src/3rdparty/chromium/net/quic/quic_chromium_client_session.cc -@@ -500,7 +500,8 @@ int QuicChromiumClientSession::Handle::RequestStream( - const NetworkTrafficAnnotationTag& traffic_annotation) { - DCHECK(!stream_request_); - -- if (!session_) -+ // TODO(crbug.com/41491379): Add a regression test. 
-+ if (!session_ || session_->going_away_) - return ERR_CONNECTION_CLOSED; - - requires_confirmation |= session_->gquic_zero_rtt_disabled(); -From 28c3af39d3bdaea88865f901d19862bf7d44199d Mon Sep 17 00:00:00 2001 -From: Pete Williamson <petewil@chromium.org> -Date: Tue, 27 Feb 2024 00:19:05 +0000 -Subject: [PATCH] [Backport] Security bug 40940917 - -Cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5293726: -Fix misalligned address in hunspell::NodeReader::ReaderForLookupAt - -With the Hunspell spell checking library, we are using a custom wrapper -to read the dictionaries from files. In that custom wrapper, we were -reading by using reinterpret_cast to interpret an offset into a pointer, -and then reading the bytes at that pointer for the child_offset. - -The spell checking code appears to have been working properly in the -field. However, the current code caused fuzzing test failures, and -those failures are blocking other tests, so we need to fix this to -unblock other tests. - -It turns out that we were casting a value to a pointer that did not -have proper alignment (for instance, a pointer to a 32 bit int needs -to be 4 byte allinged, but this pointer was not). While it has often -worked in older compilers, it turns out this is undefined behavior. - -Instead of relying on undefined behavior, the right thing to do is to -use std::memcpy to copy the bytes from the misalligned address into -their final destination (either an int32 or an int16 in this case). 
- -Bug: 40940917 -Change-Id: I8aeba9ee8000b51e98863813235d8dceb1c41ceb -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5293726 -Commit-Queue: Peter Williamson <petewil@chromium.org> -Reviewed-by: Trevor Perrier <perrier@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1265552} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560663 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - .../hunspell/google/bdict_reader.cc | 27 ++++++++++++++----- - 1 file changed, 21 insertions(+), 6 deletions(-) - -diff --git a/chromium/third_party/hunspell/google/bdict_reader.cc b/chromium/third_party/hunspell/google/bdict_reader.cc -index 70416a7c9048..70e4d4977ad5 100644 ---- src/3rdparty/chromium/third_party/hunspell/google/bdict_reader.cc -+++ src/3rdparty/chromium/third_party/hunspell/google/bdict_reader.cc -@@ -5,6 +5,8 @@ - #include "third_party/hunspell/google/bdict_reader.h" - - #include <stdint.h> -+#include <cstdint> -+#include <cstring> - - #include "base/check.h" - -@@ -413,19 +415,32 @@ NodeReader::FindResult NodeReader::ReaderForLookupAt( - if (index >= static_cast<size_t>(lookup_num_chars()) || !is_valid_) - return FIND_DONE; - -- size_t child_offset; -+ size_t child_offset = 0; - if (is_lookup_32()) { - // Table contains 32-bit absolute offsets. -- child_offset = -- reinterpret_cast<const unsigned int*>(table_begin)[index]; -+ -+ // We need to use memcpy here instead of just casting the offset into a -+ // pointer to an int because the cast can cause undefined behavior if -+ // the pointer is not alligned, and in this case it is not. -+ int byte_offset = index * sizeof(uint32_t); -+ std::memcpy(&child_offset, -+ reinterpret_cast<const void*>(table_begin + byte_offset), -+ sizeof(uint32_t)); - if (!child_offset) - return FIND_NOTHING; // This entry in the table is empty. - } else { - // Table contains 16-bit offsets relative to the current node. 
-- child_offset = -- reinterpret_cast<const unsigned short*>(table_begin)[index]; -- if (!child_offset) -+ -+ // We need to use memcpy here instead of just casting the offset into a -+ // pointer to an int because the cast can cause undefined behavior if -+ // the pointer is not alligned, and in this case it is not. -+ int byte_offset = index * sizeof(uint16_t); -+ std::memcpy(&child_offset, -+ reinterpret_cast<const void*>(table_begin + byte_offset), -+ sizeof(uint16_t)); -+ if (!child_offset) { - return FIND_NOTHING; // This entry in the table is empty. -+ } - child_offset += node_offset_; - } - -From b4d43a76e4c334084400402c09620ef24870704e Mon Sep 17 00:00:00 2001 -From: Shahbaz Youssefi <syoussefi@chromium.org> -Date: Mon, 8 Apr 2024 10:14:45 -0400 -Subject: [PATCH] [Backport] CVE-2024-4058: Type Confusion in ANGLE - -Partial manual cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/angle/angle/+/5466390: -SPIR-V: Fix const constructors with single scalar - -These constructors may be generated because of -RemoveArrayLengthTraverser. 
- -Bug: chromium:332546345 -Change-Id: I2b2bf3728ef5bae148abc2a8518f8f3f42850025 -Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5462388 -(cherry picked from commit 0b776d32f69a932acb61963d9daad9e13f610944) -Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5466390 -Commit-Queue: Zakhar Voit <voit@google.com> -Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org> -Reviewed-by: Geoff Lang <geofflang@chromium.org> -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560664 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - .../third_party/angle/src/compiler/translator/Compiler.cpp | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/chromium/third_party/angle/src/compiler/translator/Compiler.cpp b/chromium/third_party/angle/src/compiler/translator/Compiler.cpp -index 27975887086a..435d3b41b3a3 100644 ---- src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp -+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp -@@ -757,6 +757,11 @@ bool TCompiler::checkAndSimplifyAST(TIntermBlock *root, - { - return false; - } -+ // Fold the expressions again, because |RemoveArrayLengthMethod| can introduce new constants. 
-+ if (!FoldExpressions(this, root, &mDiagnostics)) -+ { -+ return false; -+ } - - if (!RemoveUnreferencedVariables(this, root, &mSymbolTable)) - { -From dceba69334080559303f92fc4a6c6d01e7dcd00c Mon Sep 17 00:00:00 2001 -From: Brendon Tiszka <tiszka@chromium.org> -Date: Sun, 3 Mar 2024 21:30:59 +0100 -Subject: [PATCH] [Backport] Security bug 327698060 - -Manual cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5337387: -PaintOpReader: Harden PaintImage deserialization - -Add missing validity check after `Read` - -Bug: 327698060 -Change-Id: I0aa5120296009998af3235a01304a1f597a82a33 -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5337387 -Commit-Queue: Khushal Sagar <khushalsagar@chromium.org> -Reviewed-by: Khushal Sagar <khushalsagar@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1267636} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560665 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> ---- - chromium/cc/paint/paint_op_reader.cc | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/chromium/cc/paint/paint_op_reader.cc b/chromium/cc/paint/paint_op_reader.cc -index 0979f6630175..b6a9d8ca3641 100644 ---- src/3rdparty/chromium/cc/paint/paint_op_reader.cc -+++ src/3rdparty/chromium/cc/paint/paint_op_reader.cc -@@ -309,6 +309,10 @@ void PaintOpReader::Read(PaintImage* image) { - case PaintOp::SerializedImageType::kImageData: { - SkColorType color_type; - Read(&color_type); -+ if (!valid_) { -+ return; -+ } -+ - uint32_t width; - Read(&width); - uint32_t height; -From 2b188075ed5f01cc9c09b5273b5e6177d7252a0e Mon Sep 17 00:00:00 2001 -From: Geoff Lang <geofflang@chromium.org> -Date: Mon, 29 Apr 2024 15:27:36 -0400 -Subject: [PATCH] [Backport] CVE-2024-4558: Use after free in ANGLE - -Manual cherry-pick of patch originally reviewed on 
-https://chromium-review.googlesource.com/c/angle/angle/+/5498735: -GL: Sync unpack state for glCompressedTexSubImage3D - -Unpack state is supposed to be ignored for compressed tex image calls -but some drivers use it anyways and read incorrect data. - -Texture3DTestES3.PixelUnpackStateTexSubImage covers this case. - -Bug: chromium:337766133 -Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22 -Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735 -Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org> - -Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org> -Change-Id: I0736ceb1e3165f571358ae06a0287b3f5a98d425 -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560666 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - .../third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp b/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp -index 035d4520b13b..0cfd21621bb3 100644 ---- src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp -+++ src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp -@@ -579,6 +579,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context, - nativegl::GetCompressedSubTexImageFormat(functions, features, format); - - stateManager->bindTexture(getType(), mTextureID); -+ ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack)); - if (nativegl::UseTexImage2D(getType())) - { - ASSERT(area.z == 0 && area.depth == 1); -From d553c9366aedad5701852427f8e1910381c4ff8b Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= <marja@google.com> -Date: Tue, 26 Mar 2024 13:53:21 +0000 -Subject: [PATCH] [Backport] CVE-2024-3914: Use after free in V8 (1/2) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Manual backport of patch originally 
reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5387887: -[M120-LTS] Fix DOMArrayBuffer::IsDetached() - -M120 merge issues: - third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc: - - Conflicting types for variable worlds - - Conflicting AllWorldsInIsolate() call (M120 doesn't use the last argument) - -A DOMArrayBuffer was maintaining its own "is_detached_" state, and -would consider itself non-detached even if the corresponding -JSArrayBuffer (or, all of them, in case there are several) was -detached. - -Piping in the v8::Isolate would be a too big change for this fix, so this is using v8::Isolate::GetCurrent() for now. - -Bug: 330759272 -Change-Id: I1e98ebd2066d2e59658db12f1bb419b6ebc1d706 -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5387887 -Commit-Queue: Marja Hölttä <marja@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1278283} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562706 -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> ---- - .../core/typed_arrays/dom_array_buffer.cc | 50 +++++++++++++++++++ - .../core/typed_arrays/dom_array_buffer.h | 13 +++++ - .../core/typed_arrays/dom_array_buffer_base.h | 2 +- - 3 files changed, 64 insertions(+), 1 deletion(-) - -diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc -index c456d15f2f50..38dcd3a35737 100644 ---- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc -+++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc -@@ -18,6 +18,15 @@ static void AccumulateArrayBuffersForAllWorlds( - v8::Isolate* isolate, - DOMArrayBuffer* object, - Vector<v8::Local<v8::ArrayBuffer>, 4>& buffers) { -+ if (!object->has_non_main_world_wrappers() && IsMainThread()) { -+ const DOMWrapperWorld& world = DOMWrapperWorld::MainWorld(); -+ 
v8::Local<v8::Object> wrapper = world.DomDataStore().Get(object, isolate); -+ if (!wrapper.IsEmpty()) { -+ buffers.push_back(v8::Local<v8::ArrayBuffer>::Cast(wrapper)); -+ } -+ return; -+ } -+ - Vector<scoped_refptr<DOMWrapperWorld>> worlds; - DOMWrapperWorld::AllWorldsInCurrentThread(worlds); - for (const auto& world : worlds) { -@@ -155,6 +164,47 @@ DOMArrayBuffer* DOMArrayBuffer::Create( - return Create(std::move(contents)); - } - -+bool DOMArrayBuffer::IsDetached() const { -+ if (contents_.BackingStore() == nullptr) { -+ return is_detached_; -+ } -+ if (is_detached_) { -+ return true; -+ } -+ -+ v8::Isolate* isolate = v8::Isolate::GetCurrent(); -+ v8::HandleScope handle_scope(isolate); -+ Vector<v8::Local<v8::ArrayBuffer>, 4> buffer_handles; -+ AccumulateArrayBuffersForAllWorlds(isolate, const_cast<DOMArrayBuffer*>(this), buffer_handles); -+ -+ // There may be several v8::ArrayBuffers corresponding to the DOMArrayBuffer, -+ // but at most one of them may be non-detached. -+ int nondetached_count = 0; -+ int detached_count = 0; -+ -+ for (const auto& buffer_handle : buffer_handles) { -+ if (buffer_handle->WasDetached()) { -+ ++detached_count; -+ } else { -+ ++nondetached_count; -+ } -+ } -+ CHECK_LE(nondetached_count, 1); -+ -+ return nondetached_count == 0 && detached_count > 0; -+} -+ -+v8::Local<v8::Object> DOMArrayBuffer::AssociateWithWrapper( -+ v8::Isolate* isolate, -+ const WrapperTypeInfo* wrapper_type_info, -+ v8::Local<v8::Object> wrapper) { -+ if (!DOMWrapperWorld::Current(isolate).IsMainWorld()) { -+ has_non_main_world_wrappers_ = true; -+ } -+ return ScriptWrappable::AssociateWithWrapper(isolate, wrapper_type_info, -+ wrapper); -+} -+ - DOMArrayBuffer* DOMArrayBuffer::Slice(size_t begin, size_t end) const { - begin = std::min(begin, ByteLengthAsSizeT()); - end = std::min(end, ByteLengthAsSizeT()); -diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h 
b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h -index e9a85d38d4d4..b1820dfa8408 100644 ---- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h -+++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h -@@ -79,8 +79,21 @@ class CORE_EXPORT DOMArrayBuffer final : public DOMArrayBufferBase { - v8::Local<v8::Value> Wrap(v8::Isolate*, - v8::Local<v8::Object> creation_context) override; - -+ bool IsDetached() const override; -+ -+ v8::Local<v8::Object> AssociateWithWrapper( -+ v8::Isolate* isolate, -+ const WrapperTypeInfo* wrapper_type_info, -+ v8::Local<v8::Object> wrapper) override; -+ -+ bool has_non_main_world_wrappers() const { -+ return has_non_main_world_wrappers_; -+ } -+ - private: - bool TransferDetachable(v8::Isolate*, ArrayBufferContents& result); -+ -+ bool has_non_main_world_wrappers_ = false; - }; - - } // namespace blink -diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h -index e99cce60dd7f..3ae9a4360e85 100644 ---- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h -+++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h -@@ -33,7 +33,7 @@ class CORE_EXPORT DOMArrayBufferBase : public ScriptWrappable { - return base::checked_cast<unsigned>(contents_.DataLength()); - } - -- bool IsDetached() const { return is_detached_; } -+ virtual bool IsDetached() const { return is_detached_; } - - void Detach() { is_detached_ = true; } - -From efda8125f55049957e196995dffafb6dc171eadf Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= <marja@google.com> -Date: Thu, 4 Apr 2024 09:43:42 +0200 -Subject: [PATCH] [Backport] CVE-2024-3914: Use after free in V8 (2/2) -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - 
-Manual cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5419329: -[M120-LTS] Comment out a CHECK that a DOMAB has maximally one non-detached JSAB - -Based on crash reports, this assumption is not true and has to be -investigated. - -Removing this newly introduced CHECK to be able to merge fixes in this -area - we still violate this invariant but the fixes are a step into -the right direction. - -Fix in question: -https://chromium-review.googlesource.com/5387887 -which also introduced this CHECK. - -Bug: 330759272 -Change-Id: I4ba52fee7ed8f45e352efd347e87df03d896ac3d -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5419329 -Commit-Queue: Marja Hölttä <marja@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1282379} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562707 -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> ---- - .../blink/renderer/core/typed_arrays/dom_array_buffer.cc | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc -index 38dcd3a3573..69e332272dd 100644 ---- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc -+++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc -@@ -189,7 +189,11 @@ bool DOMArrayBuffer::IsDetached() const { - ++nondetached_count; - } - } -- CHECK_LE(nondetached_count, 1); -+ // This CHECK fires even though it should not. TODO(330759272): Investigate -+ // under which conditions we end up with multiple non-detached JSABs for the -+ // same DOMAB and potentially restore this check. 
-+
-+ // CHECK_LE(nondetached_count, 1);
-
- return nondetached_count == 0 && detached_count > 0;
- }
-From 91b3c705d739f6b6c58da6133e8e818e06dfcaa3 Mon Sep 17 00:00:00 2001
-From: Victor Gomes <victorgomes@chromium.org>
-Date: Thu, 21 Mar 2024 09:59:19 +0100
-Subject: [PATCH] [Backport] Security bug 329699609
-
-Manual backport of patch originally reviewed on
-https://chromium-review.googlesource.com/c/v8/v8/+/5378286:
-Deal with large strings in NoSideEffectsErrorToString
-
-If name is too big, StringBuilder will fail to even add
-"<a very large string>" suffix.
-
-In this case, we truncate name first.
-
-Bug: 329699609
-Change-Id: I6e4440c07eae84371f44b54f88127e2c70af0db5
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378286
-Commit-Queue: Victor Gomes <victorgomes@chromium.org>
-Reviewed-by: Patrick Thier <pthier@chromium.org>
-Auto-Submit: Victor Gomes <victorgomes@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#92932}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562708
-Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
----
- chromium/v8/src/objects/objects.cc | 25 +++++++++++++++++++------
- 1 file changed, 19 insertions(+), 6 deletions(-)
-
-diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc
-index 7b38609e347..7820c7e8e58 100644
---- src/3rdparty/chromium/v8/src/objects/objects.cc
-+++ src/3rdparty/chromium/v8/src/objects/objects.cc
-@@ -425,14 +425,27 @@ Handle<String> NoSideEffectsErrorToString(Isolate* isolate,
- if (name_str->length() == 0) return msg_str;
- if (msg_str->length() == 0) return name_str;
-
-- IncrementalStringBuilder builder(isolate);
-- builder.AppendString(name_str);
-- builder.AppendCString(": ");
-+ constexpr const char error_suffix[] = "<a very large string>";
-+ constexpr int error_suffix_size = sizeof(error_suffix);
-+ int suffix_size = std::min(error_suffix_size, msg_str->length());
-
-- if (builder.Length() + msg_str->length() <= 
String::kMaxLength) {
-- builder.AppendString(msg_str);
-+ IncrementalStringBuilder builder(isolate);
-+ if (name_str->length() + suffix_size + 2 /* ": " */ > String::kMaxLength) {
-+ constexpr const char connector[] = "... : ";
-+ int connector_size = sizeof(connector);
-+ Handle<String> truncated_name = isolate->factory()->NewProperSubString(
-+ name_str, 0, name_str->length() - error_suffix_size - connector_size);
-+ builder.AppendString(truncated_name);
-+ builder.AppendCString(connector);
-+ builder.AppendCString(error_suffix);
- } else {
-- builder.AppendCString("<a very large string>");
-+ builder.AppendString(name_str);
-+ builder.AppendCString(": ");
-+ if (builder.Length() + msg_str->length() <= String::kMaxLength) {
-+ builder.AppendString(msg_str);
-+ } else {
-+ builder.AppendCString(error_suffix);
-+ }
- }
-
- return builder.Finish().ToHandleChecked();
-From d3cb500c1d4b0508f3f21bb568c095984c614fcf Mon Sep 17 00:00:00 2001
-From: "Jason E. Hale" <jhale@FreeBSD.org>
-Date: Thu, 20 Jun 2024 23:42:33 -0400
-Subject: [PATCH] [Backport] Fixup CVE-2024-3914: Use after free in V8 (1/2)
-
-Manual backport of requisite method WasDetached() in V8.
----
- chromium/v8/include/v8.h | 8 ++++++++
- chromium/v8/src/api/api.cc | 4 ++++
- 2 files changed, 12 insertions(+)
-
-diff --git a/chromium/v8/include/v8.h b/chromium/v8/include/v8.h
-index 32687d90b5f..8a1b437bb06 100644
---- src/3rdparty/chromium/v8/include/v8.h
-+++ src/3rdparty/chromium/v8/include/v8.h
-@@ -5299,6 +5299,11 @@ class V8_EXPORT ArrayBuffer : public Object {
- */
- bool IsDetachable() const;
-
-+ /**
-+ * Returns true if this ArrayBuffer has been detached.
-+ */
-+ bool WasDetached() const;
-+
- /**
- * Detaches this ArrayBuffer and all its views (typed arrays).
- * Detaching sets the byte length of the buffer and all typed arrays to zero,
-@@ -5349,6 +5354,9 @@ class V8_EXPORT ArrayBuffer : public Object {
- * should not attempt to manage lifetime of the storage through other means.
- *
- * This function replaces both Externalize() and GetContents().
-+ *
-+ * The returned shared pointer will not be empty, even if the ArrayBuffer has
-+ * been detached. Use |WasDetached| to tell if it has been detached instead.
- */
- std::shared_ptr<BackingStore> GetBackingStore();
-
-diff --git a/chromium/v8/src/api/api.cc b/chromium/v8/src/api/api.cc
-index b6f9d12769e..05d31a7cedf 100644
---- src/3rdparty/chromium/v8/src/api/api.cc
-+++ src/3rdparty/chromium/v8/src/api/api.cc
-@@ -7386,6 +7386,10 @@ bool v8::ArrayBuffer::IsDetachable() const {
- return Utils::OpenHandle(this)->is_detachable();
- }
-
-+bool v8::ArrayBuffer::WasDetached() const {
-+ return Utils::OpenHandle(this)->was_detached();
-+}
-+
- namespace {
- // The backing store deleter just deletes the indirection, which downrefs
- // the shared pointer. It will get collected normally. |