Add security patches to this file.
Addresses the following security issues:
- Security bug 329674887
- CVE-2024-3157
- CVE-2024-3516
- CVE-2024-3839
- CVE-2024-3837
- Security bug 40940917
- CVE-2024-4058
- Security bug 327698060
- CVE-2024-4558
- CVE-2024-3914
- Security bug 329699609
From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001
From: Marco Paniconi <marpan@google.com>
Date: Wed, 13 Mar 2024 10:58:17 -0700
Subject: [PATCH] [Backport] Security bug 329674887 (1/2)
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/webm/libvpx/+/5370376:
Fix to buffer alloc for vp9_bitstream_worker_data
The code was using the bitstream_worker_data when it
wasn't allocated for big enough size. This is because
the existing condition was to only re-alloc the
bitstream_worker_data when current dest_size was larger
than the current frame_size. But under resolution change
where frame_size is increased, beyond the current dest_size,
we need to allow re-alloc to the new size.
The existing condition to re-alloc when dest_size is
larger than frame_size (which is not required) is kept
for now.
Also increase the dest_size to account for image format.
Added tests, for both ROW_MT=0 and 1, that reproduce
the failures in the bugs below.
Note: this issue only affects the REALTIME encoding path.
Bug: b/329088759, b/329674887, b/329179808
Change-Id: Icd65dbc5317120304d803f648d4bd9405710db6f
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554667
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
.../source/libvpx/vp9/encoder/vp9_bitstream.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
index 3eff4ce830d1..22db39714922 100644
--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
@@ -963,6 +963,14 @@ void vp9_bitstream_encode_tiles_buffer_dealloc(VP9_COMP *const cpi) {
}
}
+static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) {
+ VP9_COMMON *const cm = &cpi->common;
+ const int image_bps =
+ (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) *
+ (1 + (cm->bit_depth > 8));
+ return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
+}
+
static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
int i;
const size_t worker_data_size =
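Review bot: The new `encode_tiles_buffer_alloc_size` at the top of the hunk has no comment, and the `8 + 2 * (8 >> (subsampling_x + subsampling_y))` term is not self-explanatory to the next reader. Suggest a header comment along the lines of `/* Per-worker bitstream buffer size: bits per pixel of the raw frame (luma plus two chroma planes at the configured subsampling, doubled for bit depths above 8) times the configured frame area, in bytes. */`, plus a one-liner on the `!=` check in encode_tiles_mt saying why a size change in either direction forces reallocation. The int overflow in the `width * height * image_bps` product is addressed by the follow-up patch on this page, so it is not re-raised here. The trailing lines of the hunk belong to `encode_tiles_buffer_alloc`, whose body continues outside the hunk.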
@@ -972,7 +980,7 @@ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
if (!cpi->vp9_bitstream_worker_data) return 1;
for (i = 1; i < cpi->num_workers; ++i) {
cpi->vp9_bitstream_worker_data[i].dest_size =
- cpi->oxcf.width * cpi->oxcf.height;
+ encode_tiles_buffer_alloc_size(cpi);
cpi->vp9_bitstream_worker_data[i].dest =
vpx_malloc(cpi->vp9_bitstream_worker_data[i].dest_size);
if (!cpi->vp9_bitstream_worker_data[i].dest) return 1;
@@ -989,8 +997,8 @@ static size_t encode_tiles_mt(VP9_COMP *cpi, uint8_t *data_ptr) {
int tile_col = 0;
if (!cpi->vp9_bitstream_worker_data ||
- cpi->vp9_bitstream_worker_data[1].dest_size >
- (cpi->oxcf.width * cpi->oxcf.height)) {
+ cpi->vp9_bitstream_worker_data[1].dest_size !=
+ encode_tiles_buffer_alloc_size(cpi)) {
vp9_bitstream_encode_tiles_buffer_dealloc(cpi);
if (encode_tiles_buffer_alloc(cpi)) return 0;
}
From 7c81b9390d837ffbaccb1846db64960b4a79626f Mon Sep 17 00:00:00 2001
From: Marco Paniconi <marpan@google.com>
Date: Sat, 16 Mar 2024 10:39:28 -0700
Subject: [PATCH] [Backport] Security bug 329674887 (2/2)
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/webm/libvpx/+/5375794:
vp9: fix to integer overflow test
failure for the 16k test: issue introduced
in: c29e637283
Bug: b/329088759, b/329674887, b/329179808
Change-Id: I88e8a36b7f13223997c3006c84aec9cfa48c0bcf
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554668
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
.../libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
index 22db3971492..645ba6ebb3a 100644
--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
@@ -968,7 +968,9 @@ static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) {
const int image_bps =
(8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) *
(1 + (cm->bit_depth > 8));
- return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
+ const int64_t size =
+ (int64_t)cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
+ return (int)size;
}
static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
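Review bot: `return (int)size;` silently truncates the 64-bit product it was just widened to compute; for a configured frame area where `width * height * image_bps / 8` exceeds INT_MAX the function returns a wrong (possibly negative) value that flows into `vpx_malloc` and into the `!=` reallocation check. Either make the truncation impossible to miss, `assert(size <= INT_MAX);` before the cast, or widen the return type (and `dest_size`, if it is an `int` — not visible here) to `size_t`. A one-line comment stating the expected maximum resolution that keeps the value in range would also help.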
From 11ecd608320b14500f912e827b5b0eab285b8142 Mon Sep 17 00:00:00 2001
From: kylechar <kylechar@chromium.org>
Date: Tue, 9 Apr 2024 17:14:26 +0000
Subject: [PATCH] [Backport] CVE-2024-3157: Out of bounds write in Compositing
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5420432:
Validate buffer length
The BitmapInSharedMemory mojo traits were only validating row length and
not total buffer length.
(cherry picked from commit 1a19ff70bd54847d818566bd7a1e7c384c419746)
(cherry picked from commit f15315f1cb7897e208947a40d538aac693283d7f)
Bug: 331237485
Change-Id: Ia2318899c44e9e7ac72fc7183954e6ce2c702179
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5396796
Commit-Queue: Kyle Charbonneau <kylechar@chromium.org>
Cr-Original-Original-Commit-Position: refs/heads/main@{#1278417}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5420432
Commit-Queue: danakj <danakj@chromium.org>
Cr-Original-Commit-Position: refs/branch-heads/6312@{#786}
Cr-Original-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5433678
Reviewed-by: danakj <danakj@chromium.org>
Reviewed-by: Kyle Charbonneau <kylechar@chromium.org>
Cr-Commit-Position: refs/branch-heads/6099@{#2003}
Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554669
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
.../cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc b/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
index f602fa100477..c6d84002b3e4 100644
--- src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
+++ src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
@@ -69,6 +69,10 @@ bool StructTraits<viz::mojom::BitmapInSharedMemoryDataView, SkBitmap>::Read(
if (!mapping_ptr->IsValid())
return false;
+ if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) {
+ return false;
+ }
+
if (!sk_bitmap->installPixels(image_info, mapping_ptr->memory(),
data.row_bytes(), &DeleteSharedMemoryMapping,
mapping_ptr.get())) {
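Review bot: The added size check is correct but unexplained, and its safety depends on a property of `computeByteSize` that the reader has to know: Skia returns SIZE_MAX when the byte-size computation overflows, which makes the `<` comparison fail closed. Suggest a comment above the check: `// The mapping must hold the whole image, not just one row. computeByteSize() returns SIZE_MAX on overflow, so an overflowed size is also rejected.` The enclosing `Read` continues outside the hunk.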
From 060d3aa868d6f4403a9416fe34b48ffbfcfe19cb Mon Sep 17 00:00:00 2001
From: Shahbaz Youssefi <syoussefi@chromium.org>
Date: Mon, 25 Mar 2024 14:46:56 -0400
Subject: [PATCH] [Backport] CVE-2024-3516: Heap buffer overflow in ANGLE
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/5391986:
Translator: Disallow samplers in structs in interface blocks
As disallowed by the spec:
> Types and declarators are the same as for other uniform variable
> declarations outside blocks, with these exceptions:
>
> * opaque types are not allowed
Bug: chromium:328859176
Change-Id: Ib94977860102329e520e635c3757827c93ca2163
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5391986
Auto-Submit: Shahbaz Youssefi <syoussefi@chromium.org>
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554670
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
.../src/compiler/translator/ParseContext.cpp | 33 ++++++++++++-------
1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
index 84a0c8fd9e0d..3e8a4a71ff67 100644
--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
@@ -34,27 +34,39 @@ namespace
const int kWebGLMaxStructNesting = 4;
-bool ContainsSampler(const TStructure *structType);
+struct IsSamplerFunc
+{
+ bool operator()(TBasicType type) { return IsSampler(type); }
+};
+struct IsOpaqueFunc
+{
+ bool operator()(TBasicType type) { return IsOpaqueType(type); }
+};
+
+template <typename OpaqueFunc>
+bool ContainsOpaque(const TStructure *structType);
-bool ContainsSampler(const TType &type)
+template <typename OpaqueFunc>
+bool ContainsOpaque(const TType &type)
{
- if (IsSampler(type.getBasicType()))
+ if (OpaqueFunc{}(type.getBasicType()))
{
return true;
}
if (type.getBasicType() == EbtStruct)
{
- return ContainsSampler(type.getStruct());
+ return ContainsOpaque<OpaqueFunc>(type.getStruct());
}
return false;
}
-bool ContainsSampler(const TStructure *structType)
+template <typename OpaqueFunc>
+bool ContainsOpaque(const TStructure *structType)
{
for (const auto &field : structType->fields())
{
- if (ContainsSampler(*field->type()))
+ if (ContainsOpaque<OpaqueFunc>(*field->type()))
return true;
}
return false;
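Review bot: `IsSamplerFunc::operator()` and `IsOpaqueFunc::operator()` do not modify state and should be declared `const`, e.g. `bool operator()(TBasicType type) const { return IsSampler(type); }`, so the predicates can be used through a const object or a const reference; the template currently constructs a temporary, which hides this. The `ContainsOpaque` template pair also deserves a short comment stating that it recurses through nested struct fields and returns true as soon as any field satisfies the predicate, since the name alone does not say which basic-type test is applied.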
@@ -915,7 +927,7 @@ bool TParseContext::checkIsNotOpaqueType(const TSourceLoc &line,
{
if (pType.type == EbtStruct)
{
- if (ContainsSampler(pType.userDef))
+ if (ContainsOpaque<IsSamplerFunc>(pType.userDef))
{
std::stringstream reasonStream = sh::InitializeStream<std::stringstream>();
reasonStream << reason << " (structure contains a sampler)";
@@ -3900,12 +3912,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock(
{
TField *field = (*fieldList)[memberIndex];
TType *fieldType = field->type();
- if (IsOpaqueType(fieldType->getBasicType()))
+ if (ContainsOpaque<IsOpaqueFunc>(*fieldType))
{
- std::string reason("unsupported type - ");
- reason += fieldType->getBasicString();
- reason += " types are not allowed in interface blocks";
- error(field->line(), reason.c_str(), fieldType->getBasicString());
+ error(field->line(), "Opaque types are not allowed in interface blocks", blockName);
}
const TQualifier qualifier = fieldType->getQualifier();
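Review bot: The new diagnostic `error(field->line(), "Opaque types are not allowed in interface blocks", blockName)` names only the block; the replaced code at least reported the offending basic type, and when the opaque type is nested in a struct the user now gets no hint of which member is at fault. If `TField` exposes the member name (as it appears to, given `field->line()`), passing it as the token, or appending it to the reason string, would keep the message actionable. The enclosing `addInterfaceBlock` continues outside the hunk.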
From 2c61d151bd3fab48c7e03a4cbfca22fa09c9022c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>
Date: Thu, 14 Mar 2024 12:48:18 +0000
Subject: [PATCH] [Backport] CVE-2024-3839: Out of bounds read in Fonts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5361874:
Disable STAT sanitization/checks through OTS
Due to issues in upstream, OTS STAT sanitization does not provide an
added security benefit. Pass-through the STAT table.
Bug: chromium:41491859
Change-Id: I19dcd87376af553afe242452396b951a74691f3c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5361874
Commit-Queue: Dominik Röttsches <drott@chromium.org>
Reviewed-by: Koji Ishii <kojii@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1272710}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560661
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
.../blink/renderer/platform/fonts/web_font_decoder.cc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc b/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc
index e72f801016a3..dfae30c22c22 100644
--- src/3rdparty/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc
+++ src/3rdparty/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc
@@ -97,6 +97,7 @@ ots::TableAction BlinkOTSContext::GetTableAction(uint32_t tag) {
const uint32_t kCpalTag = OTS_TAG('C', 'P', 'A', 'L');
const uint32_t kCff2Tag = OTS_TAG('C', 'F', 'F', '2');
const uint32_t kSbixTag = OTS_TAG('s', 'b', 'i', 'x');
+ const uint32_t kStatTag = OTS_TAG('S', 'T', 'A', 'T');
#if HB_VERSION_ATLEAST(1, 0, 0)
const uint32_t kGdefTag = OTS_TAG('G', 'D', 'E', 'F');
const uint32_t kGposTag = OTS_TAG('G', 'P', 'O', 'S');
@@ -123,6 +124,7 @@ ots::TableAction BlinkOTSContext::GetTableAction(uint32_t tag) {
case kCpalTag:
case kCff2Tag:
case kSbixTag:
+ case kStatTag:
#if HB_VERSION_ATLEAST(1, 0, 0)
// Let HarfBuzz handle how to deal with broken tables.
case kAvarTag:
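Review bot: `case kStatTag:` is added to the pass-through list without a comment, and the existing comment on the `#if` branch below ("Let HarfBuzz handle how to deal with broken tables") does not cover it. Since this intentionally stops OTS from sanitizing STAT, the reason should live next to the case so nobody "fixes" it later: `// STAT is passed through unsanitized: OTS's STAT checks do not add security benefit (crbug.com/41491859).` The `switch` in `GetTableAction` continues outside the hunk.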
From 0594d0383b46e78d33fde62258ffb49b53d3c429 Mon Sep 17 00:00:00 2001
From: Liza Burakova <liza@chromium.org>
Date: Wed, 21 Feb 2024 19:02:15 +0000
Subject: [PATCH] [Backport] CVE-2024-3837: Use after free in QUIC
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5268864:
Check if session is going away in Handle::RequestStream.
This CL adds an extra check in the QuicChromiumClientSession
handle's RequestSession to make sure the session is not
marked as going away before creating a new StreamRequest.
Bug: 41491379
Change-Id: I687dfc23131871cdba345d3cf78dbbbd2e619ce9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5268864
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Commit-Queue: Liza Burakova <liza@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1263483}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560662
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
chromium/net/quic/quic_chromium_client_session.cc | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/chromium/net/quic/quic_chromium_client_session.cc b/chromium/net/quic/quic_chromium_client_session.cc
index 6e08826bbb0d..4bca38bd10db 100644
--- src/3rdparty/chromium/net/quic/quic_chromium_client_session.cc
+++ src/3rdparty/chromium/net/quic/quic_chromium_client_session.cc
@@ -500,7 +500,8 @@ int QuicChromiumClientSession::Handle::RequestStream(
const NetworkTrafficAnnotationTag& traffic_annotation) {
DCHECK(!stream_request_);
- if (!session_)
+ // TODO(crbug.com/41491379): Add a regression test.
+ if (!session_ || session_->going_away_)
return ERR_CONNECTION_CLOSED;
requires_confirmation |= session_->gquic_zero_rtt_disabled();
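Review bot: The new condition reads `session_->going_away_` as a raw member while the very next line uses an accessor (`session_->gquic_zero_rtt_disabled()`); for consistency and to keep the field's meaning encapsulated, an accessor such as `session_->going_away()` would read better, if the class provides one. The added `TODO` explains what is still missing but not why the check exists; a why-comment like `// A session that is going away will not accept new streams; refuse here rather than create a StreamRequest that can outlive the session.` would document the use-after-free this guards against. `RequestStream` continues outside the hunk.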
From 28c3af39d3bdaea88865f901d19862bf7d44199d Mon Sep 17 00:00:00 2001
From: Pete Williamson <petewil@chromium.org>
Date: Tue, 27 Feb 2024 00:19:05 +0000
Subject: [PATCH] [Backport] Security bug 40940917
Cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5293726:
Fix misalligned address in hunspell::NodeReader::ReaderForLookupAt
With the Hunspell spell checking library, we are using a custom wrapper
to read the dictionaries from files. In that custom wrapper, we were
reading by using reinterpret_cast to interpret an offset into a pointer,
and then reading the bytes at that pointer for the child_offset.
The spell checking code appears to have been working properly in the
field. However, the current code caused fuzzing test failures, and
those failures are blocking other tests, so we need to fix this to
unblock other tests.
It turns out that we were casting a value to a pointer that did not
have proper alignment (for instance, a pointer to a 32 bit int needs
to be 4 byte aligned, but this pointer was not). While it has often
worked in older compilers, it turns out this is undefined behavior.
Instead of relying on undefined behavior, the right thing to do is to
use std::memcpy to copy the bytes from the misaligned address into
their final destination (either an int32 or an int16 in this case).
Bug: 40940917
Change-Id: I8aeba9ee8000b51e98863813235d8dceb1c41ceb
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5293726
Commit-Queue: Peter Williamson <petewil@chromium.org>
Reviewed-by: Trevor Perrier <perrier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1265552}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560663
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
.../hunspell/google/bdict_reader.cc | 27 ++++++++++++++-----
1 file changed, 21 insertions(+), 6 deletions(-)
diff --git a/chromium/third_party/hunspell/google/bdict_reader.cc b/chromium/third_party/hunspell/google/bdict_reader.cc
index 70416a7c9048..70e4d4977ad5 100644
--- src/3rdparty/chromium/third_party/hunspell/google/bdict_reader.cc
+++ src/3rdparty/chromium/third_party/hunspell/google/bdict_reader.cc
@@ -5,6 +5,8 @@
#include "third_party/hunspell/google/bdict_reader.h"
#include <stdint.h>
+#include <cstdint>
+#include <cstring>
#include "base/check.h"
@@ -413,19 +415,32 @@ NodeReader::FindResult NodeReader::ReaderForLookupAt(
if (index >= static_cast<size_t>(lookup_num_chars()) || !is_valid_)
return FIND_DONE;
- size_t child_offset;
+ size_t child_offset = 0;
if (is_lookup_32()) {
// Table contains 32-bit absolute offsets.
- child_offset =
- reinterpret_cast<const unsigned int*>(table_begin)[index];
+
+ // We need to use memcpy here instead of just casting the offset into a
+ // pointer to an int because the cast can cause undefined behavior if
+ // the pointer is not alligned, and in this case it is not.
+ int byte_offset = index * sizeof(uint32_t);
+ std::memcpy(&child_offset,
+ reinterpret_cast<const void*>(table_begin + byte_offset),
+ sizeof(uint32_t));
if (!child_offset)
return FIND_NOTHING; // This entry in the table is empty.
} else {
// Table contains 16-bit offsets relative to the current node.
- child_offset =
- reinterpret_cast<const unsigned short*>(table_begin)[index];
- if (!child_offset)
+
+ // We need to use memcpy here instead of just casting the offset into a
+ // pointer to an int because the cast can cause undefined behavior if
+ // the pointer is not alligned, and in this case it is not.
+ int byte_offset = index * sizeof(uint16_t);
+ std::memcpy(&child_offset,
+ reinterpret_cast<const void*>(table_begin + byte_offset),
+ sizeof(uint16_t));
+ if (!child_offset) {
return FIND_NOTHING; // This entry in the table is empty.
+ }
child_offset += node_offset_;
}
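Review bot: The `std::memcpy(&child_offset, ..., sizeof(uint32_t))` and the 16-bit twin copy only the low element width into a `size_t`, so the result is correct only on little-endian hosts; on a big-endian host the bytes land in the high-order part of `child_offset` and the replaced pointer-cast code (which converted by value) did not have this problem. Copying into a `uint32_t`/`uint16_t` local of the table's element width and then assigning it also removes the `int byte_offset = index * sizeof(...)` narrowing of a `size_t` product to `int`. Minor: the include hunk above now has both `<stdint.h>` and `<cstdint>`, and the two added comments spell "alligned". `ReaderForLookupAt` continues outside the hunk.
```cpp
  if (is_lookup_32()) {
    // Table contains 32-bit absolute offsets. Read into a value of the
    // table's element width: a memcpy of 4 bytes straight into a size_t
    // only yields the right value on little-endian hosts.
    uint32_t entry = 0;
    std::memcpy(&entry, table_begin + index * sizeof(entry), sizeof(entry));
    child_offset = entry;
    // … unchanged: empty-entry check …
  } else {
    // Table contains 16-bit offsets relative to the current node.
    uint16_t entry = 0;
    std::memcpy(&entry, table_begin + index * sizeof(entry), sizeof(entry));
    child_offset = entry;
    // … unchanged: empty-entry check and node_offset_ adjustment …
  }
```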
From b4d43a76e4c334084400402c09620ef24870704e Mon Sep 17 00:00:00 2001
From: Shahbaz Youssefi <syoussefi@chromium.org>
Date: Mon, 8 Apr 2024 10:14:45 -0400
Subject: [PATCH] [Backport] CVE-2024-4058: Type Confusion in ANGLE
Partial manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/5466390:
SPIR-V: Fix const constructors with single scalar
These constructors may be generated because of
RemoveArrayLengthTraverser.
Bug: chromium:332546345
Change-Id: I2b2bf3728ef5bae148abc2a8518f8f3f42850025
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5462388
(cherry picked from commit 0b776d32f69a932acb61963d9daad9e13f610944)
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5466390
Commit-Queue: Zakhar Voit <voit@google.com>
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
Reviewed-by: Geoff Lang <geofflang@chromium.org>
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560664
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
.../third_party/angle/src/compiler/translator/Compiler.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/chromium/third_party/angle/src/compiler/translator/Compiler.cpp b/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
index 27975887086a..435d3b41b3a3 100644
--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
@@ -757,6 +757,11 @@ bool TCompiler::checkAndSimplifyAST(TIntermBlock *root,
{
return false;
}
+ // Fold the expressions again, because |RemoveArrayLengthMethod| can introduce new constants.
+ if (!FoldExpressions(this, root, &mDiagnostics))
+ {
+ return false;
+ }
if (!RemoveUnreferencedVariables(this, root, &mSymbolTable))
{
From dceba69334080559303f92fc4a6c6d01e7dcd00c Mon Sep 17 00:00:00 2001
From: Brendon Tiszka <tiszka@chromium.org>
Date: Sun, 3 Mar 2024 21:30:59 +0100
Subject: [PATCH] [Backport] Security bug 327698060
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5337387:
PaintOpReader: Harden PaintImage deserialization
Add missing validity check after `Read`
Bug: 327698060
Change-Id: I0aa5120296009998af3235a01304a1f597a82a33
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5337387
Commit-Queue: Khushal Sagar <khushalsagar@chromium.org>
Reviewed-by: Khushal Sagar <khushalsagar@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1267636}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560665
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
chromium/cc/paint/paint_op_reader.cc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/chromium/cc/paint/paint_op_reader.cc b/chromium/cc/paint/paint_op_reader.cc
index 0979f6630175..b6a9d8ca3641 100644
--- src/3rdparty/chromium/cc/paint/paint_op_reader.cc
+++ src/3rdparty/chromium/cc/paint/paint_op_reader.cc
@@ -309,6 +309,10 @@ void PaintOpReader::Read(PaintImage* image) {
case PaintOp::SerializedImageType::kImageData: {
SkColorType color_type;
Read(&color_type);
+ if (!valid_) {
+ return;
+ }
+
uint32_t width;
Read(&width);
uint32_t height;
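Review bot: The new `if (!valid_) return;` stops an unset `color_type` from being used, but the reads that follow leave `uint32_t width;` and `uint32_t height;` indeterminate on the same failure mode, and the visible lines show no check between them. Unless `Read` is guaranteed to zero its out-parameter on failure (not visible here), initialize them, `uint32_t width = 0;` and `uint32_t height = 0;`, or repeat the validity check after those reads, so a truncated payload can never reach a size computation with garbage dimensions. The enclosing `case` and `Read(PaintImage*)` continue outside the hunk.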
From 2b188075ed5f01cc9c09b5273b5e6177d7252a0e Mon Sep 17 00:00:00 2001
From: Geoff Lang <geofflang@chromium.org>
Date: Mon, 29 Apr 2024 15:27:36 -0400
Subject: [PATCH] [Backport] CVE-2024-4558: Use after free in ANGLE
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/angle/angle/+/5498735:
GL: Sync unpack state for glCompressedTexSubImage3D
Unpack state is supposed to be ignored for compressed tex image calls
but some drivers use it anyways and read incorrect data.
Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.
Bug: chromium:337766133
Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
Change-Id: I0736ceb1e3165f571358ae06a0287b3f5a98d425
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560666
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
.../third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp | 1 +
1 file changed, 1 insertion(+)
diff --git a/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp b/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp
index 035d4520b13b..0cfd21621bb3 100644
--- src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp
+++ src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp
@@ -579,6 +579,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context,
nativegl::GetCompressedSubTexImageFormat(functions, features, format);
stateManager->bindTexture(getType(), mTextureID);
+ ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack));
if (nativegl::UseTexImage2D(getType()))
{
ASSERT(area.z == 0 && area.depth == 1);
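Review bot: `ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack));` is added without a comment, yet the GL specification says unpack state is ignored for compressed uploads, so a later reader may remove it as redundant. Suggest `// Unpack state is specified to be ignored for compressed uploads, but some drivers honor it and read the wrong data; sync it explicitly.` above the call. `setCompressedSubImage` continues outside the hunk.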
From d553c9366aedad5701852427f8e1910381c4ff8b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= <marja@google.com>
Date: Tue, 26 Mar 2024 13:53:21 +0000
Subject: [PATCH] [Backport] CVE-2024-3914: Use after free in V8 (1/2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5387887:
[M120-LTS] Fix DOMArrayBuffer::IsDetached()
M120 merge issues:
third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc:
- Conflicting types for variable worlds
- Conflicting AllWorldsInIsolate() call (M120 doesn't use the last argument)
A DOMArrayBuffer was maintaining its own "is_detached_" state, and
would consider itself non-detached even if the corresponding
JSArrayBuffer (or, all of them, in case there are several) was
detached.
Piping in the v8::Isolate would be a too big change for this fix, so this is using v8::Isolate::GetCurrent() for now.
Bug: 330759272
Change-Id: I1e98ebd2066d2e59658db12f1bb419b6ebc1d706
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5387887
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1278283}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562706
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
.../core/typed_arrays/dom_array_buffer.cc | 50 +++++++++++++++++++
.../core/typed_arrays/dom_array_buffer.h | 13 +++++
.../core/typed_arrays/dom_array_buffer_base.h | 2 +-
3 files changed, 64 insertions(+), 1 deletion(-)
diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
index c456d15f2f50..38dcd3a35737 100644
--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
+++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
@@ -18,6 +18,15 @@ static void AccumulateArrayBuffersForAllWorlds(
v8::Isolate* isolate,
DOMArrayBuffer* object,
Vector<v8::Local<v8::ArrayBuffer>, 4>& buffers) {
+ if (!object->has_non_main_world_wrappers() && IsMainThread()) {
+ const DOMWrapperWorld& world = DOMWrapperWorld::MainWorld();
+ v8::Local<v8::Object> wrapper = world.DomDataStore().Get(object, isolate);
+ if (!wrapper.IsEmpty()) {
+ buffers.push_back(v8::Local<v8::ArrayBuffer>::Cast(wrapper));
+ }
+ return;
+ }
+
Vector<scoped_refptr<DOMWrapperWorld>> worlds;
DOMWrapperWorld::AllWorldsInCurrentThread(worlds);
for (const auto& world : worlds) {
@@ -155,6 +164,47 @@ DOMArrayBuffer* DOMArrayBuffer::Create(
return Create(std::move(contents));
}
+bool DOMArrayBuffer::IsDetached() const {
+ if (contents_.BackingStore() == nullptr) {
+ return is_detached_;
+ }
+ if (is_detached_) {
+ return true;
+ }
+
+ v8::Isolate* isolate = v8::Isolate::GetCurrent();
+ v8::HandleScope handle_scope(isolate);
+ Vector<v8::Local<v8::ArrayBuffer>, 4> buffer_handles;
+ AccumulateArrayBuffersForAllWorlds(isolate, const_cast<DOMArrayBuffer*>(this), buffer_handles);
+
+ // There may be several v8::ArrayBuffers corresponding to the DOMArrayBuffer,
+ // but at most one of them may be non-detached.
+ int nondetached_count = 0;
+ int detached_count = 0;
+
+ for (const auto& buffer_handle : buffer_handles) {
+ if (buffer_handle->WasDetached()) {
+ ++detached_count;
+ } else {
+ ++nondetached_count;
+ }
+ }
+ CHECK_LE(nondetached_count, 1);
+
+ return nondetached_count == 0 && detached_count > 0;
+}
+
+v8::Local<v8::Object> DOMArrayBuffer::AssociateWithWrapper(
+ v8::Isolate* isolate,
+ const WrapperTypeInfo* wrapper_type_info,
+ v8::Local<v8::Object> wrapper) {
+ if (!DOMWrapperWorld::Current(isolate).IsMainWorld()) {
+ has_non_main_world_wrappers_ = true;
+ }
+ return ScriptWrappable::AssociateWithWrapper(isolate, wrapper_type_info,
+ wrapper);
+}
+
DOMArrayBuffer* DOMArrayBuffer::Slice(size_t begin, size_t end) const {
begin = std::min(begin, ByteLengthAsSizeT());
end = std::min(end, ByteLengthAsSizeT());
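Review bot: `IsDetached()` calls `v8::Isolate::GetCurrent()` and immediately constructs a `v8::HandleScope` on the result; if no isolate is entered on the calling thread, `GetCurrent()` can return null and the scope construction fails hard. The commit message acknowledges `GetCurrent()` is a stopgap, so the stopgap should at least degrade to the old answer: `if (!isolate) return is_detached_;` before the `HandleScope`. The `const_cast` on `this` also deserves a one-line comment noting that `AccumulateArrayBuffersForAllWorlds` only reads the object. `CHECK_LE(nondetached_count, 1)` is revisited by the follow-up patch on this page and is not re-raised here.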
diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
index e9a85d38d4d4..b1820dfa8408 100644
--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
+++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
@@ -79,8 +79,21 @@ class CORE_EXPORT DOMArrayBuffer final : public DOMArrayBufferBase {
v8::Local<v8::Value> Wrap(v8::Isolate*,
v8::Local<v8::Object> creation_context) override;
+ bool IsDetached() const override;
+
+ v8::Local<v8::Object> AssociateWithWrapper(
+ v8::Isolate* isolate,
+ const WrapperTypeInfo* wrapper_type_info,
+ v8::Local<v8::Object> wrapper) override;
+
+ bool has_non_main_world_wrappers() const {
+ return has_non_main_world_wrappers_;
+ }
+
private:
bool TransferDetachable(v8::Isolate*, ArrayBufferContents& result);
+
+ bool has_non_main_world_wrappers_ = false;
};
} // namespace blink
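Review bot: The new `IsDetached() const override` and `has_non_main_world_wrappers()` are declared without any comment, although the override is no longer a plain field read. Suggested header comments: above `IsDetached`, `// Also consults the v8::ArrayBuffer wrappers in every world; requires a current v8::Isolate.`, and above the flag, `// Set when a wrapper for this buffer is created outside the main world; this patch never clears it.` The second sentence is worth stating because the flag is read by the fast path in the .cc file, and a stale value there would skip the per-world walk.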
diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h
index e99cce60dd7f..3ae9a4360e85 100644
--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h
+++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h
@@ -33,7 +33,7 @@ class CORE_EXPORT DOMArrayBufferBase : public ScriptWrappable {
return base::checked_cast<unsigned>(contents_.DataLength());
}
- bool IsDetached() const { return is_detached_; }
+ virtual bool IsDetached() const { return is_detached_; }
void Detach() { is_detached_ = true; }
From efda8125f55049957e196995dffafb6dc171eadf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= <marja@google.com>
Date: Thu, 4 Apr 2024 09:43:42 +0200
Subject: [PATCH] [Backport] CVE-2024-3914: Use after free in V8 (2/2)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Manual cherry-pick of patch originally reviewed on
https://chromium-review.googlesource.com/c/chromium/src/+/5419329:
[M120-LTS] Comment out a CHECK that a DOMAB has maximally one non-detached JSAB
Based on crash reports, this assumption is not true and has to be
investigated.
Removing this newly introduced CHECK to be able to merge fixes in this
area - we still violate this invariant, but the fixes are a step in
the right direction.
Fix in question:
https://chromium-review.googlesource.com/5387887
which also introduced this CHECK.
Bug: 330759272
Change-Id: I4ba52fee7ed8f45e352efd347e87df03d896ac3d
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5419329
Commit-Queue: Marja Hölttä <marja@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1282379}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562707
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
.../blink/renderer/core/typed_arrays/dom_array_buffer.cc | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
index 38dcd3a3573..69e332272dd 100644
--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
+++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
@@ -189,7 +189,11 @@ bool DOMArrayBuffer::IsDetached() const {
++nondetached_count;
}
}
- CHECK_LE(nondetached_count, 1);
+ // This CHECK fires even though it should not. TODO(330759272): Investigate
+ // under which conditions we end up with multiple non-detached JSABs for the
+ // same DOMAB and potentially restore this check.
+
+ // CHECK_LE(nondetached_count, 1);
return nondetached_count == 0 && detached_count > 0;
}
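Review bot: Commenting out `CHECK_LE(nondetached_count, 1)` removes the only signal that the one-non-detached-wrapper invariant is violated, while the return on the next line still relies on it (a buffer with two live wrappers is now quietly reported as not detached). Keep the violation observable without crashing release builds: `DCHECK_LE(nondetached_count, 1);`, or, if field data for the linked bug is wanted, `if (nondetached_count > 1) base::debug::DumpWithoutCrashing();`. Either replaces the commented-out line, which should not stay in the source; the TODO comment already points at the bug. `IsDetached()` begins outside this hunk.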
From 91b3c705d739f6b6c58da6133e8e818e06dfcaa3 Mon Sep 17 00:00:00 2001
From: Victor Gomes <victorgomes@chromium.org>
Date: Thu, 21 Mar 2024 09:59:19 +0100
Subject: [PATCH] [Backport] Security bug 329699609
Manual backport of patch originally reviewed on
https://chromium-review.googlesource.com/c/v8/v8/+/5378286:
Deal with large strings in NoSideEffectsErrorToString
If name is too big, StringBuilder will fail to add even the
"<a very large string>" suffix.
In this case, we truncate name first.
Bug: 329699609
Change-Id: I6e4440c07eae84371f44b54f88127e2c70af0db5
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378286
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Patrick Thier <pthier@chromium.org>
Auto-Submit: Victor Gomes <victorgomes@chromium.org>
Cr-Commit-Position: refs/heads/main@{#92932}
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562708
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
chromium/v8/src/objects/objects.cc | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc
index 7b38609e347..7820c7e8e58 100644
--- src/3rdparty/chromium/v8/src/objects/objects.cc
+++ src/3rdparty/chromium/v8/src/objects/objects.cc
@@ -425,14 +425,27 @@ Handle<String> NoSideEffectsErrorToString(Isolate* isolate,
if (name_str->length() == 0) return msg_str;
if (msg_str->length() == 0) return name_str;
- IncrementalStringBuilder builder(isolate);
- builder.AppendString(name_str);
- builder.AppendCString(": ");
+ constexpr const char error_suffix[] = "<a very large string>";
+ constexpr int error_suffix_size = sizeof(error_suffix);
+ int suffix_size = std::min(error_suffix_size, msg_str->length());
- if (builder.Length() + msg_str->length() <= String::kMaxLength) {
- builder.AppendString(msg_str);
+ IncrementalStringBuilder builder(isolate);
+ if (name_str->length() + suffix_size + 2 /* ": " */ > String::kMaxLength) {
+ constexpr const char connector[] = "... : ";
+ int connector_size = sizeof(connector);
+ Handle<String> truncated_name = isolate->factory()->NewProperSubString(
+ name_str, 0, name_str->length() - error_suffix_size - connector_size);
+ builder.AppendString(truncated_name);
+ builder.AppendCString(connector);
+ builder.AppendCString(error_suffix);
} else {
- builder.AppendCString("<a very large string>");
+ builder.AppendString(name_str);
+ builder.AppendCString(": ");
+ if (builder.Length() + msg_str->length() <= String::kMaxLength) {
+ builder.AppendString(msg_str);
+ } else {
+ builder.AppendCString(error_suffix);
+ }
}
return builder.Finish().ToHandleChecked();
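Review bot: `error_suffix_size` and `connector_size` are taken with `sizeof` on string literals, so each includes the terminating NUL and is one larger than the text `AppendCString` actually appends; the arithmetic stays safe (the result is just two characters shorter than necessary), but it reads as an exact length computation and invites a wrong "fix" later. Make the intent explicit with `constexpr int error_suffix_size = sizeof(error_suffix) - 1;  // exclude NUL` and the same for `connector_size`, which should also be `constexpr` like its sibling. With exact sizes the truncated result has exactly the original name's length, which is already known to fit, and a one-line comment on the `if` naming the budget (`name + ": " + suffix` must fit in `String::kMaxLength`) would make the branch self-explanatory. `NoSideEffectsErrorToString` begins and ends outside this hunk.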
From d3cb500c1d4b0508f3f21bb568c095984c614fcf Mon Sep 17 00:00:00 2001
From: "Jason E. Hale" <jhale@FreeBSD.org>
Date: Thu, 20 Jun 2024 23:42:33 -0400
Subject: [PATCH] [Backport] Fixup CVE-2024-3914: Use after free in V8 (1/2)
Manual backport of requisite method WasDetached() in V8.
---
chromium/v8/include/v8.h | 8 ++++++++
chromium/v8/src/api/api.cc | 4 ++++
2 files changed, 12 insertions(+)
diff --git a/chromium/v8/include/v8.h b/chromium/v8/include/v8.h
index 32687d90b5f..8a1b437bb06 100644
--- src/3rdparty/chromium/v8/include/v8.h
+++ src/3rdparty/chromium/v8/include/v8.h
@@ -5299,6 +5299,11 @@ class V8_EXPORT ArrayBuffer : public Object {
*/
bool IsDetachable() const;
+ /**
+ * Returns true if this ArrayBuffer has been detached.
+ */
+ bool WasDetached() const;
+
/**
* Detaches this ArrayBuffer and all its views (typed arrays).
* Detaching sets the byte length of the buffer and all typed arrays to zero,
@@ -5349,6 +5354,9 @@ class V8_EXPORT ArrayBuffer : public Object {
* should not attempt to manage lifetime of the storage through other means.
*
* This function replaces both Externalize() and GetContents().
+ *
+ * The returned shared pointer will not be empty, even if the ArrayBuffer has
+ * been detached. Use |WasDetached| to tell if it has been detached instead.
*/
std::shared_ptr<BackingStore> GetBackingStore();
diff --git a/chromium/v8/src/api/api.cc b/chromium/v8/src/api/api.cc
index b6f9d12769e..05d31a7cedf 100644
--- src/3rdparty/chromium/v8/src/api/api.cc
+++ src/3rdparty/chromium/v8/src/api/api.cc
@@ -7386,6 +7386,10 @@ bool v8::ArrayBuffer::IsDetachable() const {
return Utils::OpenHandle(this)->is_detachable();
}
+bool v8::ArrayBuffer::WasDetached() const {
+ return Utils::OpenHandle(this)->was_detached();
+}
+
namespace {
// The backing store deleter just deletes the indirection, which downrefs
// the shared pointer. It will get collected normally.
|