diff --git a/www/qt5-webengine/Makefile b/www/qt5-webengine/Makefile
index 261a0f2559f3..9b1dbab6880c 100644
--- a/www/qt5-webengine/Makefile
+++ b/www/qt5-webengine/Makefile
@@ -1,172 +1,173 @@ # QtWebEngine itself is a very thin layer of Qt code on top of a large part of # Chromium (everything up to the content/ layer). As such, most of the work in # this port revolves around taming Chromium and getting it to build on FreeBSD. # While it does build at the moment, there are several items that should be # investigated or improved: # - We are using several stub files, especially in Chromium's base/ and net/ # layers. We should look at implementing the missing bits instead. # - We are currently not using any sandboxing mechanism. # - We need to see if more "use_system_" flags can be passed. # - The process of porting QtWebEngine needs to be documented so we can move to # newer releases more easily. # # Also note that, due to the insane amount of patches this port needs, it tends # to lag behind the rest of the official Qt5 ones, which is why we set # QT5_VERSION and DISTINFO_FILE here. # In order to successfully build this port in poudriere you need to add # MAX_FILES_qt5_webengine=4096 to /usr/local/etc/poudriere.conf PORTNAME= webengine DISTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH} +PORTREVISION= 1 CATEGORIES= www PKGNAMEPREFIX= qt5- MAINTAINER= kde@FreeBSD.org COMMENT= Qt 5 library to render web content BUILD_DEPENDS= bison:devel/bison \ ${LOCALBASE}/include/linux/input.h:devel/evdev-proto \ ${LOCALBASE}/include/linux/videodev2.h:multimedia/v4l_compat \ ${PYTHON_PKGNAMEPREFIX}html5lib>0:www/py-html5lib@${PY_FLAVOR} LIB_DEPENDS= libavcodec.so:multimedia/ffmpeg \ libdbus-1.so:devel/dbus \ libdouble-conversion.so:devel/double-conversion \ libevent.so:devel/libevent \ libfontconfig.so:x11-fonts/fontconfig \ libfreetype.so:print/freetype2 \ libharfbuzz.so:print/harfbuzz \ libjsoncpp.so:devel/jsoncpp \ liblcms2.so:graphics/lcms2 \ libnspr4.so:devel/nspr \ libnss3.so:security/nss \ libopenh264.so:multimedia/openh264 \ libopus.so:audio/opus \ libpci.so:devel/libpci \ libpng.so:graphics/png \ libre2.so:devel/re2 \ libsnappy.so:archivers/snappy \ 
libvpx.so:multimedia/libvpx \ libwebp.so:graphics/webp DISTINFO_FILE= ${.CURDIR}/distinfo QT5_VERSION= ${_KDE_webengine_VERSION} OPTIONS_SINGLE= AUDIO OPTIONS_SINGLE_AUDIO= ALSA PULSEAUDIO SNDIO OPTIONS_DEFAULT= ALSA AUDIO_DESC= Audio backend # Need the alsa plugins to get sound at runtime, otherwise messages # that the pcm_oss plugin can't be opened. ALSA_LIB_DEPENDS= libasound.so:audio/alsa-lib ALSA_RUN_DEPENDS= alsa-plugins>=0:audio/alsa-plugins ALSA_VARS= QMAKE_CONFIGURE_ARGS+=-alsa ALSA_VARS_OFF= QMAKE_CONFIGURE_ARGS+=-no-alsa PULSEAUDIO_LIB_DEPENDS= libpulse.so:audio/pulseaudio PULSEAUDIO_VARS= QMAKE_CONFIGURE_ARGS+=-pulseaudio PULSEAUDIO_VARS_OFF= QMAKE_CONFIGURE_ARGS+=-no-pulseaudio SNDIO_LIB_DEPENDS= libsndio.so:audio/sndio SNDIO_VARS= QMAKE_CONFIGURE_ARGS+=-sndio SNDIO_VARS_OFF= QMAKE_CONFIGURE_ARGS+=-no-sndio # We pass `norecursive' to USES=qmake because src/plugins/plugins.pro checks # whether webenginewidgets is available, which fails when qmake processes all # .pro files at once. USES= gl gnome gperf jpeg minizip ninja:build nodejs:build,lts \ perl5 pkgconfig python:build qmake:norecursive,outsource \ qt-dist:5,webengine shebangfix xorg USE_GL= gl USE_GNOME= glib20 libxml2 libxslt USE_PERL5= build USE_QT= core declarative gui location network printsupport \ webchannel widgets \ buildtools:build designer:build qmake:build USE_XORG= x11 xcb xcomposite xcursor xdamage xext xfixes xi xkbfile \ xorgproto xrandr xrender xscrnsaver xtst QMAKE_CONFIGURE_ARGS= -proprietary-codecs -system-ffmpeg # We could just set it to an empty string as well. "all" does not account for # dependencies correctly in the generated Makefiles, use the right target here. ALL_TARGET= first # We need ar(1) from ports because the Chromium code uses the @file syntax. # We then need to ensure ld(1) from ports is used because of the archives ar(1) # generated. 
USE_BINUTILS= yes CC+= "-B${LOCALBASE}/bin" CXX+= "-B${LOCALBASE}/bin" # The build system reads the environment variable $NINJA_PATH to decide whether # to boostrap ninja or not (and also to invoke it afterwards). CC and CXX are # read by some Chromium code to determine which compiler to invoke when running # some configuration tests. # Since we use USES=qmake:norecursive, we also need to pass some variables to # MAKE_ENV because part of the configuration process happens during the build. CONFIGURE_ENV+= NINJAFLAGS="-j${MAKE_JOBS_NUMBER}" \ NINJA_PATH="${LOCALBASE}/bin/ninja" \ PATH=${CONFIGURE_WRKSRC}/bin:${LOCALBASE}/bin:${PATH} MAKE_ENV+= CC="${CC}" CXX="${CXX}" \ C_INCLUDE_PATH=${LOCALBASE}/include \ CPLUS_INCLUDE_PATH=${LOCALBASE}/include \ ${CONFIGURE_ENV} QT_BINARIES= yes .include .if ${ARCH:Mmips*} || ${ARCH:Mpowerpc*} PLIST_SUB+= BE="" LE="@comment " .else PLIST_SUB+= BE="@comment " LE="" .endif post-extract: # Install FreeBSD's freebsd.pri file. ${CP} ${FILESDIR}/freebsd.pri ${WRKSRC}/src/buildtools/config/freebsd.pri post-extract-SNDIO-on: @cd ${WRKSRC}/src/3rdparty/chromium/media/audio && ${MKDIR} sndio openbsd @${CP} ${FILESDIR}/sndio_*put.* \ ${WRKSRC}/src/3rdparty/chromium/media/audio/sndio @${CP} ${FILESDIR}/audio_manager_openbsd.* \ ${WRKSRC}/src/3rdparty/chromium/media/audio/openbsd post-patch: @${REINPLACE_CMD} -e 's|%%LOCALBASE%%|${LOCALBASE}|' \ ${WRKSRC}/src/3rdparty/chromium/base/linux_util.cc \ ${WRKSRC}/src/3rdparty/chromium/base/test/BUILD.gn \ ${WRKSRC}/src/3rdparty/chromium/build/toolchain/gcc_toolchain.gni \ ${WRKSRC}/src/3rdparty/chromium/chrome/common/chrome_paths.cc \ ${WRKSRC}/src/3rdparty/chromium/third_party/pdfium/core/fxge/fx_ge_linux.cpp \ ${WRKSRC}/src/3rdparty/gn/build/gen.py @${REINPLACE_CMD} -E -e 's|^(MODULE_VERSION = ).*|\1${QT5_VERSION}|' \ ${WRKSRC}/.qmake.conf .if ${ARCH:Mmips*} || ${ARCH:Mpowerpc*} @${REINPLACE_CMD} -e 's/icudtl.dat/icudtb.dat/' \ ${WRKSRC}/src/core/core_module.pro .endif pre-configure: # Link in 
${PYTHON_CMD} to ${CONFIGURE_WRKSRC}/bin -- the scripts hardcode 'python' # in too many places to reasonably patch. So just link in ${PYTHON_CMD} to work around # $LOCALBASE/bin/python being python3 if the default versions is set to 3.x. ${MKDIR} ${CONFIGURE_WRKSRC}/bin && ${LN} -s ${PYTHON_CMD} ${CONFIGURE_WRKSRC}/bin/python # Unbundle a few dependencies. cd ${WRKSRC}/src/3rdparty/chromium && ${SETENV} ${CONFIGURE_ENV} ${PYTHON_CMD} \ ./build/linux/unbundle/replace_gn_files.py --system-libraries\ fontconfig freetype harfbuzz-ng libdrm libevent libpng libwebp libxml libxslt openh264 opus || ${FALSE} # Rerun syncqt.pl -- otherwise the resulting package misses some forwarding headers. cd ${WRKSRC} && ${QT_BINDIR}/syncqt.pl -version ${QT5_VERSION} post-build: # Fix version mismatches for CMake .for module in Pdf PdfWidgets WebEngine WebEngineCore WebEngineWidgets @${REINPLACE_CMD} -e '/${QT5_VERSION} $${_Qt5${module}_FIND_VERSION_EXACT}/s|${QT5_VERSION}|'"$$(${MAKE} -C ../../devel/qt5-core -VQT5_VERSION)"'|' \ ${BUILD_WRKSRC}/lib/cmake/Qt5${module}/Qt5${module}Config.cmake .endfor .include diff --git a/www/qt5-webengine/files/patch-security-rollup b/www/qt5-webengine/files/patch-security-rollup index e0554d3d7c61..b27b8cec77c9 100644 --- a/www/qt5-webengine/files/patch-security-rollup +++ b/www/qt5-webengine/files/patch-security-rollup @@ -1,273 +1,891 @@ Add security patches to this file. Addresses the following security issues: - Security bug 329674887 - CVE-2024-3157 - CVE-2024-3516 +- CVE-2024-3839 +- CVE-2024-3837 +- Security bug 40940917 +- CVE-2024-4058 +- Security bug 327698060 +- CVE-2024-4558 +- CVE-2024-3914 +- Security bug 329699609 From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001 
From: Marco Paniconi Date: Wed, 13 Mar 2024 10:58:17 -0700 Subject: [PATCH] [Backport] Security bug 329674887 (1/2) Cherry-pick of patch orignally reviewed on https://chromium-review.googlesource.com/c/webm/libvpx/+/5370376: Fix to buffer alloc for vp9_bitstream_worker_data The code was using the bitstream_worker_data when it wasn't allocated for big enough size. This is because the existing condition was to only re-alloc the bitstream_worker_data when current dest_size was larger than the current frame_size. But under resolution change where frame_size is increased, beyond the current dest_size, we need to allow re-alloc to the new size. The existing condition to re-alloc when dest_size is larger than frame_size (which is not required) is kept for now. Also increase the dest_size to account for image format. Added tests, for both ROW_MT=0 and 1, that reproduce the failures in the bugs below. Note: this issue only affects the REALTIME encoding path. Bug: b/329088759, b/329674887, b/329179808 Change-Id: Icd65dbc5317120304d803f648d4bd9405710db6f Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554667 Reviewed-by: Allan Sandfeld Jensen --- .../source/libvpx/vp9/encoder/vp9_bitstream.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c index 3eff4ce830d1..22db39714922 100644 --- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c +++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c 
@@ -963,6 +963,14 @@ void vp9_bitstream_encode_tiles_buffer_dealloc(VP9_COMP *const cpi) { } } +static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) { + VP9_COMMON *const cm = &cpi->common; + const int image_bps = + (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) * + (1 + (cm->bit_depth > 8)); + return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; +} + static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { int i; const size_t worker_data_size = @@ -972,7 +980,7 @@ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { if (!cpi->vp9_bitstream_worker_data) return 1; for (i = 1; i < cpi->num_workers; ++i) { cpi->vp9_bitstream_worker_data[i].dest_size = - cpi->oxcf.width * cpi->oxcf.height; + encode_tiles_buffer_alloc_size(cpi); cpi->vp9_bitstream_worker_data[i].dest = vpx_malloc(cpi->vp9_bitstream_worker_data[i].dest_size); if (!cpi->vp9_bitstream_worker_data[i].dest) return 1; @@ -989,8 +997,8 @@ static size_t encode_tiles_mt(VP9_COMP *cpi, uint8_t *data_ptr) { int tile_col = 0; if (!cpi->vp9_bitstream_worker_data || - cpi->vp9_bitstream_worker_data[1].dest_size > - (cpi->oxcf.width * cpi->oxcf.height)) { + cpi->vp9_bitstream_worker_data[1].dest_size != + encode_tiles_buffer_alloc_size(cpi)) { vp9_bitstream_encode_tiles_buffer_dealloc(cpi); if (encode_tiles_buffer_alloc(cpi)) return 0; } From 7c81b9390d837ffbaccb1846db64960b4a79626f Mon Sep 17 00:00:00 2001 
From: Marco Paniconi Date: Sat, 16 Mar 2024 10:39:28 -0700 Subject: [PATCH] [Backport] Security bug 329674887 (2/2) Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/webm/libvpx/+/5375794: vp9: fix to integer overflow test failure for the 16k test: issue introduced in: c29e637283 Bug: b/329088759, b/329674887, b/329179808 Change-Id: I88e8a36b7f13223997c3006c84aec9cfa48c0bcf Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554668 Reviewed-by: Allan Sandfeld Jensen --- .../libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c index 22db3971492..645ba6ebb3a 100644 --- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c +++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c @@ -968,7 +968,9 @@ static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) { const int image_bps = (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) * (1 + (cm->bit_depth > 8)); - return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; + const int64_t size = + (int64_t)cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; + return (int)size; } static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { From 11ecd608320b14500f912e827b5b0eab285b8142 Mon Sep 17 00:00:00 2001 
From: kylechar Date: Tue, 9 Apr 2024 17:14:26 +0000 Subject: [PATCH] [Backport] CVE-2024-3157: Out of bounds write in Compositing Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/5420432: Validate buffer length The BitmapInSharedMemory mojo traits were only validating row length and not total buffer length. (cherry picked from commit 1a19ff70bd54847d818566bd7a1e7c384c419746) (cherry picked from commit f15315f1cb7897e208947a40d538aac693283d7f) Bug: 331237485 Change-Id: Ia2318899c44e9e7ac72fc7183954e6ce2c702179 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5396796 Commit-Queue: Kyle Charbonneau Cr-Original-Original-Commit-Position: refs/heads/main@{#1278417} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5420432 Commit-Queue: danakj Cr-Original-Commit-Position: refs/branch-heads/6312@{#786} Cr-Original-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506} Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5433678 Reviewed-by: danakj Reviewed-by: Kyle Charbonneau Cr-Commit-Position: refs/branch-heads/6099@{#2003} Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362} Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554669 Reviewed-by: Allan Sandfeld Jensen --- .../cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc b/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc index f602fa100477..c6d84002b3e4 100644 --- src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc +++ src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc 
@@ -69,6 +69,10 @@ bool StructTraits::Read( if (!mapping_ptr->IsValid()) return false; + if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) { + return false; + } + if (!sk_bitmap->installPixels(image_info, mapping_ptr->memory(), data.row_bytes(), &DeleteSharedMemoryMapping, mapping_ptr.get())) { From 060d3aa868d6f4403a9416fe34b48ffbfcfe19cb Mon Sep 17 00:00:00 2001 From: Shahbaz Youssefi Date: Mon, 25 Mar 2024 14:46:56 -0400 Subject: [PATCH] [Backport] CVE-2024-3516: Heap buffer overflow in ANGLE Cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/angle/angle/+/5391986: Translator: Disallow samplers in structs in interface blocks As disallowed by the spec: > Types and declarators are the same as for other uniform variable > declarations outside blocks, with these exceptions: > > * opaque types are not allowed Bug: chromium:328859176 Change-Id: Ib94977860102329e520e635c3757827c93ca2163 Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5391986 Auto-Submit: Shahbaz Youssefi Reviewed-by: Geoff Lang Commit-Queue: Shahbaz Youssefi Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554670 Reviewed-by: Allan Sandfeld Jensen --- .../src/compiler/translator/ParseContext.cpp | 33 ++++++++++++------- 1 file changed, 21 insertions(+), 12 deletions(-) diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp index 84a0c8fd9e0d..3e8a4a71ff67 100644 --- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp +++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp 
@@ -34,27 +34,39 @@ namespace const int kWebGLMaxStructNesting = 4; -bool ContainsSampler(const TStructure *structType); +struct IsSamplerFunc +{ + bool operator()(TBasicType type) { return IsSampler(type); } +}; +struct IsOpaqueFunc +{ + bool operator()(TBasicType type) { return IsOpaqueType(type); } +}; + +template +bool ContainsOpaque(const TStructure *structType); -bool ContainsSampler(const TType &type) +template +bool ContainsOpaque(const TType &type) { - if (IsSampler(type.getBasicType())) + if (OpaqueFunc{}(type.getBasicType())) { return true; } if (type.getBasicType() == EbtStruct) { - return ContainsSampler(type.getStruct()); + return ContainsOpaque(type.getStruct()); } return false; } -bool ContainsSampler(const TStructure *structType) +template +bool ContainsOpaque(const TStructure *structType) { for (const auto &field : structType->fields()) { - if (ContainsSampler(*field->type())) + if (ContainsOpaque(*field->type())) return true; } return false; @@ -915,7 +927,7 @@ bool TParseContext::checkIsNotOpaqueType(const TSourceLoc &line, { if (pType.type == EbtStruct) { - if (ContainsSampler(pType.userDef)) + if (ContainsOpaque(pType.userDef)) { std::stringstream reasonStream = sh::InitializeStream(); reasonStream << reason << " (structure contains a sampler)"; 
@@ -3900,12 +3912,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock( { TField *field = (*fieldList)[memberIndex]; TType *fieldType = field->type(); - if (IsOpaqueType(fieldType->getBasicType())) + if (ContainsOpaque(*fieldType)) { - std::string reason("unsupported type - "); - reason += fieldType->getBasicString(); - reason += " types are not allowed in interface blocks"; - error(field->line(), reason.c_str(), fieldType->getBasicString()); + error(field->line(), "Opaque types are not allowed in interface blocks", blockName); } const TQualifier qualifier = fieldType->getQualifier(); +From 2c61d151bd3fab48c7e03a4cbfca22fa09c9022c Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= +Date: Thu, 14 Mar 2024 12:48:18 +0000 +Subject: [PATCH] [Backport] CVE-2024-3839: Out of bounds read in Fonts +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5361874: +Disable STAT sanitization/checks through OTS + +Due to issues in upstream, OTS STAT sanitization does not provide an +added security benefit. Pass-through the STAT table. 
+ +Bug: chromium:41491859 +Change-Id: I19dcd87376af553afe242452396b951a74691f3c +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5361874 +Commit-Queue: Dominik Röttsches +Reviewed-by: Koji Ishii +Cr-Commit-Position: refs/heads/main@{#1272710} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560661 +Reviewed-by: Michal Klocek +--- + .../blink/renderer/platform/fonts/web_font_decoder.cc | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc b/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc +index e72f801016a3..dfae30c22c22 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc +@@ -97,6 +97,7 @@ ots::TableAction BlinkOTSContext::GetTableAction(uint32_t tag) { + const uint32_t kCpalTag = OTS_TAG('C', 'P', 'A', 'L'); + const uint32_t kCff2Tag = OTS_TAG('C', 'F', 'F', '2'); + const uint32_t kSbixTag = OTS_TAG('s', 'b', 'i', 'x'); ++ const uint32_t kStatTag = OTS_TAG('S', 'T', 'A', 'T'); + #if HB_VERSION_ATLEAST(1, 0, 0) + const uint32_t kGdefTag = OTS_TAG('G', 'D', 'E', 'F'); + const uint32_t kGposTag = OTS_TAG('G', 'P', 'O', 'S'); +@@ -123,6 +124,7 @@ ots::TableAction BlinkOTSContext::GetTableAction(uint32_t tag) { + case kCpalTag: + case kCff2Tag: + case kSbixTag: ++ case kStatTag: + #if HB_VERSION_ATLEAST(1, 0, 0) + // Let HarfBuzz handle how to deal with broken tables. + case kAvarTag: +From 0594d0383b46e78d33fde62258ffb49b53d3c429 Mon Sep 17 00:00:00 2001 +From: Liza Burakova +Date: Wed, 21 Feb 2024 19:02:15 +0000 +Subject: [PATCH] [Backport] CVE-2024-3837: Use after free in QUIC + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5268864: +Check if session is going away in Handle::RequestStream. 
+ +This CL adds an extra check in the QuicChromiumClientSession +handle's RequestSession to make sure the session is not +marked as going away before creating a new StreamRequest. + +Bug: 41491379 +Change-Id: I687dfc23131871cdba345d3cf78dbbbd2e619ce9 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5268864 +Reviewed-by: Kenichi Ishibashi +Commit-Queue: Liza Burakova +Cr-Commit-Position: refs/heads/main@{#1263483} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560662 +Reviewed-by: Michal Klocek +--- + chromium/net/quic/quic_chromium_client_session.cc | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/chromium/net/quic/quic_chromium_client_session.cc b/chromium/net/quic/quic_chromium_client_session.cc +index 6e08826bbb0d..4bca38bd10db 100644 +--- src/3rdparty/chromium/net/quic/quic_chromium_client_session.cc ++++ src/3rdparty/chromium/net/quic/quic_chromium_client_session.cc +@@ -500,7 +500,8 @@ int QuicChromiumClientSession::Handle::RequestStream( + const NetworkTrafficAnnotationTag& traffic_annotation) { + DCHECK(!stream_request_); + +- if (!session_) ++ // TODO(crbug.com/41491379): Add a regression test. ++ if (!session_ || session_->going_away_) + return ERR_CONNECTION_CLOSED; + + requires_confirmation |= session_->gquic_zero_rtt_disabled(); +From 28c3af39d3bdaea88865f901d19862bf7d44199d Mon Sep 17 00:00:00 2001 +From: Pete Williamson +Date: Tue, 27 Feb 2024 00:19:05 +0000 +Subject: [PATCH] [Backport] Security bug 40940917 + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5293726: +Fix misalligned address in hunspell::NodeReader::ReaderForLookupAt + +With the Hunspell spell checking library, we are using a custom wrapper +to read the dictionaries from files. In that custom wrapper, we were +reading by using reinterpret_cast to interpret an offset into a pointer, +and then reading the bytes at that pointer for the child_offset. 
+ +The spell checking code appears to have been working properly in the +field. However, the current code caused fuzzing test failures, and +those failures are blocking other tests, so we need to fix this to +unblock other tests. + +It turns out that we were casting a value to a pointer that did not +have proper alignment (for instance, a pointer to a 32 bit int needs +to be 4 byte allinged, but this pointer was not). While it has often +worked in older compilers, it turns out this is undefined behavior. + +Instead of relying on undefined behavior, the right thing to do is to +use std::memcpy to copy the bytes from the misalligned address into +their final destination (either an int32 or an int16 in this case). + +Bug: 40940917 +Change-Id: I8aeba9ee8000b51e98863813235d8dceb1c41ceb +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5293726 +Commit-Queue: Peter Williamson +Reviewed-by: Trevor Perrier +Cr-Commit-Position: refs/heads/main@{#1265552} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560663 +Reviewed-by: Michal Klocek +--- + .../hunspell/google/bdict_reader.cc | 27 ++++++++++++++----- + 1 file changed, 21 insertions(+), 6 deletions(-) + +diff --git a/chromium/third_party/hunspell/google/bdict_reader.cc b/chromium/third_party/hunspell/google/bdict_reader.cc +index 70416a7c9048..70e4d4977ad5 100644 +--- src/3rdparty/chromium/third_party/hunspell/google/bdict_reader.cc ++++ src/3rdparty/chromium/third_party/hunspell/google/bdict_reader.cc +@@ -5,6 +5,8 @@ + #include "third_party/hunspell/google/bdict_reader.h" + + #include ++#include ++#include + + #include "base/check.h" + +@@ -413,19 +415,32 @@ NodeReader::FindResult NodeReader::ReaderForLookupAt( + if (index >= static_cast(lookup_num_chars()) || !is_valid_) + return FIND_DONE; + +- size_t child_offset; ++ size_t child_offset = 0; + if (is_lookup_32()) { + // Table contains 32-bit absolute offsets. 
+- child_offset = +- reinterpret_cast(table_begin)[index]; ++ ++ // We need to use memcpy here instead of just casting the offset into a ++ // pointer to an int because the cast can cause undefined behavior if ++ // the pointer is not alligned, and in this case it is not. ++ int byte_offset = index * sizeof(uint32_t); ++ std::memcpy(&child_offset, ++ reinterpret_cast(table_begin + byte_offset), ++ sizeof(uint32_t)); + if (!child_offset) + return FIND_NOTHING; // This entry in the table is empty. + } else { + // Table contains 16-bit offsets relative to the current node. +- child_offset = +- reinterpret_cast(table_begin)[index]; +- if (!child_offset) ++ ++ // We need to use memcpy here instead of just casting the offset into a ++ // pointer to an int because the cast can cause undefined behavior if ++ // the pointer is not alligned, and in this case it is not. ++ int byte_offset = index * sizeof(uint16_t); ++ std::memcpy(&child_offset, ++ reinterpret_cast(table_begin + byte_offset), ++ sizeof(uint16_t)); ++ if (!child_offset) { + return FIND_NOTHING; // This entry in the table is empty. ++ } + child_offset += node_offset_; + } + +From b4d43a76e4c334084400402c09620ef24870704e Mon Sep 17 00:00:00 2001 +From: Shahbaz Youssefi +Date: Mon, 8 Apr 2024 10:14:45 -0400 +Subject: [PATCH] [Backport] CVE-2024-4058: Type Confusion in ANGLE + +Partial manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/angle/angle/+/5466390: +SPIR-V: Fix const constructors with single scalar + +These constructors may be generated because of +RemoveArrayLengthTraverser. 
+ +Bug: chromium:332546345 +Change-Id: I2b2bf3728ef5bae148abc2a8518f8f3f42850025 +Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5462388 +(cherry picked from commit 0b776d32f69a932acb61963d9daad9e13f610944) +Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5466390 +Commit-Queue: Zakhar Voit +Reviewed-by: Shahbaz Youssefi +Reviewed-by: Geoff Lang +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560664 +Reviewed-by: Michal Klocek +--- + .../third_party/angle/src/compiler/translator/Compiler.cpp | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/chromium/third_party/angle/src/compiler/translator/Compiler.cpp b/chromium/third_party/angle/src/compiler/translator/Compiler.cpp +index 27975887086a..435d3b41b3a3 100644 +--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp ++++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp +@@ -757,6 +757,11 @@ bool TCompiler::checkAndSimplifyAST(TIntermBlock *root, + { + return false; + } ++ // Fold the expressions again, because |RemoveArrayLengthMethod| can introduce new constants. 
++ if (!FoldExpressions(this, root, &mDiagnostics)) ++ { ++ return false; ++ } + + if (!RemoveUnreferencedVariables(this, root, &mSymbolTable)) + { +From dceba69334080559303f92fc4a6c6d01e7dcd00c Mon Sep 17 00:00:00 2001 +From: Brendon Tiszka +Date: Sun, 3 Mar 2024 21:30:59 +0100 +Subject: [PATCH] [Backport] Security bug 327698060 + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5337387: +PaintOpReader: Harden PaintImage deserialization + +Add missing validity check after `Read` + +Bug: 327698060 +Change-Id: I0aa5120296009998af3235a01304a1f597a82a33 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5337387 +Commit-Queue: Khushal Sagar +Reviewed-by: Khushal Sagar +Cr-Commit-Position: refs/heads/main@{#1267636} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560665 +Reviewed-by: Michal Klocek +Reviewed-by: Allan Sandfeld Jensen +--- + chromium/cc/paint/paint_op_reader.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/chromium/cc/paint/paint_op_reader.cc b/chromium/cc/paint/paint_op_reader.cc +index 0979f6630175..b6a9d8ca3641 100644 +--- src/3rdparty/chromium/cc/paint/paint_op_reader.cc ++++ src/3rdparty/chromium/cc/paint/paint_op_reader.cc +@@ -309,6 +309,10 @@ void PaintOpReader::Read(PaintImage* image) { + case PaintOp::SerializedImageType::kImageData: { + SkColorType color_type; + Read(&color_type); ++ if (!valid_) { ++ return; ++ } ++ + uint32_t width; + Read(&width); + uint32_t height; +From 2b188075ed5f01cc9c09b5273b5e6177d7252a0e Mon Sep 17 00:00:00 2001 +From: Geoff Lang +Date: Mon, 29 Apr 2024 15:27:36 -0400 +Subject: [PATCH] [Backport] CVE-2024-4558: Use after free in ANGLE + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/angle/angle/+/5498735: +GL: Sync unpack state for glCompressedTexSubImage3D + +Unpack state is supposed to be ignored for compressed tex image calls +but some drivers 
use it anyways and read incorrect data. + +Texture3DTestES3.PixelUnpackStateTexSubImage covers this case. + +Bug: chromium:337766133 +Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22 +Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735 +Commit-Queue: Shahbaz Youssefi + +Reviewed-by: Shahbaz Youssefi +Change-Id: I0736ceb1e3165f571358ae06a0287b3f5a98d425 +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560666 +Reviewed-by: Michal Klocek +--- + .../third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp b/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp +index 035d4520b13b..0cfd21621bb3 100644 +--- src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp ++++ src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp +@@ -579,6 +579,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context, + nativegl::GetCompressedSubTexImageFormat(functions, features, format); + + stateManager->bindTexture(getType(), mTextureID); ++ ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack)); + if (nativegl::UseTexImage2D(getType())) + { + ASSERT(area.z == 0 && area.depth == 1); +From d553c9366aedad5701852427f8e1910381c4ff8b Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= +Date: Tue, 26 Mar 2024 13:53:21 +0000 +Subject: [PATCH] [Backport] CVE-2024-3914: Use after free in V8 (1/2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Manual backport of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5387887: +[M120-LTS] Fix DOMArrayBuffer::IsDetached() + +M120 merge issues: + third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc: + - Conflicting types for variable worlds + - Conflicting AllWorldsInIsolate() call 
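Review bot: The added `ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack));` carries no comment, yet by the commit's own description the unpack state is supposed to be ignored for compressed uploads, so a later reader is likely to remove the call as redundant and silently reintroduce the bug; suggest `// Unpack state must not affect compressed uploads, but some drivers honor it and read the wrong bytes (crbug.com/337766133); keep it in sync.` directly above it. If the non-sub compressed upload path binds the texture the same way without syncing unpack state it presumably needs the same treatment, but that function is not in the hunk. `TextureGL::setCompressedSubImage` begins and continues outside the hunk.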
(M120 doesn't use the last argument) + +A DOMArrayBuffer was maintaining its own "is_detached_" state, and +would consider itself non-detached even if the corresponding +JSArrayBuffer (or, all of them, in case there are several) was +detached. + +Piping in the v8::Isolate would be a too big change for this fix, so this is using v8::Isolate::GetCurrent() for now. + +Bug: 330759272 +Change-Id: I1e98ebd2066d2e59658db12f1bb419b6ebc1d706 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5387887 +Commit-Queue: Marja Hölttä +Cr-Commit-Position: refs/heads/main@{#1278283} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562706 +Reviewed-by: Allan Sandfeld Jensen +--- + .../core/typed_arrays/dom_array_buffer.cc | 50 +++++++++++++++++++ + .../core/typed_arrays/dom_array_buffer.h | 13 +++++ + .../core/typed_arrays/dom_array_buffer_base.h | 2 +- + 3 files changed, 64 insertions(+), 1 deletion(-) + +diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc +index c456d15f2f50..38dcd3a35737 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc +@@ -18,6 +18,15 @@ static void AccumulateArrayBuffersForAllWorlds( + v8::Isolate* isolate, + DOMArrayBuffer* object, + Vector, 4>& buffers) { ++ if (!object->has_non_main_world_wrappers() && IsMainThread()) { ++ const DOMWrapperWorld& world = DOMWrapperWorld::MainWorld(); ++ v8::Local wrapper = world.DomDataStore().Get(object, isolate); ++ if (!wrapper.IsEmpty()) { ++ buffers.push_back(v8::Local::Cast(wrapper)); ++ } ++ return; ++ } ++ + Vector> worlds; + DOMWrapperWorld::AllWorldsInCurrentThread(worlds); + for (const auto& world : worlds) { +@@ -155,6 +164,47 @@ DOMArrayBuffer* DOMArrayBuffer::Create( + return Create(std::move(contents)); + } + ++bool 
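Review bot: The new fast path at the top of `AccumulateArrayBuffersForAllWorlds` returns after consulting only `DOMWrapperWorld::MainWorld()`, and its correctness hinges on `has_non_main_world_wrappers()` being raised before any isolated-world wrapper can exist; that coupling is not stated at the site, so a comment is warranted: `// Fast path: no wrapper has ever been associated in a non-main world (tracked by AssociateWithWrapper), so the main world holds the only v8::ArrayBuffer that can exist for this object.`. Whether every wrapper-creation path goes through that override cannot be verified from this hunk. The function's slow-path loop continues outside the hunk.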
DOMArrayBuffer::IsDetached() const { ++ if (contents_.BackingStore() == nullptr) { ++ return is_detached_; ++ } ++ if (is_detached_) { ++ return true; ++ } ++ ++ v8::Isolate* isolate = v8::Isolate::GetCurrent(); ++ v8::HandleScope handle_scope(isolate); ++ Vector, 4> buffer_handles; ++ AccumulateArrayBuffersForAllWorlds(isolate, const_cast(this), buffer_handles); ++ ++ // There may be several v8::ArrayBuffers corresponding to the DOMArrayBuffer, ++ // but at most one of them may be non-detached. ++ int nondetached_count = 0; ++ int detached_count = 0; ++ ++ for (const auto& buffer_handle : buffer_handles) { ++ if (buffer_handle->WasDetached()) { ++ ++detached_count; ++ } else { ++ ++nondetached_count; ++ } ++ } ++ CHECK_LE(nondetached_count, 1); ++ ++ return nondetached_count == 0 && detached_count > 0; ++} ++ ++v8::Local DOMArrayBuffer::AssociateWithWrapper( ++ v8::Isolate* isolate, ++ const WrapperTypeInfo* wrapper_type_info, ++ v8::Local wrapper) { ++ if (!DOMWrapperWorld::Current(isolate).IsMainWorld()) { ++ has_non_main_world_wrappers_ = true; ++ } ++ return ScriptWrappable::AssociateWithWrapper(isolate, wrapper_type_info, ++ wrapper); ++} ++ + DOMArrayBuffer* DOMArrayBuffer::Slice(size_t begin, size_t end) const { + begin = std::min(begin, ByteLengthAsSizeT()); + end = std::min(end, ByteLengthAsSizeT()); +diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h +index e9a85d38d4d4..b1820dfa8408 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h ++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h +@@ -79,8 +79,21 @@ class CORE_EXPORT DOMArrayBuffer final : public DOMArrayBufferBase { + v8::Local Wrap(v8::Isolate*, + v8::Local creation_context) override; + ++ bool IsDetached() const override; ++ ++ v8::Local AssociateWithWrapper( ++ v8::Isolate* isolate, ++ const 
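Review bot: `v8::Isolate::GetCurrent()` is used unconditionally and then handed to `v8::HandleScope`, so a call with no entered isolate would dereference null rather than degrade; since the commit message itself describes this as a stopgap for not piping the isolate through, a guard such as `if (!isolate) return is_detached_;` before the `HandleScope` would keep the pre-patch answer in that case. Whether `IsDetached()` can actually be reached without a current isolate is not visible here. The `const_cast` of `this` exists only because `AccumulateArrayBuffersForAllWorlds` takes a non-const `DOMArrayBuffer*` although it appears only to look the object up in the per-world data stores; taking `const DOMArrayBuffer*` there would remove the cast.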
WrapperTypeInfo* wrapper_type_info, ++ v8::Local wrapper) override; ++ ++ bool has_non_main_world_wrappers() const { ++ return has_non_main_world_wrappers_; ++ } ++ + private: + bool TransferDetachable(v8::Isolate*, ArrayBufferContents& result); ++ ++ bool has_non_main_world_wrappers_ = false; + }; + + } // namespace blink +diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h +index e99cce60dd7f..3ae9a4360e85 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h ++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h +@@ -33,7 +33,7 @@ class CORE_EXPORT DOMArrayBufferBase : public ScriptWrappable { + return base::checked_cast(contents_.DataLength()); + } + +- bool IsDetached() const { return is_detached_; } ++ virtual bool IsDetached() const { return is_detached_; } + + void Detach() { is_detached_ = true; } + +From efda8125f55049957e196995dffafb6dc171eadf Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= +Date: Thu, 4 Apr 2024 09:43:42 +0200 +Subject: [PATCH] [Backport] CVE-2024-3914: Use after free in V8 (2/2) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5419329: +[M120-LTS] Comment out a CHECK that a DOMAB has maximally one non-detached JSAB + +Based on crash reports, this assumption is not true and has to be +investigated. + +Removing this newly introduced CHECK to be able to merge fixes in this +area - we still violate this invariant but the fixes are a step into +the right direction. + +Fix in question: +https://chromium-review.googlesource.com/5387887 +which also introduced this CHECK. 
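Review bot: The new `has_non_main_world_wrappers_` member and its accessor carry no comment, yet `IsDetached()` relies on the flag to skip every world but the main one, so a reader of the header cannot tell what invariant the bit encodes; suggest `// Set once a wrapper for this buffer is associated in a non-main world; while false, IsDetached() only needs to inspect the main world's wrapper.` above the member. In the visible changes the flag is only ever set, never cleared, which is worth stating too, because clearing it would re-enable a fast path that then misses isolated-world wrappers. The class body around these lines is outside the hunk.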
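Review bot: `IsDetached()` becomes virtual while the neighbouring `Detach()` stays a non-virtual setter of `is_detached_`, so the two are no longer symmetric: a subclass may now report detached without `Detach()` ever having been called. A one-line comment on the getter would stop the next reader from assuming the flag is authoritative, e.g. `// Subclasses may widen this beyond is_detached_ (e.g. by consulting the V8 side).`. Only part of `DOMArrayBufferBase` is visible in the hunk.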
+ +Bug: 330759272 +Change-Id: I4ba52fee7ed8f45e352efd347e87df03d896ac3d +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5419329 +Commit-Queue: Marja Hölttä +Cr-Commit-Position: refs/heads/main@{#1282379} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562707 +Reviewed-by: Allan Sandfeld Jensen +--- + .../blink/renderer/core/typed_arrays/dom_array_buffer.cc | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc +index 38dcd3a3573..69e332272dd 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc +@@ -189,7 +189,11 @@ bool DOMArrayBuffer::IsDetached() const { + ++nondetached_count; + } + } +- CHECK_LE(nondetached_count, 1); ++ // This CHECK fires even though it should not. TODO(330759272): Investigate ++ // under which conditions we end up with multiple non-detached JSABs for the ++ // same DOMAB and potentially restore this check. ++ ++ // CHECK_LE(nondetached_count, 1); + + return nondetached_count == 0 && detached_count > 0; + } +From 91b3c705d739f6b6c58da6133e8e818e06dfcaa3 Mon Sep 17 00:00:00 2001 +From: Victor Gomes +Date: Thu, 21 Mar 2024 09:59:19 +0100 +Subject: [PATCH] [Backport] Security bug 329699609 + +Manual backport of patch originally reviewed on +https://chromium-review.googlesource.com/c/v8/v8/+/5378286: +Deal with large strings in NoSideEffectsErrorToString + +If name is too big, StringBuilder will fail to even add +"" suffix. + +In this case, we truncate name first. 
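Review bot: Commenting out `CHECK_LE(nondetached_count, 1)` removes all observation of the violated invariant, so the TODO has nothing to work from beyond the old crash reports; keeping it as `DCHECK_LE(nondetached_count, 1);` would preserve the signal in debug and fuzzing builds while leaving release builds unaffected, and the following `return` already tolerates several non-detached buffers by answering "not detached". The dead `// CHECK_LE(...)` line should then be dropped rather than kept as a comment. `DOMArrayBuffer::IsDetached()` begins outside the hunk.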
+ +Bug: 329699609 +Change-Id: I6e4440c07eae84371f44b54f88127e2c70af0db5 +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378286 +Commit-Queue: Victor Gomes +Reviewed-by: Patrick Thier +Auto-Submit: Victor Gomes +Cr-Commit-Position: refs/heads/main@{#92932} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562708 +Reviewed-by: Allan Sandfeld Jensen +--- + chromium/v8/src/objects/objects.cc | 25 +++++++++++++++++++------ + 1 file changed, 19 insertions(+), 6 deletions(-) + +diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc +index 7b38609e347..7820c7e8e58 100644 +--- src/3rdparty/chromium/v8/src/objects/objects.cc ++++ src/3rdparty/chromium/v8/src/objects/objects.cc +@@ -425,14 +425,27 @@ Handle NoSideEffectsErrorToString(Isolate* isolate, + if (name_str->length() == 0) return msg_str; + if (msg_str->length() == 0) return name_str; + +- IncrementalStringBuilder builder(isolate); +- builder.AppendString(name_str); +- builder.AppendCString(": "); ++ constexpr const char error_suffix[] = ""; ++ constexpr int error_suffix_size = sizeof(error_suffix); ++ int suffix_size = std::min(error_suffix_size, msg_str->length()); + +- if (builder.Length() + msg_str->length() <= String::kMaxLength) { +- builder.AppendString(msg_str); ++ IncrementalStringBuilder builder(isolate); ++ if (name_str->length() + suffix_size + 2 /* ": " */ > String::kMaxLength) { ++ constexpr const char connector[] = "... 
: "; ++ int connector_size = sizeof(connector); ++ Handle truncated_name = isolate->factory()->NewProperSubString( ++ name_str, 0, name_str->length() - error_suffix_size - connector_size); ++ builder.AppendString(truncated_name); ++ builder.AppendCString(connector); ++ builder.AppendCString(error_suffix); + } else { +- builder.AppendCString(""); ++ builder.AppendString(name_str); ++ builder.AppendCString(": "); ++ if (builder.Length() + msg_str->length() <= String::kMaxLength) { ++ builder.AppendString(msg_str); ++ } else { ++ builder.AppendCString(error_suffix); ++ } + } + + return builder.Finish().ToHandleChecked(); +From d3cb500c1d4b0508f3f21bb568c095984c614fcf Mon Sep 17 00:00:00 2001 +From: "Jason E. Hale" +Date: Thu, 20 Jun 2024 23:42:33 -0400 +Subject: [PATCH] [Backport] Fixup CVE-2024-3914: Use after free in V8 (1/2) + +Manual backport of requisite method WasDetached() in V8. +--- + chromium/v8/include/v8.h | 8 ++++++++ + chromium/v8/src/api/api.cc | 4 ++++ + 2 files changed, 12 insertions(+) + +diff --git a/chromium/v8/include/v8.h b/chromium/v8/include/v8.h +index 32687d90b5f..8a1b437bb06 100644 +--- src/3rdparty/chromium/v8/include/v8.h ++++ src/3rdparty/chromium/v8/include/v8.h +@@ -5299,6 +5299,11 @@ class V8_EXPORT ArrayBuffer : public Object { + */ + bool IsDetachable() const; + ++ /** ++ * Returns true if this ArrayBuffer has been detached. ++ */ ++ bool WasDetached() const; ++ + /** + * Detaches this ArrayBuffer and all its views (typed arrays). + * Detaching sets the byte length of the buffer and all typed arrays to zero, +@@ -5349,6 +5354,9 @@ class V8_EXPORT ArrayBuffer : public Object { + * should not attempt to manage lifetime of the storage through other means. + * + * This function replaces both Externalize() and GetContents(). ++ * ++ * The returned shared pointer will not be empty, even if the ArrayBuffer has ++ * been detached. Use |WasDetached| to tell if it has been detached instead. 
+ */
+ std::shared_ptr GetBackingStore();
+
+diff --git a/chromium/v8/src/api/api.cc b/chromium/v8/src/api/api.cc
+index b6f9d12769e..05d31a7cedf 100644
+--- src/3rdparty/chromium/v8/src/api/api.cc
++++ src/3rdparty/chromium/v8/src/api/api.cc
+@@ -7386,6 +7386,10 @@ bool v8::ArrayBuffer::IsDetachable() const {
+ return Utils::OpenHandle(this)->is_detachable();
+ }
+
++bool v8::ArrayBuffer::WasDetached() const {
++ return Utils::OpenHandle(this)->was_detached();
++}
++
+ namespace {
+ // The backing store deleter just deletes the indirection, which downrefs
+ // the shared pointer. It will get collected normally.