diff --git a/www/qt5-webengine/Makefile b/www/qt5-webengine/Makefile index 9b1dbab6880c..0f6a5f3dca02 100644 --- a/www/qt5-webengine/Makefile +++ b/www/qt5-webengine/Makefile @@ -1,173 +1,173 @@ # QtWebEngine itself is a very thin layer of Qt code on top of a large part of # Chromium (everything up to the content/ layer). As such, most of the work in # this port revolves around taming Chromium and getting it to build on FreeBSD. # While it does build at the moment, there are several items that should be # investigated or improved: # - We are using several stub files, especially in Chromium's base/ and net/ # layers. We should look at implementing the missing bits instead. # - We are currently not using any sandboxing mechanism. # - We need to see if more "use_system_" flags can be passed. # - The process of porting QtWebEngine needs to be documented so we can move to # newer releases more easily. # # Also note that, due to the insane amount of patches this port needs, it tends # to lag behind the rest of the official Qt5 ones, which is why we set # QT5_VERSION and DISTINFO_FILE here. # In order to successfully build this port in poudriere you need to add # MAX_FILES_qt5_webengine=4096 to /usr/local/etc/poudriere.conf PORTNAME= webengine DISTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= www PKGNAMEPREFIX= qt5- MAINTAINER= kde@FreeBSD.org COMMENT= Qt 5 library to render web content BUILD_DEPENDS= bison:devel/bison \ ${LOCALBASE}/include/linux/input.h:devel/evdev-proto \ ${LOCALBASE}/include/linux/videodev2.h:multimedia/v4l_compat \ ${PYTHON_PKGNAMEPREFIX}html5lib>0:www/py-html5lib@${PY_FLAVOR} LIB_DEPENDS= libavcodec.so:multimedia/ffmpeg \ libdbus-1.so:devel/dbus \ libdouble-conversion.so:devel/double-conversion \ libevent.so:devel/libevent \ libfontconfig.so:x11-fonts/fontconfig \ libfreetype.so:print/freetype2 \ libharfbuzz.so:print/harfbuzz \ libjsoncpp.so:devel/jsoncpp \ liblcms2.so:graphics/lcms2 \ libnspr4.so:devel/nspr \ libnss3.so:security/nss \ libopenh264.so:multimedia/openh264 \ libopus.so:audio/opus \ libpci.so:devel/libpci \ libpng.so:graphics/png \ libre2.so:devel/re2 \ libsnappy.so:archivers/snappy \ libvpx.so:multimedia/libvpx \ libwebp.so:graphics/webp DISTINFO_FILE= ${.CURDIR}/distinfo QT5_VERSION= ${_KDE_webengine_VERSION} OPTIONS_SINGLE= AUDIO OPTIONS_SINGLE_AUDIO= ALSA PULSEAUDIO SNDIO OPTIONS_DEFAULT= ALSA AUDIO_DESC= Audio backend # Need the alsa plugins to get sound at runtime, otherwise messages # that the pcm_oss plugin can't be opened. ALSA_LIB_DEPENDS= libasound.so:audio/alsa-lib ALSA_RUN_DEPENDS= alsa-plugins>=0:audio/alsa-plugins ALSA_VARS= QMAKE_CONFIGURE_ARGS+=-alsa ALSA_VARS_OFF= QMAKE_CONFIGURE_ARGS+=-no-alsa PULSEAUDIO_LIB_DEPENDS= libpulse.so:audio/pulseaudio PULSEAUDIO_VARS= QMAKE_CONFIGURE_ARGS+=-pulseaudio PULSEAUDIO_VARS_OFF= QMAKE_CONFIGURE_ARGS+=-no-pulseaudio SNDIO_LIB_DEPENDS= libsndio.so:audio/sndio SNDIO_VARS= QMAKE_CONFIGURE_ARGS+=-sndio SNDIO_VARS_OFF= QMAKE_CONFIGURE_ARGS+=-no-sndio # We pass `norecursive' to USES=qmake because src/plugins/plugins.pro checks # whether webenginewidgets is available, which fails when qmake processes all # .pro files at once. USES= gl gnome gperf jpeg minizip ninja:build nodejs:build,lts \ perl5 pkgconfig python:build qmake:norecursive,outsource \ qt-dist:5,webengine shebangfix xorg USE_GL= gl USE_GNOME= glib20 libxml2 libxslt USE_PERL5= build USE_QT= core declarative gui location network printsupport \ webchannel widgets \ buildtools:build designer:build qmake:build USE_XORG= x11 xcb xcomposite xcursor xdamage xext xfixes xi xkbfile \ xorgproto xrandr xrender xscrnsaver xtst QMAKE_CONFIGURE_ARGS= -proprietary-codecs -system-ffmpeg # We could just set it to an empty string as well. "all" does not account for # dependencies correctly in the generated Makefiles, use the right target here. ALL_TARGET= first # We need ar(1) from ports because the Chromium code uses the @file syntax. # We then need to ensure ld(1) from ports is used because of the archives ar(1) # generated. USE_BINUTILS= yes CC+= "-B${LOCALBASE}/bin" CXX+= "-B${LOCALBASE}/bin" # The build system reads the environment variable $NINJA_PATH to decide whether # to boostrap ninja or not (and also to invoke it afterwards). CC and CXX are # read by some Chromium code to determine which compiler to invoke when running # some configuration tests. # Since we use USES=qmake:norecursive, we also need to pass some variables to # MAKE_ENV because part of the configuration process happens during the build. CONFIGURE_ENV+= NINJAFLAGS="-j${MAKE_JOBS_NUMBER}" \ NINJA_PATH="${LOCALBASE}/bin/ninja" \ PATH=${CONFIGURE_WRKSRC}/bin:${LOCALBASE}/bin:${PATH} MAKE_ENV+= CC="${CC}" CXX="${CXX}" \ C_INCLUDE_PATH=${LOCALBASE}/include \ CPLUS_INCLUDE_PATH=${LOCALBASE}/include \ ${CONFIGURE_ENV} QT_BINARIES= yes .include .if ${ARCH:Mmips*} || ${ARCH:Mpowerpc*} PLIST_SUB+= BE="" LE="@comment " .else PLIST_SUB+= BE="@comment " LE="" .endif post-extract: # Install FreeBSD's freebsd.pri file. ${CP} ${FILESDIR}/freebsd.pri ${WRKSRC}/src/buildtools/config/freebsd.pri post-extract-SNDIO-on: @cd ${WRKSRC}/src/3rdparty/chromium/media/audio && ${MKDIR} sndio openbsd @${CP} ${FILESDIR}/sndio_*put.* \ ${WRKSRC}/src/3rdparty/chromium/media/audio/sndio @${CP} ${FILESDIR}/audio_manager_openbsd.* \ ${WRKSRC}/src/3rdparty/chromium/media/audio/openbsd post-patch: @${REINPLACE_CMD} -e 's|%%LOCALBASE%%|${LOCALBASE}|' \ ${WRKSRC}/src/3rdparty/chromium/base/linux_util.cc \ ${WRKSRC}/src/3rdparty/chromium/base/test/BUILD.gn \ ${WRKSRC}/src/3rdparty/chromium/build/toolchain/gcc_toolchain.gni \ ${WRKSRC}/src/3rdparty/chromium/chrome/common/chrome_paths.cc \ ${WRKSRC}/src/3rdparty/chromium/third_party/pdfium/core/fxge/fx_ge_linux.cpp \ ${WRKSRC}/src/3rdparty/gn/build/gen.py @${REINPLACE_CMD} -E -e 's|^(MODULE_VERSION = ).*|\1${QT5_VERSION}|' \ ${WRKSRC}/.qmake.conf .if ${ARCH:Mmips*} || ${ARCH:Mpowerpc*} @${REINPLACE_CMD} -e 's/icudtl.dat/icudtb.dat/' \ ${WRKSRC}/src/core/core_module.pro .endif pre-configure: # Link in ${PYTHON_CMD} to ${CONFIGURE_WRKSRC}/bin -- the scripts hardcode 'python' # in too many places to reasonably patch. So just link in ${PYTHON_CMD} to work around # $LOCALBASE/bin/python being python3 if the default versions is set to 3.x. ${MKDIR} ${CONFIGURE_WRKSRC}/bin && ${LN} -s ${PYTHON_CMD} ${CONFIGURE_WRKSRC}/bin/python # Unbundle a few dependencies. cd ${WRKSRC}/src/3rdparty/chromium && ${SETENV} ${CONFIGURE_ENV} ${PYTHON_CMD} \ ./build/linux/unbundle/replace_gn_files.py --system-libraries\ fontconfig freetype harfbuzz-ng libdrm libevent libpng libwebp libxml libxslt openh264 opus || ${FALSE} # Rerun syncqt.pl -- otherwise the resulting package misses some forwarding headers. cd ${WRKSRC} && ${QT_BINDIR}/syncqt.pl -version ${QT5_VERSION} post-build: # Fix version mismatches for CMake .for module in Pdf PdfWidgets WebEngine WebEngineCore WebEngineWidgets @${REINPLACE_CMD} -e '/${QT5_VERSION} $${_Qt5${module}_FIND_VERSION_EXACT}/s|${QT5_VERSION}|'"$$(${MAKE} -C ../../devel/qt5-core -VQT5_VERSION)"'|' \ ${BUILD_WRKSRC}/lib/cmake/Qt5${module}/Qt5${module}Config.cmake .endfor .include diff --git a/www/qt5-webengine/files/patch-security-rollup b/www/qt5-webengine/files/patch-security-rollup new file mode 100644 index 000000000000..e0554d3d7c61 --- /dev/null +++ b/www/qt5-webengine/files/patch-security-rollup @@ -0,0 +1,273 @@ +Add security patches to this file. + +Addresses the following security issues: + +- Security bug 329674887 +- CVE-2024-3157 +- CVE-2024-3516 + +From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001 +From: Marco Paniconi +Date: Wed, 13 Mar 2024 10:58:17 -0700 +Subject: [PATCH] [Backport] Security bug 329674887 (1/2) + +Cherry-pick of patch orignally reviewed on +https://chromium-review.googlesource.com/c/webm/libvpx/+/5370376: +Fix to buffer alloc for vp9_bitstream_worker_data + +The code was using the bitstream_worker_data when it +wasn't allocated for big enough size. This is because +the existing condition was to only re-alloc the +bitstream_worker_data when current dest_size was larger +than the current frame_size. But under resolution change +where frame_size is increased, beyond the current dest_size, +we need to allow re-alloc to the new size. + +The existing condition to re-alloc when dest_size is +larger than frame_size (which is not required) is kept +for now. + +Also increase the dest_size to account for image format. + +Added tests, for both ROW_MT=0 and 1, that reproduce +the failures in the bugs below. + +Note: this issue only affects the REALTIME encoding path. + +Bug: b/329088759, b/329674887, b/329179808 + +Change-Id: Icd65dbc5317120304d803f648d4bd9405710db6f +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554667 +Reviewed-by: Allan Sandfeld Jensen +--- + .../source/libvpx/vp9/encoder/vp9_bitstream.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c +index 3eff4ce830d1..22db39714922 100644 +--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c ++++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c +@@ -963,6 +963,14 @@ void vp9_bitstream_encode_tiles_buffer_dealloc(VP9_COMP *const cpi) { + } + } + ++static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) { ++ VP9_COMMON *const cm = &cpi->common; ++ const int image_bps = ++ (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) * ++ (1 + (cm->bit_depth > 8)); ++ return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; ++} ++ + static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { + int i; + const size_t worker_data_size = +@@ -972,7 +980,7 @@ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { + if (!cpi->vp9_bitstream_worker_data) return 1; + for (i = 1; i < cpi->num_workers; ++i) { + cpi->vp9_bitstream_worker_data[i].dest_size = +- cpi->oxcf.width * cpi->oxcf.height; ++ encode_tiles_buffer_alloc_size(cpi); + cpi->vp9_bitstream_worker_data[i].dest = + vpx_malloc(cpi->vp9_bitstream_worker_data[i].dest_size); + if (!cpi->vp9_bitstream_worker_data[i].dest) return 1; +@@ -989,8 +997,8 @@ static size_t encode_tiles_mt(VP9_COMP *cpi, uint8_t *data_ptr) { + int tile_col = 0; + + if (!cpi->vp9_bitstream_worker_data || +- cpi->vp9_bitstream_worker_data[1].dest_size > +- (cpi->oxcf.width * cpi->oxcf.height)) { ++ cpi->vp9_bitstream_worker_data[1].dest_size != ++ encode_tiles_buffer_alloc_size(cpi)) { + vp9_bitstream_encode_tiles_buffer_dealloc(cpi); + if (encode_tiles_buffer_alloc(cpi)) return 0; + } +From 7c81b9390d837ffbaccb1846db64960b4a79626f Mon Sep 17 00:00:00 2001 +From: Marco Paniconi +Date: Sat, 16 Mar 2024 10:39:28 -0700 +Subject: [PATCH] [Backport] Security bug 329674887 (2/2) + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/webm/libvpx/+/5375794: +vp9: fix to integer overflow test + +failure for the 16k test: issue introduced +in: c29e637283 + +Bug: b/329088759, b/329674887, b/329179808 + +Change-Id: I88e8a36b7f13223997c3006c84aec9cfa48c0bcf +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554668 +Reviewed-by: Allan Sandfeld Jensen +--- + .../libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c +index 22db3971492..645ba6ebb3a 100644 +--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c ++++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c +@@ -968,7 +968,9 @@ static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) { + const int image_bps = + (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) * + (1 + (cm->bit_depth > 8)); +- return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; ++ const int64_t size = ++ (int64_t)cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; ++ return (int)size; + } + + static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { +From 11ecd608320b14500f912e827b5b0eab285b8142 Mon Sep 17 00:00:00 2001 +From: kylechar +Date: Tue, 9 Apr 2024 17:14:26 +0000 +Subject: [PATCH] [Backport] CVE-2024-3157: Out of bounds write in Compositing + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5420432: +Validate buffer length + +The BitmapInSharedMemory mojo traits were only validating row length and +not total buffer length. + +(cherry picked from commit 1a19ff70bd54847d818566bd7a1e7c384c419746) + +(cherry picked from commit f15315f1cb7897e208947a40d538aac693283d7f) + +Bug: 331237485 +Change-Id: Ia2318899c44e9e7ac72fc7183954e6ce2c702179 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5396796 +Commit-Queue: Kyle Charbonneau +Cr-Original-Original-Commit-Position: refs/heads/main@{#1278417} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5420432 +Commit-Queue: danakj +Cr-Original-Commit-Position: refs/branch-heads/6312@{#786} +Cr-Original-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5433678 +Reviewed-by: danakj +Reviewed-by: Kyle Charbonneau +Cr-Commit-Position: refs/branch-heads/6099@{#2003} +Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554669 +Reviewed-by: Allan Sandfeld Jensen +--- + .../cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc b/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc +index f602fa100477..c6d84002b3e4 100644 +--- src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc ++++ src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc +@@ -69,6 +69,10 @@ bool StructTraits::Read( + if (!mapping_ptr->IsValid()) + return false; + ++ if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) { ++ return false; ++ } ++ + if (!sk_bitmap->installPixels(image_info, mapping_ptr->memory(), + data.row_bytes(), &DeleteSharedMemoryMapping, + mapping_ptr.get())) { +From 060d3aa868d6f4403a9416fe34b48ffbfcfe19cb Mon Sep 17 00:00:00 2001 +From: Shahbaz Youssefi +Date: Mon, 25 Mar 2024 14:46:56 -0400 +Subject: [PATCH] [Backport] CVE-2024-3516: Heap buffer overflow in ANGLE + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/angle/angle/+/5391986: +Translator: Disallow samplers in structs in interface blocks + +As disallowed by the spec: + +> Types and declarators are the same as for other uniform variable +> declarations outside blocks, with these exceptions: +> +> * opaque types are not allowed + +Bug: chromium:328859176 +Change-Id: Ib94977860102329e520e635c3757827c93ca2163 +Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5391986 +Auto-Submit: Shahbaz Youssefi +Reviewed-by: Geoff Lang +Commit-Queue: Shahbaz Youssefi +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554670 +Reviewed-by: Allan Sandfeld Jensen +--- + .../src/compiler/translator/ParseContext.cpp | 33 ++++++++++++------- + 1 file changed, 21 insertions(+), 12 deletions(-) + +diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp +index 84a0c8fd9e0d..3e8a4a71ff67 100644 +--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp ++++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp +@@ -34,27 +34,39 @@ namespace + + const int kWebGLMaxStructNesting = 4; + +-bool ContainsSampler(const TStructure *structType); ++struct IsSamplerFunc ++{ ++ bool operator()(TBasicType type) { return IsSampler(type); } ++}; ++struct IsOpaqueFunc ++{ ++ bool operator()(TBasicType type) { return IsOpaqueType(type); } ++}; ++ ++template ++bool ContainsOpaque(const TStructure *structType); + +-bool ContainsSampler(const TType &type) ++template ++bool ContainsOpaque(const TType &type) + { +- if (IsSampler(type.getBasicType())) ++ if (OpaqueFunc{}(type.getBasicType())) + { + return true; + } + if (type.getBasicType() == EbtStruct) + { +- return ContainsSampler(type.getStruct()); ++ return ContainsOpaque(type.getStruct()); + } + + return false; + } + +-bool ContainsSampler(const TStructure *structType) ++template ++bool ContainsOpaque(const TStructure *structType) + { + for (const auto &field : structType->fields()) + { +- if (ContainsSampler(*field->type())) ++ if (ContainsOpaque(*field->type())) + return true; + } + return false; +@@ -915,7 +927,7 @@ bool TParseContext::checkIsNotOpaqueType(const TSourceLoc &line, + { + if (pType.type == EbtStruct) + { +- if (ContainsSampler(pType.userDef)) ++ if (ContainsOpaque(pType.userDef)) + { + std::stringstream reasonStream = sh::InitializeStream(); + reasonStream << reason << " (structure contains a sampler)"; +@@ -3900,12 +3912,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock( + { + TField *field = (*fieldList)[memberIndex]; + TType *fieldType = field->type(); +- if (IsOpaqueType(fieldType->getBasicType())) ++ if (ContainsOpaque(*fieldType)) + { +- std::string reason("unsupported type - "); +- reason += fieldType->getBasicString(); +- reason += " types are not allowed in interface blocks"; +- error(field->line(), reason.c_str(), fieldType->getBasicString()); ++ error(field->line(), "Opaque types are not allowed in interface blocks", blockName); + } + + const TQualifier qualifier = fieldType->getQualifier();