aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJason E. Hale <jhale@FreeBSD.org>2024-01-31 19:45:55 +0000
committerJason E. Hale <jhale@FreeBSD.org>2024-01-31 20:09:49 +0000
commitd4aaa430d08417fb216e5ee98f8db322b64e82e4 (patch)
treeff680191b9178ffc570f2e37004cfb28c79cf246
parent7e75892bfdb98efc1497b71e8e4549a8f3132262 (diff)
downloadports-d4aaa430d08417fb216e5ee98f8db322b64e82e4.tar.gz
ports-d4aaa430d08417fb216e5ee98f8db322b64e82e4.zip
www/qt6-webengine: Address security vulnerabilities
Add speculative build fix for armv7. MFH: 2024Q1 Security: bbcb1584-c068-11ee-bdd6-4ccc6adda413 (cherry picked from commit 214eb4d92c6739ef0da1eba2cdc10a97bdf6af30)
-rw-r--r--www/qt6-webengine/Makefile2
-rw-r--r--www/qt6-webengine/files/patch-security-rollup1179
-rw-r--r--www/qt6-webengine/files/patch-src_3rdparty_chromium_v8_src_codegen_arm_cpu-arm.cc24
3 files changed, 1203 insertions, 2 deletions
diff --git a/www/qt6-webengine/Makefile b/www/qt6-webengine/Makefile
index d7371916a4f4..b62f3f3a255b 100644
--- a/www/qt6-webengine/Makefile
+++ b/www/qt6-webengine/Makefile
@@ -12,7 +12,7 @@
PORTNAME?= webengine
DISTVERSION= ${QT6_VERSION}
-PORTREVISION?= 3 # Master port for print/qt6-pdf. Please keep this line.
+PORTREVISION?= 4 # Master port for print/qt6-pdf. Please keep this line.
CATEGORIES?= www
PKGNAMEPREFIX= qt6-
diff --git a/www/qt6-webengine/files/patch-security-rollup b/www/qt6-webengine/files/patch-security-rollup
index bb16a291c80d..3f67e42ad06b 100644
--- a/www/qt6-webengine/files/patch-security-rollup
+++ b/www/qt6-webengine/files/patch-security-rollup
@@ -23,8 +23,13 @@ Addresses the following security issues:
- CVE-2024-0222
- Security bug 1511689
- CVE-2024-0519
-- CVE-2025-0518
+- CVE-2024-0518
- Security bug 1506535
+- CVE-2024-0808
+- CVE-2024-0807
+- Security bug 1511389
+- CVE-2024-0810
+- Security bug 1407197
From 669506a53474e3d7637666d3c53f6101fb94d96f Mon Sep 17 00:00:00 2001
From: Nidhi Jaju <nidhijaju@chromium.org>
@@ -3260,3 +3265,1175 @@ index 59bbb727e6b..8b3f7055430 100644
if (keyboard_lock_widget_)
delegate_->CancelKeyboardLockRequest(this);
+From 8ab0eb9f07be8cd735e03b5536fc2e361e70a5cf Mon Sep 17 00:00:00 2001
+From: Lyra Rebane <rebane2001@gmail.com>
+Date: Mon, 8 Jan 2024 13:39:46 +0000
+Subject: [PATCH] [Backport] CVE-2024-0808: Integer underflow in WebUI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5177426:
+Verify resource order in data pack files
+
+This CL adds a resource order check when loading a data pack or calling DataPack::GetStringPiece to make sure the resources are ordered sequentially in memory.
+
+Bug: 1504936
+Change-Id: Ie3bf1d9dbac937407355935a859a5daa9ce84350
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5059113
+Commit-Queue: Peter Boström <pbos@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1238675}
+(cherry picked from commit c4b2e6246ad0e95eaf0727bb25a2e4969155e989)
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535516
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ chromium/AUTHORS | 1 +
+ chromium/ui/base/resource/data_pack.cc | 19 ++++++++++++++++++-
+ .../ui/base/resource/data_pack_literal.cc | 12 ++++++++++++
+ chromium/ui/base/resource/data_pack_literal.h | 2 ++
+ .../ui/base/resource/data_pack_unittest.cc | 7 +++++++
+ 5 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/chromium/AUTHORS b/chromium/AUTHORS
+index ff6abe8d1135..772aab22c671 100644
+--- src/3rdparty/chromium/AUTHORS
++++ src/3rdparty/chromium/AUTHORS
+@@ -769,6 +769,7 @@ Luke Seunghoe Gu <gulukesh@gmail.com>
+ Luke Zarko <lukezarko@gmail.com>
+ Luoxi Pan <l.panpax@gmail.com>
+ Lu Yahan <yahan@iscas.ac.cn>
++Lyra Rebane <rebane2001@gmail.com>
+ Ma Aiguo <imaiguo@gmail.com>
+ Maarten Lankhorst <m.b.lankhorst@gmail.com>
+ Maciej Pawlowski <m.pawlowski@eyeo.com>
+diff --git a/chromium/ui/base/resource/data_pack.cc b/chromium/ui/base/resource/data_pack.cc
+index 74069c99d00a..6dc0985b78dd 100644
+--- src/3rdparty/chromium/ui/base/resource/data_pack.cc
++++ src/3rdparty/chromium/ui/base/resource/data_pack.cc
+@@ -310,7 +310,16 @@ bool DataPack::SanityCheckFileAndRegisterResources(size_t margin_to_skip,
+ }
+ }
+
+- // 3) Verify the aliases are within the appropriate bounds.
++ // 3) Verify the entries are ordered correctly.
++ for (size_t i = 0; i < resource_count_; ++i) {
++ if (resource_table_[i].file_offset > resource_table_[i + 1].file_offset) {
++ LOG(ERROR) << "Data pack file corruption: "
++ << "Entry #" << i + 1 << " before Entry #" << i << ".";
++ return false;
++ }
++ }
++
++ // 4) Verify the aliases are within the appropriate bounds.
+ for (size_t i = 0; i < alias_count_; ++i) {
+ if (alias_table_[i].entry_index >= resource_count_) {
+ LOG(ERROR) << "Data pack file corruption: "
+@@ -428,6 +437,14 @@ bool DataPack::GetStringPiece(uint16_t resource_id,
+ << "file modified?";
+ return false;
+ }
++ if (target->file_offset > next_entry->file_offset) {
++ size_t entry_index = target - resource_table_;
++ size_t next_index = next_entry - resource_table_;
++ LOG(ERROR) << "Entry #" << next_index << " in data pack is before Entry #"
++ << entry_index << ". This should have been caught when loading. "
++ << "Was the file modified?";
++ return false;
++ }
+
+ MaybePrintResourceId(resource_id);
+ GetStringPieceFromOffset(target->file_offset, next_entry->file_offset,
+diff --git a/chromium/ui/base/resource/data_pack_literal.cc b/chromium/ui/base/resource/data_pack_literal.cc
+index caac0709b42b..4197ea03fd68 100644
+--- src/3rdparty/chromium/ui/base/resource/data_pack_literal.cc
++++ src/3rdparty/chromium/ui/base/resource/data_pack_literal.cc
+@@ -89,6 +89,18 @@ const uint8_t kSampleCorruptPakContents[] = {
+
+ const size_t kSampleCorruptPakSize = sizeof(kSampleCorruptPakContents);
+
++const uint8_t kSampleMisorderedPakContents[] = {
++ 0x05, 0x00, 0x00, 0x00, // version
++ 0x01, 0x00, 0x00, 0x00, // encoding + padding
++ 0x02, 0x00, 0x00, 0x00, // num_resources, num_aliases
++ 0x06, 0x00, 0x2a, 0x00, 0x00, 0x00, // index entry 6 (wrong order)
++ 0x04, 0x00, 0x1e, 0x00, 0x00, 0x00, // index entry 4
++ 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, // extra entry for the size of last
++ 't', 'h', 'i', 's', ' ', 'i', 's', ' ', 'i', 'd', ' ', '4',
++ 't', 'h', 'i', 's', ' ', 'i', 's', ' ', 'i', 'd', ' ', '6'};
++
++const size_t kSampleMisorderedPakSize = sizeof(kSampleMisorderedPakContents);
++
+ const uint8_t kSamplePakContents2x[] = {
+ 0x04, 0x00, 0x00, 0x00, // header(version
+ 0x01, 0x00, 0x00, 0x00, // no. entries
+diff --git a/chromium/ui/base/resource/data_pack_literal.h b/chromium/ui/base/resource/data_pack_literal.h
+index eb5a94895f2d..9173ce149935 100644
+--- src/3rdparty/chromium/ui/base/resource/data_pack_literal.h
++++ src/3rdparty/chromium/ui/base/resource/data_pack_literal.h
+@@ -22,6 +22,8 @@ extern const uint8_t kEmptyPakContents[];
+ extern const size_t kEmptyPakSize;
+ extern const uint8_t kSampleCorruptPakContents[];
+ extern const size_t kSampleCorruptPakSize;
++extern const uint8_t kSampleMisorderedPakContents[];
++extern const size_t kSampleMisorderedPakSize;
+
+ } // namespace ui
+
+diff --git a/chromium/ui/base/resource/data_pack_unittest.cc b/chromium/ui/base/resource/data_pack_unittest.cc
+index 25b33b813ac4..0a4a169ca225 100644
+--- src/3rdparty/chromium/ui/base/resource/data_pack_unittest.cc
++++ src/3rdparty/chromium/ui/base/resource/data_pack_unittest.cc
+@@ -366,4 +366,11 @@ TEST(DataPackTest, ModifiedWhileUsed) {
+ }
+ #endif
+
++TEST(DataPackTest, Misordered) {
++ DataPack pack(k100Percent);
++
++ ASSERT_FALSE(pack.LoadFromBuffer(
++ {kSampleMisorderedPakContents, kSampleMisorderedPakSize}));
++}
++
+ } // namespace ui
+From 46069ff72f6e1d6fe75bd2c04350bcd74b308923 Mon Sep 17 00:00:00 2001
+From: Hongchan Choi <hongchan@chromium.org>
+Date: Fri, 12 Jan 2024 22:57:22 +0000
+Subject: [PATCH] [Backport] CVE-2024-0807: Use after free in WebAudio
+
+Manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5225523:
+Update rendering state of automatic pull nodes before graph rendering
+
+M114 merge issues:
+ third_party/blink/renderer/modules/webaudio/analyser_handler.cc:
+ PullInputs/CheckNumberOfChannelsForInput not present in 114.
+
+In rare cases, the rendering fan out count of automatic pull node
+does not match the main thread fan out count after recreating
+a platform destination followed by disconnection.
+
+This CL forces the update of the rendering state of automatic
+pull nodes before graph rendering to make sure that fan out counts
+are synchronized before executing the audio processing function call.
+
+NOTE: This change makes 2 WPTs fail. The follow-up work is planned
+to address them once this patch is merged.
+
+Bug: 1505080
+Test: Locally confirmed that ASAN doesn't crash on all repro cases.
+Change-Id: I6768cd8bc64525ea9d56a19b9c58439e9cdab9a8
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5131958
+Commit-Queue: Hongchan Choi <hongchan@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1246718}
+(cherry picked from commit f4bffa09b46c21147431179e1e6dd2b27bc35fbc)
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535517
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../renderer/modules/webaudio/analyser_handler.cc | 14 ++++++++++++--
+ .../modules/webaudio/audio_worklet_handler.cc | 7 +++++--
+ .../modules/webaudio/audio_worklet_processor.cc | 6 ++++++
+ .../modules/webaudio/deferred_task_handler.cc | 10 ++++++++++
+ 4 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc
+index c823c923a1cc..87a1f109a28c 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc
+@@ -39,9 +39,14 @@ AnalyserHandler::~AnalyserHandler() {
+ }
+
+ void AnalyserHandler::Process(uint32_t frames_to_process) {
+- AudioBus* output_bus = Output(0).Bus();
++ DCHECK(Context()->IsAudioThread());
+
+- if (!IsInitialized()) {
++ // It's possible that output is not connected. Assign nullptr to indicate
++ // such case.
++ AudioBus* output_bus =
++ Output(0).RenderingFanOutCount() > 0 ? Output(0).Bus() : nullptr;
++
++ if (!IsInitialized() && output_bus) {
+ output_bus->Zero();
+ return;
+ }
+@@ -53,6 +58,11 @@ void AnalyserHandler::Process(uint32_t frames_to_process) {
+ // Analyser reflects the current input.
+ analyser_.WriteInput(input_bus.get(), frames_to_process);
+
++ // Subsequent steps require `output_bus` to be valid.
++ if (!output_bus) {
++ return;
++ }
++
+ if (!Input(0).IsConnected()) {
+ // No inputs, so clear the output, and propagate the silence hint.
+ output_bus->Zero();
+diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc
+index 7f591531ad6f..b2b1500d3aab 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc
+@@ -114,12 +114,15 @@ void AudioWorkletHandler::Process(uint32_t frames_to_process) {
+ // We also need to check if the global scope is valid before we request
+ // the rendering in the AudioWorkletGlobalScope.
+ if (processor_ && !processor_->hasErrorOccurred()) {
+- // If the input is not connected, inform the processor with nullptr.
++ // If the input or the output is not connected, inform the processor with
++ // nullptr.
+ for (unsigned i = 0; i < NumberOfInputs(); ++i) {
+ inputs_[i] = Input(i).IsConnected() ? Input(i).Bus() : nullptr;
+ }
+ for (unsigned i = 0; i < NumberOfOutputs(); ++i) {
+- outputs_[i] = WrapRefCounted(Output(i).Bus());
++ outputs_[i] = Output(i).RenderingFanOutCount() > 0
++ ? WrapRefCounted(Output(i).Bus())
++ : nullptr;
+ }
+
+ for (const auto& param_name : param_value_map_.Keys()) {
+diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
+index 1f884cb12b43..c47e39effa40 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
+@@ -367,6 +367,12 @@ void AudioWorkletProcessor::CopyArrayBuffersToPort(
+
+ for (uint32_t bus_index = 0; bus_index < audio_port.size(); ++bus_index) {
+ const scoped_refptr<AudioBus>& audio_bus = audio_port[bus_index];
++
++ // nullptr indicates the output bus is not connected. Do not proceed.
++ if (!audio_bus) {
++ break;
++ }
++
+ for (uint32_t channel_index = 0;
+ channel_index < audio_bus->NumberOfChannels(); ++channel_index) {
+ auto backing_store = array_buffers[bus_index][channel_index]
+diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
+index fa1de8f37b9b..4730383dafa9 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
+@@ -172,6 +172,16 @@ void DeferredTaskHandler::UpdateAutomaticPullNodes() {
+ base::AutoTryLock try_locker(automatic_pull_handlers_lock_);
+ if (try_locker.is_acquired()) {
+ rendering_automatic_pull_handlers_.assign(automatic_pull_handlers_);
++
++ // In rare cases, it is possible for automatic pull nodes' output bus
++ // to become stale. Make sure update their rendering output counts.
++ // crbug.com/1505080.
++ for (auto& handler : rendering_automatic_pull_handlers_) {
++ for (unsigned i = 0; i < handler->NumberOfOutputs(); ++i) {
++ handler->Output(i).UpdateRenderingState();
++ }
++ }
++
+ automatic_pull_handlers_need_updating_ = false;
+ }
+ }
+From 0801943eea5309d1912bac96ed15af49b9f4e532 Mon Sep 17 00:00:00 2001
+From: Cheng Chen <chengchen@google.com>
+Date: Thu, 7 Dec 2023 12:17:23 -0800
+Subject: [PATCH] [Backport] Security bug 1511389 (1/2)
+
+Manual partial cherry-pick of patch originally reviewed on
+https://aomedia-review.googlesource.com/c/aom/+/184763:
+Do not use adaptive error estimate
+
+When the reference frame size is different than the current,
+we will not use adaptive error estimate.
+
+STATS_CHANGED
+
+Bug: b:314858909
+Change-Id: Ic64d9b4a1d94889d7283c044b17ffc24627478d7
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535518
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../libaom/source/libaom/av1/encoder/ratectrl.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
+index 4ea1c9a3e33..c7b503d80a2 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
+@@ -187,8 +187,7 @@ int av1_rc_bits_per_mb(const AV1_COMP *cpi, FRAME_TYPE frame_type, int qindex,
+ assert(correction_factor <= MAX_BPB_FACTOR &&
+ correction_factor >= MIN_BPB_FACTOR);
+
+- if (frame_type != KEY_FRAME && accurate_estimate) {
+- assert(cpi->rec_sse != UINT64_MAX);
++ if (frame_type != KEY_FRAME && accurate_estimate && cpi->rec_sse != UINT64_MAX) {
+ const int mbs = cm->mi_params.MBs;
+ const double sse_sqrt =
+ (double)((int)sqrt((double)(cpi->rec_sse)) << BPER_MB_NORMBITS) /
+@@ -2021,6 +2020,13 @@ static void rc_compute_variance_onepass_rt(AV1_COMP *cpi) {
+ // TODO(yunqing): support scaled reference frames.
+ if (cpi->scaled_ref_buf[LAST_FRAME - 1]) return;
+
++ for (int i = 0; i < 2; ++i) {
++ if (unscaled_src->widths[i] != yv12->widths[i] ||
++ unscaled_src->heights[i] != yv12->heights[i]) {
++ return;
++ }
++ }
++
+ const int num_mi_cols = cm->mi_params.mi_cols;
+ const int num_mi_rows = cm->mi_params.mi_rows;
+ const BLOCK_SIZE bsize = BLOCK_64X64;
+From 1a76ec5bc55594a7feada7c510949450d489996b Mon Sep 17 00:00:00 2001
+From: Remya Prakasan <remya.prakasan@ittiam.com>
+Date: Mon, 8 May 2023 15:03:27 +0530
+Subject: [PATCH] [Backport] Dependency for security bug 1511389 (1/1)
+
+Manual cherry-pick of patch originally reviewed on
+https://aomedia-review.googlesource.com/c/aom/+/175041:
+Add support for dynamic allocation of thread data
+
+Added support for reallocation of thread data when the
+workers for multi-threading in encode stage changes with
+frame resizing. Also modified TestExternalResizeWorks
+of ResizeRealtimeTest to test this scenario.
+
+BUG=aomedia:3429
+
+Change-Id: Ieee94b229274e942203c9fc7dffd59a9a3fb5c26
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535519
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../libaom/source/libaom/av1/av1_cx_iface.c | 14 ++++++++
+ .../source/libaom/av1/encoder/encoder.c | 34 -------------------
+ .../source/libaom/av1/encoder/encoder.h | 5 +++
+ .../source/libaom/av1/encoder/encoder_alloc.h | 34 +++++++++++++++++++
+ .../source/libaom/av1/encoder/ethread.c | 5 +++
+ 5 files changed, 58 insertions(+), 34 deletions(-)
+
+diff --git a/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c b/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
+index 3e764dd6ca6..1d114779c83 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
+@@ -25,6 +25,7 @@
+ #include "av1/av1_iface_common.h"
+ #include "av1/encoder/bitstream.h"
+ #include "av1/encoder/encoder.h"
++#include "av1/encoder/encoder_alloc.h"
+ #include "av1/encoder/encoder_utils.h"
+ #include "av1/encoder/ethread.h"
+ #include "av1/encoder/external_partition.h"
+@@ -3095,6 +3096,19 @@ static aom_codec_err_t encoder_encode(aom_codec_alg_priv_t *ctx,
+ }
+ #endif // CONFIG_MULTITHREAD
+ }
++
++ // Re-allocate thread data if workers for encoder multi-threading stage
++ // exceeds prev_num_enc_workers.
++ const int num_enc_workers =
++ av1_get_num_mod_workers_for_alloc(&ppi->p_mt_info, MOD_ENC);
++ if (ppi->p_mt_info.prev_num_enc_workers < num_enc_workers &&
++ num_enc_workers <= ppi->p_mt_info.num_workers) {
++ free_thread_data(ppi);
++ for (int j = 0; j < ppi->num_fp_contexts; j++)
++ aom_free(ppi->parallel_cpi[j]->td.tctx);
++ av1_init_tile_thread_data(ppi, cpi->oxcf.pass == AOM_RC_FIRST_PASS);
++ }
++
+ for (int i = 0; i < ppi->num_fp_contexts; i++) {
+ av1_init_frame_mt(ppi, ppi->parallel_cpi[i]);
+ }
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
+index 72cb92bbb22..c2bf5b9b344 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
+@@ -1569,40 +1569,6 @@ static AOM_INLINE void terminate_worker_data(AV1_PRIMARY *ppi) {
+ }
+ }
+
+-// Deallocate allocated thread_data.
+-static AOM_INLINE void free_thread_data(AV1_PRIMARY *ppi) {
+- PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
+- for (int t = 1; t < p_mt_info->num_workers; ++t) {
+- EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[t];
+- thread_data->td = thread_data->original_td;
+- aom_free(thread_data->td->tctx);
+- aom_free(thread_data->td->palette_buffer);
+- aom_free(thread_data->td->tmp_conv_dst);
+- release_compound_type_rd_buffers(&thread_data->td->comp_rd_buffer);
+- for (int j = 0; j < 2; ++j) {
+- aom_free(thread_data->td->tmp_pred_bufs[j]);
+- }
+- aom_free(thread_data->td->pixel_gradient_info);
+- aom_free(thread_data->td->src_var_info_of_4x4_sub_blocks);
+- release_obmc_buffers(&thread_data->td->obmc_buffer);
+- aom_free(thread_data->td->vt64x64);
+-
+- for (int x = 0; x < 2; x++) {
+- for (int y = 0; y < 2; y++) {
+- aom_free(thread_data->td->hash_value_buffer[x][y]);
+- thread_data->td->hash_value_buffer[x][y] = NULL;
+- }
+- }
+- aom_free(thread_data->td->counts);
+- av1_free_pmc(thread_data->td->firstpass_ctx,
+- ppi->seq_params.monochrome ? 1 : MAX_MB_PLANE);
+- thread_data->td->firstpass_ctx = NULL;
+- av1_free_shared_coeff_buffer(&thread_data->td->shared_coeff_buf);
+- av1_free_sms_tree(thread_data->td);
+- aom_free(thread_data->td);
+- }
+-}
+-
+ void av1_remove_primary_compressor(AV1_PRIMARY *ppi) {
+ if (!ppi) return;
+ #if !CONFIG_REALTIME_ONLY
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h
+index a95ea2505d7..153b3665f23 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h
+@@ -1631,6 +1631,11 @@ typedef struct PrimaryMultiThreadInfo {
+ * Number of primary workers created for multi-threading.
+ */
+ int p_num_workers;
++
++ /*!
++ * Tracks the number of workers in encode stage multi-threading.
++ */
++ int prev_num_enc_workers;
+ } PrimaryMultiThreadInfo;
+
+ /*!
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h
+index a4aef85aedb..27b5546371a 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h
+@@ -398,6 +398,40 @@ static AOM_INLINE YV12_BUFFER_CONFIG *realloc_and_scale_source(
+ return &cpi->scaled_source;
+ }
+
++// Deallocate allocated thread_data.
++static AOM_INLINE void free_thread_data(AV1_PRIMARY *ppi) {
++ PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
++ for (int t = 1; t < p_mt_info->num_workers; ++t) {
++ EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[t];
++ thread_data->td = thread_data->original_td;
++ aom_free(thread_data->td->tctx);
++ aom_free(thread_data->td->palette_buffer);
++ aom_free(thread_data->td->tmp_conv_dst);
++ release_compound_type_rd_buffers(&thread_data->td->comp_rd_buffer);
++ for (int j = 0; j < 2; ++j) {
++ aom_free(thread_data->td->tmp_pred_bufs[j]);
++ }
++ aom_free(thread_data->td->pixel_gradient_info);
++ aom_free(thread_data->td->src_var_info_of_4x4_sub_blocks);
++ release_obmc_buffers(&thread_data->td->obmc_buffer);
++ aom_free(thread_data->td->vt64x64);
++
++ for (int x = 0; x < 2; x++) {
++ for (int y = 0; y < 2; y++) {
++ aom_free(thread_data->td->hash_value_buffer[x][y]);
++ thread_data->td->hash_value_buffer[x][y] = NULL;
++ }
++ }
++ aom_free(thread_data->td->counts);
++ av1_free_pmc(thread_data->td->firstpass_ctx,
++ ppi->seq_params.monochrome ? 1 : MAX_MB_PLANE);
++ thread_data->td->firstpass_ctx = NULL;
++ av1_free_shared_coeff_buffer(&thread_data->td->shared_coeff_buf);
++ av1_free_sms_tree(thread_data->td);
++ aom_free(thread_data->td);
++ }
++}
++
+ #ifdef __cplusplus
+ } // extern "C"
+ #endif
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
+index 1c8631ae1fd..8c62b2107c3 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
+@@ -777,6 +777,7 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) {
+
+ int num_workers = p_mt_info->num_workers;
+ int num_enc_workers = av1_get_num_mod_workers_for_alloc(p_mt_info, MOD_ENC);
++ assert(num_enc_workers <= num_workers);
+ for (int i = num_workers - 1; i >= 0; i--) {
+ EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[i];
+
+@@ -886,6 +887,10 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) {
+ }
+ }
+ }
++
++ // Record the number of workers in encode stage multi-threading for which
++ // allocation is done.
++ p_mt_info->prev_num_enc_workers = num_enc_workers;
+ }
+
+ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) {
+From 9e80e8bff6bd41a61b589ecb6b006c1711e83431 Mon Sep 17 00:00:00 2001
+From: Cheng Chen <chengchen@google.com>
+Date: Tue, 5 Dec 2023 16:34:43 -0800
+Subject: [PATCH] [Backport] Security bug 1511389 (2/2)
+
+Manual cherry-pick of patch originally reviewed on
+https://aomedia-review.googlesource.com/c/aom/+/184761:
+Recreate workers if necessary
+
+As shown in the unit test, if the number of workers increases,
+we need to propoerly recreate new workers.
+
+Bug: b:310455204
+
+Change-Id: I0fafb11c10ffba209a4c49f4a531cfbf09c9c2b4
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535520
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../libaom/source/libaom/av1/av1_cx_iface.c | 15 ++++++++++++++-
+ .../libaom/source/libaom/av1/encoder/encoder.c | 16 ++++------------
+ .../libaom/source/libaom/av1/encoder/ethread.c | 12 ++++++++++++
+ .../libaom/source/libaom/av1/encoder/ethread.h | 2 ++
+ 4 files changed, 32 insertions(+), 13 deletions(-)
+
+diff --git a/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c b/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
+index 1d114779c83..618021a768d 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
+@@ -3078,12 +3078,25 @@ static aom_codec_err_t encoder_encode(aom_codec_alg_priv_t *ctx,
+ av1_compute_num_workers_for_mt(cpi);
+ num_workers = av1_get_max_num_workers(cpi);
+ }
+- if ((num_workers > 1) && (ppi->p_mt_info.num_workers == 0)) {
++ if (num_workers > 1 && ppi->p_mt_info.num_workers < num_workers) {
+ // Obtain the maximum no. of frames that can be supported in a parallel
+ // encode set.
+ if (is_stat_consumption_stage(cpi)) {
+ ppi->num_fp_contexts = av1_compute_num_fp_contexts(ppi, &cpi->oxcf);
+ }
++ if (ppi->p_mt_info.num_workers > 0) {
++ av1_terminate_workers(ppi);
++ free_thread_data(ppi);
++ aom_free(ppi->p_mt_info.tile_thr_data);
++ ppi->p_mt_info.tile_thr_data = NULL;
++ aom_free(ppi->p_mt_info.workers);
++ ppi->p_mt_info.workers = NULL;
++ ppi->p_mt_info.num_workers = 0;
++ for (int j = 0; j < ppi->num_fp_contexts; j++) {
++ aom_free(ppi->parallel_cpi[j]->td.tctx);
++ ppi->parallel_cpi[j]->td.tctx = NULL;
++ }
++ }
+ av1_create_workers(ppi, num_workers);
+ av1_init_tile_thread_data(ppi, cpi->oxcf.pass == AOM_RC_FIRST_PASS);
+ #if CONFIG_MULTITHREAD
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
+index c2bf5b9b344..5825ee00f76 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
+@@ -1558,17 +1558,6 @@ AV1_COMP *av1_create_compressor(AV1_PRIMARY *ppi, const AV1EncoderConfig *oxcf,
+ snprintf((H) + strlen(H), sizeof(H) - strlen(H), (T), (V))
+ #endif // CONFIG_INTERNAL_STATS
+
+-// This function will change the state and free the mutex of corresponding
+-// workers and terminate the object. The object can not be re-used unless a call
+-// to reset() is made.
+-static AOM_INLINE void terminate_worker_data(AV1_PRIMARY *ppi) {
+- PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
+- for (int t = p_mt_info->num_workers - 1; t >= 0; --t) {
+- AVxWorker *const worker = &p_mt_info->workers[t];
+- aom_get_worker_interface()->end(worker);
+- }
+-}
+-
+ void av1_remove_primary_compressor(AV1_PRIMARY *ppi) {
+ if (!ppi) return;
+ #if !CONFIG_REALTIME_ONLY
+@@ -1596,11 +1585,14 @@ void av1_remove_primary_compressor(AV1_PRIMARY *ppi) {
+ av1_tpl_dealloc(&tpl_data->tpl_mt_sync);
+ #endif
+
+- terminate_worker_data(ppi);
++ av1_terminate_workers(ppi);
+ free_thread_data(ppi);
+
+ aom_free(ppi->p_mt_info.tile_thr_data);
++ ppi->p_mt_info.tile_thr_data = NULL;
+ aom_free(ppi->p_mt_info.workers);
++ ppi->p_mt_info.workers = NULL;
++ ppi->p_mt_info.num_workers = 0;
+
+ aom_free(ppi);
+ }
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
+index 8c62b2107c3..d59c4f1d57e 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
+@@ -896,6 +896,7 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) {
+ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) {
+ PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
+ const AVxWorkerInterface *const winterface = aom_get_worker_interface();
++ assert(p_mt_info->num_workers == 0);
+
+ AOM_CHECK_MEM_ERROR(&ppi->error, p_mt_info->workers,
+ aom_malloc(num_workers * sizeof(*p_mt_info->workers)));
+@@ -927,6 +928,17 @@ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) {
+ }
+ }
+
++// This function will change the state and free the mutex of corresponding
++// workers and terminate the object. The object can not be re-used unless a call
++// to reset() is made.
++void av1_terminate_workers(AV1_PRIMARY *ppi) {
++ PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
++ for (int t = 0; t < p_mt_info->num_workers; ++t) {
++ AVxWorker *const worker = &p_mt_info->workers[t];
++ aom_get_worker_interface()->end(worker);
++ }
++}
++
+ // This function returns 1 if frame parallel encode is supported for
+ // the current configuration. Returns 0 otherwise.
+ static AOM_INLINE int is_fpmt_config(AV1_PRIMARY *ppi, AV1EncoderConfig *oxcf) {
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h
+index 6c4bce4db57..942ed64510b 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h
+@@ -87,6 +87,8 @@ int av1_get_max_num_workers(const AV1_COMP *cpi);
+
+ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers);
+
++void av1_terminate_workers(AV1_PRIMARY *ppi);
++
+ void av1_init_frame_mt(AV1_PRIMARY *ppi, AV1_COMP *cpi);
+
+ void av1_init_cdef_worker(AV1_COMP *cpi);
+From da29c7f0b3e2044a7e597498a6fb62a306661f03 Mon Sep 17 00:00:00 2001
+From: Andrey Kosyakov <caseq@chromium.org>
+Date: Fri, 17 Nov 2023 17:48:22 +0000
+Subject: [PATCH] [Backport] CVE-2024-0810: Insufficient policy enforcement in
+ DevTools
+
+Manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5039174:
+Do not let chrome.debugger extensions invoke Network.getAllCookies
+
+Network.getAllCookies is deprecated in favor of Storage.getCookies
+and the latter is not allowed for extensions, so we shouldn't let
+extensions use the former either.
+
+Bug: 1496250
+Change-Id: I3e97e9249dbba61d1f7951ed22ef9b1bef9f2355
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5039174
+Reviewed-by: Danil Somsikov <dsv@chromium.org>
+Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1226203}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535521
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../browser/devtools/protocol/network_handler.cc | 14 ++++++++++----
+ .../browser/devtools/protocol/network_handler.h | 6 ++++--
+ .../devtools/render_frame_devtools_agent_host.cc | 3 ++-
+ .../devtools/service_worker_devtools_agent_host.cc | 3 ++-
+ .../devtools/shared_worker_devtools_agent_host.cc | 3 ++-
+ .../browser/devtools/worker_devtools_agent_host.cc | 3 ++-
+ 6 files changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/chromium/content/browser/devtools/protocol/network_handler.cc b/chromium/content/browser/devtools/protocol/network_handler.cc
+index cfab47157112..7de14e0e4b95 100644
+--- src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.cc
++++ src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.cc
+@@ -109,7 +109,8 @@ using DeleteCookiesCallback = Network::Backend::DeleteCookiesCallback;
+ using ClearBrowserCookiesCallback =
+ Network::Backend::ClearBrowserCookiesCallback;
+
+-const char kInvalidCookieFields[] = "Invalid cookie fields";
++static constexpr char kInvalidCookieFields[] = "Invalid cookie fields";
++static constexpr char kNotAllowedError[] = "Not allowed";
+
+ Network::CertificateTransparencyCompliance SerializeCTPolicyCompliance(
+ net::ct::CTPolicyCompliance ct_compliance) {
+@@ -1027,11 +1028,14 @@ NetworkHandler::NetworkHandler(
+ const base::UnguessableToken& devtools_token,
+ DevToolsIOContext* io_context,
+ base::RepeatingClosure update_loader_factories_callback,
+- bool allow_file_access)
++ bool allow_file_access,
++ bool client_is_trusted)
+ : DevToolsDomainHandler(Network::Metainfo::domainName),
+ host_id_(host_id),
+ devtools_token_(devtools_token),
+ io_context_(io_context),
++ allow_file_access_(allow_file_access),
++ client_is_trusted_(client_is_trusted),
+ browser_context_(nullptr),
+ storage_partition_(nullptr),
+ host_(nullptr),
+@@ -1042,8 +1046,7 @@ NetworkHandler::NetworkHandler(
+ bypass_service_worker_(false),
+ cache_disabled_(false),
+ update_loader_factories_callback_(
+- std::move(update_loader_factories_callback)),
+- allow_file_access_(allow_file_access) {
++ std::move(update_loader_factories_callback)) {
+ DCHECK(io_context_);
+ static bool have_configured_service_worker_context = false;
+ if (have_configured_service_worker_context)
+@@ -1505,6 +1508,9 @@ void NetworkHandler::GetCookies(Maybe<Array<String>> protocol_urls,
+
+ void NetworkHandler::GetAllCookies(
+ std::unique_ptr<GetAllCookiesCallback> callback) {
++ if (!client_is_trusted_) {
++ callback->sendFailure(Response::ServerError(kNotAllowedError));
++ }
+ if (!storage_partition_) {
+ callback->sendFailure(Response::InternalError());
+ return;
+diff --git a/chromium/content/browser/devtools/protocol/network_handler.h b/chromium/content/browser/devtools/protocol/network_handler.h
+index 6cbb0098e892..81636185d04f 100644
+--- src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.h
++++ src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.h
+@@ -72,7 +72,8 @@ class NetworkHandler : public DevToolsDomainHandler,
+ const base::UnguessableToken& devtools_token,
+ DevToolsIOContext* io_context,
+ base::RepeatingClosure update_loader_factories_callback,
+- bool allow_file_access);
++ bool allow_file_access,
++ bool client_is_trusted);
+
+ NetworkHandler(const NetworkHandler&) = delete;
+ NetworkHandler& operator=(const NetworkHandler&) = delete;
+@@ -337,6 +338,8 @@ class NetworkHandler : public DevToolsDomainHandler,
+
+ const base::UnguessableToken devtools_token_;
+ DevToolsIOContext* const io_context_;
++ const bool allow_file_access_;
++ const bool client_is_trusted_;
+
+ std::unique_ptr<Network::Frontend> frontend_;
+ BrowserContext* browser_context_;
+@@ -358,7 +361,6 @@ class NetworkHandler : public DevToolsDomainHandler,
+ loaders_;
+ absl::optional<std::set<net::SourceStream::SourceType>>
+ accepted_stream_types_;
+- const bool allow_file_access_;
+ std::unordered_map<String, std::pair<String, bool>> received_body_data_;
+ base::WeakPtrFactory<NetworkHandler> weak_factory_{this};
+ };
+diff --git a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
+index fe726068dee4..425eded3f56b 100644
+--- src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
++++ src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
+@@ -336,7 +336,8 @@ bool RenderFrameDevToolsAgentHost::AttachSession(DevToolsSession* session,
+ base::BindRepeating(
+ &RenderFrameDevToolsAgentHost::UpdateResourceLoaderFactories,
+ base::Unretained(this)),
+- session->GetClient()->MayReadLocalFiles());
++ session->GetClient()->MayReadLocalFiles(),
++ session->GetClient()->IsTrusted());
+ session->CreateAndAddHandler<protocol::FetchHandler>(
+ GetIOContext(), base::BindRepeating(
+ [](RenderFrameDevToolsAgentHost* self,
+diff --git a/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc b/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc
+index d2b307373ea1..7278a116ec78 100644
+--- src/3rdparty/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc
++++ src/3rdparty/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc
+@@ -230,7 +230,8 @@ bool ServiceWorkerDevToolsAgentHost::AttachSession(DevToolsSession* session,
+ session->CreateAndAddHandler<protocol::InspectorHandler>();
+ session->CreateAndAddHandler<protocol::NetworkHandler>(
+ GetId(), devtools_worker_token_, GetIOContext(), base::DoNothing(),
+- session->GetClient()->MayReadLocalFiles());
++ session->GetClient()->MayReadLocalFiles(),
++ session->GetClient()->IsTrusted());
+
+ session->CreateAndAddHandler<protocol::FetchHandler>(
+ GetIOContext(),
+diff --git a/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc b/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc
+index 6cfb49a9cb63..da9c8a3d18a4 100644
+--- src/3rdparty/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc
++++ src/3rdparty/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc
+@@ -91,7 +91,8 @@ bool SharedWorkerDevToolsAgentHost::AttachSession(DevToolsSession* session,
+ session->CreateAndAddHandler<protocol::InspectorHandler>();
+ session->CreateAndAddHandler<protocol::NetworkHandler>(
+ GetId(), devtools_worker_token_, GetIOContext(),
+- base::BindRepeating([] {}), session->GetClient()->MayReadLocalFiles());
++ base::BindRepeating([] {}), session->GetClient()->MayReadLocalFiles(),
++ session->GetClient()->IsTrusted());
+ // TODO(crbug.com/1143100): support pushing updated loader factories down to
+ // renderer.
+ session->CreateAndAddHandler<protocol::FetchHandler>(
+diff --git a/chromium/content/browser/devtools/worker_devtools_agent_host.cc b/chromium/content/browser/devtools/worker_devtools_agent_host.cc
+index 5bca24a4bb16..dbce6e066adb 100644
+--- src/3rdparty/chromium/content/browser/devtools/worker_devtools_agent_host.cc
++++ src/3rdparty/chromium/content/browser/devtools/worker_devtools_agent_host.cc
+@@ -137,7 +137,8 @@ bool WorkerDevToolsAgentHost::AttachSession(DevToolsSession* session,
+ auto_attacher_.get(), session);
+ session->CreateAndAddHandler<protocol::NetworkHandler>(
+ GetId(), devtools_worker_token_, GetIOContext(), base::DoNothing(),
+- session->GetClient()->MayReadLocalFiles());
++ session->GetClient()->MayReadLocalFiles(),
++ session->GetClient()->IsTrusted());
+ return true;
+ }
+
+From 9b72e2301892ea6619fb6e64f67812238ad56830 Mon Sep 17 00:00:00 2001
+From: Bo Liu <boliu@chromium.org>
+Date: Mon, 18 Sep 2023 21:17:14 +0000
+Subject: [PATCH] [Backport] Security bug 1407197 (1/2)
+
+Partial manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/4869854:
+Tag WebContents ownership for debugging
+
+Tag WebContents owner and add it as a CrashKey for the
+DumpWithoutCrashing in ~WebContentsOfBrowserContext.
+
+The actual tags in this CL is more focused on android and is not
+exhaustive. Can keep adding new ones in the future as needed.
+
+Bug: 1407197
+Change-Id: I6c0261ae5967fdb01ff2a5f3d0d6fe07f572bd20
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4869854
+Reviewed-by: Ted Choc <tedchoc@chromium.org>
+Commit-Queue: Bo Liu <boliu@chromium.org>
+Reviewed-by: Avi Drissman <avi@chromium.org>
+Reviewed-by: Finnur Thorarinsson <finnur@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1198010}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535707
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../browser/distiller_page_web_contents.cc | 6 +++-
+ .../guest_view/browser/guest_view_base.cc | 6 ++++
+ .../browser/no_state_prefetch_contents.cc | 1 +
+ .../browser/no_state_prefetch_manager.cc | 5 +++
+ .../background_loader_contents.cc | 1 +
+ chromium/content/browser/portal/portal.cc | 3 ++
+ chromium/content/browser/portal/portal.h | 3 ++
+ .../browser/web_contents/web_contents_impl.cc | 31 +++++++++++++++++--
+ .../browser/web_contents/web_contents_impl.h | 8 +++++
+ .../content/public/browser/web_contents.h | 6 ++++
+ chromium/extensions/browser/extension_host.cc | 3 +-
+ 11 files changed, 69 insertions(+), 4 deletions(-)
+
+diff --git a/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc b/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc
+index e4025f7bc94c..78abc76a6bf2 100644
+--- src/3rdparty/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc
++++ src/3rdparty/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc
+@@ -30,7 +30,11 @@ namespace dom_distiller {
+ SourcePageHandleWebContents::SourcePageHandleWebContents(
+ content::WebContents* web_contents,
+ bool owned)
+- : web_contents_(web_contents), owned_(owned) {}
++ : web_contents_(web_contents), owned_(owned) {
++ if (web_contents_ && owned) {
++ web_contents_->SetOwnerLocationForDebug(FROM_HERE);
++ }
++}
+
+ SourcePageHandleWebContents::~SourcePageHandleWebContents() {
+ if (owned_) {
+diff --git a/chromium/components/guest_view/browser/guest_view_base.cc b/chromium/components/guest_view/browser/guest_view_base.cc
+index d2ea8b7ce3fd..06ba6ab1c7fc 100644
+--- src/3rdparty/chromium/components/guest_view/browser/guest_view_base.cc
++++ src/3rdparty/chromium/components/guest_view/browser/guest_view_base.cc
+@@ -480,6 +480,9 @@ void GuestViewBase::WillAttach(
+ std::unique_ptr<WebContents> owned_guest_contents =
+ std::move(owned_guest_contents_);
+ DCHECK_EQ(owned_guest_contents.get(), web_contents());
++ if (owned_guest_contents) {
++ owned_guest_contents->SetOwnerLocationForDebug(absl::nullopt);
++ }
+
+ // Since this inner WebContents is created from the browser side we do
+ // not have RemoteFrame mojo channels so we pass in
+@@ -774,6 +777,9 @@ void GuestViewBase::TakeGuestContentsOwnership(
+ std::unique_ptr<WebContents> guest_web_contents) {
+ DCHECK(!owned_guest_contents_);
+ owned_guest_contents_ = std::move(guest_web_contents);
++ if (owned_guest_contents_) {
++ owned_guest_contents_->SetOwnerLocationForDebug(FROM_HERE);
++ }
+ }
+
+ void GuestViewBase::ClearOwnedGuestContents() {
+diff --git a/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc b/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc
+index f2f8dc5ff921..35fac905dc1f 100644
+--- src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc
++++ src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc
+@@ -271,6 +271,7 @@ void NoStatePrefetchContents::StartPrerendering(
+ attempt_.get(), content::PreloadingTriggeringOutcome::kRunning);
+
+ no_state_prefetch_contents_ = CreateWebContents(session_storage_namespace);
++ no_state_prefetch_contents_->SetOwnerLocationForDebug(FROM_HERE);
+ content::WebContentsObserver::Observe(no_state_prefetch_contents_.get());
+ delegate_->OnNoStatePrefetchContentsCreated(
+ no_state_prefetch_contents_.get());
+diff --git a/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc b/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc
+index 3403fa8d1342..7397d1aa5de5 100644
+--- src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc
++++ src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc
+@@ -118,6 +118,7 @@ class NoStatePrefetchManager::OnCloseWebContentsDeleter
+ OnCloseWebContentsDeleter(NoStatePrefetchManager* manager,
+ std::unique_ptr<WebContents> tab)
+ : manager_(manager), tab_(std::move(tab)) {
++ tab_->SetOwnerLocationForDebug(FROM_HERE);
+ tab_->SetDelegate(this);
+ base::SingleThreadTaskRunner::GetCurrentDefault()->PostDelayedTask(
+ FROM_HERE,
+@@ -140,6 +141,7 @@ class NoStatePrefetchManager::OnCloseWebContentsDeleter
+ void ScheduleWebContentsForDeletion(bool timeout) {
+ UMA_HISTOGRAM_BOOLEAN("Prerender.TabContentsDeleterTimeout", timeout);
+ tab_->SetDelegate(nullptr);
++ tab_->SetOwnerLocationForDebug(absl::nullopt);
+ manager_->ScheduleDeleteOldWebContents(std::move(tab_), this);
+ // |this| is deleted at this point.
+ }
+@@ -981,6 +983,9 @@ void NoStatePrefetchManager::CleanUpOldNavigations(
+ void NoStatePrefetchManager::ScheduleDeleteOldWebContents(
+ std::unique_ptr<WebContents> tab,
+ OnCloseWebContentsDeleter* deleter) {
++ if (tab) {
++ tab->SetOwnerLocationForDebug(FROM_HERE);
++ }
+ old_web_contents_list_.push_back(std::move(tab));
+ PostCleanupTask();
+
+diff --git a/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc b/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc
+index e055852342ae..524b71f68bc0 100644
+--- src/3rdparty/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc
++++ src/3rdparty/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc
+@@ -23,6 +23,7 @@ BackgroundLoaderContents::BackgroundLoaderContents(
+ // could kill the background offliner while it was running.
+ web_contents_ = content::WebContents::Create(
+ content::WebContents::CreateParams(browser_context_));
++ web_contents_->SetOwnerLocationForDebug(FROM_HERE);
+ web_contents_->SetAudioMuted(true);
+ web_contents_->SetDelegate(this);
+ }
+diff --git a/chromium/content/browser/portal/portal.cc b/chromium/content/browser/portal/portal.cc
+index f9b06fbab8df..b0c8b201db29 100644
+--- src/3rdparty/chromium/content/browser/portal/portal.cc
++++ src/3rdparty/chromium/content/browser/portal/portal.cc
+@@ -731,6 +731,9 @@ void Portal::WebContentsHolder::SetOwned(
+ std::unique_ptr<WebContents> web_contents) {
+ SetUnowned(static_cast<WebContentsImpl*>(web_contents.get()));
+ owned_contents_ = std::move(web_contents);
++ if (owned_contents_) {
++ owned_contents_->SetOwnerLocationForDebug(FROM_HERE);
++ }
+ }
+
+ void Portal::WebContentsHolder::Clear() {
+diff --git a/chromium/content/browser/portal/portal.h b/chromium/content/browser/portal/portal.h
+index 055d8e4f0cf5..aecf381ed594 100644
+--- src/3rdparty/chromium/content/browser/portal/portal.h
++++ src/3rdparty/chromium/content/browser/portal/portal.h
+@@ -177,6 +177,9 @@ class CONTENT_EXPORT Portal : public blink::mojom::Portal,
+ // caller.
+ std::unique_ptr<WebContents> ReleaseOwnership() {
+ DCHECK(OwnsContents());
++ if (owned_contents_) {
++ owned_contents_->SetOwnerLocationForDebug(absl::nullopt);
++ }
+ return std::move(owned_contents_);
+ }
+
+diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc
+index 8b3f7055430c..d8b3ad83bbb6 100644
+--- src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc
++++ src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc
+@@ -795,6 +795,9 @@ void WebContentsImpl::WebContentsTreeNode::AttachInnerWebContents(
+ inner_web_contents_node.outer_contents_frame_tree_node_id_ =
+ render_frame_host->frame_tree_node()->frame_tree_node_id();
+
++ if (inner_web_contents) {
++ inner_web_contents->SetOwnerLocationForDebug(FROM_HERE);
++ }
+ inner_web_contents_.push_back(std::move(inner_web_contents));
+
+ render_frame_host->frame_tree_node()->AddObserver(&inner_web_contents_node);
+@@ -814,6 +817,9 @@ WebContentsImpl::WebContentsTreeNode::DetachInnerWebContents(
+ std::swap(web_contents, inner_web_contents_.back());
+ inner_web_contents_.pop_back();
+ current_web_contents_->InnerWebContentsDetached(inner_web_contents);
++ if (detached_contents) {
++ detached_contents->SetOwnerLocationForDebug(absl::nullopt);
++ }
+ return detached_contents;
+ }
+ }
+@@ -922,13 +928,29 @@ class WebContentsOfBrowserContext : public base::SupportsUserData::Data {
+ // RenderFrameHosts, SiteInstances, etc.) risk causing
+ // use-after-free bugs. For more discussion about managing the
+ // lifetime of WebContents please see https://crbug.com/1376879#c44.
+- for (WebContents* web_contents_with_dangling_ptr_to_browser_context :
++ for (WebContentsImpl* web_contents_with_dangling_ptr_to_browser_context :
+ web_contents_set_) {
+ std::string creator = web_contents_with_dangling_ptr_to_browser_context
+ ->GetCreatorLocation()
+ .ToString();
+ SCOPED_CRASH_KEY_STRING256("shutdown", "web_contents/creator", creator);
+
++ const absl::optional<base::Location>& ownership_location =
++ web_contents_with_dangling_ptr_to_browser_context
++ ->ownership_location();
++ std::string owner;
++ if (ownership_location) {
++ if (ownership_location->has_source_info()) {
++ owner = std::string(ownership_location->function_name()) + "@" +
++ ownership_location->file_name();
++ } else {
++ owner = "no_source_info";
++ }
++ } else {
++ owner = "unknown";
++ }
++ SCOPED_CRASH_KEY_STRING256("shutdown", "web_contents/owner", owner);
++
+ #if BUILDFLAG(IS_ANDROID)
+ // On Android, also report the Java stack trace from WebContents's
+ // creation.
+@@ -974,7 +996,7 @@ class WebContentsOfBrowserContext : public base::SupportsUserData::Data {
+ // Usage of `raw_ptr` below is okay (i.e. it shouldn't dangle), because
+ // when `WebContentsImpl`'s destructor runs, then it removes the set entry
+ // (by calling `Detach`).
+- std::set<raw_ptr<WebContents>> web_contents_set_;
++ std::set<raw_ptr<WebContentsImpl>> web_contents_set_;
+ };
+
+ } // namespace
+@@ -9697,6 +9719,11 @@ std::unique_ptr<PrerenderHandle> WebContentsImpl::StartPrerendering(
+ return nullptr;
+ }
+
++void WebContentsImpl::SetOwnerLocationForDebug(
++ absl::optional<base::Location> owner_location) {
++ ownership_location_ = owner_location;
++}
++
+ void WebContentsImpl::AboutToBeDiscarded(WebContents* new_contents) {
+ observers_.NotifyObservers(&WebContentsObserver::AboutToBeDiscarded,
+ new_contents);
+diff --git a/chromium/content/browser/web_contents/web_contents_impl.h b/chromium/content/browser/web_contents/web_contents_impl.h
+index bc3dc3d00a39..815694c05b18 100644
+--- src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.h
++++ src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.h
+@@ -858,6 +858,8 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents,
+ PreloadingAttempt* preloading_attempt,
+ absl::optional<base::RepeatingCallback<bool(const GURL&)>>
+ url_match_predicate = absl::nullopt) override;
++ void SetOwnerLocationForDebug(
++ absl::optional<base::Location> owner_location) override;
+
+ // NavigatorDelegate ---------------------------------------------------------
+
+@@ -1346,6 +1348,10 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents,
+
+ ui::mojom::VirtualKeyboardMode GetVirtualKeyboardMode() const;
+
++ const absl::optional<base::Location>& ownership_location() const {
++ return ownership_location_;
++ }
++
+ private:
+ using FrameTreeIterationCallback = base::RepeatingCallback<void(FrameTree&)>;
+ using RenderViewHostIterationCallback =
+@@ -2370,6 +2376,8 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents,
+
+ base::WeakPtr<FileChooserImpl> active_file_chooser_;
+
++ absl::optional<base::Location> ownership_location_;
++
+ base::WeakPtrFactory<WebContentsImpl> loading_weak_factory_{this};
+ base::WeakPtrFactory<WebContentsImpl> weak_factory_{this};
+ };
+diff --git a/chromium/content/public/browser/web_contents.h b/chromium/content/public/browser/web_contents.h
+index bdd18c6c4ed8..6490fefaa940 100644
+--- src/3rdparty/chromium/content/public/browser/web_contents.h
++++ src/3rdparty/chromium/content/public/browser/web_contents.h
+@@ -1393,6 +1393,12 @@ class WebContents : public PageNavigator,
+ absl::optional<base::RepeatingCallback<bool(const GURL&)>>
+ url_match_predicate = absl::nullopt) = 0;
+
++ // Tag `WebContents` with its owner. Used purely for debugging purposes so it
++ // does not need to be exhaustive or perfectly correct.
++ // TODO(crbug.com/1407197): Remove after bug is fixed.
++ virtual void SetOwnerLocationForDebug(
++ absl::optional<base::Location> owner_location) = 0;
++
+ private:
+ // This interface should only be implemented inside content.
+ friend class WebContentsImpl;
+diff --git a/chromium/extensions/browser/extension_host.cc b/chromium/extensions/browser/extension_host.cc
+index 91928c8b7811..42c92939788b 100644
+--- src/3rdparty/chromium/extensions/browser/extension_host.cc
++++ src/3rdparty/chromium/extensions/browser/extension_host.cc
+@@ -63,7 +63,8 @@ ExtensionHost::ExtensionHost(const Extension* extension,
+ host_type == mojom::ViewType::kExtensionPopup ||
+ host_type == mojom::ViewType::kExtensionSidePanel);
+ host_contents_ = WebContents::Create(
+- WebContents::CreateParams(browser_context_, site_instance)),
++ WebContents::CreateParams(browser_context_, site_instance));
++ host_contents_->SetOwnerLocationForDebug(FROM_HERE);
+ content::WebContentsObserver::Observe(host_contents_.get());
+ host_contents_->SetDelegate(this);
+ SetViewType(host_contents_.get(), host_type);
+From e257d6513927fa24df48075bce9b33c4b5f546ff Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Michael=20Br=C3=BCning?= <michael.bruning@qt.io>
+Date: Tue, 30 Jan 2024 11:51:16 +0100
+Subject: [PATCH] [Backport] Security bug 1407197 (2/2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5080603:
+Safely crash on dangling profile
+
+Bug: 1407197
+Change-Id: Idcafd8f0ba2f980d06338e573489a3456e3823c1
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5080603
+Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
+Commit-Queue: Bo Liu <boliu@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1232704}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535708
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../browser/web_contents/web_contents_impl.cc | 22 ++++++++++++++-----
+ 1 file changed, 17 insertions(+), 5 deletions(-)
+
+diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc
+index d8b3ad83bbb..3087f9c3e0b 100644
+--- src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc
++++ src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc
+@@ -220,6 +220,11 @@ namespace {
+ // The window which we dobounce load info updates in.
+ constexpr auto kUpdateLoadStatesInterval = base::Milliseconds(250);
+
++// Kill switch for crash immediately on dangling BrowserContext.
++BASE_FEATURE(kCrashOnDanglingBrowserContext,
++ "CrashOnDanglingBrowserContext",
++ base::FEATURE_ENABLED_BY_DEFAULT);
++
+ using LifecycleState = RenderFrameHost::LifecycleState;
+ using LifecycleStateImpl = RenderFrameHostImpl::LifecycleStateImpl;
+
+@@ -958,11 +963,18 @@ class WebContentsOfBrowserContext : public base::SupportsUserData::Data {
+ env, web_contents_with_dangling_ptr_to_browser_context);
+ #endif // BUILDFLAG(IS_ANDROID)
+
+- NOTREACHED()
+- << "BrowserContext is getting destroyed without first closing all "
+- << "WebContents (for more info see https://crbug.com/1376879#c44); "
+- << "creator = " << creator;
+- base::debug::DumpWithoutCrashing();
++ if (base::FeatureList::IsEnabled(kCrashOnDanglingBrowserContext)) {
++ LOG(FATAL)
++ << "BrowserContext is getting destroyed without first closing all "
++ << "WebContents (for more info see https://crbug.com/1376879#c44); "
++ << "creator = " << creator;
++ } else {
++ NOTREACHED()
++ << "BrowserContext is getting destroyed without first closing all "
++ << "WebContents (for more info see https://crbug.com/1376879#c44); "
++ << "creator = " << creator;
++ base::debug::DumpWithoutCrashing();
++ }
+ }
+ }
+
diff --git a/www/qt6-webengine/files/patch-src_3rdparty_chromium_v8_src_codegen_arm_cpu-arm.cc b/www/qt6-webengine/files/patch-src_3rdparty_chromium_v8_src_codegen_arm_cpu-arm.cc
new file mode 100644
index 000000000000..e9c6528415ac
--- /dev/null
+++ b/www/qt6-webengine/files/patch-src_3rdparty_chromium_v8_src_codegen_arm_cpu-arm.cc
@@ -0,0 +1,24 @@
+--- src/3rdparty/chromium/v8/src/codegen/arm/cpu-arm.cc.orig 2023-11-20 16:08:07 UTC
++++ src/3rdparty/chromium/v8/src/codegen/arm/cpu-arm.cc
+@@ -3,6 +3,10 @@
+ // found in the LICENSE file.
+
+ // CPU specific code for arm independent of OS goes here.
++#if V8_TARGET_ARCH_ARM
++
++#include "src/codegen/cpu-features.h"
++
+ #ifdef __arm__
+ #ifdef __QNXNTO__
+ #include <sys/mman.h> // for cache flushing.
+@@ -16,10 +20,6 @@
+ #include <sys/syscall.h> // for cache flushing.
+ #endif
+ #endif
+-
+-#if V8_TARGET_ARCH_ARM
+-
+-#include "src/codegen/cpu-features.h"
+
+ namespace v8 {
+ namespace internal {