author | Jason E. Hale <jhale@FreeBSD.org> | 2024-01-31 19:45:55 +0000 |
---|---|---|
committer | Jason E. Hale <jhale@FreeBSD.org> | 2024-01-31 20:09:49 +0000 |
commit | d4aaa430d08417fb216e5ee98f8db322b64e82e4 (patch) | |
tree | ff680191b9178ffc570f2e37004cfb28c79cf246 | |
parent | 7e75892bfdb98efc1497b71e8e4549a8f3132262 (diff) | |
www/qt6-webengine: Address security vulnerabilities
Add speculative build fix for armv7.
MFH: 2024Q1
Security: bbcb1584-c068-11ee-bdd6-4ccc6adda413
(cherry picked from commit 214eb4d92c6739ef0da1eba2cdc10a97bdf6af30)
-rw-r--r-- | www/qt6-webengine/Makefile | 2 | ||||
-rw-r--r-- | www/qt6-webengine/files/patch-security-rollup | 1179 | ||||
-rw-r--r-- | www/qt6-webengine/files/patch-src_3rdparty_chromium_v8_src_codegen_arm_cpu-arm.cc | 24 |
3 files changed, 1203 insertions, 2 deletions
diff --git a/www/qt6-webengine/Makefile b/www/qt6-webengine/Makefile
index d7371916a4f4..b62f3f3a255b 100644
--- a/www/qt6-webengine/Makefile
+++ b/www/qt6-webengine/Makefile
@@ -12,7 +12,7 @@ PORTNAME?= webengine
 DISTVERSION= ${QT6_VERSION}
-PORTREVISION?= 3 # Master port for print/qt6-pdf. Please keep this line.
+PORTREVISION?= 4 # Master port for print/qt6-pdf. Please keep this line.
 CATEGORIES?= www
 PKGNAMEPREFIX= qt6-
diff --git a/www/qt6-webengine/files/patch-security-rollup b/www/qt6-webengine/files/patch-security-rollup
index bb16a291c80d..3f67e42ad06b 100644
--- a/www/qt6-webengine/files/patch-security-rollup
+++ b/www/qt6-webengine/files/patch-security-rollup
@@ -23,8 +23,13 @@ Addresses the following security issues:
 - CVE-2024-0222
 - Security bug 1511689
 - CVE-2024-0519
-- CVE-2025-0518
+- CVE-2024-0518
 - Security bug 1506535
+- CVE-2024-0808
+- CVE-2024-0807
+- Security bug 1511389
+- CVE-2024-0810
+- Security bug 1407197
 From 669506a53474e3d7637666d3c53f6101fb94d96f Mon Sep 17 00:00:00 2001
 From: Nidhi Jaju <nidhijaju@chromium.org>
@@ -3260,3 +3265,1175 @@ index 59bbb727e6b..8b3f7055430 100644 if (keyboard_lock_widget_) delegate_->CancelKeyboardLockRequest(this); +From 8ab0eb9f07be8cd735e03b5536fc2e361e70a5cf Mon Sep 17 00:00:00 2001 +From: Lyra Rebane <rebane2001@gmail.com> +Date: Mon, 8 Jan 2024 13:39:46 +0000 +Subject: [PATCH] [Backport] CVE-2024-0808: Integer underflow in WebUI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5177426: +Verify resource order in data pack files + +This CL adds a resource order check when loading a data pack or calling DataPack::GetStringPiece to make sure the resources are ordered sequentially in memory. + +Bug: 1504936 +Change-Id: Ie3bf1d9dbac937407355935a859a5daa9ce84350 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5059113 +Commit-Queue: Peter Boström <pbos@chromium.org> +Cr-Commit-Position: refs/heads/main@{#1238675} +(cherry picked from commit c4b2e6246ad0e95eaf0727bb25a2e4969155e989) +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535516 +Reviewed-by: Michal Klocek <michal.klocek@qt.io> +--- + chromium/AUTHORS | 1 + + chromium/ui/base/resource/data_pack.cc | 19 ++++++++++++++++++- + .../ui/base/resource/data_pack_literal.cc | 12 ++++++++++++ + chromium/ui/base/resource/data_pack_literal.h | 2 ++ + .../ui/base/resource/data_pack_unittest.cc | 7 +++++++ + 5 files changed, 40 insertions(+), 1 deletion(-) + +diff --git a/chromium/AUTHORS b/chromium/AUTHORS +index ff6abe8d1135..772aab22c671 100644 +--- src/3rdparty/chromium/AUTHORS ++++ src/3rdparty/chromium/AUTHORS +@@ -769,6 +769,7 @@ Luke Seunghoe Gu <gulukesh@gmail.com> + Luke Zarko <lukezarko@gmail.com> + Luoxi Pan <l.panpax@gmail.com> + Lu Yahan <yahan@iscas.ac.cn> ++Lyra Rebane <rebane2001@gmail.com> + Ma Aiguo <imaiguo@gmail.com> + Maarten Lankhorst <m.b.lankhorst@gmail.com> + Maciej Pawlowski 
<m.pawlowski@eyeo.com> +diff --git a/chromium/ui/base/resource/data_pack.cc b/chromium/ui/base/resource/data_pack.cc +index 74069c99d00a..6dc0985b78dd 100644 +--- src/3rdparty/chromium/ui/base/resource/data_pack.cc ++++ src/3rdparty/chromium/ui/base/resource/data_pack.cc +@@ -310,7 +310,16 @@ bool DataPack::SanityCheckFileAndRegisterResources(size_t margin_to_skip, + } + } + +- // 3) Verify the aliases are within the appropriate bounds. ++ // 3) Verify the entries are ordered correctly. ++ for (size_t i = 0; i < resource_count_; ++i) { ++ if (resource_table_[i].file_offset > resource_table_[i + 1].file_offset) { ++ LOG(ERROR) << "Data pack file corruption: " ++ << "Entry #" << i + 1 << " before Entry #" << i << "."; ++ return false; ++ } ++ } ++ ++ // 4) Verify the aliases are within the appropriate bounds. + for (size_t i = 0; i < alias_count_; ++i) { + if (alias_table_[i].entry_index >= resource_count_) { + LOG(ERROR) << "Data pack file corruption: " +@@ -428,6 +437,14 @@ bool DataPack::GetStringPiece(uint16_t resource_id, + << "file modified?"; + return false; + } ++ if (target->file_offset > next_entry->file_offset) { ++ size_t entry_index = target - resource_table_; ++ size_t next_index = next_entry - resource_table_; ++ LOG(ERROR) << "Entry #" << next_index << " in data pack is before Entry #" ++ << entry_index << ". This should have been caught when loading. 
" ++ << "Was the file modified?"; ++ return false; ++ } + + MaybePrintResourceId(resource_id); + GetStringPieceFromOffset(target->file_offset, next_entry->file_offset, +diff --git a/chromium/ui/base/resource/data_pack_literal.cc b/chromium/ui/base/resource/data_pack_literal.cc +index caac0709b42b..4197ea03fd68 100644 +--- src/3rdparty/chromium/ui/base/resource/data_pack_literal.cc ++++ src/3rdparty/chromium/ui/base/resource/data_pack_literal.cc +@@ -89,6 +89,18 @@ const uint8_t kSampleCorruptPakContents[] = { + + const size_t kSampleCorruptPakSize = sizeof(kSampleCorruptPakContents); + ++const uint8_t kSampleMisorderedPakContents[] = { ++ 0x05, 0x00, 0x00, 0x00, // version ++ 0x01, 0x00, 0x00, 0x00, // encoding + padding ++ 0x02, 0x00, 0x00, 0x00, // num_resources, num_aliases ++ 0x06, 0x00, 0x2a, 0x00, 0x00, 0x00, // index entry 6 (wrong order) ++ 0x04, 0x00, 0x1e, 0x00, 0x00, 0x00, // index entry 4 ++ 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, // extra entry for the size of last ++ 't', 'h', 'i', 's', ' ', 'i', 's', ' ', 'i', 'd', ' ', '4', ++ 't', 'h', 'i', 's', ' ', 'i', 's', ' ', 'i', 'd', ' ', '6'}; ++ ++const size_t kSampleMisorderedPakSize = sizeof(kSampleMisorderedPakContents); ++ + const uint8_t kSamplePakContents2x[] = { + 0x04, 0x00, 0x00, 0x00, // header(version + 0x01, 0x00, 0x00, 0x00, // no. 
entries +diff --git a/chromium/ui/base/resource/data_pack_literal.h b/chromium/ui/base/resource/data_pack_literal.h +index eb5a94895f2d..9173ce149935 100644 +--- src/3rdparty/chromium/ui/base/resource/data_pack_literal.h ++++ src/3rdparty/chromium/ui/base/resource/data_pack_literal.h +@@ -22,6 +22,8 @@ extern const uint8_t kEmptyPakContents[]; + extern const size_t kEmptyPakSize; + extern const uint8_t kSampleCorruptPakContents[]; + extern const size_t kSampleCorruptPakSize; ++extern const uint8_t kSampleMisorderedPakContents[]; ++extern const size_t kSampleMisorderedPakSize; + + } // namespace ui + +diff --git a/chromium/ui/base/resource/data_pack_unittest.cc b/chromium/ui/base/resource/data_pack_unittest.cc +index 25b33b813ac4..0a4a169ca225 100644 +--- src/3rdparty/chromium/ui/base/resource/data_pack_unittest.cc ++++ src/3rdparty/chromium/ui/base/resource/data_pack_unittest.cc +@@ -366,4 +366,11 @@ TEST(DataPackTest, ModifiedWhileUsed) { + } + #endif + ++TEST(DataPackTest, Misordered) { ++ DataPack pack(k100Percent); ++ ++ ASSERT_FALSE(pack.LoadFromBuffer( ++ {kSampleMisorderedPakContents, kSampleMisorderedPakSize})); ++} ++ + } // namespace ui +From 46069ff72f6e1d6fe75bd2c04350bcd74b308923 Mon Sep 17 00:00:00 2001 +From: Hongchan Choi <hongchan@chromium.org> +Date: Fri, 12 Jan 2024 22:57:22 +0000 +Subject: [PATCH] [Backport] CVE-2024-0807: Use after free in WebAudio + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5225523: +Update rendering state of automatic pull nodes before graph rendering + +M114 merge issues: + third_party/blink/renderer/modules/webaudio/analyser_handler.cc: + PullInputs/CheckNumberOfChannelsForInput not present in 114. + +In rare cases, the rendering fan out count of automatic pull node +does not match the main thread fan out count after recreating +a platform destination followed by disconnection. 
+ +This CL forces the update of the rendering state of automatic +pull nodes before graph rendering to make sure that fan out counts +are synchronized before executing the audio processing function call. + +NOTE: This change makes 2 WPTs fail. The follow-up work is planned +to address them once this patch is merged. + +Bug: 1505080 +Test: Locally confirmed that ASAN doesn't crash on all repro cases. +Change-Id: I6768cd8bc64525ea9d56a19b9c58439e9cdab9a8 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5131958 +Commit-Queue: Hongchan Choi <hongchan@chromium.org> +Cr-Commit-Position: refs/heads/main@{#1246718} +(cherry picked from commit f4bffa09b46c21147431179e1e6dd2b27bc35fbc) +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535517 +Reviewed-by: Michal Klocek <michal.klocek@qt.io> +--- + .../renderer/modules/webaudio/analyser_handler.cc | 14 ++++++++++++-- + .../modules/webaudio/audio_worklet_handler.cc | 7 +++++-- + .../modules/webaudio/audio_worklet_processor.cc | 6 ++++++ + .../modules/webaudio/deferred_task_handler.cc | 10 ++++++++++ + 4 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc +index c823c923a1cc..87a1f109a28c 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc +@@ -39,9 +39,14 @@ AnalyserHandler::~AnalyserHandler() { + } + + void AnalyserHandler::Process(uint32_t frames_to_process) { +- AudioBus* output_bus = Output(0).Bus(); ++ DCHECK(Context()->IsAudioThread()); + +- if (!IsInitialized()) { ++ // It's possible that output is not connected. Assign nullptr to indicate ++ // such case. ++ AudioBus* output_bus = ++ Output(0).RenderingFanOutCount() > 0 ? 
Output(0).Bus() : nullptr; ++ ++ if (!IsInitialized() && output_bus) { + output_bus->Zero(); + return; + } +@@ -53,6 +58,11 @@ void AnalyserHandler::Process(uint32_t frames_to_process) { + // Analyser reflects the current input. + analyser_.WriteInput(input_bus.get(), frames_to_process); + ++ // Subsequent steps require `output_bus` to be valid. ++ if (!output_bus) { ++ return; ++ } ++ + if (!Input(0).IsConnected()) { + // No inputs, so clear the output, and propagate the silence hint. + output_bus->Zero(); +diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc +index 7f591531ad6f..b2b1500d3aab 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc +@@ -114,12 +114,15 @@ void AudioWorkletHandler::Process(uint32_t frames_to_process) { + // We also need to check if the global scope is valid before we request + // the rendering in the AudioWorkletGlobalScope. + if (processor_ && !processor_->hasErrorOccurred()) { +- // If the input is not connected, inform the processor with nullptr. ++ // If the input or the output is not connected, inform the processor with ++ // nullptr. + for (unsigned i = 0; i < NumberOfInputs(); ++i) { + inputs_[i] = Input(i).IsConnected() ? Input(i).Bus() : nullptr; + } + for (unsigned i = 0; i < NumberOfOutputs(); ++i) { +- outputs_[i] = WrapRefCounted(Output(i).Bus()); ++ outputs_[i] = Output(i).RenderingFanOutCount() > 0 ++ ? 
WrapRefCounted(Output(i).Bus()) ++ : nullptr; + } + + for (const auto& param_name : param_value_map_.Keys()) { +diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc +index 1f884cb12b43..c47e39effa40 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc +@@ -367,6 +367,12 @@ void AudioWorkletProcessor::CopyArrayBuffersToPort( + + for (uint32_t bus_index = 0; bus_index < audio_port.size(); ++bus_index) { + const scoped_refptr<AudioBus>& audio_bus = audio_port[bus_index]; ++ ++ // nullptr indicates the output bus is not connected. Do not proceed. ++ if (!audio_bus) { ++ break; ++ } ++ + for (uint32_t channel_index = 0; + channel_index < audio_bus->NumberOfChannels(); ++channel_index) { + auto backing_store = array_buffers[bus_index][channel_index] +diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc +index fa1de8f37b9b..4730383dafa9 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc +@@ -172,6 +172,16 @@ void DeferredTaskHandler::UpdateAutomaticPullNodes() { + base::AutoTryLock try_locker(automatic_pull_handlers_lock_); + if (try_locker.is_acquired()) { + rendering_automatic_pull_handlers_.assign(automatic_pull_handlers_); ++ ++ // In rare cases, it is possible for automatic pull nodes' output bus ++ // to become stale. Make sure update their rendering output counts. ++ // crbug.com/1505080. 
++ for (auto& handler : rendering_automatic_pull_handlers_) { ++ for (unsigned i = 0; i < handler->NumberOfOutputs(); ++i) { ++ handler->Output(i).UpdateRenderingState(); ++ } ++ } ++ + automatic_pull_handlers_need_updating_ = false; + } + } +From 0801943eea5309d1912bac96ed15af49b9f4e532 Mon Sep 17 00:00:00 2001 +From: Cheng Chen <chengchen@google.com> +Date: Thu, 7 Dec 2023 12:17:23 -0800 +Subject: [PATCH] [Backport] Security bug 1511389 (1/2) + +Manual partial cherry-pick of patch originally reviewed on +https://aomedia-review.googlesource.com/c/aom/+/184763: +Do not use adaptive error estimate + +When the reference frame size is different than the current, +we will not use adaptive error estimate. + +STATS_CHANGED + +Bug: b:314858909 +Change-Id: Ic64d9b4a1d94889d7283c044b17ffc24627478d7 +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535518 +Reviewed-by: Michal Klocek <michal.klocek@qt.io> +--- + .../libaom/source/libaom/av1/encoder/ratectrl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c +index 4ea1c9a3e33..c7b503d80a2 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c +@@ -187,8 +187,7 @@ int av1_rc_bits_per_mb(const AV1_COMP *cpi, FRAME_TYPE frame_type, int qindex, + assert(correction_factor <= MAX_BPB_FACTOR && + correction_factor >= MIN_BPB_FACTOR); + +- if (frame_type != KEY_FRAME && accurate_estimate) { +- assert(cpi->rec_sse != UINT64_MAX); ++ if (frame_type != KEY_FRAME && accurate_estimate && cpi->rec_sse != UINT64_MAX) { + const int mbs = cm->mi_params.MBs; + const double sse_sqrt = + (double)((int)sqrt((double)(cpi->rec_sse)) << BPER_MB_NORMBITS) / +@@ -2021,6 +2020,13 @@ static void rc_compute_variance_onepass_rt(AV1_COMP *cpi) { + // 
TODO(yunqing): support scaled reference frames. + if (cpi->scaled_ref_buf[LAST_FRAME - 1]) return; + ++ for (int i = 0; i < 2; ++i) { ++ if (unscaled_src->widths[i] != yv12->widths[i] || ++ unscaled_src->heights[i] != yv12->heights[i]) { ++ return; ++ } ++ } ++ + const int num_mi_cols = cm->mi_params.mi_cols; + const int num_mi_rows = cm->mi_params.mi_rows; + const BLOCK_SIZE bsize = BLOCK_64X64; +From 1a76ec5bc55594a7feada7c510949450d489996b Mon Sep 17 00:00:00 2001 +From: Remya Prakasan <remya.prakasan@ittiam.com> +Date: Mon, 8 May 2023 15:03:27 +0530 +Subject: [PATCH] [Backport] Dependency for security bug 1511389 (1/1) + +Manual cherry-pick of patch originally reviewed on +https://aomedia-review.googlesource.com/c/aom/+/175041: +Add support for dynamic allocation of thread data + +Added support for reallocation of thread data when the +workers for multi-threading in encode stage changes with +frame resizing. Also modified TestExternalResizeWorks +of ResizeRealtimeTest to test this scenario. 
+ +BUG=aomedia:3429 + +Change-Id: Ieee94b229274e942203c9fc7dffd59a9a3fb5c26 +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535519 +Reviewed-by: Michal Klocek <michal.klocek@qt.io> +--- + .../libaom/source/libaom/av1/av1_cx_iface.c | 14 ++++++++ + .../source/libaom/av1/encoder/encoder.c | 34 ------------------- + .../source/libaom/av1/encoder/encoder.h | 5 +++ + .../source/libaom/av1/encoder/encoder_alloc.h | 34 +++++++++++++++++++ + .../source/libaom/av1/encoder/ethread.c | 5 +++ + 5 files changed, 58 insertions(+), 34 deletions(-) + +diff --git a/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c b/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c +index 3e764dd6ca6..1d114779c83 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c +@@ -25,6 +25,7 @@ + #include "av1/av1_iface_common.h" + #include "av1/encoder/bitstream.h" + #include "av1/encoder/encoder.h" ++#include "av1/encoder/encoder_alloc.h" + #include "av1/encoder/encoder_utils.h" + #include "av1/encoder/ethread.h" + #include "av1/encoder/external_partition.h" +@@ -3095,6 +3096,19 @@ static aom_codec_err_t encoder_encode(aom_codec_alg_priv_t *ctx, + } + #endif // CONFIG_MULTITHREAD + } ++ ++ // Re-allocate thread data if workers for encoder multi-threading stage ++ // exceeds prev_num_enc_workers. 
++ const int num_enc_workers = ++ av1_get_num_mod_workers_for_alloc(&ppi->p_mt_info, MOD_ENC); ++ if (ppi->p_mt_info.prev_num_enc_workers < num_enc_workers && ++ num_enc_workers <= ppi->p_mt_info.num_workers) { ++ free_thread_data(ppi); ++ for (int j = 0; j < ppi->num_fp_contexts; j++) ++ aom_free(ppi->parallel_cpi[j]->td.tctx); ++ av1_init_tile_thread_data(ppi, cpi->oxcf.pass == AOM_RC_FIRST_PASS); ++ } ++ + for (int i = 0; i < ppi->num_fp_contexts; i++) { + av1_init_frame_mt(ppi, ppi->parallel_cpi[i]); + } +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c +index 72cb92bbb22..c2bf5b9b344 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c +@@ -1569,40 +1569,6 @@ static AOM_INLINE void terminate_worker_data(AV1_PRIMARY *ppi) { + } + } + +-// Deallocate allocated thread_data. +-static AOM_INLINE void free_thread_data(AV1_PRIMARY *ppi) { +- PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info; +- for (int t = 1; t < p_mt_info->num_workers; ++t) { +- EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[t]; +- thread_data->td = thread_data->original_td; +- aom_free(thread_data->td->tctx); +- aom_free(thread_data->td->palette_buffer); +- aom_free(thread_data->td->tmp_conv_dst); +- release_compound_type_rd_buffers(&thread_data->td->comp_rd_buffer); +- for (int j = 0; j < 2; ++j) { +- aom_free(thread_data->td->tmp_pred_bufs[j]); +- } +- aom_free(thread_data->td->pixel_gradient_info); +- aom_free(thread_data->td->src_var_info_of_4x4_sub_blocks); +- release_obmc_buffers(&thread_data->td->obmc_buffer); +- aom_free(thread_data->td->vt64x64); +- +- for (int x = 0; x < 2; x++) { +- for (int y = 0; y < 2; y++) { +- aom_free(thread_data->td->hash_value_buffer[x][y]); +- thread_data->td->hash_value_buffer[x][y] = NULL; +- } +- } +- 
aom_free(thread_data->td->counts); +- av1_free_pmc(thread_data->td->firstpass_ctx, +- ppi->seq_params.monochrome ? 1 : MAX_MB_PLANE); +- thread_data->td->firstpass_ctx = NULL; +- av1_free_shared_coeff_buffer(&thread_data->td->shared_coeff_buf); +- av1_free_sms_tree(thread_data->td); +- aom_free(thread_data->td); +- } +-} +- + void av1_remove_primary_compressor(AV1_PRIMARY *ppi) { + if (!ppi) return; + #if !CONFIG_REALTIME_ONLY +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h +index a95ea2505d7..153b3665f23 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h +@@ -1631,6 +1631,11 @@ typedef struct PrimaryMultiThreadInfo { + * Number of primary workers created for multi-threading. + */ + int p_num_workers; ++ ++ /*! ++ * Tracks the number of workers in encode stage multi-threading. ++ */ ++ int prev_num_enc_workers; + } PrimaryMultiThreadInfo; + + /*! +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h +index a4aef85aedb..27b5546371a 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h +@@ -398,6 +398,40 @@ static AOM_INLINE YV12_BUFFER_CONFIG *realloc_and_scale_source( + return &cpi->scaled_source; + } + ++// Deallocate allocated thread_data. 
++static AOM_INLINE void free_thread_data(AV1_PRIMARY *ppi) { ++ PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info; ++ for (int t = 1; t < p_mt_info->num_workers; ++t) { ++ EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[t]; ++ thread_data->td = thread_data->original_td; ++ aom_free(thread_data->td->tctx); ++ aom_free(thread_data->td->palette_buffer); ++ aom_free(thread_data->td->tmp_conv_dst); ++ release_compound_type_rd_buffers(&thread_data->td->comp_rd_buffer); ++ for (int j = 0; j < 2; ++j) { ++ aom_free(thread_data->td->tmp_pred_bufs[j]); ++ } ++ aom_free(thread_data->td->pixel_gradient_info); ++ aom_free(thread_data->td->src_var_info_of_4x4_sub_blocks); ++ release_obmc_buffers(&thread_data->td->obmc_buffer); ++ aom_free(thread_data->td->vt64x64); ++ ++ for (int x = 0; x < 2; x++) { ++ for (int y = 0; y < 2; y++) { ++ aom_free(thread_data->td->hash_value_buffer[x][y]); ++ thread_data->td->hash_value_buffer[x][y] = NULL; ++ } ++ } ++ aom_free(thread_data->td->counts); ++ av1_free_pmc(thread_data->td->firstpass_ctx, ++ ppi->seq_params.monochrome ? 
1 : MAX_MB_PLANE); ++ thread_data->td->firstpass_ctx = NULL; ++ av1_free_shared_coeff_buffer(&thread_data->td->shared_coeff_buf); ++ av1_free_sms_tree(thread_data->td); ++ aom_free(thread_data->td); ++ } ++} ++ + #ifdef __cplusplus + } // extern "C" + #endif +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c +index 1c8631ae1fd..8c62b2107c3 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c +@@ -777,6 +777,7 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) { + + int num_workers = p_mt_info->num_workers; + int num_enc_workers = av1_get_num_mod_workers_for_alloc(p_mt_info, MOD_ENC); ++ assert(num_enc_workers <= num_workers); + for (int i = num_workers - 1; i >= 0; i--) { + EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[i]; + +@@ -886,6 +887,10 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) { + } + } + } ++ ++ // Record the number of workers in encode stage multi-threading for which ++ // allocation is done. ++ p_mt_info->prev_num_enc_workers = num_enc_workers; + } + + void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) { +From 9e80e8bff6bd41a61b589ecb6b006c1711e83431 Mon Sep 17 00:00:00 2001 +From: Cheng Chen <chengchen@google.com> +Date: Tue, 5 Dec 2023 16:34:43 -0800 +Subject: [PATCH] [Backport] Security bug 1511389 (2/2) + +Manual cherry-pick of patch originally reviewed on +https://aomedia-review.googlesource.com/c/aom/+/184761: +Recreate workers if necessary + +As shown in the unit test, if the number of workers increases, +we need to propoerly recreate new workers. 
+ +Bug: b:310455204 + +Change-Id: I0fafb11c10ffba209a4c49f4a531cfbf09c9c2b4 +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535520 +Reviewed-by: Michal Klocek <michal.klocek@qt.io> +--- + .../libaom/source/libaom/av1/av1_cx_iface.c | 15 ++++++++++++++- + .../libaom/source/libaom/av1/encoder/encoder.c | 16 ++++------------ + .../libaom/source/libaom/av1/encoder/ethread.c | 12 ++++++++++++ + .../libaom/source/libaom/av1/encoder/ethread.h | 2 ++ + 4 files changed, 32 insertions(+), 13 deletions(-) + +diff --git a/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c b/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c +index 1d114779c83..618021a768d 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c +@@ -3078,12 +3078,25 @@ static aom_codec_err_t encoder_encode(aom_codec_alg_priv_t *ctx, + av1_compute_num_workers_for_mt(cpi); + num_workers = av1_get_max_num_workers(cpi); + } +- if ((num_workers > 1) && (ppi->p_mt_info.num_workers == 0)) { ++ if (num_workers > 1 && ppi->p_mt_info.num_workers < num_workers) { + // Obtain the maximum no. of frames that can be supported in a parallel + // encode set. 
+ if (is_stat_consumption_stage(cpi)) { + ppi->num_fp_contexts = av1_compute_num_fp_contexts(ppi, &cpi->oxcf); + } ++ if (ppi->p_mt_info.num_workers > 0) { ++ av1_terminate_workers(ppi); ++ free_thread_data(ppi); ++ aom_free(ppi->p_mt_info.tile_thr_data); ++ ppi->p_mt_info.tile_thr_data = NULL; ++ aom_free(ppi->p_mt_info.workers); ++ ppi->p_mt_info.workers = NULL; ++ ppi->p_mt_info.num_workers = 0; ++ for (int j = 0; j < ppi->num_fp_contexts; j++) { ++ aom_free(ppi->parallel_cpi[j]->td.tctx); ++ ppi->parallel_cpi[j]->td.tctx = NULL; ++ } ++ } + av1_create_workers(ppi, num_workers); + av1_init_tile_thread_data(ppi, cpi->oxcf.pass == AOM_RC_FIRST_PASS); + #if CONFIG_MULTITHREAD +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c +index c2bf5b9b344..5825ee00f76 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c +@@ -1558,17 +1558,6 @@ AV1_COMP *av1_create_compressor(AV1_PRIMARY *ppi, const AV1EncoderConfig *oxcf, + snprintf((H) + strlen(H), sizeof(H) - strlen(H), (T), (V)) + #endif // CONFIG_INTERNAL_STATS + +-// This function will change the state and free the mutex of corresponding +-// workers and terminate the object. The object can not be re-used unless a call +-// to reset() is made. 
+-static AOM_INLINE void terminate_worker_data(AV1_PRIMARY *ppi) { +- PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info; +- for (int t = p_mt_info->num_workers - 1; t >= 0; --t) { +- AVxWorker *const worker = &p_mt_info->workers[t]; +- aom_get_worker_interface()->end(worker); +- } +-} +- + void av1_remove_primary_compressor(AV1_PRIMARY *ppi) { + if (!ppi) return; + #if !CONFIG_REALTIME_ONLY +@@ -1596,11 +1585,14 @@ void av1_remove_primary_compressor(AV1_PRIMARY *ppi) { + av1_tpl_dealloc(&tpl_data->tpl_mt_sync); + #endif + +- terminate_worker_data(ppi); ++ av1_terminate_workers(ppi); + free_thread_data(ppi); + + aom_free(ppi->p_mt_info.tile_thr_data); ++ ppi->p_mt_info.tile_thr_data = NULL; + aom_free(ppi->p_mt_info.workers); ++ ppi->p_mt_info.workers = NULL; ++ ppi->p_mt_info.num_workers = 0; + + aom_free(ppi); + } +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c +index 8c62b2107c3..d59c4f1d57e 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c +@@ -896,6 +896,7 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) { + void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) { + PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info; + const AVxWorkerInterface *const winterface = aom_get_worker_interface(); ++ assert(p_mt_info->num_workers == 0); + + AOM_CHECK_MEM_ERROR(&ppi->error, p_mt_info->workers, + aom_malloc(num_workers * sizeof(*p_mt_info->workers))); +@@ -927,6 +928,17 @@ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) { + } + } + ++// This function will change the state and free the mutex of corresponding ++// workers and terminate the object. The object can not be re-used unless a call ++// to reset() is made. 
++void av1_terminate_workers(AV1_PRIMARY *ppi) { ++ PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info; ++ for (int t = 0; t < p_mt_info->num_workers; ++t) { ++ AVxWorker *const worker = &p_mt_info->workers[t]; ++ aom_get_worker_interface()->end(worker); ++ } ++} ++ + // This function returns 1 if frame parallel encode is supported for + // the current configuration. Returns 0 otherwise. + static AOM_INLINE int is_fpmt_config(AV1_PRIMARY *ppi, AV1EncoderConfig *oxcf) { +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h +index 6c4bce4db57..942ed64510b 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h +@@ -87,6 +87,8 @@ int av1_get_max_num_workers(const AV1_COMP *cpi); + + void av1_create_workers(AV1_PRIMARY *ppi, int num_workers); + ++void av1_terminate_workers(AV1_PRIMARY *ppi); ++ + void av1_init_frame_mt(AV1_PRIMARY *ppi, AV1_COMP *cpi); + + void av1_init_cdef_worker(AV1_COMP *cpi); +From da29c7f0b3e2044a7e597498a6fb62a306661f03 Mon Sep 17 00:00:00 2001 +From: Andrey Kosyakov <caseq@chromium.org> +Date: Fri, 17 Nov 2023 17:48:22 +0000 +Subject: [PATCH] [Backport] CVE-2024-0810: Insufficient policy enforcement in + DevTools + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5039174: +Do not let chrome.debugger extensions invoke Network.getAllCookies + +Network.getAllCookies is deprecated in favor of Storage.getCookies +and the latter is not allowed for extensions, so we shouldn't let +extensions use the former either. 
+ +Bug: 1496250 +Change-Id: I3e97e9249dbba61d1f7951ed22ef9b1bef9f2355 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5039174 +Reviewed-by: Danil Somsikov <dsv@chromium.org> +Commit-Queue: Andrey Kosyakov <caseq@chromium.org> +Cr-Commit-Position: refs/heads/main@{#1226203} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535521 +Reviewed-by: Michal Klocek <michal.klocek@qt.io> +--- + .../browser/devtools/protocol/network_handler.cc | 14 ++++++++++---- + .../browser/devtools/protocol/network_handler.h | 6 ++++-- + .../devtools/render_frame_devtools_agent_host.cc | 3 ++- + .../devtools/service_worker_devtools_agent_host.cc | 3 ++- + .../devtools/shared_worker_devtools_agent_host.cc | 3 ++- + .../browser/devtools/worker_devtools_agent_host.cc | 3 ++- + 6 files changed, 22 insertions(+), 10 deletions(-) + +diff --git a/chromium/content/browser/devtools/protocol/network_handler.cc b/chromium/content/browser/devtools/protocol/network_handler.cc +index cfab47157112..7de14e0e4b95 100644 +--- src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.cc ++++ src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.cc +@@ -109,7 +109,8 @@ using DeleteCookiesCallback = Network::Backend::DeleteCookiesCallback; + using ClearBrowserCookiesCallback = + Network::Backend::ClearBrowserCookiesCallback; + +-const char kInvalidCookieFields[] = "Invalid cookie fields"; ++static constexpr char kInvalidCookieFields[] = "Invalid cookie fields"; ++static constexpr char kNotAllowedError[] = "Not allowed"; + + Network::CertificateTransparencyCompliance SerializeCTPolicyCompliance( + net::ct::CTPolicyCompliance ct_compliance) { +@@ -1027,11 +1028,14 @@ NetworkHandler::NetworkHandler( + const base::UnguessableToken& devtools_token, + DevToolsIOContext* io_context, + base::RepeatingClosure update_loader_factories_callback, +- bool allow_file_access) ++ bool allow_file_access, ++ bool client_is_trusted) + : 
DevToolsDomainHandler(Network::Metainfo::domainName), + host_id_(host_id), + devtools_token_(devtools_token), + io_context_(io_context), ++ allow_file_access_(allow_file_access), ++ client_is_trusted_(client_is_trusted), + browser_context_(nullptr), + storage_partition_(nullptr), + host_(nullptr), +@@ -1042,8 +1046,7 @@ NetworkHandler::NetworkHandler( + bypass_service_worker_(false), + cache_disabled_(false), + update_loader_factories_callback_( +- std::move(update_loader_factories_callback)), +- allow_file_access_(allow_file_access) { ++ std::move(update_loader_factories_callback)) { + DCHECK(io_context_); + static bool have_configured_service_worker_context = false; + if (have_configured_service_worker_context) +@@ -1505,6 +1508,9 @@ void NetworkHandler::GetCookies(Maybe<Array<String>> protocol_urls, + + void NetworkHandler::GetAllCookies( + std::unique_ptr<GetAllCookiesCallback> callback) { ++ if (!client_is_trusted_) { ++ callback->sendFailure(Response::ServerError(kNotAllowedError)); ++ } + if (!storage_partition_) { + callback->sendFailure(Response::InternalError()); + return; +diff --git a/chromium/content/browser/devtools/protocol/network_handler.h b/chromium/content/browser/devtools/protocol/network_handler.h +index 6cbb0098e892..81636185d04f 100644 +--- src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.h ++++ src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.h +@@ -72,7 +72,8 @@ class NetworkHandler : public DevToolsDomainHandler, + const base::UnguessableToken& devtools_token, + DevToolsIOContext* io_context, + base::RepeatingClosure update_loader_factories_callback, +- bool allow_file_access); ++ bool allow_file_access, ++ bool client_is_trusted); + + NetworkHandler(const NetworkHandler&) = delete; + NetworkHandler& operator=(const NetworkHandler&) = delete; +@@ -337,6 +338,8 @@ class NetworkHandler : public DevToolsDomainHandler, + + const base::UnguessableToken devtools_token_; + DevToolsIOContext* const 
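Review bot: The new `client_is_trusted_` guard in GetAllCookies sends the failure but never returns, so an untrusted client's request falls through to the `if (!storage_partition_)` check and on into the rest of the function past the end of this hunk; whether the cookies are still fetched for that client, and whether the denial actually holds, then depends on the callback refusing a second response rather than on this check. The adjacent storage-partition branch already pairs `sendFailure` with `return;`, and this one should do the same: `callback->sendFailure(Response::ServerError(kNotAllowedError)); return;`. GetAllCookies's body continues outside the hunk.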
io_context_; ++ const bool allow_file_access_; ++ const bool client_is_trusted_; + + std::unique_ptr<Network::Frontend> frontend_; + BrowserContext* browser_context_; +@@ -358,7 +361,6 @@ class NetworkHandler : public DevToolsDomainHandler, + loaders_; + absl::optional<std::set<net::SourceStream::SourceType>> + accepted_stream_types_; +- const bool allow_file_access_; + std::unordered_map<String, std::pair<String, bool>> received_body_data_; + base::WeakPtrFactory<NetworkHandler> weak_factory_{this}; + }; +diff --git a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc +index fe726068dee4..425eded3f56b 100644 +--- src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc ++++ src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc +@@ -336,7 +336,8 @@ bool RenderFrameDevToolsAgentHost::AttachSession(DevToolsSession* session, + base::BindRepeating( + &RenderFrameDevToolsAgentHost::UpdateResourceLoaderFactories, + base::Unretained(this)), +- session->GetClient()->MayReadLocalFiles()); ++ session->GetClient()->MayReadLocalFiles(), ++ session->GetClient()->IsTrusted()); + session->CreateAndAddHandler<protocol::FetchHandler>( + GetIOContext(), base::BindRepeating( + [](RenderFrameDevToolsAgentHost* self, +diff --git a/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc b/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc +index d2b307373ea1..7278a116ec78 100644 +--- src/3rdparty/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc ++++ src/3rdparty/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc +@@ -230,7 +230,8 @@ bool ServiceWorkerDevToolsAgentHost::AttachSession(DevToolsSession* session, + session->CreateAndAddHandler<protocol::InspectorHandler>(); + session->CreateAndAddHandler<protocol::NetworkHandler>( + GetId(), devtools_worker_token_, 
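Review bot: The denial introduced by this backport is only as strong as `session->GetClient()->IsTrusted()`, and nothing in the patch touches a DevToolsAgentHostClient implementation, so what Qt WebEngine's own clients return is not established here. If the remote-debugging handler or the in-process devtools client does not report trusted, embedders lose `Network.getAllCookies` from their own inspector; if a client reachable by page-controlled code does report trusted, CVE-2024-0810 stays open for this build — both should be confirmed against the Qt client classes before shipping. The value is captured once into the `const bool client_is_trusted_` at attach time, which is fine as long as the client object cannot be swapped later; AttachSession's body continues past the hunk.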
GetIOContext(), base::DoNothing(), +- session->GetClient()->MayReadLocalFiles()); ++ session->GetClient()->MayReadLocalFiles(), ++ session->GetClient()->IsTrusted()); + + session->CreateAndAddHandler<protocol::FetchHandler>( + GetIOContext(), +diff --git a/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc b/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc +index 6cfb49a9cb63..da9c8a3d18a4 100644 +--- src/3rdparty/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc ++++ src/3rdparty/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc +@@ -91,7 +91,8 @@ bool SharedWorkerDevToolsAgentHost::AttachSession(DevToolsSession* session, + session->CreateAndAddHandler<protocol::InspectorHandler>(); + session->CreateAndAddHandler<protocol::NetworkHandler>( + GetId(), devtools_worker_token_, GetIOContext(), +- base::BindRepeating([] {}), session->GetClient()->MayReadLocalFiles()); ++ base::BindRepeating([] {}), session->GetClient()->MayReadLocalFiles(), ++ session->GetClient()->IsTrusted()); + // TODO(crbug.com/1143100): support pushing updated loader factories down to + // renderer. 
+ session->CreateAndAddHandler<protocol::FetchHandler>( +diff --git a/chromium/content/browser/devtools/worker_devtools_agent_host.cc b/chromium/content/browser/devtools/worker_devtools_agent_host.cc +index 5bca24a4bb16..dbce6e066adb 100644 +--- src/3rdparty/chromium/content/browser/devtools/worker_devtools_agent_host.cc ++++ src/3rdparty/chromium/content/browser/devtools/worker_devtools_agent_host.cc +@@ -137,7 +137,8 @@ bool WorkerDevToolsAgentHost::AttachSession(DevToolsSession* session, + auto_attacher_.get(), session); + session->CreateAndAddHandler<protocol::NetworkHandler>( + GetId(), devtools_worker_token_, GetIOContext(), base::DoNothing(), +- session->GetClient()->MayReadLocalFiles()); ++ session->GetClient()->MayReadLocalFiles(), ++ session->GetClient()->IsTrusted()); + return true; + } + +From 9b72e2301892ea6619fb6e64f67812238ad56830 Mon Sep 17 00:00:00 2001 +From: Bo Liu <boliu@chromium.org> +Date: Mon, 18 Sep 2023 21:17:14 +0000 +Subject: [PATCH] [Backport] Security bug 1407197 (1/2) + +Partial manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/4869854: +Tag WebContents ownership for debugging + +Tag WebContents owner and add it as a CrashKey for the +DumpWithoutCrashing in ~WebContentsOfBrowserContext. + +The actual tags in this CL is more focused on android and is not +exhaustive. Can keep adding new ones in the future as needed. 
+ +Bug: 1407197 +Change-Id: I6c0261ae5967fdb01ff2a5f3d0d6fe07f572bd20 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4869854 +Reviewed-by: Ted Choc <tedchoc@chromium.org> +Commit-Queue: Bo Liu <boliu@chromium.org> +Reviewed-by: Avi Drissman <avi@chromium.org> +Reviewed-by: Finnur Thorarinsson <finnur@chromium.org> +Cr-Commit-Position: refs/heads/main@{#1198010} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535707 +Reviewed-by: Michal Klocek <michal.klocek@qt.io> +--- + .../browser/distiller_page_web_contents.cc | 6 +++- + .../guest_view/browser/guest_view_base.cc | 6 ++++ + .../browser/no_state_prefetch_contents.cc | 1 + + .../browser/no_state_prefetch_manager.cc | 5 +++ + .../background_loader_contents.cc | 1 + + chromium/content/browser/portal/portal.cc | 3 ++ + chromium/content/browser/portal/portal.h | 3 ++ + .../browser/web_contents/web_contents_impl.cc | 31 +++++++++++++++++-- + .../browser/web_contents/web_contents_impl.h | 8 +++++ + .../content/public/browser/web_contents.h | 6 ++++ + chromium/extensions/browser/extension_host.cc | 3 +- + 11 files changed, 69 insertions(+), 4 deletions(-) + +diff --git a/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc b/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc +index e4025f7bc94c..78abc76a6bf2 100644 +--- src/3rdparty/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc ++++ src/3rdparty/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc +@@ -30,7 +30,11 @@ namespace dom_distiller { + SourcePageHandleWebContents::SourcePageHandleWebContents( + content::WebContents* web_contents, + bool owned) +- : web_contents_(web_contents), owned_(owned) {} ++ : web_contents_(web_contents), owned_(owned) { ++ if (web_contents_ && owned) { ++ web_contents_->SetOwnerLocationForDebug(FROM_HERE); ++ } ++} + + 
SourcePageHandleWebContents::~SourcePageHandleWebContents() { + if (owned_) { +diff --git a/chromium/components/guest_view/browser/guest_view_base.cc b/chromium/components/guest_view/browser/guest_view_base.cc +index d2ea8b7ce3fd..06ba6ab1c7fc 100644 +--- src/3rdparty/chromium/components/guest_view/browser/guest_view_base.cc ++++ src/3rdparty/chromium/components/guest_view/browser/guest_view_base.cc +@@ -480,6 +480,9 @@ void GuestViewBase::WillAttach( + std::unique_ptr<WebContents> owned_guest_contents = + std::move(owned_guest_contents_); + DCHECK_EQ(owned_guest_contents.get(), web_contents()); ++ if (owned_guest_contents) { ++ owned_guest_contents->SetOwnerLocationForDebug(absl::nullopt); ++ } + + // Since this inner WebContents is created from the browser side we do + // not have RemoteFrame mojo channels so we pass in +@@ -774,6 +777,9 @@ void GuestViewBase::TakeGuestContentsOwnership( + std::unique_ptr<WebContents> guest_web_contents) { + DCHECK(!owned_guest_contents_); + owned_guest_contents_ = std::move(guest_web_contents); ++ if (owned_guest_contents_) { ++ owned_guest_contents_->SetOwnerLocationForDebug(FROM_HERE); ++ } + } + + void GuestViewBase::ClearOwnedGuestContents() { +diff --git a/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc b/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc +index f2f8dc5ff921..35fac905dc1f 100644 +--- src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc ++++ src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc +@@ -271,6 +271,7 @@ void NoStatePrefetchContents::StartPrerendering( + attempt_.get(), content::PreloadingTriggeringOutcome::kRunning); + + no_state_prefetch_contents_ = CreateWebContents(session_storage_namespace); ++ no_state_prefetch_contents_->SetOwnerLocationForDebug(FROM_HERE); + content::WebContentsObserver::Observe(no_state_prefetch_contents_.get()); + 
delegate_->OnNoStatePrefetchContentsCreated( + no_state_prefetch_contents_.get()); +diff --git a/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc b/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc +index 3403fa8d1342..7397d1aa5de5 100644 +--- src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc ++++ src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc +@@ -118,6 +118,7 @@ class NoStatePrefetchManager::OnCloseWebContentsDeleter + OnCloseWebContentsDeleter(NoStatePrefetchManager* manager, + std::unique_ptr<WebContents> tab) + : manager_(manager), tab_(std::move(tab)) { ++ tab_->SetOwnerLocationForDebug(FROM_HERE); + tab_->SetDelegate(this); + base::SingleThreadTaskRunner::GetCurrentDefault()->PostDelayedTask( + FROM_HERE, +@@ -140,6 +141,7 @@ class NoStatePrefetchManager::OnCloseWebContentsDeleter + void ScheduleWebContentsForDeletion(bool timeout) { + UMA_HISTOGRAM_BOOLEAN("Prerender.TabContentsDeleterTimeout", timeout); + tab_->SetDelegate(nullptr); ++ tab_->SetOwnerLocationForDebug(absl::nullopt); + manager_->ScheduleDeleteOldWebContents(std::move(tab_), this); + // |this| is deleted at this point. 
+ } +@@ -981,6 +983,9 @@ void NoStatePrefetchManager::CleanUpOldNavigations( + void NoStatePrefetchManager::ScheduleDeleteOldWebContents( + std::unique_ptr<WebContents> tab, + OnCloseWebContentsDeleter* deleter) { ++ if (tab) { ++ tab->SetOwnerLocationForDebug(FROM_HERE); ++ } + old_web_contents_list_.push_back(std::move(tab)); + PostCleanupTask(); + +diff --git a/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc b/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc +index e055852342ae..524b71f68bc0 100644 +--- src/3rdparty/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc ++++ src/3rdparty/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc +@@ -23,6 +23,7 @@ BackgroundLoaderContents::BackgroundLoaderContents( + // could kill the background offliner while it was running. + web_contents_ = content::WebContents::Create( + content::WebContents::CreateParams(browser_context_)); ++ web_contents_->SetOwnerLocationForDebug(FROM_HERE); + web_contents_->SetAudioMuted(true); + web_contents_->SetDelegate(this); + } +diff --git a/chromium/content/browser/portal/portal.cc b/chromium/content/browser/portal/portal.cc +index f9b06fbab8df..b0c8b201db29 100644 +--- src/3rdparty/chromium/content/browser/portal/portal.cc ++++ src/3rdparty/chromium/content/browser/portal/portal.cc +@@ -731,6 +731,9 @@ void Portal::WebContentsHolder::SetOwned( + std::unique_ptr<WebContents> web_contents) { + SetUnowned(static_cast<WebContentsImpl*>(web_contents.get())); + owned_contents_ = std::move(web_contents); ++ if (owned_contents_) { ++ owned_contents_->SetOwnerLocationForDebug(FROM_HERE); ++ } + } + + void Portal::WebContentsHolder::Clear() { +diff --git a/chromium/content/browser/portal/portal.h b/chromium/content/browser/portal/portal.h +index 055d8e4f0cf5..aecf381ed594 100644 +--- src/3rdparty/chromium/content/browser/portal/portal.h ++++ 
src/3rdparty/chromium/content/browser/portal/portal.h +@@ -177,6 +177,9 @@ class CONTENT_EXPORT Portal : public blink::mojom::Portal, + // caller. + std::unique_ptr<WebContents> ReleaseOwnership() { + DCHECK(OwnsContents()); ++ if (owned_contents_) { ++ owned_contents_->SetOwnerLocationForDebug(absl::nullopt); ++ } + return std::move(owned_contents_); + } + +diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc +index 8b3f7055430c..d8b3ad83bbb6 100644 +--- src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc ++++ src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc +@@ -795,6 +795,9 @@ void WebContentsImpl::WebContentsTreeNode::AttachInnerWebContents( + inner_web_contents_node.outer_contents_frame_tree_node_id_ = + render_frame_host->frame_tree_node()->frame_tree_node_id(); + ++ if (inner_web_contents) { ++ inner_web_contents->SetOwnerLocationForDebug(FROM_HERE); ++ } + inner_web_contents_.push_back(std::move(inner_web_contents)); + + render_frame_host->frame_tree_node()->AddObserver(&inner_web_contents_node); +@@ -814,6 +817,9 @@ WebContentsImpl::WebContentsTreeNode::DetachInnerWebContents( + std::swap(web_contents, inner_web_contents_.back()); + inner_web_contents_.pop_back(); + current_web_contents_->InnerWebContentsDetached(inner_web_contents); ++ if (detached_contents) { ++ detached_contents->SetOwnerLocationForDebug(absl::nullopt); ++ } + return detached_contents; + } + } +@@ -922,13 +928,29 @@ class WebContentsOfBrowserContext : public base::SupportsUserData::Data { + // RenderFrameHosts, SiteInstances, etc.) risk causing + // use-after-free bugs. For more discussion about managing the + // lifetime of WebContents please see https://crbug.com/1376879#c44. 
+- for (WebContents* web_contents_with_dangling_ptr_to_browser_context : ++ for (WebContentsImpl* web_contents_with_dangling_ptr_to_browser_context : + web_contents_set_) { + std::string creator = web_contents_with_dangling_ptr_to_browser_context + ->GetCreatorLocation() + .ToString(); + SCOPED_CRASH_KEY_STRING256("shutdown", "web_contents/creator", creator); + ++ const absl::optional<base::Location>& ownership_location = ++ web_contents_with_dangling_ptr_to_browser_context ++ ->ownership_location(); ++ std::string owner; ++ if (ownership_location) { ++ if (ownership_location->has_source_info()) { ++ owner = std::string(ownership_location->function_name()) + "@" + ++ ownership_location->file_name(); ++ } else { ++ owner = "no_source_info"; ++ } ++ } else { ++ owner = "unknown"; ++ } ++ SCOPED_CRASH_KEY_STRING256("shutdown", "web_contents/owner", owner); ++ + #if BUILDFLAG(IS_ANDROID) + // On Android, also report the Java stack trace from WebContents's + // creation. +@@ -974,7 +996,7 @@ class WebContentsOfBrowserContext : public base::SupportsUserData::Data { + // Usage of `raw_ptr` below is okay (i.e. it shouldn't dangle), because + // when `WebContentsImpl`'s destructor runs, then it removes the set entry + // (by calling `Detach`). 
+- std::set<raw_ptr<WebContents>> web_contents_set_; ++ std::set<raw_ptr<WebContentsImpl>> web_contents_set_; + }; + + } // namespace +@@ -9697,6 +9719,11 @@ std::unique_ptr<PrerenderHandle> WebContentsImpl::StartPrerendering( + return nullptr; + } + ++void WebContentsImpl::SetOwnerLocationForDebug( ++ absl::optional<base::Location> owner_location) { ++ ownership_location_ = owner_location; ++} ++ + void WebContentsImpl::AboutToBeDiscarded(WebContents* new_contents) { + observers_.NotifyObservers(&WebContentsObserver::AboutToBeDiscarded, + new_contents); +diff --git a/chromium/content/browser/web_contents/web_contents_impl.h b/chromium/content/browser/web_contents/web_contents_impl.h +index bc3dc3d00a39..815694c05b18 100644 +--- src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.h ++++ src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.h +@@ -858,6 +858,8 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents, + PreloadingAttempt* preloading_attempt, + absl::optional<base::RepeatingCallback<bool(const GURL&)>> + url_match_predicate = absl::nullopt) override; ++ void SetOwnerLocationForDebug( ++ absl::optional<base::Location> owner_location) override; + + // NavigatorDelegate --------------------------------------------------------- + +@@ -1346,6 +1348,10 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents, + + ui::mojom::VirtualKeyboardMode GetVirtualKeyboardMode() const; + ++ const absl::optional<base::Location>& ownership_location() const { ++ return ownership_location_; ++ } ++ + private: + using FrameTreeIterationCallback = base::RepeatingCallback<void(FrameTree&)>; + using RenderViewHostIterationCallback = +@@ -2370,6 +2376,8 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents, + + base::WeakPtr<FileChooserImpl> active_file_chooser_; + ++ absl::optional<base::Location> ownership_location_; ++ + base::WeakPtrFactory<WebContentsImpl> loading_weak_factory_{this}; + base::WeakPtrFactory<WebContentsImpl> 
weak_factory_{this}; + }; +diff --git a/chromium/content/public/browser/web_contents.h b/chromium/content/public/browser/web_contents.h +index bdd18c6c4ed8..6490fefaa940 100644 +--- src/3rdparty/chromium/content/public/browser/web_contents.h ++++ src/3rdparty/chromium/content/public/browser/web_contents.h +@@ -1393,6 +1393,12 @@ class WebContents : public PageNavigator, + absl::optional<base::RepeatingCallback<bool(const GURL&)>> + url_match_predicate = absl::nullopt) = 0; + ++ // Tag `WebContents` with its owner. Used purely for debugging purposes so it ++ // does not need to be exhaustive or perfectly correct. ++ // TODO(crbug.com/1407197): Remove after bug is fixed. ++ virtual void SetOwnerLocationForDebug( ++ absl::optional<base::Location> owner_location) = 0; ++ + private: + // This interface should only be implemented inside content. + friend class WebContentsImpl; +diff --git a/chromium/extensions/browser/extension_host.cc b/chromium/extensions/browser/extension_host.cc +index 91928c8b7811..42c92939788b 100644 +--- src/3rdparty/chromium/extensions/browser/extension_host.cc ++++ src/3rdparty/chromium/extensions/browser/extension_host.cc +@@ -63,7 +63,8 @@ ExtensionHost::ExtensionHost(const Extension* extension, + host_type == mojom::ViewType::kExtensionPopup || + host_type == mojom::ViewType::kExtensionSidePanel); + host_contents_ = WebContents::Create( +- WebContents::CreateParams(browser_context_, site_instance)), ++ WebContents::CreateParams(browser_context_, site_instance)); ++ host_contents_->SetOwnerLocationForDebug(FROM_HERE); + content::WebContentsObserver::Observe(host_contents_.get()); + host_contents_->SetDelegate(this); + SetViewType(host_contents_.get(), host_type); +From e257d6513927fa24df48075bce9b33c4b5f546ff Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michael=20Br=C3=BCning?= <michael.bruning@qt.io> +Date: Tue, 30 Jan 2024 11:51:16 +0100 +Subject: [PATCH] [Backport] Security bug 1407197 (2/2) +MIME-Version: 1.0 +Content-Type: text/plain; 
charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5080603: +Safely crash on dangling profile + +Bug: 1407197 +Change-Id: Idcafd8f0ba2f980d06338e573489a3456e3823c1 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5080603 +Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> +Commit-Queue: Bo Liu <boliu@chromium.org> +Cr-Commit-Position: refs/heads/main@{#1232704} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535708 +Reviewed-by: Michal Klocek <michal.klocek@qt.io> +--- + .../browser/web_contents/web_contents_impl.cc | 22 ++++++++++++++----- + 1 file changed, 17 insertions(+), 5 deletions(-) + +diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc +index d8b3ad83bbb..3087f9c3e0b 100644 +--- src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc ++++ src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc +@@ -220,6 +220,11 @@ namespace { + // The window which we dobounce load info updates in. + constexpr auto kUpdateLoadStatesInterval = base::Milliseconds(250); + ++// Kill switch for crash immediately on dangling BrowserContext. 
++BASE_FEATURE(kCrashOnDanglingBrowserContext, ++ "CrashOnDanglingBrowserContext", ++ base::FEATURE_ENABLED_BY_DEFAULT); ++ + using LifecycleState = RenderFrameHost::LifecycleState; + using LifecycleStateImpl = RenderFrameHostImpl::LifecycleStateImpl; + +@@ -958,11 +963,18 @@ class WebContentsOfBrowserContext : public base::SupportsUserData::Data { + env, web_contents_with_dangling_ptr_to_browser_context); + #endif // BUILDFLAG(IS_ANDROID) + +- NOTREACHED() +- << "BrowserContext is getting destroyed without first closing all " +- << "WebContents (for more info see https://crbug.com/1376879#c44); " +- << "creator = " << creator; +- base::debug::DumpWithoutCrashing(); ++ if (base::FeatureList::IsEnabled(kCrashOnDanglingBrowserContext)) { ++ LOG(FATAL) ++ << "BrowserContext is getting destroyed without first closing all " ++ << "WebContents (for more info see https://crbug.com/1376879#c44); " ++ << "creator = " << creator; ++ } else { ++ NOTREACHED() ++ << "BrowserContext is getting destroyed without first closing all " ++ << "WebContents (for more info see https://crbug.com/1376879#c44); " ++ << "creator = " << creator; ++ base::debug::DumpWithoutCrashing(); ++ } + } + } + diff --git a/www/qt6-webengine/files/patch-src_3rdparty_chromium_v8_src_codegen_arm_cpu-arm.cc b/www/qt6-webengine/files/patch-src_3rdparty_chromium_v8_src_codegen_arm_cpu-arm.cc new file mode 100644 index 000000000000..e9c6528415ac --- /dev/null +++ b/www/qt6-webengine/files/patch-src_3rdparty_chromium_v8_src_codegen_arm_cpu-arm.cc 
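Review bot: The kill-switch branch keeps `NOTREACHED()` plus `base::debug::DumpWithoutCrashing()`, and if NOTREACHED() is still non-fatal in release builds of this Chromium base that path reports and carries on, so with `CrashOnDanglingBrowserContext` disabled a WebContents that outlives its BrowserContext keeps running on a dangling pointer — the very use-after-free the enabled-by-default `LOG(FATAL)` exists to preempt; that consequence deserves a comment on the `else`, e.g. `// Report-only fallback: the dangling BrowserContext is still dereferenced afterwards.` The three-line message is also spelled out twice and will drift; building it once into a local `std::string` and streaming it into either branch keeps them identical. For an embedder this is a visible change: tearing down a browser context while pages still exist (presumably a QWebEngineProfile deleted before its pages) now aborts the process where it previously only logged, which is the intended safety property but worth stating in the port's update notes. The enclosing loop and class continue outside the hunk.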
@@ -0,0 +1,24 @@
+--- src/3rdparty/chromium/v8/src/codegen/arm/cpu-arm.cc.orig 2023-11-20 16:08:07 UTC
++++ src/3rdparty/chromium/v8/src/codegen/arm/cpu-arm.cc
+@@ -3,6 +3,10 @@
+ // found in the LICENSE file.
+ 
+ // CPU specific code for arm independent of OS goes here.
++#if V8_TARGET_ARCH_ARM
++
++#include "src/codegen/cpu-features.h"
++
+ #ifdef __arm__
+ #ifdef __QNXNTO__
+ #include <sys/mman.h> // for cache flushing.
+@@ -16,10 +20,6 @@
+ #include <sys/syscall.h> // for cache flushing.
+ #endif
+ #endif
+-
+-#if V8_TARGET_ARCH_ARM
+-
+-#include "src/codegen/cpu-features.h"
+ 
+ namespace v8 {
+ namespace internal { |
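Review bot: The new patch file carries no explanation, and the commit only calls it a speculative armv7 build fix, so a later maintainer cannot tell which error it addresses or when upstream has made it obsolete; FreeBSD patch files may carry free text above the `---` line, and a header such as `Move the V8_TARGET_ARCH_ARM guard and the cpu-features.h include ahead of the OS-specific cache-flush includes; speculative fix for the armv7 build. Drop once upstream V8 adjusts the include order.` would do. Note that the hoisted `#if V8_TARGET_ARCH_ARM` now opens before the `#ifdef __arm__` system-header block, whose matching `#endif` lies outside the hunk, so the patch also changes which preprocessor region those includes sit in; harmless for a target-specific file, but it belongs in that header text too.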