Date: Wed, 31 Jan 2024 20:08:58 GMT
Message-Id: <202401312008.40VK8wdR017308@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: "Jason E. Hale"
Subject: git: 214eb4d92c67 - main - www/qt6-webengine: Address security vulnerabilities
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
X-Git-Committer: jhale
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 214eb4d92c6739ef0da1eba2cdc10a97bdf6af30

The branch main has been updated by jhale:

URL: https://cgit.FreeBSD.org/ports/commit/?id=214eb4d92c6739ef0da1eba2cdc10a97bdf6af30

commit 214eb4d92c6739ef0da1eba2cdc10a97bdf6af30
Author:     Jason E. Hale
AuthorDate: 2024-01-31 19:45:55 +0000
Commit:     Jason E. Hale
CommitDate: 2024-01-31 20:07:24 +0000

    www/qt6-webengine: Address security vulnerabilities

    Add speculative build fix for armv7.

    MFH:        2024Q1
    Security:   bbcb1584-c068-11ee-bdd6-4ccc6adda413
---
 www/qt6-webengine/Makefile                         |    2 +-
 www/qt6-webengine/files/patch-security-rollup      | 1179 +++++++++++++++++++-
 ...3rdparty_chromium_v8_src_codegen_arm_cpu-arm.cc |   24 +
 3 files changed, 1203 insertions(+), 2 deletions(-)

diff --git a/www/qt6-webengine/Makefile b/www/qt6-webengine/Makefile index d7371916a4f4..b62f3f3a255b 100644 --- a/www/qt6-webengine/Makefile +++ b/www/qt6-webengine/Makefile @@ -12,7 +12,7 @@ PORTNAME?= webengine DISTVERSION= ${QT6_VERSION} -PORTREVISION?= 3 # Master port for print/qt6-pdf. Please keep this line. +PORTREVISION?= 4 # Master port for print/qt6-pdf. Please keep this line. CATEGORIES?= www PKGNAMEPREFIX= qt6- diff --git a/www/qt6-webengine/files/patch-security-rollup b/www/qt6-webengine/files/patch-security-rollup index bb16a291c80d..3f67e42ad06b 100644 --- a/www/qt6-webengine/files/patch-security-rollup
+++ b/www/qt6-webengine/files/patch-security-rollup @@ -23,8 +23,13 @@ Addresses the following security issues: - CVE-2024-0222 - Security bug 1511689 - CVE-2024-0519 -- CVE-2025-0518 +- CVE-2024-0518 - Security bug 1506535 +- CVE-2024-0808 +- CVE-2024-0807 +- Security bug 1511389 +- CVE-2024-0810 +- Security bug 1407197 From 669506a53474e3d7637666d3c53f6101fb94d96f Mon Sep 17 00:00:00 2001 From: Nidhi Jaju 
@@ -3260,3 +3265,1175 @@ index 59bbb727e6b..8b3f7055430 100644 if (keyboard_lock_widget_) delegate_->CancelKeyboardLockRequest(this); +From 8ab0eb9f07be8cd735e03b5536fc2e361e70a5cf Mon Sep 17 00:00:00 2001 +From: Lyra Rebane +Date: Mon, 8 Jan 2024 13:39:46 +0000 +Subject: [PATCH] [Backport] CVE-2024-0808: Integer underflow in WebUI +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5177426: +Verify resource order in data pack files + +This CL adds a resource order check when loading a data pack or calling DataPack::GetStringPiece to make sure the resources are ordered sequentially in memory. + +Bug: 1504936 +Change-Id: Ie3bf1d9dbac937407355935a859a5daa9ce84350 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5059113 +Commit-Queue: Peter Boström +Cr-Commit-Position: refs/heads/main@{#1238675} +(cherry picked from commit c4b2e6246ad0e95eaf0727bb25a2e4969155e989) +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535516 +Reviewed-by: Michal Klocek +--- + chromium/AUTHORS | 1 + + chromium/ui/base/resource/data_pack.cc | 19 ++++++++++++++++++- + .../ui/base/resource/data_pack_literal.cc | 12 ++++++++++++ + chromium/ui/base/resource/data_pack_literal.h | 2 ++ + .../ui/base/resource/data_pack_unittest.cc | 7 +++++++ + 5 files changed, 40 insertions(+), 1 deletion(-) + +diff --git a/chromium/AUTHORS b/chromium/AUTHORS +index ff6abe8d1135..772aab22c671 100644 +--- src/3rdparty/chromium/AUTHORS ++++ src/3rdparty/chromium/AUTHORS +@@ -769,6 +769,7 @@ Luke Seunghoe Gu + Luke Zarko + Luoxi Pan + Lu Yahan ++Lyra Rebane + Ma Aiguo + Maarten Lankhorst + Maciej Pawlowski +diff --git a/chromium/ui/base/resource/data_pack.cc b/chromium/ui/base/resource/data_pack.cc +index 74069c99d00a..6dc0985b78dd 100644 +--- src/3rdparty/chromium/ui/base/resource/data_pack.cc ++++ 
src/3rdparty/chromium/ui/base/resource/data_pack.cc +@@ -310,7 +310,16 @@ bool DataPack::SanityCheckFileAndRegisterResources(size_t margin_to_skip, + } + } + +- // 3) Verify the aliases are within the appropriate bounds. ++ // 3) Verify the entries are ordered correctly. ++ for (size_t i = 0; i < resource_count_; ++i) { ++ if (resource_table_[i].file_offset > resource_table_[i + 1].file_offset) { ++ LOG(ERROR) << "Data pack file corruption: " ++ << "Entry #" << i + 1 << " before Entry #" << i << "."; ++ return false; ++ } ++ } ++ ++ // 4) Verify the aliases are within the appropriate bounds. + for (size_t i = 0; i < alias_count_; ++i) { + if (alias_table_[i].entry_index >= resource_count_) { + LOG(ERROR) << "Data pack file corruption: " +@@ -428,6 +437,14 @@ bool DataPack::GetStringPiece(uint16_t resource_id, + << "file modified?"; + return false; + } ++ if (target->file_offset > next_entry->file_offset) { ++ size_t entry_index = target - resource_table_; ++ size_t next_index = next_entry - resource_table_; ++ LOG(ERROR) << "Entry #" << next_index << " in data pack is before Entry #" ++ << entry_index << ". This should have been caught when loading. 
" ++ << "Was the file modified?"; ++ return false; ++ } + + MaybePrintResourceId(resource_id); + GetStringPieceFromOffset(target->file_offset, next_entry->file_offset, +diff --git a/chromium/ui/base/resource/data_pack_literal.cc b/chromium/ui/base/resource/data_pack_literal.cc +index caac0709b42b..4197ea03fd68 100644 +--- src/3rdparty/chromium/ui/base/resource/data_pack_literal.cc ++++ src/3rdparty/chromium/ui/base/resource/data_pack_literal.cc +@@ -89,6 +89,18 @@ const uint8_t kSampleCorruptPakContents[] = { + + const size_t kSampleCorruptPakSize = sizeof(kSampleCorruptPakContents); + ++const uint8_t kSampleMisorderedPakContents[] = { ++ 0x05, 0x00, 0x00, 0x00, // version ++ 0x01, 0x00, 0x00, 0x00, // encoding + padding ++ 0x02, 0x00, 0x00, 0x00, // num_resources, num_aliases ++ 0x06, 0x00, 0x2a, 0x00, 0x00, 0x00, // index entry 6 (wrong order) ++ 0x04, 0x00, 0x1e, 0x00, 0x00, 0x00, // index entry 4 ++ 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, // extra entry for the size of last ++ 't', 'h', 'i', 's', ' ', 'i', 's', ' ', 'i', 'd', ' ', '4', ++ 't', 'h', 'i', 's', ' ', 'i', 's', ' ', 'i', 'd', ' ', '6'}; ++ ++const size_t kSampleMisorderedPakSize = sizeof(kSampleMisorderedPakContents); ++ + const uint8_t kSamplePakContents2x[] = { + 0x04, 0x00, 0x00, 0x00, // header(version + 0x01, 0x00, 0x00, 0x00, // no. 
entries +diff --git a/chromium/ui/base/resource/data_pack_literal.h b/chromium/ui/base/resource/data_pack_literal.h +index eb5a94895f2d..9173ce149935 100644 +--- src/3rdparty/chromium/ui/base/resource/data_pack_literal.h ++++ src/3rdparty/chromium/ui/base/resource/data_pack_literal.h +@@ -22,6 +22,8 @@ extern const uint8_t kEmptyPakContents[]; + extern const size_t kEmptyPakSize; + extern const uint8_t kSampleCorruptPakContents[]; + extern const size_t kSampleCorruptPakSize; ++extern const uint8_t kSampleMisorderedPakContents[]; ++extern const size_t kSampleMisorderedPakSize; + + } // namespace ui + +diff --git a/chromium/ui/base/resource/data_pack_unittest.cc b/chromium/ui/base/resource/data_pack_unittest.cc +index 25b33b813ac4..0a4a169ca225 100644 +--- src/3rdparty/chromium/ui/base/resource/data_pack_unittest.cc ++++ src/3rdparty/chromium/ui/base/resource/data_pack_unittest.cc +@@ -366,4 +366,11 @@ TEST(DataPackTest, ModifiedWhileUsed) { + } + #endif + ++TEST(DataPackTest, Misordered) { ++ DataPack pack(k100Percent); ++ ++ ASSERT_FALSE(pack.LoadFromBuffer( ++ {kSampleMisorderedPakContents, kSampleMisorderedPakSize})); ++} ++ + } // namespace ui +From 46069ff72f6e1d6fe75bd2c04350bcd74b308923 Mon Sep 17 00:00:00 2001 +From: Hongchan Choi +Date: Fri, 12 Jan 2024 22:57:22 +0000 +Subject: [PATCH] [Backport] CVE-2024-0807: Use after free in WebAudio + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5225523: +Update rendering state of automatic pull nodes before graph rendering + +M114 merge issues: + third_party/blink/renderer/modules/webaudio/analyser_handler.cc: + PullInputs/CheckNumberOfChannelsForInput not present in 114. + +In rare cases, the rendering fan out count of automatic pull node +does not match the main thread fan out count after recreating +a platform destination followed by disconnection. 
+ +This CL forces the update of the rendering state of automatic +pull nodes before graph rendering to make sure that fan out counts +are synchronized before executing the audio processing function call. + +NOTE: This change makes 2 WPTs fail. The follow-up work is planned +to address them once this patch is merged. + +Bug: 1505080 +Test: Locally confirmed that ASAN doesn't crash on all repro cases. +Change-Id: I6768cd8bc64525ea9d56a19b9c58439e9cdab9a8 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5131958 +Commit-Queue: Hongchan Choi +Cr-Commit-Position: refs/heads/main@{#1246718} +(cherry picked from commit f4bffa09b46c21147431179e1e6dd2b27bc35fbc) +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535517 +Reviewed-by: Michal Klocek +--- + .../renderer/modules/webaudio/analyser_handler.cc | 14 ++++++++++++-- + .../modules/webaudio/audio_worklet_handler.cc | 7 +++++-- + .../modules/webaudio/audio_worklet_processor.cc | 6 ++++++ + .../modules/webaudio/deferred_task_handler.cc | 10 ++++++++++ + 4 files changed, 33 insertions(+), 4 deletions(-) + +diff --git a/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc +index c823c923a1cc..87a1f109a28c 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc +@@ -39,9 +39,14 @@ AnalyserHandler::~AnalyserHandler() { + } + + void AnalyserHandler::Process(uint32_t frames_to_process) { +- AudioBus* output_bus = Output(0).Bus(); ++ DCHECK(Context()->IsAudioThread()); + +- if (!IsInitialized()) { ++ // It's possible that output is not connected. Assign nullptr to indicate ++ // such case. ++ AudioBus* output_bus = ++ Output(0).RenderingFanOutCount() > 0 ? 
Output(0).Bus() : nullptr; ++ ++ if (!IsInitialized() && output_bus) { + output_bus->Zero(); + return; + } +@@ -53,6 +58,11 @@ void AnalyserHandler::Process(uint32_t frames_to_process) { + // Analyser reflects the current input. + analyser_.WriteInput(input_bus.get(), frames_to_process); + ++ // Subsequent steps require `output_bus` to be valid. ++ if (!output_bus) { ++ return; ++ } ++ + if (!Input(0).IsConnected()) { + // No inputs, so clear the output, and propagate the silence hint. + output_bus->Zero(); +diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc +index 7f591531ad6f..b2b1500d3aab 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc +@@ -114,12 +114,15 @@ void AudioWorkletHandler::Process(uint32_t frames_to_process) { + // We also need to check if the global scope is valid before we request + // the rendering in the AudioWorkletGlobalScope. + if (processor_ && !processor_->hasErrorOccurred()) { +- // If the input is not connected, inform the processor with nullptr. ++ // If the input or the output is not connected, inform the processor with ++ // nullptr. + for (unsigned i = 0; i < NumberOfInputs(); ++i) { + inputs_[i] = Input(i).IsConnected() ? Input(i).Bus() : nullptr; + } + for (unsigned i = 0; i < NumberOfOutputs(); ++i) { +- outputs_[i] = WrapRefCounted(Output(i).Bus()); ++ outputs_[i] = Output(i).RenderingFanOutCount() > 0 ++ ? 
WrapRefCounted(Output(i).Bus()) ++ : nullptr; + } + + for (const auto& param_name : param_value_map_.Keys()) { +diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc +index 1f884cb12b43..c47e39effa40 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc +@@ -367,6 +367,12 @@ void AudioWorkletProcessor::CopyArrayBuffersToPort( + + for (uint32_t bus_index = 0; bus_index < audio_port.size(); ++bus_index) { + const scoped_refptr& audio_bus = audio_port[bus_index]; ++ ++ // nullptr indicates the output bus is not connected. Do not proceed. ++ if (!audio_bus) { ++ break; ++ } ++ + for (uint32_t channel_index = 0; + channel_index < audio_bus->NumberOfChannels(); ++channel_index) { + auto backing_store = array_buffers[bus_index][channel_index] +diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc +index fa1de8f37b9b..4730383dafa9 100644 +--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc ++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc +@@ -172,6 +172,16 @@ void DeferredTaskHandler::UpdateAutomaticPullNodes() { + base::AutoTryLock try_locker(automatic_pull_handlers_lock_); + if (try_locker.is_acquired()) { + rendering_automatic_pull_handlers_.assign(automatic_pull_handlers_); ++ ++ // In rare cases, it is possible for automatic pull nodes' output bus ++ // to become stale. Make sure update their rendering output counts. ++ // crbug.com/1505080. 
++ for (auto& handler : rendering_automatic_pull_handlers_) { ++ for (unsigned i = 0; i < handler->NumberOfOutputs(); ++i) { ++ handler->Output(i).UpdateRenderingState(); ++ } ++ } ++ + automatic_pull_handlers_need_updating_ = false; + } + } +From 0801943eea5309d1912bac96ed15af49b9f4e532 Mon Sep 17 00:00:00 2001 +From: Cheng Chen +Date: Thu, 7 Dec 2023 12:17:23 -0800 +Subject: [PATCH] [Backport] Security bug 1511389 (1/2) + +Manual partial cherry-pick of patch originally reviewed on +https://aomedia-review.googlesource.com/c/aom/+/184763: +Do not use adaptive error estimate + +When the reference frame size is different than the current, +we will not use adaptive error estimate. + +STATS_CHANGED + +Bug: b:314858909 +Change-Id: Ic64d9b4a1d94889d7283c044b17ffc24627478d7 +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535518 +Reviewed-by: Michal Klocek +--- + .../libaom/source/libaom/av1/encoder/ratectrl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c +index 4ea1c9a3e33..c7b503d80a2 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c +@@ -187,8 +187,7 @@ int av1_rc_bits_per_mb(const AV1_COMP *cpi, FRAME_TYPE frame_type, int qindex, + assert(correction_factor <= MAX_BPB_FACTOR && + correction_factor >= MIN_BPB_FACTOR); + +- if (frame_type != KEY_FRAME && accurate_estimate) { +- assert(cpi->rec_sse != UINT64_MAX); ++ if (frame_type != KEY_FRAME && accurate_estimate && cpi->rec_sse != UINT64_MAX) { + const int mbs = cm->mi_params.MBs; + const double sse_sqrt = + (double)((int)sqrt((double)(cpi->rec_sse)) << BPER_MB_NORMBITS) / +@@ -2021,6 +2020,13 @@ static void rc_compute_variance_onepass_rt(AV1_COMP *cpi) { + // TODO(yunqing): support scaled reference frames. 
+ if (cpi->scaled_ref_buf[LAST_FRAME - 1]) return; + ++ for (int i = 0; i < 2; ++i) { ++ if (unscaled_src->widths[i] != yv12->widths[i] || ++ unscaled_src->heights[i] != yv12->heights[i]) { ++ return; ++ } ++ } ++ + const int num_mi_cols = cm->mi_params.mi_cols; + const int num_mi_rows = cm->mi_params.mi_rows; + const BLOCK_SIZE bsize = BLOCK_64X64; +From 1a76ec5bc55594a7feada7c510949450d489996b Mon Sep 17 00:00:00 2001 +From: Remya Prakasan +Date: Mon, 8 May 2023 15:03:27 +0530 +Subject: [PATCH] [Backport] Dependency for security bug 1511389 (1/1) + +Manual cherry-pick of patch originally reviewed on +https://aomedia-review.googlesource.com/c/aom/+/175041: +Add support for dynamic allocation of thread data + +Added support for reallocation of thread data when the +workers for multi-threading in encode stage changes with +frame resizing. Also modified TestExternalResizeWorks +of ResizeRealtimeTest to test this scenario. + +BUG=aomedia:3429 + +Change-Id: Ieee94b229274e942203c9fc7dffd59a9a3fb5c26 +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535519 +Reviewed-by: Michal Klocek +--- + .../libaom/source/libaom/av1/av1_cx_iface.c | 14 ++++++++ + .../source/libaom/av1/encoder/encoder.c | 34 ------------------- + .../source/libaom/av1/encoder/encoder.h | 5 +++ + .../source/libaom/av1/encoder/encoder_alloc.h | 34 +++++++++++++++++++ + .../source/libaom/av1/encoder/ethread.c | 5 +++ + 5 files changed, 58 insertions(+), 34 deletions(-) + +diff --git a/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c b/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c +index 3e764dd6ca6..1d114779c83 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c +@@ -25,6 +25,7 @@ + #include "av1/av1_iface_common.h" + #include "av1/encoder/bitstream.h" + #include "av1/encoder/encoder.h" ++#include "av1/encoder/encoder_alloc.h" + #include 
"av1/encoder/encoder_utils.h" + #include "av1/encoder/ethread.h" + #include "av1/encoder/external_partition.h" +@@ -3095,6 +3096,19 @@ static aom_codec_err_t encoder_encode(aom_codec_alg_priv_t *ctx, + } + #endif // CONFIG_MULTITHREAD + } ++ ++ // Re-allocate thread data if workers for encoder multi-threading stage ++ // exceeds prev_num_enc_workers. ++ const int num_enc_workers = ++ av1_get_num_mod_workers_for_alloc(&ppi->p_mt_info, MOD_ENC); ++ if (ppi->p_mt_info.prev_num_enc_workers < num_enc_workers && ++ num_enc_workers <= ppi->p_mt_info.num_workers) { ++ free_thread_data(ppi); ++ for (int j = 0; j < ppi->num_fp_contexts; j++) ++ aom_free(ppi->parallel_cpi[j]->td.tctx); ++ av1_init_tile_thread_data(ppi, cpi->oxcf.pass == AOM_RC_FIRST_PASS); ++ } ++ + for (int i = 0; i < ppi->num_fp_contexts; i++) { + av1_init_frame_mt(ppi, ppi->parallel_cpi[i]); + } +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c +index 72cb92bbb22..c2bf5b9b344 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c +@@ -1569,40 +1569,6 @@ static AOM_INLINE void terminate_worker_data(AV1_PRIMARY *ppi) { + } + } + +-// Deallocate allocated thread_data. 
+-static AOM_INLINE void free_thread_data(AV1_PRIMARY *ppi) { +- PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info; +- for (int t = 1; t < p_mt_info->num_workers; ++t) { +- EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[t]; +- thread_data->td = thread_data->original_td; +- aom_free(thread_data->td->tctx); +- aom_free(thread_data->td->palette_buffer); +- aom_free(thread_data->td->tmp_conv_dst); +- release_compound_type_rd_buffers(&thread_data->td->comp_rd_buffer); +- for (int j = 0; j < 2; ++j) { +- aom_free(thread_data->td->tmp_pred_bufs[j]); +- } +- aom_free(thread_data->td->pixel_gradient_info); +- aom_free(thread_data->td->src_var_info_of_4x4_sub_blocks); +- release_obmc_buffers(&thread_data->td->obmc_buffer); +- aom_free(thread_data->td->vt64x64); +- +- for (int x = 0; x < 2; x++) { +- for (int y = 0; y < 2; y++) { +- aom_free(thread_data->td->hash_value_buffer[x][y]); +- thread_data->td->hash_value_buffer[x][y] = NULL; +- } +- } +- aom_free(thread_data->td->counts); +- av1_free_pmc(thread_data->td->firstpass_ctx, +- ppi->seq_params.monochrome ? 1 : MAX_MB_PLANE); +- thread_data->td->firstpass_ctx = NULL; +- av1_free_shared_coeff_buffer(&thread_data->td->shared_coeff_buf); +- av1_free_sms_tree(thread_data->td); +- aom_free(thread_data->td); +- } +-} +- + void av1_remove_primary_compressor(AV1_PRIMARY *ppi) { + if (!ppi) return; + #if !CONFIG_REALTIME_ONLY +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h +index a95ea2505d7..153b3665f23 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h +@@ -1631,6 +1631,11 @@ typedef struct PrimaryMultiThreadInfo { + * Number of primary workers created for multi-threading. + */ + int p_num_workers; ++ ++ /*! ++ * Tracks the number of workers in encode stage multi-threading. 
++ */ ++ int prev_num_enc_workers; + } PrimaryMultiThreadInfo; + + /*! +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h +index a4aef85aedb..27b5546371a 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h +@@ -398,6 +398,40 @@ static AOM_INLINE YV12_BUFFER_CONFIG *realloc_and_scale_source( + return &cpi->scaled_source; + } + ++// Deallocate allocated thread_data. ++static AOM_INLINE void free_thread_data(AV1_PRIMARY *ppi) { ++ PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info; ++ for (int t = 1; t < p_mt_info->num_workers; ++t) { ++ EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[t]; ++ thread_data->td = thread_data->original_td; ++ aom_free(thread_data->td->tctx); ++ aom_free(thread_data->td->palette_buffer); ++ aom_free(thread_data->td->tmp_conv_dst); ++ release_compound_type_rd_buffers(&thread_data->td->comp_rd_buffer); ++ for (int j = 0; j < 2; ++j) { ++ aom_free(thread_data->td->tmp_pred_bufs[j]); ++ } ++ aom_free(thread_data->td->pixel_gradient_info); ++ aom_free(thread_data->td->src_var_info_of_4x4_sub_blocks); ++ release_obmc_buffers(&thread_data->td->obmc_buffer); ++ aom_free(thread_data->td->vt64x64); ++ ++ for (int x = 0; x < 2; x++) { ++ for (int y = 0; y < 2; y++) { ++ aom_free(thread_data->td->hash_value_buffer[x][y]); ++ thread_data->td->hash_value_buffer[x][y] = NULL; ++ } ++ } ++ aom_free(thread_data->td->counts); ++ av1_free_pmc(thread_data->td->firstpass_ctx, ++ ppi->seq_params.monochrome ? 
1 : MAX_MB_PLANE); ++ thread_data->td->firstpass_ctx = NULL; ++ av1_free_shared_coeff_buffer(&thread_data->td->shared_coeff_buf); ++ av1_free_sms_tree(thread_data->td); ++ aom_free(thread_data->td); ++ } ++} ++ + #ifdef __cplusplus + } // extern "C" + #endif +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c +index 1c8631ae1fd..8c62b2107c3 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c +@@ -777,6 +777,7 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) { + + int num_workers = p_mt_info->num_workers; + int num_enc_workers = av1_get_num_mod_workers_for_alloc(p_mt_info, MOD_ENC); ++ assert(num_enc_workers <= num_workers); + for (int i = num_workers - 1; i >= 0; i--) { + EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[i]; + +@@ -886,6 +887,10 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) { + } + } + } ++ ++ // Record the number of workers in encode stage multi-threading for which ++ // allocation is done. ++ p_mt_info->prev_num_enc_workers = num_enc_workers; + } + + void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) { +From 9e80e8bff6bd41a61b589ecb6b006c1711e83431 Mon Sep 17 00:00:00 2001 +From: Cheng Chen +Date: Tue, 5 Dec 2023 16:34:43 -0800 +Subject: [PATCH] [Backport] Security bug 1511389 (2/2) + +Manual cherry-pick of patch originally reviewed on +https://aomedia-review.googlesource.com/c/aom/+/184761: +Recreate workers if necessary + +As shown in the unit test, if the number of workers increases, +we need to propoerly recreate new workers. 
+ +Bug: b:310455204 + +Change-Id: I0fafb11c10ffba209a4c49f4a531cfbf09c9c2b4 +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535520 +Reviewed-by: Michal Klocek +--- + .../libaom/source/libaom/av1/av1_cx_iface.c | 15 ++++++++++++++- + .../libaom/source/libaom/av1/encoder/encoder.c | 16 ++++------------ + .../libaom/source/libaom/av1/encoder/ethread.c | 12 ++++++++++++ + .../libaom/source/libaom/av1/encoder/ethread.h | 2 ++ + 4 files changed, 32 insertions(+), 13 deletions(-) + +diff --git a/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c b/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c +index 1d114779c83..618021a768d 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c +@@ -3078,12 +3078,25 @@ static aom_codec_err_t encoder_encode(aom_codec_alg_priv_t *ctx, + av1_compute_num_workers_for_mt(cpi); + num_workers = av1_get_max_num_workers(cpi); + } +- if ((num_workers > 1) && (ppi->p_mt_info.num_workers == 0)) { ++ if (num_workers > 1 && ppi->p_mt_info.num_workers < num_workers) { + // Obtain the maximum no. of frames that can be supported in a parallel + // encode set. 
+ if (is_stat_consumption_stage(cpi)) { + ppi->num_fp_contexts = av1_compute_num_fp_contexts(ppi, &cpi->oxcf); + } ++ if (ppi->p_mt_info.num_workers > 0) { ++ av1_terminate_workers(ppi); ++ free_thread_data(ppi); ++ aom_free(ppi->p_mt_info.tile_thr_data); ++ ppi->p_mt_info.tile_thr_data = NULL; ++ aom_free(ppi->p_mt_info.workers); ++ ppi->p_mt_info.workers = NULL; ++ ppi->p_mt_info.num_workers = 0; ++ for (int j = 0; j < ppi->num_fp_contexts; j++) { ++ aom_free(ppi->parallel_cpi[j]->td.tctx); ++ ppi->parallel_cpi[j]->td.tctx = NULL; ++ } ++ } + av1_create_workers(ppi, num_workers); + av1_init_tile_thread_data(ppi, cpi->oxcf.pass == AOM_RC_FIRST_PASS); + #if CONFIG_MULTITHREAD +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c +index c2bf5b9b344..5825ee00f76 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c +@@ -1558,17 +1558,6 @@ AV1_COMP *av1_create_compressor(AV1_PRIMARY *ppi, const AV1EncoderConfig *oxcf, + snprintf((H) + strlen(H), sizeof(H) - strlen(H), (T), (V)) + #endif // CONFIG_INTERNAL_STATS + +-// This function will change the state and free the mutex of corresponding +-// workers and terminate the object. The object can not be re-used unless a call +-// to reset() is made. 
+-static AOM_INLINE void terminate_worker_data(AV1_PRIMARY *ppi) { +- PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info; +- for (int t = p_mt_info->num_workers - 1; t >= 0; --t) { +- AVxWorker *const worker = &p_mt_info->workers[t]; +- aom_get_worker_interface()->end(worker); +- } +-} +- + void av1_remove_primary_compressor(AV1_PRIMARY *ppi) { + if (!ppi) return; + #if !CONFIG_REALTIME_ONLY +@@ -1596,11 +1585,14 @@ void av1_remove_primary_compressor(AV1_PRIMARY *ppi) { + av1_tpl_dealloc(&tpl_data->tpl_mt_sync); + #endif + +- terminate_worker_data(ppi); ++ av1_terminate_workers(ppi); + free_thread_data(ppi); + + aom_free(ppi->p_mt_info.tile_thr_data); ++ ppi->p_mt_info.tile_thr_data = NULL; + aom_free(ppi->p_mt_info.workers); ++ ppi->p_mt_info.workers = NULL; ++ ppi->p_mt_info.num_workers = 0; + + aom_free(ppi); + } +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c +index 8c62b2107c3..d59c4f1d57e 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c +@@ -896,6 +896,7 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) { + void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) { + PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info; + const AVxWorkerInterface *const winterface = aom_get_worker_interface(); ++ assert(p_mt_info->num_workers == 0); + + AOM_CHECK_MEM_ERROR(&ppi->error, p_mt_info->workers, + aom_malloc(num_workers * sizeof(*p_mt_info->workers))); +@@ -927,6 +928,17 @@ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) { + } + } + ++// This function will change the state and free the mutex of corresponding ++// workers and terminate the object. The object can not be re-used unless a call ++// to reset() is made. 
++void av1_terminate_workers(AV1_PRIMARY *ppi) { ++ PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info; ++ for (int t = 0; t < p_mt_info->num_workers; ++t) { ++ AVxWorker *const worker = &p_mt_info->workers[t]; ++ aom_get_worker_interface()->end(worker); ++ } ++} ++ + // This function returns 1 if frame parallel encode is supported for + // the current configuration. Returns 0 otherwise. + static AOM_INLINE int is_fpmt_config(AV1_PRIMARY *ppi, AV1EncoderConfig *oxcf) { +diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h +index 6c4bce4db57..942ed64510b 100644 +--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h ++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h +@@ -87,6 +87,8 @@ int av1_get_max_num_workers(const AV1_COMP *cpi); + + void av1_create_workers(AV1_PRIMARY *ppi, int num_workers); + ++void av1_terminate_workers(AV1_PRIMARY *ppi); ++ + void av1_init_frame_mt(AV1_PRIMARY *ppi, AV1_COMP *cpi); + + void av1_init_cdef_worker(AV1_COMP *cpi); +From da29c7f0b3e2044a7e597498a6fb62a306661f03 Mon Sep 17 00:00:00 2001 +From: Andrey Kosyakov +Date: Fri, 17 Nov 2023 17:48:22 +0000 +Subject: [PATCH] [Backport] CVE-2024-0810: Insufficient policy enforcement in + DevTools + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/5039174: +Do not let chrome.debugger extensions invoke Network.getAllCookies + +Network.getAllCookies is deprecated in favor of Storage.getCookies +and the latter is not allowed for extensions, so we shouldn't let +extensions use the former either. 
+ +Bug: 1496250 +Change-Id: I3e97e9249dbba61d1f7951ed22ef9b1bef9f2355 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5039174 +Reviewed-by: Danil Somsikov +Commit-Queue: Andrey Kosyakov +Cr-Commit-Position: refs/heads/main@{#1226203} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535521 +Reviewed-by: Michal Klocek +--- + .../browser/devtools/protocol/network_handler.cc | 14 ++++++++++---- + .../browser/devtools/protocol/network_handler.h | 6 ++++-- + .../devtools/render_frame_devtools_agent_host.cc | 3 ++- + .../devtools/service_worker_devtools_agent_host.cc | 3 ++- + .../devtools/shared_worker_devtools_agent_host.cc | 3 ++- + .../browser/devtools/worker_devtools_agent_host.cc | 3 ++- + 6 files changed, 22 insertions(+), 10 deletions(-) + +diff --git a/chromium/content/browser/devtools/protocol/network_handler.cc b/chromium/content/browser/devtools/protocol/network_handler.cc +index cfab47157112..7de14e0e4b95 100644 +--- src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.cc ++++ src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.cc +@@ -109,7 +109,8 @@ using DeleteCookiesCallback = Network::Backend::DeleteCookiesCallback; + using ClearBrowserCookiesCallback = + Network::Backend::ClearBrowserCookiesCallback; + +-const char kInvalidCookieFields[] = "Invalid cookie fields"; ++static constexpr char kInvalidCookieFields[] = "Invalid cookie fields"; ++static constexpr char kNotAllowedError[] = "Not allowed"; + + Network::CertificateTransparencyCompliance SerializeCTPolicyCompliance( + net::ct::CTPolicyCompliance ct_compliance) { +@@ -1027,11 +1028,14 @@ NetworkHandler::NetworkHandler( + const base::UnguessableToken& devtools_token, + DevToolsIOContext* io_context, + base::RepeatingClosure update_loader_factories_callback, +- bool allow_file_access) ++ bool allow_file_access, ++ bool client_is_trusted) + : DevToolsDomainHandler(Network::Metainfo::domainName), + 
host_id_(host_id), + devtools_token_(devtools_token), + io_context_(io_context), ++ allow_file_access_(allow_file_access), ++ client_is_trusted_(client_is_trusted), + browser_context_(nullptr), + storage_partition_(nullptr), + host_(nullptr), +@@ -1042,8 +1046,7 @@ NetworkHandler::NetworkHandler( + bypass_service_worker_(false), + cache_disabled_(false), + update_loader_factories_callback_( +- std::move(update_loader_factories_callback)), +- allow_file_access_(allow_file_access) { ++ std::move(update_loader_factories_callback)) { + DCHECK(io_context_); + static bool have_configured_service_worker_context = false; + if (have_configured_service_worker_context) +@@ -1505,6 +1508,9 @@ void NetworkHandler::GetCookies(Maybe> protocol_urls, + + void NetworkHandler::GetAllCookies( + std::unique_ptr callback) { ++ if (!client_is_trusted_) { ++ callback->sendFailure(Response::ServerError(kNotAllowedError)); ++ } + if (!storage_partition_) { + callback->sendFailure(Response::InternalError()); + return; +diff --git a/chromium/content/browser/devtools/protocol/network_handler.h b/chromium/content/browser/devtools/protocol/network_handler.h +index 6cbb0098e892..81636185d04f 100644 +--- src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.h ++++ src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.h +@@ -72,7 +72,8 @@ class NetworkHandler : public DevToolsDomainHandler, + const base::UnguessableToken& devtools_token, + DevToolsIOContext* io_context, + base::RepeatingClosure update_loader_factories_callback, +- bool allow_file_access); ++ bool allow_file_access, ++ bool client_is_trusted); + + NetworkHandler(const NetworkHandler&) = delete; + NetworkHandler& operator=(const NetworkHandler&) = delete; +@@ -337,6 +338,8 @@ class NetworkHandler : public DevToolsDomainHandler, + + const base::UnguessableToken devtools_token_; + DevToolsIOContext* const io_context_; ++ const bool allow_file_access_; ++ const bool client_is_trusted_; + + 
std::unique_ptr frontend_; + BrowserContext* browser_context_; +@@ -358,7 +361,6 @@ class NetworkHandler : public DevToolsDomainHandler, + loaders_; + absl::optional> + accepted_stream_types_; +- const bool allow_file_access_; + std::unordered_map> received_body_data_; + base::WeakPtrFactory weak_factory_{this}; + }; +diff --git a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc +index fe726068dee4..425eded3f56b 100644 +--- src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc ++++ src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc +@@ -336,7 +336,8 @@ bool RenderFrameDevToolsAgentHost::AttachSession(DevToolsSession* session, + base::BindRepeating( + &RenderFrameDevToolsAgentHost::UpdateResourceLoaderFactories, + base::Unretained(this)), +- session->GetClient()->MayReadLocalFiles()); ++ session->GetClient()->MayReadLocalFiles(), ++ session->GetClient()->IsTrusted()); + session->CreateAndAddHandler( + GetIOContext(), base::BindRepeating( + [](RenderFrameDevToolsAgentHost* self, +diff --git a/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc b/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc +index d2b307373ea1..7278a116ec78 100644 +--- src/3rdparty/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc ++++ src/3rdparty/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc +@@ -230,7 +230,8 @@ bool ServiceWorkerDevToolsAgentHost::AttachSession(DevToolsSession* session, + session->CreateAndAddHandler(); + session->CreateAndAddHandler( + GetId(), devtools_worker_token_, GetIOContext(), base::DoNothing(), +- session->GetClient()->MayReadLocalFiles()); ++ session->GetClient()->MayReadLocalFiles(), ++ session->GetClient()->IsTrusted()); + + session->CreateAndAddHandler( + GetIOContext(), +diff --git 
a/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc b/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc +index 6cfb49a9cb63..da9c8a3d18a4 100644 +--- src/3rdparty/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc ++++ src/3rdparty/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc +@@ -91,7 +91,8 @@ bool SharedWorkerDevToolsAgentHost::AttachSession(DevToolsSession* session, + session->CreateAndAddHandler(); + session->CreateAndAddHandler( + GetId(), devtools_worker_token_, GetIOContext(), +- base::BindRepeating([] {}), session->GetClient()->MayReadLocalFiles()); ++ base::BindRepeating([] {}), session->GetClient()->MayReadLocalFiles(), ++ session->GetClient()->IsTrusted()); + // TODO(crbug.com/1143100): support pushing updated loader factories down to + // renderer. + session->CreateAndAddHandler( +diff --git a/chromium/content/browser/devtools/worker_devtools_agent_host.cc b/chromium/content/browser/devtools/worker_devtools_agent_host.cc +index 5bca24a4bb16..dbce6e066adb 100644 +--- src/3rdparty/chromium/content/browser/devtools/worker_devtools_agent_host.cc ++++ src/3rdparty/chromium/content/browser/devtools/worker_devtools_agent_host.cc +@@ -137,7 +137,8 @@ bool WorkerDevToolsAgentHost::AttachSession(DevToolsSession* session, + auto_attacher_.get(), session); + session->CreateAndAddHandler( + GetId(), devtools_worker_token_, GetIOContext(), base::DoNothing(), +- session->GetClient()->MayReadLocalFiles()); ++ session->GetClient()->MayReadLocalFiles(), ++ session->GetClient()->IsTrusted()); + return true; + } + +From 9b72e2301892ea6619fb6e64f67812238ad56830 Mon Sep 17 00:00:00 2001 +From: Bo Liu +Date: Mon, 18 Sep 2023 21:17:14 +0000 +Subject: [PATCH] [Backport] Security bug 1407197 (1/2) + +Partial manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/4869854: +Tag WebContents ownership for debugging + +Tag WebContents owner 
and add it as a CrashKey for the +DumpWithoutCrashing in ~WebContentsOfBrowserContext. + +The actual tags in this CL is more focused on android and is not +exhaustive. Can keep adding new ones in the future as needed. + +Bug: 1407197 +Change-Id: I6c0261ae5967fdb01ff2a5f3d0d6fe07f572bd20 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4869854 +Reviewed-by: Ted Choc +Commit-Queue: Bo Liu +Reviewed-by: Avi Drissman +Reviewed-by: Finnur Thorarinsson +Cr-Commit-Position: refs/heads/main@{#1198010} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535707 +Reviewed-by: Michal Klocek +--- + .../browser/distiller_page_web_contents.cc | 6 +++- + .../guest_view/browser/guest_view_base.cc | 6 ++++ + .../browser/no_state_prefetch_contents.cc | 1 + + .../browser/no_state_prefetch_manager.cc | 5 +++ + .../background_loader_contents.cc | 1 + + chromium/content/browser/portal/portal.cc | 3 ++ + chromium/content/browser/portal/portal.h | 3 ++ + .../browser/web_contents/web_contents_impl.cc | 31 +++++++++++++++++-- + .../browser/web_contents/web_contents_impl.h | 8 +++++ + .../content/public/browser/web_contents.h | 6 ++++ + chromium/extensions/browser/extension_host.cc | 3 +- + 11 files changed, 69 insertions(+), 4 deletions(-) + +diff --git a/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc b/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc +index e4025f7bc94c..78abc76a6bf2 100644 +--- src/3rdparty/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc ++++ src/3rdparty/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc +@@ -30,7 +30,11 @@ namespace dom_distiller { + SourcePageHandleWebContents::SourcePageHandleWebContents( + content::WebContents* web_contents, + bool owned) +- : web_contents_(web_contents), owned_(owned) {} ++ : web_contents_(web_contents), owned_(owned) { ++ if (web_contents_ && owned) { ++ 
web_contents_->SetOwnerLocationForDebug(FROM_HERE); ++ } ++} + + SourcePageHandleWebContents::~SourcePageHandleWebContents() { + if (owned_) { +diff --git a/chromium/components/guest_view/browser/guest_view_base.cc b/chromium/components/guest_view/browser/guest_view_base.cc +index d2ea8b7ce3fd..06ba6ab1c7fc 100644 +--- src/3rdparty/chromium/components/guest_view/browser/guest_view_base.cc ++++ src/3rdparty/chromium/components/guest_view/browser/guest_view_base.cc +@@ -480,6 +480,9 @@ void GuestViewBase::WillAttach( + std::unique_ptr owned_guest_contents = + std::move(owned_guest_contents_); + DCHECK_EQ(owned_guest_contents.get(), web_contents()); ++ if (owned_guest_contents) { ++ owned_guest_contents->SetOwnerLocationForDebug(absl::nullopt); ++ } + + // Since this inner WebContents is created from the browser side we do + // not have RemoteFrame mojo channels so we pass in +@@ -774,6 +777,9 @@ void GuestViewBase::TakeGuestContentsOwnership( + std::unique_ptr guest_web_contents) { + DCHECK(!owned_guest_contents_); + owned_guest_contents_ = std::move(guest_web_contents); ++ if (owned_guest_contents_) { ++ owned_guest_contents_->SetOwnerLocationForDebug(FROM_HERE); ++ } + } + + void GuestViewBase::ClearOwnedGuestContents() { +diff --git a/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc b/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc +index f2f8dc5ff921..35fac905dc1f 100644 +--- src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc ++++ src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc +@@ -271,6 +271,7 @@ void NoStatePrefetchContents::StartPrerendering( + attempt_.get(), content::PreloadingTriggeringOutcome::kRunning); + + no_state_prefetch_contents_ = CreateWebContents(session_storage_namespace); ++ no_state_prefetch_contents_->SetOwnerLocationForDebug(FROM_HERE); + 
content::WebContentsObserver::Observe(no_state_prefetch_contents_.get()); + delegate_->OnNoStatePrefetchContentsCreated( + no_state_prefetch_contents_.get()); +diff --git a/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc b/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc +index 3403fa8d1342..7397d1aa5de5 100644 +--- src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc ++++ src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc +@@ -118,6 +118,7 @@ class NoStatePrefetchManager::OnCloseWebContentsDeleter + OnCloseWebContentsDeleter(NoStatePrefetchManager* manager, + std::unique_ptr tab) + : manager_(manager), tab_(std::move(tab)) { ++ tab_->SetOwnerLocationForDebug(FROM_HERE); + tab_->SetDelegate(this); + base::SingleThreadTaskRunner::GetCurrentDefault()->PostDelayedTask( + FROM_HERE, +@@ -140,6 +141,7 @@ class NoStatePrefetchManager::OnCloseWebContentsDeleter + void ScheduleWebContentsForDeletion(bool timeout) { + UMA_HISTOGRAM_BOOLEAN("Prerender.TabContentsDeleterTimeout", timeout); + tab_->SetDelegate(nullptr); ++ tab_->SetOwnerLocationForDebug(absl::nullopt); + manager_->ScheduleDeleteOldWebContents(std::move(tab_), this); + // |this| is deleted at this point. + } +@@ -981,6 +983,9 @@ void NoStatePrefetchManager::CleanUpOldNavigations( + void NoStatePrefetchManager::ScheduleDeleteOldWebContents( + std::unique_ptr tab, + OnCloseWebContentsDeleter* deleter) { ++ if (tab) { ++ tab->SetOwnerLocationForDebug(FROM_HERE); ++ } + old_web_contents_list_.push_back(std::move(tab)); + PostCleanupTask(); + *** 274 LINES SKIPPED ***
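Review bot: in the first hunk, the new teardown loop `for (int j = 0; j < ppi->num_fp_contexts; j++) { aom_free(ppi->parallel_cpi[j]->td.tctx); ... }` runs after `ppi->num_fp_contexts` may have just been reassigned by `av1_compute_num_fp_contexts(ppi, &cpi->oxcf)` in the `is_stat_consumption_stage(cpi)` branch directly above it, so the count used to free `td.tctx` can differ from the count in effect when those contexts were allocated. Either capture the previous value before the recomputation and free with that, or confirm from the callers that the value cannot change between the two points and say so in a comment.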
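Review bot: `assert(p_mt_info->num_workers == 0);` added at the top of `av1_create_workers` (ethread.c hunk at `@@ -896,6 +896,7 @@`) is compiled out in NDEBUG builds, so in release the only thing preventing `workers` and `tile_thr_data` from being allocated over live arrays is the caller-side block in the first hunk that terminates and frees them before calling `av1_create_workers`. The precondition (workers already terminated and `num_workers` reset to 0) is worth stating on the declarations in the ethread.h hunk, which currently adds only the `av1_terminate_workers` prototype.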
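Review bot: `av1_terminate_workers` (ethread.c hunk at `@@ -927,6 +928,17 @@`) ends workers from `t = 0` upward, whereas the `terminate_worker_data` it replaces in encoder.c ended them from `num_workers - 1` down to 0. If the reverse order was deliberate, the change should preserve it or note why it no longer matters; a one-line comment either way would stop the question coming up on the next refactor.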
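Review bot: the `client_is_trusted_` check added in `NetworkHandler::GetAllCookies` (network_handler.cc hunk at `@@ -1505,6 +1508,9 @@`) has no `return;` after `callback->sendFailure(...)`, so for an untrusted client execution falls through to the `storage_partition_` check and the rest of the cookie retrieval using the same `callback`, which both undermines the policy the change is meant to enforce and answers a callback that has already been failed. The `Response::InternalError()` branch directly below shows the intended shape:
    if (!client_is_trusted_) {
      callback->sendFailure(Response::ServerError(kNotAllowedError));
      return;
    }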