Date:      Wed, 31 Jan 2024 20:09:59 GMT
From:      "Jason E. Hale" <jhale@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject:   git: d4aaa430d084 - 2024Q1 - www/qt6-webengine: Address security vulnerabilities
Message-ID:  <202401312009.40VK9xfe017599@gitrepo.freebsd.org>

The branch 2024Q1 has been updated by jhale:

URL: https://cgit.FreeBSD.org/ports/commit/?id=d4aaa430d08417fb216e5ee98f8db322b64e82e4

commit d4aaa430d08417fb216e5ee98f8db322b64e82e4
Author:     Jason E. Hale <jhale@FreeBSD.org>
AuthorDate: 2024-01-31 19:45:55 +0000
Commit:     Jason E. Hale <jhale@FreeBSD.org>
CommitDate: 2024-01-31 20:09:49 +0000

    www/qt6-webengine: Address security vulnerabilities
    
    Add speculative build fix for armv7.
    
    MFH:            2024Q1
    Security:       bbcb1584-c068-11ee-bdd6-4ccc6adda413
    (cherry picked from commit 214eb4d92c6739ef0da1eba2cdc10a97bdf6af30)
---
 www/qt6-webengine/Makefile                         |    2 +-
 www/qt6-webengine/files/patch-security-rollup      | 1179 +++++++++++++++++++-
 ...3rdparty_chromium_v8_src_codegen_arm_cpu-arm.cc |   24 +
 3 files changed, 1203 insertions(+), 2 deletions(-)

diff --git a/www/qt6-webengine/Makefile b/www/qt6-webengine/Makefile
index d7371916a4f4..b62f3f3a255b 100644
--- a/www/qt6-webengine/Makefile
+++ b/www/qt6-webengine/Makefile
@@ -12,7 +12,7 @@
 
 PORTNAME?=	webengine
 DISTVERSION=	${QT6_VERSION}
-PORTREVISION?=	3 # Master port for print/qt6-pdf. Please keep this line.
+PORTREVISION?=	4 # Master port for print/qt6-pdf. Please keep this line.
 CATEGORIES?=	www
 PKGNAMEPREFIX=	qt6-
 
diff --git a/www/qt6-webengine/files/patch-security-rollup b/www/qt6-webengine/files/patch-security-rollup
index bb16a291c80d..3f67e42ad06b 100644
--- a/www/qt6-webengine/files/patch-security-rollup
+++ b/www/qt6-webengine/files/patch-security-rollup
@@ -23,8 +23,13 @@ Addresses the following security issues:
 - CVE-2024-0222
 - Security bug 1511689
 - CVE-2024-0519
-- CVE-2025-0518
+- CVE-2024-0518
 - Security bug 1506535
+- CVE-2024-0808
+- CVE-2024-0807
+- Security bug 1511389
+- CVE-2024-0810
+- Security bug 1407197
 
 From 669506a53474e3d7637666d3c53f6101fb94d96f Mon Sep 17 00:00:00 2001
 From: Nidhi Jaju <nidhijaju@chromium.org>
@@ -3260,3 +3265,1175 @@ index 59bbb727e6b..8b3f7055430 100644
  
      if (keyboard_lock_widget_)
        delegate_->CancelKeyboardLockRequest(this);
+From 8ab0eb9f07be8cd735e03b5536fc2e361e70a5cf Mon Sep 17 00:00:00 2001
+From: Lyra Rebane <rebane2001@gmail.com>
+Date: Mon, 8 Jan 2024 13:39:46 +0000
+Subject: [PATCH] [Backport] CVE-2024-0808: Integer underflow in WebUI
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5177426:
+Verify resource order in data pack files
+
+This CL adds a resource order check when loading a data pack or calling DataPack::GetStringPiece to make sure the resources are ordered sequentially in memory.
+
+Bug: 1504936
+Change-Id: Ie3bf1d9dbac937407355935a859a5daa9ce84350
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5059113
+Commit-Queue: Peter Boström <pbos@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1238675}
+(cherry picked from commit c4b2e6246ad0e95eaf0727bb25a2e4969155e989)
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535516
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ chromium/AUTHORS                              |  1 +
+ chromium/ui/base/resource/data_pack.cc        | 19 ++++++++++++++++++-
+ .../ui/base/resource/data_pack_literal.cc     | 12 ++++++++++++
+ chromium/ui/base/resource/data_pack_literal.h |  2 ++
+ .../ui/base/resource/data_pack_unittest.cc    |  7 +++++++
+ 5 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/chromium/AUTHORS b/chromium/AUTHORS
+index ff6abe8d1135..772aab22c671 100644
+--- src/3rdparty/chromium/AUTHORS
++++ src/3rdparty/chromium/AUTHORS
+@@ -769,6 +769,7 @@ Luke Seunghoe Gu <gulukesh@gmail.com>
+ Luke Zarko <lukezarko@gmail.com>
+ Luoxi Pan <l.panpax@gmail.com>
+ Lu Yahan <yahan@iscas.ac.cn>
++Lyra Rebane <rebane2001@gmail.com>
+ Ma Aiguo <imaiguo@gmail.com>
+ Maarten Lankhorst <m.b.lankhorst@gmail.com>
+ Maciej Pawlowski <m.pawlowski@eyeo.com>
+diff --git a/chromium/ui/base/resource/data_pack.cc b/chromium/ui/base/resource/data_pack.cc
+index 74069c99d00a..6dc0985b78dd 100644
+--- src/3rdparty/chromium/ui/base/resource/data_pack.cc
++++ src/3rdparty/chromium/ui/base/resource/data_pack.cc
+@@ -310,7 +310,16 @@ bool DataPack::SanityCheckFileAndRegisterResources(size_t margin_to_skip,
+     }
+   }
+ 
+-  // 3) Verify the aliases are within the appropriate bounds.
++  // 3) Verify the entries are ordered correctly.
++  for (size_t i = 0; i < resource_count_; ++i) {
++    if (resource_table_[i].file_offset > resource_table_[i + 1].file_offset) {
++      LOG(ERROR) << "Data pack file corruption: "
++                 << "Entry #" << i + 1 << " before Entry #" << i << ".";
++      return false;
++    }
++  }
++
++  // 4) Verify the aliases are within the appropriate bounds.
+   for (size_t i = 0; i < alias_count_; ++i) {
+     if (alias_table_[i].entry_index >= resource_count_) {
+       LOG(ERROR) << "Data pack file corruption: "
+@@ -428,6 +437,14 @@ bool DataPack::GetStringPiece(uint16_t resource_id,
+                << "file modified?";
+     return false;
+   }
++  if (target->file_offset > next_entry->file_offset) {
++    size_t entry_index = target - resource_table_;
++    size_t next_index = next_entry - resource_table_;
++    LOG(ERROR) << "Entry #" << next_index << " in data pack is before Entry #"
++               << entry_index << ". This should have been caught when loading. "
++               << "Was the file modified?";
++    return false;
++  }
+ 
+   MaybePrintResourceId(resource_id);
+   GetStringPieceFromOffset(target->file_offset, next_entry->file_offset,
+diff --git a/chromium/ui/base/resource/data_pack_literal.cc b/chromium/ui/base/resource/data_pack_literal.cc
+index caac0709b42b..4197ea03fd68 100644
+--- src/3rdparty/chromium/ui/base/resource/data_pack_literal.cc
++++ src/3rdparty/chromium/ui/base/resource/data_pack_literal.cc
+@@ -89,6 +89,18 @@ const uint8_t kSampleCorruptPakContents[] = {
+ 
+ const size_t kSampleCorruptPakSize = sizeof(kSampleCorruptPakContents);
+ 
++const uint8_t kSampleMisorderedPakContents[] = {
++    0x05, 0x00, 0x00, 0x00,              // version
++    0x01, 0x00, 0x00, 0x00,              // encoding + padding
++    0x02, 0x00, 0x00, 0x00,              // num_resources, num_aliases
++    0x06, 0x00, 0x2a, 0x00, 0x00, 0x00,  // index entry 6 (wrong order)
++    0x04, 0x00, 0x1e, 0x00, 0x00, 0x00,  // index entry 4
++    0x00, 0x00, 0x36, 0x00, 0x00, 0x00,  // extra entry for the size of last
++    't',  'h',  'i',  's',  ' ',  'i',  's', ' ', 'i', 'd', ' ', '4',
++    't',  'h',  'i',  's',  ' ',  'i',  's', ' ', 'i', 'd', ' ', '6'};
++
++const size_t kSampleMisorderedPakSize = sizeof(kSampleMisorderedPakContents);
++
+ const uint8_t kSamplePakContents2x[] = {
+     0x04, 0x00, 0x00, 0x00,              // header(version
+     0x01, 0x00, 0x00, 0x00,              //        no. entries
+diff --git a/chromium/ui/base/resource/data_pack_literal.h b/chromium/ui/base/resource/data_pack_literal.h
+index eb5a94895f2d..9173ce149935 100644
+--- src/3rdparty/chromium/ui/base/resource/data_pack_literal.h
++++ src/3rdparty/chromium/ui/base/resource/data_pack_literal.h
+@@ -22,6 +22,8 @@ extern const uint8_t kEmptyPakContents[];
+ extern const size_t kEmptyPakSize;
+ extern const uint8_t kSampleCorruptPakContents[];
+ extern const size_t kSampleCorruptPakSize;
++extern const uint8_t kSampleMisorderedPakContents[];
++extern const size_t kSampleMisorderedPakSize;
+ 
+ }  // namespace ui
+ 
+diff --git a/chromium/ui/base/resource/data_pack_unittest.cc b/chromium/ui/base/resource/data_pack_unittest.cc
+index 25b33b813ac4..0a4a169ca225 100644
+--- src/3rdparty/chromium/ui/base/resource/data_pack_unittest.cc
++++ src/3rdparty/chromium/ui/base/resource/data_pack_unittest.cc
+@@ -366,4 +366,11 @@ TEST(DataPackTest, ModifiedWhileUsed) {
+ }
+ #endif
+ 
++TEST(DataPackTest, Misordered) {
++  DataPack pack(k100Percent);
++
++  ASSERT_FALSE(pack.LoadFromBuffer(
++      {kSampleMisorderedPakContents, kSampleMisorderedPakSize}));
++}
++
+ }  // namespace ui
+From 46069ff72f6e1d6fe75bd2c04350bcd74b308923 Mon Sep 17 00:00:00 2001
+From: Hongchan Choi <hongchan@chromium.org>
+Date: Fri, 12 Jan 2024 22:57:22 +0000
+Subject: [PATCH] [Backport] CVE-2024-0807: Use after free in WebAudio
+
+Manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5225523:
+Update rendering state of automatic pull nodes before graph rendering
+
+M114 merge issues:
+  third_party/blink/renderer/modules/webaudio/analyser_handler.cc:
+    PullInputs/CheckNumberOfChannelsForInput not present in 114.
+
+In rare cases, the rendering fan out count of automatic pull node
+does not match the main thread fan out count after recreating
+a platform destination followed by disconnection.
+
+This CL forces the update of the rendering state of automatic
+pull nodes before graph rendering to make sure that fan out counts
+are synchronized before executing the audio processing function call.
+
+NOTE: This change makes 2 WPTs fail. The follow-up work is planned
+to address them once this patch is merged.
+
+Bug: 1505080
+Test: Locally confirmed that ASAN doesn't crash on all repro cases.
+Change-Id: I6768cd8bc64525ea9d56a19b9c58439e9cdab9a8
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5131958
+Commit-Queue: Hongchan Choi <hongchan@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1246718}
+(cherry picked from commit f4bffa09b46c21147431179e1e6dd2b27bc35fbc)
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535517
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../renderer/modules/webaudio/analyser_handler.cc  | 14 ++++++++++++--
+ .../modules/webaudio/audio_worklet_handler.cc      |  7 +++++--
+ .../modules/webaudio/audio_worklet_processor.cc    |  6 ++++++
+ .../modules/webaudio/deferred_task_handler.cc      | 10 ++++++++++
+ 4 files changed, 33 insertions(+), 4 deletions(-)
+
+diff --git a/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc
+index c823c923a1cc..87a1f109a28c 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc
+@@ -39,9 +39,14 @@ AnalyserHandler::~AnalyserHandler() {
+ }
+ 
+ void AnalyserHandler::Process(uint32_t frames_to_process) {
+-  AudioBus* output_bus = Output(0).Bus();
++  DCHECK(Context()->IsAudioThread());
+ 
+-  if (!IsInitialized()) {
++  // It's possible that output is not connected. Assign nullptr to indicate
++  // such case.
++  AudioBus* output_bus =
++      Output(0).RenderingFanOutCount() > 0 ? Output(0).Bus() : nullptr;
++
++  if (!IsInitialized() && output_bus) {
+     output_bus->Zero();
+     return;
+   }
+@@ -53,6 +58,11 @@ void AnalyserHandler::Process(uint32_t frames_to_process) {
+   // Analyser reflects the current input.
+   analyser_.WriteInput(input_bus.get(), frames_to_process);
+ 
++  // Subsequent steps require `output_bus` to be valid.
++  if (!output_bus) {
++    return;
++  }
++
+   if (!Input(0).IsConnected()) {
+     // No inputs, so clear the output, and propagate the silence hint.
+     output_bus->Zero();
+diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc
+index 7f591531ad6f..b2b1500d3aab 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc
+@@ -114,12 +114,15 @@ void AudioWorkletHandler::Process(uint32_t frames_to_process) {
+   // We also need to check if the global scope is valid before we request
+   // the rendering in the AudioWorkletGlobalScope.
+   if (processor_ && !processor_->hasErrorOccurred()) {
+-    // If the input is not connected, inform the processor with nullptr.
++    // If the input or the output  is not connected, inform the processor with
++    // nullptr.
+     for (unsigned i = 0; i < NumberOfInputs(); ++i) {
+       inputs_[i] = Input(i).IsConnected() ? Input(i).Bus() : nullptr;
+     }
+     for (unsigned i = 0; i < NumberOfOutputs(); ++i) {
+-      outputs_[i] = WrapRefCounted(Output(i).Bus());
++      outputs_[i] = Output(i).RenderingFanOutCount() > 0
++                        ? WrapRefCounted(Output(i).Bus())
++                        : nullptr;
+     }
+ 
+     for (const auto& param_name : param_value_map_.Keys()) {
+diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
+index 1f884cb12b43..c47e39effa40 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
+@@ -367,6 +367,12 @@ void AudioWorkletProcessor::CopyArrayBuffersToPort(
+ 
+   for (uint32_t bus_index = 0; bus_index < audio_port.size(); ++bus_index) {
+     const scoped_refptr<AudioBus>& audio_bus = audio_port[bus_index];
++
++    // nullptr indicates the output bus is not connected. Do not proceed.
++    if (!audio_bus) {
++      break;
++    }
++
+     for (uint32_t channel_index = 0;
+          channel_index < audio_bus->NumberOfChannels(); ++channel_index) {
+       auto backing_store = array_buffers[bus_index][channel_index]
+diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
+index fa1de8f37b9b..4730383dafa9 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
+@@ -172,6 +172,16 @@ void DeferredTaskHandler::UpdateAutomaticPullNodes() {
+     base::AutoTryLock try_locker(automatic_pull_handlers_lock_);
+     if (try_locker.is_acquired()) {
+       rendering_automatic_pull_handlers_.assign(automatic_pull_handlers_);
++
++      // In rare cases, it is possible for automatic pull nodes' output bus
++      // to become stale. Make sure update their rendering output counts.
++      // crbug.com/1505080.
++      for (auto& handler : rendering_automatic_pull_handlers_) {
++        for (unsigned i = 0; i < handler->NumberOfOutputs(); ++i) {
++          handler->Output(i).UpdateRenderingState();
++        }
++      }
++
+       automatic_pull_handlers_need_updating_ = false;
+     }
+   }
+From 0801943eea5309d1912bac96ed15af49b9f4e532 Mon Sep 17 00:00:00 2001
+From: Cheng Chen <chengchen@google.com>
+Date: Thu, 7 Dec 2023 12:17:23 -0800
+Subject: [PATCH] [Backport] Security bug 1511389 (1/2)
+
+Manual partial cherry-pick of patch originally reviewed on
+https://aomedia-review.googlesource.com/c/aom/+/184763:
+Do not use adaptive error estimate
+
+When the reference frame size is different than the current,
+we will not use adaptive error estimate.
+
+STATS_CHANGED
+
+Bug: b:314858909
+Change-Id: Ic64d9b4a1d94889d7283c044b17ffc24627478d7
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535518
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../libaom/source/libaom/av1/encoder/ratectrl.c        | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
+index 4ea1c9a3e33..c7b503d80a2 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
+@@ -187,8 +187,7 @@ int av1_rc_bits_per_mb(const AV1_COMP *cpi, FRAME_TYPE frame_type, int qindex,
+   assert(correction_factor <= MAX_BPB_FACTOR &&
+          correction_factor >= MIN_BPB_FACTOR);
+ 
+-  if (frame_type != KEY_FRAME && accurate_estimate) {
+-    assert(cpi->rec_sse != UINT64_MAX);
++  if (frame_type != KEY_FRAME && accurate_estimate && cpi->rec_sse != UINT64_MAX) {
+     const int mbs = cm->mi_params.MBs;
+     const double sse_sqrt =
+         (double)((int)sqrt((double)(cpi->rec_sse)) << BPER_MB_NORMBITS) /
+@@ -2021,6 +2020,13 @@ static void rc_compute_variance_onepass_rt(AV1_COMP *cpi) {
+   // TODO(yunqing): support scaled reference frames.
+   if (cpi->scaled_ref_buf[LAST_FRAME - 1]) return;
+ 
++  for (int i = 0; i < 2; ++i) {
++    if (unscaled_src->widths[i] != yv12->widths[i] ||
++        unscaled_src->heights[i] != yv12->heights[i]) {
++      return;
++    }
++  }
++
+   const int num_mi_cols = cm->mi_params.mi_cols;
+   const int num_mi_rows = cm->mi_params.mi_rows;
+   const BLOCK_SIZE bsize = BLOCK_64X64;
+From 1a76ec5bc55594a7feada7c510949450d489996b Mon Sep 17 00:00:00 2001
+From: Remya Prakasan <remya.prakasan@ittiam.com>
+Date: Mon, 8 May 2023 15:03:27 +0530
+Subject: [PATCH] [Backport] Dependency for security bug 1511389 (1/1)
+
+Manual cherry-pick of patch originally reviewed on
+https://aomedia-review.googlesource.com/c/aom/+/175041:
+Add support for dynamic allocation of thread data
+
+Added support for reallocation of thread data when the
+workers for multi-threading in encode stage changes with
+frame resizing. Also modified TestExternalResizeWorks
+of ResizeRealtimeTest to test this scenario.
+
+BUG=aomedia:3429
+
+Change-Id: Ieee94b229274e942203c9fc7dffd59a9a3fb5c26
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535519
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../libaom/source/libaom/av1/av1_cx_iface.c   | 14 ++++++++
+ .../source/libaom/av1/encoder/encoder.c       | 34 -------------------
+ .../source/libaom/av1/encoder/encoder.h       |  5 +++
+ .../source/libaom/av1/encoder/encoder_alloc.h | 34 +++++++++++++++++++
+ .../source/libaom/av1/encoder/ethread.c       |  5 +++
+ 5 files changed, 58 insertions(+), 34 deletions(-)
+
+diff --git a/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c b/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
+index 3e764dd6ca6..1d114779c83 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
+@@ -25,6 +25,7 @@
+ #include "av1/av1_iface_common.h"
+ #include "av1/encoder/bitstream.h"
+ #include "av1/encoder/encoder.h"
++#include "av1/encoder/encoder_alloc.h"
+ #include "av1/encoder/encoder_utils.h"
+ #include "av1/encoder/ethread.h"
+ #include "av1/encoder/external_partition.h"
+@@ -3095,6 +3096,19 @@ static aom_codec_err_t encoder_encode(aom_codec_alg_priv_t *ctx,
+       }
+ #endif  // CONFIG_MULTITHREAD
+     }
++
++    // Re-allocate thread data if workers for encoder multi-threading stage
++    // exceeds prev_num_enc_workers.
++    const int num_enc_workers =
++        av1_get_num_mod_workers_for_alloc(&ppi->p_mt_info, MOD_ENC);
++    if (ppi->p_mt_info.prev_num_enc_workers < num_enc_workers &&
++        num_enc_workers <= ppi->p_mt_info.num_workers) {
++      free_thread_data(ppi);
++      for (int j = 0; j < ppi->num_fp_contexts; j++)
++        aom_free(ppi->parallel_cpi[j]->td.tctx);
++      av1_init_tile_thread_data(ppi, cpi->oxcf.pass == AOM_RC_FIRST_PASS);
++    }
++
+     for (int i = 0; i < ppi->num_fp_contexts; i++) {
+       av1_init_frame_mt(ppi, ppi->parallel_cpi[i]);
+     }
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
+index 72cb92bbb22..c2bf5b9b344 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
+@@ -1569,40 +1569,6 @@ static AOM_INLINE void terminate_worker_data(AV1_PRIMARY *ppi) {
+   }
+ }
+ 
+-// Deallocate allocated thread_data.
+-static AOM_INLINE void free_thread_data(AV1_PRIMARY *ppi) {
+-  PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
+-  for (int t = 1; t < p_mt_info->num_workers; ++t) {
+-    EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[t];
+-    thread_data->td = thread_data->original_td;
+-    aom_free(thread_data->td->tctx);
+-    aom_free(thread_data->td->palette_buffer);
+-    aom_free(thread_data->td->tmp_conv_dst);
+-    release_compound_type_rd_buffers(&thread_data->td->comp_rd_buffer);
+-    for (int j = 0; j < 2; ++j) {
+-      aom_free(thread_data->td->tmp_pred_bufs[j]);
+-    }
+-    aom_free(thread_data->td->pixel_gradient_info);
+-    aom_free(thread_data->td->src_var_info_of_4x4_sub_blocks);
+-    release_obmc_buffers(&thread_data->td->obmc_buffer);
+-    aom_free(thread_data->td->vt64x64);
+-
+-    for (int x = 0; x < 2; x++) {
+-      for (int y = 0; y < 2; y++) {
+-        aom_free(thread_data->td->hash_value_buffer[x][y]);
+-        thread_data->td->hash_value_buffer[x][y] = NULL;
+-      }
+-    }
+-    aom_free(thread_data->td->counts);
+-    av1_free_pmc(thread_data->td->firstpass_ctx,
+-                 ppi->seq_params.monochrome ? 1 : MAX_MB_PLANE);
+-    thread_data->td->firstpass_ctx = NULL;
+-    av1_free_shared_coeff_buffer(&thread_data->td->shared_coeff_buf);
+-    av1_free_sms_tree(thread_data->td);
+-    aom_free(thread_data->td);
+-  }
+-}
+-
+ void av1_remove_primary_compressor(AV1_PRIMARY *ppi) {
+   if (!ppi) return;
+ #if !CONFIG_REALTIME_ONLY
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h
+index a95ea2505d7..153b3665f23 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h
+@@ -1631,6 +1631,11 @@ typedef struct PrimaryMultiThreadInfo {
+    * Number of primary workers created for multi-threading.
+    */
+   int p_num_workers;
++
++  /*!
++   * Tracks the number of workers in encode stage multi-threading.
++   */
++  int prev_num_enc_workers;
+ } PrimaryMultiThreadInfo;
+ 
+ /*!
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h
+index a4aef85aedb..27b5546371a 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h
+@@ -398,6 +398,40 @@ static AOM_INLINE YV12_BUFFER_CONFIG *realloc_and_scale_source(
+   return &cpi->scaled_source;
+ }
+ 
++// Deallocate allocated thread_data.
++static AOM_INLINE void free_thread_data(AV1_PRIMARY *ppi) {
++  PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
++  for (int t = 1; t < p_mt_info->num_workers; ++t) {
++    EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[t];
++    thread_data->td = thread_data->original_td;
++    aom_free(thread_data->td->tctx);
++    aom_free(thread_data->td->palette_buffer);
++    aom_free(thread_data->td->tmp_conv_dst);
++    release_compound_type_rd_buffers(&thread_data->td->comp_rd_buffer);
++    for (int j = 0; j < 2; ++j) {
++      aom_free(thread_data->td->tmp_pred_bufs[j]);
++    }
++    aom_free(thread_data->td->pixel_gradient_info);
++    aom_free(thread_data->td->src_var_info_of_4x4_sub_blocks);
++    release_obmc_buffers(&thread_data->td->obmc_buffer);
++    aom_free(thread_data->td->vt64x64);
++
++    for (int x = 0; x < 2; x++) {
++      for (int y = 0; y < 2; y++) {
++        aom_free(thread_data->td->hash_value_buffer[x][y]);
++        thread_data->td->hash_value_buffer[x][y] = NULL;
++      }
++    }
++    aom_free(thread_data->td->counts);
++    av1_free_pmc(thread_data->td->firstpass_ctx,
++                 ppi->seq_params.monochrome ? 1 : MAX_MB_PLANE);
++    thread_data->td->firstpass_ctx = NULL;
++    av1_free_shared_coeff_buffer(&thread_data->td->shared_coeff_buf);
++    av1_free_sms_tree(thread_data->td);
++    aom_free(thread_data->td);
++  }
++}
++
+ #ifdef __cplusplus
+ }  // extern "C"
+ #endif
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
+index 1c8631ae1fd..8c62b2107c3 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
+@@ -777,6 +777,7 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) {
+ 
+   int num_workers = p_mt_info->num_workers;
+   int num_enc_workers = av1_get_num_mod_workers_for_alloc(p_mt_info, MOD_ENC);
++  assert(num_enc_workers <= num_workers);
+   for (int i = num_workers - 1; i >= 0; i--) {
+     EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[i];
+ 
+@@ -886,6 +887,10 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) {
+       }
+     }
+   }
++
++  // Record the number of workers in encode stage multi-threading for which
++  // allocation is done.
++  p_mt_info->prev_num_enc_workers = num_enc_workers;
+ }
+ 
+ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) {
+From 9e80e8bff6bd41a61b589ecb6b006c1711e83431 Mon Sep 17 00:00:00 2001
+From: Cheng Chen <chengchen@google.com>
+Date: Tue, 5 Dec 2023 16:34:43 -0800
+Subject: [PATCH] [Backport] Security bug 1511389 (2/2)
+
+Manual cherry-pick of patch originally reviewed on
+https://aomedia-review.googlesource.com/c/aom/+/184761:
+Recreate workers if necessary
+
+As shown in the unit test, if the number of workers increases,
+we need to propoerly recreate new workers.
+
+Bug: b:310455204
+
+Change-Id: I0fafb11c10ffba209a4c49f4a531cfbf09c9c2b4
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535520
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../libaom/source/libaom/av1/av1_cx_iface.c      | 15 ++++++++++++++-
+ .../libaom/source/libaom/av1/encoder/encoder.c   | 16 ++++------------
+ .../libaom/source/libaom/av1/encoder/ethread.c   | 12 ++++++++++++
+ .../libaom/source/libaom/av1/encoder/ethread.h   |  2 ++
+ 4 files changed, 32 insertions(+), 13 deletions(-)
+
+diff --git a/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c b/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
+index 1d114779c83..618021a768d 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
+@@ -3078,12 +3078,25 @@ static aom_codec_err_t encoder_encode(aom_codec_alg_priv_t *ctx,
+       av1_compute_num_workers_for_mt(cpi);
+       num_workers = av1_get_max_num_workers(cpi);
+     }
+-    if ((num_workers > 1) && (ppi->p_mt_info.num_workers == 0)) {
++    if (num_workers > 1 && ppi->p_mt_info.num_workers < num_workers) {
+       // Obtain the maximum no. of frames that can be supported in a parallel
+       // encode set.
+       if (is_stat_consumption_stage(cpi)) {
+         ppi->num_fp_contexts = av1_compute_num_fp_contexts(ppi, &cpi->oxcf);
+       }
++      if (ppi->p_mt_info.num_workers > 0) {
++        av1_terminate_workers(ppi);
++        free_thread_data(ppi);
++        aom_free(ppi->p_mt_info.tile_thr_data);
++        ppi->p_mt_info.tile_thr_data = NULL;
++        aom_free(ppi->p_mt_info.workers);
++        ppi->p_mt_info.workers = NULL;
++        ppi->p_mt_info.num_workers = 0;
++        for (int j = 0; j < ppi->num_fp_contexts; j++) {
++          aom_free(ppi->parallel_cpi[j]->td.tctx);
++          ppi->parallel_cpi[j]->td.tctx = NULL;
++        }
++      }
+       av1_create_workers(ppi, num_workers);
+       av1_init_tile_thread_data(ppi, cpi->oxcf.pass == AOM_RC_FIRST_PASS);
+ #if CONFIG_MULTITHREAD
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
+index c2bf5b9b344..5825ee00f76 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
+@@ -1558,17 +1558,6 @@ AV1_COMP *av1_create_compressor(AV1_PRIMARY *ppi, const AV1EncoderConfig *oxcf,
+   snprintf((H) + strlen(H), sizeof(H) - strlen(H), (T), (V))
+ #endif  // CONFIG_INTERNAL_STATS
+ 
+-// This function will change the state and free the mutex of corresponding
+-// workers and terminate the object. The object can not be re-used unless a call
+-// to reset() is made.
+-static AOM_INLINE void terminate_worker_data(AV1_PRIMARY *ppi) {
+-  PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
+-  for (int t = p_mt_info->num_workers - 1; t >= 0; --t) {
+-    AVxWorker *const worker = &p_mt_info->workers[t];
+-    aom_get_worker_interface()->end(worker);
+-  }
+-}
+-
+ void av1_remove_primary_compressor(AV1_PRIMARY *ppi) {
+   if (!ppi) return;
+ #if !CONFIG_REALTIME_ONLY
+@@ -1596,11 +1585,14 @@ void av1_remove_primary_compressor(AV1_PRIMARY *ppi) {
+   av1_tpl_dealloc(&tpl_data->tpl_mt_sync);
+ #endif
+ 
+-  terminate_worker_data(ppi);
++  av1_terminate_workers(ppi);
+   free_thread_data(ppi);
+ 
+   aom_free(ppi->p_mt_info.tile_thr_data);
++  ppi->p_mt_info.tile_thr_data = NULL;
+   aom_free(ppi->p_mt_info.workers);
++  ppi->p_mt_info.workers = NULL;
++  ppi->p_mt_info.num_workers = 0;
+ 
+   aom_free(ppi);
+ }
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
+index 8c62b2107c3..d59c4f1d57e 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
+@@ -896,6 +896,7 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) {
+ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) {
+   PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
+   const AVxWorkerInterface *const winterface = aom_get_worker_interface();
++  assert(p_mt_info->num_workers == 0);
+ 
+   AOM_CHECK_MEM_ERROR(&ppi->error, p_mt_info->workers,
+                       aom_malloc(num_workers * sizeof(*p_mt_info->workers)));
+@@ -927,6 +928,17 @@ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) {
+   }
+ }
+ 
++// This function will change the state and free the mutex of corresponding
++// workers and terminate the object. The object can not be re-used unless a call
++// to reset() is made.
++void av1_terminate_workers(AV1_PRIMARY *ppi) {
++  PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
++  for (int t = 0; t < p_mt_info->num_workers; ++t) {
++    AVxWorker *const worker = &p_mt_info->workers[t];
++    aom_get_worker_interface()->end(worker);
++  }
++}
++
+ // This function returns 1 if frame parallel encode is supported for
+ // the current configuration. Returns 0 otherwise.
+ static AOM_INLINE int is_fpmt_config(AV1_PRIMARY *ppi, AV1EncoderConfig *oxcf) {
+diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h
+index 6c4bce4db57..942ed64510b 100644
+--- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h
++++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h
+@@ -87,6 +87,8 @@ int av1_get_max_num_workers(const AV1_COMP *cpi);
+ 
+ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers);
+ 
++void av1_terminate_workers(AV1_PRIMARY *ppi);
++
+ void av1_init_frame_mt(AV1_PRIMARY *ppi, AV1_COMP *cpi);
+ 
+ void av1_init_cdef_worker(AV1_COMP *cpi);
+From da29c7f0b3e2044a7e597498a6fb62a306661f03 Mon Sep 17 00:00:00 2001
+From: Andrey Kosyakov <caseq@chromium.org>
+Date: Fri, 17 Nov 2023 17:48:22 +0000
+Subject: [PATCH] [Backport] CVE-2024-0810: Insufficient policy enforcement in
+ DevTools
+
+Manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5039174:
+Do not let chrome.debugger extensions invoke Network.getAllCookies
+
+Network.getAllCookies is deprecated in favor of Storage.getCookies
+and the latter is not allowed for extensions, so we shouldn't let
+extensions use the former either.
+
+Bug: 1496250
+Change-Id: I3e97e9249dbba61d1f7951ed22ef9b1bef9f2355
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5039174
+Reviewed-by: Danil Somsikov <dsv@chromium.org>
+Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1226203}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535521
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../browser/devtools/protocol/network_handler.cc   | 14 ++++++++++----
+ .../browser/devtools/protocol/network_handler.h    |  6 ++++--
+ .../devtools/render_frame_devtools_agent_host.cc   |  3 ++-
+ .../devtools/service_worker_devtools_agent_host.cc |  3 ++-
+ .../devtools/shared_worker_devtools_agent_host.cc  |  3 ++-
+ .../browser/devtools/worker_devtools_agent_host.cc |  3 ++-
+ 6 files changed, 22 insertions(+), 10 deletions(-)
+
+diff --git a/chromium/content/browser/devtools/protocol/network_handler.cc b/chromium/content/browser/devtools/protocol/network_handler.cc
+index cfab47157112..7de14e0e4b95 100644
+--- src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.cc
++++ src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.cc
+@@ -109,7 +109,8 @@ using DeleteCookiesCallback = Network::Backend::DeleteCookiesCallback;
+ using ClearBrowserCookiesCallback =
+     Network::Backend::ClearBrowserCookiesCallback;
+ 
+-const char kInvalidCookieFields[] = "Invalid cookie fields";
++static constexpr char kInvalidCookieFields[] = "Invalid cookie fields";
++static constexpr char kNotAllowedError[] = "Not allowed";
+ 
+ Network::CertificateTransparencyCompliance SerializeCTPolicyCompliance(
+     net::ct::CTPolicyCompliance ct_compliance) {
+@@ -1027,11 +1028,14 @@ NetworkHandler::NetworkHandler(
+     const base::UnguessableToken& devtools_token,
+     DevToolsIOContext* io_context,
+     base::RepeatingClosure update_loader_factories_callback,
+-    bool allow_file_access)
++    bool allow_file_access,
++    bool client_is_trusted)
+     : DevToolsDomainHandler(Network::Metainfo::domainName),
+       host_id_(host_id),
+       devtools_token_(devtools_token),
+       io_context_(io_context),
++      allow_file_access_(allow_file_access),
++      client_is_trusted_(client_is_trusted),
+       browser_context_(nullptr),
+       storage_partition_(nullptr),
+       host_(nullptr),
+@@ -1042,8 +1046,7 @@ NetworkHandler::NetworkHandler(
+       bypass_service_worker_(false),
+       cache_disabled_(false),
+       update_loader_factories_callback_(
+-          std::move(update_loader_factories_callback)),
+-      allow_file_access_(allow_file_access) {
++          std::move(update_loader_factories_callback)) {
+   DCHECK(io_context_);
+   static bool have_configured_service_worker_context = false;
+   if (have_configured_service_worker_context)
+@@ -1505,6 +1508,9 @@ void NetworkHandler::GetCookies(Maybe<Array<String>> protocol_urls,
+ 
+ void NetworkHandler::GetAllCookies(
+     std::unique_ptr<GetAllCookiesCallback> callback) {
++  if (!client_is_trusted_) {
++    callback->sendFailure(Response::ServerError(kNotAllowedError));
++  }
+   if (!storage_partition_) {
+     callback->sendFailure(Response::InternalError());
+     return;
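Review bot: The trust check added at the top of NetworkHandler::GetAllCookies sends a failure but does not return, so an untrusted client still falls through into the rest of the function: when `storage_partition_` is null the already-answered callback is failed a second time, and otherwise the cookie retrieval that follows (the body continues past the hunk) still runs with a callback that has already been consumed. The guard needs `return;` immediately after `callback->sendFailure(Response::ServerError(kNotAllowedError));`, exactly like the storage-partition guard right below it. The upstream change this cherry-picks presumably has that return; it is worth re-checking the backport against it, since without it the policy enforcement is not actually enforced.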
+diff --git a/chromium/content/browser/devtools/protocol/network_handler.h b/chromium/content/browser/devtools/protocol/network_handler.h
+index 6cbb0098e892..81636185d04f 100644
+--- src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.h
++++ src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.h
+@@ -72,7 +72,8 @@ class NetworkHandler : public DevToolsDomainHandler,
+                  const base::UnguessableToken& devtools_token,
+                  DevToolsIOContext* io_context,
+                  base::RepeatingClosure update_loader_factories_callback,
+-                 bool allow_file_access);
++                 bool allow_file_access,
++                 bool client_is_trusted);
+ 
+   NetworkHandler(const NetworkHandler&) = delete;
+   NetworkHandler& operator=(const NetworkHandler&) = delete;
+@@ -337,6 +338,8 @@ class NetworkHandler : public DevToolsDomainHandler,
+ 
+   const base::UnguessableToken devtools_token_;
+   DevToolsIOContext* const io_context_;
++  const bool allow_file_access_;
++  const bool client_is_trusted_;
+ 
+   std::unique_ptr<Network::Frontend> frontend_;
+   BrowserContext* browser_context_;
+@@ -358,7 +361,6 @@ class NetworkHandler : public DevToolsDomainHandler,
+       loaders_;
+   absl::optional<std::set<net::SourceStream::SourceType>>
+       accepted_stream_types_;
+-  const bool allow_file_access_;
+   std::unordered_map<String, std::pair<String, bool>> received_body_data_;
+   base::WeakPtrFactory<NetworkHandler> weak_factory_{this};
+ };
+diff --git a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
+index fe726068dee4..425eded3f56b 100644
+--- src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
++++ src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
+@@ -336,7 +336,8 @@ bool RenderFrameDevToolsAgentHost::AttachSession(DevToolsSession* session,
+       base::BindRepeating(
+           &RenderFrameDevToolsAgentHost::UpdateResourceLoaderFactories,
+           base::Unretained(this)),
+-      session->GetClient()->MayReadLocalFiles());
++      session->GetClient()->MayReadLocalFiles(),
++      session->GetClient()->IsTrusted());
+   session->CreateAndAddHandler<protocol::FetchHandler>(
+       GetIOContext(), base::BindRepeating(
+                           [](RenderFrameDevToolsAgentHost* self,
+diff --git a/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc b/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc
+index d2b307373ea1..7278a116ec78 100644
+--- src/3rdparty/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc
++++ src/3rdparty/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc
+@@ -230,7 +230,8 @@ bool ServiceWorkerDevToolsAgentHost::AttachSession(DevToolsSession* session,
+   session->CreateAndAddHandler<protocol::InspectorHandler>();
+   session->CreateAndAddHandler<protocol::NetworkHandler>(
+       GetId(), devtools_worker_token_, GetIOContext(), base::DoNothing(),
+-      session->GetClient()->MayReadLocalFiles());
++      session->GetClient()->MayReadLocalFiles(),
++      session->GetClient()->IsTrusted());
+ 
+   session->CreateAndAddHandler<protocol::FetchHandler>(
+       GetIOContext(),
+diff --git a/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc b/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc
+index 6cfb49a9cb63..da9c8a3d18a4 100644
+--- src/3rdparty/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc
++++ src/3rdparty/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc
+@@ -91,7 +91,8 @@ bool SharedWorkerDevToolsAgentHost::AttachSession(DevToolsSession* session,
+   session->CreateAndAddHandler<protocol::InspectorHandler>();
+   session->CreateAndAddHandler<protocol::NetworkHandler>(
+       GetId(), devtools_worker_token_, GetIOContext(),
+-      base::BindRepeating([] {}), session->GetClient()->MayReadLocalFiles());
++      base::BindRepeating([] {}), session->GetClient()->MayReadLocalFiles(),
++      session->GetClient()->IsTrusted());
+   // TODO(crbug.com/1143100): support pushing updated loader factories down to
+   // renderer.
+   session->CreateAndAddHandler<protocol::FetchHandler>(
+diff --git a/chromium/content/browser/devtools/worker_devtools_agent_host.cc b/chromium/content/browser/devtools/worker_devtools_agent_host.cc
+index 5bca24a4bb16..dbce6e066adb 100644
+--- src/3rdparty/chromium/content/browser/devtools/worker_devtools_agent_host.cc
++++ src/3rdparty/chromium/content/browser/devtools/worker_devtools_agent_host.cc
+@@ -137,7 +137,8 @@ bool WorkerDevToolsAgentHost::AttachSession(DevToolsSession* session,
+       auto_attacher_.get(), session);
+   session->CreateAndAddHandler<protocol::NetworkHandler>(
+       GetId(), devtools_worker_token_, GetIOContext(), base::DoNothing(),
+-      session->GetClient()->MayReadLocalFiles());
++      session->GetClient()->MayReadLocalFiles(),
++      session->GetClient()->IsTrusted());
+   return true;
+ }
+ 
+From 9b72e2301892ea6619fb6e64f67812238ad56830 Mon Sep 17 00:00:00 2001
+From: Bo Liu <boliu@chromium.org>
+Date: Mon, 18 Sep 2023 21:17:14 +0000
+Subject: [PATCH] [Backport] Security bug 1407197 (1/2)
+
+Partial manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/4869854:
+Tag WebContents ownership for debugging
+
+Tag WebContents owner and add it as a CrashKey for the
+DumpWithoutCrashing in ~WebContentsOfBrowserContext.
+
+The actual tags in this CL is more focused on android and is not
+exhaustive. Can keep adding new ones in the future as needed.
+
+Bug: 1407197
+Change-Id: I6c0261ae5967fdb01ff2a5f3d0d6fe07f572bd20
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4869854
+Reviewed-by: Ted Choc <tedchoc@chromium.org>
+Commit-Queue: Bo Liu <boliu@chromium.org>
+Reviewed-by: Avi Drissman <avi@chromium.org>
+Reviewed-by: Finnur Thorarinsson <finnur@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1198010}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535707
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../browser/distiller_page_web_contents.cc    |  6 +++-
+ .../guest_view/browser/guest_view_base.cc     |  6 ++++
+ .../browser/no_state_prefetch_contents.cc     |  1 +
+ .../browser/no_state_prefetch_manager.cc      |  5 +++
+ .../background_loader_contents.cc             |  1 +
+ chromium/content/browser/portal/portal.cc     |  3 ++
+ chromium/content/browser/portal/portal.h      |  3 ++
+ .../browser/web_contents/web_contents_impl.cc | 31 +++++++++++++++++--
+ .../browser/web_contents/web_contents_impl.h  |  8 +++++
+ .../content/public/browser/web_contents.h     |  6 ++++
+ chromium/extensions/browser/extension_host.cc |  3 +-
+ 11 files changed, 69 insertions(+), 4 deletions(-)
+
+diff --git a/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc b/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc
+index e4025f7bc94c..78abc76a6bf2 100644
+--- src/3rdparty/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc
++++ src/3rdparty/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc
+@@ -30,7 +30,11 @@ namespace dom_distiller {
+ SourcePageHandleWebContents::SourcePageHandleWebContents(
+     content::WebContents* web_contents,
+     bool owned)
+-    : web_contents_(web_contents), owned_(owned) {}
++    : web_contents_(web_contents), owned_(owned) {
++  if (web_contents_ && owned) {
++    web_contents_->SetOwnerLocationForDebug(FROM_HERE);
++  }
++}
+ 
+ SourcePageHandleWebContents::~SourcePageHandleWebContents() {
+   if (owned_) {
+diff --git a/chromium/components/guest_view/browser/guest_view_base.cc b/chromium/components/guest_view/browser/guest_view_base.cc
+index d2ea8b7ce3fd..06ba6ab1c7fc 100644
+--- src/3rdparty/chromium/components/guest_view/browser/guest_view_base.cc
++++ src/3rdparty/chromium/components/guest_view/browser/guest_view_base.cc
+@@ -480,6 +480,9 @@ void GuestViewBase::WillAttach(
+   std::unique_ptr<WebContents> owned_guest_contents =
+       std::move(owned_guest_contents_);
+   DCHECK_EQ(owned_guest_contents.get(), web_contents());
++  if (owned_guest_contents) {
++    owned_guest_contents->SetOwnerLocationForDebug(absl::nullopt);
++  }
+ 
+   // Since this inner WebContents is created from the browser side we do
+   // not have RemoteFrame mojo channels so we pass in
+@@ -774,6 +777,9 @@ void GuestViewBase::TakeGuestContentsOwnership(
+     std::unique_ptr<WebContents> guest_web_contents) {
+   DCHECK(!owned_guest_contents_);
+   owned_guest_contents_ = std::move(guest_web_contents);
++  if (owned_guest_contents_) {
++    owned_guest_contents_->SetOwnerLocationForDebug(FROM_HERE);
++  }
+ }
+ 
+ void GuestViewBase::ClearOwnedGuestContents() {
+diff --git a/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc b/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc
+index f2f8dc5ff921..35fac905dc1f 100644
+--- src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc
++++ src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc
+@@ -271,6 +271,7 @@ void NoStatePrefetchContents::StartPrerendering(
+       attempt_.get(), content::PreloadingTriggeringOutcome::kRunning);
+ 
+   no_state_prefetch_contents_ = CreateWebContents(session_storage_namespace);
++  no_state_prefetch_contents_->SetOwnerLocationForDebug(FROM_HERE);
+   content::WebContentsObserver::Observe(no_state_prefetch_contents_.get());
+   delegate_->OnNoStatePrefetchContentsCreated(
+       no_state_prefetch_contents_.get());
+diff --git a/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc b/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc
+index 3403fa8d1342..7397d1aa5de5 100644
+--- src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc
++++ src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc
+@@ -118,6 +118,7 @@ class NoStatePrefetchManager::OnCloseWebContentsDeleter
+   OnCloseWebContentsDeleter(NoStatePrefetchManager* manager,
+                             std::unique_ptr<WebContents> tab)
+       : manager_(manager), tab_(std::move(tab)) {
++    tab_->SetOwnerLocationForDebug(FROM_HERE);
+     tab_->SetDelegate(this);
+     base::SingleThreadTaskRunner::GetCurrentDefault()->PostDelayedTask(
+         FROM_HERE,
+@@ -140,6 +141,7 @@ class NoStatePrefetchManager::OnCloseWebContentsDeleter
+   void ScheduleWebContentsForDeletion(bool timeout) {
+     UMA_HISTOGRAM_BOOLEAN("Prerender.TabContentsDeleterTimeout", timeout);
+     tab_->SetDelegate(nullptr);
++    tab_->SetOwnerLocationForDebug(absl::nullopt);
+     manager_->ScheduleDeleteOldWebContents(std::move(tab_), this);
+     // |this| is deleted at this point.
+   }
+@@ -981,6 +983,9 @@ void NoStatePrefetchManager::CleanUpOldNavigations(
+ void NoStatePrefetchManager::ScheduleDeleteOldWebContents(
+     std::unique_ptr<WebContents> tab,
+     OnCloseWebContentsDeleter* deleter) {
++  if (tab) {
++    tab->SetOwnerLocationForDebug(FROM_HERE);
++  }
+   old_web_contents_list_.push_back(std::move(tab));
+   PostCleanupTask();
*** 275 LINES SKIPPED ***


