Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 21 Jun 2024 06:28:37 GMT
From:      "Jason E. Hale" <jhale@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
Subject:   git: 2254fd4c24b9 - 2024Q2 - www/qt5-webengine: Address a few CVEs in chromium
Message-ID:  <202406210628.45L6Sbhd035539@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help
The branch 2024Q2 has been updated by jhale:

URL: https://cgit.FreeBSD.org/ports/commit/?id=2254fd4c24b94d3a45db4c3e59097e89fad525c0

commit 2254fd4c24b94d3a45db4c3e59097e89fad525c0
Author:     Jason E. Hale <jhale@FreeBSD.org>
AuthorDate: 2024-06-21 06:17:16 +0000
Commit:     Jason E. Hale <jhale@FreeBSD.org>
CommitDate: 2024-06-21 06:28:09 +0000

    www/qt5-webengine: Address a few CVEs in chromium
    
    MFH:            2024Q2
    Security:       aa2b65e4-2f63-11ef-9cab-4ccc6adda413
    (cherry picked from commit 0f4290c640f535b5fe7c9248c4c4ce7990ed4e1c)
---
 www/qt5-webengine/Makefile                    |   1 +
 www/qt5-webengine/files/patch-security-rollup | 618 ++++++++++++++++++++++++++
 2 files changed, 619 insertions(+)

diff --git a/www/qt5-webengine/Makefile b/www/qt5-webengine/Makefile
index 261a0f2559f3..9b1dbab6880c 100644
--- a/www/qt5-webengine/Makefile
+++ b/www/qt5-webengine/Makefile
@@ -19,6 +19,7 @@
 
 PORTNAME=	webengine
 DISTVERSION=	${QT5_VERSION}${QT5_KDE_PATCH}
+PORTREVISION=	1
 CATEGORIES=	www
 PKGNAMEPREFIX=	qt5-
 
diff --git a/www/qt5-webengine/files/patch-security-rollup b/www/qt5-webengine/files/patch-security-rollup
index e0554d3d7c61..b27b8cec77c9 100644
--- a/www/qt5-webengine/files/patch-security-rollup
+++ b/www/qt5-webengine/files/patch-security-rollup
@@ -5,6 +5,14 @@ Addresses the following security issues:
 - Security bug 329674887
 - CVE-2024-3157
 - CVE-2024-3516
+- CVE-2024-3839
+- CVE-2024-3837
+- Security bug 40940917
+- CVE-2024-4058
+- Security bug 327698060
+- CVE-2024-4558
+- CVE-2024-3914
+- Security bug 329699609
 
 From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001
 From: Marco Paniconi <marpan@google.com>
@@ -271,3 +279,613 @@ index 84a0c8fd9e0d..3e8a4a71ff67 100644
          }
  
          const TQualifier qualifier = fieldType->getQualifier();
+From 2c61d151bd3fab48c7e03a4cbfca22fa09c9022c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dominik=20R=C3=B6ttsches?= <drott@chromium.org>
+Date: Thu, 14 Mar 2024 12:48:18 +0000
+Subject: [PATCH] [Backport] CVE-2024-3839: Out of bounds read in Fonts
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5361874:
+Disable STAT sanitization/checks through OTS
+
+Due to issues in upstream, OTS STAT sanitization does not provide an
+added security benefit. Pass-through the STAT table.
+
+Bug: chromium:41491859
+Change-Id: I19dcd87376af553afe242452396b951a74691f3c
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5361874
+Commit-Queue: Dominik Röttsches <drott@chromium.org>
+Reviewed-by: Koji Ishii <kojii@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1272710}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560661
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../blink/renderer/platform/fonts/web_font_decoder.cc           | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc b/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc
+index e72f801016a3..dfae30c22c22 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/platform/fonts/web_font_decoder.cc
+@@ -97,6 +97,7 @@ ots::TableAction BlinkOTSContext::GetTableAction(uint32_t tag) {
+   const uint32_t kCpalTag = OTS_TAG('C', 'P', 'A', 'L');
+   const uint32_t kCff2Tag = OTS_TAG('C', 'F', 'F', '2');
+   const uint32_t kSbixTag = OTS_TAG('s', 'b', 'i', 'x');
++  const uint32_t kStatTag = OTS_TAG('S', 'T', 'A', 'T');
+ #if HB_VERSION_ATLEAST(1, 0, 0)
+   const uint32_t kGdefTag = OTS_TAG('G', 'D', 'E', 'F');
+   const uint32_t kGposTag = OTS_TAG('G', 'P', 'O', 'S');
+@@ -123,6 +124,7 @@ ots::TableAction BlinkOTSContext::GetTableAction(uint32_t tag) {
+     case kCpalTag:
+     case kCff2Tag:
+     case kSbixTag:
++    case kStatTag:
+ #if HB_VERSION_ATLEAST(1, 0, 0)
+     // Let HarfBuzz handle how to deal with broken tables.
+     case kAvarTag:
+From 0594d0383b46e78d33fde62258ffb49b53d3c429 Mon Sep 17 00:00:00 2001
+From: Liza Burakova <liza@chromium.org>
+Date: Wed, 21 Feb 2024 19:02:15 +0000
+Subject: [PATCH] [Backport] CVE-2024-3837: Use after free in QUIC
+
+Manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5268864:
+Check if session is going away in Handle::RequestStream.
+
+This CL adds an extra check in the QuicChromiumClientSession
+handle's RequestSession to make sure the session is not
+marked as going away before creating a new StreamRequest.
+
+Bug: 41491379
+Change-Id: I687dfc23131871cdba345d3cf78dbbbd2e619ce9
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5268864
+Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
+Commit-Queue: Liza Burakova <liza@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1263483}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560662
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ chromium/net/quic/quic_chromium_client_session.cc | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/chromium/net/quic/quic_chromium_client_session.cc b/chromium/net/quic/quic_chromium_client_session.cc
+index 6e08826bbb0d..4bca38bd10db 100644
+--- src/3rdparty/chromium/net/quic/quic_chromium_client_session.cc
++++ src/3rdparty/chromium/net/quic/quic_chromium_client_session.cc
+@@ -500,7 +500,8 @@ int QuicChromiumClientSession::Handle::RequestStream(
+     const NetworkTrafficAnnotationTag& traffic_annotation) {
+   DCHECK(!stream_request_);
+ 
+-  if (!session_)
++  // TODO(crbug.com/41491379): Add a regression test.
++  if (!session_ || session_->going_away_)
+     return ERR_CONNECTION_CLOSED;
+ 
+   requires_confirmation |= session_->gquic_zero_rtt_disabled();
+From 28c3af39d3bdaea88865f901d19862bf7d44199d Mon Sep 17 00:00:00 2001
+From: Pete Williamson <petewil@chromium.org>
+Date: Tue, 27 Feb 2024 00:19:05 +0000
+Subject: [PATCH] [Backport] Security bug 40940917
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5293726:
+Fix misalligned address in hunspell::NodeReader::ReaderForLookupAt
+
+With the Hunspell spell checking library, we are using a custom wrapper
+to read the dictionaries from files.  In that custom wrapper, we were
+reading by using reinterpret_cast to interpret an offset into a pointer,
+and then reading the bytes at that pointer for the child_offset.
+
+The spell checking code appears to have been working properly in the
+field.  However, the current code caused fuzzing test failures, and
+those failures are blocking other tests, so we need to fix this to
+unblock other tests.
+
+It turns out that we were casting a value to a pointer that did not
+have proper alignment (for instance, a pointer to a 32 bit int needs
+to be 4 byte allinged, but this pointer was not). While it has often
+worked in older compilers, it turns out this is undefined behavior.
+
+Instead of relying on undefined behavior, the right thing to do is to
+use std::memcpy to copy the bytes from the misalligned address into
+their final destination (either an int32 or an int16 in this case).
+
+Bug: 40940917
+Change-Id: I8aeba9ee8000b51e98863813235d8dceb1c41ceb
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5293726
+Commit-Queue: Peter Williamson <petewil@chromium.org>
+Reviewed-by: Trevor Perrier <perrier@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1265552}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560663
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../hunspell/google/bdict_reader.cc           | 27 ++++++++++++++-----
+ 1 file changed, 21 insertions(+), 6 deletions(-)
+
+diff --git a/chromium/third_party/hunspell/google/bdict_reader.cc b/chromium/third_party/hunspell/google/bdict_reader.cc
+index 70416a7c9048..70e4d4977ad5 100644
+--- src/3rdparty/chromium/third_party/hunspell/google/bdict_reader.cc
++++ src/3rdparty/chromium/third_party/hunspell/google/bdict_reader.cc
+@@ -5,6 +5,8 @@
+ #include "third_party/hunspell/google/bdict_reader.h"
+ 
+ #include <stdint.h>
++#include <cstdint>
++#include <cstring>
+ 
+ #include "base/check.h"
+ 
+@@ -413,19 +415,32 @@ NodeReader::FindResult NodeReader::ReaderForLookupAt(
+   if (index >= static_cast<size_t>(lookup_num_chars()) || !is_valid_)
+     return FIND_DONE;
+ 
+-  size_t child_offset;
++  size_t child_offset = 0;
+   if (is_lookup_32()) {
+     // Table contains 32-bit absolute offsets.
+-    child_offset =
+-        reinterpret_cast<const unsigned int*>(table_begin)[index];
++
++    // We need to use memcpy here instead of just casting the offset into a
++    // pointer to an int because the cast can cause undefined behavior if
++    // the pointer is not alligned, and in this case it is not.
++    int byte_offset = index * sizeof(uint32_t);
++    std::memcpy(&child_offset,
++                reinterpret_cast<const void*>(table_begin + byte_offset),
++                sizeof(uint32_t));
+     if (!child_offset)
+       return FIND_NOTHING;  // This entry in the table is empty.
+   } else {
+     // Table contains 16-bit offsets relative to the current node.
+-    child_offset =
+-        reinterpret_cast<const unsigned short*>(table_begin)[index];
+-    if (!child_offset)
++
++    // We need to use memcpy here instead of just casting the offset into a
++    // pointer to an int because the cast can cause undefined behavior if
++    // the pointer is not alligned, and in this case it is not.
++    int byte_offset = index * sizeof(uint16_t);
++    std::memcpy(&child_offset,
++                reinterpret_cast<const void*>(table_begin + byte_offset),
++                sizeof(uint16_t));
++    if (!child_offset) {
+       return FIND_NOTHING;  // This entry in the table is empty.
++    }
+     child_offset += node_offset_;
+   }
+ 
+From b4d43a76e4c334084400402c09620ef24870704e Mon Sep 17 00:00:00 2001
+From: Shahbaz Youssefi <syoussefi@chromium.org>
+Date: Mon, 8 Apr 2024 10:14:45 -0400
+Subject: [PATCH] [Backport] CVE-2024-4058: Type Confusion in ANGLE
+
+Partial manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/angle/angle/+/5466390:
+SPIR-V: Fix const constructors with single scalar
+
+These constructors may be generated because of
+RemoveArrayLengthTraverser.
+
+Bug: chromium:332546345
+Change-Id: I2b2bf3728ef5bae148abc2a8518f8f3f42850025
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5462388
+(cherry picked from commit 0b776d32f69a932acb61963d9daad9e13f610944)
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5466390
+Commit-Queue: Zakhar Voit <voit@google.com>
+Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
+Reviewed-by: Geoff Lang <geofflang@chromium.org>
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560664
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../third_party/angle/src/compiler/translator/Compiler.cpp   | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/chromium/third_party/angle/src/compiler/translator/Compiler.cpp b/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
+index 27975887086a..435d3b41b3a3 100644
+--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
++++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
+@@ -757,6 +757,11 @@ bool TCompiler::checkAndSimplifyAST(TIntermBlock *root,
+     {
+         return false;
+     }
++    // Fold the expressions again, because |RemoveArrayLengthMethod| can introduce new constants.
++    if (!FoldExpressions(this, root, &mDiagnostics))
++    {
++        return false;
++    }
+ 
+     if (!RemoveUnreferencedVariables(this, root, &mSymbolTable))
+     {
+From dceba69334080559303f92fc4a6c6d01e7dcd00c Mon Sep 17 00:00:00 2001
+From: Brendon Tiszka <tiszka@chromium.org>
+Date: Sun, 3 Mar 2024 21:30:59 +0100
+Subject: [PATCH] [Backport] Security bug 327698060
+
+Manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5337387:
+PaintOpReader: Harden PaintImage deserialization
+
+Add missing validity check after `Read`
+
+Bug: 327698060
+Change-Id: I0aa5120296009998af3235a01304a1f597a82a33
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5337387
+Commit-Queue: Khushal Sagar <khushalsagar@chromium.org>
+Reviewed-by: Khushal Sagar <khushalsagar@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1267636}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560665
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ chromium/cc/paint/paint_op_reader.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/chromium/cc/paint/paint_op_reader.cc b/chromium/cc/paint/paint_op_reader.cc
+index 0979f6630175..b6a9d8ca3641 100644
+--- src/3rdparty/chromium/cc/paint/paint_op_reader.cc
++++ src/3rdparty/chromium/cc/paint/paint_op_reader.cc
+@@ -309,6 +309,10 @@ void PaintOpReader::Read(PaintImage* image) {
+       case PaintOp::SerializedImageType::kImageData: {
+         SkColorType color_type;
+         Read(&color_type);
++        if (!valid_) {
++          return;
++        }
++
+         uint32_t width;
+         Read(&width);
+         uint32_t height;
+From 2b188075ed5f01cc9c09b5273b5e6177d7252a0e Mon Sep 17 00:00:00 2001
+From: Geoff Lang <geofflang@chromium.org>
+Date: Mon, 29 Apr 2024 15:27:36 -0400
+Subject: [PATCH] [Backport] CVE-2024-4558: Use after free in ANGLE
+
+Manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/angle/angle/+/5498735:
+GL: Sync unpack state for glCompressedTexSubImage3D
+
+Unpack state is supposed to be ignored for compressed tex image calls
+but some drivers use it anyways and read incorrect data.
+
+Texture3DTestES3.PixelUnpackStateTexSubImage covers this case.
+
+Bug: chromium:337766133
+Change-Id: Ic11a056113b1850bd5b4d6840527164a12849a22
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5498735
+Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
+
+Reviewed-by: Shahbaz Youssefi <syoussefi@chromium.org>
+Change-Id: I0736ceb1e3165f571358ae06a0287b3f5a98d425
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/560666
+Reviewed-by: Michal Klocek <michal.klocek@qt.io>
+---
+ .../third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp     | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp b/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp
+index 035d4520b13b..0cfd21621bb3 100644
+--- src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp
++++ src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/gl/TextureGL.cpp
+@@ -579,6 +579,7 @@ angle::Result TextureGL::setCompressedSubImage(const gl::Context *context,
+         nativegl::GetCompressedSubTexImageFormat(functions, features, format);
+ 
+     stateManager->bindTexture(getType(), mTextureID);
++    ANGLE_TRY(stateManager->setPixelUnpackState(context, unpack));
+     if (nativegl::UseTexImage2D(getType()))
+     {
+         ASSERT(area.z == 0 && area.depth == 1);
+From d553c9366aedad5701852427f8e1910381c4ff8b Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= <marja@google.com>
+Date: Tue, 26 Mar 2024 13:53:21 +0000
+Subject: [PATCH] [Backport] CVE-2024-3914: Use after free in V8 (1/2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Manual backport of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5387887:
+[M120-LTS] Fix DOMArrayBuffer::IsDetached()
+
+M120 merge issues:
+  third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc:
+    - Conflicting types for variable worlds
+    - Conflicting AllWorldsInIsolate() call (M120 doesn't use the last argument)
+
+A DOMArrayBuffer was maintaining its own "is_detached_" state, and
+would consider itself non-detached even if the corresponding
+JSArrayBuffer (or, all of them, in case there are several) was
+detached.
+
+Piping in the v8::Isolate would be a too big change for this fix, so this is using v8::Isolate::GetCurrent() for now.
+
+Bug: 330759272
+Change-Id: I1e98ebd2066d2e59658db12f1bb419b6ebc1d706
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5387887
+Commit-Queue: Marja Hölttä <marja@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1278283}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562706
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../core/typed_arrays/dom_array_buffer.cc     | 50 +++++++++++++++++++
+ .../core/typed_arrays/dom_array_buffer.h      | 13 +++++
+ .../core/typed_arrays/dom_array_buffer_base.h |  2 +-
+ 3 files changed, 64 insertions(+), 1 deletion(-)
+
+diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
+index c456d15f2f50..38dcd3a35737 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
+@@ -18,6 +18,15 @@ static void AccumulateArrayBuffersForAllWorlds(
+     v8::Isolate* isolate,
+     DOMArrayBuffer* object,
+     Vector<v8::Local<v8::ArrayBuffer>, 4>& buffers) {
++  if (!object->has_non_main_world_wrappers() && IsMainThread()) {
++    const DOMWrapperWorld& world = DOMWrapperWorld::MainWorld();
++    v8::Local<v8::Object> wrapper = world.DomDataStore().Get(object, isolate);
++    if (!wrapper.IsEmpty()) {
++      buffers.push_back(v8::Local<v8::ArrayBuffer>::Cast(wrapper));
++    }
++    return;
++  }
++
+   Vector<scoped_refptr<DOMWrapperWorld>> worlds;
+   DOMWrapperWorld::AllWorldsInCurrentThread(worlds);
+   for (const auto& world : worlds) {
+@@ -155,6 +164,47 @@ DOMArrayBuffer* DOMArrayBuffer::Create(
+   return Create(std::move(contents));
+ }
+ 
++bool DOMArrayBuffer::IsDetached() const {
++  if (contents_.BackingStore() == nullptr) {
++    return is_detached_;
++  }
++  if (is_detached_) {
++    return true;
++  }
++
++  v8::Isolate* isolate = v8::Isolate::GetCurrent();
++  v8::HandleScope handle_scope(isolate);
++  Vector<v8::Local<v8::ArrayBuffer>, 4> buffer_handles;
++  AccumulateArrayBuffersForAllWorlds(isolate, const_cast<DOMArrayBuffer*>(this),  buffer_handles);
++
++  // There may be several v8::ArrayBuffers corresponding to the DOMArrayBuffer,
++  // but at most one of them may be non-detached.
++  int nondetached_count = 0;
++  int detached_count = 0;
++
++  for (const auto& buffer_handle : buffer_handles) {
++    if (buffer_handle->WasDetached()) {
++      ++detached_count;
++    } else {
++      ++nondetached_count;
++    }
++  }
++  CHECK_LE(nondetached_count, 1);
++
++  return nondetached_count == 0 && detached_count > 0;
++}
++
++v8::Local<v8::Object> DOMArrayBuffer::AssociateWithWrapper(
++    v8::Isolate* isolate,
++    const WrapperTypeInfo* wrapper_type_info,
++    v8::Local<v8::Object> wrapper) {
++  if (!DOMWrapperWorld::Current(isolate).IsMainWorld()) {
++    has_non_main_world_wrappers_ = true;
++  }
++  return ScriptWrappable::AssociateWithWrapper(isolate, wrapper_type_info,
++                                               wrapper);
++}
++
+ DOMArrayBuffer* DOMArrayBuffer::Slice(size_t begin, size_t end) const {
+   begin = std::min(begin, ByteLengthAsSizeT());
+   end = std::min(end, ByteLengthAsSizeT());
+diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
+index e9a85d38d4d4..b1820dfa8408 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.h
+@@ -79,8 +79,21 @@ class CORE_EXPORT DOMArrayBuffer final : public DOMArrayBufferBase {
+   v8::Local<v8::Value> Wrap(v8::Isolate*,
+                             v8::Local<v8::Object> creation_context) override;
+ 
++  bool IsDetached() const override;
++
++  v8::Local<v8::Object> AssociateWithWrapper(
++      v8::Isolate* isolate,
++      const WrapperTypeInfo* wrapper_type_info,
++      v8::Local<v8::Object> wrapper) override;
++
++  bool has_non_main_world_wrappers() const {
++    return has_non_main_world_wrappers_;
++  }
++
+  private:
+   bool TransferDetachable(v8::Isolate*, ArrayBufferContents& result);
++
++  bool has_non_main_world_wrappers_ = false;
+ };
+ 
+ }  // namespace blink
+diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h
+index e99cce60dd7f..3ae9a4360e85 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h
++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer_base.h
+@@ -33,7 +33,7 @@ class CORE_EXPORT DOMArrayBufferBase : public ScriptWrappable {
+     return base::checked_cast<unsigned>(contents_.DataLength());
+   }
+ 
+-  bool IsDetached() const { return is_detached_; }
++  virtual bool IsDetached() const { return is_detached_; }
+ 
+   void Detach() { is_detached_ = true; }
+ 
+From efda8125f55049957e196995dffafb6dc171eadf Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marja=20H=C3=B6ltt=C3=A4?= <marja@google.com>
+Date: Thu, 4 Apr 2024 09:43:42 +0200
+Subject: [PATCH] [Backport] CVE-2024-3914: Use after free in V8 (2/2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Manual cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5419329:
+[M120-LTS] Comment out a CHECK that a DOMAB has maximally one non-detached JSAB
+
+Based on crash reports, this assumption is not true and has to be
+investigated.
+
+Removing this newly introduced CHECK to be able to merge fixes in this
+area - we still violate this invariant but the fixes are a step into
+the right direction.
+
+Fix in question:
+https://chromium-review.googlesource.com/5387887
+which also introduced this CHECK.
+
+Bug: 330759272
+Change-Id: I4ba52fee7ed8f45e352efd347e87df03d896ac3d
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5419329
+Commit-Queue: Marja Hölttä <marja@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#1282379}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562707
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../blink/renderer/core/typed_arrays/dom_array_buffer.cc    | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc b/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
+index 38dcd3a3573..69e332272dd 100644
+--- src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
++++ src/3rdparty/chromium/third_party/blink/renderer/core/typed_arrays/dom_array_buffer.cc
+@@ -189,7 +189,11 @@ bool DOMArrayBuffer::IsDetached() const {
+       ++nondetached_count;
+     }
+   }
+-  CHECK_LE(nondetached_count, 1);
++  // This CHECK fires even though it should not. TODO(330759272): Investigate
++  // under which conditions we end up with multiple non-detached JSABs for the
++  // same DOMAB and potentially restore this check.
++
++  // CHECK_LE(nondetached_count, 1);
+ 
+   return nondetached_count == 0 && detached_count > 0;
+ }
+From 91b3c705d739f6b6c58da6133e8e818e06dfcaa3 Mon Sep 17 00:00:00 2001
+From: Victor Gomes <victorgomes@chromium.org>
+Date: Thu, 21 Mar 2024 09:59:19 +0100
+Subject: [PATCH] [Backport] Security bug 329699609
+
+Manual backport of patch originally reviewed on
+https://chromium-review.googlesource.com/c/v8/v8/+/5378286:
+Deal with large strings in NoSideEffectsErrorToString
+
+If name is too big, StringBuilder will fail to even add
+"<a very large string>" suffix.
+
+In this case, we truncate name first.
+
+Bug: 329699609
+Change-Id: I6e4440c07eae84371f44b54f88127e2c70af0db5
+Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378286
+Commit-Queue: Victor Gomes <victorgomes@chromium.org>
+Reviewed-by: Patrick Thier <pthier@chromium.org>
+Auto-Submit: Victor Gomes <victorgomes@chromium.org>
+Cr-Commit-Position: refs/heads/main@{#92932}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/562708
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ chromium/v8/src/objects/objects.cc | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+diff --git a/chromium/v8/src/objects/objects.cc b/chromium/v8/src/objects/objects.cc
+index 7b38609e347..7820c7e8e58 100644
+--- src/3rdparty/chromium/v8/src/objects/objects.cc
++++ src/3rdparty/chromium/v8/src/objects/objects.cc
+@@ -425,14 +425,27 @@ Handle<String> NoSideEffectsErrorToString(Isolate* isolate,
+   if (name_str->length() == 0) return msg_str;
+   if (msg_str->length() == 0) return name_str;
+ 
+-  IncrementalStringBuilder builder(isolate);
+-  builder.AppendString(name_str);
+-  builder.AppendCString(": ");
++  constexpr const char error_suffix[] = "<a very large string>";
++  constexpr int error_suffix_size = sizeof(error_suffix);
++  int suffix_size = std::min(error_suffix_size, msg_str->length());
+ 
+-  if (builder.Length() + msg_str->length() <= String::kMaxLength) {
+-    builder.AppendString(msg_str);
++  IncrementalStringBuilder builder(isolate);
++  if (name_str->length() + suffix_size + 2 /* ": " */ > String::kMaxLength) {
++    constexpr const char connector[] = "... : ";
++    int connector_size = sizeof(connector);
++    Handle<String> truncated_name = isolate->factory()->NewProperSubString(
++        name_str, 0, name_str->length() - error_suffix_size - connector_size);
++    builder.AppendString(truncated_name);
++    builder.AppendCString(connector);
++    builder.AppendCString(error_suffix);
+   } else {
+-    builder.AppendCString("<a very large string>");
++    builder.AppendString(name_str);
++    builder.AppendCString(": ");
++    if (builder.Length() + msg_str->length() <= String::kMaxLength) {
++      builder.AppendString(msg_str);
++    } else {
++      builder.AppendCString(error_suffix);
++    }
+   }
+ 
+   return builder.Finish().ToHandleChecked();
+From d3cb500c1d4b0508f3f21bb568c095984c614fcf Mon Sep 17 00:00:00 2001
+From: "Jason E. Hale" <jhale@FreeBSD.org>
+Date: Thu, 20 Jun 2024 23:42:33 -0400
+Subject: [PATCH] [Backport] Fixup CVE-2024-3914: Use after free in V8 (1/2)
+
+Manual backport of requisite method WasDetached() in V8.
+---
+ chromium/v8/include/v8.h   | 8 ++++++++
+ chromium/v8/src/api/api.cc | 4 ++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/chromium/v8/include/v8.h b/chromium/v8/include/v8.h
+index 32687d90b5f..8a1b437bb06 100644
+--- src/3rdparty/chromium/v8/include/v8.h
++++ src/3rdparty/chromium/v8/include/v8.h
+@@ -5299,6 +5299,11 @@ class V8_EXPORT ArrayBuffer : public Object {
+    */
+   bool IsDetachable() const;
+ 
++  /**
++   * Returns true if this ArrayBuffer has been detached.
++   */
++  bool WasDetached() const;
++
+   /**
+    * Detaches this ArrayBuffer and all its views (typed arrays).
+    * Detaching sets the byte length of the buffer and all typed arrays to zero,
+@@ -5349,6 +5354,9 @@ class V8_EXPORT ArrayBuffer : public Object {
+    * should not attempt to manage lifetime of the storage through other means.
+    *
+    * This function replaces both Externalize() and GetContents().
++   *
++   * The returned shared pointer will not be empty, even if the ArrayBuffer has
++   * been detached. Use |WasDetached| to tell if it has been detached instead.
+    */
+   std::shared_ptr<BackingStore> GetBackingStore();
+ 
+diff --git a/chromium/v8/src/api/api.cc b/chromium/v8/src/api/api.cc
+index b6f9d12769e..05d31a7cedf 100644
+--- src/3rdparty/chromium/v8/src/api/api.cc
++++ src/3rdparty/chromium/v8/src/api/api.cc
+@@ -7386,6 +7386,10 @@ bool v8::ArrayBuffer::IsDetachable() const {
+   return Utils::OpenHandle(this)->is_detachable();
+ }
+ 
++bool v8::ArrayBuffer::WasDetached() const {
++  return Utils::OpenHandle(this)->was_detached();
++}
++
+ namespace {
+ // The backing store deleter just deletes the indirection, which downrefs
+ // the shared pointer. It will get collected normally.



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202406210628.45L6Sbhd035539>