-
Notifications
You must be signed in to change notification settings - Fork 726
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
www/qt5-webengine: Address a few CVEs in chromium
MFH: 2024Q2 Security: d58455cc-159e-11ef-83d8-4ccc6adda413 (cherry picked from commit 3fc81b9)
- Loading branch information
Showing
2 changed files
with
274 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,273 @@ | ||
Add security patches to this file. | ||
|
||
Addresses the following security issues: | ||
|
||
- Security bug 329674887 | ||
- CVE-2024-3157 | ||
- CVE-2024-3516 | ||
|
||
From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001 | ||
From: Marco Paniconi <marpan@google.com> | ||
Date: Wed, 13 Mar 2024 10:58:17 -0700 | ||
Subject: [PATCH] [Backport] Security bug 329674887 (1/2) | ||
|
||
Cherry-pick of patch orignally reviewed on | ||
https://chromium-review.googlesource.com/c/webm/libvpx/+/5370376: | ||
Fix to buffer alloc for vp9_bitstream_worker_data | ||
|
||
The code was using the bitstream_worker_data when it | ||
wasn't allocated for big enough size. This is because | ||
the existing condition was to only re-alloc the | ||
bitstream_worker_data when current dest_size was larger | ||
than the current frame_size. But under resolution change | ||
where frame_size is increased, beyond the current dest_size, | ||
we need to allow re-alloc to the new size. | ||
|
||
The existing condition to re-alloc when dest_size is | ||
larger than frame_size (which is not required) is kept | ||
for now. | ||
|
||
Also increase the dest_size to account for image format. | ||
|
||
Added tests, for both ROW_MT=0 and 1, that reproduce | ||
the failures in the bugs below. | ||
|
||
Note: this issue only affects the REALTIME encoding path. | ||
|
||
Bug: b/329088759, b/329674887, b/329179808 | ||
|
||
Change-Id: Icd65dbc5317120304d803f648d4bd9405710db6f | ||
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554667 | ||
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> | ||
--- | ||
.../source/libvpx/vp9/encoder/vp9_bitstream.c | 14 +++++++++++--- | ||
1 file changed, 11 insertions(+), 3 deletions(-) | ||
|
||
diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | ||
index 3eff4ce830d1..22db39714922 100644 | ||
--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | ||
+++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | ||
@@ -963,6 +963,14 @@ void vp9_bitstream_encode_tiles_buffer_dealloc(VP9_COMP *const cpi) { | ||
} | ||
} | ||
|
||
+static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) { | ||
+ VP9_COMMON *const cm = &cpi->common; | ||
+ const int image_bps = | ||
+ (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) * | ||
+ (1 + (cm->bit_depth > 8)); | ||
+ return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; | ||
+} | ||
+ | ||
static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { | ||
int i; | ||
const size_t worker_data_size = | ||
@@ -972,7 +980,7 @@ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { | ||
if (!cpi->vp9_bitstream_worker_data) return 1; | ||
for (i = 1; i < cpi->num_workers; ++i) { | ||
cpi->vp9_bitstream_worker_data[i].dest_size = | ||
- cpi->oxcf.width * cpi->oxcf.height; | ||
+ encode_tiles_buffer_alloc_size(cpi); | ||
cpi->vp9_bitstream_worker_data[i].dest = | ||
vpx_malloc(cpi->vp9_bitstream_worker_data[i].dest_size); | ||
if (!cpi->vp9_bitstream_worker_data[i].dest) return 1; | ||
@@ -989,8 +997,8 @@ static size_t encode_tiles_mt(VP9_COMP *cpi, uint8_t *data_ptr) { | ||
int tile_col = 0; | ||
|
||
if (!cpi->vp9_bitstream_worker_data || | ||
- cpi->vp9_bitstream_worker_data[1].dest_size > | ||
- (cpi->oxcf.width * cpi->oxcf.height)) { | ||
+ cpi->vp9_bitstream_worker_data[1].dest_size != | ||
+ encode_tiles_buffer_alloc_size(cpi)) { | ||
vp9_bitstream_encode_tiles_buffer_dealloc(cpi); | ||
if (encode_tiles_buffer_alloc(cpi)) return 0; | ||
} | ||
From 7c81b9390d837ffbaccb1846db64960b4a79626f Mon Sep 17 00:00:00 2001 | ||
From: Marco Paniconi <marpan@google.com> | ||
Date: Sat, 16 Mar 2024 10:39:28 -0700 | ||
Subject: [PATCH] [Backport] Security bug 329674887 (2/2) | ||
|
||
Cherry-pick of patch originally reviewed on | ||
https://chromium-review.googlesource.com/c/webm/libvpx/+/5375794: | ||
vp9: fix to integer overflow test | ||
|
||
failure for the 16k test: issue introduced | ||
in: c29e637283 | ||
|
||
Bug: b/329088759, b/329674887, b/329179808 | ||
|
||
Change-Id: I88e8a36b7f13223997c3006c84aec9cfa48c0bcf | ||
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554668 | ||
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> | ||
--- | ||
.../libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | 4 +++- | ||
1 file changed, 3 insertions(+), 1 deletion(-) | ||
|
||
diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | ||
index 22db3971492..645ba6ebb3a 100644 | ||
--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | ||
+++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | ||
@@ -968,7 +968,9 @@ static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) { | ||
const int image_bps = | ||
(8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) * | ||
(1 + (cm->bit_depth > 8)); | ||
- return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; | ||
+ const int64_t size = | ||
+ (int64_t)cpi->oxcf.width * cpi->oxcf.height * image_bps / 8; | ||
+ return (int)size; | ||
} | ||
|
||
static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) { | ||
From 11ecd608320b14500f912e827b5b0eab285b8142 Mon Sep 17 00:00:00 2001 | ||
From: kylechar <kylechar@chromium.org> | ||
Date: Tue, 9 Apr 2024 17:14:26 +0000 | ||
Subject: [PATCH] [Backport] CVE-2024-3157: Out of bounds write in Compositing | ||
|
||
Cherry-pick of patch originally reviewed on | ||
https://chromium-review.googlesource.com/c/chromium/src/+/5420432: | ||
Validate buffer length | ||
|
||
The BitmapInSharedMemory mojo traits were only validating row length and | ||
not total buffer length. | ||
|
||
(cherry picked from commit 1a19ff70bd54847d818566bd7a1e7c384c419746) | ||
|
||
(cherry picked from commit f15315f1cb7897e208947a40d538aac693283d7f) | ||
|
||
Bug: 331237485 | ||
Change-Id: Ia2318899c44e9e7ac72fc7183954e6ce2c702179 | ||
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5396796 | ||
Commit-Queue: Kyle Charbonneau <kylechar@chromium.org> | ||
Cr-Original-Original-Commit-Position: refs/heads/main@{#1278417} | ||
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5420432 | ||
Commit-Queue: danakj <danakj@chromium.org> | ||
Cr-Original-Commit-Position: refs/branch-heads/6312@{#786} | ||
Cr-Original-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506} | ||
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5433678 | ||
Reviewed-by: danakj <danakj@chromium.org> | ||
Reviewed-by: Kyle Charbonneau <kylechar@chromium.org> | ||
Cr-Commit-Position: refs/branch-heads/6099@{#2003} | ||
Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362} | ||
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554669 | ||
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> | ||
--- | ||
.../cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | 4 ++++ | ||
1 file changed, 4 insertions(+) | ||
|
||
diff --git a/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc b/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | ||
index f602fa100477..c6d84002b3e4 100644 | ||
--- src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | ||
+++ src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | ||
@@ -69,6 +69,10 @@ bool StructTraits<viz::mojom::BitmapInSharedMemoryDataView, SkBitmap>::Read( | ||
if (!mapping_ptr->IsValid()) | ||
return false; | ||
|
||
+ if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) { | ||
+ return false; | ||
+ } | ||
+ | ||
if (!sk_bitmap->installPixels(image_info, mapping_ptr->memory(), | ||
data.row_bytes(), &DeleteSharedMemoryMapping, | ||
mapping_ptr.get())) { | ||
From 060d3aa868d6f4403a9416fe34b48ffbfcfe19cb Mon Sep 17 00:00:00 2001 | ||
From: Shahbaz Youssefi <syoussefi@chromium.org> | ||
Date: Mon, 25 Mar 2024 14:46:56 -0400 | ||
Subject: [PATCH] [Backport] CVE-2024-3516: Heap buffer overflow in ANGLE | ||
|
||
Cherry-pick of patch originally reviewed on | ||
https://chromium-review.googlesource.com/c/angle/angle/+/5391986: | ||
Translator: Disallow samplers in structs in interface blocks | ||
|
||
As disallowed by the spec: | ||
|
||
> Types and declarators are the same as for other uniform variable | ||
> declarations outside blocks, with these exceptions: | ||
> | ||
> * opaque types are not allowed | ||
|
||
Bug: chromium:328859176 | ||
Change-Id: Ib94977860102329e520e635c3757827c93ca2163 | ||
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5391986 | ||
Auto-Submit: Shahbaz Youssefi <syoussefi@chromium.org> | ||
Reviewed-by: Geoff Lang <geofflang@chromium.org> | ||
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org> | ||
Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554670 | ||
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> | ||
--- | ||
.../src/compiler/translator/ParseContext.cpp | 33 ++++++++++++------- | ||
1 file changed, 21 insertions(+), 12 deletions(-) | ||
|
||
diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp | ||
index 84a0c8fd9e0d..3e8a4a71ff67 100644 | ||
--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp | ||
+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp | ||
@@ -34,27 +34,39 @@ namespace | ||
|
||
const int kWebGLMaxStructNesting = 4; | ||
|
||
-bool ContainsSampler(const TStructure *structType); | ||
+struct IsSamplerFunc | ||
+{ | ||
+ bool operator()(TBasicType type) { return IsSampler(type); } | ||
+}; | ||
+struct IsOpaqueFunc | ||
+{ | ||
+ bool operator()(TBasicType type) { return IsOpaqueType(type); } | ||
+}; | ||
+ | ||
+template <typename OpaqueFunc> | ||
+bool ContainsOpaque(const TStructure *structType); | ||
|
||
-bool ContainsSampler(const TType &type) | ||
+template <typename OpaqueFunc> | ||
+bool ContainsOpaque(const TType &type) | ||
{ | ||
- if (IsSampler(type.getBasicType())) | ||
+ if (OpaqueFunc{}(type.getBasicType())) | ||
{ | ||
return true; | ||
} | ||
if (type.getBasicType() == EbtStruct) | ||
{ | ||
- return ContainsSampler(type.getStruct()); | ||
+ return ContainsOpaque<OpaqueFunc>(type.getStruct()); | ||
} | ||
|
||
return false; | ||
} | ||
|
||
-bool ContainsSampler(const TStructure *structType) | ||
+template <typename OpaqueFunc> | ||
+bool ContainsOpaque(const TStructure *structType) | ||
{ | ||
for (const auto &field : structType->fields()) | ||
{ | ||
- if (ContainsSampler(*field->type())) | ||
+ if (ContainsOpaque<OpaqueFunc>(*field->type())) | ||
return true; | ||
} | ||
return false; | ||
@@ -915,7 +927,7 @@ bool TParseContext::checkIsNotOpaqueType(const TSourceLoc &line, | ||
{ | ||
if (pType.type == EbtStruct) | ||
{ | ||
- if (ContainsSampler(pType.userDef)) | ||
+ if (ContainsOpaque<IsSamplerFunc>(pType.userDef)) | ||
{ | ||
std::stringstream reasonStream = sh::InitializeStream<std::stringstream>(); | ||
reasonStream << reason << " (structure contains a sampler)"; | ||
@@ -3900,12 +3912,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock( | ||
{ | ||
TField *field = (*fieldList)[memberIndex]; | ||
TType *fieldType = field->type(); | ||
- if (IsOpaqueType(fieldType->getBasicType())) | ||
+ if (ContainsOpaque<IsOpaqueFunc>(*fieldType)) | ||
{ | ||
- std::string reason("unsupported type - "); | ||
- reason += fieldType->getBasicString(); | ||
- reason += " types are not allowed in interface blocks"; | ||
- error(field->line(), reason.c_str(), fieldType->getBasicString()); | ||
+ error(field->line(), "Opaque types are not allowed in interface blocks", blockName); | ||
} | ||
|
||
const TQualifier qualifier = fieldType->getQualifier(); |