chore: cherry-pick 6 changes from Release-3-M119 #40644

Merged
merged 1 commit into from Nov 30, 2023

@VerteDinde VerteDinde commented Nov 29, 2023

electron/security#432 - 971d6055e7b7 from openscreen [Cast Streaming] fix heap use-after-free

This patch fixes a use after free, caused by using an iterator
after it has been invalidated by a call to std::map::erase().

Bug: 1491210
Change-Id: I0c546eb6474af82f052b89e819a4886a004270f0
Reviewed-on: https://chromium-review.googlesource.com/c/openscreen/+/4981212
Reviewed-by: Mark Foltz mfoltz@chromium.org
Commit-Queue: Jordan Bayles jophba@chromium.org
Reviewed-by: Muyao Xu muyaoxu@google.com

electron/security#430 - 3f45b1af5e41 from chromium Check context status before creating new platform destination

RealtimeAudioDestinationHandler::SetSinkDescriptor creates new
destination platform without validating context status. This can
reactivate the audio rendering thread when AudioContext is already in
closed state.

(cherry picked from commit 0f9bb9a1083865d4e51059e588f27f729ab32753)

Bug: 1500856
Change-Id: If1fd531324b56fcdc38d315fd84d4cec577a14bc
Test: Locally confirmed with ASAN
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5021160
Reviewed-by: Alvin Ji alvinji@chromium.org
Commit-Queue: Alvin Ji alvinji@chromium.org
Reviewed-by: Hongchan Choi hongchan@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1223168}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5026373
Bot-Commit: Rubber Stamper rubber-stamper@appspot.gserviceaccount.com
Commit-Queue: Hongchan Choi hongchan@chromium.org
Cr-Commit-Position: refs/branch-heads/6099@{#607}
Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}

electron/security#431 - e13061c50998 from chromium [M118] Reland: Fix IPC Channel pipe teardown

This is a reland with the new test temporarily disabled on Android
until it can run without disrupting other tests.

(cherry picked from commit cd4c1f165c16c6d8161b5372ef7f61c715e01a42)

Fixed: 1494461
Change-Id: If1d83c2dce62020f78dd50abc460973759002a1a
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5015115
Commit-Queue: Ken Rockot rockot@google.com
Reviewed-by: Robert Sesek rsesek@chromium.org
Cr-Original-Commit-Position: refs/heads/main@{#1221953}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5037764
Reviewed-by: Daniel Cheng dcheng@chromium.org
Auto-Submit: Ken Rockot rockot@google.com
Commit-Queue: Daniel Cheng dcheng@chromium.org
Cr-Commit-Position: refs/branch-heads/5993@{#1618}
Cr-Branched-From: 511350718e646be62331ae9d7213d10ec320d514-refs/heads/main@{#1192594}

electron/security#432 - 6169a1fabae1 from skia Avoid combining extremely large meshes.

Bug: chromium:1505053
Change-Id: I42f2ff872bbf054686ec7af0cc85ff63055fcfbf
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/782936
Commit-Queue: Michael Ludwig michaelludwig@google.com
Reviewed-by: Michael Ludwig michaelludwig@google.com
Auto-Submit: John Stiles johnstiles@google.com

electron/security#429 - 6cc0d9aa5b3fb from libavif Remove potential out of bound access to alphaItemIndices

It is possible to craft a file that has more alpha auxiliary items
than color items and trigger an out of bound access into
alphaItemIndices in the for loop.

Fix is to ensure that each color grid item has exactly one alpha
grid item. Also, ensure that there are exactly the same number of
color grids as informed in the grid config before trying to
find the alpha item.

Also, update a diagnostic error message to cover all cases (i.e.)
there can be more grids than necessary as well.

Bug: 1501766, 1501770
Reviewed-on: https://chromium.googlesource.com/external/github.com/AOMediaCodec/libavif.git/+/6d62963f74aa76dbe05ac8c84bed94dece9ddde5
[118] Manual Backport: https://chromium.googlesource.com/external/github.com/AOMediaCodec/libavif.git/+/b2d36b1c3bfc806694cd4ff0cb188270823fe6d8

electron/security#429 - 922fca786b61a from libavif Do not store item pointers until all items are created

Calling avifMetaFindOrCreateItem() could invalidate all the
existing item pointers that are being stored by the caller (since
the function could resize the item array).

This patch fixes avifDecoderReset by storing the item indices
instead of item pointers until all the items are either created
or found.

Bug: 1501766, 1501770
Reviewed-on: https://chromium.googlesource.com/external/github.com/AOMediaCodec/libavif.git/+/2041109967c1746178c736e0a1504d9c97b51a5c
[118] Manual Backport: https://chromium.googlesource.com/external/github.com/AOMediaCodec/libavif.git/+/922fca786b61a83cfa0a7198bfcb61ece511394d

Notes:

@VerteDinde VerteDinde requested a review from a team as a code owner November 29, 2023 16:28
@VerteDinde VerteDinde added security 🔒 semver/patch backwards-compatible bug fixes backport-check-skip Skip trop's backport validity checking 26-x-y labels Nov 29, 2023
@VerteDinde VerteDinde marked this pull request as draft November 29, 2023 16:34
@VerteDinde VerteDinde force-pushed the cherry-pick/security/26-x-y/release-3-m119 branch from 10c86b9 to 033681a Compare November 29, 2023 19:07
* 971d6055e7b7 from openscreen
* 3f45b1af5e41 from chromium
* e13061c50998 from chromium
* 6169a1fabae1 from skia
* 6cc0d9aa5b3fb from libavif
* 922fca786b61a from libavif
@VerteDinde VerteDinde force-pushed the cherry-pick/security/26-x-y/release-3-m119 branch from 033681a to 9be7bc5 Compare November 30, 2023 08:30
@VerteDinde VerteDinde changed the title chore: cherry-pick 4 changes from Release-3-M119 chore: cherry-pick 6 changes from Release-3-M119 Nov 30, 2023
@VerteDinde VerteDinde marked this pull request as ready for review November 30, 2023 08:31
@codebytere codebytere merged commit aa688f9 into 26-x-y Nov 30, 2023
16 checks passed
@codebytere codebytere deleted the cherry-pick/security/26-x-y/release-3-m119 branch November 30, 2023 14:07
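
The two lifetime bugs named in the cherry-picked commit messages above (an iterator used after `std::map::erase()`, and item pointers held across a call that can resize the item array) follow the same pattern. This is an added C++ example, not code from openscreen, libavif or this PR; every type and function name in it is constructed for illustration.

```cpp
#include <cstddef>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for a keyed table (not openscreen's types).
// Erasing inside the loop is safe only because erase() returns the next
// valid iterator; `m.erase(it); ++it;` would step through a freed node.
std::size_t PruneExpired(std::map<int, int>& expiry_by_id, int now) {
  std::size_t removed = 0;
  for (auto it = expiry_by_id.begin(); it != expiry_by_id.end();) {
    if (it->second <= now) {
      it = expiry_by_id.erase(it);  // take the successor from erase()
      ++removed;
    } else {
      ++it;
    }
  }
  return removed;
}

// Constructed stand-in for a growable item array (not libavif's structures).
struct Item {
  unsigned id;
  std::string type;
};

// Returns the index of the item with this id, appending it if absent.
std::size_t FindOrCreate(std::vector<Item>& items, unsigned id) {
  for (std::size_t i = 0; i < items.size(); ++i)
    if (items[i].id == id) return i;
  items.push_back({id, ""});  // may reallocate: earlier Item* values dangle
  return items.size() - 1;
}

// Collect indices while the array can still grow, and convert them to
// pointers only after the last FindOrCreate() call has returned.
std::vector<Item*> ResolveAll(std::vector<Item>& items,
                              const std::vector<unsigned>& ids) {
  std::vector<std::size_t> indices;
  for (unsigned id : ids) indices.push_back(FindOrCreate(items, id));
  std::vector<Item*> resolved;
  for (std::size_t i : indices) resolved.push_back(&items[i]);
  return resolved;
}
```

Building either function's unsafe variant with AddressSanitizer reports a heap-use-after-free at the first stale access.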

release-clerk bot commented Nov 30, 2023

Release Notes Persisted

  • Security: backported fix for 1491210.
  • Security: backported fix for CVE-2023-6345.
  • Security: backported fix for CVE-2023-6346.
  • Security: backported fix for CVE-2023-6347.
  • Security: backported fix for CVE-2023-6350.


Hankszhang commented Dec 1, 2023

@VerteDinde openscreen module is not declared in config.json?
