git: 3fc81b9f8145 - main - www/qt5-webengine: Address a few CVEs in chromium
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Sun, 19 May 2024 05:28:49 UTC
The branch main has been updated by jhale:
URL: https://cgit.FreeBSD.org/ports/commit/?id=3fc81b9f8145ade3e1dd6945f603875d0c41f296
commit 3fc81b9f8145ade3e1dd6945f603875d0c41f296
Author: Jason E. Hale <jhale@FreeBSD.org>
AuthorDate: 2024-05-19 05:25:08 +0000
Commit: Jason E. Hale <jhale@FreeBSD.org>
CommitDate: 2024-05-19 05:28:42 +0000
www/qt5-webengine: Address a few CVEs in chromium
MFH: 2024Q2
Security: d58455cc-159e-11ef-83d8-4ccc6adda413
---
www/qt5-webengine/Makefile | 2 +-
www/qt5-webengine/files/patch-security-rollup | 273 ++++++++++++++++++++++++++
2 files changed, 274 insertions(+), 1 deletion(-)
diff --git a/www/qt5-webengine/Makefile b/www/qt5-webengine/Makefile
index 9b1dbab6880c..0f6a5f3dca02 100644
--- a/www/qt5-webengine/Makefile
+++ b/www/qt5-webengine/Makefile
@@ -19,7 +19,7 @@
PORTNAME= webengine
DISTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH}
-PORTREVISION= 1
+PORTREVISION= 2
CATEGORIES= www
PKGNAMEPREFIX= qt5-
diff --git a/www/qt5-webengine/files/patch-security-rollup b/www/qt5-webengine/files/patch-security-rollup
new file mode 100644
index 000000000000..e0554d3d7c61
--- /dev/null
+++ b/www/qt5-webengine/files/patch-security-rollup
@@ -0,0 +1,273 @@
+Add security patches to this file.
+
+Addresses the following security issues:
+
+- Security bug 329674887
+- CVE-2024-3157
+- CVE-2024-3516
+
+From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001
+From: Marco Paniconi <marpan@google.com>
+Date: Wed, 13 Mar 2024 10:58:17 -0700
+Subject: [PATCH] [Backport] Security bug 329674887 (1/2)
+
+Cherry-pick of patch orignally reviewed on
+https://chromium-review.googlesource.com/c/webm/libvpx/+/5370376:
+Fix to buffer alloc for vp9_bitstream_worker_data
+
+The code was using the bitstream_worker_data when it
+wasn't allocated for big enough size. This is because
+the existing condition was to only re-alloc the
+bitstream_worker_data when current dest_size was larger
+than the current frame_size. But under resolution change
+where frame_size is increased, beyond the current dest_size,
+we need to allow re-alloc to the new size.
+
+The existing condition to re-alloc when dest_size is
+larger than frame_size (which is not required) is kept
+for now.
+
+Also increase the dest_size to account for image format.
+
+Added tests, for both ROW_MT=0 and 1, that reproduce
+the failures in the bugs below.
+
+Note: this issue only affects the REALTIME encoding path.
+
+Bug: b/329088759, b/329674887, b/329179808
+
+Change-Id: Icd65dbc5317120304d803f648d4bd9405710db6f
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554667
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../source/libvpx/vp9/encoder/vp9_bitstream.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+index 3eff4ce830d1..22db39714922 100644
+--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
++++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+@@ -963,6 +963,14 @@ void vp9_bitstream_encode_tiles_buffer_dealloc(VP9_COMP *const cpi) {
+ }
+ }
+
++static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) {
++ VP9_COMMON *const cm = &cpi->common;
++ const int image_bps =
++ (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) *
++ (1 + (cm->bit_depth > 8));
++ return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
++}
++
+ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
+ int i;
+ const size_t worker_data_size =
+@@ -972,7 +980,7 @@ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
+ if (!cpi->vp9_bitstream_worker_data) return 1;
+ for (i = 1; i < cpi->num_workers; ++i) {
+ cpi->vp9_bitstream_worker_data[i].dest_size =
+- cpi->oxcf.width * cpi->oxcf.height;
++ encode_tiles_buffer_alloc_size(cpi);
+ cpi->vp9_bitstream_worker_data[i].dest =
+ vpx_malloc(cpi->vp9_bitstream_worker_data[i].dest_size);
+ if (!cpi->vp9_bitstream_worker_data[i].dest) return 1;
+@@ -989,8 +997,8 @@ static size_t encode_tiles_mt(VP9_COMP *cpi, uint8_t *data_ptr) {
+ int tile_col = 0;
+
+ if (!cpi->vp9_bitstream_worker_data ||
+- cpi->vp9_bitstream_worker_data[1].dest_size >
+- (cpi->oxcf.width * cpi->oxcf.height)) {
++ cpi->vp9_bitstream_worker_data[1].dest_size !=
++ encode_tiles_buffer_alloc_size(cpi)) {
+ vp9_bitstream_encode_tiles_buffer_dealloc(cpi);
+ if (encode_tiles_buffer_alloc(cpi)) return 0;
+ }
+From 7c81b9390d837ffbaccb1846db64960b4a79626f Mon Sep 17 00:00:00 2001
+From: Marco Paniconi <marpan@google.com>
+Date: Sat, 16 Mar 2024 10:39:28 -0700
+Subject: [PATCH] [Backport] Security bug 329674887 (2/2)
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/webm/libvpx/+/5375794:
+vp9: fix to integer overflow test
+
+failure for the 16k test: issue introduced
+in: c29e637283
+
+Bug: b/329088759, b/329674887, b/329179808
+
+Change-Id: I88e8a36b7f13223997c3006c84aec9cfa48c0bcf
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554668
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+index 22db3971492..645ba6ebb3a 100644
+--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
++++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+@@ -968,7 +968,9 @@ static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) {
+ const int image_bps =
+ (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) *
+ (1 + (cm->bit_depth > 8));
+- return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
++ const int64_t size =
++ (int64_t)cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
++ return (int)size;
+ }
+
+ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
+From 11ecd608320b14500f912e827b5b0eab285b8142 Mon Sep 17 00:00:00 2001
+From: kylechar <kylechar@chromium.org>
+Date: Tue, 9 Apr 2024 17:14:26 +0000
+Subject: [PATCH] [Backport] CVE-2024-3157: Out of bounds write in Compositing
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5420432:
+Validate buffer length
+
+The BitmapInSharedMemory mojo traits were only validating row length and
+not total buffer length.
+
+(cherry picked from commit 1a19ff70bd54847d818566bd7a1e7c384c419746)
+
+(cherry picked from commit f15315f1cb7897e208947a40d538aac693283d7f)
+
+Bug: 331237485
+Change-Id: Ia2318899c44e9e7ac72fc7183954e6ce2c702179
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5396796
+Commit-Queue: Kyle Charbonneau <kylechar@chromium.org>
+Cr-Original-Original-Commit-Position: refs/heads/main@{#1278417}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5420432
+Commit-Queue: danakj <danakj@chromium.org>
+Cr-Original-Commit-Position: refs/branch-heads/6312@{#786}
+Cr-Original-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5433678
+Reviewed-by: danakj <danakj@chromium.org>
+Reviewed-by: Kyle Charbonneau <kylechar@chromium.org>
+Cr-Commit-Position: refs/branch-heads/6099@{#2003}
+Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554669
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc b/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
+index f602fa100477..c6d84002b3e4 100644
+--- src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
++++ src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
+@@ -69,6 +69,10 @@ bool StructTraits<viz::mojom::BitmapInSharedMemoryDataView, SkBitmap>::Read(
+ if (!mapping_ptr->IsValid())
+ return false;
+
++ if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) {
++ return false;
++ }
++
+ if (!sk_bitmap->installPixels(image_info, mapping_ptr->memory(),
+ data.row_bytes(), &DeleteSharedMemoryMapping,
+ mapping_ptr.get())) {
+From 060d3aa868d6f4403a9416fe34b48ffbfcfe19cb Mon Sep 17 00:00:00 2001
+From: Shahbaz Youssefi <syoussefi@chromium.org>
+Date: Mon, 25 Mar 2024 14:46:56 -0400
+Subject: [PATCH] [Backport] CVE-2024-3516: Heap buffer overflow in ANGLE
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/angle/angle/+/5391986:
+Translator: Disallow samplers in structs in interface blocks
+
+As disallowed by the spec:
+
+> Types and declarators are the same as for other uniform variable
+> declarations outside blocks, with these exceptions:
+>
+> * opaque types are not allowed
+
+Bug: chromium:328859176
+Change-Id: Ib94977860102329e520e635c3757827c93ca2163
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5391986
+Auto-Submit: Shahbaz Youssefi <syoussefi@chromium.org>
+Reviewed-by: Geoff Lang <geofflang@chromium.org>
+Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554670
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../src/compiler/translator/ParseContext.cpp | 33 ++++++++++++-------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
+index 84a0c8fd9e0d..3e8a4a71ff67 100644
+--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
++++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
+@@ -34,27 +34,39 @@ namespace
+
+ const int kWebGLMaxStructNesting = 4;
+
+-bool ContainsSampler(const TStructure *structType);
++struct IsSamplerFunc
++{
++ bool operator()(TBasicType type) { return IsSampler(type); }
++};
++struct IsOpaqueFunc
++{
++ bool operator()(TBasicType type) { return IsOpaqueType(type); }
++};
++
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TStructure *structType);
+
+-bool ContainsSampler(const TType &type)
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TType &type)
+ {
+- if (IsSampler(type.getBasicType()))
++ if (OpaqueFunc{}(type.getBasicType()))
+ {
+ return true;
+ }
+ if (type.getBasicType() == EbtStruct)
+ {
+- return ContainsSampler(type.getStruct());
++ return ContainsOpaque<OpaqueFunc>(type.getStruct());
+ }
+
+ return false;
+ }
+
+-bool ContainsSampler(const TStructure *structType)
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TStructure *structType)
+ {
+ for (const auto &field : structType->fields())
+ {
+- if (ContainsSampler(*field->type()))
++ if (ContainsOpaque<OpaqueFunc>(*field->type()))
+ return true;
+ }
+ return false;
+@@ -915,7 +927,7 @@ bool TParseContext::checkIsNotOpaqueType(const TSourceLoc &line,
+ {
+ if (pType.type == EbtStruct)
+ {
+- if (ContainsSampler(pType.userDef))
++ if (ContainsOpaque<IsSamplerFunc>(pType.userDef))
+ {
+ std::stringstream reasonStream = sh::InitializeStream<std::stringstream>();
+ reasonStream << reason << " (structure contains a sampler)";
+@@ -3900,12 +3912,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock(
+ {
+ TField *field = (*fieldList)[memberIndex];
+ TType *fieldType = field->type();
+- if (IsOpaqueType(fieldType->getBasicType()))
++ if (ContainsOpaque<IsOpaqueFunc>(*fieldType))
+ {
+- std::string reason("unsupported type - ");
+- reason += fieldType->getBasicString();
+- reason += " types are not allowed in interface blocks";
+- error(field->line(), reason.c_str(), fieldType->getBasicString());
++ error(field->line(), "Opaque types are not allowed in interface blocks", blockName);
+ }
+
+ const TQualifier qualifier = fieldType->getQualifier();