git: 06c911c91573 - 2024Q2 - www/qt5-webengine: Address a few CVEs in chromium
Date: Sun, 19 May 2024 05:29:39 UTC
The branch 2024Q2 has been updated by jhale:
URL: https://cgit.FreeBSD.org/ports/commit/?id=06c911c915736be1ac5cc712229cf1766993a007
commit 06c911c915736be1ac5cc712229cf1766993a007
Author: Jason E. Hale <jhale@FreeBSD.org>
AuthorDate: 2024-05-19 05:25:08 +0000
Commit: Jason E. Hale <jhale@FreeBSD.org>
CommitDate: 2024-05-19 05:29:30 +0000
www/qt5-webengine: Address a few CVEs in chromium
MFH: 2024Q2
Security: d58455cc-159e-11ef-83d8-4ccc6adda413
(cherry picked from commit 3fc81b9f8145ade3e1dd6945f603875d0c41f296)
---
www/qt5-webengine/Makefile | 2 +-
www/qt5-webengine/files/patch-security-rollup | 273 ++++++++++++++++++++++++++
2 files changed, 274 insertions(+), 1 deletion(-)
diff --git a/www/qt5-webengine/Makefile b/www/qt5-webengine/Makefile
index 9b1dbab6880c..0f6a5f3dca02 100644
--- a/www/qt5-webengine/Makefile
+++ b/www/qt5-webengine/Makefile
@@ -19,7 +19,7 @@
 PORTNAME= webengine
 DISTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH}
-PORTREVISION= 1
+PORTREVISION= 2
 CATEGORIES= www
 PKGNAMEPREFIX= qt5-
diff --git a/www/qt5-webengine/files/patch-security-rollup b/www/qt5-webengine/files/patch-security-rollup
new file mode 100644
index 000000000000..e0554d3d7c61
--- /dev/null
+++ b/www/qt5-webengine/files/patch-security-rollup
@@ -0,0 +1,273 @@
+Add security patches to this file.
+
+Addresses the following security issues:
+
+- Security bug 329674887
+- CVE-2024-3157
+- CVE-2024-3516
+
+From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001
+From: Marco Paniconi <marpan@google.com>
+Date: Wed, 13 Mar 2024 10:58:17 -0700
+Subject: [PATCH] [Backport] Security bug 329674887 (1/2)
+
+Cherry-pick of patch orignally reviewed on
+https://chromium-review.googlesource.com/c/webm/libvpx/+/5370376:
+Fix to buffer alloc for vp9_bitstream_worker_data
+
+The code was using the bitstream_worker_data when it
+wasn't allocated for big enough size. This is because
+the existing condition was to only re-alloc the
+bitstream_worker_data when current dest_size was larger
+than the current frame_size. But under resolution change
+where frame_size is increased, beyond the current dest_size,
+we need to allow re-alloc to the new size.
+
+The existing condition to re-alloc when dest_size is
+larger than frame_size (which is not required) is kept
+for now.
+
+Also increase the dest_size to account for image format.
+
+Added tests, for both ROW_MT=0 and 1, that reproduce
+the failures in the bugs below.
+
+Note: this issue only affects the REALTIME encoding path.
+
+Bug: b/329088759, b/329674887, b/329179808
+
+Change-Id: Icd65dbc5317120304d803f648d4bd9405710db6f
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554667
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../source/libvpx/vp9/encoder/vp9_bitstream.c | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+index 3eff4ce830d1..22db39714922 100644
+--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
++++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+@@ -963,6 +963,14 @@ void vp9_bitstream_encode_tiles_buffer_dealloc(VP9_COMP *const cpi) {
+ }
+ }
+
++static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) {
++ VP9_COMMON *const cm = &cpi->common;
++ const int image_bps =
++ (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) *
++ (1 + (cm->bit_depth > 8));
++ return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
++}
++
+ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
+ int i;
+ const size_t worker_data_size =
+@@ -972,7 +980,7 @@ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
+ if (!cpi->vp9_bitstream_worker_data) return 1;
+ for (i = 1; i < cpi->num_workers; ++i) {
+ cpi->vp9_bitstream_worker_data[i].dest_size =
+- cpi->oxcf.width * cpi->oxcf.height;
++ encode_tiles_buffer_alloc_size(cpi);
+ cpi->vp9_bitstream_worker_data[i].dest =
+ vpx_malloc(cpi->vp9_bitstream_worker_data[i].dest_size);
+ if (!cpi->vp9_bitstream_worker_data[i].dest) return 1;
+@@ -989,8 +997,8 @@ static size_t encode_tiles_mt(VP9_COMP *cpi, uint8_t *data_ptr) {
+ int tile_col = 0;
+
+ if (!cpi->vp9_bitstream_worker_data ||
+- cpi->vp9_bitstream_worker_data[1].dest_size >
+- (cpi->oxcf.width * cpi->oxcf.height)) {
++ cpi->vp9_bitstream_worker_data[1].dest_size !=
++ encode_tiles_buffer_alloc_size(cpi)) {
+ vp9_bitstream_encode_tiles_buffer_dealloc(cpi);
+ if (encode_tiles_buffer_alloc(cpi)) return 0;
+ }
+From 7c81b9390d837ffbaccb1846db64960b4a79626f Mon Sep 17 00:00:00 2001
+From: Marco Paniconi <marpan@google.com>
+Date: Sat, 16 Mar 2024 10:39:28 -0700
+Subject: [PATCH] [Backport] Security bug 329674887 (2/2)
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/webm/libvpx/+/5375794:
+vp9: fix to integer overflow test
+
+failure for the 16k test: issue introduced
+in: c29e637283
+
+Bug: b/329088759, b/329674887, b/329179808
+
+Change-Id: I88e8a36b7f13223997c3006c84aec9cfa48c0bcf
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554668
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+index 22db3971492..645ba6ebb3a 100644
+--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
++++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+@@ -968,7 +968,9 @@ static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) {
+ const int image_bps =
+ (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) *
+ (1 + (cm->bit_depth > 8));
+- return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
++ const int64_t size =
++ (int64_t)cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
++ return (int)size;
+ }
+
+ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
+From 11ecd608320b14500f912e827b5b0eab285b8142 Mon Sep 17 00:00:00 2001
+From: kylechar <kylechar@chromium.org>
+Date: Tue, 9 Apr 2024 17:14:26 +0000
+Subject: [PATCH] [Backport] CVE-2024-3157: Out of bounds write in Compositing
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5420432:
+Validate buffer length
+
+The BitmapInSharedMemory mojo traits were only validating row length and
+not total buffer length.
+
+(cherry picked from commit 1a19ff70bd54847d818566bd7a1e7c384c419746)
+
+(cherry picked from commit f15315f1cb7897e208947a40d538aac693283d7f)
+
+Bug: 331237485
+Change-Id: Ia2318899c44e9e7ac72fc7183954e6ce2c702179
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5396796
+Commit-Queue: Kyle Charbonneau <kylechar@chromium.org>
+Cr-Original-Original-Commit-Position: refs/heads/main@{#1278417}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5420432
+Commit-Queue: danakj <danakj@chromium.org>
+Cr-Original-Commit-Position: refs/branch-heads/6312@{#786}
+Cr-Original-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5433678
+Reviewed-by: danakj <danakj@chromium.org>
+Reviewed-by: Kyle Charbonneau <kylechar@chromium.org>
+Cr-Commit-Position: refs/branch-heads/6099@{#2003}
+Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554669
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc b/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
+index f602fa100477..c6d84002b3e4 100644
+--- src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
++++ src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
+@@ -69,6 +69,10 @@ bool StructTraits<viz::mojom::BitmapInSharedMemoryDataView, SkBitmap>::Read(
+ if (!mapping_ptr->IsValid())
+ return false;
+
++ if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) {
++ return false;
++ }
++
+ if (!sk_bitmap->installPixels(image_info, mapping_ptr->memory(),
+ data.row_bytes(), &DeleteSharedMemoryMapping,
+ mapping_ptr.get())) {
+From 060d3aa868d6f4403a9416fe34b48ffbfcfe19cb Mon Sep 17 00:00:00 2001
+From: Shahbaz Youssefi <syoussefi@chromium.org>
+Date: Mon, 25 Mar 2024 14:46:56 -0400
+Subject: [PATCH] [Backport] CVE-2024-3516: Heap buffer overflow in ANGLE
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/angle/angle/+/5391986:
+Translator: Disallow samplers in structs in interface blocks
+
+As disallowed by the spec:
+
+> Types and declarators are the same as for other uniform variable
+> declarations outside blocks, with these exceptions:
+>
+> * opaque types are not allowed
+
+Bug: chromium:328859176
+Change-Id: Ib94977860102329e520e635c3757827c93ca2163
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5391986
+Auto-Submit: Shahbaz Youssefi <syoussefi@chromium.org>
+Reviewed-by: Geoff Lang <geofflang@chromium.org>
+Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554670
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../src/compiler/translator/ParseContext.cpp | 33 ++++++++++++-------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
+index 84a0c8fd9e0d..3e8a4a71ff67 100644
+--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
++++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
+@@ -34,27 +34,39 @@ namespace
+
+ const int kWebGLMaxStructNesting = 4;
+
+-bool ContainsSampler(const TStructure *structType);
++struct IsSamplerFunc
++{
++ bool operator()(TBasicType type) { return IsSampler(type); }
++};
++struct IsOpaqueFunc
++{
++ bool operator()(TBasicType type) { return IsOpaqueType(type); }
++};
++
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TStructure *structType);
+
+-bool ContainsSampler(const TType &type)
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TType &type)
+ {
+- if (IsSampler(type.getBasicType()))
++ if (OpaqueFunc{}(type.getBasicType()))
+ {
+ return true;
+ }
+ if (type.getBasicType() == EbtStruct)
+ {
+- return ContainsSampler(type.getStruct());
++ return ContainsOpaque<OpaqueFunc>(type.getStruct());
+ }
+
+ return false;
+ }
+
+-bool ContainsSampler(const TStructure *structType)
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TStructure *structType)
+ {
+ for (const auto &field : structType->fields())
+ {
+- if (ContainsSampler(*field->type()))
++ if (ContainsOpaque<OpaqueFunc>(*field->type()))
+ return true;
+ }
+ return false;
+@@ -915,7 +927,7 @@ bool TParseContext::checkIsNotOpaqueType(const TSourceLoc &line,
+ {
+ if (pType.type == EbtStruct)
+ {
+- if (ContainsSampler(pType.userDef))
++ if (ContainsOpaque<IsSamplerFunc>(pType.userDef))
+ {
+ std::stringstream reasonStream = sh::InitializeStream<std::stringstream>();
+ reasonStream << reason << " (structure contains a sampler)";
+@@ -3900,12 +3912,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock(
+ {
+ TField *field = (*fieldList)[memberIndex];
+ TType *fieldType = field->type();
+- if (IsOpaqueType(fieldType->getBasicType()))
++ if (ContainsOpaque<IsOpaqueFunc>(*fieldType))
+ {
+- std::string reason("unsupported type - ");
+- reason += fieldType->getBasicString();
+- reason += " types are not allowed in interface blocks";
+- error(field->line(), reason.c_str(), fieldType->getBasicString());
++ error(field->line(), "Opaque types are not allowed in interface blocks", blockName);
+ }
+
+ const TQualifier qualifier = fieldType->getQualifier();
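Review bot: In the second libvpx patch, `encode_tiles_buffer_alloc_size` widens the product to `int64_t` but then narrows it again with `return (int)size;`, so a width/height/format combination whose byte count exceeds INT_MAX wraps to a small or negative `dest_size` before it reaches `vpx_malloc` in `encode_tiles_buffer_alloc` — the same under-allocation class this rollup is fixing, though only reachable if the encoder's dimension range checks (outside this hunk) admit such frames. A safer shape is to have the helper return `int64_t` unclamped and refuse oversized frames before the worker loop, e.g. `if (encode_tiles_buffer_alloc_size(cpi) > INT_MAX) return 1;` in `encode_tiles_buffer_alloc`, so the realtime path fails the allocation instead of allocating a wrapped size; the `!=` comparison in `encode_tiles_mt` then works on the widened value. Both `encode_tiles_buffer_alloc` and `encode_tiles_mt` continue outside the nested hunks shown here. As a minor style point in the ANGLE patch, `IsSamplerFunc::operator()` and `IsOpaqueFunc::operator()` are invoked on a temporary and touch no state, so they should be declared `bool operator()(TBasicType type) const`.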