git: 3fc81b9f8145 - main - www/qt5-webengine: Address a few CVEs in chromium

From: Jason E. Hale <jhale_at_FreeBSD.org>
Date: Sun, 19 May 2024 05:28:49 UTC
The branch main has been updated by jhale:

URL: https://cgit.FreeBSD.org/ports/commit/?id=3fc81b9f8145ade3e1dd6945f603875d0c41f296

commit 3fc81b9f8145ade3e1dd6945f603875d0c41f296
Author:     Jason E. Hale <jhale@FreeBSD.org>
AuthorDate: 2024-05-19 05:25:08 +0000
Commit:     Jason E. Hale <jhale@FreeBSD.org>
CommitDate: 2024-05-19 05:28:42 +0000

    www/qt5-webengine: Address a few CVEs in chromium
    
    MFH:            2024Q2
    Security:       d58455cc-159e-11ef-83d8-4ccc6adda413
---
 www/qt5-webengine/Makefile                    |   2 +-
 www/qt5-webengine/files/patch-security-rollup | 273 ++++++++++++++++++++++++++
 2 files changed, 274 insertions(+), 1 deletion(-)

diff --git a/www/qt5-webengine/Makefile b/www/qt5-webengine/Makefile
index 9b1dbab6880c..0f6a5f3dca02 100644
--- a/www/qt5-webengine/Makefile
+++ b/www/qt5-webengine/Makefile
@@ -19,7 +19,7 @@
 
 PORTNAME=	webengine
 DISTVERSION=	${QT5_VERSION}${QT5_KDE_PATCH}
-PORTREVISION=	1
+PORTREVISION=	2
 CATEGORIES=	www
 PKGNAMEPREFIX=	qt5-
 
diff --git a/www/qt5-webengine/files/patch-security-rollup b/www/qt5-webengine/files/patch-security-rollup
new file mode 100644
index 000000000000..e0554d3d7c61
--- /dev/null
+++ b/www/qt5-webengine/files/patch-security-rollup
@@ -0,0 +1,273 @@
+Add security patches to this file.
+
+Addresses the following security issues:
+
+- Security bug 329674887
+- CVE-2024-3157
+- CVE-2024-3516
+
+From a3580d0a0fc78016093fd96d72f1449589642292 Mon Sep 17 00:00:00 2001
+From: Marco Paniconi <marpan@google.com>
+Date: Wed, 13 Mar 2024 10:58:17 -0700
+Subject: [PATCH] [Backport] Security bug 329674887 (1/2)
+
+Cherry-pick of patch orignally reviewed on
+https://chromium-review.googlesource.com/c/webm/libvpx/+/5370376:
+Fix to buffer alloc for vp9_bitstream_worker_data
+
+The code was using the bitstream_worker_data when it
+wasn't allocated for big enough size. This is because
+the existing condition was to only re-alloc the
+bitstream_worker_data when current dest_size was larger
+than the current frame_size. But under resolution change
+where frame_size is increased, beyond the current dest_size,
+we need to allow re-alloc to the new size.
+
+The existing condition to re-alloc when dest_size is
+larger than frame_size (which is not required) is kept
+for now.
+
+Also increase the dest_size to account for image format.
+
+Added tests, for both ROW_MT=0 and 1, that reproduce
+the failures in the bugs below.
+
+Note: this issue only affects the REALTIME encoding path.
+
+Bug: b/329088759, b/329674887, b/329179808
+
+Change-Id: Icd65dbc5317120304d803f648d4bd9405710db6f
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554667
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../source/libvpx/vp9/encoder/vp9_bitstream.c      | 14 +++++++++++---
+ 1 file changed, 11 insertions(+), 3 deletions(-)
+
+diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+index 3eff4ce830d1..22db39714922 100644
+--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
++++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+@@ -963,6 +963,14 @@ void vp9_bitstream_encode_tiles_buffer_dealloc(VP9_COMP *const cpi) {
+   }
+ }
+ 
++static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) {
++  VP9_COMMON *const cm = &cpi->common;
++  const int image_bps =
++      (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) *
++      (1 + (cm->bit_depth > 8));
++  return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
++}
++
+ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
+   int i;
+   const size_t worker_data_size =
+@@ -972,7 +980,7 @@ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
+   if (!cpi->vp9_bitstream_worker_data) return 1;
+   for (i = 1; i < cpi->num_workers; ++i) {
+     cpi->vp9_bitstream_worker_data[i].dest_size =
+-        cpi->oxcf.width * cpi->oxcf.height;
++        encode_tiles_buffer_alloc_size(cpi);
+     cpi->vp9_bitstream_worker_data[i].dest =
+         vpx_malloc(cpi->vp9_bitstream_worker_data[i].dest_size);
+     if (!cpi->vp9_bitstream_worker_data[i].dest) return 1;
+@@ -989,8 +997,8 @@ static size_t encode_tiles_mt(VP9_COMP *cpi, uint8_t *data_ptr) {
+   int tile_col = 0;
+ 
+   if (!cpi->vp9_bitstream_worker_data ||
+-      cpi->vp9_bitstream_worker_data[1].dest_size >
+-          (cpi->oxcf.width * cpi->oxcf.height)) {
++      cpi->vp9_bitstream_worker_data[1].dest_size !=
++          encode_tiles_buffer_alloc_size(cpi)) {
+     vp9_bitstream_encode_tiles_buffer_dealloc(cpi);
+     if (encode_tiles_buffer_alloc(cpi)) return 0;
+   }
+From 7c81b9390d837ffbaccb1846db64960b4a79626f Mon Sep 17 00:00:00 2001
+From: Marco Paniconi <marpan@google.com>
+Date: Sat, 16 Mar 2024 10:39:28 -0700
+Subject: [PATCH] [Backport] Security bug 329674887 (2/2)
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/webm/libvpx/+/5375794:
+vp9: fix to integer overflow test
+
+failure for the 16k test: issue introduced
+in: c29e637283
+
+Bug: b/329088759, b/329674887, b/329179808
+
+Change-Id: I88e8a36b7f13223997c3006c84aec9cfa48c0bcf
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554668
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c          | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c b/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+index 22db3971492..645ba6ebb3a 100644
+--- src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
++++ src/3rdparty/chromium/third_party/libvpx/source/libvpx/vp9/encoder/vp9_bitstream.c
+@@ -968,7 +968,9 @@ static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) {
+   const int image_bps =
+       (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) *
+       (1 + (cm->bit_depth > 8));
+-  return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
++  const int64_t size =
++      (int64_t)cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
++  return (int)size;
+ }
+ 
+ static int encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
+From 11ecd608320b14500f912e827b5b0eab285b8142 Mon Sep 17 00:00:00 2001
+From: kylechar <kylechar@chromium.org>
+Date: Tue, 9 Apr 2024 17:14:26 +0000
+Subject: [PATCH] [Backport] CVE-2024-3157: Out of bounds write in Compositing
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/chromium/src/+/5420432:
+Validate buffer length
+
+The BitmapInSharedMemory mojo traits were only validating row length and
+not total buffer length.
+
+(cherry picked from commit 1a19ff70bd54847d818566bd7a1e7c384c419746)
+
+(cherry picked from commit f15315f1cb7897e208947a40d538aac693283d7f)
+
+Bug: 331237485
+Change-Id: Ia2318899c44e9e7ac72fc7183954e6ce2c702179
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5396796
+Commit-Queue: Kyle Charbonneau <kylechar@chromium.org>
+Cr-Original-Original-Commit-Position: refs/heads/main@{#1278417}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5420432
+Commit-Queue: danakj <danakj@chromium.org>
+Cr-Original-Commit-Position: refs/branch-heads/6312@{#786}
+Cr-Original-Branched-From: 6711dcdae48edaf98cbc6964f90fac85b7d9986e-refs/heads/main@{#1262506}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5433678
+Reviewed-by: danakj <danakj@chromium.org>
+Reviewed-by: Kyle Charbonneau <kylechar@chromium.org>
+Cr-Commit-Position: refs/branch-heads/6099@{#2003}
+Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554669
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc   | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc b/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
+index f602fa100477..c6d84002b3e4 100644
+--- src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
++++ src/3rdparty/chromium/services/viz/public/cpp/compositing/bitmap_in_shared_memory_mojom_traits.cc
+@@ -69,6 +69,10 @@ bool StructTraits<viz::mojom::BitmapInSharedMemoryDataView, SkBitmap>::Read(
+   if (!mapping_ptr->IsValid())
+     return false;
+ 
++  if (mapping_ptr->size() < image_info.computeByteSize(data.row_bytes())) {
++    return false;
++  }
++
+   if (!sk_bitmap->installPixels(image_info, mapping_ptr->memory(),
+                                 data.row_bytes(), &DeleteSharedMemoryMapping,
+                                 mapping_ptr.get())) {
+From 060d3aa868d6f4403a9416fe34b48ffbfcfe19cb Mon Sep 17 00:00:00 2001
+From: Shahbaz Youssefi <syoussefi@chromium.org>
+Date: Mon, 25 Mar 2024 14:46:56 -0400
+Subject: [PATCH] [Backport] CVE-2024-3516: Heap buffer overflow in ANGLE
+
+Cherry-pick of patch originally reviewed on
+https://chromium-review.googlesource.com/c/angle/angle/+/5391986:
+Translator: Disallow samplers in structs in interface blocks
+
+As disallowed by the spec:
+
+> Types and declarators are the same as for other uniform variable
+> declarations outside blocks, with these exceptions:
+>
+> * opaque types are not allowed
+
+Bug: chromium:328859176
+Change-Id: Ib94977860102329e520e635c3757827c93ca2163
+Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5391986
+Auto-Submit: Shahbaz Youssefi <syoussefi@chromium.org>
+Reviewed-by: Geoff Lang <geofflang@chromium.org>
+Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
+Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/554670
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../src/compiler/translator/ParseContext.cpp  | 33 ++++++++++++-------
+ 1 file changed, 21 insertions(+), 12 deletions(-)
+
+diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
+index 84a0c8fd9e0d..3e8a4a71ff67 100644
+--- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
++++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
+@@ -34,27 +34,39 @@ namespace
+ 
+ const int kWebGLMaxStructNesting = 4;
+ 
+-bool ContainsSampler(const TStructure *structType);
++struct IsSamplerFunc
++{
++    bool operator()(TBasicType type) { return IsSampler(type); }
++};
++struct IsOpaqueFunc
++{
++    bool operator()(TBasicType type) { return IsOpaqueType(type); }
++};
++
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TStructure *structType);
+ 
+-bool ContainsSampler(const TType &type)
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TType &type)
+ {
+-    if (IsSampler(type.getBasicType()))
++    if (OpaqueFunc{}(type.getBasicType()))
+     {
+         return true;
+     }
+     if (type.getBasicType() == EbtStruct)
+     {
+-        return ContainsSampler(type.getStruct());
++        return ContainsOpaque<OpaqueFunc>(type.getStruct());
+     }
+ 
+     return false;
+ }
+ 
+-bool ContainsSampler(const TStructure *structType)
++template <typename OpaqueFunc>
++bool ContainsOpaque(const TStructure *structType)
+ {
+     for (const auto &field : structType->fields())
+     {
+-        if (ContainsSampler(*field->type()))
++        if (ContainsOpaque<OpaqueFunc>(*field->type()))
+             return true;
+     }
+     return false;
+@@ -915,7 +927,7 @@ bool TParseContext::checkIsNotOpaqueType(const TSourceLoc &line,
+ {
+     if (pType.type == EbtStruct)
+     {
+-        if (ContainsSampler(pType.userDef))
++        if (ContainsOpaque<IsSamplerFunc>(pType.userDef))
+         {
+             std::stringstream reasonStream = sh::InitializeStream<std::stringstream>();
+             reasonStream << reason << " (structure contains a sampler)";
+@@ -3900,12 +3912,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock(
+     {
+         TField *field    = (*fieldList)[memberIndex];
+         TType *fieldType = field->type();
+-        if (IsOpaqueType(fieldType->getBasicType()))
++        if (ContainsOpaque<IsOpaqueFunc>(*fieldType))
+         {
+-            std::string reason("unsupported type - ");
+-            reason += fieldType->getBasicString();
+-            reason += " types are not allowed in interface blocks";
+-            error(field->line(), reason.c_str(), fieldType->getBasicString());
++            error(field->line(), "Opaque types are not allowed in interface blocks", blockName);
+         }
+ 
+         const TQualifier qualifier = fieldType->getQualifier();