56 files changed, 615 insertions, 5484 deletions
diff --git a/Mk/Uses/qt.mk b/Mk/Uses/qt.mk index 8d3eceb73f25..e845891c97a0 100644 --- a/Mk/Uses/qt.mk +++ b/Mk/Uses/qt.mk @@ -23,7 +23,7 @@ _QT_MK_INCLUDED= qt.mk # Qt versions currently supported by the framework. _QT_SUPPORTED?= 5 6 QT5_VERSION?= 5.15.12 -QT6_VERSION?= 6.6.1 +QT6_VERSION?= 6.6.2 PYSIDE6_VERSION?= 6.6.1 # We accept the Qt version to be passed by either or all of the three mk files. diff --git a/accessibility/qt6-speech/distinfo b/accessibility/qt6-speech/distinfo index 7850daa2e10b..6e99d6a5e15f 100644 --- a/accessibility/qt6-speech/distinfo +++ b/accessibility/qt6-speech/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701101665 -SHA256 (KDE/Qt/6.6.1/qtspeech-everywhere-src-6.6.1.tar.xz) = a28c2052c95144cf25f2f234e5334df364818da2b0fc091e369418869c925899 -SIZE (KDE/Qt/6.6.1/qtspeech-everywhere-src-6.6.1.tar.xz) = 270752 +TIMESTAMP = 1707969713 +SHA256 (KDE/Qt/6.6.2/qtspeech-everywhere-src-6.6.2.tar.xz) = c023bb12403270dbc22aa8fb721b60132bc55504f8a306087785dd70c51d6ee3 +SIZE (KDE/Qt/6.6.2/qtspeech-everywhere-src-6.6.2.tar.xz) = 262008 diff --git a/comms/qt6-connectivity/distinfo b/comms/qt6-connectivity/distinfo index 497155ac308c..59193900fe76 100644 --- a/comms/qt6-connectivity/distinfo +++ b/comms/qt6-connectivity/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701101668 -SHA256 (KDE/Qt/6.6.1/qtconnectivity-everywhere-src-6.6.1.tar.xz) = 5b468d4649464ff983746c5e9129b731de639ac835d35857f5d87cd4258e0645 -SIZE (KDE/Qt/6.6.1/qtconnectivity-everywhere-src-6.6.1.tar.xz) = 989544 +TIMESTAMP = 1707969715 +SHA256 (KDE/Qt/6.6.2/qtconnectivity-everywhere-src-6.6.2.tar.xz) = a36f51085883ef8ae5782826d15cef261355a822eba76ccc323f3f0b81defab7 +SIZE (KDE/Qt/6.6.2/qtconnectivity-everywhere-src-6.6.2.tar.xz) = 1060936 diff --git a/comms/qt6-sensors/distinfo b/comms/qt6-sensors/distinfo index 356abc05cb59..dcdbf120f7e1 100644 --- a/comms/qt6-sensors/distinfo +++ b/comms/qt6-sensors/distinfo 
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101671
-SHA256 (KDE/Qt/6.6.1/qtsensors-everywhere-src-6.6.1.tar.xz) = bd13ee815c2fc39ac9e5a2e34f3e7055f972d14b949f00d6c6ec5347783799d3
-SIZE (KDE/Qt/6.6.1/qtsensors-everywhere-src-6.6.1.tar.xz) = 1502740
+TIMESTAMP = 1707969718
+SHA256 (KDE/Qt/6.6.2/qtsensors-everywhere-src-6.6.2.tar.xz) = 4a6f9fcee6d23dd0f7e8b84b0faa12153ad779f09a266bbb6fb657eb16287c28
+SIZE (KDE/Qt/6.6.2/qtsensors-everywhere-src-6.6.2.tar.xz) = 1494024
diff --git a/comms/qt6-serialbus/distinfo b/comms/qt6-serialbus/distinfo
index 137174070ed6..9cfb903caac6 100644
--- a/comms/qt6-serialbus/distinfo
+++ b/comms/qt6-serialbus/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101674
-SHA256 (KDE/Qt/6.6.1/qtserialbus-everywhere-src-6.6.1.tar.xz) = 5c145e630b30a1c204e787c46833bb68d9bcece31343b588a6788711f49ef7ac
-SIZE (KDE/Qt/6.6.1/qtserialbus-everywhere-src-6.6.1.tar.xz) = 554516
+TIMESTAMP = 1707969721
+SHA256 (KDE/Qt/6.6.2/qtserialbus-everywhere-src-6.6.2.tar.xz) = 9cffaa49e1b742e315990c2cf9179f9419ad23c1f0591b6f14b9ac4c03eafa3c
+SIZE (KDE/Qt/6.6.2/qtserialbus-everywhere-src-6.6.2.tar.xz) = 545828
diff --git a/comms/qt6-serialport/distinfo b/comms/qt6-serialport/distinfo
index 1a997d2215c1..68f69ee705e0 100644
--- a/comms/qt6-serialport/distinfo
+++ b/comms/qt6-serialport/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101676
-SHA256 (KDE/Qt/6.6.1/qtserialport-everywhere-src-6.6.1.tar.xz) = 96fc233d5cbcac5048c6020dcfbd6cec8a6a8334eed0a283b33d58afc6d2aed8
-SIZE (KDE/Qt/6.6.1/qtserialport-everywhere-src-6.6.1.tar.xz) = 279564
+TIMESTAMP = 1707969723
+SHA256 (KDE/Qt/6.6.2/qtserialport-everywhere-src-6.6.2.tar.xz) = ba1e0c9caeb1ee06ce940ce32c810e6fab826124281469ad0eecff56f375459a
+SIZE (KDE/Qt/6.6.2/qtserialport-everywhere-src-6.6.2.tar.xz) = 270564
diff --git a/databases/qt6-base_sqldriver/distinfo b/databases/qt6-base_sqldriver/distinfo
index d2a3bc746c62..bd7c35680ca8 100644
--- a/databases/qt6-base_sqldriver/distinfo
+++ b/databases/qt6-base_sqldriver/distinfo
@@ -1,3 +1,3 @@ -TIMESTAMP = 1701101726 -SHA256 (KDE/Qt/6.6.1/qtbase-everywhere-src-6.6.1.tar.xz) = 450c5b4677b2fe40ed07954d7f0f40690068e80a94c9df86c2c905ccd59d02f7 -SIZE (KDE/Qt/6.6.1/qtbase-everywhere-src-6.6.1.tar.xz) = 48370760 +TIMESTAMP = 1707969746 +SHA256 (KDE/Qt/6.6.2/qtbase-everywhere-src-6.6.2.tar.xz) = b89b426b9852a17d3e96230ab0871346574d635c7914480a2a27f98ff942677b +SIZE (KDE/Qt/6.6.2/qtbase-everywhere-src-6.6.2.tar.xz) = 48689304 diff --git a/devel/qt6-5compat/distinfo b/devel/qt6-5compat/distinfo index 3d146fb6c8ea..3a34838591a0 100644 --- a/devel/qt6-5compat/distinfo +++ b/devel/qt6-5compat/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701101740 -SHA256 (KDE/Qt/6.6.1/qt5compat-everywhere-src-6.6.1.tar.xz) = 0e1d15b6eda4172383208109d957257c8fa26a8a881f2901a4e9f347a31bc1f2 -SIZE (KDE/Qt/6.6.1/qt5compat-everywhere-src-6.6.1.tar.xz) = 14640664 +TIMESTAMP = 1707969753 +SHA256 (KDE/Qt/6.6.2/qt5compat-everywhere-src-6.6.2.tar.xz) = e07b08ab7658e4856f07e3262ab342df4ed7e7a69f2720e56bb2128729191967 +SIZE (KDE/Qt/6.6.2/qt5compat-everywhere-src-6.6.2.tar.xz) = 14632168 diff --git a/devel/qt6-base/Makefile b/devel/qt6-base/Makefile index 6b55a7b9f2bc..048dc7a6f13c 100644 --- a/devel/qt6-base/Makefile +++ b/devel/qt6-base/Makefile @@ -1,6 +1,5 @@ PORTNAME= base DISTVERSION= ${QT6_VERSION} -PORTREVISION= 2 CATEGORIES= devel PKGNAMEPREFIX= qt6- diff --git a/devel/qt6-base/distinfo b/devel/qt6-base/distinfo index 8fb71367743a..51636b996e2e 100644 --- a/devel/qt6-base/distinfo +++ b/devel/qt6-base/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701101741 -SHA256 (KDE/Qt/6.6.1/qtbase-everywhere-src-6.6.1.tar.xz) = 450c5b4677b2fe40ed07954d7f0f40690068e80a94c9df86c2c905ccd59d02f7 -SIZE (KDE/Qt/6.6.1/qtbase-everywhere-src-6.6.1.tar.xz) = 48370760 +TIMESTAMP = 1707969754 +SHA256 (KDE/Qt/6.6.2/qtbase-everywhere-src-6.6.2.tar.xz) = b89b426b9852a17d3e96230ab0871346574d635c7914480a2a27f98ff942677b +SIZE (KDE/Qt/6.6.2/qtbase-everywhere-src-6.6.2.tar.xz) = 48689304 
diff --git a/devel/qt6-base/files/patch-cmake_QtBuild.cmake b/devel/qt6-base/files/patch-cmake_QtBuildPathsHelpers.cmake index 81b407b918e3..8df0968ae885 100644 --- a/devel/qt6-base/files/patch-cmake_QtBuild.cmake +++ b/devel/qt6-base/files/patch-cmake_QtBuildPathsHelpers.cmake @@ -1,6 +1,6 @@ ---- cmake/QtBuild.cmake.orig 2023-09-21 19:24:26 UTC -+++ cmake/QtBuild.cmake -@@ -203,7 +203,7 @@ function(qt_internal_set_up_global_paths) +--- cmake/QtBuildPathsHelpers.cmake.orig 2024-02-08 16:01:05 UTC ++++ cmake/QtBuildPathsHelpers.cmake +@@ -100,7 +100,7 @@ function(qt_internal_setup_build_and_install_paths) if(QT_CONFIG_INSTALL_DIR) string(APPEND QT_CONFIG_INSTALL_DIR "/") endif() diff --git a/devel/qt6-base/files/patch-security-rollup b/devel/qt6-base/files/patch-security-rollup deleted file mode 100644 index e1b537aa5e1c..000000000000 --- a/devel/qt6-base/files/patch-security-rollup +++ /dev/null 
@@ -1,145 +0,0 @@ -From 13c16b756900fe524f6d9534e8a07aa003c05e0c Mon Sep 17 00:00:00 2001 -From: Marc Mutz <marc.mutz@qt.io> -Date: Tue, 12 Dec 2023 20:51:56 +0100 -Subject: [PATCH] HPack: fix a Yoda Condition - -Putting the variable on the LHS of a relational operation makes the -expression easier to read. In this case, we find that the whole -expression is nonsensical as an overflow protection, because if -name.size() + value.size() overflows, the result will exactly _not_ -be > max() - 32, because UB will have happened. - -To be fixed in a follow-up commit. - -As a drive-by, add parentheses around the RHS. - -Pick-to: 6.5 6.2 5.15 -Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09 -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> -(cherry picked from commit 658607a34ead214fbacbc2cca44915655c318ea9) -Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> -(cherry picked from commit 4f7efd41740107f90960116700e3134f5e433867) ---- - src/network/access/http2/hpacktable.cpp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp -index 74a09a207ff..c8c5d098c80 100644 ---- src/network/access/http2/hpacktable.cpp.orig -+++ src/network/access/http2/hpacktable.cpp -@@ -27,7 +27,7 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value) - // 32 octets of overhead." 
- - const unsigned sum = unsigned(name.size() + value.size()); -- if (std::numeric_limits<unsigned>::max() - 32 < sum) -+ if (sum > (std::numeric_limits<unsigned>::max() - 32)) - return HeaderSize(); - return HeaderSize(true, quint32(sum + 32)); - } -From 811b9eef6d08d929af8708adbf2a5effb0eb62d7 Mon Sep 17 00:00:00 2001 -From: Marc Mutz <marc.mutz@qt.io> -Date: Tue, 12 Dec 2023 22:08:07 +0100 -Subject: [PATCH] HPack: fix incorrect integer overflow check - -This code never worked: - -For the comparison with max() - 32 to trigger, on 32-bit platforms (or -Qt 5) signed interger overflow would have had to happen in the -addition of the two sizes. The compiler can therefore remove the -overflow check as dead code. - -On Qt 6 and 64-bit platforms, the signed integer addition would be -very unlikely to overflow, but the following truncation to uint32 -would yield the correct result only in a narrow 32-value window just -below UINT_MAX, if even that. - -Fix by using the proper tool, qAddOverflow. - -Pick-to: 6.5 6.2 5.15 -Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c -Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io> -(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3) -Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> -(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860) -Reviewed-by: Thiago Macieira <thiago.macieira@intel.com> -Reviewed-by: Marc Mutz <marc.mutz@qt.io> ---- - src/network/access/http2/hpacktable.cpp | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp -index c8c5d098c80..2c728b37e3b 100644 ---- src/network/access/http2/hpacktable.cpp.orig -+++ src/network/access/http2/hpacktable.cpp -@@ -26,7 +26,9 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value) - // for counting the number of references to the name and value would have - // 32 octets of overhead." 
- -- const unsigned sum = unsigned(name.size() + value.size()); -+ size_t sum; -+ if (qAddOverflow(size_t(name.size()), size_t(value.size()), &sum)) -+ return HeaderSize(); - if (sum > (std::numeric_limits<unsigned>::max() - 32)) - return HeaderSize(); - return HeaderSize(true, quint32(sum + 32)); -From 2e50fbc30a61d69cc2caf6fbd8aca29aa6b8db86 Mon Sep 17 00:00:00 2001 -From: Marc Mutz <marc.mutz@qt.io> -Date: Tue, 19 Dec 2023 14:22:37 +0100 -Subject: [PATCH] Http2: fix potential overflow in assemble_hpack_block() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -The function is given a vector of Http2::Frame's and flattens it into -a vector<uchar>. While each Frame can contain a maximum of 16GiB of -data (24-bit size field), one "only" needs 257 of them to overflow the -quint32 variable's range. - -So make sure any overflow does not go undetected. - -Keep the limited uint32_t range for now, as we don't know whether all -consumers of the result can deal with more than 4GiB of data. - -Since all these frames must be in memory, this cannot overflow in -practice on 32-bit machines. 
- -Pick-to: 6.5 6.2 5.15 -Change-Id: Iafaa7d1c870cba9100e75065db11d95934f86213 -Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io> -(cherry picked from commit 1e6bb61af3ae29755f93b92f157df026f934ae61) -Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> -(cherry picked from commit af8a9874c32c6b1af8998be9487170b6269dbe1f) ---- - src/network/access/qhttp2protocolhandler.cpp | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/network/access/qhttp2protocolhandler.cpp b/src/network/access/qhttp2protocolhandler.cpp -index 88963f89687..707ef8de54e 100644 ---- src/network/access/qhttp2protocolhandler.cpp.orig -+++ src/network/access/qhttp2protocolhandler.cpp -@@ -10,10 +10,12 @@ - #include <private/qnoncontiguousbytedevice_p.h> - - #include <QtNetwork/qabstractsocket.h> -+ - #include <QtCore/qloggingcategory.h> - #include <QtCore/qendian.h> - #include <QtCore/qdebug.h> - #include <QtCore/qlist.h> -+#include <QtCore/qnumeric.h> - #include <QtCore/qurl.h> - - #include <qhttp2configuration.h> -@@ -90,8 +92,10 @@ std::vector<uchar> assemble_hpack_block(const std::vector<Http2::Frame> &frames) - std::vector<uchar> hpackBlock; - - quint32 total = 0; -- for (const auto &frame : frames) -- total += frame.hpackBlockSize(); -+ for (const auto &frame : frames) { -+ if (qAddOverflow(total, frame.hpackBlockSize(), &total)) -+ return hpackBlock; -+ } - - if (!total) - return hpackBlock; diff --git a/devel/qt6-base/pkg-plist b/devel/qt6-base/pkg-plist index f3b5273eda02..b07e6bb089c7 100644 --- a/devel/qt6-base/pkg-plist +++ b/devel/qt6-base/pkg-plist 
@@ -168,6 +168,7 @@ bin/qmake6 %%QT_INCDIR%%/QtCore/%%FULLVER%%/QtCore/private/qtransposeproxymodel_p.h %%QT_INCDIR%%/QtCore/%%FULLVER%%/QtCore/private/qunicodetables_p.h %%QT_INCDIR%%/QtCore/%%FULLVER%%/QtCore/private/qunicodetools_p.h +%%QT_INCDIR%%/QtCore/%%FULLVER%%/QtCore/private/quniquehandle_p.h %%QT_INCDIR%%/QtCore/%%FULLVER%%/QtCore/private/qurl_p.h %%QT_INCDIR%%/QtCore/%%FULLVER%%/QtCore/private/qvariant_p.h %%QT_INCDIR%%/QtCore/%%FULLVER%%/QtCore/private/qvariantanimation_p.h @@ -2525,10 +2526,16 @@ lib/cmake/Qt6/Qt6Targets.cmake lib/cmake/Qt6/Qt6VersionlessTargets.cmake lib/cmake/Qt6/QtAndroidHelpers.cmake lib/cmake/Qt6/QtAppHelpers.cmake +lib/cmake/Qt6/QtAutoDetectHelpers.cmake lib/cmake/Qt6/QtAutogenHelpers.cmake lib/cmake/Qt6/QtBaseTopLevelHelpers.cmake lib/cmake/Qt6/QtBuild.cmake +lib/cmake/Qt6/QtBuildHelpers.cmake lib/cmake/Qt6/QtBuildInformation.cmake +lib/cmake/Qt6/QtBuildOptionsHelpers.cmake +lib/cmake/Qt6/QtBuildPathsHelpers.cmake +lib/cmake/Qt6/QtBuildRepoExamplesHelpers.cmake +lib/cmake/Qt6/QtBuildRepoHelpers.cmake lib/cmake/Qt6/QtCMakeHelpers.cmake lib/cmake/Qt6/QtCMakePackageVersionFile.cmake.in lib/cmake/Qt6/QtCMakeVersionHelpers.cmake @@ -2561,6 +2568,7 @@ lib/cmake/Qt6/QtInitProject.cmake lib/cmake/Qt6/QtInstallHelpers.cmake lib/cmake/Qt6/QtJavaHelpers.cmake lib/cmake/Qt6/QtLalrHelpers.cmake +lib/cmake/Qt6/QtMkspecHelpers.cmake lib/cmake/Qt6/QtModuleConfig.cmake.in lib/cmake/Qt6/QtModuleDependencies.cmake.in lib/cmake/Qt6/QtModuleHeadersCheck.cmake @@ -2587,6 +2595,7 @@ lib/cmake/Qt6/QtPublicAppleHelpers.cmake lib/cmake/Qt6/QtPublicCMakeHelpers.cmake lib/cmake/Qt6/QtPublicCMakeVersionHelpers.cmake lib/cmake/Qt6/QtPublicDependencyHelpers.cmake +lib/cmake/Qt6/QtPublicExternalProjectHelpers.cmake lib/cmake/Qt6/QtPublicFinalizerHelpers.cmake lib/cmake/Qt6/QtPublicFindPackageHelpers.cmake lib/cmake/Qt6/QtPublicPluginHelpers.cmake 
diff --git a/devel/qt6-languageserver/distinfo b/devel/qt6-languageserver/distinfo
index 5e54b7d6d245..0dc7be544051 100644
--- a/devel/qt6-languageserver/distinfo
+++ b/devel/qt6-languageserver/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101743
-SHA256 (KDE/Qt/6.6.1/qtlanguageserver-everywhere-src-6.6.1.tar.xz) = b0761f5603a989df921df10ff33e70d7b98d2a33b17679a7e84eb4f224e73e6f
-SIZE (KDE/Qt/6.6.1/qtlanguageserver-everywhere-src-6.6.1.tar.xz) = 154312
+TIMESTAMP = 1707969756
+SHA256 (KDE/Qt/6.6.2/qtlanguageserver-everywhere-src-6.6.2.tar.xz) = c31f4c45e0abffe7b444b224d1e49948f1c76210172e1f17104cf14a48fceaad
+SIZE (KDE/Qt/6.6.2/qtlanguageserver-everywhere-src-6.6.2.tar.xz) = 145480
diff --git a/devel/qt6-location/distinfo b/devel/qt6-location/distinfo
index c0b0e0f83f59..a9c68e16b68e 100644
--- a/devel/qt6-location/distinfo
+++ b/devel/qt6-location/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101748
-SHA256 (KDE/Qt/6.6.1/qtlocation-everywhere-src-6.6.1.tar.xz) = 8dbe2b62e37278c83c5acdb536c3e4c313ec0bac5380d020873db692199f9c29
-SIZE (KDE/Qt/6.6.1/qtlocation-everywhere-src-6.6.1.tar.xz) = 3035980
+TIMESTAMP = 1707969759
+SHA256 (KDE/Qt/6.6.2/qtlocation-everywhere-src-6.6.2.tar.xz) = 9e25dcfeafecedb288e6011ebd70f6cf68b66204c4acfb97873483a755e5f415
+SIZE (KDE/Qt/6.6.2/qtlocation-everywhere-src-6.6.2.tar.xz) = 3028592
diff --git a/devel/qt6-positioning/distinfo b/devel/qt6-positioning/distinfo
index 521860858430..f05fa20608ff 100644
--- a/devel/qt6-positioning/distinfo
+++ b/devel/qt6-positioning/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101751
-SHA256 (KDE/Qt/6.6.1/qtpositioning-everywhere-src-6.6.1.tar.xz) = 3ddac73f3b12b8516498cb5d2f9ade058a1a9368f74188d48ed27032833816b8
-SIZE (KDE/Qt/6.6.1/qtpositioning-everywhere-src-6.6.1.tar.xz) = 1513456
+TIMESTAMP = 1707969761
+SHA256 (KDE/Qt/6.6.2/qtpositioning-everywhere-src-6.6.2.tar.xz) = 4da7567cc1ed2480b137ac7d8db16be40ee935c52585762a7a44b6a4ef0ec3e2
+SIZE (KDE/Qt/6.6.2/qtpositioning-everywhere-src-6.6.2.tar.xz) = 1504848
diff --git a/devel/qt6-remoteobjects/distinfo b/devel/qt6-remoteobjects/distinfo
index f01d76f67d37..85dd3ae7bb52 100644
--- a/devel/qt6-remoteobjects/distinfo
+++ b/devel/qt6-remoteobjects/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101753
-SHA256 (KDE/Qt/6.6.1/qtremoteobjects-everywhere-src-6.6.1.tar.xz) = b89e5898ff8bc0fca03e07cde97158ad02a0e082971e0637c4db69cd06fb9599
-SIZE (KDE/Qt/6.6.1/qtremoteobjects-everywhere-src-6.6.1.tar.xz) = 542624
+TIMESTAMP = 1707969763
+SHA256 (KDE/Qt/6.6.2/qtremoteobjects-everywhere-src-6.6.2.tar.xz) = aae3a20fee7ea2aadc47679f90151ddec3ca1e42c537937d457fde3efd977339
+SIZE (KDE/Qt/6.6.2/qtremoteobjects-everywhere-src-6.6.2.tar.xz) = 534060
diff --git a/devel/qt6-scxml/distinfo b/devel/qt6-scxml/distinfo
index 0e689b56a685..06455ad9f39a 100644
--- a/devel/qt6-scxml/distinfo
+++ b/devel/qt6-scxml/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101756
-SHA256 (KDE/Qt/6.6.1/qtscxml-everywhere-src-6.6.1.tar.xz) = 874bc57af4399399e36424288d5e23fd8ea18c20ad9e0adb1ae3fbd420dd0897
-SIZE (KDE/Qt/6.6.1/qtscxml-everywhere-src-6.6.1.tar.xz) = 1176684
+TIMESTAMP = 1707969765
+SHA256 (KDE/Qt/6.6.2/qtscxml-everywhere-src-6.6.2.tar.xz) = 094982f0ff828070b2282c97b68229ec8ff4d68b32f335ab1cba81530a40a43e
+SIZE (KDE/Qt/6.6.2/qtscxml-everywhere-src-6.6.2.tar.xz) = 1167628
diff --git a/devel/qt6-tools/distinfo b/devel/qt6-tools/distinfo
index eeab1507260c..b18c2a4f0b08 100644
--- a/devel/qt6-tools/distinfo
+++ b/devel/qt6-tools/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101767
-SHA256 (KDE/Qt/6.6.1/qttools-everywhere-src-6.6.1.tar.xz) = 4939105a7345ab4e19e7caee8654a836e65bd41910359623e0f233f3aff0914a
-SIZE (KDE/Qt/6.6.1/qttools-everywhere-src-6.6.1.tar.xz) = 8583536
+TIMESTAMP = 1707969770
+SHA256 (KDE/Qt/6.6.2/qttools-everywhere-src-6.6.2.tar.xz) = e6d49e9f52111287f77878ecb8b708cce682f10b03ba2476d9247603bc6c4746
+SIZE (KDE/Qt/6.6.2/qttools-everywhere-src-6.6.2.tar.xz) = 8594492
diff --git a/devel/qt6-translations/distinfo b/devel/qt6-translations/distinfo index b2d50f964ed1..5d6969f90cf6 100644 --- a/devel/qt6-translations/distinfo +++ b/devel/qt6-translations/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701101770 -SHA256 (KDE/Qt/6.6.1/qttranslations-everywhere-src-6.6.1.tar.xz) = 668702e822ad7150b27e7caa2158595fd9b3b77ffbc8262e6509872a3920ee88 -SIZE (KDE/Qt/6.6.1/qttranslations-everywhere-src-6.6.1.tar.xz) = 1481184 +TIMESTAMP = 1707969772 +SHA256 (KDE/Qt/6.6.2/qttranslations-everywhere-src-6.6.2.tar.xz) = ca3ac090ef3aa12566c26b482c106f1f986c5a3444e7003f379726a550530c77 +SIZE (KDE/Qt/6.6.2/qttranslations-everywhere-src-6.6.2.tar.xz) = 1472416 diff --git a/graphics/qt6-3d/distinfo b/graphics/qt6-3d/distinfo index af3c4111ced4..1c5fa14a864a 100644 --- a/graphics/qt6-3d/distinfo +++ b/graphics/qt6-3d/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701101914 -SHA256 (KDE/Qt/6.6.1/qt3d-everywhere-src-6.6.1.tar.xz) = f384aed74f14a71c68f607a3b1e859ea22746e82650e775fd40f0653c2443229 -SIZE (KDE/Qt/6.6.1/qt3d-everywhere-src-6.6.1.tar.xz) = 163183224 +TIMESTAMP = 1707969830 +SHA256 (KDE/Qt/6.6.2/qt3d-everywhere-src-6.6.2.tar.xz) = 9174ec6eac56cdf58eb928ea9df8130ef744cee3171d08c78ba1a28778a38582 +SIZE (KDE/Qt/6.6.2/qt3d-everywhere-src-6.6.2.tar.xz) = 141560580 diff --git a/graphics/qt6-3d/files/patch-src_3rdparty_assimp_src_contrib_zip_src_miniz.h b/graphics/qt6-3d/files/patch-src_3rdparty_assimp_src_contrib_zip_src_miniz.h deleted file mode 100644 index 94087bd99309..000000000000 --- a/graphics/qt6-3d/files/patch-src_3rdparty_assimp_src_contrib_zip_src_miniz.h +++ /dev/null 
@@ -1,13 +0,0 @@
---- src/3rdparty/assimp/src/contrib/zip/src/miniz.h.orig 2021-10-21 09:07:21 UTC
-+++ src/3rdparty/assimp/src/contrib/zip/src/miniz.h
-@@ -4201,8 +4201,8 @@ static FILE *mz_freopen(const char *pPath, const char
- #define MZ_FWRITE fwrite
- #define MZ_FTELL64 ftello64
- #define MZ_FSEEK64 fseeko64
--#define MZ_FILE_STAT_STRUCT stat64
--#define MZ_FILE_STAT stat64
-+#define MZ_FILE_STAT_STRUCT stat
-+#define MZ_FILE_STAT stat
- #define MZ_FFLUSH fflush
- #define MZ_FREOPEN(p, m, s) freopen64(p, m, s)
- #define MZ_DELETE_FILE remove
diff --git a/graphics/qt6-imageformats/distinfo b/graphics/qt6-imageformats/distinfo
index 048befc55cf8..659966fe07d8 100644
--- a/graphics/qt6-imageformats/distinfo
+++ b/graphics/qt6-imageformats/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101917
-SHA256 (KDE/Qt/6.6.1/qtimageformats-everywhere-src-6.6.1.tar.xz) = ac4ed08950072e375be662cfa64fdb447dd6e935cf29c56a4128d1500492188f
-SIZE (KDE/Qt/6.6.1/qtimageformats-everywhere-src-6.6.1.tar.xz) = 1972464
+TIMESTAMP = 1707969832
+SHA256 (KDE/Qt/6.6.2/qtimageformats-everywhere-src-6.6.2.tar.xz) = 71584c9136d4983ad19fa2d017abbae57b055eb90c62a36bf3f45d6d21a87cb3
+SIZE (KDE/Qt/6.6.2/qtimageformats-everywhere-src-6.6.2.tar.xz) = 1964116
diff --git a/graphics/qt6-lottie/distinfo b/graphics/qt6-lottie/distinfo
index 8bc07aac57ce..2e0f84133ddf 100644
--- a/graphics/qt6-lottie/distinfo
+++ b/graphics/qt6-lottie/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101919
-SHA256 (KDE/Qt/6.6.1/qtlottie-everywhere-src-6.6.1.tar.xz) = 49cb059364f78936c09fb0f53dad23363ba8ae29d931cd8380cbdff4bda09fc8
-SIZE (KDE/Qt/6.6.1/qtlottie-everywhere-src-6.6.1.tar.xz) = 92264
+TIMESTAMP = 1707969834
+SHA256 (KDE/Qt/6.6.2/qtlottie-everywhere-src-6.6.2.tar.xz) = 276e16da2cba7c242c8fa4032c3838d352c356d6607574cfdc4a2b274bb910c3
+SIZE (KDE/Qt/6.6.2/qtlottie-everywhere-src-6.6.2.tar.xz) = 83340
diff --git a/graphics/qt6-quickeffectmaker/distinfo b/graphics/qt6-quickeffectmaker/distinfo
index 0455070383c4..b0935a872383 100644
--- a/graphics/qt6-quickeffectmaker/distinfo
+++ b/graphics/qt6-quickeffectmaker/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101926
-SHA256 (KDE/Qt/6.6.1/qtquickeffectmaker-everywhere-src-6.6.1.tar.xz) = ac180953c7479cb707b20f3fffb4b778dc8e62d79455ad499caae66d74dd2653
-SIZE (KDE/Qt/6.6.1/qtquickeffectmaker-everywhere-src-6.6.1.tar.xz) = 4367324
+TIMESTAMP = 1707969837
+SHA256 (KDE/Qt/6.6.2/qtquickeffectmaker-everywhere-src-6.6.2.tar.xz) = 079fa12d5092c84bd835fa83633622fca4e9baa7737ec4c76c83a4cbc3a9dc53
+SIZE (KDE/Qt/6.6.2/qtquickeffectmaker-everywhere-src-6.6.2.tar.xz) = 4358240
diff --git a/graphics/qt6-svg/distinfo b/graphics/qt6-svg/distinfo
index 74ec38d2875e..9bfb359627e9 100644
--- a/graphics/qt6-svg/distinfo
+++ b/graphics/qt6-svg/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101929
-SHA256 (KDE/Qt/6.6.1/qtsvg-everywhere-src-6.6.1.tar.xz) = 248deb56d26a463cf3162f530358ccf90cfb654bbf518bb35ddf81b205e09228
-SIZE (KDE/Qt/6.6.1/qtsvg-everywhere-src-6.6.1.tar.xz) = 1651976
+TIMESTAMP = 1707969840
+SHA256 (KDE/Qt/6.6.2/qtsvg-everywhere-src-6.6.2.tar.xz) = 5a231d59ef1b42bfbaa5174d4ff39f8e1b4ba070ef984a70b069b4b2576d8181
+SIZE (KDE/Qt/6.6.2/qtsvg-everywhere-src-6.6.2.tar.xz) = 1643056
diff --git a/graphics/qt6-wayland/distinfo b/graphics/qt6-wayland/distinfo
index 6a34f4a5279e..4ce8f09d55d3 100644
--- a/graphics/qt6-wayland/distinfo
+++ b/graphics/qt6-wayland/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701101932
-SHA256 (KDE/Qt/6.6.1/qtwayland-everywhere-src-6.6.1.tar.xz) = 66cc2d632dc07fc6cc4e35247f48b7c1753276ccbf86e86d7b24d799725568b1
-SIZE (KDE/Qt/6.6.1/qtwayland-everywhere-src-6.6.1.tar.xz) = 1127148
+TIMESTAMP = 1707969842
+SHA256 (KDE/Qt/6.6.2/qtwayland-everywhere-src-6.6.2.tar.xz) = 9bcdd5cef7ae304e3e0435dac495367ccfb010d09f664b596ba330361941dd78
+SIZE (KDE/Qt/6.6.2/qtwayland-everywhere-src-6.6.2.tar.xz) = 1118996
diff --git a/misc/qt6-doc/distinfo b/misc/qt6-doc/distinfo index d4c18997b51d..006fd78435f1 100644 --- a/misc/qt6-doc/distinfo +++ b/misc/qt6-doc/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701101948 -SHA256 (KDE/Qt/6.6.1/qtdoc-everywhere-src-6.6.1.tar.xz) = 944ba524e99e8e3c33b1f46de26b06599511b0004a0936d34fd520645c0cb059 -SIZE (KDE/Qt/6.6.1/qtdoc-everywhere-src-6.6.1.tar.xz) = 13174324 +TIMESTAMP = 1707969848 +SHA256 (KDE/Qt/6.6.2/qtdoc-everywhere-src-6.6.2.tar.xz) = afc71e6c7dfc084cfaab3ba5501215ae07bf75cee26326243faa1f283c207b43 +SIZE (KDE/Qt/6.6.2/qtdoc-everywhere-src-6.6.2.tar.xz) = 13237576 diff --git a/misc/qt6-doc/pkg-plist b/misc/qt6-doc/pkg-plist index 19a5c3b9a783..1e946c46b5c7 100644 --- a/misc/qt6-doc/pkg-plist +++ b/misc/qt6-doc/pkg-plist @@ -116,13 +116,13 @@ %%QT_DOCDIR%%/qtdoc/images/btn_prev.png %%QT_DOCDIR%%/qtdoc/images/bullet_dn.png %%QT_DOCDIR%%/qtdoc/images/bullet_sq.png -%%QT_DOCDIR%%/qtdoc/images/coffee_machine_emptycup.png %%QT_DOCDIR%%/qtdoc/images/coffee_machine_modify.png %%QT_DOCDIR%%/qtdoc/images/coffee_machine_overview.png %%QT_DOCDIR%%/qtdoc/images/coffee_machine_selection.png %%QT_DOCDIR%%/qtdoc/images/colorpalette_editing.png %%QT_DOCDIR%%/qtdoc/images/colorpalette_listing.png %%QT_DOCDIR%%/qtdoc/images/colorpalette_urlselection.png +%%QT_DOCDIR%%/qtdoc/images/controls.png %%QT_DOCDIR%%/qtdoc/images/deployment-mac-application.png %%QT_DOCDIR%%/qtdoc/images/deployment-mac-bundlestructure.png %%QT_DOCDIR%%/qtdoc/images/desktop_dark.png @@ -158,6 +158,7 @@ %%QT_DOCDIR%%/qtdoc/images/open-project.png %%QT_DOCDIR%%/qtdoc/images/piemenu.gif %%QT_DOCDIR%%/qtdoc/images/project-structure.png +%%QT_DOCDIR%%/qtdoc/images/project_structure.png %%QT_DOCDIR%%/qtdoc/images/qml-application.png %%QT_DOCDIR%%/qtdoc/images/qml-extending-types.gif %%QT_DOCDIR%%/qtdoc/images/qml-uses-animation.png 
@@ -205,6 +206,8 @@ %%QT_DOCDIR%%/qtdoc/images/qtquick-demo-clocks-small.png %%QT_DOCDIR%%/qtdoc/images/qtquick-demo-photosurface-small.png %%QT_DOCDIR%%/qtdoc/images/qtquick-demo-rssnews-small.png +%%QT_DOCDIR%%/qtdoc/images/qtquick-demo-samegame-med-1.png +%%QT_DOCDIR%%/qtdoc/images/qtquick-demo-samegame-med-2.png %%QT_DOCDIR%%/qtdoc/images/qtquick-demo-stocqt.png %%QT_DOCDIR%%/qtdoc/images/qtquick3D.png %%QT_DOCDIR%%/qtdoc/images/rhiarch.png @@ -315,7 +318,6 @@ %%QT_DOCDIR%%/qtdoc/qt6-buildsystem.html %%QT_DOCDIR%%/qtdoc/qtconcurrent-mtexamples.html %%QT_DOCDIR%%/qtdoc/qtconcurrentexamples.html -%%QT_DOCDIR%%/qtdoc/qtdoc-attribution-coffeeexample-titillium.html %%QT_DOCDIR%%/qtdoc/qtdoc-attribution-colorpaletteclient.html %%QT_DOCDIR%%/qtdoc/qtdoc-attribution-dice-roundcarpet.html %%QT_DOCDIR%%/qtdoc/qtdoc-attribution-dice-table.html @@ -335,6 +337,7 @@ %%QT_DOCDIR%%/qtdoc/qtdoc-demos-photosurface-example.html %%QT_DOCDIR%%/qtdoc/qtdoc-demos-robotarm-example.html %%QT_DOCDIR%%/qtdoc/qtdoc-demos-rssnews-example.html +%%QT_DOCDIR%%/qtdoc/qtdoc-demos-samegame-example.html %%QT_DOCDIR%%/qtdoc/qtdoc-demos-stocqt-example.html %%QT_DOCDIR%%/qtdoc/qtdoc-demos-thermostat-example.html %%QT_DOCDIR%%/qtdoc/qtdoc-demos-todolist-example.html diff --git a/misc/qt6-examples/distinfo b/misc/qt6-examples/distinfo index abf5eaaa5ca8..0f97e02c131c 100644 --- a/misc/qt6-examples/distinfo +++ b/misc/qt6-examples/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701102607 -SHA256 (KDE/Qt/6.6.1/qt-everywhere-src-6.6.1.tar.xz) = dd3668f65645fe270bc615d748bd4dc048bd17b9dc297025106e6ecc419ab95d -SIZE (KDE/Qt/6.6.1/qt-everywhere-src-6.6.1.tar.xz) = 814132652 +TIMESTAMP = 1707970195 +SHA256 (KDE/Qt/6.6.2/qt-everywhere-src-6.6.2.tar.xz) = 3c1e42b3073ade1f7adbf06863c01e2c59521b7cc2349df2f74ecd7ebfcb922d +SIZE (KDE/Qt/6.6.2/qt-everywhere-src-6.6.2.tar.xz) = 801078264 diff --git a/misc/qt6-examples/pkg-plist b/misc/qt6-examples/pkg-plist index 7f387afbde77..f8af7a256567 100644 
--- a/misc/qt6-examples/pkg-plist +++ b/misc/qt6-examples/pkg-plist @@ -103,6 +103,23 @@ %%QT_EXAMPLEDIR%%/bluetooth/btchat/chatserver.h %%QT_EXAMPLEDIR%%/bluetooth/btchat/doc/images/btchat-example.png %%QT_EXAMPLEDIR%%/bluetooth/btchat/doc/src/btchat.qdoc +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24/bluetooth.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24/bluetooth_dark.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24/send.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24/send_dark.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@2/bluetooth.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@2/bluetooth_dark.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@2/send.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@2/send_dark.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@3/bluetooth.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@3/bluetooth_dark.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@3/send.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@3/send_dark.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@4/bluetooth.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@4/bluetooth_dark.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@4/send.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/24x24@4/send_dark.png +%%QT_EXAMPLEDIR%%/bluetooth/btchat/icons/btchat/index.theme %%QT_EXAMPLEDIR%%/bluetooth/btchat/main.cpp %%QT_EXAMPLEDIR%%/bluetooth/btchat/remoteselector.cpp %%QT_EXAMPLEDIR%%/bluetooth/btchat/remoteselector.h 
@@ -132,16 +149,21 @@ %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/devicehandler.h %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/deviceinfo.cpp %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/deviceinfo.h -%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/doc/images/heartgame-result.png -%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/doc/images/heartgame-running.png -%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/doc/images/heartgame-search.png -%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/doc/images/heartgame-start.png +%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/doc/images/heartgame-result.webp +%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/doc/images/heartgame-running.webp +%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/doc/images/heartgame-search.webp +%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/doc/images/heartgame-start.webp %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/doc/src/heartrate-game.qdoc %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/heartrate-game.pro %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/heartrate-global.h +%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/images/alert.svg +%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/images/bluetooth.svg %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/images/bt_off_to_on.png +%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/images/clock.svg %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/images/heart.png %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/images/logo.png +%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/images/progress.svg +%%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/images/search.svg %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/main.cpp %%QT_EXAMPLEDIR%%/bluetooth/heartrate-game/qmldir %%QT_EXAMPLEDIR%%/bluetooth/heartrate-server/CMakeLists.txt 
@@ -820,8 +842,6 @@ %%QT_EXAMPLEDIR%%/dbus/remotecontrolledcar/remotecontrolledcar.pro %%QT_EXAMPLEDIR%%/demos/CMakeLists.txt %%QT_EXAMPLEDIR%%/demos/FX_Material_Showroom/CMakeLists.txt -%%QT_EXAMPLEDIR%%/demos/FX_Material_Showroom/PocketDemo.qmlproject -%%QT_EXAMPLEDIR%%/demos/FX_Material_Showroom/PocketDemo.qmlproject.qtds %%QT_EXAMPLEDIR%%/demos/FX_Material_Showroom/README.md %%QT_EXAMPLEDIR%%/demos/FX_Material_Showroom/content/AmbientEffect.ui.qml %%QT_EXAMPLEDIR%%/demos/FX_Material_Showroom/content/App.qml @@ -981,6 +1001,8 @@ %%QT_EXAMPLEDIR%%/demos/calqlatr/content/images/paper-grip.png %%QT_EXAMPLEDIR%%/demos/calqlatr/doc/images/qtquick-demo-calqlatr.png %%QT_EXAMPLEDIR%%/demos/calqlatr/doc/src/calqlatr.qdoc +%%QT_EXAMPLEDIR%%/demos/calqlatr/ios/Assets.xcassets/AppIcon.appiconset/AppleIconCalqlatr.png +%%QT_EXAMPLEDIR%%/demos/calqlatr/ios/Assets.xcassets/AppIcon.appiconset/Contents.json %%QT_EXAMPLEDIR%%/demos/calqlatr/main.cpp %%QT_EXAMPLEDIR%%/demos/clocks/CMakeLists.txt %%QT_EXAMPLEDIR%%/demos/clocks/clocks.pro 
@@ -1002,47 +1024,52 @@ %%QT_EXAMPLEDIR%%/demos/clocks/main.cpp %%QT_EXAMPLEDIR%%/demos/coffee/ApplicationFlow.qml %%QT_EXAMPLEDIR%%/demos/coffee/ApplicationFlowForm.ui.qml -%%QT_EXAMPLEDIR%%/demos/coffee/Brewing.qml -%%QT_EXAMPLEDIR%%/demos/coffee/BrewingForm.ui.qml %%QT_EXAMPLEDIR%%/demos/coffee/CMakeLists.txt -%%QT_EXAMPLEDIR%%/demos/coffee/ChoosingCoffee.ui.qml -%%QT_EXAMPLEDIR%%/demos/coffee/CoffeeButton.qml +%%QT_EXAMPLEDIR%%/demos/coffee/ChoosingCoffee.qml +%%QT_EXAMPLEDIR%%/demos/coffee/Coffee.qrc +%%QT_EXAMPLEDIR%%/demos/coffee/CoffeeCard.qml +%%QT_EXAMPLEDIR%%/demos/coffee/Colors.qml %%QT_EXAMPLEDIR%%/demos/coffee/Cup.qml -%%QT_EXAMPLEDIR%%/demos/coffee/CupForm.ui.qml -%%QT_EXAMPLEDIR%%/demos/coffee/EmptyCup.qml -%%QT_EXAMPLEDIR%%/demos/coffee/EmptyCupForm.ui.qml +%%QT_EXAMPLEDIR%%/demos/coffee/CustomButton.qml +%%QT_EXAMPLEDIR%%/demos/coffee/CustomSlider.qml +%%QT_EXAMPLEDIR%%/demos/coffee/CustomToolBar.qml +%%QT_EXAMPLEDIR%%/demos/coffee/Home.qml +%%QT_EXAMPLEDIR%%/demos/coffee/Insert.qml %%QT_EXAMPLEDIR%%/demos/coffee/LICENSE.txt -%%QT_EXAMPLEDIR%%/demos/coffee/NavigationButton.ui.qml -%%QT_EXAMPLEDIR%%/demos/coffee/SideBar.qml -%%QT_EXAMPLEDIR%%/demos/coffee/SideBarForm.ui.qml +%%QT_EXAMPLEDIR%%/demos/coffee/Progress.qml +%%QT_EXAMPLEDIR%%/demos/coffee/Ready.qml +%%QT_EXAMPLEDIR%%/demos/coffee/Settings.qml %%QT_EXAMPLEDIR%%/demos/coffee/coffee.pro -%%QT_EXAMPLEDIR%%/demos/coffee/coffee.qdoc -%%QT_EXAMPLEDIR%%/demos/coffee/images/cup structure/coffee_cup_large.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/cup structure/coffee_cup_outline.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/cup structure/cup elements/coffee_cup_back.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/cup structure/cup elements/coffee_cup_coverplate.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/cup structure/cup elements/coffee_cup_front.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/cup structure/liquids/liquid_coffee.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/cup structure/liquids/liquid_foam.png 
-%%QT_EXAMPLEDIR%%/demos/coffee/images/cup structure/liquids/liquid_milk.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/coffees/Americano.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/coffees/Espresso.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/coffees/Latte.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/coffees/Macchiato.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/coffees/cappucino.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/contents/coffee.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/contents/milk.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/contents/sugar.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/ui controls/buttons/back/white.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/ui controls/buttons/go/white.png -%%QT_EXAMPLEDIR%%/demos/coffee/images/ui controls/line.png -%%QT_EXAMPLEDIR%%/demos/coffee/imports/Coffee/Constants.qml -%%QT_EXAMPLEDIR%%/demos/coffee/imports/Coffee/TitilliumWeb-Regular.ttf -%%QT_EXAMPLEDIR%%/demos/coffee/imports/Coffee/qmldir +%%QT_EXAMPLEDIR%%/demos/coffee/doc/images/coffee_machine_emptycup.png +%%QT_EXAMPLEDIR%%/demos/coffee/doc/images/coffee_machine_modify.png +%%QT_EXAMPLEDIR%%/demos/coffee/doc/images/coffee_machine_overview.png +%%QT_EXAMPLEDIR%%/demos/coffee/doc/images/coffee_machine_selection.png +%%QT_EXAMPLEDIR%%/demos/coffee/doc/src/coffee.qdoc +%%QT_EXAMPLEDIR%%/demos/coffee/images/Cups/card_cup_dark.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/Cups/card_cup_light.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/Cups/dark_cup.svgz +%%QT_EXAMPLEDIR%%/demos/coffee/images/Cups/home_dark.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/Cups/home_light.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/Cups/light_cup.svgz +%%QT_EXAMPLEDIR%%/demos/coffee/images/Ingredients/Milk_foam.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/Ingredients/espresso_coffee.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/Ingredients/milk.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/Ingredients/sugar.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/Polygon.svg 
+%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/Qt-logo-white-transparent.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/check.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/dark_mode_black_24dp.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/ellipse_dark.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/ellipse_light.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/keyboard_backspace_black.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/keyboard_backspace_black_left.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/keyboard_backspace_black_right.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/keyboard_backspace_white_left.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/keyboard_backspace_white_right.svg +%%QT_EXAMPLEDIR%%/demos/coffee/images/icons/light_mode_black_24dp.svg %%QT_EXAMPLEDIR%%/demos/coffee/main.cpp %%QT_EXAMPLEDIR%%/demos/coffee/main.qml -%%QT_EXAMPLEDIR%%/demos/coffee/qml.qrc -%%QT_EXAMPLEDIR%%/demos/coffee/qt_attribution.json +%%QT_EXAMPLEDIR%%/demos/coffee/qmldir %%QT_EXAMPLEDIR%%/demos/coffee/qtquickcontrols2.conf %%QT_EXAMPLEDIR%%/demos/colorpaletteclient/CMakeLists.txt %%QT_EXAMPLEDIR%%/demos/colorpaletteclient/MainWindow.qml 
@@ -1099,13 +1126,23 @@ %%QT_EXAMPLEDIR%%/demos/dice/Carpet.qml %%QT_EXAMPLEDIR%%/demos/dice/DiceSpawner.qml %%QT_EXAMPLEDIR%%/demos/dice/Dice_low.qml +%%QT_EXAMPLEDIR%%/demos/dice/Menu_Icon.svg %%QT_EXAMPLEDIR%%/demos/dice/PhysicalDie.qml %%QT_EXAMPLEDIR%%/demos/dice/PhysicalTable.qml %%QT_EXAMPLEDIR%%/demos/dice/RoundTable.qml %%QT_EXAMPLEDIR%%/demos/dice/Scene.qml +%%QT_EXAMPLEDIR%%/demos/dice/android/AndroidManifest.xml +%%QT_EXAMPLEDIR%%/demos/dice/android/res/drawable-hdpi/icon.png +%%QT_EXAMPLEDIR%%/demos/dice/android/res/drawable-ldpi/icon.png +%%QT_EXAMPLEDIR%%/demos/dice/android/res/drawable-mdpi/icon.png +%%QT_EXAMPLEDIR%%/demos/dice/android/res/drawable-xhdpi/icon.png +%%QT_EXAMPLEDIR%%/demos/dice/android/res/drawable-xxhdpi/icon.png +%%QT_EXAMPLEDIR%%/demos/dice/android/res/drawable-xxxhdpi/icon.png %%QT_EXAMPLEDIR%%/demos/dice/dice.pro %%QT_EXAMPLEDIR%%/demos/dice/doc/images/dice-screenshot.webp %%QT_EXAMPLEDIR%%/demos/dice/doc/src/dice.qdoc +%%QT_EXAMPLEDIR%%/demos/dice/ios/Assets.xcassets/AppIcon.appiconset/App-Icon-Apple-Qt-Dice.png +%%QT_EXAMPLEDIR%%/demos/dice/ios/Assets.xcassets/AppIcon.appiconset/Contents.json %%QT_EXAMPLEDIR%%/demos/dice/license_carpet.txt %%QT_EXAMPLEDIR%%/demos/dice/license_table.txt %%QT_EXAMPLEDIR%%/demos/dice/main.cpp @@ -1410,7 +1447,11 @@ %%QT_EXAMPLEDIR%%/demos/mediaplayer/MediaPlayer/icons/Shadow@2x.png %%QT_EXAMPLEDIR%%/demos/mediaplayer/MediaPlayer/icons/Warning_Icon.svg %%QT_EXAMPLEDIR%%/demos/mediaplayer/MediaPlayer/qmldir +%%QT_EXAMPLEDIR%%/demos/mediaplayer/doc/images/controls.png %%QT_EXAMPLEDIR%%/demos/mediaplayer/doc/images/mediaplayer.png +%%QT_EXAMPLEDIR%%/demos/mediaplayer/doc/images/playlist.png +%%QT_EXAMPLEDIR%%/demos/mediaplayer/doc/images/project_structure.png +%%QT_EXAMPLEDIR%%/demos/mediaplayer/doc/images/theme_info.png %%QT_EXAMPLEDIR%%/demos/mediaplayer/doc/src/mediaplayer.qdoc %%QT_EXAMPLEDIR%%/demos/mediaplayer/doc/src/mediaplayer.rst %%QT_EXAMPLEDIR%%/demos/mediaplayer/main.cpp 
@@ -1580,50 +1621,272 @@ %%QT_EXAMPLEDIR%%/demos/samegame/samegame.qmlproject %%QT_EXAMPLEDIR%%/demos/samegame/samegame.qrc %%QT_EXAMPLEDIR%%/demos/stocqt/CMakeLists.txt -%%QT_EXAMPLEDIR%%/demos/stocqt/content/+windows/Settings.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/content/Banner.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/content/Button.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/content/CheckBox.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/content/Settings.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/Main.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/CMakeLists.txt +%%QT_EXAMPLEDIR%%/demos/stocqt/content/FavoriteChart.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/FavoriteView.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/SettingsView.qml %%QT_EXAMPLEDIR%%/demos/stocqt/content/StockChart.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/content/StockInfo.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/content/StockListDelegate.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/content/StockListModel.qml %%QT_EXAMPLEDIR%%/demos/stocqt/content/StockListView.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/content/StockModel.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/content/StockSettingsPanel.qml %%QT_EXAMPLEDIR%%/demos/stocqt/content/StockView.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/AAPL.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/ADSK.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/AMD.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/AMZN.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/CSCO.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/EA.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/EBAY.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/FB.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/GOOG.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/GOOGL.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/INTC.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/MSFT.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/NCLH.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/NFLX.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/NTAP.csv 
-%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/NVDA.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/PYPL.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/QCOM.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/TSLA.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/data/TXN.csv -%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/icon-left-arrow.png -%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/wheel-touch.png -%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/wheel.png -%%QT_EXAMPLEDIR%%/demos/stocqt/content/qmldir +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/AddDelegate.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/FavStatsDelegate.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/FavTab.ui.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/Keystats.ui.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/Legend.ui.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/Navbar.ui.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/Search.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/Star.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/StockCheckbox.ui.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/StockDelegate.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/StockDetail.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/StockTitle.ui.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/TabMenu.ui.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/components/TimeBar.qml +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/arrowDown.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/arrowLeft.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/arrowUp.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/fullscreen.png +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/home.png +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logoBG.png +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/AAPL.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ABNB.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ACGL.svg 
+%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ADBE.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ADI.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ADP.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ADSK.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/AEP.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ALGN.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/AMAT.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/AMD.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/AMGN.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/AMZN.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ANSS.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ASML.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ATVI.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/AVGO.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/AZN.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/BIDU.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/BIIB.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/BKNG.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/BKR.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CDNS.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CEG.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CHTR.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CMCSA.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CME.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/COST.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CPRT.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CRWD.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CSCO.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CSGP.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CSX.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CTAS.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/CTSH.svg 
+%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/DDOG.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/DLTR.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/DXCM.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/EA.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/EBAY.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ENPH.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/EQIX.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/EXC.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/FANG.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/FAST.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/FTNT.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/GFS.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/GILD.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/GOOG.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/GOOGL.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/HON.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/IDXX.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ILMN.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/INTC.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/INTU.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ISRG.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/JD.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/KDP.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/KHC.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/KLAC.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/LCID.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/LRCX.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/LULU.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/MAR.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/MCHP.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/MDLZ.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/MELI.svg 
+%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/META.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/MNST.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/MRNA.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/MRVL.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/MSFT.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/MU.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/NFLX.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/NTES.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/NVDA.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/NXPI.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ODFL.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ON.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ORLY.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/PANW.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/PAYX.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/PCAR.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/PDD.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/PEP.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/PYPL.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/QCOM.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/QTCOM.HE.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/REGN.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/RIVN.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ROST.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/RYAAY.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/SBUX.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/SGEN.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/SIRI.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/SNPS.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/TEAM.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/TMUS.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/TSLA.svg 
+%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/TXN.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/VRSK.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/VRTX.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/WBA.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/WBD.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/WDAY.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/XEL.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ZM.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/logos/ZS.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/qtLogo.png +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/qtLogo2.png +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/save1.png +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/save2.png +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/searchIcon.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/settings.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/stackStar.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/starEmpty.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/starFilled.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/starMuted.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/content/images/timeGreen.svg +%%QT_EXAMPLEDIR%%/demos/stocqt/data/AAPL.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ABNB.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ADBE.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ADI.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ADP.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ADSK.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/AEP.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ALGN.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/AMAT.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/AMD.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/AMGN.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/AMZN.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ANSS.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ASML.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ATVI.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/AVGO.json 
+%%QT_EXAMPLEDIR%%/demos/stocqt/data/AZN.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/BIIB.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/BKNG.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/BKR.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CDNS.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CEG.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CHTR.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CMCSA.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/COST.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CPRT.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CRWD.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CSCO.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CSGP.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CSX.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CTAS.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/CTSH.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/DDOG.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/DLTR.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/DXCM.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/EA.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/EBAY.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ENPH.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/EXC.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/FANG.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/FAST.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/FISV.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/FTNT.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/GFS.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/GILD.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/GOOG.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/GOOGL.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/HON.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/IDXX.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ILMN.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/INTC.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/INTU.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ISRG.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/JD.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/KDP.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/KHC.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/KLAC.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/LCID.json 
+%%QT_EXAMPLEDIR%%/demos/stocqt/data/LRCX.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/LULU.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/MAR.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/MCHP.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/MDLZ.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/MELI.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/META.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/MNST.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/MRNA.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/MRVL.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/MSFT.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/MU.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/NFLX.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/NVDA.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/NXPI.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ODFL.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ORLY.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/PANW.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/PAYX.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/PCAR.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/PDD.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/PEP.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/PYPL.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/QCOM.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/QTCOM.HE.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/REGN.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/RIVN.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ROST.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/SBUX.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/SGEN.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/SIRI.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/SNPS.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/TEAM.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/TMUS.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/TSLA.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/TXN.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/VRSK.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/VRTX.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/WBA.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/WBD.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/WDAY.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/XEL.json 
+%%QT_EXAMPLEDIR%%/demos/stocqt/data/ZM.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/ZS.json +%%QT_EXAMPLEDIR%%/demos/stocqt/data/quotes.json %%QT_EXAMPLEDIR%%/demos/stocqt/doc/images/qtquick-demo-stocqt.png %%QT_EXAMPLEDIR%%/demos/stocqt/doc/src/stocqt.qdoc -%%QT_EXAMPLEDIR%%/demos/stocqt/main.cpp -%%QT_EXAMPLEDIR%%/demos/stocqt/stocqt.pro -%%QT_EXAMPLEDIR%%/demos/stocqt/stocqt.qml -%%QT_EXAMPLEDIR%%/demos/stocqt/stocqt.qmlproject -%%QT_EXAMPLEDIR%%/demos/stocqt/stocqt.qrc +%%QT_EXAMPLEDIR%%/demos/stocqt/qtquickcontrols2.conf +%%QT_EXAMPLEDIR%%/demos/stocqt/src/apihandler.cpp +%%QT_EXAMPLEDIR%%/demos/stocqt/src/apihandler.h +%%QT_EXAMPLEDIR%%/demos/stocqt/src/favoritesmodel.cpp +%%QT_EXAMPLEDIR%%/demos/stocqt/src/favoritesmodel.h +%%QT_EXAMPLEDIR%%/demos/stocqt/src/main.cpp +%%QT_EXAMPLEDIR%%/demos/stocqt/src/stockengine.cpp +%%QT_EXAMPLEDIR%%/demos/stocqt/src/stockengine.h +%%QT_EXAMPLEDIR%%/demos/stocqt/src/stocklistmodel.cpp +%%QT_EXAMPLEDIR%%/demos/stocqt/src/stocklistmodel.h +%%QT_EXAMPLEDIR%%/demos/stocqt/src/stockmodel.cpp +%%QT_EXAMPLEDIR%%/demos/stocqt/src/stockmodel.h +%%QT_EXAMPLEDIR%%/demos/stocqt/src/timeformatter.cpp +%%QT_EXAMPLEDIR%%/demos/stocqt/src/timeformatter.h %%QT_EXAMPLEDIR%%/demos/thermostat/CMakeLists.txt %%QT_EXAMPLEDIR%%/demos/thermostat/Main.qml %%QT_EXAMPLEDIR%%/demos/thermostat/Thermostat.qmlproject 
@@ -2300,11 +2563,6 @@ %%QT_EXAMPLEDIR%%/mqtt/websocketsubscription/websocketiodevice.h %%QT_EXAMPLEDIR%%/mqtt/websocketsubscription/websocketsubscription.pro %%QT_EXAMPLEDIR%%/multimedia/CMakeLists.txt -%%QT_EXAMPLEDIR%%/multimedia/audiodecoder/CMakeLists.txt -%%QT_EXAMPLEDIR%%/multimedia/audiodecoder/audiodecoder.cpp -%%QT_EXAMPLEDIR%%/multimedia/audiodecoder/audiodecoder.h -%%QT_EXAMPLEDIR%%/multimedia/audiodecoder/audiodecoder.pro -%%QT_EXAMPLEDIR%%/multimedia/audiodecoder/main.cpp %%QT_EXAMPLEDIR%%/multimedia/audiodevices/CMakeLists.txt %%QT_EXAMPLEDIR%%/multimedia/audiodevices/audiodevices.cpp %%QT_EXAMPLEDIR%%/multimedia/audiodevices/audiodevices.h @@ -2401,9 +2659,6 @@ %%QT_EXAMPLEDIR%%/multimedia/declarative-camera/images/toolbutton.png %%QT_EXAMPLEDIR%%/multimedia/declarative-camera/images/toolbutton.sci %%QT_EXAMPLEDIR%%/multimedia/declarative-camera/qmlcamera.cpp -%%QT_EXAMPLEDIR%%/multimedia/devices/CMakeLists.txt -%%QT_EXAMPLEDIR%%/multimedia/devices/devices.pro -%%QT_EXAMPLEDIR%%/multimedia/devices/main.cpp %%QT_EXAMPLEDIR%%/multimedia/multimedia.pro %%QT_EXAMPLEDIR%%/multimedia/player/CMakeLists.txt %%QT_EXAMPLEDIR%%/multimedia/player/doc/images/mediaplayerex.jpg @@ -2973,7 +3228,7 @@ %%QT_EXAMPLEDIR%%/opcua/waterpump/waterpump-qml/Tank2Unit.qml %%QT_EXAMPLEDIR%%/opcua/waterpump/waterpump-qml/TankDisplay.qml %%QT_EXAMPLEDIR%%/opcua/waterpump/waterpump-qml/ValueDisplay.qml -%%QT_EXAMPLEDIR%%/opcua/waterpump/waterpump-qml/doc/images/tankexample.jpg +%%QT_EXAMPLEDIR%%/opcua/waterpump/waterpump-qml/doc/images/tankexample.png %%QT_EXAMPLEDIR%%/opcua/waterpump/waterpump-qml/doc/waterpump-qml.qdoc %%QT_EXAMPLEDIR%%/opcua/waterpump/waterpump-qml/machine/Machine.qml %%QT_EXAMPLEDIR%%/opcua/waterpump/waterpump-qml/machine/Tank.qml 
@@ -3465,6 +3720,21 @@ %%QT_EXAMPLEDIR%%/qml/tutorials/extending-qml/chapter6-plugins/main.cpp %%QT_EXAMPLEDIR%%/qml/tutorials/extending-qml/extending-qml.pro %%QT_EXAMPLEDIR%%/qml/tutorials/tutorials.pro +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter1/CMakeLists.txt +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter1/helloplugin.cpp +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter1/helloplugin.h +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter1/plugin.json +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter1/test.qml +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter2/CMakeLists.txt +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter2/helloplugin.cpp +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter2/helloplugin.h +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter2/plugin.json +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter2/test.qml +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter3/CMakeLists.txt +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter3/helloplugin.cpp +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter3/helloplugin.h +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter3/plugin.json +%%QT_EXAMPLEDIR%%/qmlcompiler/tutorials/helloworld/chapter3/test.qml %%QT_EXAMPLEDIR%%/qmltest/CMakeLists.txt %%QT_EXAMPLEDIR%%/qmltest/qmltest.pro %%QT_EXAMPLEDIR%%/qmltest/qmltest/CMakeLists.txt 
@@ -5139,6 +5409,66 @@ %%QT_EXAMPLEDIR%%/quick3d/view3d/qml.qrc %%QT_EXAMPLEDIR%%/quick3d/view3d/teapot.mesh %%QT_EXAMPLEDIR%%/quick3d/view3d/view3d.pro +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/CMakeLists.txt +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/Main.qml +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/VirtualAssistant.qmlproject +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/CMakeLists.txt +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/CMakeLists.txt +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/RobotHeart/CMakeLists.txt +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/RobotHeart/RobotHeart.hints +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/RobotHeart/RobotHeart.qml +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/RobotHeart/meshes/plane.mesh +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/RobotHeart/qmldir +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/VirtualAssistant/CMakeLists.txt +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/VirtualAssistant/VirtualAssistant.hints +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/VirtualAssistant/VirtualAssistant.qml +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/VirtualAssistant/meshes/body.mesh +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/VirtualAssistant/meshes/mesh_107.mesh +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/VirtualAssistant/meshes/mesh_108.mesh +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/VirtualAssistant/meshes/mesh_109.mesh +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/asset_imports/Quick3DAssets/VirtualAssistant/qmldir +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/content/App.qml +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/content/CMakeLists.txt 
+%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/content/ControlPanel.qml +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/content/Screen01.ui.qml +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/content/SettingsPanel.qml +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/content/colosseum_4k.hdr +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/doc/images/VirtualAssistantHome.png +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/doc/src/virtualassistant.qdoc +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/imports/CMakeLists.txt +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/imports/Constants/CMakeLists.txt +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/imports/Constants/Constants.qml +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/imports/Constants/designer/plugin.metainfo +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/imports/Constants/qmldir +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/qmlmodules +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/qt_attribution.json +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/qtquickcontrols2.conf +%%QT_EXAMPLEDIR%%/quick3d/virtualassistant/src/main.cpp +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/ArcballController.qml +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/CMakeLists.txt +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/Main.qml +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/OriginGizmo.qml +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/SpacingMap.mjs +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/Spinner.qml +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/alpha_blending.frag +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/alpha_blending.vert +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/doc/images/volumeraycaster.webp +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/doc/src/volumeraycaster.qdoc +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/images/circle.png +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/images/colormap-coolwarm.png +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/images/colormap-gist_rainbow.png +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/images/colormap-gnuplot.png 
+%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/images/colormap-plasma.png +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/images/colormap-rainbow.png +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/images/colormap-viridis.png +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/lineboxgeometry.cpp +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/lineboxgeometry.h +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/main.cpp +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/qmldir +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/qt_attribution.json +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/volumeraycaster.pro +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/volumetexturedata.cpp +%%QT_EXAMPLEDIR%%/quick3d/volumeraycaster/volumetexturedata.h %%QT_EXAMPLEDIR%%/quick3dphysics/CMakeLists.txt %%QT_EXAMPLEDIR%%/quick3dphysics/cannon/Box.qml %%QT_EXAMPLEDIR%%/quick3dphysics/cannon/CMakeLists.txt @@ -5381,10 +5711,10 @@ %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/ContactDelegate.ui.qml %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/ContactDialog.qml %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/ContactForm.ui.qml +%%QT_EXAMPLEDIR%%/quickcontrols/contactlist/ContactList.qml %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/ContactView.ui.qml %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/SectionDelegate.ui.qml %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/contactlist.pro -%%QT_EXAMPLEDIR%%/quickcontrols/contactlist/contactlist.qml %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/contactmodel.cpp %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/contactmodel.h %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/designer/Backend/ContactModel.qml 
@@ -5392,6 +5722,7 @@ %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/doc/images/qtquickcontrols-contactlist.png %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/doc/src/qtquickcontrols-contactlist.qdoc %%QT_EXAMPLEDIR%%/quickcontrols/contactlist/main.cpp +%%QT_EXAMPLEDIR%%/quickcontrols/contactlist/qmldir %%QT_EXAMPLEDIR%%/quickcontrols/eventcalendar/CMakeLists.txt %%QT_EXAMPLEDIR%%/quickcontrols/eventcalendar/MonthGridDelegate.qml %%QT_EXAMPLEDIR%%/quickcontrols/eventcalendar/doc/images/qtquickcalendar-eventcalendar.png @@ -6242,8 +6573,8 @@ %%QT_EXAMPLEDIR%%/sql/books/books.qrc %%QT_EXAMPLEDIR%%/sql/books/bookwindow.cpp %%QT_EXAMPLEDIR%%/sql/books/bookwindow.h -%%QT_EXAMPLEDIR%%/sql/books/bookwindow.ui -%%QT_EXAMPLEDIR%%/sql/books/images/star.png +%%QT_EXAMPLEDIR%%/sql/books/images/star-filled.svg +%%QT_EXAMPLEDIR%%/sql/books/images/star.svg %%QT_EXAMPLEDIR%%/sql/books/initdb.h %%QT_EXAMPLEDIR%%/sql/books/main.cpp %%QT_EXAMPLEDIR%%/sql/cachedtable/CMakeLists.txt @@ -6871,7 +7202,6 @@ %%QT_EXAMPLEDIR%%/webenginewidgets/notifications/notifications.pro %%QT_EXAMPLEDIR%%/webenginewidgets/printme/CMakeLists.txt %%QT_EXAMPLEDIR%%/webenginewidgets/printme/data/data.qrc -%%QT_EXAMPLEDIR%%/webenginewidgets/printme/data/icon.svg %%QT_EXAMPLEDIR%%/webenginewidgets/printme/data/index.html %%QT_EXAMPLEDIR%%/webenginewidgets/printme/data/style.css %%QT_EXAMPLEDIR%%/webenginewidgets/printme/doc/images/printme-example.png 
@@ -6905,6 +7235,11 @@ %%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/3rdparty/qt_attribution.json %%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/custom.css %%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/custom.js +%%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/icons/add.svg +%%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/icons/edit.svg +%%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/icons/remove.svg +%%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/icons/stylesheets.svg +%%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/icons/view.svg %%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/pages/burger.html %%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/pages/cupcakes.html %%QT_EXAMPLEDIR%%/webenginewidgets/recipebrowser/assets/pages/images/burger.jpg @@ -6975,7 +7310,6 @@ %%QT_EXAMPLEDIR%%/webenginewidgets/simplebrowser/webview.cpp %%QT_EXAMPLEDIR%%/webenginewidgets/simplebrowser/webview.h %%QT_EXAMPLEDIR%%/webenginewidgets/spellchecker/CMakeLists.txt -%%QT_EXAMPLEDIR%%/webenginewidgets/spellchecker/data/icon.svg %%QT_EXAMPLEDIR%%/webenginewidgets/spellchecker/data/index.html %%QT_EXAMPLEDIR%%/webenginewidgets/spellchecker/data/spellchecker.qrc %%QT_EXAMPLEDIR%%/webenginewidgets/spellchecker/data/style.css @@ -7209,7 +7543,6 @@ %%QT_EXAMPLEDIR%%/widgets/doc/src/combowidgetmapper.qdoc %%QT_EXAMPLEDIR%%/widgets/doc/src/completer.qdoc %%QT_EXAMPLEDIR%%/widgets/doc/src/composition.qdoc -%%QT_EXAMPLEDIR%%/widgets/doc/src/concentriccircles.qdoc %%QT_EXAMPLEDIR%%/widgets/doc/src/customsortfiltermodel.qdoc %%QT_EXAMPLEDIR%%/widgets/doc/src/deform.qdoc %%QT_EXAMPLEDIR%%/widgets/doc/src/diagramscene.qdoc 
@@ -7451,6 +7784,7 @@ %%QT_EXAMPLEDIR%%/widgets/itemviews/editabletreemodel/mainwindow.cpp %%QT_EXAMPLEDIR%%/widgets/itemviews/editabletreemodel/mainwindow.h %%QT_EXAMPLEDIR%%/widgets/itemviews/editabletreemodel/mainwindow.ui +%%QT_EXAMPLEDIR%%/widgets/itemviews/editabletreemodel/test.cpp %%QT_EXAMPLEDIR%%/widgets/itemviews/editabletreemodel/treeitem.cpp %%QT_EXAMPLEDIR%%/widgets/itemviews/editabletreemodel/treeitem.h %%QT_EXAMPLEDIR%%/widgets/itemviews/editabletreemodel/treemodel.cpp @@ -7475,6 +7809,7 @@ %%QT_EXAMPLEDIR%%/widgets/itemviews/simpletreemodel/main.cpp %%QT_EXAMPLEDIR%%/widgets/itemviews/simpletreemodel/simpletreemodel.pro %%QT_EXAMPLEDIR%%/widgets/itemviews/simpletreemodel/simpletreemodel.qrc +%%QT_EXAMPLEDIR%%/widgets/itemviews/simpletreemodel/test.cpp %%QT_EXAMPLEDIR%%/widgets/itemviews/simpletreemodel/treeitem.cpp %%QT_EXAMPLEDIR%%/widgets/itemviews/simpletreemodel/treeitem.h %%QT_EXAMPLEDIR%%/widgets/itemviews/simpletreemodel/treemodel.cpp @@ -7558,13 +7893,6 @@ %%QT_EXAMPLEDIR%%/widgets/painting/composition/flower.jpg %%QT_EXAMPLEDIR%%/widgets/painting/composition/flower_alpha.jpg %%QT_EXAMPLEDIR%%/widgets/painting/composition/main.cpp -%%QT_EXAMPLEDIR%%/widgets/painting/concentriccircles/CMakeLists.txt -%%QT_EXAMPLEDIR%%/widgets/painting/concentriccircles/circlewidget.cpp -%%QT_EXAMPLEDIR%%/widgets/painting/concentriccircles/circlewidget.h -%%QT_EXAMPLEDIR%%/widgets/painting/concentriccircles/concentriccircles.pro -%%QT_EXAMPLEDIR%%/widgets/painting/concentriccircles/main.cpp -%%QT_EXAMPLEDIR%%/widgets/painting/concentriccircles/window.cpp -%%QT_EXAMPLEDIR%%/widgets/painting/concentriccircles/window.h %%QT_EXAMPLEDIR%%/widgets/painting/deform/CMakeLists.txt %%QT_EXAMPLEDIR%%/widgets/painting/deform/deform.pro %%QT_EXAMPLEDIR%%/widgets/painting/deform/deform.qrc diff --git a/multimedia/qt6-multimedia/distinfo b/multimedia/qt6-multimedia/distinfo index 61b40c1a2cf9..1bac4d3765ab 100644 --- a/multimedia/qt6-multimedia/distinfo 
+++ b/multimedia/qt6-multimedia/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701102613 -SHA256 (KDE/Qt/6.6.1/qtmultimedia-everywhere-src-6.6.1.tar.xz) = 7ee4e2296f5714961692f6ded568d3e3fde3687cee48e9d717194b5d1360db4a -SIZE (KDE/Qt/6.6.1/qtmultimedia-everywhere-src-6.6.1.tar.xz) = 6723296 +TIMESTAMP = 1707970200 +SHA256 (KDE/Qt/6.6.2/qtmultimedia-everywhere-src-6.6.2.tar.xz) = e2942599ba0ae106ab3e4f82d6633e8fc1943f8a35d91f99d1fca46d251804ec +SIZE (KDE/Qt/6.6.2/qtmultimedia-everywhere-src-6.6.2.tar.xz) = 8305476 diff --git a/multimedia/qt6-multimedia/pkg-plist b/multimedia/qt6-multimedia/pkg-plist index 0e29106b9276..688f6e8f3549 100644 --- a/multimedia/qt6-multimedia/pkg-plist +++ b/multimedia/qt6-multimedia/pkg-plist @@ -13,6 +13,7 @@ %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qcameradevice_p.h %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qcapturablewindow_p.h %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qerrorinfo_p.h +%%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qimagevideobuffer_p.h %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qmediaplayer_p.h %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qmediarecorder_p.h %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qmediastoragelocation_p.h @@ -43,6 +44,7 @@ %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qsamplecache_p.h %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qtmultimedia-config_p.h %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qtmultimediaglobal_p.h +%%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qvideo_p.h %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qvideoframeconversionhelper_p.h %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qvideoframeconverter_p.h %%QT_INCDIR%%/QtMultimedia/%%FULLVER%%/QtMultimedia/private/qvideooutputorientationhandler_p.h 
diff --git a/net/qt6-coap/distinfo b/net/qt6-coap/distinfo
index d699afc779f3..2ca7b7d72e53 100644
--- a/net/qt6-coap/distinfo
+++ b/net/qt6-coap/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102615
-SHA256 (KDE/Qt/6.6.1/qt-qtcoap-v6.6.1_GH0.tar.gz) = a11cae6ec75ba31150ac94b076b43d1e9c235e9872b5c02dc70734449dc07551
-SIZE (KDE/Qt/6.6.1/qt-qtcoap-v6.6.1_GH0.tar.gz) = 183077
+TIMESTAMP = 1707970202
+SHA256 (KDE/Qt/6.6.2/qt-qtcoap-v6.6.2_GH0.tar.gz) = 636dbcfb01d94d2b6aa9c1ef255b0d6c9488c9b786b6056bdca49c530aab2b6e
+SIZE (KDE/Qt/6.6.2/qt-qtcoap-v6.6.2_GH0.tar.gz) = 183072
diff --git a/net/qt6-networkauth/distinfo b/net/qt6-networkauth/distinfo
index 95517104e0bf..08532e7f24ad 100644
--- a/net/qt6-networkauth/distinfo
+++ b/net/qt6-networkauth/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102617
-SHA256 (KDE/Qt/6.6.1/qtnetworkauth-everywhere-src-6.6.1.tar.xz) = 693e11945b22735fc9b1662cad53c60098882d301c4f4a3e13c01bcc41c00d49
-SIZE (KDE/Qt/6.6.1/qtnetworkauth-everywhere-src-6.6.1.tar.xz) = 152916
+TIMESTAMP = 1707970203
+SHA256 (KDE/Qt/6.6.2/qtnetworkauth-everywhere-src-6.6.2.tar.xz) = 32bdd5550ba893b5fb7d07ea2a3adc1729ed8b4565dc4aa963fa21b978d332d2
+SIZE (KDE/Qt/6.6.2/qtnetworkauth-everywhere-src-6.6.2.tar.xz) = 143612
diff --git a/science/qt6-quick3dphysics/distinfo b/science/qt6-quick3dphysics/distinfo
index d12d67d348dc..e6bd05955cab 100644
--- a/science/qt6-quick3dphysics/distinfo
+++ b/science/qt6-quick3dphysics/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102622
-SHA256 (KDE/Qt/6.6.1/qtquick3dphysics-everywhere-src-6.6.1.tar.xz) = 2cc6b5f58d7b1de6de34279657ad2c73a0e82e29c7a56a12f2c00fb62725e15a
-SIZE (KDE/Qt/6.6.1/qtquick3dphysics-everywhere-src-6.6.1.tar.xz) = 4700696
+TIMESTAMP = 1707970207
+SHA256 (KDE/Qt/6.6.2/qtquick3dphysics-everywhere-src-6.6.2.tar.xz) = 4ca1922b329dd2fb80038f66b27c1b50585db5db9b41483761abe405534f4080
+SIZE (KDE/Qt/6.6.2/qtquick3dphysics-everywhere-src-6.6.2.tar.xz) = 4691884
diff --git a/www/qt6-httpserver/distinfo b/www/qt6-httpserver/distinfo index c9a1e2660b0b..b8ba01959805 100644 --- a/www/qt6-httpserver/distinfo +++ b/www/qt6-httpserver/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701102624 -SHA256 (KDE/Qt/6.6.1/qthttpserver-everywhere-src-6.6.1.tar.xz) = 1bfeb3f52f15002a0197a4ef4f3ada7b43a6d0681e1797a11c1460ecfa83124c -SIZE (KDE/Qt/6.6.1/qthttpserver-everywhere-src-6.6.1.tar.xz) = 171104 +TIMESTAMP = 1707970208 +SHA256 (KDE/Qt/6.6.2/qthttpserver-everywhere-src-6.6.2.tar.xz) = a2413a6a33b53289d74a00ee47b79d5a22532a0f46fbca139b216320bc49fce3 +SIZE (KDE/Qt/6.6.2/qthttpserver-everywhere-src-6.6.2.tar.xz) = 162152 diff --git a/www/qt6-webchannel/distinfo b/www/qt6-webchannel/distinfo index 905a33698582..fe218fe976fa 100644 --- a/www/qt6-webchannel/distinfo +++ b/www/qt6-webchannel/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701102626 -SHA256 (KDE/Qt/6.6.1/qtwebchannel-everywhere-src-6.6.1.tar.xz) = f16087cd573ada98b3c90f10a18bb660dc8a65a6404e4d8e24a712799f91e543 -SIZE (KDE/Qt/6.6.1/qtwebchannel-everywhere-src-6.6.1.tar.xz) = 215212 +TIMESTAMP = 1707970210 +SHA256 (KDE/Qt/6.6.2/qtwebchannel-everywhere-src-6.6.2.tar.xz) = 3d7c7d3999a394aa337bf575e33e526b058922e3760b34c942e5c8c174dcccc6 +SIZE (KDE/Qt/6.6.2/qtwebchannel-everywhere-src-6.6.2.tar.xz) = 206440 diff --git a/www/qt6-webengine/Makefile b/www/qt6-webengine/Makefile index 9cf2441c7458..e78bd490a6a5 100644 --- a/www/qt6-webengine/Makefile +++ b/www/qt6-webengine/Makefile @@ -12,7 +12,7 @@ PORTNAME?= webengine DISTVERSION= ${QT6_VERSION} -PORTREVISION?= 5 # Master port for print/qt6-pdf. Please keep this line. +PORTREVISION?= 0 # Master port for print/qt6-pdf. Please keep this line. CATEGORIES?= www PKGNAMEPREFIX= qt6- 
@@ -46,7 +46,8 @@ CMAKE_OFF+= QT_FEATURE_qtwebengine_build SYS_LIBS= freetype .else BUILD_DEPENDS+= ${LOCALBASE}/include/linux/videodev2.h:multimedia/v4l_compat -LIB_DEPENDS+= libavcodec.so:multimedia/ffmpeg \ +LIB_DEPENDS+= libabsl_base.so:devel/abseil \ + libavcodec.so:multimedia/ffmpeg \ libdbus-1.so:devel/dbus \ libdrm.so:graphics/libdrm \ libevent.so:devel/libevent \ diff --git a/www/qt6-webengine/distinfo b/www/qt6-webengine/distinfo index a301e0df3970..fdfcf1c15b6d 100644 --- a/www/qt6-webengine/distinfo +++ b/www/qt6-webengine/distinfo @@ -1,3 +1,3 @@ -TIMESTAMP = 1701102894 -SHA256 (KDE/Qt/6.6.1/qtwebengine-everywhere-src-6.6.1.tar.xz) = 7a6ea228214bd66029ca90549b29021f30f7544abff997b7f831ceac2ce73691 -SIZE (KDE/Qt/6.6.1/qtwebengine-everywhere-src-6.6.1.tar.xz) = 421042656 +TIMESTAMP = 1707970378 +SHA256 (KDE/Qt/6.6.2/qtwebengine-everywhere-src-6.6.2.tar.xz) = d61d87b2d2ccf8487e248bd8777d208ba3acd65bd60d6bb7d87dbaafa3850396 +SIZE (KDE/Qt/6.6.2/qtwebengine-everywhere-src-6.6.2.tar.xz) = 421147952 diff --git a/www/qt6-webengine/files/patch-cmake_Functions.cmake b/www/qt6-webengine/files/patch-cmake_Functions.cmake index 0b7d8a757852..7dcc0eee40f7 100644 --- a/www/qt6-webengine/files/patch-cmake_Functions.cmake +++ b/www/qt6-webengine/files/patch-cmake_Functions.cmake @@ -1,6 +1,6 @@ ---- cmake/Functions.cmake.orig 2023-11-20 16:08:07 UTC +--- cmake/Functions.cmake.orig 2024-02-10 00:23:21 UTC +++ cmake/Functions.cmake -@@ -452,7 +452,7 @@ function(add_linker_options target buildDir completeSt +@@ -416,7 +416,7 @@ function(add_linker_options target buildDir completeSt set(libs_rsp "${buildDir}/${ninjaTarget}_libs.rsp") set(ldir_rsp "${buildDir}/${ninjaTarget}_ldir.rsp") set_target_properties(${cmakeTarget} PROPERTIES STATIC_LIBRARY_OPTIONS "@${objects_rsp}") 
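Review bot: The new `libabsl_base.so:devel/abseil` entry in the LIB_DEPENDS list of www/qt6-webengine/Makefile has no comment saying which component needs it, and the hunk shows no matching change that would make the build link the system library instead of Chromium's bundled copy. If another system library only pulls it in indirectly, a comment above the `LIB_DEPENDS+=` line would record that, for example `# abseil: required by <consumer>; remove when no longer linked`. Without that a later update cannot tell whether the entry can be dropped, and a stale entry keeps an extra shared library in the package's dependency closure. The LIB_DEPENDS list continues past the end of the hunk, so the rest of the dependency set is not visible here.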
@@ -9,7 +9,7 @@ get_gn_arch(cpu ${TEST_architecture_arch}) if(CMAKE_CROSSCOMPILING AND cpu STREQUAL "arm" AND ${config} STREQUAL "Debug") target_link_options(${cmakeTarget} PRIVATE "LINKER:--long-plt") -@@ -704,6 +704,8 @@ function(get_gn_os result) +@@ -673,6 +673,8 @@ function(get_gn_os result) set(${result} "mac" PARENT_SCOPE) elseif(IOS) set(${result} "ios" PARENT_SCOPE) @@ -18,7 +18,7 @@ else() message(DEBUG "Unrecognized OS") endif() -@@ -894,7 +896,7 @@ macro(append_build_type_setup) +@@ -865,7 +867,7 @@ macro(append_build_type_setup) extend_gn_list(gnArgArg ARGS enable_precompiled_headers @@ -27,7 +27,7 @@ ) extend_gn_list(gnArgArg ARGS dcheck_always_on -@@ -946,7 +948,7 @@ macro(append_compiler_linker_sdk_setup) +@@ -917,7 +919,7 @@ macro(append_compiler_linker_sdk_setup) use_libcxx=true ) endif() @@ -36,7 +36,7 @@ extend_gn_list(gnArgArg ARGS use_libcxx CONDITION QT_FEATURE_stdlib_libcpp ) -@@ -984,7 +986,7 @@ macro(append_compiler_linker_sdk_setup) +@@ -955,7 +957,7 @@ macro(append_compiler_linker_sdk_setup) ) endif() get_gn_arch(cpu ${TEST_architecture_arch}) @@ -45,16 +45,16 @@ extend_gn_list_cflag(gnArgArg ARG arm_tune -@@ -1059,7 +1061,7 @@ macro(append_toolchain_setup) - ) - list(APPEND gnArgArg host_cpu="${cpu}") - endif() -- if(LINUX) -+ if(LINUX OR FREEBSD) +@@ -1040,7 +1042,7 @@ macro(append_toolchain_setup) + host_cpu="${cpu}" + ) + endif() +- elseif(LINUX) ++ elseif(LINUX OR FREEBSD) + get_gn_arch(cpu ${TEST_architecture_arch}) list(APPEND gnArgArg custom_toolchain="${buildDir}/target_toolchain:target" - host_toolchain="${buildDir}/host_toolchain:host" -@@ -1091,7 +1093,7 @@ macro(append_pkg_config_setup) +@@ -1073,7 +1075,7 @@ macro(append_pkg_config_setup) macro(append_pkg_config_setup) 
@@ -63,7 +63,7 @@ list(APPEND gnArgArg pkg_config="${PKG_CONFIG_EXECUTABLE}" host_pkg_config="${PKG_CONFIG_HOST_EXECUTABLE}" -@@ -1184,6 +1186,20 @@ function(add_gn_build_aritfacts_to_target) +@@ -1166,6 +1168,20 @@ function(add_gn_build_artifacts_to_target) set_target_properties(${arg_CMAKE_TARGET} PROPERTIES LINK_DEPENDS ${arg_BUILDDIR}/${config}/${arch}/${arg_NINJA_STAMP} ) @@ -84,7 +84,7 @@ if(QT_IS_MACOS_UNIVERSAL) add_intermediate_archive(${target} ${arg_BUILDDIR}/${config}/${arch} ${arg_COMPLETE_STATIC}) elseif(IOS) -@@ -1311,7 +1327,7 @@ function(check_for_ulimit) +@@ -1283,7 +1299,7 @@ function(check_for_ulimit) function(check_for_ulimit) message("-- Checking 'ulimit -n'") @@ -93,7 +93,7 @@ OUTPUT_VARIABLE ulimitOutput ) string(REGEX MATCHALL "[0-9]+" limit "${ulimitOutput}") -@@ -1320,7 +1336,7 @@ function(check_for_ulimit) +@@ -1292,7 +1308,7 @@ function(check_for_ulimit) if(NOT ${CMAKE_VERSION} VERSION_LESS "3.21.0") message(" -- Creating linker launcher") file(GENERATE OUTPUT ${PROJECT_BINARY_DIR}/linker_ulimit.sh diff --git a/www/qt6-webengine/files/patch-configure.cmake b/www/qt6-webengine/files/patch-configure.cmake index b99f8dc18884..ff2e426fbc47 100644 --- a/www/qt6-webengine/files/patch-configure.cmake +++ b/www/qt6-webengine/files/patch-configure.cmake @@ -1,4 +1,4 @@ ---- configure.cmake.orig 2023-11-20 16:08:07 UTC +--- configure.cmake.orig 2024-02-10 00:23:21 UTC +++ configure.cmake @@ -67,7 +67,7 @@ endif() endif() @@ -9,7 +9,7 @@ check_for_ulimit() endif() -@@ -439,7 +439,7 @@ qt_feature("webengine-ozone-x11" PRIVATE +@@ -427,7 +427,7 @@ qt_feature("webengine-ozone-x11" PRIVATE qt_feature("webengine-ozone-x11" PRIVATE LABEL "Support GLX on qpa-xcb" @@ -18,7 +18,7 @@ AND TARGET Qt::Gui AND QT_FEATURE_xcb AND X11_FOUND -@@ -476,12 +476,12 @@ add_check_for_support( +@@ -464,12 +464,12 @@ add_check_for_support( ) add_check_for_support( MODULES QtWebEngine 
@@ -33,39 +33,39 @@ MESSAGE "Build can be done only on Linux, Windows, macO, iOS and Android(on non-Windows hosts only)." ) if(LINUX AND CMAKE_CROSSCOMPILING) -@@ -503,13 +503,6 @@ add_check_for_support( +@@ -492,13 +492,6 @@ add_check_for_support( MESSAGE "node.js version 14 or later is required." ) add_check_for_support( - MODULES QtWebEngine -- CONDITION NOT (Nodejs_ARCH STREQUAL ia32) AND -- NOT (Nodejs_ARCH STREQUAL x86) AND -- NOT (Nodejs_ARCH STREQUAL arm) +- CONDITION NOT (Nodejs_ARCH STREQUAL "ia32") AND +- NOT (Nodejs_ARCH STREQUAL "x86") AND +- NOT (Nodejs_ARCH STREQUAL "arm") - MESSAGE "32bit version of Nodejs is not supported." -) -add_check_for_support( MODULES QtWebEngine QtPdf CONDITION Python3_EXECUTABLE MESSAGE "Python version 3.6 or later is required." -@@ -587,8 +580,8 @@ add_check_for_support( +@@ -576,8 +569,8 @@ add_check_for_support( add_check_for_support( MODULES QtWebEngine CONDITION MSVC OR -- (LINUX AND CMAKE_CXX_COMPILER_ID STREQUAL GNU) OR -- (LINUX AND CMAKE_CXX_COMPILER_ID STREQUAL Clang) OR -+ (FREEBSD AND CMAKE_CXX_COMPILER_ID STREQUAL GNU) OR -+ (FREEBSD AND CMAKE_CXX_COMPILER_ID STREQUAL Clang) OR - (MACOS AND CMAKE_CXX_COMPILER_ID STREQUAL AppleClang) +- (LINUX AND CMAKE_CXX_COMPILER_ID STREQUAL "GNU") OR +- (LINUX AND CMAKE_CXX_COMPILER_ID STREQUAL "Clang") OR ++ (FREEBSD AND CMAKE_CXX_COMPILER_ID STREQUAL "GNU") OR ++ (FREEBSD AND CMAKE_CXX_COMPILER_ID STREQUAL "Clang") OR + (MACOS AND CMAKE_CXX_COMPILER_ID STREQUAL "AppleClang") MESSAGE "${CMAKE_CXX_COMPILER_ID} compiler is not supported." 
-@@ -597,8 +590,8 @@ add_check_for_support( +@@ -586,8 +579,8 @@ add_check_for_support( add_check_for_support( MODULES QtPdf CONDITION MSVC OR -- (LINUX AND CMAKE_CXX_COMPILER_ID STREQUAL GNU) OR -- (LINUX AND CMAKE_CXX_COMPILER_ID STREQUAL Clang) OR -+ (FREEBSD AND CMAKE_CXX_COMPILER_ID STREQUAL GNU) OR -+ (FREEBSD AND CMAKE_CXX_COMPILER_ID STREQUAL Clang) OR - (APPLE AND CMAKE_CXX_COMPILER_ID STREQUAL AppleClang) OR - (ANDROID AND CMAKE_CXX_COMPILER_ID STREQUAL Clang) OR - (MINGW AND CMAKE_CXX_COMPILER_ID STREQUAL GNU) OR +- (LINUX AND CMAKE_CXX_COMPILER_ID STREQUAL "GNU") OR +- (LINUX AND CMAKE_CXX_COMPILER_ID STREQUAL "Clang") OR ++ (FREEBSD AND CMAKE_CXX_COMPILER_ID STREQUAL "GNU") OR ++ (FREEBSD AND CMAKE_CXX_COMPILER_ID STREQUAL "Clang") OR + (APPLE AND CMAKE_CXX_COMPILER_ID STREQUAL "AppleClang") OR + (ANDROID AND CMAKE_CXX_COMPILER_ID STREQUAL "Clang") OR + (MINGW AND CMAKE_CXX_COMPILER_ID STREQUAL "GNU") OR diff --git a/www/qt6-webengine/files/patch-security-rollup b/www/qt6-webengine/files/patch-security-rollup deleted file mode 100644 index 2f8615470498..000000000000 --- a/www/qt6-webengine/files/patch-security-rollup +++ /dev/null 
@@ -1,4979 +0,0 @@ -Add security patches to this file. - -Addresses the following security issues: -- CVE-2023-5997 -- CVE-2023-6112 -- CVE-2023-6345 -- CVE-2023-6346 -- CVE-2023-6347 -- CVE-2023-6510 -- Security bug 1485266 -- CVE-2023-6702 -- CVE-2023-6703 -- CVE-2023-6705 -- CVE-2023-6706 -- Security bug 1506726 -- Security bug 1505632 -- Security bug 1488199 -- CVE-2023-7024 -- CVE-2024-0333 -- CVE-2024-0225 -- CVE-2024-0224 -- CVE-2024-0223 -- CVE-2024-0222 -- Security bug 1511689 -- CVE-2024-0519 -- CVE-2024-0518 -- Security bug 1506535 -- CVE-2024-0808 -- CVE-2024-0807 -- Security bug 1511389 -- CVE-2024-0810 -- Security bug 1407197 -- Security bug 1519980 -- CVE-2024-1060 -- CVE-2024-1077 -- CVE-2024-1059 -- CVE-2024-1283 -- CVE-2024-1284 - -From 669506a53474e3d7637666d3c53f6101fb94d96f Mon Sep 17 00:00:00 2001 -From: Nidhi Jaju <nidhijaju@chromium.org> -Date: Thu, 2 Nov 2023 08:16:57 +0000 -Subject: [PATCH] [Backport] CVE-2023-5997: Use after free in Garbage - Collection - -Cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/4996929: -Make URLSearchParams persistent to avoid UaF - -The URLSearchParams::Create() function returns an on-heap object, but it -can be garbage collected, so making it a persistent variable in -DidFetchDataLoadedString() mitigates the issue. 
- -Bug: 1497997 -Change-Id: I229efec33451792a10a185cb2f9aa37dd0579823 -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4996929 -Reviewed-by: Adam Rice <ricea@chromium.org> -Commit-Queue: Nidhi Jaju <nidhijaju@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1218682} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/518606 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - chromium/third_party/blink/renderer/core/fetch/body.cc | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/chromium/third_party/blink/renderer/core/fetch/body.cc b/chromium/third_party/blink/renderer/core/fetch/body.cc -index f24125ee271..6f6abd5b961 100644 ---- src/3rdparty/chromium/third_party/blink/renderer/core/fetch/body.cc.orig -+++ src/3rdparty/chromium/third_party/blink/renderer/core/fetch/body.cc -@@ -119,8 +119,13 @@ class BodyFormDataConsumer final : public BodyConsumerBase { - - void DidFetchDataLoadedString(const String& string) override { - auto* formData = MakeGarbageCollected<FormData>(); -- for (const auto& pair : URLSearchParams::Create(string)->Params()) -+ // URLSearchParams::Create() returns an on-heap object, but it can be -+ // garbage collected, so making it a persistent variable on the stack -+ // mitigates use-after-free scenarios. See crbug.com/1497997. -+ Persistent<URLSearchParams> search_params = URLSearchParams::Create(string); -+ for (const auto& pair : search_params->Params()) { - formData->append(pair.first, pair.second); -+ } - DidFetchDataLoadedFormData(formData); - } - }; -From 6c805bf7507997616d826f20c7c901739ed3b431 Mon Sep 17 00:00:00 2001 -From: Yoshisato Yanagisawa <yyanagisawa@chromium.org> -Date: Tue, 7 Nov 2023 02:56:57 +0000 -Subject: [PATCH] [Backport] CVE-2023-6112: Use after free in Navigation - -Cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5004329: -Use WeakPointer for the loader fallback callback. 
- -`MaybeStartLoader` binds an unretained pointer to -`FallbackToNonInterceptedRequest`, which is passed through a series of -objects until it reaches `ServiceWorkerMainResourceLoader`. - -When "network" or "cache" is selected as a ServiceWorker static -routing API's source and caused the network fallback, the unretained -pointer can be released and may cause use-after-free. - -This CL changes the unretained pointer to a weak pointer to avoid that. -For the consistency of the function call, both of the callbacks -starts to use weak pointers. - -Bug: 1499298 -Change-Id: I7e7c93fa389ab35584703f30bfc722eadeca81dd -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5004329 -Reviewed-by: Shunya Shishido <sisidovski@chromium.org> -Reviewed-by: Minoru Chikamune <chikamune@chromium.org> -Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> -Commit-Queue: Yoshisato Yanagisawa <yyanagisawa@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1220697} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/518607 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - chromium/content/browser/loader/navigation_url_loader_impl.cc | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/chromium/content/browser/loader/navigation_url_loader_impl.cc b/chromium/content/browser/loader/navigation_url_loader_impl.cc -index 0e8f73e7d18..0bd83dadec2 100644 ---- src/3rdparty/chromium/content/browser/loader/navigation_url_loader_impl.cc.orig -+++ src/3rdparty/chromium/content/browser/loader/navigation_url_loader_impl.cc -@@ -638,10 +638,10 @@ void NavigationURLLoaderImpl::MaybeStartLoader( - next_interceptor->MaybeCreateLoader( - *resource_request_, browser_context_, - base::BindOnce(&NavigationURLLoaderImpl::MaybeStartLoader, -- base::Unretained(this), next_interceptor), -+ weak_factory_.GetWeakPtr(), next_interceptor), - base::BindOnce( - &NavigationURLLoaderImpl::FallbackToNonInterceptedRequest, -- base::Unretained(this))); 
-+ weak_factory_.GetWeakPtr())); - return; - } - -From d997551c21008fb8d9f5fe9ffe5506af6273ea49 Mon Sep 17 00:00:00 2001 -From: John Stiles <johnstiles@google.com> -Date: Fri, 24 Nov 2023 09:40:11 -0500 -Subject: [PATCH] [Backport] CVE-2023-6345: Integer overflow in Skia (1/2) - -Cherry-pick of patch originally reviewed on -https://skia-review.googlesource.com/c/skia/+/782936: -Avoid combining extremely large meshes. - -Bug: chromium:1505053 -Change-Id: I42f2ff872bbf054686ec7af0cc85ff63055fcfbf -Reviewed-on: https://skia-review.googlesource.com/c/skia/+/782936 -Commit-Queue: Michael Ludwig <michaelludwig@google.com> -Reviewed-by: Michael Ludwig <michaelludwig@google.com> -Auto-Submit: John Stiles <johnstiles@google.com> -(cherry picked from commit 6169a1fabae1743709bc9641ad43fcbb6a4f62e1) -Reviewed-on: https://skia-review.googlesource.com/c/skia/+/783296 -Reviewed-by: John Stiles <johnstiles@google.com> -Commit-Queue: Brian Osman <brianosman@google.com> -Auto-Submit: Brian Osman <brianosman@google.com> -Commit-Queue: John Stiles <johnstiles@google.com> -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/522251 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - chromium/third_party/skia/src/gpu/ganesh/ops/DrawMeshOp.cpp | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/chromium/third_party/skia/src/gpu/ganesh/ops/DrawMeshOp.cpp b/chromium/third_party/skia/src/gpu/ganesh/ops/DrawMeshOp.cpp -index 9b38c0bdb61..4dc885a7431 100644 ---- src/3rdparty/chromium/third_party/skia/src/gpu/ganesh/ops/DrawMeshOp.cpp.orig -+++ src/3rdparty/chromium/third_party/skia/src/gpu/ganesh/ops/DrawMeshOp.cpp -@@ -998,10 +998,13 @@ GrOp::CombineResult MeshOp::onCombineIfPossible(GrOp* t, SkArenaAlloc*, const Gr - return CombineResult::kCannotCombine; - } - -+ if (fVertexCount > INT32_MAX - that->fVertexCount) { -+ return CombineResult::kCannotCombine; -+ } - if (SkToBool(fIndexCount) != SkToBool(that->fIndexCount)) { - return 
CombineResult::kCannotCombine; - } -- if (SkToBool(fIndexCount) && fVertexCount + that->fVertexCount > SkToInt(UINT16_MAX)) { -+ if (SkToBool(fIndexCount) && fVertexCount > UINT16_MAX - that->fVertexCount) { - return CombineResult::kCannotCombine; - } - -From 297e07a3f4008da601f6190e65c5c0368a7a7997 Mon Sep 17 00:00:00 2001 -From: John Stiles <johnstiles@google.com> -Date: Sat, 25 Nov 2023 22:41:31 -0500 -Subject: [PATCH] [Backport] CVE-2023-6345: Integer overflow in Skia (2/2) - -Cherry-pick of patch originally reviewed on -https://skia-review.googlesource.com/c/skia/+/783036: -Use SkToInt to avoid warning in Flutter roll. - -The Flutter roll was failing due to -Wsign-compare. - -Bug: chromium:1505053 -Change-Id: Id12876f6f97682466f19b56cfa562366380f27cb -Reviewed-on: https://skia-review.googlesource.com/c/skia/+/783036 -Auto-Submit: John Stiles <johnstiles@google.com> -Commit-Queue: Brian Osman <brianosman@google.com> -Reviewed-by: Brian Osman <brianosman@google.com> -(cherry picked from commit 0eea0b277d7d35e4c2612646d7dfe507341e337e) -Reviewed-on: https://skia-review.googlesource.com/c/skia/+/782579 -Commit-Queue: John Stiles <johnstiles@google.com> -Reviewed-by: John Stiles <johnstiles@google.com> -Auto-Submit: Brian Osman <brianosman@google.com> -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/522252 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - chromium/third_party/skia/src/gpu/ganesh/ops/DrawMeshOp.cpp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/chromium/third_party/skia/src/gpu/ganesh/ops/DrawMeshOp.cpp b/chromium/third_party/skia/src/gpu/ganesh/ops/DrawMeshOp.cpp -index 4dc885a7431..d594abec6dd 100644 ---- src/3rdparty/chromium/third_party/skia/src/gpu/ganesh/ops/DrawMeshOp.cpp.orig -+++ src/3rdparty/chromium/third_party/skia/src/gpu/ganesh/ops/DrawMeshOp.cpp -@@ -1004,7 +1004,7 @@ GrOp::CombineResult MeshOp::onCombineIfPossible(GrOp* t, SkArenaAlloc*, const Gr - if (SkToBool(fIndexCount) != 
SkToBool(that->fIndexCount)) { - return CombineResult::kCannotCombine; - } -- if (SkToBool(fIndexCount) && fVertexCount > UINT16_MAX - that->fVertexCount) { -+ if (SkToBool(fIndexCount) && fVertexCount > SkToInt(UINT16_MAX) - that->fVertexCount) { - return CombineResult::kCannotCombine; - } - -From 41b5dbaa659003d91ebf1b1018201d3cb76d4486 Mon Sep 17 00:00:00 2001 -From: Ken Rockot <rockot@google.com> -Date: Thu, 16 Nov 2023 23:23:22 +0000 -Subject: [PATCH] [Backport] CVE-2023-6347: Use after free in Mojo - -Cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5038080: -Reland: Fix IPC Channel pipe teardown - -This is a reland with the new test temporarily disabled on Android -until it can run without disrupting other tests. - -(cherry picked from commit cd4c1f165c16c6d8161b5372ef7f61c715e01a42) - -Fixed: 1494461 -Change-Id: If1d83c2dce62020f78dd50abc460973759002a1a -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5015115 -Commit-Queue: Ken Rockot <rockot@google.com> -Reviewed-by: Robert Sesek <rsesek@chromium.org> -Cr-Original-Commit-Position: refs/heads/main@{#1221953} -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5038080 -Auto-Submit: Ken Rockot <rockot@google.com> -Commit-Queue: Daniel Cheng <dcheng@chromium.org> -Reviewed-by: Daniel Cheng <dcheng@chromium.org> -Cr-Commit-Position: refs/branch-heads/6045@{#1383} -Cr-Branched-From: 905e8bdd32d891451d94d1ec71682e989da2b0a1-refs/heads/main@{#1204232} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/522253 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - chromium/ipc/ipc_mojo_bootstrap.cc | 43 ++++++++++++++++++++++-------- - 1 file changed, 32 insertions(+), 11 deletions(-) - -diff --git a/chromium/ipc/ipc_mojo_bootstrap.cc b/chromium/ipc/ipc_mojo_bootstrap.cc -index b9b5ec389aa..5391400cdb0 100644 ---- src/3rdparty/chromium/ipc/ipc_mojo_bootstrap.cc.orig -+++ 
src/3rdparty/chromium/ipc/ipc_mojo_bootstrap.cc -@@ -793,13 +793,12 @@ class ChannelAssociatedGroupController - // handle. - DCHECK(!endpoint->client()); - DCHECK(endpoint->peer_closed()); -- MarkClosedAndMaybeRemove(endpoint); -+ MarkClosed(endpoint); - } else { -- MarkPeerClosedAndMaybeRemove(endpoint); -+ MarkPeerClosed(endpoint); - } - } -- -- DCHECK(endpoints_.empty()); -+ endpoints_.clear(); - - GetMemoryDumpProvider().RemoveController(this); - } -@@ -844,15 +843,19 @@ class ChannelAssociatedGroupController - base::AutoLock locker(lock_); - encountered_error_ = true; - -+ std::vector<uint32_t> endpoints_to_remove; - std::vector<scoped_refptr<Endpoint>> endpoints_to_notify; - for (auto iter = endpoints_.begin(); iter != endpoints_.end();) { - Endpoint* endpoint = iter->second.get(); - ++iter; - -- if (endpoint->client()) -+ if (endpoint->client()) { - endpoints_to_notify.push_back(endpoint); -+ } - -- MarkPeerClosedAndMaybeRemove(endpoint); -+ if (MarkPeerClosed(endpoint)) { -+ endpoints_to_remove.push_back(endpoint->id()); -+ } - } - - for (auto& endpoint : endpoints_to_notify) { -@@ -861,6 +864,10 @@ class ChannelAssociatedGroupController - if (endpoint->client()) - NotifyEndpointOfError(endpoint.get(), false /* force_async */); - } -+ -+ for (uint32_t id : endpoints_to_remove) { -+ endpoints_.erase(id); -+ } - } - - void NotifyEndpointOfError(Endpoint* endpoint, bool force_async) { -@@ -899,19 +906,33 @@ class ChannelAssociatedGroupController - NotifyEndpointOfError(endpoint, false /* force_async */); - } - -- void MarkClosedAndMaybeRemove(Endpoint* endpoint) { -+ // Marks `endpoint` as closed and returns true if and only if its peer was -+ // also already closed. 
-+ bool MarkClosed(Endpoint* endpoint) { - lock_.AssertAcquired(); - endpoint->set_closed(); -- if (endpoint->closed() && endpoint->peer_closed()) -- endpoints_.erase(endpoint->id()); -+ return endpoint->peer_closed(); - } - -- void MarkPeerClosedAndMaybeRemove(Endpoint* endpoint) { -+ // Marks `endpoint` as having a closed peer and returns true if and only if -+ // `endpoint` itself was also already closed. -+ bool MarkPeerClosed(Endpoint* endpoint) { - lock_.AssertAcquired(); - endpoint->set_peer_closed(); - endpoint->SignalSyncMessageEvent(); -- if (endpoint->closed() && endpoint->peer_closed()) -+ return endpoint->closed(); -+ } -+ -+ void MarkClosedAndMaybeRemove(Endpoint* endpoint) { -+ if (MarkClosed(endpoint)) { - endpoints_.erase(endpoint->id()); -+ } -+ } -+ -+ void MarkPeerClosedAndMaybeRemove(Endpoint* endpoint) { -+ if (MarkPeerClosed(endpoint)) { -+ endpoints_.erase(endpoint->id()); -+ } - } - - Endpoint* FindOrInsertEndpoint(mojo::InterfaceId id, bool* inserted) { -From 148f39658c9977dcdfe8a51e212ce936f246dcfc Mon Sep 17 00:00:00 2001 -From: Alvin Ji <alvinji@chromium.org> -Date: Fri, 17 Nov 2023 00:56:14 +0000 -Subject: [PATCH] [Backport] CVE-2023-6346: Use after free in WebAudio - -Manual cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5037917: -Check context status before creating new platform destination - -RealtimeAudioDestinationHandler::SetSinkDescriptor creates new -destination platofrm without validating context status. This can -reactivate the audio rendering thread when AudioContext is already in -closed state. 
-
-(cherry picked from commit 0f9bb9a1083865d4e51059e588f27f729ab32753)
-
-Bug: 1500856
-Change-Id: If1fd531324b56fcdc38d315fd84d4cec577a14bc
-Test: Locally confirmed with ASAN
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5021160
-Reviewed-by: Alvin Ji <alvinji@chromium.org>
-Commit-Queue: Alvin Ji <alvinji@chromium.org>
-Reviewed-by: Hongchan Choi <hongchan@chromium.org>
-Cr-Original-Commit-Position: refs/heads/main@{#1223168}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5037917
-Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
-Commit-Queue: Hongchan Choi <hongchan@chromium.org>
-Cr-Commit-Position: refs/branch-heads/5993@{#1619}
-Cr-Branched-From: 511350718e646be62331ae9d7213d10ec320d514-refs/heads/main@{#1192594}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/522254
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../webaudio/realtime_audio_destination_handler.cc | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/chromium/third_party/blink/renderer/modules/webaudio/realtime_audio_destination_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/realtime_audio_destination_handler.cc
-index 8cc1d9dadcb..0cde579951a 100644
---- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/realtime_audio_destination_handler.cc.orig
-+++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/realtime_audio_destination_handler.cc
-@@ -398,6 +398,17 @@ void RealtimeAudioDestinationHandler::SetSinkDescriptor(
- MaxChannelCount(), GetCallbackBufferSize()));
- DCHECK(IsMainThread());
-
-+ // After the context is closed, `SetSinkDescriptor` request will be ignored
-+ // because it will trigger the recreation of the platform destination. This in
-+ // turn can activate the audio rendering thread.
-+ AudioContext* context = static_cast<AudioContext*>(Context());
-+ CHECK(context);
-+ if (context->ContextState() == AudioContext::kClosed) {
-+ std::move(callback).Run(
-+ media::OutputDeviceStatus::OUTPUT_DEVICE_STATUS_ERROR_INTERNAL);
-+ return;
-+ }
-+
- // Create a pending AudioDestination to replace the current one.
- scoped_refptr<AudioDestination> pending_platform_destination =
- AudioDestination::Create(
-From db834bc30340727483633a92bbf27eb60839a56f Mon Sep 17 00:00:00 2001
-From: Jordan Bayles <jophba@chromium.org>
-Date: Fri, 6 Oct 2023 23:50:59 +0000
-Subject: [PATCH] [Backport] CVE-2023-6510: Use after free in Media Capture
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/4908770:
-Fix UaF in WebContentsFrameTracker
-
-This patch fixes a use-after-free by moving to a base::WeakPtr
-instead of a raw_ptr. Looking at the callstack in the referenced bug, what is clearly happening is that the frame tracker is deleted AFTER the capture device. I believe that this is due to the MouseCursorOverlayController being deleted through the DeleteOnUIThread destructor, which, if you are already on the UI thread, is synchronous:
-
-https://source.chromium.org/chromium/chromium/src/+/main:content/public/browser/browser_thread.h;l=141?q=BrowserThread::DeleteOnThread&ss=chromium%2Fchromium%2Fsrc
-
-In comparison, the WebContentsFrameTracker is implemented using base::SequenceBound, which ends up calling an internal destruct method that ALWAYS posts back a task:
-
-https://source.chromium.org/chromium/chromium/src/+/main:base/threading/sequence_bound_internal.h;drc=f5bdc89c7395ed24f1b8d196a3bdd6232d5bf771;l=122
-
-So, this bug is ultimately caused by the simple fact that base::SequenceBound does NOT have an optimization to not post a deletion task if we are already running on that sequence.
There may be a good followup task here to change either DeleteOnThread or base::SequenceBound to have the same behavior, however I think this change a good first step.
-
-Bug: 1480152
-Change-Id: Iee2d41e66b10403d6c78547bcbe84d2454236d5b
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4908770
-Reviewed-by: Mark Foltz <mfoltz@chromium.org>
-Commit-Queue: Jordan Bayles <jophba@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1206698}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/523710
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../media/capture/web_contents_frame_tracker.cc | 17 +++++++++++------
- .../media/capture/web_contents_frame_tracker.h | 11 +++++------
- 2 files changed, 16 insertions(+), 12 deletions(-)
-
-diff --git a/chromium/content/browser/media/capture/web_contents_frame_tracker.cc b/chromium/content/browser/media/capture/web_contents_frame_tracker.cc
-index 353f47f24af..9e3e3e82809 100644
---- src/3rdparty/chromium/content/browser/media/capture/web_contents_frame_tracker.cc.orig
-+++ src/3rdparty/chromium/content/browser/media/capture/web_contents_frame_tracker.cc
-@@ -126,17 +126,20 @@ WebContentsFrameTracker::WebContentsFrameTracker(
- base::WeakPtr<WebContentsVideoCaptureDevice> device,
- MouseCursorOverlayController* cursor_controller)
- : device_(std::move(device)),
-- device_task_runner_(std::move(device_task_runner)) {
-+ device_task_runner_(std::move(device_task_runner))
-+#if !BUILDFLAG(IS_ANDROID)
-+ ,
-+ cursor_controller_(cursor_controller->GetWeakPtr())
-+#endif
-+{
- // Verify on construction that this object is created on the UI thread. After
- // this, depend on the sequence checker to ensure consistent execution.
- DCHECK_CURRENTLY_ON(BrowserThread::UI);
- DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
--
-- DCHECK(device_task_runner_);
-+ CHECK(device_task_runner_);
-
- #if !BUILDFLAG(IS_ANDROID)
-- cursor_controller_ = cursor_controller;
-- DCHECK(cursor_controller_);
-+ CHECK(cursor_controller_);
- #endif
- }
-
-@@ -516,7 +519,9 @@ void WebContentsFrameTracker::SetTargetView(gfx::NativeView view) {
- return;
- target_native_view_ = view;
- #if !BUILDFLAG(IS_ANDROID)
-- cursor_controller_->SetTargetView(view);
-+ if (cursor_controller_) {
-+ cursor_controller_->SetTargetView(view);
-+ }
- #endif
- }
-
-diff --git a/chromium/content/browser/media/capture/web_contents_frame_tracker.h b/chromium/content/browser/media/capture/web_contents_frame_tracker.h
-index f15b09619de..c6485cc6fdf 100644
---- src/3rdparty/chromium/content/browser/media/capture/web_contents_frame_tracker.h.orig
-+++ src/3rdparty/chromium/content/browser/media/capture/web_contents_frame_tracker.h
-@@ -171,13 +171,12 @@ class CONTENT_EXPORT WebContentsFrameTracker final
- // The task runner to be used for device callbacks.
- const scoped_refptr<base::SequencedTaskRunner> device_task_runner_;
-
-- // Owned by FrameSinkVideoCaptureDevice. This will be valid for the life of
-- // WebContentsFrameTracker because the WebContentsFrameTracker deleter task
-- // will be posted to the UI thread before the MouseCursorOverlayController
-- // deleter task.
-+ // Owned by FrameSinkVideoCaptureDevice. This may only be accessed on the
-+ // UI thread. This is not guaranteed to be valid and must be checked before
-+ // use.
-+ // https://crbug.com/1480152
- #if !BUILDFLAG(IS_ANDROID)
-- raw_ptr<MouseCursorOverlayController, DanglingUntriaged> cursor_controller_ =
-- nullptr;
-+ const base::WeakPtr<MouseCursorOverlayController> cursor_controller_;
- #endif
-
- // We may not have a frame sink ID target at all times.
-From d8d7dc06d0423ad9fdcbe23e741c24b560ff97b8 Mon Sep 17 00:00:00 2001
-From: Evan Stade <estade@chromium.org>
-Date: Wed, 4 Oct 2023 00:08:36 +0000
-Subject: [PATCH] [Backport] Security bug 1485266
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/4902775:
-Drag and drop: prevent cross-origin same-tab drags that span navigations
-
-In IsValidDragTarget, the old RenderViewHostID comparison was not
-necessary to distinguish between same- and different-tab drags because,
-contrary to the previous comment, that case is covered by the
-`drag_start_` check. This check was only serving to permit some drags
-which were same-tab, but not same-RVH, which should be disallowed.
-
-A complete rundown of the business logic and the reason for the
-business logic is here:
-https://bugs.chromium.org/p/chromium/issues/detail?id=1266953#c22
-
-A regression test is added which is confirmed to fail without this fix,
-but only on Chrome OS because that's the only Aura platform where the
-DND interactive UI tests are not already disabled (Windows and Linux
-were disabled).
-
-Bug: 1485266
-Change-Id: Ifdd6eec14df42372b0afc8ccba779a948cbaaaa7
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4902775
-Commit-Queue: Evan Stade <estade@chromium.org>
-Reviewed-by: Daniel Cheng <dcheng@chromium.org>
-Reviewed-by: Charlie Reis <creis@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1204930}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/523711
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../web_contents/web_contents_view_aura.cc | 44 ++++++-------------
- .../web_contents/web_contents_view_aura.h | 26 +++--------
- 2 files changed, 20 insertions(+), 50 deletions(-)
-
-diff --git a/chromium/content/browser/web_contents/web_contents_view_aura.cc b/chromium/content/browser/web_contents/web_contents_view_aura.cc
-index 37b75adc1ef..c96e932aacc 100644
---- src/3rdparty/chromium/content/browser/web_contents/web_contents_view_aura.cc.orig
-+++ src/3rdparty/chromium/content/browser/web_contents/web_contents_view_aura.cc
-@@ -765,13 +765,10 @@ void WebContentsViewAura::PrepareDropData(
- // Do not add FileContents if this is a tainted-cross-origin same-page image
- // (https://crbug.com/1264873).
- bool access_allowed =
-- // Drag started outside blink.
- !drag_start_ ||
-- // Drag began in blink, but image access is allowed.
-- drag_start_->image_accessible_from_frame ||
-- // Drag began in blink, but in a different WebContents.
-- GetRenderViewHostID(web_contents_->GetRenderViewHost()) !=
-- drag_start_->view_id;
-+ // Drag began in this top-level WebContents, and image access is allowed
-+ // (not cross-origin).
-+ drag_start_->image_accessible_from_frame;
- data.GetFilenames(&drop_data->filenames);
- if (access_allowed && drop_data->filenames.empty()) {
- base::FilePath filename;
-@@ -887,6 +884,8 @@ bool WebContentsViewAura::IsValidDragTarget(
- // drags between cross-origin frames within the same page.
Otherwise, a
- // malicious attacker could abuse drag interactions to leak information
- // across origins without explicit user intent.
-+ // `drag_start_` is null when the drag started outside of the browser or from
-+ // a different top-level WebContents.
- if (!drag_start_)
- return true;
-
-@@ -894,35 +893,19 @@ bool WebContentsViewAura::IsValidDragTarget(
- // perform the check unless it already has access to the starting
- // document's origin. If the SiteInstanceGroups match, then the process
- // allocation policy decided that it is OK for the source and target
-- // frames to live in the same renderer process. Furthermore, it means that
-- // either the source and target frame are part of the same `blink::Page` or
-- // that there is an opener relationship and would cross tab boundaries. Allow
-- // this drag to the renderer. Blink will perform an additional check against
-+ // frames to live in the same renderer process. Furthermore, having matching
-+ // SiteInstanceGroups means that either (1) the source and target frame are
-+ // part of the same blink::Page, or (2) that they are in the same Browsing
-+ // Context Group and the drag would cross tab boundaries (the latter of which
-+ // can't happen here since `drag_start_` is null). Allow this drag to the
-+ // renderer. Blink will perform an additional check against
- // `blink::DragController::drag_initiator_` to decide whether or not to
- // allow the drag operation. This can be done in the renderer, as the
- // browser-side checks only have local tree fragment (potentially with
- // multiple origins) granularity at best, but a drag operation eventually
- // targets one single frame in that local tree fragment.
-- bool same_site_instance_group = target_rwh->GetSiteInstanceGroup()->GetId() ==
-- drag_start_->site_instance_group_id;
-- if (same_site_instance_group)
-- return true;
--
-- // Otherwise, if the SiteInstanceGroups do not match, enforce explicit
-- // user intent by ensuring this drag operation is crossing page boundaries.
-- // `drag_start_->view_id` is set to the main `RenderFrameHost`'s
-- // `RenderViewHost`'s ID when a drag starts, so if the two IDs match here,
-- // the drag is within the same page and disallowed.
-- //
-- // Drags between an embedder and an inner `WebContents` will disallowed by
-- // the above view ID check because `WebContentsViewAura` is always created
-- // for the outermost view. Inner `WebContents` will have a
-- // `WebContentsViewChildFrame` so when dragging between an inner
-- // `WebContents` and its embedder the view IDs will be the same.
-- bool cross_tab_drag =
-- GetRenderViewHostID(web_contents_->GetRenderViewHost()) !=
-- drag_start_->view_id;
-- return cross_tab_drag;
-+ return target_rwh->GetSiteInstanceGroup()->GetId() ==
-+ drag_start_->site_instance_group_id;
- }
-
- ////////////////////////////////////////////////////////////////////////////////
-@@ -1180,7 +1163,6 @@ void WebContentsViewAura::StartDragging(
-
- drag_start_ =
- DragStart(source_rwh->GetSiteInstanceGroup()->GetId(),
-- GetRenderViewHostID(web_contents_->GetRenderViewHost()),
- drop_data.file_contents_image_accessible);
-
- ui::TouchSelectionController* selection_controller = GetSelectionController();
-diff --git a/chromium/content/browser/web_contents/web_contents_view_aura.h b/chromium/content/browser/web_contents/web_contents_view_aura.h
-index dc308525002..48d30860e5e 100644
---- src/3rdparty/chromium/content/browser/web_contents/web_contents_view_aura.h.orig
-+++ src/3rdparty/chromium/content/browser/web_contents/web_contents_view_aura.h
-@@ -162,7 +162,7 @@ class CONTENT_EXPORT WebContentsViewAura
-
- // Returns whether |target_rwh| is a valid
RenderWidgetHost to be dragging
- // over. This enforces that same-page, cross-site drags are not allowed. See
-- // crbug.com/666858.
-+ // crbug.com/666858, crbug.com/1266953, crbug.com/1485266.
- bool IsValidDragTarget(RenderWidgetHostImpl* target_rwh) const;
-
- // Called from CreateView() to create |window_|.
-@@ -342,7 +342,7 @@ class CONTENT_EXPORT WebContentsViewAura
- std::unique_ptr<WindowObserver> window_observer_;
-
- // The WebContentsImpl whose contents we display.
-- raw_ptr<WebContentsImpl> web_contents_;
-+ const raw_ptr<WebContentsImpl> web_contents_;
-
- std::unique_ptr<WebContentsViewDelegate> delegate_;
-
-@@ -360,33 +360,21 @@ class CONTENT_EXPORT WebContentsViewAura
- // avoid sending the drag exited message after leaving the current view.
- GlobalRoutingID current_rvh_for_drag_;
-
-- // We track the IDs of the source RenderProcessHost and RenderViewHost from
-- // which the current drag originated. These are used to ensure that drag
-- // events do not fire over a cross-site frame (with respect to the source
-- // frame) in the same page (see crbug.com/666858). Specifically, the
-- // RenderViewHost is used to check the "same page" property, while the
-- // RenderProcessHost is used to check the "cross-site" property. Note that the
-- // reason the RenderProcessHost is tracked instead of the RenderWidgetHost is
-- // so that we still allow drags between non-contiguous same-site frames (such
-- // frames will have the same process, but different widgets). Note also that
-- // the RenderViewHost may not be in the same process as the RenderProcessHost,
-- // since the view corresponds to the page, while the process is specific to
-- // the frame from which the drag started.
-- // We also track whether a dragged image is accessible from its frame, so we
-- // can disallow tainted-cross-origin same-page drag-drop.
-+ // Used to track security-salient details about a drag source.
See
-+ // documentation in `IsValidDragTarget()` for `site_instance_group_id`.
-+ // See crbug.com/1264873 for `image_accessible_from_frame`.
- struct DragStart {
- DragStart(SiteInstanceGroupId site_instance_group_id,
-- GlobalRoutingID view_id,
- bool image_accessible_from_frame)
- : site_instance_group_id(site_instance_group_id),
-- view_id(view_id),
- image_accessible_from_frame(image_accessible_from_frame) {}
- ~DragStart() = default;
-
- SiteInstanceGroupId site_instance_group_id;
-- GlobalRoutingID view_id;
- bool image_accessible_from_frame;
- };
-+ // Will hold a value when the current drag started in this page (outermost
-+ // WebContents).
- absl::optional<DragStart> drag_start_;
-
- // Responsible for handling gesture-nav and pull-to-refresh UI.
-From fe07848de4cd69e57f79528a70c75075ca2951dc Mon Sep 17 00:00:00 2001
-From: Zakhar Voit <voit@google.com>
-Date: Thu, 14 Dec 2023 11:11:43 +0000
-Subject: [PATCH] [Backport] CVE-2023-6702: Type Confusion in V8
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/v8/v8/+/5110982:
-Fix the case when the closure has run
-
-M114 changes:
-- replace IsNativeContext(*context) by context->IsNativeContext()
-
-We were using the closure pointing to NativeContext as a marker that the
-closure has run, but async stack trace code was confused about it.
-
-(cherry picked from commit bde3d360097607f36cd1d17cbe8412b84eae0a7f)
-
-Bug: chromium:1501326
-Change-Id: I30d438f3b2e3fdd7562ea9a79dde4561ce9b0083
-Cr-Original-Commit-Position: refs/heads/main@{#90949}
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5110982
-Commit-Queue: Marja Hölttä <marja@chromium.org>
-Auto-Submit: Marja Hölttä <marja@chromium.org>
-Cr-Commit-Position: refs/branch-heads/12.0@{#18}
-Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
-Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
-(cherry picked from commit cbd09b2ca928f1fd929ef52e173aa81213e38cb8)
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526344
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- chromium/v8/src/execution/isolate.cc | 24 +++++++++++++++++++++---
- 1 file changed, 21 insertions(+), 3 deletions(-)
-
-diff --git a/chromium/v8/src/execution/isolate.cc b/chromium/v8/src/execution/isolate.cc
-index 1c6c464dd6f..d0dc49cd754 100644
---- src/3rdparty/chromium/v8/src/execution/isolate.cc.orig
-+++ src/3rdparty/chromium/v8/src/execution/isolate.cc
-@@ -974,7 +974,13 @@ void CaptureAsyncStackTrace(Isolate* isolate, Handle<JSPromise> promise,
- isolate);
- builder->AppendPromiseCombinatorFrame(function, combinator);
-
-- // Now peak into the Promise.all() resolve element context to
-+ if (context->IsNativeContext()) {
-+ // NativeContext is used as a marker that the closure was already
-+ // called. We can't access the reject element context any more.
-+ return;
-+ }
-+
-+ // Now peek into the Promise.all() resolve element context to
- // find the promise capability that's being resolved when all
- // the concurrent promises resolve.
- int const index =
-@@ -993,7 +999,13 @@ void CaptureAsyncStackTrace(Isolate* isolate, Handle<JSPromise> promise,
- context->native_context().promise_all_settled(), isolate);
- builder->AppendPromiseCombinatorFrame(function, combinator);
-
-- // Now peak into the Promise.allSettled() resolve element context to
-+ if (context->IsNativeContext()) {
-+ // NativeContext is used as a marker that the closure was already
-+ // called. We can't access the reject element context any more.
-+ return;
-+ }
-+
-+ // Now peek into the Promise.allSettled() resolve element context to
- // find the promise capability that's being resolved when all
- // the concurrent promises resolve.
- int const index =
-@@ -1011,7 +1023,13 @@ void CaptureAsyncStackTrace(Isolate* isolate, Handle<JSPromise> promise,
- isolate);
- builder->AppendPromiseCombinatorFrame(function, combinator);
-
-- // Now peak into the Promise.any() reject element context to
-+ if (context->IsNativeContext()) {
-+ // NativeContext is used as a marker that the closure was already
-+ // called. We can't access the reject element context any more.
-+ return;
-+ }
-+
-+ // Now peek into the Promise.any() reject element context to
- // find the promise capability that's being resolved when any of
- // the concurrent promises resolve.
- int const index = PromiseBuiltins::kPromiseAnyRejectElementCapabilitySlot;
-From e935bf78711c7b8e3938eb3b58d6d61fa7fc2127 Mon Sep 17 00:00:00 2001
-From: Paul Semel <paulsemel@chromium.org>
-Date: Wed, 6 Dec 2023 15:52:56 +0000
-Subject: [PATCH] [Backport] CVE-2023-6703: Use after free in Blink
-
-Cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5071252:
-[M120] ImageBitmapFactory: fix empty context dcheck
-
-Approved by:
-https://bugs.chromium.org/p/chromium/issues/detail?id=1502102#c34
-
-(cherry picked from commit c4d2f15b8f97076c8fd0f9aa5814b94db698b75c)
-
-Fixed: 1502102
-Change-Id: Ib42d2897d62136ae835561bcf56884b5624060a5
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5071252
-Commit-Queue: Paul Semel <paulsemel@chromium.org>
-Reviewed-by: Jean-Philippe Gravel <jpgravel@chromium.org>
-Cr-Original-Commit-Position: refs/heads/main@{#1230617}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5088373
-Auto-Submit: Arthur Sonzogni <arthursonzogni@google.com>
-Reviewed-by: Paul Semel <paulsemel@chromium.org>
-Cr-Commit-Position: refs/branch-heads/6099@{#1416}
-Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526345
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../modules/canvas/imagebitmap/image_bitmap_factories.cc | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/chromium/third_party/blink/renderer/modules/canvas/imagebitmap/image_bitmap_factories.cc b/chromium/third_party/blink/renderer/modules/canvas/imagebitmap/image_bitmap_factories.cc
-index 99feb736a50..3a546a64fe8 100644
---- src/3rdparty/chromium/third_party/blink/renderer/modules/canvas/imagebitmap/image_bitmap_factories.cc.orig
-+++ src/3rdparty/chromium/third_party/blink/renderer/modules/canvas/imagebitmap/image_bitmap_factories.cc
-@@ -156,7 +156,9 @@
ScriptPromise ImageBitmapFactories::CreateImageBitmapFromBlob(
- ImageBitmapSource* bitmap_source,
- absl::optional<gfx::Rect> crop_rect,
- const ImageBitmapOptions* options) {
-- DCHECK(script_state->ContextIsValid());
-+ if (!script_state->ContextIsValid()) {
-+ return ScriptPromise();
-+ }
-
- // imageOrientation: 'from-image' will be used to replace imageOrientation:
- // 'none'. Adding a deprecation warning when 'none' is called in
-From d5f5cda70cad9ce87e306a1843cf5970bda04236 Mon Sep 17 00:00:00 2001
-From: Guido Urdaneta <guidou@chromium.org>
-Date: Fri, 1 Dec 2023 08:19:24 +0000
-Subject: [PATCH] [Backport] CVE-2023-6705: Use after free in WebRTC
-
-Cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5077845:
-Drop frames received on the wrong task runner
-
-It can happen during transfer that a frame is posted from the
-background media thread to the task runner of the old execution
-context, which can lead to races and UAF.
-
-This CL makes underlying sources drop frames received on the
-wrong task runner to avoid the problem.
-
-Bug: 1505708
-Change-Id: I686228d88cb1c48bdf8c0b6bf85edd280a54300a
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5077845
-Commit-Queue: Guido Urdaneta <guidou@chromium.org>
-Reviewed-by: Tony Herre <toprice@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1231802}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526346
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../rtc_encoded_audio_underlying_source.cc | 10 +++++++++-
- .../rtc_encoded_video_underlying_source.cc | 10 +++++++++-
- 2 files changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/chromium/third_party/blink/renderer/modules/peerconnection/rtc_encoded_audio_underlying_source.cc b/chromium/third_party/blink/renderer/modules/peerconnection/rtc_encoded_audio_underlying_source.cc
-index 56926ce628fb..64348f4a273e 100644
---- src/3rdparty/chromium/third_party/blink/renderer/modules/peerconnection/rtc_encoded_audio_underlying_source.cc.orig
-+++ src/3rdparty/chromium/third_party/blink/renderer/modules/peerconnection/rtc_encoded_audio_underlying_source.cc
-@@ -60,7 +60,15 @@ void RTCEncodedAudioUnderlyingSource::Trace(Visitor* visitor) const {
-
- void RTCEncodedAudioUnderlyingSource::OnFrameFromSource(
- std::unique_ptr<webrtc::TransformableFrameInterface> webrtc_frame) {
-- DCHECK(task_runner_->BelongsToCurrentThread());
-+ // It can happen that a frame is posted to the task runner of the old
-+ // execution context during a stream transfer to a new context.
-+ // TODO(https://crbug.com/1506631): Make the state updates related to the
-+ // transfer atomic and turn this into a DCHECK.
-+ if (!task_runner_->BelongsToCurrentThread()) {
-+ DVLOG(1) << "Dropped frame posted to incorrect task runner. This can "
-+ "happen during transfer.";
-+ return;
-+ }
- // If the source is canceled or there are too many queued frames,
- // drop the new frame.
- if (!disconnect_callback_ || !GetExecutionContext()) { -diff --git a/chromium/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_source.cc b/chromium/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_source.cc -index 54ca7d1529b1..8fb1d8460e28 100644 ---- src/3rdparty/chromium/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_source.cc.orig -+++ src/3rdparty/chromium/third_party/blink/renderer/modules/peerconnection/rtc_encoded_video_underlying_source.cc -@@ -58,7 +58,15 @@ void RTCEncodedVideoUnderlyingSource::Trace(Visitor* visitor) const { - - void RTCEncodedVideoUnderlyingSource::OnFrameFromSource( - std::unique_ptr<webrtc::TransformableVideoFrameInterface> webrtc_frame) { -- DCHECK(task_runner_->BelongsToCurrentThread()); -+ // It can happen that a frame is posted to the task runner of the old -+ // execution context during a stream transfer to a new context. -+ // TODO(https://crbug.com/1506631): Make the state updates related to the -+ // transfer atomic and turn this into a DCHECK. -+ if (!task_runner_->BelongsToCurrentThread()) { -+ DVLOG(1) << "Dropped frame posted to incorrect task runner. This can " -+ "happen during transfer."; -+ return; -+ } - // If the source is canceled or there are too many queued frames, - // drop the new frame. - if (!disconnect_callback_ || !GetExecutionContext()) { -From 9050bef97ea5f15232210e6d1096e9badc04d13e Mon Sep 17 00:00:00 2001 -From: Yi Gu <yigu@chromium.org> -Date: Tue, 28 Nov 2023 15:51:40 +0000 -Subject: [PATCH] [Backport] CVE-2023-6706: Use after free in FedCM - -Manual cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5095846: -[M114-LTS][FedCM] Check API permission before showing accounts UI - -M114 merge issues: - content/browser/webid/federated_auth_request_impl.h/cc: - - The GetApiPermissionStatus() doesn't exist in 114, it uses api_permission_delegate_ - directly. 
-
-The accounts fetch could be delayed for legitimate reasons. A user may be
-able to disable FedCM API (e.g. via settings or dismissing another FedCM
-UI on the same RP origin) before the browser receives the accounts
-response.
-
-This patch checks the API permission before showing the accounts UI.
-
-Change-Id: Idbbe88912941113ec3f54d7f222845cd774dc897
-Bug: 1500921
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5064052
-Commit-Queue: Yi Gu <yigu@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1229912}
-(cherry picked from commit 98676a2f66c4b4b802316eef70f4aab77e631f85)
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526347
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../browser/webid/federated_auth_request_impl.cc | 13 +++++++++++++
- 1 file changed, 13 insertions(+)
-
-diff --git a/chromium/content/browser/webid/federated_auth_request_impl.cc b/chromium/content/browser/webid/federated_auth_request_impl.cc
-index cbae35e588c..8242b6cc502 100644
---- src/3rdparty/chromium/content/browser/webid/federated_auth_request_impl.cc.orig
-+++ src/3rdparty/chromium/content/browser/webid/federated_auth_request_impl.cc
-@@ -867,6 +867,19 @@ void FederatedAuthRequestImpl::MaybeShowAccountsDialog() {
- return;
- }
-
-+ // The accounts fetch could be delayed for legitimate reasons. A user may be
-+ // able to disable FedCM API (e.g. via settings or dismissing another FedCM UI
-+ // on the same RP origin) before the browser receives the accounts response.
-+ // We should exit early without showing any UI.
-+ if (api_permission_delegate_->GetApiPermissionStatus(GetEmbeddingOrigin()) !=
-+ FederatedApiPermissionStatus::GRANTED) {
-+ CompleteRequestWithError(
-+ FederatedAuthRequestResult::kErrorDisabledInSettings,
-+ TokenStatus::kDisabledInSettings,
-+ /*should_delay_callback=*/true);
-+ return;
-+ }
-+
- // The RenderFrameHost may be alive but not visible in the following
- // situations:
- // Situation #1: User switched tabs
-From 4f5687248f9993cf1dacdc034a203b9e2d61c324 Mon Sep 17 00:00:00 2001
-From: Vasiliy Telezhnikov <vasilyt@chromium.org>
-Date: Fri, 1 Dec 2023 17:45:27 +0000
-Subject: [PATCH] [Backport] Security bug 1506726
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5078779:
-Check for slugs count before deserializing Slugs in DrawSlugOp
-
-Count is part of serialized data and while we never serialize values
-less then 1, it can be any value when coming over IPC, we should check
-that it's positive before substacting one.
-
-Bug: 1506726
-Change-Id: I244f50a682f2e852b22ba88f1e9cddddb0fdfcb9
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5078779
-Reviewed-by: Peng Huang <penghuang@chromium.org>
-Commit-Queue: Vasiliy Telezhnikov <vasilyt@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1232013}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526348
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- chromium/cc/paint/paint_op.cc | 10 ++++++----
- 1 file changed, 6 insertions(+), 4 deletions(-)
-
-diff --git a/chromium/cc/paint/paint_op.cc b/chromium/cc/paint/paint_op.cc
-index 225630cb462..6f8c3df3d22 100644
---- src/3rdparty/chromium/cc/paint/paint_op.cc.orig
-+++ src/3rdparty/chromium/cc/paint/paint_op.cc
-@@ -971,10 +971,12 @@ PaintOp* DrawSlugOp::Deserialize(PaintOpReader& reader, void* output) {
- reader.Read(&op->flags);
- unsigned int count = 0;
- reader.Read(&count);
-- reader.Read(&op->slug);
-- op->extra_slugs.resize(count - 1);
-- for (auto& extra_slug : op->extra_slugs) {
-- reader.Read(&extra_slug);
-+ if (count > 0) {
-+ reader.Read(&op->slug);
-+ op->extra_slugs.resize(count - 1);
-+ for (auto& extra_slug : op->extra_slugs) {
-+ reader.Read(&extra_slug);
-+ }
- }
- return op;
- }
-From 6237d58de03877b9ff5bf5bfad1e0eeb6a4c4b4c Mon Sep 17 00:00:00 2001
-From: Kai Ninomiya <kainino@chromium.org>
-Date: Wed, 29 Nov 2023 17:44:48 +0000
-Subject: [PATCH] [Backport] Security bug 1505632
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5069480:
-Fix reinit order in ContextProviderCommandBuffer::BindToCurrentSequence
-
-See comments for explanation.
-
-Bug: 1505632
-Change-Id: I0f43821a9708af91303048332e9fae5e100deee5
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5069480
-Reviewed-by: Saifuddin Hitawala <hitawala@chromium.org>
-Commit-Queue: Kai Ninomiya <kainino@chromium.org>
-Reviewed-by: Brendon Tiszka <tiszka@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1230735}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/526349
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../gpu/context_provider_command_buffer.cc | 24 +++++++++-----
- .../cpp/gpu/context_provider_command_buffer.h | 31 ++++++++++++++++---
- 2 files changed, 44 insertions(+), 11 deletions(-)
-
-diff --git a/chromium/services/viz/public/cpp/gpu/context_provider_command_buffer.cc b/chromium/services/viz/public/cpp/gpu/context_provider_command_buffer.cc
-index 6637a9f89dc..d29c926a49e 100644
---- src/3rdparty/chromium/services/viz/public/cpp/gpu/context_provider_command_buffer.cc.orig
-+++ src/3rdparty/chromium/services/viz/public/cpp/gpu/context_provider_command_buffer.cc
-@@ -169,13 +169,13 @@ gpu::ContextResult ContextProviderCommandBuffer::BindToCurrentSequence() {
- }
-
- // The transfer buffer is used to serialize Dawn commands
-- transfer_buffer_ =
-+ auto transfer_buffer =
- std::make_unique<gpu::TransferBuffer>(webgpu_helper.get());
-
- // The WebGPUImplementation exposes the WebGPUInterface, as well as the
- // gpu::ContextSupport interface.
- auto webgpu_impl = std::make_unique<gpu::webgpu::WebGPUImplementation>(
-- webgpu_helper.get(), transfer_buffer_.get(), command_buffer_.get());
-+ webgpu_helper.get(), transfer_buffer.get(), command_buffer_.get());
- bind_result_ = webgpu_impl->Initialize(memory_limits_);
- if (bind_result_ != gpu::ContextResult::kSuccess) {
- DLOG(ERROR) << "Failed to initialize WebGPUImplementation.";
-@@ -187,8 +187,11 @@ gpu::ContextResult ContextProviderCommandBuffer::BindToCurrentSequence() {
- std::string unique_context_name =
- base::StringPrintf("%s-%p", type_name.c_str(), webgpu_impl.get());
-
-+ // IMPORTANT: These hold raw_ptrs to each other, so must be set together.
-+ // See note in the header (and keep it up to date if things change).
- impl_ = webgpu_impl.get();
- webgpu_interface_ = std::move(webgpu_impl);
-+ transfer_buffer_ = std::move(transfer_buffer);
- helper_ = std::move(webgpu_helper);
- } else if (attributes_.enable_raster_interface &&
- !attributes_.enable_gles2_interface &&
-@@ -206,14 +209,14 @@ gpu::ContextResult ContextProviderCommandBuffer::BindToCurrentSequence() {
- }
- // The transfer buffer is used to copy resources between the client
- // process and the GPU process.
-- transfer_buffer_ =
-+ auto transfer_buffer =
- std::make_unique<gpu::TransferBuffer>(raster_helper.get());
-
- // The RasterImplementation exposes the RasterInterface, as well as the
- // gpu::ContextSupport interface.
- DCHECK(channel_);
- auto raster_impl = std::make_unique<gpu::raster::RasterImplementation>(
-- raster_helper.get(), transfer_buffer_.get(),
-+ raster_helper.get(), transfer_buffer.get(),
- attributes_.bind_generates_resource,
- attributes_.lose_context_when_out_of_memory, command_buffer_.get(),
- channel_->image_decode_accelerator_proxy());
-@@ -230,8 +233,11 @@ gpu::ContextResult ContextProviderCommandBuffer::BindToCurrentSequence() {
- raster_impl->TraceBeginCHROMIUM("gpu_toplevel",
- unique_context_name.c_str());
-
-+ // IMPORTANT: These hold raw_ptrs to each other, so must be set together.
-+ // See note in the header (and keep it up to date if things change).
- impl_ = raster_impl.get();
- raster_interface_ = std::move(raster_impl);
-+ transfer_buffer_ = std::move(transfer_buffer);
- helper_ = std::move(raster_helper);
- } else {
- // The GLES2 helper writes the command buffer protocol.
-@@ -246,7 +252,7 @@ gpu::ContextResult ContextProviderCommandBuffer::BindToCurrentSequence() {
-
- // The transfer buffer is used to copy resources between the client
- // process and the GPU process.
-- transfer_buffer_ =
-+ auto transfer_buffer =
- std::make_unique<gpu::TransferBuffer>(gles2_helper.get());
-
- // The GLES2Implementation exposes the OpenGLES2 API, as well as the
-@@ -259,13 +265,13 @@ gpu::ContextResult ContextProviderCommandBuffer::BindToCurrentSequence() {
- // we only use it if grcontext_support was requested.
- gles2_impl = std::make_unique<
- skia_bindings::GLES2ImplementationWithGrContextSupport>(
-- gles2_helper.get(), /*share_group=*/nullptr, transfer_buffer_.get(),
-+ gles2_helper.get(), /*share_group=*/nullptr, transfer_buffer.get(),
- attributes_.bind_generates_resource,
- attributes_.lose_context_when_out_of_memory,
- support_client_side_arrays, command_buffer_.get());
- } else {
- gles2_impl = std::make_unique<gpu::gles2::GLES2Implementation>(
-- gles2_helper.get(), /*share_group=*/nullptr, transfer_buffer_.get(),
-+ gles2_helper.get(), /*share_group=*/nullptr, transfer_buffer.get(),
- attributes_.bind_generates_resource,
- attributes_.lose_context_when_out_of_memory,
- support_client_side_arrays, command_buffer_.get());
-@@ -276,8 +282,11 @@ gpu::ContextResult ContextProviderCommandBuffer::BindToCurrentSequence() {
- return bind_result_;
- }
-
-+ // IMPORTANT: These hold raw_ptrs to each other, so must be set together.
-+ // See note in the header (and keep it up to date if things change).
- impl_ = gles2_impl.get();
- gles2_impl_ = std::move(gles2_impl);
-+ transfer_buffer_ = std::move(transfer_buffer);
- helper_ = std::move(gles2_helper);
- }
-
-@@ -311,6 +320,7 @@ gpu::ContextResult ContextProviderCommandBuffer::BindToCurrentSequence() {
- switches::kEnableGpuClientTracing)) {
- // This wraps the real GLES2Implementation and we should always use this
- // instead when it's present.
-+ // IMPORTANT: This holds a raw_ptr to gles2_impl_.
- trace_impl_ = std::make_unique<gpu::gles2::GLES2TraceImplementation>(
- gles2_impl_.get());
- gl = trace_impl_.get();
-diff --git a/chromium/services/viz/public/cpp/gpu/context_provider_command_buffer.h b/chromium/services/viz/public/cpp/gpu/context_provider_command_buffer.h
-index e434c1b4fc4..b25506f3b32 100644
---- src/3rdparty/chromium/services/viz/public/cpp/gpu/context_provider_command_buffer.h.orig
-+++ src/3rdparty/chromium/services/viz/public/cpp/gpu/context_provider_command_buffer.h
-@@ -162,19 +162,42 @@ class ContextProviderCommandBuffer
- // associated shared images are destroyed.
- std::unique_ptr<gpu::ClientSharedImageInterface> shared_image_interface_;
-
-- base::Lock context_lock_; // Referenced by command_buffer_.
-+ //////////////////////////////////////////////////////////////////////////////
-+ // IMPORTANT NOTE: All of the objects in this block are part of a complex //
-+ // graph of raw pointers (holder or pointee of various raw_ptrs). They are //
-+ // defined in topological order: only later items point to earlier items. //
-+ // - When writing any member, always ensure its pointers to earlier members
-+ // are guaranteed to stay alive.
-+ // - When clearing OR overwriting any member, always ensure objects that
-+ // point to it have already been cleared.
-+ // - The topological order of definitions guarantees that the
-+ // destructors will be called in the correct order (bottom to top).
-+ // - When overwriting multiple members, similarly do so in reverse order.
-+ //
-+ // Please note these comments are likely not to stay perfectly up-to-date.
-+
-+ base::Lock context_lock_;
-+ // Points to the context_lock_ field of `this`.
- std::unique_ptr<gpu::CommandBufferProxyImpl> command_buffer_;
-+
-+ // Points to command_buffer_.
- std::unique_ptr<gpu::CommandBufferHelper> helper_;
-+ // Points to helper_.
- std::unique_ptr<gpu::TransferBuffer> transfer_buffer_;
-
-+ // Points to transfer_buffer_, helper_, and command_buffer_.
- std::unique_ptr<gpu::gles2::GLES2Implementation> gles2_impl_;
-+ // Points to gles2_impl_.
- std::unique_ptr<gpu::gles2::GLES2TraceImplementation> trace_impl_;
-+ // Points to transfer_buffer_, helper_, and command_buffer_.
- std::unique_ptr<gpu::raster::RasterInterface> raster_interface_;
-+ // Points to transfer_buffer_, helper_, and command_buffer_.
- std::unique_ptr<gpu::webgpu::WebGPUInterface> webgpu_interface_;
-+ // This is an alias for gles2_impl_, raster_interface_, or webgpu_interface_.
-+ raw_ptr<gpu::ImplementationBase> impl_ = nullptr;
-
-- // Owned by one of gles2_impl_, raster_interface_, or webgpu_interface_. It
-- // must be declared last and cleared first.
-- raw_ptr<gpu::ImplementationBase> impl_;
-+ // END IMPORTANT NOTE //
-+ //////////////////////////////////////////////////////////////////////////////
-
- std::unique_ptr<skia_bindings::GrContextForGLES2Interface> gr_context_;
- #if BUILDFLAG(SKIA_USE_DAWN)
-From 536f81c3de46e6e1ac2b23ed610f9526bce14fe4 Mon Sep 17 00:00:00 2001
-From: pthier <pthier@chromium.org>
-Date: Tue, 24 Oct 2023 13:28:22 +0200
-Subject: [PATCH] [Backport] Security bug 1488199 (1/3)
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/v8/v8/+/4971832:
-[regexp] Fix stack check in native code when interrupt was requested
-
-When an interrupt was requested at the time we hit the stack check, the
-check to ensure we have enough space for local variables was skipped.
-
-Bug: chromium:1488199
-Change-Id: I95d82fe737420d2ef43c1ace35560cfd5860829b
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4971832
-Commit-Queue: Patrick Thier <pthier@chromium.org>
-Reviewed-by: Jakob Linke <jgruber@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#90560}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/523712
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../regexp/arm/regexp-macro-assembler-arm.cc | 23 +++++++-----
- .../regexp/arm/regexp-macro-assembler-arm.h | 5 +--
- .../arm64/regexp-macro-assembler-arm64.cc | 21 ++++++-----
- .../arm64/regexp-macro-assembler-arm64.h | 6 ++--
- .../ia32/regexp-macro-assembler-ia32.cc | 19 ++++++----
- .../regexp/ia32/regexp-macro-assembler-ia32.h | 5 +--
- .../v8/src/regexp/regexp-macro-assembler.cc | 5 +--
- .../v8/src/regexp/regexp-macro-assembler.h | 2 +-
- .../regexp/x64/regexp-macro-assembler-x64.cc | 36 +++++++++++--------
- .../regexp/x64/regexp-macro-assembler-x64.h | 4 +--
- 10 files changed, 78 insertions(+), 48 deletions(-)
-
-diff --git a/chromium/v8/src/regexp/arm/regexp-macro-assembler-arm.cc b/chromium/v8/src/regexp/arm/regexp-macro-assembler-arm.cc
-index 8aa815db2ac..6b167fe3dc2 100644
---- src/3rdparty/chromium/v8/src/regexp/arm/regexp-macro-assembler-arm.cc
-+++ src/3rdparty/chromium/v8/src/regexp/arm/regexp-macro-assembler-arm.cc
-@@ -754,11 +754,13 @@ Handle<HeapObject> RegExpMacroAssemblerARM::GetCode(Handle<String> source) {
- __ mov(r0, Operand(stack_limit));
- __ ldr(r0, MemOperand(r0));
- __ sub(r0, sp, r0, SetCC);
-+ Operand extra_space_for_variables(num_registers_ * kSystemPointerSize);
-+
- // Handle it if the stack pointer is already below the stack limit.
- __ b(ls, &stack_limit_hit);
- // Check if there is room for the variable number of registers above
- // the stack limit.
-- __ cmp(r0, Operand(num_registers_ * kSystemPointerSize));
-+ __ cmp(r0, extra_space_for_variables);
- __ b(hs, &stack_ok);
- // Exit with OutOfMemory exception. There is not enough space on the stack
- // for our working registers.
-@@ -766,7 +768,7 @@ Handle<HeapObject> RegExpMacroAssemblerARM::GetCode(Handle<String> source) {
- __ jmp(&return_r0);
-
- __ bind(&stack_limit_hit);
-- CallCheckStackGuardState();
-+ CallCheckStackGuardState(extra_space_for_variables);
- __ cmp(r0, Operand::Zero());
- // If returned value is non-zero, we exit with the returned value as result.
- __ b(ne, &return_r0);
-@@ -1158,16 +1160,18 @@ void RegExpMacroAssemblerARM::ClearRegisters(int reg_from, int reg_to) {
-
- // Private methods:
-
--void RegExpMacroAssemblerARM::CallCheckStackGuardState() {
-+void RegExpMacroAssemblerARM::CallCheckStackGuardState(Operand extra_space) {
- DCHECK(!isolate()->IsGeneratingEmbeddedBuiltins());
- DCHECK(!masm_->options().isolate_independent_code);
-
-- __ PrepareCallCFunction(3);
-+ __ PrepareCallCFunction(4);
-
-+ // Extra space for variables to consider in stack check.
-+ __ mov(arg_reg_4, extra_space);
- // RegExp code frame pointer.
-- __ mov(r2, frame_pointer());
-+ __ mov(arg_reg_3, frame_pointer());
- // InstructionStream of self.
-- __ mov(r1, Operand(masm_->CodeObject()));
-+ __ mov(arg_reg_2, Operand(masm_->CodeObject()));
-
- // We need to make room for the return address on the stack.
- int stack_alignment = base::OS::ActivationFrameAlignment();
-@@ -1195,7 +1199,6 @@ void RegExpMacroAssemblerARM::CallCheckStackGuardState() {
- __ mov(code_pointer(), Operand(masm_->CodeObject()));
- }
-
--
- // Helper function for reading a value out of a stack frame.
- template <typename T>
- static T& frame_entry(Address re_frame, int frame_offset) {
-@@ -1210,7 +1213,8 @@ static T* frame_entry_address(Address re_frame, int frame_offset) {
-
- int RegExpMacroAssemblerARM::CheckStackGuardState(Address* return_address,
- Address raw_code,
-- Address re_frame) {
-+ Address re_frame,
-+ uintptr_t extra_space) {
- InstructionStream re_code = InstructionStream::cast(Object(raw_code));
- return NativeRegExpMacroAssembler::CheckStackGuardState(
- frame_entry<Isolate*>(re_frame, kIsolateOffset),
-@@ -1220,7 +1224,8 @@ int RegExpMacroAssemblerARM::CheckStackGuardState(Address* return_address,
- return_address, re_code,
- frame_entry_address<Address>(re_frame, kInputStringOffset),
- frame_entry_address<const byte*>(re_frame, kInputStartOffset),
-- frame_entry_address<const byte*>(re_frame, kInputEndOffset));
-+ frame_entry_address<const byte*>(re_frame, kInputEndOffset),
-+ extra_space);
- }
-
-
-diff --git a/chromium/v8/src/regexp/arm/regexp-macro-assembler-arm.h b/chromium/v8/src/regexp/arm/regexp-macro-assembler-arm.h
-index 44be0d920b6..e8d9f6d76de 100644
---- src/3rdparty/chromium/v8/src/regexp/arm/regexp-macro-assembler-arm.h
-+++ src/3rdparty/chromium/v8/src/regexp/arm/regexp-macro-assembler-arm.h
-@@ -88,7 +88,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM
- // returning.
- // {raw_code} is an Address because this is called via ExternalReference.
- static int CheckStackGuardState(Address* return_address, Address raw_code,
-- Address re_frame);
-+ Address re_frame, uintptr_t extra_space);
-
- private:
- // Offsets from frame_pointer() of function parameters and stored registers.
-@@ -152,7 +152,8 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM
- // Check whether we are exceeding the stack limit on the backtrack stack.
- void CheckStackLimit();
-
-- void CallCheckStackGuardState();
-+ void CallCheckStackGuardState(
-+ Operand extra_space_for_variables = Operand::Zero());
- void CallIsCharacterInRangeArray(const ZoneList<CharacterRange>* ranges);
-
- // The ebp-relative location of a regexp register.
-diff --git a/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.cc b/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.cc
-index d453922f6bf..e8d48236621 100644
---- src/3rdparty/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.cc
-+++ src/3rdparty/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.cc
-@@ -866,13 +866,14 @@ Handle<HeapObject> RegExpMacroAssemblerARM64::GetCode(Handle<String> source) {
- __ Mov(x10, stack_limit);
- __ Ldr(x10, MemOperand(x10));
- __ Subs(x10, sp, x10);
-+ Operand extra_space_for_variables(num_wreg_to_allocate * kWRegSize);
-
- // Handle it if the stack pointer is already below the stack limit.
- __ B(ls, &stack_limit_hit);
-
- // Check if there is room for the variable number of registers above
- // the stack limit.
-- __ Cmp(x10, num_wreg_to_allocate * kWRegSize);
-+ __ Cmp(x10, extra_space_for_variables);
- __ B(hs, &stack_ok);
-
- // Exit with OutOfMemory exception. There is not enough space on the stack
-@@ -881,7 +882,7 @@ Handle<HeapObject> RegExpMacroAssemblerARM64::GetCode(Handle<String> source) {
- __ B(&return_w0);
-
- __ Bind(&stack_limit_hit);
-- CallCheckStackGuardState(x10);
-+ CallCheckStackGuardState(x10, extra_space_for_variables);
- // If returned value is non-zero, we exit with the returned value as result.
- __ Cbnz(w0, &return_w0);
-
-@@ -1433,7 +1434,8 @@ static T* frame_entry_address(Address re_frame, int frame_offset) {
-
- int RegExpMacroAssemblerARM64::CheckStackGuardState(
- Address* return_address, Address raw_code, Address re_frame,
-- int start_index, const byte** input_start, const byte** input_end) {
-+ int start_index, const byte** input_start, const byte** input_end,
-+ uintptr_t extra_space) {
- InstructionStream re_code = InstructionStream::cast(Object(raw_code));
- return NativeRegExpMacroAssembler::CheckStackGuardState(
- frame_entry<Isolate*>(re_frame, kIsolateOffset), start_index,
-@@ -1441,7 +1443,7 @@ int RegExpMacroAssemblerARM64::CheckStackGuardState(
- frame_entry<int>(re_frame, kDirectCallOffset)),
- return_address, re_code,
- frame_entry_address<Address>(re_frame, kInputStringOffset), input_start,
-- input_end);
-+ input_end, extra_space);
- }
-
-
-@@ -1460,21 +1462,24 @@ void RegExpMacroAssemblerARM64::CheckPosition(int cp_offset,
-
- // Private methods:
-
--void RegExpMacroAssemblerARM64::CallCheckStackGuardState(Register scratch) {
-+void RegExpMacroAssemblerARM64::CallCheckStackGuardState(Register scratch,
-+ Operand extra_space) {
- DCHECK(!isolate()->IsGeneratingEmbeddedBuiltins());
- DCHECK(!masm_->options().isolate_independent_code);
-
- // Allocate space on the stack to store the return address. The
- // CheckStackGuardState C++ function will override it if the code
-- // moved. Allocate extra space for 2 arguments passed by pointers.
-- // AAPCS64 requires the stack to be 16 byte aligned.
-+ // moved. Allocate extra space for 3 arguments (2 for input start/end and 1
-+ // for gap). AAPCS64 requires the stack to be 16 byte aligned.
- int alignment = masm_->ActivationFrameAlignment();
- DCHECK_EQ(alignment % 16, 0);
- int align_mask = (alignment / kXRegSize) - 1;
-- int xreg_to_claim = (3 + align_mask) & ~align_mask;
-+ int xreg_to_claim = (4 + align_mask) & ~align_mask;
-
- __ Claim(xreg_to_claim);
-
-+ __ Mov(x0, extra_space);
-+ __ Poke(x0, 3 * kSystemPointerSize);
- // CheckStackGuardState needs the end and start addresses of the input string.
- __ Poke(input_end(), 2 * kSystemPointerSize);
- __ Add(x5, sp, 2 * kSystemPointerSize);
-diff --git a/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.h b/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.h
-index a5164472b71..05b4eb5bd7b 100644
---- src/3rdparty/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.h
-+++ src/3rdparty/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.h
-@@ -95,7 +95,8 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM64
- static int CheckStackGuardState(Address* return_address, Address raw_code,
- Address re_frame, int start_offset,
- const byte** input_start,
-- const byte** input_end);
-+ const byte** input_end,
-+ uintptr_t extra_space);
-
- private:
- static constexpr int kFramePointerOffset = 0;
-@@ -174,7 +175,8 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerARM64
- // Check whether we are exceeding the stack limit on the backtrack stack.
- void CheckStackLimit();
-
-- void CallCheckStackGuardState(Register scratch);
-+ void CallCheckStackGuardState(Register scratch,
-+ Operand extra_space = Operand(0));
- void CallIsCharacterInRangeArray(const ZoneList<CharacterRange>* ranges);
-
- // Location of a 32 bit position register.
-diff --git a/chromium/v8/src/regexp/ia32/regexp-macro-assembler-ia32.cc b/chromium/v8/src/regexp/ia32/regexp-macro-assembler-ia32.cc
-index 6370e7e57da..8dff4abcb25 100644
---- src/3rdparty/chromium/v8/src/regexp/ia32/regexp-macro-assembler-ia32.cc
-+++ src/3rdparty/chromium/v8/src/regexp/ia32/regexp-macro-assembler-ia32.cc
-@@ -801,11 +801,13 @@ Handle<HeapObject> RegExpMacroAssemblerIA32::GetCode(Handle<String> source) {
- ExternalReference::address_of_jslimit(isolate());
- __ mov(eax, esp);
- __ sub(eax, StaticVariable(stack_limit));
-+ Immediate extra_space_for_variables(num_registers_ * kSystemPointerSize);
-+
- // Handle it if the stack pointer is already below the stack limit.
- __ j(below_equal, &stack_limit_hit);
- // Check if there is room for the variable number of registers above
- // the stack limit.
-- __ cmp(eax, num_registers_ * kSystemPointerSize);
-+ __ cmp(eax, extra_space_for_variables);
- __ j(above_equal, &stack_ok);
- // Exit with OutOfMemory exception. There is not enough space on the stack
- // for our working registers.
-@@ -814,7 +816,7 @@ Handle<HeapObject> RegExpMacroAssemblerIA32::GetCode(Handle<String> source) {
-
- __ bind(&stack_limit_hit);
- __ push(backtrack_stackpointer());
-- CallCheckStackGuardState(ebx);
-+ CallCheckStackGuardState(ebx, extra_space_for_variables);
- __ pop(backtrack_stackpointer());
- __ or_(eax, eax);
- // If returned value is non-zero, we exit with the returned value as result.
-@@ -1214,9 +1216,12 @@ void RegExpMacroAssemblerIA32::ClearRegisters(int reg_from, int reg_to) {
-
- // Private methods:
-
--void RegExpMacroAssemblerIA32::CallCheckStackGuardState(Register scratch) {
-- static const int num_arguments = 3;
-+void RegExpMacroAssemblerIA32::CallCheckStackGuardState(Register scratch,
-+ Immediate extra_space) {
-+ static const int num_arguments = 4;
- __ PrepareCallCFunction(num_arguments, scratch);
-+ // Extra space for variables.
-+ __ mov(Operand(esp, 3 * kSystemPointerSize), extra_space);
- // RegExp code frame pointer.
- __ mov(Operand(esp, 2 * kSystemPointerSize), ebp);
- // InstructionStream of self.
-@@ -1247,7 +1252,8 @@ static T* frame_entry_address(Address re_frame, int frame_offset) {
-
- int RegExpMacroAssemblerIA32::CheckStackGuardState(Address* return_address,
- Address raw_code,
-- Address re_frame) {
-+ Address re_frame,
-+ uintptr_t extra_space) {
- InstructionStream re_code = InstructionStream::cast(Object(raw_code));
- return NativeRegExpMacroAssembler::CheckStackGuardState(
- frame_entry<Isolate*>(re_frame, kIsolateOffset),
-@@ -1257,7 +1263,8 @@ int RegExpMacroAssemblerIA32::CheckStackGuardState(Address* return_address,
- return_address, re_code,
- frame_entry_address<Address>(re_frame, kInputStringOffset),
- frame_entry_address<const byte*>(re_frame, kInputStartOffset),
-- frame_entry_address<const byte*>(re_frame, kInputEndOffset));
-+ frame_entry_address<const byte*>(re_frame, kInputEndOffset),
-+ extra_space);
- }
-
-
-diff --git a/chromium/v8/src/regexp/ia32/regexp-macro-assembler-ia32.h b/chromium/v8/src/regexp/ia32/regexp-macro-assembler-ia32.h
-index 649c61d880e..a33b687c8c3 100644
---- src/3rdparty/chromium/v8/src/regexp/ia32/regexp-macro-assembler-ia32.h
-+++ src/3rdparty/chromium/v8/src/regexp/ia32/regexp-macro-assembler-ia32.h
-@@ -89,7 +89,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerIA32
- // returning.
- // {raw_code} is an Address because this is called via ExternalReference.
- static int CheckStackGuardState(Address* return_address, Address raw_code,
-- Address re_frame);
-+ Address re_frame, uintptr_t extra_space);
-
- private:
- Operand StaticVariable(const ExternalReference& ext);
-@@ -159,7 +159,8 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerIA32
- // Check whether we are exceeding the stack limit on the backtrack stack.
- void CheckStackLimit();
-
-- void CallCheckStackGuardState(Register scratch);
-+ void CallCheckStackGuardState(Register scratch,
-+ Immediate extra_space = Immediate(0));
- void CallIsCharacterInRangeArray(const ZoneList<CharacterRange>* ranges);
-
- // The ebp-relative location of a regexp register.
-diff --git a/chromium/v8/src/regexp/regexp-macro-assembler.cc b/chromium/v8/src/regexp/regexp-macro-assembler.cc
-index 2fcb0a425ec..19c4cc9c8dd 100644
---- src/3rdparty/chromium/v8/src/regexp/regexp-macro-assembler.cc
-+++ src/3rdparty/chromium/v8/src/regexp/regexp-macro-assembler.cc
-@@ -284,14 +284,15 @@ bool NativeRegExpMacroAssembler::CanReadUnaligned() const {
- int NativeRegExpMacroAssembler::CheckStackGuardState(
- Isolate* isolate, int start_index, RegExp::CallOrigin call_origin,
- Address* return_address, InstructionStream re_code, Address* subject,
-- const byte** input_start, const byte** input_end) {
-+ const byte** input_start, const byte** input_end,
-+ uintptr_t gap) {
- DisallowGarbageCollection no_gc;
- Address old_pc = PointerAuthentication::AuthenticatePC(return_address, 0);
- DCHECK_LE(re_code.instruction_start(), old_pc);
- DCHECK_LE(old_pc, re_code.instruction_end());
-
- StackLimitCheck check(isolate);
-- bool js_has_overflowed = check.JsHasOverflowed();
-+ bool js_has_overflowed = check.JsHasOverflowed(gap);
-
- if (call_origin == RegExp::CallOrigin::kFromJs) {
- // Direct calls from JavaScript can be interrupted in two ways:
-diff --git a/chromium/v8/src/regexp/regexp-macro-assembler.h b/chromium/v8/src/regexp/regexp-macro-assembler.h
-index 2ba9e2d28d0..4d16f8a98ad 100644
---- src/3rdparty/chromium/v8/src/regexp/regexp-macro-assembler.h
-+++ src/3rdparty/chromium/v8/src/regexp/regexp-macro-assembler.h
-@@ -334,7 +334,7 @@ class NativeRegExpMacroAssembler: public RegExpMacroAssembler {
- Address* return_address,
- InstructionStream re_code, Address* subject,
- const byte** input_start,
-- const byte** input_end);
-+ const byte** input_end,
uintptr_t gap);
-
- static Address word_character_map_address() {
- return reinterpret_cast<Address>(&word_character_map[0]);
-diff --git a/chromium/v8/src/regexp/x64/regexp-macro-assembler-x64.cc b/chromium/v8/src/regexp/x64/regexp-macro-assembler-x64.cc
-index b6b2f5f5606..83f5cbf2d29 100644
---- src/3rdparty/chromium/v8/src/regexp/x64/regexp-macro-assembler-x64.cc
-+++ src/3rdparty/chromium/v8/src/regexp/x64/regexp-macro-assembler-x64.cc
-@@ -842,11 +842,13 @@ Handle<HeapObject> RegExpMacroAssemblerX64::GetCode(Handle<String> source) {
- __ movq(r9, rsp);
- __ Move(kScratchRegister, stack_limit);
- __ subq(r9, Operand(kScratchRegister, 0));
-+ Immediate extra_space_for_variables(num_registers_ * kSystemPointerSize);
-+
- // Handle it if the stack pointer is already below the stack limit.
- __ j(below_equal, &stack_limit_hit);
- // Check if there is room for the variable number of registers above
- // the stack limit.
-- __ cmpq(r9, Immediate(num_registers_ * kSystemPointerSize));
-+ __ cmpq(r9, extra_space_for_variables);
- __ j(above_equal, &stack_ok);
- // Exit with OutOfMemory exception. There is not enough space on the stack
- // for our working registers.
-@@ -856,7 +858,8 @@ Handle<HeapObject> RegExpMacroAssemblerX64::GetCode(Handle<String> source) {
- __ bind(&stack_limit_hit);
- __ Move(code_object_pointer(), masm_.CodeObject());
- __ pushq(backtrack_stackpointer());
-- CallCheckStackGuardState(); // Preserves no registers beside rbp and rsp.
-+ // CallCheckStackGuardState preserves no registers beside rbp and rsp.
-+ CallCheckStackGuardState(extra_space_for_variables);
- __ popq(backtrack_stackpointer());
- __ testq(rax, rax);
- // If returned value is non-zero, we exit with the returned value as result.
-@@ -1267,35 +1270,38 @@ void RegExpMacroAssemblerX64::ClearRegisters(int reg_from, int reg_to) {
-
- // Private methods:
-
--void RegExpMacroAssemblerX64::CallCheckStackGuardState() {
-+void RegExpMacroAssemblerX64::CallCheckStackGuardState(Immediate extra_space) {
- // This function call preserves no register values. Caller should
- // store anything volatile in a C call or overwritten by this function.
-- static const int num_arguments = 3;
-+ static const int num_arguments = 4;
- __ PrepareCallCFunction(num_arguments);
- #ifdef V8_TARGET_OS_WIN
-+ // Fourth argument: Extra space for variables.
-+ __ movq(arg_reg_4, extra_space);
- // Second argument: InstructionStream of self. (Do this before overwriting
-- // r8).
-- __ movq(rdx, code_object_pointer());
-+ // r8 (arg_reg_3)).
-+ __ movq(arg_reg_2, code_object_pointer());
- // Third argument: RegExp code frame pointer.
-- __ movq(r8, rbp);
-+ __ movq(arg_reg_3, rbp);
- // First argument: Next address on the stack (will be address of
- // return address).
-- __ leaq(rcx, Operand(rsp, -kSystemPointerSize));
-+ __ leaq(arg_reg_1, Operand(rsp, -kSystemPointerSize));
- #else
-+ // Fourth argument: Extra space for variables.
-+ __ movq(arg_reg_4, extra_space);
- // Third argument: RegExp code frame pointer.
-- __ movq(rdx, rbp);
-+ __ movq(arg_reg_3, rbp);
- // Second argument: InstructionStream of self.
-- __ movq(rsi, code_object_pointer());
-+ __ movq(arg_reg_2, code_object_pointer());
- // First argument: Next address on the stack (will be address of
- // return address).
-- __ leaq(rdi, Operand(rsp, -kSystemPointerSize));
-+ __ leaq(arg_reg_1, Operand(rsp, -kSystemPointerSize));
- #endif
- ExternalReference stack_check =
- ExternalReference::re_check_stack_guard_state();
- CallCFunctionFromIrregexpCode(stack_check, num_arguments);
- }
-
--
- // Helper function for reading a value out of a stack frame.
- template <typename T>
- static T& frame_entry(Address re_frame, int frame_offset) {
-@@ -1310,7 +1316,8 @@ static T* frame_entry_address(Address re_frame, int frame_offset) {
-
- int RegExpMacroAssemblerX64::CheckStackGuardState(Address* return_address,
- Address raw_code,
-- Address re_frame) {
-+ Address re_frame,
-+ uintptr_t extra_space) {
- InstructionStream re_code = InstructionStream::cast(Object(raw_code));
- return NativeRegExpMacroAssembler::CheckStackGuardState(
- frame_entry<Isolate*>(re_frame, kIsolateOffset),
-@@ -1320,7 +1327,8 @@ int RegExpMacroAssemblerX64::CheckStackGuardState(Address* return_address,
- return_address, re_code,
- frame_entry_address<Address>(re_frame, kInputStringOffset),
- frame_entry_address<const byte*>(re_frame, kInputStartOffset),
-- frame_entry_address<const byte*>(re_frame, kInputEndOffset));
-+ frame_entry_address<const byte*>(re_frame, kInputEndOffset),
-+ extra_space);
- }
-
-
-diff --git a/chromium/v8/src/regexp/x64/regexp-macro-assembler-x64.h b/chromium/v8/src/regexp/x64/regexp-macro-assembler-x64.h
-index bfe8290a19c..85dacfddf6a 100644
---- src/3rdparty/chromium/v8/src/regexp/x64/regexp-macro-assembler-x64.h
-+++ src/3rdparty/chromium/v8/src/regexp/x64/regexp-macro-assembler-x64.h
-@@ -88,7 +88,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerX64
- // returning.
- // {raw_code} is an Address because this is called via ExternalReference.
- static int CheckStackGuardState(Address* return_address, Address raw_code,
-- Address re_frame);
-+ Address re_frame, uintptr_t extra_space);
-
- private:
- // Offsets from rbp of function parameters and stored registers.
-@@ -198,7 +198,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerX64
- // Check whether we are exceeding the stack limit on the backtrack stack.
- void CheckStackLimit();
-
-- void CallCheckStackGuardState();
-+ void CallCheckStackGuardState(Immediate extra_space = Immediate(0));
- void CallIsCharacterInRangeArray(const ZoneList<CharacterRange>* ranges);
-
- // The rbp-relative location of a regexp register.
-From b2748c8718a07d0bfbfcdde10866c43c1708676e Mon Sep 17 00:00:00 2001
-From: Lu Yahan <yahan@iscas.ac.cn>
-Date: Wed, 25 Oct 2023 10:44:00 +0800
-Subject: [PATCH] [Backport] Security bug 1488199 (2/3)
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/v8/v8/+/4975715:
-[riscv][regexp] Fix stack check in native code when interrupt was requested
-
-Port commit 7f1aaf2a1c763c8aa1358ec8ed24f39bfa17b767
-
-Bug: chromium:1488199
-
-Change-Id: I6b2567267cee0b30230b2e42b8606188011b4463
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4975715
-Auto-Submit: Yahan Lu <yahan@iscas.ac.cn>
-Commit-Queue: Yahan Lu <yahan@iscas.ac.cn>
-Commit-Queue: Ji Qiu <qiuji@iscas.ac.cn>
-Reviewed-by: Ji Qiu <qiuji@iscas.ac.cn>
-Cr-Commit-Position: refs/heads/main@{#90597}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/523713
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../regexp/riscv/regexp-macro-assembler-riscv.cc | 15 ++++++++++-----
- .../regexp/riscv/regexp-macro-assembler-riscv.h | 5 +++--
- 2 files changed, 13 insertions(+), 7 deletions(-)
-
-diff --git a/chromium/v8/src/regexp/riscv/regexp-macro-assembler-riscv.cc b/chromium/v8/src/regexp/riscv/regexp-macro-assembler-riscv.cc
-index 5bf630d6200..30337c75978 100644
---- src/3rdparty/chromium/v8/src/regexp/riscv/regexp-macro-assembler-riscv.cc
-+++ src/3rdparty/chromium/v8/src/regexp/riscv/regexp-macro-assembler-riscv.cc
-@@ -732,18 +732,19 @@ Handle<HeapObject> RegExpMacroAssemblerRISCV::GetCode(Handle<String> source) {
- __ li(a0, Operand(stack_limit));
- __ LoadWord(a0, MemOperand(a0));
- __ SubWord(a0, sp, a0);
-+ Operand extra_space_for_variables(num_registers_ *
kSystemPointerSize);
- // Handle it if the stack pointer is already below the stack limit.
- __ Branch(&stack_limit_hit, le, a0, Operand(zero_reg));
- // Check if there is room for the variable number of registers above
- // the stack limit.
-- __ Branch(&stack_ok, uge, a0, Operand(num_registers_ * kPointerSize));
-+ __ Branch(&stack_ok, uge, a0, extra_space_for_variables);
- // Exit with OutOfMemory exception. There is not enough space on the stack
- // for our working registers.
- __ li(a0, Operand(EXCEPTION));
- __ jmp(&return_a0);
-
- __ bind(&stack_limit_hit);
-- CallCheckStackGuardState(a0);
-+ CallCheckStackGuardState(a0, extra_space_for_variables);
- // If returned value is non-zero, we exit with the returned value as
- // result.
- __ Branch(&return_a0, ne, a0, Operand(zero_reg));
-@@ -1142,7 +1143,8 @@ bool RegExpMacroAssemblerRISCV::CanReadUnaligned() const { return false; }
- #endif
- // Private methods:
-
--void RegExpMacroAssemblerRISCV::CallCheckStackGuardState(Register scratch) {
-+void RegExpMacroAssemblerRISCV::CallCheckStackGuardState(Register scratch,
-+ Operand extra_space) {
- DCHECK(!isolate()->IsGeneratingEmbeddedBuiltins());
- DCHECK(!masm_->options().isolate_independent_code);
-
-@@ -1155,6 +1157,7 @@ void RegExpMacroAssemblerRISCV::CallCheckStackGuardState(Register scratch) {
- __ And(sp, sp, Operand(-stack_alignment));
- __ StoreWord(scratch, MemOperand(sp));
-
-+ __ li(a3, extra_space);
- __ mv(a2, frame_pointer());
- // InstructionStream of self.
- __ li(a1, Operand(masm_->CodeObject()), CONSTANT_SIZE);
-@@ -1215,7 +1218,8 @@ static T* frame_entry_address(Address re_frame, int frame_offset) {
-
- int64_t RegExpMacroAssemblerRISCV::CheckStackGuardState(Address* return_address,
- Address raw_code,
-- Address re_frame) {
-+ Address re_frame,
-+ uintptr_t extra_space) {
- InstructionStream re_code = InstructionStream::cast(Object(raw_code));
- return NativeRegExpMacroAssembler::CheckStackGuardState(
- frame_entry<Isolate*>(re_frame, kIsolateOffset),
-@@ -1225,7 +1229,8 @@ int64_t RegExpMacroAssemblerRISCV::CheckStackGuardState(Address* return_address,
- return_address, re_code,
- frame_entry_address<Address>(re_frame, kInputStringOffset),
- frame_entry_address<const byte*>(re_frame, kInputStartOffset),
-- frame_entry_address<const byte*>(re_frame, kInputEndOffset));
-+ frame_entry_address<const byte*>(re_frame, kInputEndOffset),
-+ extra_space);
- }
-
- MemOperand RegExpMacroAssemblerRISCV::register_location(int register_index) {
-diff --git a/chromium/v8/src/regexp/riscv/regexp-macro-assembler-riscv.h b/chromium/v8/src/regexp/riscv/regexp-macro-assembler-riscv.h
-index 90a1d314cc7..aa45a531b85 100644
----- src/3rdparty/chromium/v8/src/regexp/riscv/regexp-macro-assembler-riscv.h
-+++ src/3rdparty/chromium/v8/src/regexp/riscv/regexp-macro-assembler-riscv.h
-@@ -91,7 +91,7 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerRISCV
- // returning.
- // {raw_code} is an Address because this is called via ExternalReference.
- static int64_t CheckStackGuardState(Address* return_address, Address raw_code,
-- Address re_frame);
-+ Address re_frame, uintptr_t extra_space);
-
- void print_regexp_frame_constants();
-
-@@ -165,7 +165,8 @@ class V8_EXPORT_PRIVATE RegExpMacroAssemblerRISCV
- // Check whether we are exceeding the stack limit on the backtrack stack.
- void CheckStackLimit();
-
-- void CallCheckStackGuardState(Register scratch);
-+ void CallCheckStackGuardState(Register scratch,
-+ Operand extra_space_for_variables = Operand(0));
- void CallIsCharacterInRangeArray(const ZoneList<CharacterRange>* ranges);
-
- // The ebp-relative location of a regexp register.
-From c660893ad341e4d5a81ddaf8b23dadcb6cd51660 Mon Sep 17 00:00:00 2001
-From: pthier <pthier@chromium.org>
-Date: Mon, 30 Oct 2023 11:59:09 +0100
-Subject: [PATCH] [Backport] Security bug 1488199 (3/3)
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/v8/v8/+/4987306:
-[regexp][arm64] Fix stack check extra space argument
-
-Pass argument in register instead of the stack.
-
-Bug: chromium:1488199, v8:14415
-Change-Id: Ic9967c9f2ca5da1981a0138ddb5f0335ab7f1425
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4987306
-Commit-Queue: Patrick Thier <pthier@chromium.org>
-Reviewed-by: Camillo Bruni <cbruni@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#90669}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/523714
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../v8/src/regexp/arm64/regexp-macro-assembler-arm64.cc | 9 ++++-----
- 1 file changed, 4 insertions(+), 5 deletions(-)
-
-diff --git a/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.cc b/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.cc
-index e8d48236621..dd3f047ffc4 100644
----- src/3rdparty/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.cc
-+++ src/3rdparty/chromium/v8/src/regexp/arm64/regexp-macro-assembler-arm64.cc
-@@ -1469,17 +1469,16 @@ void RegExpMacroAssemblerARM64::CallCheckStackGuardState(Register scratch,
-
- // Allocate space on the stack to store the return address. The
- // CheckStackGuardState C++ function will override it if the code
-- // moved. Allocate extra space for 3 arguments (2 for input start/end and 1
-- // for gap).
AAPCS64 requires the stack to be 16 byte aligned.
-+ // moved. Allocate extra space for 2 arguments passed by pointers.
-+ // AAPCS64 requires the stack to be 16 byte aligned.
- int alignment = masm_->ActivationFrameAlignment();
- DCHECK_EQ(alignment % 16, 0);
- int align_mask = (alignment / kXRegSize) - 1;
-- int xreg_to_claim = (4 + align_mask) & ~align_mask;
-+ int xreg_to_claim = (3 + align_mask) & ~align_mask;
-
- __ Claim(xreg_to_claim);
-
-- __ Mov(x0, extra_space);
-- __ Poke(x0, 3 * kSystemPointerSize);
-+ __ Mov(x6, extra_space);
- // CheckStackGuardState needs the end and start addresses of the input string.
- __ Poke(input_end(), 2 * kSystemPointerSize);
- __ Add(x5, sp, 2 * kSystemPointerSize);
-From 243fab4932e66121061ada4bb4724ed341c6622e Mon Sep 17 00:00:00 2001
-From: Gustaf Ullberg <gustaf@chromium.org>
-Date: Tue, 19 Dec 2023 18:08:19 +0000
-Subject: [PATCH] [Backport] CVE-2023-7024: Heap buffer overflow in WebRTC
-
-Cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5136295:
-WebRtcAudioSink: Stop on invalid configuration
-
-Bug: 1513170
-Change-Id: Ia4ca55e9eafb81789b28b8b8c54e615ac28df633
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5136295
-Reviewed-by: Harald Alvestrand <hta@chromium.org>
-Commit-Queue: Gustaf Ullberg <gustaf@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1239233}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530064
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../blink/renderer/platform/peerconnection/webrtc_audio_sink.cc | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/chromium/third_party/blink/renderer/platform/peerconnection/webrtc_audio_sink.cc b/chromium/third_party/blink/renderer/platform/peerconnection/webrtc_audio_sink.cc
-index cd9f2edbf6e..209a2277056 100644
----- src/3rdparty/chromium/third_party/blink/renderer/platform/peerconnection/webrtc_audio_sink.cc
-+++
src/3rdparty/chromium/third_party/blink/renderer/platform/peerconnection/webrtc_audio_sink.cc
-@@ -121,7 +121,7 @@ void WebRtcAudioSink::OnData(const media::AudioBus& audio_bus,
- }
-
- void WebRtcAudioSink::OnSetFormat(const media::AudioParameters& params) {
-- DCHECK(params.IsValid());
-+ CHECK(params.IsValid());
- SendLogMessage(base::StringPrintf("OnSetFormat([label=%s] {params=[%s]})",
- adapter_->label().c_str(),
- params.AsHumanReadableString().c_str()));
-From 6027a6d13bd29c144d3340d997dac822f625086e Mon Sep 17 00:00:00 2001
-From: Joshua Pawlicki <waffles@chromium.org>
-Date: Wed, 20 Dec 2023 22:33:06 +0000
-Subject: [PATCH] [Backport] CVE-2024-0333: Insufficient data validation in
- Extensions
-
-Cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5141787:
-crx_file: Error early for CRXs with ZIP markers in header.
-
-Bug: 1513379
-Change-Id: I029b4f15778df0c150866b1f49a9b5b2924690ed
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5141787
-Commit-Queue: Joshua Pawlicki <waffles@chromium.org>
-Auto-Submit: Joshua Pawlicki <waffles@chromium.org>
-Code-Coverage: findit-for-me@appspot.gserviceaccount.com <findit-for-me@appspot.gserviceaccount.com>
-Commit-Queue: Sorin Jianu <sorin@chromium.org>
-Reviewed-by: Sorin Jianu <sorin@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1239849}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530065
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- chromium/components/crx_file/crx_verifier.cc | 16 ++++++++++++++++
- 1 file changed, 16 insertions(+)
-
-diff --git a/chromium/components/crx_file/crx_verifier.cc b/chromium/components/crx_file/crx_verifier.cc
-index 2378aa5a951..cf038c50bdb 100644
----- src/3rdparty/chromium/components/crx_file/crx_verifier.cc
-+++ src/3rdparty/chromium/components/crx_file/crx_verifier.cc
-@@ -4,6 +4,7 @@
-
- #include "components/crx_file/crx_verifier.h"
-
-+#include <algorithm>
-
#include <climits>
- #include <cstring>
- #include <iterator>
-@@ -43,6 +44,9 @@ constexpr uint8_t kPublisherTestKeyHash[] = {
- 0x5f, 0x64, 0xf3, 0xa6, 0x17, 0x03, 0x0d, 0xde, 0x21, 0x61, 0xbe,
- 0xb7, 0x95, 0x91, 0x95, 0x83, 0x68, 0x12, 0xe9, 0x78, 0x1e};
-
-+constexpr uint8_t kEocd[] = {'P', 'K', 0x05, 0x06};
-+constexpr uint8_t kEocd64[] = {'P', 'K', 0x06, 0x07};
-+
- using VerifierCollection =
- std::vector<std::unique_ptr<crypto::SignatureVerifier>>;
- using RepeatedProof = google::protobuf::RepeatedPtrField<AsymmetricKeyProof>;
-@@ -109,6 +113,18 @@ VerifierResult VerifyCrx3(
- header_size) {
- return VerifierResult::ERROR_HEADER_INVALID;
- }
-+
-+ // If the header contains a ZIP EOCD or EOCD64 token, unzipping may not work
-+ // correctly.
-+ if (std::search(std::begin(header_bytes), std::end(header_bytes),
-+ std::begin(kEocd),
-+ std::end(kEocd)) != std::end(header_bytes) ||
-+ std::search(std::begin(header_bytes), std::end(header_bytes),
-+ std::begin(kEocd64),
-+ std::end(kEocd64)) != std::end(header_bytes)) {
-+ return VerifierResult::ERROR_HEADER_INVALID;
-+ }
-+
- CrxFileHeader header;
- if (!header.ParseFromArray(header_bytes.data(), header_size))
- return VerifierResult::ERROR_HEADER_INVALID;
-From 70667dfeaa0cac885821a5fd1479502ff02c78ae Mon Sep 17 00:00:00 2001
-From: Austin Eng <enga@chromium.org>
-Date: Tue, 19 Dec 2023 17:25:51 +0000
-Subject: [PATCH] [Backport] CVE-2024-0225: Use after free in WebGPU
-
-Cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5133239:
-Use cross thread handles to bind args for async webgpu context creation
-
-(cherry picked from commit 542b278a0c1de7202f4bf5e3e5cbdc2dd6c337d4)
-
-Fixed: 1506923
-Change-Id: I174703cbd993471e3afb39c0cfa4cce2770755f7
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5113019
-Reviewed-by: Corentin Wallez <cwallez@chromium.org>
-Commit-Queue: Austin Eng <enga@chromium.org>
-Reviewed-by: Stephen White
<senorblanco@chromium.org>
-Cr-Original-Commit-Position: refs/heads/main@{#1237179}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5133239
-Cr-Commit-Position: refs/branch-heads/6099@{#1551}
-Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530066
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../blink/renderer/modules/webgpu/gpu.cc | 19 ++++++++++++++++---
- .../web_graphics_context_3d_provider_util.cc | 7 +++----
- .../web_graphics_context_3d_provider_util.h | 5 +++--
- 3 files changed, 22 insertions(+), 9 deletions(-)
-
-diff --git a/chromium/third_party/blink/renderer/modules/webgpu/gpu.cc b/chromium/third_party/blink/renderer/modules/webgpu/gpu.cc
-index df95fe1d397..273c874affb 100644
----- src/3rdparty/chromium/third_party/blink/renderer/modules/webgpu/gpu.cc
-+++ src/3rdparty/chromium/third_party/blink/renderer/modules/webgpu/gpu.cc
-@@ -35,11 +35,13 @@
- #include "third_party/blink/renderer/platform/graphics/gpu/dawn_control_client_holder.h"
- #include "third_party/blink/renderer/platform/graphics/gpu/webgpu_callback.h"
- #include "third_party/blink/renderer/platform/graphics/web_graphics_context_3d_provider_util.h"
-+#include "third_party/blink/renderer/platform/heap/cross_thread_handle.h"
- #include "third_party/blink/renderer/platform/heap/garbage_collected.h"
- #include "third_party/blink/renderer/platform/heap/thread_state.h"
- #include "third_party/blink/renderer/platform/instrumentation/use_counter.h"
- #include "third_party/blink/renderer/platform/privacy_budget/identifiability_digest_helpers.h"
- #include "third_party/blink/renderer/platform/weborigin/kurl.h"
-+#include "third_party/blink/renderer/platform/wtf/cross_thread_functional.h"
-
- namespace blink {
-
-@@ -288,9 +290,19 @@ void GPU::RequestAdapterImpl(ScriptState* script_state,
- CreateWebGPUGraphicsContext3DProviderAsync(
-
execution_context->Url(),
- execution_context->GetTaskRunner(TaskType::kWebGPU),
-- WTF::BindOnce(
-- [](GPU* gpu, ExecutionContext* execution_context,
-+ CrossThreadBindOnce(
-+ [](CrossThreadHandle<GPU> gpu_handle,
-+ CrossThreadHandle<ExecutionContext> execution_context_handle,
- std::unique_ptr<WebGraphicsContext3DProvider> context_provider) {
-+ auto unwrap_gpu = MakeUnwrappingCrossThreadHandle(gpu_handle);
-+ auto unwrap_execution_context =
-+ MakeUnwrappingCrossThreadHandle(execution_context_handle);
-+ if (!unwrap_gpu || !unwrap_execution_context) {
-+ return;
-+ }
-+ auto* gpu = unwrap_gpu.GetOnCreationThread();
-+ auto* execution_context =
-+ unwrap_execution_context.GetOnCreationThread();
- const KURL& url = execution_context->Url();
- context_provider =
- CheckContextProvider(url, std::move(context_provider));
-@@ -312,7 +324,8 @@ void GPU::RequestAdapterImpl(ScriptState* script_state,
- std::move(callback).Run();
- }
- },
-- WrapPersistent(this), WrapPersistent(execution_context)));
-+ MakeCrossThreadHandle(this),
-+ MakeCrossThreadHandle(execution_context)));
- return;
- }
-
-diff --git a/chromium/third_party/blink/renderer/platform/graphics/web_graphics_context_3d_provider_util.cc b/chromium/third_party/blink/renderer/platform/graphics/web_graphics_context_3d_provider_util.cc
-index f859f3e62c5..3d9890b9b4a 100644
----- src/3rdparty/chromium/third_party/blink/renderer/platform/graphics/web_graphics_context_3d_provider_util.cc
-+++ src/3rdparty/chromium/third_party/blink/renderer/platform/graphics/web_graphics_context_3d_provider_util.cc
-@@ -121,8 +121,8 @@ CreateWebGPUGraphicsContext3DProvider(const KURL& url) {
- void CreateWebGPUGraphicsContext3DProviderAsync(
- const KURL& url,
- scoped_refptr<base::SingleThreadTaskRunner> current_thread_task_runner,
-- base::OnceCallback<void(std::unique_ptr<WebGraphicsContext3DProvider>)>
-- callback) {
-+ WTF::CrossThreadOnceFunction<
-+ void(std::unique_ptr<WebGraphicsContext3DProvider>)> callback) {
- if
(IsMainThread()) {
- std::move(callback).Run(
- Platform::Current()->CreateWebGPUGraphicsContext3DProvider(url));
-@@ -140,8 +140,7 @@ void CreateWebGPUGraphicsContext3DProviderAsync(
- AccessMainThreadForWebGraphicsContext3DProvider()),
- FROM_HERE,
- CrossThreadBindOnce(&CreateWebGPUGraphicsContextOnMainThreadAsync, url,
-- current_thread_task_runner,
-- CrossThreadBindOnce(std::move(callback))));
-+ current_thread_task_runner, std::move(callback)));
- }
- }
-
-diff --git a/chromium/third_party/blink/renderer/platform/graphics/web_graphics_context_3d_provider_util.h b/chromium/third_party/blink/renderer/platform/graphics/web_graphics_context_3d_provider_util.h
-index 8fcab24bfec..8b785cc30ac 100644
----- src/3rdparty/chromium/third_party/blink/renderer/platform/graphics/web_graphics_context_3d_provider_util.h
-+++ src/3rdparty/chromium/third_party/blink/renderer/platform/graphics/web_graphics_context_3d_provider_util.h
-@@ -10,6 +10,7 @@
- #include "third_party/blink/public/platform/web_graphics_context_3d_provider.h"
- #include "third_party/blink/renderer/platform/platform_export.h"
- #include "third_party/blink/renderer/platform/weborigin/kurl.h"
-+#include "third_party/blink/renderer/platform/wtf/functional.h"
-
- namespace blink {
-
-@@ -42,8 +43,8 @@ CreateWebGPUGraphicsContext3DProvider(const KURL& url);
- PLATFORM_EXPORT void CreateWebGPUGraphicsContext3DProviderAsync(
- const KURL& url,
- scoped_refptr<base::SingleThreadTaskRunner> current_thread_task_runner,
-- base::OnceCallback<void(std::unique_ptr<WebGraphicsContext3DProvider>)>
-- callback);
-+ WTF::CrossThreadOnceFunction<
-+ void(std::unique_ptr<WebGraphicsContext3DProvider>)> callback);
-
- } // namespace blink
-
-From a3d7e657936027aa3f3a257d3afd525c81c152f0 Mon Sep 17 00:00:00 2001
-From: Hongchan Choi <hongchan@chromium.org>
-Date: Tue, 12 Dec 2023 02:36:08 +0000
-Subject: [PATCH] [Backport] CVE-2024-0224: Use after free in WebAudio
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5112992:
-Wrap buffer read index in delay kernel
-
-The current code assumes that the first buffer read index in the delay
-kernel does not go out of bound. This CL applies the wrapping function
-to the read index array.
-
-(cherry picked from commit fb96fd5f41bec823dbb208d9a7d53fbbf4d16ce4)
-
-Bug: 1505086
-Test: Locally confirmed the repro does not crash anymore
-Change-Id: Idca3dfc7dec5b5a7f9b22d87135e2d775729631a
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5072113
-Commit-Queue: Hongchan Choi <hongchan@chromium.org>
-Reviewed-by: Michael Wilson <mjwilson@chromium.org>
-Cr-Original-Commit-Position: refs/heads/main@{#1231040}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5112992
-Auto-Submit: Hongchan Choi <hongchan@chromium.org>
-Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
-Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
-Cr-Commit-Position: refs/branch-heads/6099@{#1498}
-Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530067
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../renderer/platform/audio/audio_delay_dsp_kernel.cc | 2 +-
- .../audio/cpu/arm/audio_delay_dsp_kernel_neon.cc | 7 +++++--
- .../audio/cpu/x86/audio_delay_dsp_kernel_sse2.cc | 10 +++++++---
- 3 files changed, 13 insertions(+), 6 deletions(-)
-
-diff --git a/chromium/third_party/blink/renderer/platform/audio/audio_delay_dsp_kernel.cc b/chromium/third_party/blink/renderer/platform/audio/audio_delay_dsp_kernel.cc
-index b6613ff3df7b..2e17efd95802 100644
----- src/3rdparty/chromium/third_party/blink/renderer/platform/audio/audio_delay_dsp_kernel.cc
-+++ src/3rdparty/chromium/third_party/blink/renderer/platform/audio/audio_delay_dsp_kernel.cc
-@@ -155,7 +155,7 @@ int
AudioDelayDSPKernel::ProcessARateScalar(unsigned start,
- const float* delay_times = delay_times_.Data();
-
- for (unsigned i = start; i < frames_to_process; ++i) {
-- double delay_time = delay_times[i];
-+ double delay_time = std::fmax(delay_times[i], 0);
- double desired_delay_frames = delay_time * sample_rate;
-
- double read_position = w_index + buffer_length - desired_delay_frames;
-diff --git a/chromium/third_party/blink/renderer/platform/audio/cpu/arm/audio_delay_dsp_kernel_neon.cc b/chromium/third_party/blink/renderer/platform/audio/cpu/arm/audio_delay_dsp_kernel_neon.cc
-index e3c6fd5eb064..8bf0d2a57305 100644
----- src/3rdparty/chromium/third_party/blink/renderer/platform/audio/cpu/arm/audio_delay_dsp_kernel_neon.cc
-+++ src/3rdparty/chromium/third_party/blink/renderer/platform/audio/cpu/arm/audio_delay_dsp_kernel_neon.cc
-@@ -60,6 +60,7 @@ std::tuple<unsigned, int> AudioDelayDSPKernel::ProcessARateVector(
- int w_index = write_index_;
-
- const float32x4_t v_sample_rate = vdupq_n_f32(sample_rate);
-+ const float32x4_t v_all_zeros = vdupq_n_f32(0);
-
- // The buffer length as a float and as an int so we don't need to constant
- // convert from one to the other.
-@@ -87,7 +88,8 @@ std::tuple<unsigned, int> AudioDelayDSPKernel::ProcessARateVector(
- int k = 0;
-
- for (int n = 0; n < number_of_loops; ++n, k += 4) {
-- const float32x4_t v_delay_time = vld1q_f32(delay_times + k);
-+ const float32x4_t v_delay_time = vmaxq_f32(vld1q_f32(delay_times + k),
-+ v_all_zeros);
- const float32x4_t v_desired_delay_frames =
- vmulq_f32(v_delay_time, v_sample_rate);
-
-@@ -100,7 +102,8 @@ std::tuple<unsigned, int> AudioDelayDSPKernel::ProcessARateVector(
- WrapPositionVector(v_read_position, v_buffer_length_float);
-
- // Get indices into the buffer for the samples we need for interpolation.
-- const int32x4_t v_read_index1 = vcvtq_s32_f32(v_read_position);
-+ const int32x4_t v_read_index1 = WrapIndexVector(
-+ vcvtq_s32_f32(v_read_position), v_buffer_length_int);
- const int32x4_t v_read_index2 = WrapIndexVector(
- vaddq_s32(v_read_index1, vdupq_n_s32(1)), v_buffer_length_int);
-
-diff --git a/chromium/third_party/blink/renderer/platform/audio/cpu/x86/audio_delay_dsp_kernel_sse2.cc b/chromium/third_party/blink/renderer/platform/audio/cpu/x86/audio_delay_dsp_kernel_sse2.cc
-index fc409b192d62..c2443da23e55 100644
----- src/3rdparty/chromium/third_party/blink/renderer/platform/audio/cpu/x86/audio_delay_dsp_kernel_sse2.cc
-+++ src/3rdparty/chromium/third_party/blink/renderer/platform/audio/cpu/x86/audio_delay_dsp_kernel_sse2.cc
-@@ -58,10 +58,10 @@ std::tuple<unsigned, int> AudioDelayDSPKernel::ProcessARateVector(
-
- const float sample_rate = SampleRate();
- const float* delay_times = delay_times_.Data();
--
- int w_index = write_index_;
-
- const __m128 v_sample_rate = _mm_set1_ps(sample_rate);
-+ const __m128 v_all_zeros = _mm_setzero_ps();
-
- // The buffer length as a float and as an int so we don't need to constant
- // convert from one to the other.
-@@ -84,7 +84,10 @@ std::tuple<unsigned, int> AudioDelayDSPKernel::ProcessARateVector(
- int k = 0;
-
- for (int n = 0; n < number_of_loops; ++n, k += 4) {
-- const __m128 v_delay_time = _mm_loadu_ps(delay_times + k);
-+ // It's possible that `delay_time` contains negative values. Make sure
-+ // they are greater than zero.
-+ const __m128 v_delay_time = _mm_max_ps(_mm_loadu_ps(delay_times + k),
-+ v_all_zeros);
- const __m128 v_desired_delay_frames =
- _mm_mul_ps(v_delay_time, v_sample_rate);
-
-@@ -97,7 +100,8 @@ std::tuple<unsigned, int> AudioDelayDSPKernel::ProcessARateVector(
- WrapPositionVector(v_read_position, v_buffer_length_float);
-
- // Get indices into the buffer for the samples we need for interpolation.
-- const __m128i v_read_index1 = _mm_cvttps_epi32(v_read_position);
-+ const __m128i v_read_index1 = WrapIndexVector(
-+ _mm_cvttps_epi32(v_read_position), v_buffer_length_int);
- const __m128i v_read_index2 = WrapIndexVector(
- _mm_add_epi32(v_read_index1, _mm_set1_epi32(1)), v_buffer_length_int);
-
-From 4d4242d5d572e9427465e1833a711f50d4e30973 Mon Sep 17 00:00:00 2001
-From: Shahbaz Youssefi <syoussefi@chromium.org>
-Date: Thu, 30 Nov 2023 13:53:00 -0500
-Subject: [PATCH] [Backport] CVE-2024-0223: Heap buffer overflow in ANGLE (1/3)
-
-Cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/angle/angle/+/5077407:
-Translator: Optimize field-name-collision check
-
-As each field of the struct was encountered, its name was linearly
-checked against previously added fields. That's O(n^2).
-
-The name collision check is now moved to when the struct is completely
-defined, and is done with an unordered_map.
-
-Bug: chromium:1505009
-Change-Id: If28d738254a541450912eba4ed168424dad9d8be
-Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5077407
-Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
-Reviewed-by: Roman Lavrov <romanl@google.com>
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530069
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../src/compiler/translator/ParseContext.cpp | 39 +++++++++----------
- .../src/compiler/translator/ParseContext.h | 5 +--
- 2 files changed, 20 insertions(+), 24 deletions(-)
-
-diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
-index b3d90a1a279..638cea22976 100644
----- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
-+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
-@@ -4665,6 +4665,9 @@ TIntermDeclaration *TParseContext::addInterfaceBlock(
- const TVector<unsigned
int> *arraySizes,
- const TSourceLoc &arraySizesLine)
- {
-+ // Ensure there are no duplicate field names
-+ checkDoesNotHaveDuplicateFieldNames(fieldList, nameLine);
-+
- const bool isGLPerVertex = blockName == "gl_PerVertex";
- // gl_PerVertex is allowed to be redefined and therefore not reserved
- if (!isGLPerVertex)
-@@ -6172,28 +6175,25 @@ TDeclarator *TParseContext::parseStructArrayDeclarator(const ImmutableString &id
- return new TDeclarator(identifier, arraySizes, loc);
- }
-
--void TParseContext::checkDoesNotHaveDuplicateFieldName(const TFieldList::const_iterator begin,
-- const TFieldList::const_iterator end,
-- const ImmutableString &name,
-- const TSourceLoc &location)
-+void TParseContext::checkDoesNotHaveDuplicateFieldNames(const TFieldList *fields,
-+ const TSourceLoc &location)
- {
-- for (auto fieldIter = begin; fieldIter != end; ++fieldIter)
-+ TUnorderedMap<ImmutableString, uint32_t, ImmutableString::FowlerNollVoHash<sizeof(size_t)>>
-+ fieldNames;
-+ for (TField *field : *fields)
- {
-- if ((*fieldIter)->name() == name)
-+ // Note: operator[] adds this name to the map if it doesn't already exist, and initializes
-+ // its value to 0.
-+ uint32_t count = ++fieldNames[field->name()];
-+ if (count != 1)
- {
-- error(location, "duplicate field name in structure", name);
-+ error(location, "Duplicate field name in structure", field->name());
- }
- }
- }
-
- TFieldList *TParseContext::addStructFieldList(TFieldList *fields, const TSourceLoc &location)
- {
-- for (TFieldList::const_iterator fieldIter = fields->begin(); fieldIter != fields->end();
-- ++fieldIter)
-- {
-- checkDoesNotHaveDuplicateFieldName(fields->begin(), fieldIter, (*fieldIter)->name(),
-- location);
-- }
- return fields;
- }
-
-@@ -6201,12 +6201,8 @@ TFieldList *TParseContext::combineStructFieldLists(TFieldList *processedFields,
- const TFieldList *newlyAddedFields,
- const TSourceLoc &location)
- {
-- for (TField *field : *newlyAddedFields)
-- {
-- checkDoesNotHaveDuplicateFieldName(processedFields->begin(), processedFields->end(),
-- field->name(), location);
-- processedFields->push_back(field);
-- }
-+ processedFields->insert(processedFields->end(), newlyAddedFields->begin(),
-+ newlyAddedFields->end());
- return processedFields;
- }
-
-@@ -6299,7 +6295,10 @@ TTypeSpecifierNonArray TParseContext::addStructure(const TSourceLoc &structLine,
- }
- }
-
-- // ensure we do not specify any storage qualifiers on the struct members
-+ // Ensure there are no duplicate field names
-+ checkDoesNotHaveDuplicateFieldNames(fieldList, structLine);
-+
-+ // Ensure we do not specify any storage qualifiers on the struct members
- for (unsigned int typeListIndex = 0; typeListIndex < fieldList->size(); typeListIndex++)
- {
- TField &field = *(*fieldList)[typeListIndex];
-diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.h b/chromium/third_party/angle/src/compiler/translator/ParseContext.h
-index ee0cebe4f00..ca8dab269d6 100644
----- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.h
-+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.h
-@@ -354,10 +354,7 @@ class
TParseContext : angle::NonCopyable
- const TSourceLoc &loc,
- const TVector<unsigned int> *arraySizes);
-
-- void checkDoesNotHaveDuplicateFieldName(const TFieldList::const_iterator begin,
-- const TFieldList::const_iterator end,
-- const ImmutableString &name,
-- const TSourceLoc &location);
-+ void checkDoesNotHaveDuplicateFieldNames(const TFieldList *fields, const TSourceLoc &location);
- TFieldList *addStructFieldList(TFieldList *fields, const TSourceLoc &location);
- TFieldList *combineStructFieldLists(TFieldList *processedFields,
- const TFieldList *newlyAddedFields,
-From d0b3ab561418251a16c18ef5eba488294a209848 Mon Sep 17 00:00:00 2001
-From: Shahbaz Youssefi <syoussefi@chromium.org>
-Date: Thu, 30 Nov 2023 14:12:42 -0500
-Subject: [PATCH] [Backport] CVE-2024-0223: Heap buffer overflow in ANGLE (2/3)
-
-Cherry-pick of patch originally reviewed pn
-https://chromium-review.googlesource.com/c/angle/angle/+/5074629:
-Translator: Fail compilation if too many struct fields
-
-If there are too many struct fields, SPIR-V cannot be produced (as it
-has a hard limit of 16383 fields). The Nvidia GL driver has also been
-observed to fail when there are too many fields.
-
-Bug: chromium:1505009
-Change-Id: If9b01716c1cab35a6e537da64421e29fe0eda91e
-Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5074629
-Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
-Reviewed-by: Roman Lavrov <romanl@google.com>
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530070
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../src/compiler/translator/ParseContext.cpp | 19 +++++++++++++++++++
- .../src/compiler/translator/ParseContext.h | 3 +++
- 2 files changed, 22 insertions(+)
-
-diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp b/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
-index 638cea22976..5a4352b51ae 100644
----- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
-+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.cpp
-@@ -4665,6 +4665,8 @@ TIntermDeclaration *TParseContext::addInterfaceBlock(
- const TVector<unsigned int> *arraySizes,
- const TSourceLoc &arraySizesLine)
- {
-+ checkDoesNotHaveTooManyFields(blockName, fieldList, nameLine);
-+
- // Ensure there are no duplicate field names
- checkDoesNotHaveDuplicateFieldNames(fieldList, nameLine);
-
-@@ -6192,6 +6194,21 @@ void TParseContext::checkDoesNotHaveDuplicateFieldNames(const TFieldList *fields
- }
- }
-
-+void TParseContext::checkDoesNotHaveTooManyFields(const ImmutableString &name,
-+ const TFieldList *fields,
-+ const TSourceLoc &location)
-+{
-+ // Check that there are not too many fields. SPIR-V has a limit of 16383 fields, and it would
-+ // be reasonable to apply that limit to all outputs. For example, it was observed that 32768
-+ // fields cause the Nvidia GL driver to fail compilation, so such a limit is not too specific to
-+ // SPIR-V.
-+ constexpr size_t kMaxFieldCount = 16383;
-+ if (fields->size() > kMaxFieldCount)
-+ {
-+ error(location, "Too many fields in the struct (limit is 16383)", name);
-+ }
-+}
-+
- TFieldList *TParseContext::addStructFieldList(TFieldList *fields, const TSourceLoc &location)
- {
- return fields;
-@@ -6295,6 +6312,8 @@ TTypeSpecifierNonArray TParseContext::addStructure(const TSourceLoc &structLine,
- }
- }
-
-+ checkDoesNotHaveTooManyFields(structName, fieldList, structLine);
-+
- // Ensure there are no duplicate field names
- checkDoesNotHaveDuplicateFieldNames(fieldList, structLine);
-
-diff --git a/chromium/third_party/angle/src/compiler/translator/ParseContext.h b/chromium/third_party/angle/src/compiler/translator/ParseContext.h
-index ca8dab269d6..dca714a9e3d 100644
----- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.h
-+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ParseContext.h
-@@ -355,6 +355,9 @@ class TParseContext : angle::NonCopyable
- const TVector<unsigned int> *arraySizes);
-
- void checkDoesNotHaveDuplicateFieldNames(const TFieldList *fields, const TSourceLoc &location);
-+ void checkDoesNotHaveTooManyFields(const ImmutableString &name,
-+ const TFieldList *fields,
-+ const TSourceLoc &location);
- TFieldList *addStructFieldList(TFieldList *fields, const TSourceLoc &location);
- TFieldList *combineStructFieldLists(TFieldList *processedFields,
- const TFieldList *newlyAddedFields,
-From fda3dd792d69ae6697fd63bebebd280a6c2aedd4 Mon Sep 17 00:00:00 2001
-From: Shahbaz Youssefi <syoussefi@chromium.org>
-Date: Thu, 30 Nov 2023 15:42:32 -0500
-Subject: [PATCH] [Backport] CVE-2024-0223: Heap buffer overflow in ANGLE (3/3)
-
-Manual backport of patch originally reviewed on
-https://chromium-review.googlesource.com/c/angle/angle/+/5077408:
-Translator: Limit private variable size to 64KB
-
-This is indirectly fixing an issue where passing large arrays in SPIR-V
-such that an internal cast is needed (such as
array inside interface
-block copied to local varaible) causes an overflow of the instruction
-length limit (in the absence of OpCopyLogical).
-
-By limiting the size of private variables to 32KB, this limitation is
-indirectly enforced. It was observed that all the test shaders added in
-this CL fail on the Nvidia OpenGL drivers, so such a limit seems to be
-reasonble.
-
-Bug: chromium:1505009
-Change-Id: Ia36134b2bf8501a5b875814db3566be28b183e0f
-Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5077408
-Reviewed-by: Charlie Lao <cclao@google.com>
-Reviewed-by: Geoff Lang <geofflang@chromium.org>
-Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530091
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../src/compiler/translator/Compiler.cpp | 12 +-
- .../ValidateTypeSizeLimitations.cpp | 131 +++++++++++++-----
- 2 files changed, 107 insertions(+), 36 deletions(-)
-
-diff --git a/chromium/third_party/angle/src/compiler/translator/Compiler.cpp b/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
-index b5b4ccf1c2d..cc5d026099d 100644
----- src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
-+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/Compiler.cpp
-@@ -770,11 +770,6 @@ bool TCompiler::checkAndSimplifyAST(TIntermBlock *root,
- return false;
- }
-
-- if (shouldLimitTypeSizes() && !ValidateTypeSizeLimitations(root, &mSymbolTable, &mDiagnostics))
-- {
-- return false;
-- }
--
- if (!ValidateFragColorAndFragData(mShaderType, mShaderVersion, mSymbolTable, &mDiagnostics))
- {
- return false;
-@@ -1053,6 +1048,13 @@ bool TCompiler::checkAndSimplifyAST(TIntermBlock *root,
- return false;
- }
-
-+ // Run after RemoveUnreferencedVariables, validate that the shader does not have excessively
-+ // large variables.
-+ if (shouldLimitTypeSizes() && !ValidateTypeSizeLimitations(root, &mSymbolTable, &mDiagnostics))
-+ {
-+ return false;
-+ }
-+
- // Built-in function emulation needs to happen after validateLimitations pass.
- GetGlobalPoolAllocator()->lock();
- initBuiltInFunctionEmulator(&mBuiltInFunctionEmulator, compileOptions);
-diff --git a/chromium/third_party/angle/src/compiler/translator/ValidateTypeSizeLimitations.cpp b/chromium/third_party/angle/src/compiler/translator/ValidateTypeSizeLimitations.cpp
-index f0ff9cb11ac..07e41d99354 100644
---- src/3rdparty/chromium/third_party/angle/src/compiler/translator/ValidateTypeSizeLimitations.cpp
-+++ src/3rdparty/chromium/third_party/angle/src/compiler/translator/ValidateTypeSizeLimitations.cpp
-@@ -24,10 +24,11 @@ namespace
- // Arbitrarily enforce that all types declared with a size in bytes of over 2 GB will cause
- // compilation failure.
- //
--// For local and global variables, the limit is much lower (16MB) as that much memory won't fit in
-+// For local and global variables, the limit is much lower (64KB) as that much memory won't fit in
- // the GPU registers anyway.
--constexpr size_t kMaxVariableSizeInBytes = static_cast<size_t>(2) * 1024 * 1024 * 1024;
--constexpr size_t kMaxPrivateVariableSizeInBytes = static_cast<size_t>(16) * 1024 * 1024;
-+constexpr size_t kMaxVariableSizeInBytes = static_cast<size_t>(2) * 1024 * 1024 * 1024;
-+constexpr size_t kMaxPrivateVariableSizeInBytes = static_cast<size_t>(64) * 1024;
-+constexpr size_t kMaxTotalPrivateVariableSizeInBytes = static_cast<size_t>(16) * 1024 * 1024;
-
- // Traverses intermediate tree to ensure that the shader does not
- // exceed certain implementation-defined limits on the sizes of types.
-@@ -70,43 +71,111 @@ class ValidateTypeSizeLimitationsTraverser : public TIntermTraverser
- continue;
- }
-
-- const TType &variableType = asSymbol->getType();
--
-- // Create a ShaderVariable from which to compute
-- // (conservative) sizing information.
-- ShaderVariable shaderVar;
-- setCommonVariableProperties(variableType, variable, &shaderVar);
--
-- // Compute the std140 layout of this variable, assuming
-- // it's a member of a block (which it might not be).
-- Std140BlockEncoder layoutEncoder;
-- BlockEncoderVisitor visitor("", "", &layoutEncoder);
-- // Since the size limit's arbitrary, it doesn't matter
-- // whether the row-major layout is correctly determined.
-- bool isRowMajorLayout = false;
-- TraverseShaderVariable(shaderVar, isRowMajorLayout, &visitor);
-- if (layoutEncoder.getCurrentOffset() > kMaxVariableSizeInBytes)
-+ if (!validateVariableSize(variable, asSymbol->getLine()))
- {
-- error(asSymbol->getLine(),
-- "Size of declared variable exceeds implementation-defined limit",
-- asSymbol->getName());
- return false;
- }
-+ }
-+
-+ return true;
-+ }
-+
-+ void visitFunctionPrototype(TIntermFunctionPrototype *node) override
-+ {
-+ const TFunction *function = node->getFunction();
-+ const size_t paramCount = function->getParamCount();
-+
-+ for (size_t paramIndex = 0; paramIndex < paramCount; ++paramIndex)
-+ {
-+ validateVariableSize(*function->getParam(paramIndex), node->getLine());
-+ }
-+ }
-+
-+ bool validateVariableSize(const TVariable &variable, const TSourceLoc &location)
-+ {
-+ const TType &variableType = variable.getType();
-+
-+ // Create a ShaderVariable from which to compute
-+ // (conservative) sizing information.
-+ ShaderVariable shaderVar;
-+ setCommonVariableProperties(variableType, variable, &shaderVar);
-+
-+ // Compute the std140 layout of this variable, assuming
-+ // it's a member of a block (which it might not be).
-+ Std140BlockEncoder layoutEncoder;
-+ BlockEncoderVisitor visitor("", "", &layoutEncoder);
-+ // Since the size limit's arbitrary, it doesn't matter
-+ // whether the row-major layout is correctly determined.
-+ bool isRowMajorLayout = false;
-+ TraverseShaderVariable(shaderVar, isRowMajorLayout, &visitor);
-+ if (layoutEncoder.getCurrentOffset() > kMaxVariableSizeInBytes)
-+ {
-+ error(location, "Size of declared variable exceeds implementation-defined limit",
-+ variable.name());
-+ return false;
-+ }
-+
-+ // Skip over struct declarations. As long as they are not used (or if they are used later
-+ // in a less-restricted context (such as a UBO or SSBO)), they can be larger than
-+ // kMaxPrivateVariableSizeInBytes.
-+ if (variable.symbolType() == SymbolType::Empty && variableType.isStructSpecifier())
-+ {
-+ return true;
-+ }
-+
-+ switch (variableType.getQualifier())
-+ {
-+ // List of all types that need to be limited (for example because they cause overflows
-+ // in drivers, or create trouble for the SPIR-V gen as the number of an instruction's
-+ // arguments cannot be more than 64KB (see OutputSPIRVTraverser::cast)).
-+
-+ // Local/global variables
-+ case EvqTemporary:
-+ case EvqGlobal:
-+ case EvqConst:
-+
-+ // Function arguments
-+ case EvqParamIn:
-+ case EvqParamOut:
-+ case EvqParamInOut:
-+ case EvqParamConst:
-+
-+ // Varyings
-+ case EvqVaryingIn:
-+ case EvqVaryingOut:
-+ case EvqSmoothOut:
-+ case EvqFlatOut:
-+ case EvqNoPerspectiveOut:
-+ case EvqCentroidOut:
-+ case EvqSampleOut:
-+ case EvqSmoothIn:
-+ case EvqFlatIn:
-+ case EvqNoPerspectiveIn:
-+ case EvqCentroidIn:
-+ case EvqVertexOut:
-+ case EvqFragmentIn:
-+ case EvqGeometryIn:
-+ case EvqGeometryOut:
-+ case EvqPerVertexIn:
-+ case EvqPerVertexOut:
-+ case EvqPatchIn:
-+ case EvqPatchOut:
-+ case EvqTessControlIn:
-+ case EvqTessControlOut:
-+ case EvqTessEvaluationIn:
-+ case EvqTessEvaluationOut:
-
-- const bool isPrivate = variableType.getQualifier() == EvqTemporary ||
-- variableType.getQualifier() == EvqGlobal ||
-- variableType.getQualifier() == EvqConst;
-- if (isPrivate)
-- {
- if (layoutEncoder.getCurrentOffset() > kMaxPrivateVariableSizeInBytes)
- {
--
error(asSymbol->getLine(),
-+ error(location,
- "Size of declared private variable exceeds implementation-defined limit",
-- asSymbol->getName());
-+ variable.name());
- return false;
- }
- mTotalPrivateVariablesSize += layoutEncoder.getCurrentOffset();
-- }
-+ break;
-+ default:
-+ break;
- }
-
- return true;
-@@ -115,7 +184,7 @@ class ValidateTypeSizeLimitationsTraverser : public TIntermTraverser
- void validateTotalPrivateVariableSize()
- {
- if (mTotalPrivateVariablesSize.ValueOrDefault(std::numeric_limits<size_t>::max()) >
-- kMaxPrivateVariableSizeInBytes)
-+ kMaxTotalPrivateVariableSizeInBytes)
- {
- mDiagnostics->error(
- TSourceLoc{},
-From 5bbe9cf3b48b80901df6b446520581809f88e945 Mon Sep 17 00:00:00 2001
-From: Shahbaz Youssefi <syoussefi@chromium.org>
-Date: Tue, 5 Dec 2023 13:36:53 -0500
-Subject: [PATCH] [Backport] CVE-2024-0222: Use after free in ANGLE
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/angle/angle/+/5143829:
-M120: Vulkan: Don't crash when glCopyTexImage2D redefines itself
-
-The Vulkan backend marks a level being redefined as such before doing
-the copy. If a single-level texture was being redefined, it releases it
-so it can be immediately reallocated. If the source of the copy is the
-same texture, this causes a crash.
-
-This can be properly supported by using a temp image to do the copy, but
-that is not implemented in this change.
-
-Bug: chromium:1501798
-Change-Id: I3a902b1e9eec41afd385d9c75a8c95dc986070a8
-Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/5143829
-Reviewed-by: Cody Northrop <cnorthrop@google.com>
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530092
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../libANGLE/renderer/vulkan/TextureVk.cpp | 23 ++++++++++++++++++-
- 1 file changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp b/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp
-index 903def6e88e..fcd3bfa02f3 100644
---- src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp
-+++ src/3rdparty/chromium/third_party/angle/src/libANGLE/renderer/vulkan/TextureVk.cpp
-@@ -698,8 +698,28 @@ angle::Result TextureVk::copyImage(const gl::Context *context,
- gl::GetInternalFormatInfo(internalFormat, GL_UNSIGNED_BYTE);
- const vk::Format &vkFormat = renderer->getFormat(internalFormatInfo.sizedInternalFormat);
-
-+ // The texture level being redefined might be the same as the one bound to the framebuffer.
-+ // This _could_ be supported by using a temp image before redefining the level (and potentially
-+ // discarding the image). However, this is currently unimplemented.
-+ FramebufferVk *framebufferVk = vk::GetImpl(source);
-+ RenderTargetVk *colorReadRT = framebufferVk->getColorReadRenderTarget();
-+ vk::ImageHelper *srcImage = &colorReadRT->getImageForCopy();
-+ const bool isCubeMap = index.getType() == gl::TextureType::CubeMap;
-+ gl::LevelIndex levelIndex(getNativeImageIndex(index).getLevelIndex());
-+ const uint32_t layerIndex = index.hasLayer() ? index.getLayerIndex() : 0;
-+ const uint32_t redefinedFace = isCubeMap ? layerIndex : 0;
-+ const uint32_t sourceFace = isCubeMap ?
colorReadRT->getLayerIndex() : 0;
-+ const bool isSelfCopy = mImage == srcImage && levelIndex == colorReadRT->getLevelIndex() &&
-+ redefinedFace == sourceFace;
-+
- ANGLE_TRY(redefineLevel(context, index, vkFormat, newImageSize));
-
-+ if (isSelfCopy)
-+ {
-+ UNIMPLEMENTED();
-+ return angle::Result::Continue;
-+ }
-+
- return copySubImageImpl(context, index, gl::Offset(0, 0, 0), sourceArea, internalFormatInfo,
- source);
- }
-@@ -1784,7 +1804,8 @@ angle::Result TextureVk::redefineLevel(const gl::Context *context,
- mImage->getLevelCount() == 1 && mImage->getFirstAllocatedLevel() == levelIndexGL;
-
- // If incompatible, and redefining the single-level image, release it so it can be
-- // recreated immediately. This is an optimization to avoid an extra copy.
-+ // recreated immediately. This is needed so that the texture can be reallocated with
-+ // the correct format/size.
- if (!isCompatibleRedefinition && isUpdateToSingleLevelImage)
- {
- releaseImage(contextVk);
-From 4ce1bbed853cba46f9ab6d1546e10253cc42f619 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20Br=C3=BCning?= <michael.bruning@qt.io>
-Date: Sun, 14 Jan 2024 23:48:08 +0100
-Subject: [PATCH] Fixup: [Backport] Security bug 1488199
-
-Add register aliases following respective platform calling
-conventions.
-
-Change-Id: I8f844cd4db35393580f2a0adae6a4095584087a5
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530630
-Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
----
- chromium/v8/src/codegen/arm/register-arm.h | 6 ++++++
- chromium/v8/src/codegen/arm64/register-arm64.h | 6 ++++++
- chromium/v8/src/codegen/loong64/register-loong64.h | 6 ++++++
- chromium/v8/src/codegen/mips64/register-mips64.h | 6 ++++++
- chromium/v8/src/codegen/ppc/register-ppc.h | 6 ++++++
- chromium/v8/src/codegen/riscv/register-riscv.h | 5 +++++
- chromium/v8/src/codegen/s390/register-s390.h | 6 ++++++
- 7 files changed, 41 insertions(+)
-
-diff --git a/chromium/v8/src/codegen/arm/register-arm.h b/chromium/v8/src/codegen/arm/register-arm.h
-index 4edcddaa6f5a..40d07e4984e8 100644
---- src/3rdparty/chromium/v8/src/codegen/arm/register-arm.h
-+++ src/3rdparty/chromium/v8/src/codegen/arm/register-arm.h
-@@ -84,6 +84,12 @@ GENERAL_REGISTERS(DECLARE_REGISTER)
- #undef DECLARE_REGISTER
- constexpr Register no_reg = Register::no_reg();
-
-+// ARM calling convention
-+constexpr Register arg_reg_1 = r0;
-+constexpr Register arg_reg_2 = r1;
-+constexpr Register arg_reg_3 = r2;
-+constexpr Register arg_reg_4 = r3;
-+
- // Returns the number of padding slots needed for stack pointer alignment.
- constexpr int ArgumentPaddingSlots(int argument_count) {
- // No argument padding required.
-diff --git a/chromium/v8/src/codegen/arm64/register-arm64.h b/chromium/v8/src/codegen/arm64/register-arm64.h
-index 24878e9d2567..a90412ae2061 100644
---- src/3rdparty/chromium/v8/src/codegen/arm64/register-arm64.h
-+++ src/3rdparty/chromium/v8/src/codegen/arm64/register-arm64.h
-@@ -525,6 +525,12 @@ ALIAS_REGISTER(VRegister, fp_scratch2, d31);
-
- #undef ALIAS_REGISTER
-
-+// Arm64 calling convention
-+constexpr Register arg_reg_1 = x0;
-+constexpr Register arg_reg_2 = x1;
-+constexpr Register arg_reg_3 = x2;
-+constexpr Register arg_reg_4 = x3;
-+
- // AreAliased returns true if any of the named registers overlap. Arguments set
- // to NoReg are ignored. The system stack pointer may be specified.
- V8_EXPORT_PRIVATE bool AreAliased(
-diff --git a/chromium/v8/src/codegen/loong64/register-loong64.h b/chromium/v8/src/codegen/loong64/register-loong64.h
-index 07c975223b26..724103587cf5 100644
---- src/3rdparty/chromium/v8/src/codegen/loong64/register-loong64.h
-+++ src/3rdparty/chromium/v8/src/codegen/loong64/register-loong64.h
-@@ -186,6 +186,12 @@ DEFINE_REGISTER_NAMES(Register, GENERAL_REGISTERS)
- DEFINE_REGISTER_NAMES(FPURegister, DOUBLE_REGISTERS)
-
- // Give alias names to registers for calling conventions.
-+
-+constexpr Register arg_reg_1 = a0;
-+constexpr Register arg_reg_2 = a1;
-+constexpr Register arg_reg_3 = a2;
-+constexpr Register arg_reg_4 = a3;
-+
- constexpr Register kReturnRegister0 = a0;
- constexpr Register kReturnRegister1 = a1;
- constexpr Register kReturnRegister2 = a2;
-diff --git a/chromium/v8/src/codegen/mips64/register-mips64.h b/chromium/v8/src/codegen/mips64/register-mips64.h
-index 00feb1c01c14..f3d5bd5c7985 100644
---- src/3rdparty/chromium/v8/src/codegen/mips64/register-mips64.h
-+++ src/3rdparty/chromium/v8/src/codegen/mips64/register-mips64.h
-@@ -278,6 +278,12 @@ DEFINE_REGISTER_NAMES(FPURegister, DOUBLE_REGISTERS)
- DEFINE_REGISTER_NAMES(MSARegister, SIMD128_REGISTERS)
-
- // Give alias names to registers for calling conventions.
-+
-+constexpr Register arg_reg_1 = a0;
-+constexpr Register arg_reg_2 = a1;
-+constexpr Register arg_reg_3 = a2;
-+constexpr Register arg_reg_4 = a3;
-+
- constexpr Register kReturnRegister0 = v0;
- constexpr Register kReturnRegister1 = v1;
- constexpr Register kReturnRegister2 = a0;
-diff --git a/chromium/v8/src/codegen/ppc/register-ppc.h b/chromium/v8/src/codegen/ppc/register-ppc.h
-index bdcb12b9d2d8..a2085e0e593b 100644
---- src/3rdparty/chromium/v8/src/codegen/ppc/register-ppc.h
-+++ src/3rdparty/chromium/v8/src/codegen/ppc/register-ppc.h
-@@ -152,6 +152,12 @@ constexpr Register kPtrComprCageBaseRegister = r27; // callee save
- constexpr Register kPtrComprCageBaseRegister = kRootRegister;
- #endif
-
-+// PPC64 calling convention
-+constexpr Register arg_reg_1 = r3;
-+constexpr Register arg_reg_2 = r4;
-+constexpr Register arg_reg_3 = r5;
-+constexpr Register arg_reg_4 = r6;
-+
- // Returns the number of padding slots needed for stack pointer alignment.
- constexpr int ArgumentPaddingSlots(int argument_count) {
- // No argument padding required.
-diff --git a/chromium/v8/src/codegen/riscv/register-riscv.h b/chromium/v8/src/codegen/riscv/register-riscv.h
-index c530c54b4ea1..d45fa80b5c91 100644
---- src/3rdparty/chromium/v8/src/codegen/riscv/register-riscv.h
-+++ src/3rdparty/chromium/v8/src/codegen/riscv/register-riscv.h
-@@ -271,6 +271,11 @@ DEFINE_REGISTER_NAMES(FPURegister, DOUBLE_REGISTERS)
- DEFINE_REGISTER_NAMES(VRegister, VECTOR_REGISTERS)
-
- // Give alias names to registers for calling conventions.
-+constexpr Register arg_reg_1 = a0;
-+constexpr Register arg_reg_2 = a1;
-+constexpr Register arg_reg_3 = a2;
-+constexpr Register arg_reg_4 = a3;
-+
- constexpr Register kReturnRegister0 = a0;
- constexpr Register kReturnRegister1 = a1;
- constexpr Register kReturnRegister2 = a2;
-diff --git a/chromium/v8/src/codegen/s390/register-s390.h b/chromium/v8/src/codegen/s390/register-s390.h
-index b3e5a49f2db5..6320135a2400 100644
---- src/3rdparty/chromium/v8/src/codegen/s390/register-s390.h
-+++ src/3rdparty/chromium/v8/src/codegen/s390/register-s390.h
-@@ -116,6 +116,12 @@ constexpr Register no_reg = Register::no_reg();
- constexpr Register kRootRegister = r10; // Roots array pointer.
- constexpr Register cp = r13; // JavaScript context pointer.
-
-+// s390x calling convention
-+constexpr Register arg_reg_1 = r2;
-+constexpr Register arg_reg_2 = r3;
-+constexpr Register arg_reg_3 = r4;
-+constexpr Register arg_reg_4 = r5;
-+
- // Returns the number of padding slots needed for stack pointer alignment.
- constexpr int ArgumentPaddingSlots(int argument_count) {
- // No argument padding required.
-From d3328103b5e8336449108b8ba13549ced9caf404 Mon Sep 17 00:00:00 2001
-From: Evan Stade <estade@chromium.org>
-Date: Fri, 15 Dec 2023 21:38:02 +0000
-Subject: [PATCH] [Backport] Security bug 1511689
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/deps/sqlite/+/5123910:
-Fix a spurious "misuse of aggregate function" error that could occur when an aggregate function was used within the FROM clause of a sub-select of the select that owns the aggregate. e.g. "SELECT (SELECT x FROM (SELECT sum(t1.a) AS x)) FROM t1". [forum:/forumpost/c9970a37ed | Forum post c9970a37ed].
-
-FossilOrigin-Name: 4470f657d2069972d02a00983252dec1f814d90c0d8d0906e320e955111e8c11
-(cherry picked from commit 5e4233a9e48b124d4d342b757b34e4ae849f5cf8)
-
-Bug: 1511689
-Change-Id: I69263fc0a5fa66df5c09b964864568f2fc7a6ca5
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/deps/sqlite/+/5123910
-Auto-Submit: Evan Stade <estade@chromium.org>
-Commit-Queue: Ayu Ishii <ayui@chromium.org>
-Reviewed-by: Ayu Ishii <ayui@chromium.org>
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/530068
-Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
----
- chromium/third_party/sqlite/src/amalgamation/sqlite3.c | 6 +++++-
- chromium/third_party/sqlite/src/amalgamation_dev/sqlite3.c | 6 +++++-
- chromium/third_party/sqlite/src/src/resolve.c | 7 +++++--
- chromium/third_party/sqlite/src/src/sqliteInt.h | 1 +
- 4 files changed, 16 insertions(+), 4 deletions(-)
-
-diff --git a/chromium/third_party/sqlite/src/amalgamation/sqlite3.c b/chromium/third_party/sqlite/src/amalgamation/sqlite3.c
-index d7766b7d7ec..b353aa88348 100644
---- src/3rdparty/chromium/third_party/sqlite/src/amalgamation/sqlite3.c
-+++ src/3rdparty/chromium/third_party/sqlite/src/amalgamation/sqlite3.c
-@@ -18804,6 +18804,7 @@ struct NameContext {
- int nRef; /* Number of names resolved by this context */
- int nNcErr; /* Number of errors
encountered while resolving names */
- int ncFlags; /* Zero or more NC_* flags defined below */
-+ int nNestedSelect; /* Number of nested selects using this NC */
- Select *pWinSelect; /* SELECT statement for any window functions */
- };
-
-@@ -104749,11 +104750,12 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
- while( pNC2
- && sqlite3ReferencesSrcList(pParse, pExpr, pNC2->pSrcList)==0
- ){
-- pExpr->op2++;
-+ pExpr->op2 += (1 + pNC2->nNestedSelect);
- pNC2 = pNC2->pNext;
- }
- assert( pDef!=0 || IN_RENAME_OBJECT );
- if( pNC2 && pDef ){
-+ pExpr->op2 += pNC2->nNestedSelect;
- assert( SQLITE_FUNC_MINMAX==NC_MinMaxAgg );
- assert( SQLITE_FUNC_ANYORDER==NC_OrderAgg );
- testcase( (pDef->funcFlags & SQLITE_FUNC_MINMAX)!=0 );
-@@ -105314,6 +105316,7 @@ static int resolveSelectStep(Walker *pWalker, Select *p){
-
- /* Recursively resolve names in all subqueries in the FROM clause
- */
-+ if( pOuterNC ) pOuterNC->nNestedSelect++;
- for(i=0; i<p->pSrc->nSrc; i++){
- SrcItem *pItem = &p->pSrc->a[i];
- if( pItem->pSelect && (pItem->pSelect->selFlags & SF_Resolved)==0 ){
-@@ -105338,6 +105341,7 @@ static int resolveSelectStep(Walker *pWalker, Select *p){
- }
- }
- }
-+ if( pOuterNC ) pOuterNC->nNestedSelect--;
-
- /* Set up the local name-context to pass to sqlite3ResolveExprNames() to
- ** resolve the result-set expression list.
-diff --git a/chromium/third_party/sqlite/src/amalgamation_dev/sqlite3.c b/chromium/third_party/sqlite/src/amalgamation_dev/sqlite3.c
-index 0819ea6a615..5c72a44dd6b 100644
---- src/3rdparty/chromium/third_party/sqlite/src/amalgamation_dev/sqlite3.c
-+++ src/3rdparty/chromium/third_party/sqlite/src/amalgamation_dev/sqlite3.c
-@@ -18817,6 +18817,7 @@ struct NameContext {
- int nRef; /* Number of names resolved by this context */
- int nNcErr; /* Number of errors encountered while resolving names */
- int ncFlags; /* Zero or more NC_* flags defined below */
-+ int nNestedSelect; /* Number of nested selects using this NC */
- Select *pWinSelect; /* SELECT statement for any window functions */
- };
-
-@@ -104762,11 +104763,12 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
- while( pNC2
- && sqlite3ReferencesSrcList(pParse, pExpr, pNC2->pSrcList)==0
- ){
-- pExpr->op2++;
-+ pExpr->op2 += (1 + pNC2->nNestedSelect);
- pNC2 = pNC2->pNext;
- }
- assert( pDef!=0 || IN_RENAME_OBJECT );
- if( pNC2 && pDef ){
-+ pExpr->op2 += pNC2->nNestedSelect;
- assert( SQLITE_FUNC_MINMAX==NC_MinMaxAgg );
- assert( SQLITE_FUNC_ANYORDER==NC_OrderAgg );
- testcase( (pDef->funcFlags & SQLITE_FUNC_MINMAX)!=0 );
-@@ -105327,6 +105329,7 @@ static int resolveSelectStep(Walker *pWalker, Select *p){
-
- /* Recursively resolve names in all subqueries in the FROM clause
- */
-+ if( pOuterNC ) pOuterNC->nNestedSelect++;
- for(i=0; i<p->pSrc->nSrc; i++){
- SrcItem *pItem = &p->pSrc->a[i];
- if( pItem->pSelect && (pItem->pSelect->selFlags & SF_Resolved)==0 ){
-@@ -105351,6 +105354,7 @@ static int resolveSelectStep(Walker *pWalker, Select *p){
- }
- }
- }
-+ if( pOuterNC ) pOuterNC->nNestedSelect--;
-
- /* Set up the local name-context to pass to sqlite3ResolveExprNames() to
- ** resolve the result-set expression list.
-diff --git a/chromium/third_party/sqlite/src/src/resolve.c b/chromium/third_party/sqlite/src/src/resolve.c
-index 4b36ecca348..c5228a7f097 100644
---- src/3rdparty/chromium/third_party/sqlite/src/src/resolve.c
-+++ src/3rdparty/chromium/third_party/sqlite/src/src/resolve.c
-@@ -1211,11 +1211,12 @@ static int resolveExprStep(Walker *pWalker, Expr *pExpr){
- while( pNC2
- && sqlite3ReferencesSrcList(pParse, pExpr, pNC2->pSrcList)==0
- ){
-- pExpr->op2++;
-+ pExpr->op2 += (1 + pNC2->nNestedSelect);
- pNC2 = pNC2->pNext;
- }
- assert( pDef!=0 || IN_RENAME_OBJECT );
- if( pNC2 && pDef ){
-+ pExpr->op2 += pNC2->nNestedSelect;
- assert( SQLITE_FUNC_MINMAX==NC_MinMaxAgg );
- assert( SQLITE_FUNC_ANYORDER==NC_OrderAgg );
- testcase( (pDef->funcFlags & SQLITE_FUNC_MINMAX)!=0 );
-@@ -1776,6 +1777,7 @@ static int resolveSelectStep(Walker *pWalker, Select *p){
-
- /* Recursively resolve names in all subqueries in the FROM clause
- */
-+ if( pOuterNC ) pOuterNC->nNestedSelect++;
- for(i=0; i<p->pSrc->nSrc; i++){
- SrcItem *pItem = &p->pSrc->a[i];
- if( pItem->pSelect && (pItem->pSelect->selFlags & SF_Resolved)==0 ){
-@@ -1800,7 +1802,8 @@ static int resolveSelectStep(Walker *pWalker, Select *p){
- }
- }
- }
--
-+ if( pOuterNC ) pOuterNC->nNestedSelect--;
-+
- /* Set up the local name-context to pass to sqlite3ResolveExprNames() to
- ** resolve the result-set expression list.
- */
-diff --git a/chromium/third_party/sqlite/src/src/sqliteInt.h b/chromium/third_party/sqlite/src/src/sqliteInt.h
-index 2614f4be458..07bc4def106 100644
---- src/3rdparty/chromium/third_party/sqlite/src/src/sqliteInt.h
-+++ src/3rdparty/chromium/third_party/sqlite/src/src/sqliteInt.h
-@@ -3321,6 +3321,7 @@ struct NameContext {
- int nRef; /* Number of names resolved by this context */
- int nNcErr; /* Number of errors encountered while resolving names */
- int ncFlags; /* Zero or more NC_* flags defined below */
-+ int nNestedSelect; /* Number of nested selects using this NC */
- Select *pWinSelect; /* SELECT statement for any window functions */
- };
-
-From 54da597d9f7e7b9f331a15077eba6485b68280ab Mon Sep 17 00:00:00 2001
-From: Toon Verwaest <verwaest@chromium.org>
-Date: Thu, 11 Jan 2024 10:47:17 +0100
-Subject: [PATCH] [Backport] CVE-2024-0519: Out of bounds memory access in V8
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/v8/v8/+/5192447:
-Merged: [runtime] Drop fast last-property deletion
-
-This interacts badly with other optimizations and isn't particularly
-common.
-
-Bug: chromium:1517354
-(cherry picked from commit 389ea9be7d68bb189e16da79f6414edbd4f7594f)
-
-Change-Id: Ie16aa38e8984c4879491c0d9a0ca9df0e041fd1d
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5192447
-Auto-Submit: Toon Verwaest <verwaest@chromium.org>
-Reviewed-by: Leszek Swirski <leszeks@chromium.org>
-Cr-Commit-Position: refs/branch-heads/12.0@{#32}
-Cr-Branched-From: ed7b4caf1fb8184ad9e24346c84424055d4d430a-refs/heads/12.0.267@{#1}
-Cr-Branched-From: 210e75b19db4352c9b78dce0bae11c2dc3077df4-refs/heads/main@{#90651}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/531577
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- chromium/v8/src/runtime/runtime-object.cc | 174 ----------------------
- 1 file changed, 174 deletions(-)
-
-diff --git a/chromium/v8/src/runtime/runtime-object.cc b/chromium/v8/src/runtime/runtime-object.cc
-index 2d4965549b2..ee8a9fbd147 100644
---- src/3rdparty/chromium/v8/src/runtime/runtime-object.cc
-+++ src/3rdparty/chromium/v8/src/runtime/runtime-object.cc
-@@ -81,184 +81,10 @@ MaybeHandle<Object> Runtime::HasProperty(Isolate* isolate,
- : ReadOnlyRoots(isolate).false_value_handle();
- }
-
--namespace {
--
--// This function sets the sentinel value in a deleted field. Thes sentinel has
--// to look like a proper standalone object because the slack tracking may
--// complete at any time. For this reason we use the filler map word.
--// If V8_MAP_PACKING is enabled, then the filler map word is a packed filler
--// map. Otherwise, the filler map word is the same as the filler map.
--inline void ClearField(Isolate* isolate, JSObject object, FieldIndex index) {
-- if (index.is_inobject()) {
-- MapWord filler_map_word =
-- ReadOnlyRoots(isolate).one_pointer_filler_map_word();
--#ifndef V8_MAP_PACKING
-- DCHECK_EQ(filler_map_word.ToMap(),
-- ReadOnlyRoots(isolate).one_pointer_filler_map());
--#endif
-- int offset = index.offset();
-- TaggedField<MapWord>::Release_Store(object, offset, filler_map_word);
-- } else {
-- object.property_array().set(
-- index.outobject_array_index(),
-- ReadOnlyRoots(isolate).one_pointer_filler_map());
-- }
--}
--
--void GeneralizeAllTransitionsToFieldAsMutable(Isolate* isolate, Handle<Map> map,
-- Handle<Name> name) {
-- InternalIndex descriptor(map->NumberOfOwnDescriptors());
--
-- Handle<Map> target_maps[kPropertyAttributesCombinationsCount];
-- int target_maps_count = 0;
--
-- // Collect all outgoing field transitions.
-- {
-- DisallowGarbageCollection no_gc;
-- TransitionsAccessor transitions(isolate, *map);
-- transitions.ForEachTransitionTo(
-- *name,
-- [&](Map target) {
-- DCHECK_EQ(descriptor, target.LastAdded());
-- DCHECK_EQ(*name, target.GetLastDescriptorName(isolate));
-- PropertyDetails details = target.GetLastDescriptorDetails(isolate);
-- // Currently, we track constness only for fields.
-- if (details.kind() == PropertyKind::kData &&
-- details.constness() == PropertyConstness::kConst) {
-- target_maps[target_maps_count++] = handle(target, isolate);
-- }
-- DCHECK_IMPLIES(details.kind() == PropertyKind::kAccessor,
-- details.constness() == PropertyConstness::kConst);
-- },
-- &no_gc);
-- CHECK_LE(target_maps_count, kPropertyAttributesCombinationsCount);
-- }
--
-- for (int i = 0; i < target_maps_count; i++) {
-- Handle<Map> target = target_maps[i];
-- PropertyDetails details =
-- target->instance_descriptors(isolate).GetDetails(descriptor);
-- Handle<FieldType> field_type(
-- target->instance_descriptors(isolate).GetFieldType(descriptor),
-- isolate);
-- MapUpdater::GeneralizeField(isolate, target, descriptor,
-- PropertyConstness::kMutable,
-- details.representation(), field_type);
-- DCHECK_EQ(PropertyConstness::kMutable, target->instance_descriptors(isolate)
-- .GetDetails(descriptor)
-- .constness());
-- }
--}
--
--bool DeleteObjectPropertyFast(Isolate* isolate, Handle<JSReceiver> receiver,
-- Handle<Object> raw_key) {
-- // This implements a special case for fast property deletion: when the
-- // last property in an object is deleted, then instead of normalizing
-- // the properties, we can undo the last map transition, with a few
-- // prerequisites:
-- // (1) The receiver must be a regular object and the key a unique name.
-- Handle<Map> receiver_map(receiver->map(), isolate);
-- if (receiver_map->IsSpecialReceiverMap()) return false;
-- DCHECK(receiver_map->IsJSObjectMap());
--
-- if (!raw_key->IsUniqueName()) return false;
-- Handle<Name> key = Handle<Name>::cast(raw_key);
-- // (2) The property to be deleted must be the last property.
-- int nof = receiver_map->NumberOfOwnDescriptors();
-- if (nof == 0) return false;
-- InternalIndex descriptor(nof - 1);
-- Handle<DescriptorArray> descriptors(
-- receiver_map->instance_descriptors(isolate), isolate);
-- if (descriptors->GetKey(descriptor) != *key) return false;
-- // (3) The property to be deleted must be deletable.
-- PropertyDetails details = descriptors->GetDetails(descriptor);
-- if (!details.IsConfigurable()) return false;
-- // (4) The map must have a back pointer.
-- Handle<Object> backpointer(receiver_map->GetBackPointer(), isolate);
-- if (!backpointer->IsMap()) return false;
-- Handle<Map> parent_map = Handle<Map>::cast(backpointer);
-- // (5) The last transition must have been caused by adding a property
-- // (and not any kind of special transition).
-- if (parent_map->NumberOfOwnDescriptors() != nof - 1) return false;
--
-- // Preconditions successful. No more bailouts after this point.
--
-- // Zap the property to avoid keeping objects alive. Zapping is not necessary
-- // for properties stored in the descriptor array.
-- if (details.location() == PropertyLocation::kField) {
-- DisallowGarbageCollection no_gc;
--
-- // Invalidate slots manually later in case we delete an in-object tagged
-- // property. In this case we might later store an untagged value in the
-- // recorded slot.
-- isolate->heap()->NotifyObjectLayoutChange(*receiver, no_gc,
-- InvalidateRecordedSlots::kNo);
-- FieldIndex index =
-- FieldIndex::ForPropertyIndex(*receiver_map, details.field_index());
-- // Special case deleting the last out-of object property.
-- if (!index.is_inobject() && index.outobject_array_index() == 0) {
-- DCHECK(!parent_map->HasOutOfObjectProperties());
-- // Clear out the properties backing store.
-- receiver->SetProperties(ReadOnlyRoots(isolate).empty_fixed_array());
-- } else {
-- ClearField(isolate, JSObject::cast(*receiver), index);
-- if (index.is_inobject()) {
-- // We need to clear the recorded slot in this case because in-object
-- // slack tracking might not be finished. This ensures that we don't
-- // have recorded slots in free space.
-- isolate->heap()->ClearRecordedSlot(*receiver,
-- receiver->RawField(index.offset()));
-- }
-- }
-- }
-- // If the {receiver_map} was marked stable before, then there could be
-- // optimized code that depends on the assumption that no object that
-- // reached this {receiver_map} transitions away from it without triggering
-- // the "deoptimize dependent code" mechanism.
-- receiver_map->NotifyLeafMapLayoutChange(isolate);
-- // Finally, perform the map rollback.
-- receiver->set_map(*parent_map, kReleaseStore);
--#if VERIFY_HEAP
-- if (v8_flags.verify_heap) {
-- receiver->HeapObjectVerify(isolate);
-- receiver->property_array().PropertyArrayVerify(isolate);
-- }
--#endif
--
-- // If the {descriptor} was "const" so far, we need to update the
-- // {receiver_map} here, otherwise we could get the constants wrong, i.e.
-- //
-- // o.x = 1;
-- // [change o.x's attributes or reconfigure property kind]
-- // delete o.x;
-- // o.x = 2;
-- //
-- // could trick V8 into thinking that `o.x` is still 1 even after the second
-- // assignment.
--
-- // Step 1: Migrate object to an up-to-date shape.
-- if (parent_map->is_deprecated()) {
-- JSObject::MigrateInstance(isolate, Handle<JSObject>::cast(receiver));
-- parent_map = handle(receiver->map(), isolate);
-- }
--
-- // Step 2: Mark outgoing transitions from the up-to-date version of the
-- // parent_map to same property name of any kind or attributes as mutable.
-- // Also migrate object to the up-to-date map to make the object shapes
-- // converge sooner.
-- GeneralizeAllTransitionsToFieldAsMutable(isolate, parent_map, key);
--
-- return true;
--}
--
--} // namespace
--
- Maybe<bool> Runtime::DeleteObjectProperty(Isolate* isolate,
- Handle<JSReceiver> receiver,
- Handle<Object> key,
- LanguageMode language_mode) {
-- if (DeleteObjectPropertyFast(isolate, receiver, key)) return Just(true);
--
- bool success = false;
- PropertyKey lookup_key(isolate, key, &success);
- if (!success) return Nothing<bool>();
-From be7a2c69bf21ed5c1185840cc651608dfad95b75 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Dominik=20Inf=C3=BChr?= <dinfuehr@chromium.org>
-Date: Mon, 18 Dec 2023 09:15:00 +0100
-Subject: [PATCH] [Backport] CVE-2024-0518: Type Confusion in V8
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Manual backport of patch originally reviewed on
-https://chromium-review.googlesource.com/c/v8/v8/+/5125960:
-[codegen] Install BytecodeArray last in SharedFunctionInfo
-
-Maglev assumes that when a SharedFunctionInfo has a BytecodeArray,
-then it should also have FeedbackMetadata. However, this may not
-hold with concurrent compilation when the SharedFunctionInfo is
-re-compiled after being flushed. Here the BytecodeArray was installed
-on the SFI before the FeedbackMetadata and a concurrent thread could
-observe the BytecodeArray but not the FeedbackMetadata.
-
-Drive-by: Reset the age field before setting the BytecodeArray as
-well. This ensures that the concurrent marker will not observe the
-old age for the new BytecodeArray.
-
-Bug: chromium:1507412
-Change-Id: I8855ed7ecc50c4a47d2c89043d62ac053858bc75
-Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5125960
-Reviewed-by: Leszek Swirski <leszeks@chromium.org>
-Commit-Queue: Dominik Inführ <dinfuehr@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#91568}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/531578
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- chromium/v8/src/codegen/compiler.cc | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/chromium/v8/src/codegen/compiler.cc b/chromium/v8/src/codegen/compiler.cc
-index 5d3ee6e6a0c..47b58f1874f 100644
---- src/3rdparty/chromium/v8/src/codegen/compiler.cc
-+++ src/3rdparty/chromium/v8/src/codegen/compiler.cc
-@@ -686,11 +686,11 @@ void InstallUnoptimizedCode(UnoptimizedCompilationInfo* compilation_info,
- }
- #endif // V8_ENABLE_WEBASSEMBLY
-
-- shared_info->set_bytecode_array(*compilation_info->bytecode_array());
--
- Handle<FeedbackMetadata> feedback_metadata = FeedbackMetadata::New(
- isolate, compilation_info->feedback_vector_spec());
- shared_info->set_feedback_metadata(*feedback_metadata, kReleaseStore);
-+
-+ shared_info->set_bytecode_array(*compilation_info->bytecode_array());
- } else {
- #if V8_ENABLE_WEBASSEMBLY
- DCHECK(compilation_info->has_asm_wasm_data());
-From 7b40abebdec3e2931c88010fedc96c49fbba1731 Mon Sep 17 00:00:00 2001
-From: Mike Wasserman <msw@chromium.org>
-Date: Tue, 9 Jan 2024 01:07:39 +0000
-Subject: [PATCH] [Backport] Security bug 1506535
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5146875:
-[M120 merge] Speculative fix for UAF in content::WebContentsImpl::ExitFullscreenMode
-
-(cherry picked from commit c1cda70a433a0c625b280eb88ed6ff4f4feffa12)
-
-Bug: 1506535, 854815
-Change-Id: Iace64d63f8cea2dbfbc761ad233db42451ec101c
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5146875
-Commit-Queue: John Abd-El-Malek <jam@chromium.org>
-Auto-Submit: Mike Wasserman <msw@chromium.org>
-Reviewed-by: John Abd-El-Malek <jam@chromium.org>
-Cr-Original-Commit-Position: refs/heads/main@{#1240353}
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5178801
-Cr-Commit-Position: refs/branch-heads/6099@{#1727}
-Cr-Branched-From: e6ee4500f7d6549a9ac1354f8d056da49ef406be-refs/heads/main@{#1217362}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/531579
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- chromium/content/browser/web_contents/web_contents_impl.cc | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc
-index 59bbb727e6b..8b3f7055430 100644
---- src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc
-+++ src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc
-@@ -3600,7 +3600,12 @@ void WebContentsImpl::ExitFullscreenMode(bool will_cause_resize) {
- static_cast<RenderWidgetHostViewBase*>(view)->ExitFullscreenMode();
-
- if (delegate_) {
-+ // This may spin the message loop and destroy this object crbug.com/1506535
-+ base::WeakPtr<WebContentsImpl> weak_ptr = weak_factory_.GetWeakPtr();
- delegate_->ExitFullscreenModeForTab(this);
-+ if (!weak_ptr) {
-+ return;
-+ }
-
- if (keyboard_lock_widget_)
- delegate_->CancelKeyboardLockRequest(this);
-From 8ab0eb9f07be8cd735e03b5536fc2e361e70a5cf Mon Sep 17 00:00:00 2001
-From: Lyra Rebane <rebane2001@gmail.com>
-Date: Mon, 8 Jan 2024 13:39:46 +0000
-Subject: [PATCH] [Backport] CVE-2024-0808: Integer underflow in WebUI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5177426:
-Verify resource order in data pack files
-
-This CL adds a resource order
check when loading a data pack or calling DataPack::GetStringPiece to make sure the resources are ordered sequentially in memory.
-
-Bug: 1504936
-Change-Id: Ie3bf1d9dbac937407355935a859a5daa9ce84350
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5059113
-Commit-Queue: Peter Boström <pbos@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1238675}
-(cherry picked from commit c4b2e6246ad0e95eaf0727bb25a2e4969155e989)
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535516
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- chromium/AUTHORS | 1 +
- chromium/ui/base/resource/data_pack.cc | 19 ++++++++++++++++++-
- .../ui/base/resource/data_pack_literal.cc | 12 ++++++++++++
- chromium/ui/base/resource/data_pack_literal.h | 2 ++
- .../ui/base/resource/data_pack_unittest.cc | 7 +++++++
- 5 files changed, 40 insertions(+), 1 deletion(-)
-
-diff --git a/chromium/AUTHORS b/chromium/AUTHORS
-index ff6abe8d1135..772aab22c671 100644
---- src/3rdparty/chromium/AUTHORS
-+++ src/3rdparty/chromium/AUTHORS
-@@ -769,6 +769,7 @@ Luke Seunghoe Gu <gulukesh@gmail.com>
- Luke Zarko <lukezarko@gmail.com>
- Luoxi Pan <l.panpax@gmail.com>
- Lu Yahan <yahan@iscas.ac.cn>
-+Lyra Rebane <rebane2001@gmail.com>
- Ma Aiguo <imaiguo@gmail.com>
- Maarten Lankhorst <m.b.lankhorst@gmail.com>
- Maciej Pawlowski <m.pawlowski@eyeo.com>
-diff --git a/chromium/ui/base/resource/data_pack.cc b/chromium/ui/base/resource/data_pack.cc
-index 74069c99d00a..6dc0985b78dd 100644
---- src/3rdparty/chromium/ui/base/resource/data_pack.cc
-+++ src/3rdparty/chromium/ui/base/resource/data_pack.cc
-@@ -310,7 +310,16 @@ bool DataPack::SanityCheckFileAndRegisterResources(size_t margin_to_skip,
- }
- }
-
-- // 3) Verify the aliases are within the appropriate bounds.
-+ // 3) Verify the entries are ordered correctly.
-+ for (size_t i = 0; i < resource_count_; ++i) {
-+ if (resource_table_[i].file_offset > resource_table_[i + 1].file_offset) {
-+ LOG(ERROR) << "Data pack file corruption: "
-+ << "Entry #" << i + 1 << " before Entry #" << i << ".";
-+ return false;
-+ }
-+ }
-+
-+ // 4) Verify the aliases are within the appropriate bounds.
- for (size_t i = 0; i < alias_count_; ++i) {
- if (alias_table_[i].entry_index >= resource_count_) {
- LOG(ERROR) << "Data pack file corruption: "
-@@ -428,6 +437,14 @@ bool DataPack::GetStringPiece(uint16_t resource_id,
- << "file modified?";
- return false;
- }
-+ if (target->file_offset > next_entry->file_offset) {
-+ size_t entry_index = target - resource_table_;
-+ size_t next_index = next_entry - resource_table_;
-+ LOG(ERROR) << "Entry #" << next_index << " in data pack is before Entry #"
-+ << entry_index << ". This should have been caught when loading. "
-+ << "Was the file modified?";
-+ return false;
-+ }
-
- MaybePrintResourceId(resource_id);
- GetStringPieceFromOffset(target->file_offset, next_entry->file_offset,
-diff --git a/chromium/ui/base/resource/data_pack_literal.cc b/chromium/ui/base/resource/data_pack_literal.cc
-index caac0709b42b..4197ea03fd68 100644
---- src/3rdparty/chromium/ui/base/resource/data_pack_literal.cc
-+++ src/3rdparty/chromium/ui/base/resource/data_pack_literal.cc
-@@ -89,6 +89,18 @@ const uint8_t kSampleCorruptPakContents[] = {
-
- const size_t kSampleCorruptPakSize = sizeof(kSampleCorruptPakContents);
-
-+const uint8_t kSampleMisorderedPakContents[] = {
-+ 0x05, 0x00, 0x00, 0x00, // version
-+ 0x01, 0x00, 0x00, 0x00, // encoding + padding
-+ 0x02, 0x00, 0x00, 0x00, // num_resources, num_aliases
-+ 0x06, 0x00, 0x2a, 0x00, 0x00, 0x00, // index entry 6 (wrong order)
-+ 0x04, 0x00, 0x1e, 0x00, 0x00, 0x00, // index entry 4
-+ 0x00, 0x00, 0x36, 0x00, 0x00, 0x00, // extra entry for the size of last
-+ 't', 'h', 'i', 's', ' ', 'i', 's', ' ', 'i', 'd', ' ', '4',
-+ 't', 'h', 'i', 's', ' ', 'i', 's', ' ', 'i',
'd', ' ', '6'};
-+
-+const size_t kSampleMisorderedPakSize = sizeof(kSampleMisorderedPakContents);
-+
- const uint8_t kSamplePakContents2x[] = {
- 0x04, 0x00, 0x00, 0x00, // header(version
- 0x01, 0x00, 0x00, 0x00, // no. entries
-diff --git a/chromium/ui/base/resource/data_pack_literal.h b/chromium/ui/base/resource/data_pack_literal.h
-index eb5a94895f2d..9173ce149935 100644
---- src/3rdparty/chromium/ui/base/resource/data_pack_literal.h
-+++ src/3rdparty/chromium/ui/base/resource/data_pack_literal.h
-@@ -22,6 +22,8 @@ extern const uint8_t kEmptyPakContents[];
- extern const size_t kEmptyPakSize;
- extern const uint8_t kSampleCorruptPakContents[];
- extern const size_t kSampleCorruptPakSize;
-+extern const uint8_t kSampleMisorderedPakContents[];
-+extern const size_t kSampleMisorderedPakSize;
-
- } // namespace ui
-
-diff --git a/chromium/ui/base/resource/data_pack_unittest.cc b/chromium/ui/base/resource/data_pack_unittest.cc
-index 25b33b813ac4..0a4a169ca225 100644
---- src/3rdparty/chromium/ui/base/resource/data_pack_unittest.cc
-+++ src/3rdparty/chromium/ui/base/resource/data_pack_unittest.cc
-@@ -366,4 +366,11 @@ TEST(DataPackTest, ModifiedWhileUsed) {
- }
- #endif
-
-+TEST(DataPackTest, Misordered) {
-+ DataPack pack(k100Percent);
-+
-+ ASSERT_FALSE(pack.LoadFromBuffer(
-+ {kSampleMisorderedPakContents, kSampleMisorderedPakSize}));
-+}
-+
- } // namespace ui
-From 46069ff72f6e1d6fe75bd2c04350bcd74b308923 Mon Sep 17 00:00:00 2001
-From: Hongchan Choi <hongchan@chromium.org>
-Date: Fri, 12 Jan 2024 22:57:22 +0000
-Subject: [PATCH] [Backport] CVE-2024-0807: Use after free in WebAudio
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5225523:
-Update rendering state of automatic pull nodes before graph rendering
-
-M114 merge issues:
- third_party/blink/renderer/modules/webaudio/analyser_handler.cc:
- PullInputs/CheckNumberOfChannelsForInput not present in 114.
-
-In rare cases, the rendering fan out count of automatic pull node
-does not match the main thread fan out count after recreating
-a platform destination followed by disconnection.
-
-This CL forces the update of the rendering state of automatic
-pull nodes before graph rendering to make sure that fan out counts
-are synchronized before executing the audio processing function call.
-
-NOTE: This change makes 2 WPTs fail. The follow-up work is planned
-to address them once this patch is merged.
-
-Bug: 1505080
-Test: Locally confirmed that ASAN doesn't crash on all repro cases.
-Change-Id: I6768cd8bc64525ea9d56a19b9c58439e9cdab9a8
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5131958
-Commit-Queue: Hongchan Choi <hongchan@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1246718}
-(cherry picked from commit f4bffa09b46c21147431179e1e6dd2b27bc35fbc)
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535517
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../renderer/modules/webaudio/analyser_handler.cc | 14 ++++++++++++--
- .../modules/webaudio/audio_worklet_handler.cc | 7 +++++--
- .../modules/webaudio/audio_worklet_processor.cc | 6 ++++++
- .../modules/webaudio/deferred_task_handler.cc | 10 ++++++++++
- 4 files changed, 33 insertions(+), 4 deletions(-)
-
-diff --git a/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc
-index c823c923a1cc..87a1f109a28c 100644
---- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc
-+++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/analyser_handler.cc
-@@ -39,9 +39,14 @@ AnalyserHandler::~AnalyserHandler() {
- }
-
- void AnalyserHandler::Process(uint32_t frames_to_process) {
-- AudioBus* output_bus = Output(0).Bus();
-+ DCHECK(Context()->IsAudioThread());
-
-- if (!IsInitialized()) {
-+ // It's possible that output is
not connected. Assign nullptr to indicate
-+ // such case.
-+ AudioBus* output_bus =
-+ Output(0).RenderingFanOutCount() > 0 ? Output(0).Bus() : nullptr;
-+
-+ if (!IsInitialized() && output_bus) {
- output_bus->Zero();
- return;
- }
-@@ -53,6 +58,11 @@ void AnalyserHandler::Process(uint32_t frames_to_process) {
- // Analyser reflects the current input.
- analyser_.WriteInput(input_bus.get(), frames_to_process);
-
-+ // Subsequent steps require `output_bus` to be valid.
-+ if (!output_bus) {
-+ return;
-+ }
-+
- if (!Input(0).IsConnected()) {
- // No inputs, so clear the output, and propagate the silence hint.
- output_bus->Zero();
-diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc
-index 7f591531ad6f..b2b1500d3aab 100644
---- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc
-+++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_handler.cc
-@@ -114,12 +114,15 @@ void AudioWorkletHandler::Process(uint32_t frames_to_process) {
- // We also need to check if the global scope is valid before we request
- // the rendering in the AudioWorkletGlobalScope.
- if (processor_ && !processor_->hasErrorOccurred()) {
-- // If the input is not connected, inform the processor with nullptr.
-+ // If the input or the output is not connected, inform the processor with
-+ // nullptr.
- for (unsigned i = 0; i < NumberOfInputs(); ++i) {
- inputs_[i] = Input(i).IsConnected() ? Input(i).Bus() : nullptr;
- }
- for (unsigned i = 0; i < NumberOfOutputs(); ++i) {
-- outputs_[i] = WrapRefCounted(Output(i).Bus());
-+ outputs_[i] = Output(i).RenderingFanOutCount() > 0
-+ ?
WrapRefCounted(Output(i).Bus())
-+ : nullptr;
- }
-
- for (const auto& param_name : param_value_map_.Keys()) {
-diff --git a/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc b/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
-index 1f884cb12b43..c47e39effa40 100644
---- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
-+++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/audio_worklet_processor.cc
-@@ -367,6 +367,12 @@ void AudioWorkletProcessor::CopyArrayBuffersToPort(
-
- for (uint32_t bus_index = 0; bus_index < audio_port.size(); ++bus_index) {
- const scoped_refptr<AudioBus>& audio_bus = audio_port[bus_index];
-+
-+ // nullptr indicates the output bus is not connected. Do not proceed.
-+ if (!audio_bus) {
-+ break;
-+ }
-+
- for (uint32_t channel_index = 0;
- channel_index < audio_bus->NumberOfChannels(); ++channel_index) {
- auto backing_store = array_buffers[bus_index][channel_index]
-diff --git a/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc b/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
-index fa1de8f37b9b..4730383dafa9 100644
---- src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
-+++ src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/deferred_task_handler.cc
-@@ -172,6 +172,16 @@ void DeferredTaskHandler::UpdateAutomaticPullNodes() {
- base::AutoTryLock try_locker(automatic_pull_handlers_lock_);
- if (try_locker.is_acquired()) {
- rendering_automatic_pull_handlers_.assign(automatic_pull_handlers_);
-+
-+ // In rare cases, it is possible for automatic pull nodes' output bus
-+ // to become stale. Make sure update their rendering output counts.
-+ // crbug.com/1505080.
-+ for (auto& handler : rendering_automatic_pull_handlers_) {
-+ for (unsigned i = 0; i < handler->NumberOfOutputs(); ++i) {
-+ handler->Output(i).UpdateRenderingState();
-+ }
-+ }
-+
- automatic_pull_handlers_need_updating_ = false;
- }
- }
-From 0801943eea5309d1912bac96ed15af49b9f4e532 Mon Sep 17 00:00:00 2001
-From: Cheng Chen <chengchen@google.com>
-Date: Thu, 7 Dec 2023 12:17:23 -0800
-Subject: [PATCH] [Backport] Security bug 1511389 (1/2)
-
-Manual partial cherry-pick of patch originally reviewed on
-https://aomedia-review.googlesource.com/c/aom/+/184763:
-Do not use adaptive error estimate
-
-When the reference frame size is different than the current,
-we will not use adaptive error estimate.
-
-STATS_CHANGED
-
-Bug: b:314858909
-Change-Id: Ic64d9b4a1d94889d7283c044b17ffc24627478d7
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535518
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../libaom/source/libaom/av1/encoder/ratectrl.c | 10 ++++++++--
- 1 file changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
-index 4ea1c9a3e33..c7b503d80a2 100644
---- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
-+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ratectrl.c
-@@ -187,8 +187,7 @@ int av1_rc_bits_per_mb(const AV1_COMP *cpi, FRAME_TYPE frame_type, int qindex,
- assert(correction_factor <= MAX_BPB_FACTOR &&
- correction_factor >= MIN_BPB_FACTOR);
-
-- if (frame_type != KEY_FRAME && accurate_estimate) {
-- assert(cpi->rec_sse != UINT64_MAX);
-+ if (frame_type != KEY_FRAME && accurate_estimate && cpi->rec_sse != UINT64_MAX) {
- const int mbs = cm->mi_params.MBs;
- const double sse_sqrt =
- (double)((int)sqrt((double)(cpi->rec_sse)) << BPER_MB_NORMBITS) /
-@@ -2021,6 +2020,13 @@ static void rc_compute_variance_onepass_rt(AV1_COMP *cpi) {
- //
TODO(yunqing): support scaled reference frames.
- if (cpi->scaled_ref_buf[LAST_FRAME - 1]) return;
-
-+ for (int i = 0; i < 2; ++i) {
-+ if (unscaled_src->widths[i] != yv12->widths[i] ||
-+ unscaled_src->heights[i] != yv12->heights[i]) {
-+ return;
-+ }
-+ }
-+
- const int num_mi_cols = cm->mi_params.mi_cols;
- const int num_mi_rows = cm->mi_params.mi_rows;
- const BLOCK_SIZE bsize = BLOCK_64X64;
-From 1a76ec5bc55594a7feada7c510949450d489996b Mon Sep 17 00:00:00 2001
-From: Remya Prakasan <remya.prakasan@ittiam.com>
-Date: Mon, 8 May 2023 15:03:27 +0530
-Subject: [PATCH] [Backport] Dependency for security bug 1511389 (1/1)
-
-Manual cherry-pick of patch originally reviewed on
-https://aomedia-review.googlesource.com/c/aom/+/175041:
-Add support for dynamic allocation of thread data
-
-Added support for reallocation of thread data when the
-workers for multi-threading in encode stage changes with
-frame resizing. Also modified TestExternalResizeWorks
-of ResizeRealtimeTest to test this scenario.
-
-BUG=aomedia:3429
-
-Change-Id: Ieee94b229274e942203c9fc7dffd59a9a3fb5c26
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535519
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../libaom/source/libaom/av1/av1_cx_iface.c | 14 ++++++++
- .../source/libaom/av1/encoder/encoder.c | 34 -------------------
- .../source/libaom/av1/encoder/encoder.h | 5 +++
- .../source/libaom/av1/encoder/encoder_alloc.h | 34 +++++++++++++++++++
- .../source/libaom/av1/encoder/ethread.c | 5 +++
- 5 files changed, 58 insertions(+), 34 deletions(-)
-
-diff --git a/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c b/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
-index 3e764dd6ca6..1d114779c83 100644
---- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
-+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
-@@ -25,6 +25,7 @@
- #include "av1/av1_iface_common.h"
- #include "av1/encoder/bitstream.h"
- #include "av1/encoder/encoder.h"
-+#include "av1/encoder/encoder_alloc.h"
- #include "av1/encoder/encoder_utils.h"
- #include "av1/encoder/ethread.h"
- #include "av1/encoder/external_partition.h"
-@@ -3095,6 +3096,19 @@ static aom_codec_err_t encoder_encode(aom_codec_alg_priv_t *ctx,
- }
- #endif // CONFIG_MULTITHREAD
- }
-+
-+ // Re-allocate thread data if workers for encoder multi-threading stage
-+ // exceeds prev_num_enc_workers.
-+ const int num_enc_workers =
-+ av1_get_num_mod_workers_for_alloc(&ppi->p_mt_info, MOD_ENC);
-+ if (ppi->p_mt_info.prev_num_enc_workers < num_enc_workers &&
-+ num_enc_workers <= ppi->p_mt_info.num_workers) {
-+ free_thread_data(ppi);
-+ for (int j = 0; j < ppi->num_fp_contexts; j++)
-+ aom_free(ppi->parallel_cpi[j]->td.tctx);
-+ av1_init_tile_thread_data(ppi, cpi->oxcf.pass == AOM_RC_FIRST_PASS);
-+ }
-+
- for (int i = 0; i < ppi->num_fp_contexts; i++) {
- av1_init_frame_mt(ppi, ppi->parallel_cpi[i]);
- }
-diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
-index 72cb92bbb22..c2bf5b9b344 100644
---- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
-+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
-@@ -1569,40 +1569,6 @@ static AOM_INLINE void terminate_worker_data(AV1_PRIMARY *ppi) {
- }
- }
-
--// Deallocate allocated thread_data.
--static AOM_INLINE void free_thread_data(AV1_PRIMARY *ppi) {
-- PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
-- for (int t = 1; t < p_mt_info->num_workers; ++t) {
-- EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[t];
-- thread_data->td = thread_data->original_td;
-- aom_free(thread_data->td->tctx);
-- aom_free(thread_data->td->palette_buffer);
-- aom_free(thread_data->td->tmp_conv_dst);
-- release_compound_type_rd_buffers(&thread_data->td->comp_rd_buffer);
-- for (int j = 0; j < 2; ++j) {
-- aom_free(thread_data->td->tmp_pred_bufs[j]);
-- }
-- aom_free(thread_data->td->pixel_gradient_info);
-- aom_free(thread_data->td->src_var_info_of_4x4_sub_blocks);
-- release_obmc_buffers(&thread_data->td->obmc_buffer);
-- aom_free(thread_data->td->vt64x64);
--
-- for (int x = 0; x < 2; x++) {
-- for (int y = 0; y < 2; y++) {
-- aom_free(thread_data->td->hash_value_buffer[x][y]);
-- thread_data->td->hash_value_buffer[x][y] = NULL;
-- }
-- }
--
aom_free(thread_data->td->counts);
-- av1_free_pmc(thread_data->td->firstpass_ctx,
-- ppi->seq_params.monochrome ? 1 : MAX_MB_PLANE);
-- thread_data->td->firstpass_ctx = NULL;
-- av1_free_shared_coeff_buffer(&thread_data->td->shared_coeff_buf);
-- av1_free_sms_tree(thread_data->td);
-- aom_free(thread_data->td);
-- }
--}
--
- void av1_remove_primary_compressor(AV1_PRIMARY *ppi) {
- if (!ppi) return;
- #if !CONFIG_REALTIME_ONLY
-diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h
-index a95ea2505d7..153b3665f23 100644
---- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h
-+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.h
-@@ -1631,6 +1631,11 @@ typedef struct PrimaryMultiThreadInfo {
- * Number of primary workers created for multi-threading.
- */
- int p_num_workers;
-+
-+ /*!
-+ * Tracks the number of workers in encode stage multi-threading.
-+ */
-+ int prev_num_enc_workers;
- } PrimaryMultiThreadInfo;
-
- /*!
-diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h
-index a4aef85aedb..27b5546371a 100644
---- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h
-+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder_alloc.h
-@@ -398,6 +398,40 @@ static AOM_INLINE YV12_BUFFER_CONFIG *realloc_and_scale_source(
- return &cpi->scaled_source;
- }
-
-+// Deallocate allocated thread_data.
-+static AOM_INLINE void free_thread_data(AV1_PRIMARY *ppi) {
-+ PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
-+ for (int t = 1; t < p_mt_info->num_workers; ++t) {
-+ EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[t];
-+ thread_data->td = thread_data->original_td;
-+ aom_free(thread_data->td->tctx);
-+ aom_free(thread_data->td->palette_buffer);
-+ aom_free(thread_data->td->tmp_conv_dst);
-+ release_compound_type_rd_buffers(&thread_data->td->comp_rd_buffer);
-+ for (int j = 0; j < 2; ++j) {
-+ aom_free(thread_data->td->tmp_pred_bufs[j]);
-+ }
-+ aom_free(thread_data->td->pixel_gradient_info);
-+ aom_free(thread_data->td->src_var_info_of_4x4_sub_blocks);
-+ release_obmc_buffers(&thread_data->td->obmc_buffer);
-+ aom_free(thread_data->td->vt64x64);
-+
-+ for (int x = 0; x < 2; x++) {
-+ for (int y = 0; y < 2; y++) {
-+ aom_free(thread_data->td->hash_value_buffer[x][y]);
-+ thread_data->td->hash_value_buffer[x][y] = NULL;
-+ }
-+ }
-+ aom_free(thread_data->td->counts);
-+ av1_free_pmc(thread_data->td->firstpass_ctx,
-+ ppi->seq_params.monochrome ?
1 : MAX_MB_PLANE);
-+ thread_data->td->firstpass_ctx = NULL;
-+ av1_free_shared_coeff_buffer(&thread_data->td->shared_coeff_buf);
-+ av1_free_sms_tree(thread_data->td);
-+ aom_free(thread_data->td);
-+ }
-+}
-+
- #ifdef __cplusplus
- } // extern "C"
- #endif
-diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
-index 1c8631ae1fd..8c62b2107c3 100644
---- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
-+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
-@@ -777,6 +777,7 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) {
-
- int num_workers = p_mt_info->num_workers;
- int num_enc_workers = av1_get_num_mod_workers_for_alloc(p_mt_info, MOD_ENC);
-+ assert(num_enc_workers <= num_workers);
- for (int i = num_workers - 1; i >= 0; i--) {
- EncWorkerData *const thread_data = &p_mt_info->tile_thr_data[i];
-
-@@ -886,6 +887,10 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) {
- }
- }
- }
-+
-+ // Record the number of workers in encode stage multi-threading for which
-+ // allocation is done.
-+ p_mt_info->prev_num_enc_workers = num_enc_workers;
- }
-
- void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) {
-From 9e80e8bff6bd41a61b589ecb6b006c1711e83431 Mon Sep 17 00:00:00 2001
-From: Cheng Chen <chengchen@google.com>
-Date: Tue, 5 Dec 2023 16:34:43 -0800
-Subject: [PATCH] [Backport] Security bug 1511389 (2/2)
-
-Manual cherry-pick of patch originally reviewed on
-https://aomedia-review.googlesource.com/c/aom/+/184761:
-Recreate workers if necessary
-
-As shown in the unit test, if the number of workers increases,
-we need to propoerly recreate new workers.
-
-Bug: b:310455204
-
-Change-Id: I0fafb11c10ffba209a4c49f4a531cfbf09c9c2b4
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535520
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../libaom/source/libaom/av1/av1_cx_iface.c | 15 ++++++++++++++-
- .../libaom/source/libaom/av1/encoder/encoder.c | 16 ++++------------
- .../libaom/source/libaom/av1/encoder/ethread.c | 12 ++++++++++++
- .../libaom/source/libaom/av1/encoder/ethread.h | 2 ++
- 4 files changed, 32 insertions(+), 13 deletions(-)
-
-diff --git a/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c b/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
-index 1d114779c83..618021a768d 100644
---- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
-+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/av1_cx_iface.c
-@@ -3078,12 +3078,25 @@ static aom_codec_err_t encoder_encode(aom_codec_alg_priv_t *ctx,
- av1_compute_num_workers_for_mt(cpi);
- num_workers = av1_get_max_num_workers(cpi);
- }
-- if ((num_workers > 1) && (ppi->p_mt_info.num_workers == 0)) {
-+ if (num_workers > 1 && ppi->p_mt_info.num_workers < num_workers) {
- // Obtain the maximum no. of frames that can be supported in a parallel
- // encode set.
- if (is_stat_consumption_stage(cpi)) {
- ppi->num_fp_contexts = av1_compute_num_fp_contexts(ppi, &cpi->oxcf);
- }
-+ if (ppi->p_mt_info.num_workers > 0) {
-+ av1_terminate_workers(ppi);
-+ free_thread_data(ppi);
-+ aom_free(ppi->p_mt_info.tile_thr_data);
-+ ppi->p_mt_info.tile_thr_data = NULL;
-+ aom_free(ppi->p_mt_info.workers);
-+ ppi->p_mt_info.workers = NULL;
-+ ppi->p_mt_info.num_workers = 0;
-+ for (int j = 0; j < ppi->num_fp_contexts; j++) {
-+ aom_free(ppi->parallel_cpi[j]->td.tctx);
-+ ppi->parallel_cpi[j]->td.tctx = NULL;
-+ }
-+ }
- av1_create_workers(ppi, num_workers);
- av1_init_tile_thread_data(ppi, cpi->oxcf.pass == AOM_RC_FIRST_PASS);
- #if CONFIG_MULTITHREAD
-diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c b/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
-index c2bf5b9b344..5825ee00f76 100644
---- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
-+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/encoder.c
-@@ -1558,17 +1558,6 @@ AV1_COMP *av1_create_compressor(AV1_PRIMARY *ppi, const AV1EncoderConfig *oxcf,
- snprintf((H) + strlen(H), sizeof(H) - strlen(H), (T), (V))
- #endif // CONFIG_INTERNAL_STATS
-
--// This function will change the state and free the mutex of corresponding
--// workers and terminate the object. The object can not be re-used unless a call
--// to reset() is made.
--static AOM_INLINE void terminate_worker_data(AV1_PRIMARY *ppi) {
-- PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
-- for (int t = p_mt_info->num_workers - 1; t >= 0; --t) {
-- AVxWorker *const worker = &p_mt_info->workers[t];
-- aom_get_worker_interface()->end(worker);
-- }
--}
--
- void av1_remove_primary_compressor(AV1_PRIMARY *ppi) {
- if (!ppi) return;
- #if !CONFIG_REALTIME_ONLY
-@@ -1596,11 +1585,14 @@ void av1_remove_primary_compressor(AV1_PRIMARY *ppi) {
- av1_tpl_dealloc(&tpl_data->tpl_mt_sync);
- #endif
-
-- terminate_worker_data(ppi);
-+ av1_terminate_workers(ppi);
- free_thread_data(ppi);
-
- aom_free(ppi->p_mt_info.tile_thr_data);
-+ ppi->p_mt_info.tile_thr_data = NULL;
- aom_free(ppi->p_mt_info.workers);
-+ ppi->p_mt_info.workers = NULL;
-+ ppi->p_mt_info.num_workers = 0;
-
- aom_free(ppi);
- }
-diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
-index 8c62b2107c3..d59c4f1d57e 100644
---- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
-+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.c
-@@ -896,6 +896,7 @@ void av1_init_tile_thread_data(AV1_PRIMARY *ppi, int is_first_pass) {
- void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) {
- PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
- const AVxWorkerInterface *const winterface = aom_get_worker_interface();
-+ assert(p_mt_info->num_workers == 0);
-
- AOM_CHECK_MEM_ERROR(&ppi->error, p_mt_info->workers,
- aom_malloc(num_workers * sizeof(*p_mt_info->workers)));
-@@ -927,6 +928,17 @@ void av1_create_workers(AV1_PRIMARY *ppi, int num_workers) {
- }
- }
-
-+// This function will change the state and free the mutex of corresponding
-+// workers and terminate the object. The object can not be re-used unless a call
-+// to reset() is made.
-+void av1_terminate_workers(AV1_PRIMARY *ppi) {
-+ PrimaryMultiThreadInfo *const p_mt_info = &ppi->p_mt_info;
-+ for (int t = 0; t < p_mt_info->num_workers; ++t) {
-+ AVxWorker *const worker = &p_mt_info->workers[t];
-+ aom_get_worker_interface()->end(worker);
-+ }
-+}
-+
- // This function returns 1 if frame parallel encode is supported for
- // the current configuration. Returns 0 otherwise.
- static AOM_INLINE int is_fpmt_config(AV1_PRIMARY *ppi, AV1EncoderConfig *oxcf) {
-diff --git a/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h b/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h
-index 6c4bce4db57..942ed64510b 100644
---- src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h
-+++ src/3rdparty/chromium/third_party/libaom/source/libaom/av1/encoder/ethread.h
-@@ -87,6 +87,8 @@ int av1_get_max_num_workers(const AV1_COMP *cpi);
-
- void av1_create_workers(AV1_PRIMARY *ppi, int num_workers);
-
-+void av1_terminate_workers(AV1_PRIMARY *ppi);
-+
- void av1_init_frame_mt(AV1_PRIMARY *ppi, AV1_COMP *cpi);
-
- void av1_init_cdef_worker(AV1_COMP *cpi);
-From da29c7f0b3e2044a7e597498a6fb62a306661f03 Mon Sep 17 00:00:00 2001
-From: Andrey Kosyakov <caseq@chromium.org>
-Date: Fri, 17 Nov 2023 17:48:22 +0000
-Subject: [PATCH] [Backport] CVE-2024-0810: Insufficient policy enforcement in
- DevTools
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5039174:
-Do not let chrome.debugger extensions invoke Network.getAllCookies
-
-Network.getAllCookies is deprecated in favor of Storage.getCookies
-and the latter is not allowed for extensions, so we shouldn't let
-extensions use the former either.
-
-Bug: 1496250
-Change-Id: I3e97e9249dbba61d1f7951ed22ef9b1bef9f2355
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5039174
-Reviewed-by: Danil Somsikov <dsv@chromium.org>
-Commit-Queue: Andrey Kosyakov <caseq@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1226203}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535521
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../browser/devtools/protocol/network_handler.cc | 14 ++++++++++----
- .../browser/devtools/protocol/network_handler.h | 6 ++++--
- .../devtools/render_frame_devtools_agent_host.cc | 3 ++-
- .../devtools/service_worker_devtools_agent_host.cc | 3 ++-
- .../devtools/shared_worker_devtools_agent_host.cc | 3 ++-
- .../browser/devtools/worker_devtools_agent_host.cc | 3 ++-
- 6 files changed, 22 insertions(+), 10 deletions(-)
-
-diff --git a/chromium/content/browser/devtools/protocol/network_handler.cc b/chromium/content/browser/devtools/protocol/network_handler.cc
-index cfab47157112..7de14e0e4b95 100644
---- src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.cc
-+++ src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.cc
-@@ -109,7 +109,8 @@ using DeleteCookiesCallback = Network::Backend::DeleteCookiesCallback;
- using ClearBrowserCookiesCallback =
- Network::Backend::ClearBrowserCookiesCallback;
-
--const char kInvalidCookieFields[] = "Invalid cookie fields";
-+static constexpr char kInvalidCookieFields[] = "Invalid cookie fields";
-+static constexpr char kNotAllowedError[] = "Not allowed";
-
- Network::CertificateTransparencyCompliance SerializeCTPolicyCompliance(
- net::ct::CTPolicyCompliance ct_compliance) {
-@@ -1027,11 +1028,14 @@ NetworkHandler::NetworkHandler(
- const base::UnguessableToken& devtools_token,
- DevToolsIOContext* io_context,
- base::RepeatingClosure update_loader_factories_callback,
-- bool allow_file_access)
-+ bool allow_file_access,
-+ bool client_is_trusted)
- :
DevToolsDomainHandler(Network::Metainfo::domainName),
- host_id_(host_id),
- devtools_token_(devtools_token),
- io_context_(io_context),
-+ allow_file_access_(allow_file_access),
-+ client_is_trusted_(client_is_trusted),
- browser_context_(nullptr),
- storage_partition_(nullptr),
- host_(nullptr),
-@@ -1042,8 +1046,7 @@ NetworkHandler::NetworkHandler(
- bypass_service_worker_(false),
- cache_disabled_(false),
- update_loader_factories_callback_(
-- std::move(update_loader_factories_callback)),
-- allow_file_access_(allow_file_access) {
-+ std::move(update_loader_factories_callback)) {
- DCHECK(io_context_);
- static bool have_configured_service_worker_context = false;
- if (have_configured_service_worker_context)
-@@ -1505,6 +1508,9 @@ void NetworkHandler::GetCookies(Maybe<Array<String>> protocol_urls,
-
- void NetworkHandler::GetAllCookies(
- std::unique_ptr<GetAllCookiesCallback> callback) {
-+ if (!client_is_trusted_) {
-+ callback->sendFailure(Response::ServerError(kNotAllowedError));
-+ }
- if (!storage_partition_) {
- callback->sendFailure(Response::InternalError());
- return;
-diff --git a/chromium/content/browser/devtools/protocol/network_handler.h b/chromium/content/browser/devtools/protocol/network_handler.h
-index 6cbb0098e892..81636185d04f 100644
---- src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.h
-+++ src/3rdparty/chromium/content/browser/devtools/protocol/network_handler.h
-@@ -72,7 +72,8 @@ class NetworkHandler : public DevToolsDomainHandler,
- const base::UnguessableToken& devtools_token,
- DevToolsIOContext* io_context,
- base::RepeatingClosure update_loader_factories_callback,
-- bool allow_file_access);
-+ bool allow_file_access,
-+ bool client_is_trusted);
-
- NetworkHandler(const NetworkHandler&) = delete;
- NetworkHandler& operator=(const NetworkHandler&) = delete;
-@@ -337,6 +338,8 @@ class NetworkHandler : public DevToolsDomainHandler,
-
- const base::UnguessableToken devtools_token_;
- DevToolsIOContext* const
io_context_;
-+ const bool allow_file_access_;
-+ const bool client_is_trusted_;
-
- std::unique_ptr<Network::Frontend> frontend_;
- BrowserContext* browser_context_;
-@@ -358,7 +361,6 @@ class NetworkHandler : public DevToolsDomainHandler,
- loaders_;
- absl::optional<std::set<net::SourceStream::SourceType>>
- accepted_stream_types_;
-- const bool allow_file_access_;
- std::unordered_map<String, std::pair<String, bool>> received_body_data_;
- base::WeakPtrFactory<NetworkHandler> weak_factory_{this};
- };
-diff --git a/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc b/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
-index fe726068dee4..425eded3f56b 100644
---- src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
-+++ src/3rdparty/chromium/content/browser/devtools/render_frame_devtools_agent_host.cc
-@@ -336,7 +336,8 @@ bool RenderFrameDevToolsAgentHost::AttachSession(DevToolsSession* session,
- base::BindRepeating(
- &RenderFrameDevToolsAgentHost::UpdateResourceLoaderFactories,
- base::Unretained(this)),
-- session->GetClient()->MayReadLocalFiles());
-+ session->GetClient()->MayReadLocalFiles(),
-+ session->GetClient()->IsTrusted());
- session->CreateAndAddHandler<protocol::FetchHandler>(
- GetIOContext(), base::BindRepeating(
- [](RenderFrameDevToolsAgentHost* self,
-diff --git a/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc b/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc
-index d2b307373ea1..7278a116ec78 100644
---- src/3rdparty/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc
-+++ src/3rdparty/chromium/content/browser/devtools/service_worker_devtools_agent_host.cc
-@@ -230,7 +230,8 @@ bool ServiceWorkerDevToolsAgentHost::AttachSession(DevToolsSession* session,
- session->CreateAndAddHandler<protocol::InspectorHandler>();
- session->CreateAndAddHandler<protocol::NetworkHandler>(
- GetId(), devtools_worker_token_,
GetIOContext(), base::DoNothing(),
-- session->GetClient()->MayReadLocalFiles());
-+ session->GetClient()->MayReadLocalFiles(),
-+ session->GetClient()->IsTrusted());
-
- session->CreateAndAddHandler<protocol::FetchHandler>(
- GetIOContext(),
-diff --git a/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc b/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc
-index 6cfb49a9cb63..da9c8a3d18a4 100644
---- src/3rdparty/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc
-+++ src/3rdparty/chromium/content/browser/devtools/shared_worker_devtools_agent_host.cc
-@@ -91,7 +91,8 @@ bool SharedWorkerDevToolsAgentHost::AttachSession(DevToolsSession* session,
- session->CreateAndAddHandler<protocol::InspectorHandler>();
- session->CreateAndAddHandler<protocol::NetworkHandler>(
- GetId(), devtools_worker_token_, GetIOContext(),
-- base::BindRepeating([] {}), session->GetClient()->MayReadLocalFiles());
-+ base::BindRepeating([] {}), session->GetClient()->MayReadLocalFiles(),
-+ session->GetClient()->IsTrusted());
- // TODO(crbug.com/1143100): support pushing updated loader factories down to
- // renderer.
- session->CreateAndAddHandler<protocol::FetchHandler>(
-diff --git a/chromium/content/browser/devtools/worker_devtools_agent_host.cc b/chromium/content/browser/devtools/worker_devtools_agent_host.cc
-index 5bca24a4bb16..dbce6e066adb 100644
---- src/3rdparty/chromium/content/browser/devtools/worker_devtools_agent_host.cc
-+++ src/3rdparty/chromium/content/browser/devtools/worker_devtools_agent_host.cc
-@@ -137,7 +137,8 @@ bool WorkerDevToolsAgentHost::AttachSession(DevToolsSession* session,
- auto_attacher_.get(), session);
- session->CreateAndAddHandler<protocol::NetworkHandler>(
- GetId(), devtools_worker_token_, GetIOContext(), base::DoNothing(),
-- session->GetClient()->MayReadLocalFiles());
-+ session->GetClient()->MayReadLocalFiles(),
-+ session->GetClient()->IsTrusted());
- return true;
- }
-
-From 9b72e2301892ea6619fb6e64f67812238ad56830 Mon Sep 17 00:00:00 2001
-From: Bo Liu <boliu@chromium.org>
-Date: Mon, 18 Sep 2023 21:17:14 +0000
-Subject: [PATCH] [Backport] Security bug 1407197 (1/2)
-
-Partial manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/4869854:
-Tag WebContents ownership for debugging
-
-Tag WebContents owner and add it as a CrashKey for the
-DumpWithoutCrashing in ~WebContentsOfBrowserContext.
-
-The actual tags in this CL is more focused on android and is not
-exhaustive. Can keep adding new ones in the future as needed.
-
-Bug: 1407197
-Change-Id: I6c0261ae5967fdb01ff2a5f3d0d6fe07f572bd20
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4869854
-Reviewed-by: Ted Choc <tedchoc@chromium.org>
-Commit-Queue: Bo Liu <boliu@chromium.org>
-Reviewed-by: Avi Drissman <avi@chromium.org>
-Reviewed-by: Finnur Thorarinsson <finnur@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1198010}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535707
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../browser/distiller_page_web_contents.cc | 6 +++-
- .../guest_view/browser/guest_view_base.cc | 6 ++++
- .../browser/no_state_prefetch_contents.cc | 1 +
- .../browser/no_state_prefetch_manager.cc | 5 +++
- .../background_loader_contents.cc | 1 +
- chromium/content/browser/portal/portal.cc | 3 ++
- chromium/content/browser/portal/portal.h | 3 ++
- .../browser/web_contents/web_contents_impl.cc | 31 +++++++++++++++++--
- .../browser/web_contents/web_contents_impl.h | 8 +++++
- .../content/public/browser/web_contents.h | 6 ++++
- chromium/extensions/browser/extension_host.cc | 3 +-
- 11 files changed, 69 insertions(+), 4 deletions(-)
-
-diff --git a/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc b/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc
-index e4025f7bc94c..78abc76a6bf2 100644
---- src/3rdparty/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc
-+++ src/3rdparty/chromium/components/dom_distiller/content/browser/distiller_page_web_contents.cc
-@@ -30,7 +30,11 @@ namespace dom_distiller {
- SourcePageHandleWebContents::SourcePageHandleWebContents(
- content::WebContents* web_contents,
- bool owned)
-- : web_contents_(web_contents), owned_(owned) {}
-+ : web_contents_(web_contents), owned_(owned) {
-+ if (web_contents_ && owned) {
-+ web_contents_->SetOwnerLocationForDebug(FROM_HERE);
-+ }
-+}
-
-
SourcePageHandleWebContents::~SourcePageHandleWebContents() {
- if (owned_) {
-diff --git a/chromium/components/guest_view/browser/guest_view_base.cc b/chromium/components/guest_view/browser/guest_view_base.cc
-index d2ea8b7ce3fd..06ba6ab1c7fc 100644
---- src/3rdparty/chromium/components/guest_view/browser/guest_view_base.cc
-+++ src/3rdparty/chromium/components/guest_view/browser/guest_view_base.cc
-@@ -480,6 +480,9 @@ void GuestViewBase::WillAttach(
- std::unique_ptr<WebContents> owned_guest_contents =
- std::move(owned_guest_contents_);
- DCHECK_EQ(owned_guest_contents.get(), web_contents());
-+ if (owned_guest_contents) {
-+ owned_guest_contents->SetOwnerLocationForDebug(absl::nullopt);
-+ }
-
- // Since this inner WebContents is created from the browser side we do
- // not have RemoteFrame mojo channels so we pass in
-@@ -774,6 +777,9 @@ void GuestViewBase::TakeGuestContentsOwnership(
- std::unique_ptr<WebContents> guest_web_contents) {
- DCHECK(!owned_guest_contents_);
- owned_guest_contents_ = std::move(guest_web_contents);
-+ if (owned_guest_contents_) {
-+ owned_guest_contents_->SetOwnerLocationForDebug(FROM_HERE);
-+ }
- }
-
- void GuestViewBase::ClearOwnedGuestContents() {
-diff --git a/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc b/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc
-index f2f8dc5ff921..35fac905dc1f 100644
---- src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc
-+++ src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_contents.cc
-@@ -271,6 +271,7 @@ void NoStatePrefetchContents::StartPrerendering(
- attempt_.get(), content::PreloadingTriggeringOutcome::kRunning);
-
- no_state_prefetch_contents_ = CreateWebContents(session_storage_namespace);
-+ no_state_prefetch_contents_->SetOwnerLocationForDebug(FROM_HERE);
- content::WebContentsObserver::Observe(no_state_prefetch_contents_.get());
-
delegate_->OnNoStatePrefetchContentsCreated(
- no_state_prefetch_contents_.get());
-diff --git a/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc b/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc
-index 3403fa8d1342..7397d1aa5de5 100644
---- src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc
-+++ src/3rdparty/chromium/components/no_state_prefetch/browser/no_state_prefetch_manager.cc
-@@ -118,6 +118,7 @@ class NoStatePrefetchManager::OnCloseWebContentsDeleter
- OnCloseWebContentsDeleter(NoStatePrefetchManager* manager,
- std::unique_ptr<WebContents> tab)
- : manager_(manager), tab_(std::move(tab)) {
-+ tab_->SetOwnerLocationForDebug(FROM_HERE);
- tab_->SetDelegate(this);
- base::SingleThreadTaskRunner::GetCurrentDefault()->PostDelayedTask(
- FROM_HERE,
-@@ -140,6 +141,7 @@ class NoStatePrefetchManager::OnCloseWebContentsDeleter
- void ScheduleWebContentsForDeletion(bool timeout) {
- UMA_HISTOGRAM_BOOLEAN("Prerender.TabContentsDeleterTimeout", timeout);
- tab_->SetDelegate(nullptr);
-+ tab_->SetOwnerLocationForDebug(absl::nullopt);
- manager_->ScheduleDeleteOldWebContents(std::move(tab_), this);
- // |this| is deleted at this point.
- }
-@@ -981,6 +983,9 @@ void NoStatePrefetchManager::CleanUpOldNavigations(
- void NoStatePrefetchManager::ScheduleDeleteOldWebContents(
- std::unique_ptr<WebContents> tab,
- OnCloseWebContentsDeleter* deleter) {
-+ if (tab) {
-+ tab->SetOwnerLocationForDebug(FROM_HERE);
-+ }
- old_web_contents_list_.push_back(std::move(tab));
- PostCleanupTask();
-
-diff --git a/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc b/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc
-index e055852342ae..524b71f68bc0 100644
---- src/3rdparty/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc
-+++ src/3rdparty/chromium/components/offline_pages/content/background_loader/background_loader_contents.cc
-@@ -23,6 +23,7 @@ BackgroundLoaderContents::BackgroundLoaderContents(
- // could kill the background offliner while it was running.
- web_contents_ = content::WebContents::Create(
- content::WebContents::CreateParams(browser_context_));
-+ web_contents_->SetOwnerLocationForDebug(FROM_HERE);
- web_contents_->SetAudioMuted(true);
- web_contents_->SetDelegate(this);
- }
-diff --git a/chromium/content/browser/portal/portal.cc b/chromium/content/browser/portal/portal.cc
-index f9b06fbab8df..b0c8b201db29 100644
---- src/3rdparty/chromium/content/browser/portal/portal.cc
-+++ src/3rdparty/chromium/content/browser/portal/portal.cc
-@@ -731,6 +731,9 @@ void Portal::WebContentsHolder::SetOwned(
- std::unique_ptr<WebContents> web_contents) {
- SetUnowned(static_cast<WebContentsImpl*>(web_contents.get()));
- owned_contents_ = std::move(web_contents);
-+ if (owned_contents_) {
-+ owned_contents_->SetOwnerLocationForDebug(FROM_HERE);
-+ }
- }
-
- void Portal::WebContentsHolder::Clear() {
-diff --git a/chromium/content/browser/portal/portal.h b/chromium/content/browser/portal/portal.h
-index 055d8e4f0cf5..aecf381ed594 100644
---- src/3rdparty/chromium/content/browser/portal/portal.h
-+++
src/3rdparty/chromium/content/browser/portal/portal.h
-@@ -177,6 +177,9 @@ class CONTENT_EXPORT Portal : public blink::mojom::Portal,
- // caller.
- std::unique_ptr<WebContents> ReleaseOwnership() {
- DCHECK(OwnsContents());
-+ if (owned_contents_) {
-+ owned_contents_->SetOwnerLocationForDebug(absl::nullopt);
-+ }
- return std::move(owned_contents_);
- }
-
-diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc
-index 8b3f7055430c..d8b3ad83bbb6 100644
---- src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc
-+++ src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc
-@@ -795,6 +795,9 @@ void WebContentsImpl::WebContentsTreeNode::AttachInnerWebContents(
- inner_web_contents_node.outer_contents_frame_tree_node_id_ =
- render_frame_host->frame_tree_node()->frame_tree_node_id();
-
-+ if (inner_web_contents) {
-+ inner_web_contents->SetOwnerLocationForDebug(FROM_HERE);
-+ }
- inner_web_contents_.push_back(std::move(inner_web_contents));
-
- render_frame_host->frame_tree_node()->AddObserver(&inner_web_contents_node);
-@@ -814,6 +817,9 @@ WebContentsImpl::WebContentsTreeNode::DetachInnerWebContents(
- std::swap(web_contents, inner_web_contents_.back());
- inner_web_contents_.pop_back();
- current_web_contents_->InnerWebContentsDetached(inner_web_contents);
-+ if (detached_contents) {
-+ detached_contents->SetOwnerLocationForDebug(absl::nullopt);
-+ }
- return detached_contents;
- }
- }
-@@ -922,13 +928,29 @@ class WebContentsOfBrowserContext : public base::SupportsUserData::Data {
- // RenderFrameHosts, SiteInstances, etc.) risk causing
- // use-after-free bugs. For more discussion about managing the
- // lifetime of WebContents please see https://crbug.com/1376879#c44.
-- for (WebContents* web_contents_with_dangling_ptr_to_browser_context :
-+ for (WebContentsImpl* web_contents_with_dangling_ptr_to_browser_context :
- web_contents_set_) {
- std::string creator = web_contents_with_dangling_ptr_to_browser_context
- ->GetCreatorLocation()
- .ToString();
- SCOPED_CRASH_KEY_STRING256("shutdown", "web_contents/creator", creator);
-
-+ const absl::optional<base::Location>& ownership_location =
-+ web_contents_with_dangling_ptr_to_browser_context
-+ ->ownership_location();
-+ std::string owner;
-+ if (ownership_location) {
-+ if (ownership_location->has_source_info()) {
-+ owner = std::string(ownership_location->function_name()) + "@" +
-+ ownership_location->file_name();
-+ } else {
-+ owner = "no_source_info";
-+ }
-+ } else {
-+ owner = "unknown";
-+ }
-+ SCOPED_CRASH_KEY_STRING256("shutdown", "web_contents/owner", owner);
-+
- #if BUILDFLAG(IS_ANDROID)
- // On Android, also report the Java stack trace from WebContents's
- // creation.
-@@ -974,7 +996,7 @@ class WebContentsOfBrowserContext : public base::SupportsUserData::Data {
- // Usage of `raw_ptr` below is okay (i.e. it shouldn't dangle), because
- // when `WebContentsImpl`'s destructor runs, then it removes the set entry
- // (by calling `Detach`).
-- std::set<raw_ptr<WebContents>> web_contents_set_;
-+ std::set<raw_ptr<WebContentsImpl>> web_contents_set_;
- };
-
- } // namespace
-@@ -9697,6 +9719,11 @@ std::unique_ptr<PrerenderHandle> WebContentsImpl::StartPrerendering(
- return nullptr;
- }
-
-+void WebContentsImpl::SetOwnerLocationForDebug(
-+ absl::optional<base::Location> owner_location) {
-+ ownership_location_ = owner_location;
-+}
-+
- void WebContentsImpl::AboutToBeDiscarded(WebContents* new_contents) {
- observers_.NotifyObservers(&WebContentsObserver::AboutToBeDiscarded,
- new_contents);
-diff --git a/chromium/content/browser/web_contents/web_contents_impl.h b/chromium/content/browser/web_contents/web_contents_impl.h
-index bc3dc3d00a39..815694c05b18 100644
---- src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.h
-+++ src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.h
-@@ -858,6 +858,8 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents,
- PreloadingAttempt* preloading_attempt,
- absl::optional<base::RepeatingCallback<bool(const GURL&)>>
- url_match_predicate = absl::nullopt) override;
-+ void SetOwnerLocationForDebug(
-+ absl::optional<base::Location> owner_location) override;
-
- // NavigatorDelegate ---------------------------------------------------------
-
-@@ -1346,6 +1348,10 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents,
-
- ui::mojom::VirtualKeyboardMode GetVirtualKeyboardMode() const;
-
-+ const absl::optional<base::Location>& ownership_location() const {
-+ return ownership_location_;
-+ }
-+
- private:
- using FrameTreeIterationCallback = base::RepeatingCallback<void(FrameTree&)>;
- using RenderViewHostIterationCallback =
-@@ -2370,6 +2376,8 @@ class CONTENT_EXPORT WebContentsImpl : public WebContents,
-
- base::WeakPtrFactory<FileChooserImpl> active_file_chooser_;
-
-+ absl::optional<base::Location> ownership_location_;
-+
- base::WeakPtrFactory<WebContentsImpl> loading_weak_factory_{this};
- base::WeakPtrFactory<WebContentsImpl>
weak_factory_{this};
- };
-diff --git a/chromium/content/public/browser/web_contents.h b/chromium/content/public/browser/web_contents.h
-index bdd18c6c4ed8..6490fefaa940 100644
---- src/3rdparty/chromium/content/public/browser/web_contents.h
-+++ src/3rdparty/chromium/content/public/browser/web_contents.h
-@@ -1393,6 +1393,12 @@ class WebContents : public PageNavigator,
- absl::optional<base::RepeatingCallback<bool(const GURL&)>>
- url_match_predicate = absl::nullopt) = 0;
-
-+ // Tag `WebContents` with its owner. Used purely for debugging purposes so it
-+ // does not need to be exhaustive or perfectly correct.
-+ // TODO(crbug.com/1407197): Remove after bug is fixed.
-+ virtual void SetOwnerLocationForDebug(
-+ absl::optional<base::Location> owner_location) = 0;
-+
- private:
- // This interface should only be implemented inside content.
- friend class WebContentsImpl;
-diff --git a/chromium/extensions/browser/extension_host.cc b/chromium/extensions/browser/extension_host.cc
-index 91928c8b7811..42c92939788b 100644
---- src/3rdparty/chromium/extensions/browser/extension_host.cc
-+++ src/3rdparty/chromium/extensions/browser/extension_host.cc
-@@ -63,7 +63,8 @@ ExtensionHost::ExtensionHost(const Extension* extension,
- host_type == mojom::ViewType::kExtensionPopup ||
- host_type == mojom::ViewType::kExtensionSidePanel);
- host_contents_ = WebContents::Create(
-- WebContents::CreateParams(browser_context_, site_instance)),
-+ WebContents::CreateParams(browser_context_, site_instance));
-+ host_contents_->SetOwnerLocationForDebug(FROM_HERE);
- content::WebContentsObserver::Observe(host_contents_.get());
- host_contents_->SetDelegate(this);
- SetViewType(host_contents_.get(), host_type);
-From e257d6513927fa24df48075bce9b33c4b5f546ff Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Michael=20Br=C3=BCning?= <michael.bruning@qt.io>
-Date: Tue, 30 Jan 2024 11:51:16 +0100
-Subject: [PATCH] [Backport] Security bug 1407197 (2/2)
-MIME-Version: 1.0
-Content-Type: text/plain;
charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5080603:
-Safely crash on dangling profile
-
-Bug: 1407197
-Change-Id: Idcafd8f0ba2f980d06338e573489a3456e3823c1
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5080603
-Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org>
-Commit-Queue: Bo Liu <boliu@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1232704}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/535708
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../browser/web_contents/web_contents_impl.cc | 22 ++++++++++++++-----
- 1 file changed, 17 insertions(+), 5 deletions(-)
-
-diff --git a/chromium/content/browser/web_contents/web_contents_impl.cc b/chromium/content/browser/web_contents/web_contents_impl.cc
-index d8b3ad83bbb..3087f9c3e0b 100644
---- src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc
-+++ src/3rdparty/chromium/content/browser/web_contents/web_contents_impl.cc
-@@ -220,6 +220,11 @@ namespace {
- // The window which we dobounce load info updates in.
- constexpr auto kUpdateLoadStatesInterval = base::Milliseconds(250);
-
-+// Kill switch for crash immediately on dangling BrowserContext.
-+BASE_FEATURE(kCrashOnDanglingBrowserContext,
-+ "CrashOnDanglingBrowserContext",
-+ base::FEATURE_ENABLED_BY_DEFAULT);
-+
- using LifecycleState = RenderFrameHost::LifecycleState;
- using LifecycleStateImpl = RenderFrameHostImpl::LifecycleStateImpl;
-
-@@ -958,11 +963,18 @@ class WebContentsOfBrowserContext : public base::SupportsUserData::Data {
- env, web_contents_with_dangling_ptr_to_browser_context);
- #endif // BUILDFLAG(IS_ANDROID)
-
-- NOTREACHED()
-- << "BrowserContext is getting destroyed without first closing all "
-- << "WebContents (for more info see https://crbug.com/1376879#c44); "
-- << "creator = " << creator;
-- base::debug::DumpWithoutCrashing();
-+ if (base::FeatureList::IsEnabled(kCrashOnDanglingBrowserContext)) {
-+ LOG(FATAL)
-+ << "BrowserContext is getting destroyed without first closing all "
-+ << "WebContents (for more info see https://crbug.com/1376879#c44); "
-+ << "creator = " << creator;
-+ } else {
-+ NOTREACHED()
-+ << "BrowserContext is getting destroyed without first closing all "
-+ << "WebContents (for more info see https://crbug.com/1376879#c44); "
-+ << "creator = " << creator;
-+ base::debug::DumpWithoutCrashing();
-+ }
- }
- }
-
-From f2480155fcf5f753d60b818986d136fcd2309edc Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Peter=20Bostr=C3=B6m?= <pbos@chromium.org>
-Date: Tue, 23 Jan 2024 01:06:06 +0000
-Subject: [PATCH] [Backport] Security bug 1519980
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Manual cherry-pick of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5226127:
-Speculatively fix race in mojo ShutDownOnIOThread
-
-This acquires `write_lock_` before resetting handles used by WriteNoLock
-(which is called under the same lock in another thread). We also set
-`reject_writes_` to prevent future write attempts after shutdown. That
-seems strictly more correct.
-
-We also acquire `fds_to_close_lock_` before clearing the FDs.
-
-I was unable to repro locally as content_browsertests just times out
-in my local setup without reporting anything interesting. This seems
-strictly more correct though.
-
-Bug: 1519980
-Change-Id: I96279936ca908ecb98eddd381df20d61597cba43
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5226127
-Auto-Submit: Peter Boström <pbos@chromium.org>
-Reviewed-by: Ken Rockot <rockot@google.com>
-Commit-Queue: Ken Rockot <rockot@google.com>
-Commit-Queue: Peter Boström <pbos@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1250580}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/537138
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- chromium/mojo/core/channel_posix.cc | 25 +++++++++++++++----------
- 1 file changed, 15 insertions(+), 10 deletions(-)
-
-diff --git a/chromium/mojo/core/channel_posix.cc b/chromium/mojo/core/channel_posix.cc
-index f57c9b3cb5f..faf728fdd3d 100644
---- src/3rdparty/chromium/mojo/core/channel_posix.cc
-+++ src/3rdparty/chromium/mojo/core/channel_posix.cc
-@@ -264,18 +264,23 @@ void ChannelPosix::WaitForWriteOnIOThreadNoLock() {
- void ChannelPosix::ShutDownOnIOThread() {
- base::CurrentThread::Get()->RemoveDestructionObserver(this);
-
-- read_watcher_.reset();
-- write_watcher_.reset();
-- if (leak_handle_) {
-- std::ignore = socket_.release();
-- server_.TakePlatformHandle().release();
-- } else {
-- socket_.reset();
-- std::ignore = server_.TakePlatformHandle();
-- }
-+ {
-+ base::AutoLock lock(write_lock_);
-+ reject_writes_ = true;
-+ read_watcher_.reset();
-+ write_watcher_.reset();
-+ if (leak_handle_) {
-+ std::ignore = socket_.release();
-+ server_.TakePlatformHandle().release();
-+ } else {
-+ socket_.reset();
-+ std::ignore = server_.TakePlatformHandle();
-+ }
- #if BUILDFLAG(IS_IOS)
-- fds_to_close_.clear();
-+ base::AutoLock fd_lock(fds_to_close_lock_);
-+ fds_to_close_.clear();
- #endif
-+ }
-
- // May destroy the |this| if it was the last reference.
- self_ = nullptr;
-From d9b4b11c104ec5112900dad72af8ff058c3f069b Mon Sep 17 00:00:00 2001
-From: Jean-Philippe Gravel <jpgravel@chromium.org>
-Date: Wed, 17 Jan 2024 17:45:45 +0000
-Subject: [PATCH] [Backport] CVE-2024-1060: Use after free in Canvas
-
-Manual backport of patch originally reviewed on
-https://chromium-review.googlesource.com/c/chromium/src/+/5198419:
-Fix use-after-free in DrawTextInternal
-
-DrawTextInternal was calling GetOrCreatePaintCanvas multiple times,
-once at the start of the function, once inside of the
-BaseRenderingContext2DAutoRestoreSkCanvas helper class and once in the
-Draw call. GetOrCreatePaintCanvas destroys the canvas resource provider
-if the GPU context is lost. If this happens on the second call to
-GetOrCreatePaintCanvas, destroying the resource provider will
-invalidate the cc::PaintCanvas returned by the first call to
-GetOrCreatePaintCanvas.
-
-The GPU process can technically crash at any point during the renderer
-process execution (perhaps because of something another renderer
-process did). We therefore have to assume that any call to
-GetOrCreatePaintCanvas can invalidate previously returned
-cc::PaintCanvas.
-
-Change-Id: Ifa77735ab1b2b55b3d494f886b8566299937f6fe
-Fixed: 1511567
-Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5198419
-Reviewed-by: Fernando Serboncini <fserb@chromium.org>
-Commit-Queue: Jean-Philippe Gravel <jpgravel@chromium.org>
-Cr-Commit-Position: refs/heads/main@{#1248204}
-Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/537140
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
----
- .../canvas2d/canvas_rendering_context_2d.cc | 50 ++++++-------------
- .../canvas2d/canvas_rendering_context_2d.h | 2 -
- 2 files changed, 16 insertions(+), 36 deletions(-)
-
-diff --git a/chromium/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d.cc b/chromium/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d.cc
-index 01720502d6a..adab5144f93 100644
---- src/3rdparty/chromium/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d.cc
-+++ src/3rdparty/chromium/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d.cc
-@@ -102,35 +102,6 @@ static mojom::blink::ColorScheme GetColorSchemeFromCanvas(
- return mojom::blink::ColorScheme::kLight;
- }
-
--// Drawing methods need to use this instead of SkAutoCanvasRestore in case
--// overdraw detection substitutes the recording canvas (to discard overdrawn
--// draw calls).
--class CanvasRenderingContext2DAutoRestoreSkCanvas { -- STACK_ALLOCATED(); -- -- public: -- explicit CanvasRenderingContext2DAutoRestoreSkCanvas( -- CanvasRenderingContext2D* context) -- : context_(context) { -- DCHECK(context_); -- cc::PaintCanvas* c = context_->GetOrCreatePaintCanvas(); -- if (c) { -- save_count_ = c->getSaveCount(); -- } -- } -- -- ~CanvasRenderingContext2DAutoRestoreSkCanvas() { -- cc::PaintCanvas* c = context_->GetOrCreatePaintCanvas(); -- if (c) -- c->restoreToCount(save_count_); -- context_->ValidateStateStack(); -- } -- -- private: -- CanvasRenderingContext2D* context_; -- int save_count_ = 0; --}; -- - CanvasRenderingContext* CanvasRenderingContext2D::Factory::Create( - CanvasRenderingContextHost* host, - const CanvasContextCreationAttributesCore& attrs) { -@@ -999,9 +970,11 @@ void CanvasRenderingContext2D::DrawTextInternal( - // to 0, for example), so update style before grabbing the PaintCanvas. - canvas()->GetDocument().UpdateStyleAndLayoutTreeForNode(canvas()); - -- cc::PaintCanvas* c = GetOrCreatePaintCanvas(); -- if (!c) -+ // Abort if we don't have a paint canvas (e.g. the context was lost). -+ cc::PaintCanvas* paint_canvas = GetOrCreatePaintCanvas(); -+ if (!paint_canvas) { - return; -+ } - - if (!std::isfinite(x) || !std::isfinite(y)) - return; -@@ -1066,14 +1039,13 @@ void CanvasRenderingContext2D::DrawTextInternal( - if (paint_type == CanvasRenderingContext2DState::kStrokePaintType) - InflateStrokeRect(bounds); - -- CanvasRenderingContext2DAutoRestoreSkCanvas state_restorer(this); - if (use_max_width) { -- c->save(); -+ paint_canvas->save(); - // We draw when fontWidth is 0 so compositing operations (eg, a "copy" op) - // still work. As the width of canvas is scaled, so text can be scaled to - // match the given maxwidth, update text location so it appears on desired - // place. 
-- c->scale(ClampTo<float>(width / font_width), 1); -+ paint_canvas->scale(ClampTo<float>(width / font_width), 1); - location.set_x(location.x() / ClampTo<float>(width / font_width)); - } - -@@ -1093,6 +1065,16 @@ void CanvasRenderingContext2D::DrawTextInternal( - { return false; }, - bounds, paint_type, CanvasRenderingContext2DState::kNoImage, - CanvasPerformanceMonitor::DrawType::kText); -+ -+ if (use_max_width) { -+ // Cannot use `paint_canvas` in case recording canvas was substituted or -+ // destroyed during draw call. -+ cc::PaintCanvas* c = GetPaintCanvas(); -+ if (c) { -+ c->restore(); -+ } -+ } -+ ValidateStateStack(); - } - - const Font& CanvasRenderingContext2D::AccessFont() { -diff --git a/chromium/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d.h b/chromium/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d.h -index 508af63e75a..59566cb117c 100644 ---- src/3rdparty/chromium/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d.h -+++ src/3rdparty/chromium/third_party/blink/renderer/modules/canvas/canvas2d/canvas_rendering_context_2d.h -@@ -245,8 +245,6 @@ class MODULES_EXPORT CanvasRenderingContext2D final - void TryRestoreContextEvent(TimerBase*) override; - - private: -- friend class CanvasRenderingContext2DAutoRestoreSkCanvas; -- - void PruneLocalFontCache(size_t target_size); - - void ScrollPathIntoViewInternal(const Path&); -From 5f7b5772910e721f0cbdfd97925e84afa94aeec8 Mon Sep 17 00:00:00 2001 -From: Tsuyoshi Horo <horo@chromium.org> -Date: Tue, 9 Jan 2024 08:40:00 +0000 -Subject: [PATCH] [Backport] CVE-2024-1077: Use after free in Network - -Cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5179746: -Fix UAF in SourceStreamToDataPipe - -SourceStreamToDataPipe::ReadMore() is passing a callback with -Unretained(this) to net::SourceStream::Read(). 
But this callback may be -called even after the SourceStream is destructed. This is causing UAF -issue (crbug.com/1511085). - -To solve this problem, this CL changes ReadMore() method to pass a -callback with a weak ptr of this. - -Bug: 1511085 -Change-Id: Idd4e34ff300ff5db2de1de7b303841c7db3a964a -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5179746 -Reviewed-by: Adam Rice <ricea@chromium.org> -Commit-Queue: Tsuyoshi Horo <horo@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1244526} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/537141 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - .../network/public/cpp/source_stream_to_data_pipe.cc | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/chromium/services/network/public/cpp/source_stream_to_data_pipe.cc b/chromium/services/network/public/cpp/source_stream_to_data_pipe.cc -index bfd85b1a00b..07afd58a40f 100644 ---- src/3rdparty/chromium/services/network/public/cpp/source_stream_to_data_pipe.cc -+++ src/3rdparty/chromium/services/network/public/cpp/source_stream_to_data_pipe.cc -@@ -55,9 +55,9 @@ void SourceStreamToDataPipe::ReadMore() { - - scoped_refptr<net::IOBuffer> buffer( - new network::NetToMojoIOBuffer(pending_write_.get())); -- int result = source_->Read( -- buffer.get(), base::checked_cast<int>(num_bytes), -- base::BindOnce(&SourceStreamToDataPipe::DidRead, base::Unretained(this))); -+ int result = source_->Read(buffer.get(), base::checked_cast<int>(num_bytes), -+ base::BindOnce(&SourceStreamToDataPipe::DidRead, -+ weak_factory_.GetWeakPtr())); - - if (result != net::ERR_IO_PENDING) - DidRead(result); -From 9bcf4d966b8315c3801721222c937f6c4fbc00b2 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michael=20Br=C3=BCning?= <michael.bruning@qt.io> -Date: Wed, 7 Feb 2024 12:07:44 +0100 -Subject: [PATCH] Fixup: [Backport] Security bug 1407197 - -It was missing setting one of the debug locations in code that we -may potentially 
compile. - -Change-Id: Ia47c270eb042d131621babaef3927b0745c36014 -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/537953 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - chromium/chrome/browser/devtools/devtools_window.cc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/chromium/chrome/browser/devtools/devtools_window.cc b/chromium/chrome/browser/devtools/devtools_window.cc -index de1b8b019fc..94343b63153 100644 ---- src/3rdparty/chromium/chrome/browser/devtools/devtools_window.cc -+++ src/3rdparty/chromium/chrome/browser/devtools/devtools_window.cc -@@ -1301,6 +1301,7 @@ void DevToolsWindow::AddNewContents( - bool* was_blocked) { - if (new_contents.get() == toolbox_web_contents_) { - owned_toolbox_web_contents_ = std::move(new_contents); -+ owned_toolbox_web_contents_->SetOwnerLocationForDebug(FROM_HERE); - - toolbox_web_contents_->SetDelegate(new DevToolsToolboxDelegate( - toolbox_web_contents_, inspected_web_contents_)); -From beb4a95a8040535701840e84338998b711cf86ff Mon Sep 17 00:00:00 2001 -From: Guido Urdaneta <guidou@chromium.org> -Date: Thu, 18 Jan 2024 16:47:18 +0000 -Subject: [PATCH] [Backport] CVE-2024-1059: Use after free in WebRTC - -Manual backport of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5210359: -[RTCPeerConnection] Exit early from RTCPeerConnectionHandler - -For certain operations that require a live client -(i.e., RTCPeerConnection, which is garbage collected), -PeerConnectionHandler keeps a pointer to the client on the stack -to prevent garbage collection. - -In some cases, the client may have already been garbage collected -(the client is null). In that case, there is no point in doing the -operation and it should exit early to avoid UAF/crashes. - -This CL adds early exit to the cases that do not already have it. 
- -Bug: 1514777 -Change-Id: I27e9541cfaa74d978799c03e2832a0980f9e5710 -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5210359 -Reviewed-by: Tomas Gunnarsson <tommi@chromium.org> -Commit-Queue: Guido Urdaneta <guidou@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1248826} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/537139 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - .../rtc_peer_connection_handler.cc | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc b/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc -index 83853f003c7..fc2336dbb88 100644 ---- src/3rdparty/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc -+++ src/3rdparty/chromium/third_party/blink/renderer/modules/peerconnection/rtc_peer_connection_handler.cc -@@ -1058,15 +1058,19 @@ bool RTCPeerConnectionHandler::Initialize( - WebLocalFrame* frame, - ExceptionState& exception_state) { - DCHECK(task_runner_->RunsTasksInCurrentSequence()); -- DCHECK(frame); - DCHECK(dependency_factory_); -- frame_ = frame; - - CHECK(!initialize_called_); - initialize_called_ = true; - - // Prevent garbage collection of client_ during processing. - auto* client_on_stack = client_; -+ if (!client_on_stack) { -+ return false; -+ } -+ -+ DCHECK(frame); -+ frame_ = frame; - peer_connection_tracker_ = PeerConnectionTracker::From(*frame); - - configuration_ = server_configuration; -@@ -2268,10 +2272,13 @@ void RTCPeerConnectionHandler::OnIceCandidate(const String& sdp, - int sdp_mline_index, - int component, - int address_family) { -+ DCHECK(task_runner_->RunsTasksInCurrentSequence()); - // In order to ensure that the RTCPeerConnection is not garbage collected - // from under the function, we keep a pointer to it on the stack. 
- auto* client_on_stack = client_; -- DCHECK(task_runner_->RunsTasksInCurrentSequence()); -+ if (!client_on_stack) { -+ return; -+ } - TRACE_EVENT0("webrtc", "RTCPeerConnectionHandler::OnIceCandidateImpl"); - // This line can cause garbage collection. - auto* platform_candidate = MakeGarbageCollected<RTCIceCandidatePlatform>( -@@ -2281,7 +2288,8 @@ void RTCPeerConnectionHandler::OnIceCandidate(const String& sdp, - this, platform_candidate, PeerConnectionTracker::kSourceLocal, true); - } - -- if (!is_closed_) -+ client_on_stack = client_; -+ if (!is_closed_ && client_on_stack) - client_on_stack->DidGenerateICECandidate(platform_candidate); - } - -From 149e8c185ff1ea7ee0a7037153311b026e142ac3 Mon Sep 17 00:00:00 2001 -From: John Stiles <johnstiles@google.com> -Date: Mon, 29 Jan 2024 23:50:14 +0000 -Subject: [PATCH] [Backport] CVE-2024-1283: Heap buffer overflow in Skia - -Manual cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5241305: -Fix a crash when a BMP image contains an unnecessary EOF code. - -Previously, this would try to perform color correction on a row -one past the end of the image data. 
- -Bug: 1521893 -Change-Id: I425437005b9ef400138556705616095857d2cf0d -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5241305 -Auto-Submit: John Stiles <johnstiles@google.com> -Commit-Queue: John Stiles <johnstiles@google.com> -Reviewed-by: Peter Kasting <pkasting@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1253633} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/538110 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - .../image-decoders/bmp/bmp_image_reader.cc | 17 ++++++++++++++--- - 1 file changed, 14 insertions(+), 3 deletions(-) - -diff --git a/chromium/third_party/blink/renderer/platform/image-decoders/bmp/bmp_image_reader.cc b/chromium/third_party/blink/renderer/platform/image-decoders/bmp/bmp_image_reader.cc -index 063e5385d7f6..b40c8aa5c1fe 100644 ---- src/3rdparty/chromium/third_party/blink/renderer/platform/image-decoders/bmp/bmp_image_reader.cc -+++ src/3rdparty/chromium/third_party/blink/renderer/platform/image-decoders/bmp/bmp_image_reader.cc -@@ -827,8 +827,10 @@ BMPImageReader::ProcessingResult BMPImageReader::ProcessRLEData() { - // the image. - const uint8_t count = ReadUint8(0); - const uint8_t code = ReadUint8(1); -- if ((count || (code != 1)) && PastEndOfImage(0)) -+ const bool is_past_end_of_image = PastEndOfImage(0); -+ if ((count || (code != 1)) && is_past_end_of_image) { - return kFailure; -+ } - - // Decode. - if (!count) { -@@ -849,7 +851,9 @@ BMPImageReader::ProcessingResult BMPImageReader::ProcessRLEData() { - (is_top_down_ ? (coord_.y() < (parent_->Size().height() - 1)) - : (coord_.y() > 0))) - buffer_->SetHasAlpha(true); -- ColorCorrectCurrentRow(); -+ if (!is_past_end_of_image) { -+ ColorCorrectCurrentRow(); -+ } - // There's no need to move |coord_| here to trigger the caller - // to call SetPixelsChanged(). 
If the only thing that's changed - // is the alpha state, that will be properly written into the -@@ -1061,6 +1065,13 @@ void BMPImageReader::ColorCorrectCurrentRow() { - const ColorProfileTransform* const transform = parent_->ColorTransform(); - if (!transform) - return; -+ int decoder_width = parent_->Size().width(); -+ // Enforce 0 ≤ current row < bitmap height. -+ CHECK_GE(coord_.y(), 0); -+ CHECK_LT(coord_.y(), buffer_->Bitmap().height()); -+ // Enforce decoder width == bitmap width exactly. (The bitmap rowbytes might -+ // add a bit of padding, but we are only converting one row at a time.) -+ CHECK_EQ(decoder_width, buffer_->Bitmap().width()); - ImageFrame::PixelData* const row = buffer_->GetAddr(0, coord_.y()); - const skcms_PixelFormat fmt = XformColorFormat(); - const skcms_AlphaFormat alpha = -@@ -1069,7 +1080,7 @@ void BMPImageReader::ColorCorrectCurrentRow() { - : skcms_AlphaFormat_Unpremul; - const bool success = - skcms_Transform(row, fmt, alpha, transform->SrcProfile(), row, fmt, alpha, -- transform->DstProfile(), parent_->Size().width()); -+ transform->DstProfile(), decoder_width); - DCHECK(success); - buffer_->SetPixelsChanged(true); - } -From 707f4e7c0110c33df3d36a1942ad1b0ea2cb997b Mon Sep 17 00:00:00 2001 -From: Ken Rockot <rockot@google.com> -Date: Fri, 26 Jan 2024 21:53:06 +0000 -Subject: [PATCH] [Backport] CVE-2024-1284: Use after free in Mojo - -Cherry-pick of patch originally reviewed on -https://chromium-review.googlesource.com/c/chromium/src/+/5240312: -ipcz: Fix a few weak asserts - -DriverMemory cloning should not weakly assert success, as it can fail in -real production scenarios. Now Clone() will return an invalid -DriverMemory object if it fails to duplicate the internal handle. -Existing callers of Clone() are already durable to an invalid output, so -this change results in graceful failures instead of undefined behavior. - -This also replaces some weak asserts in DriverTransport creation with -hardening asserts. 
We may want to fail more gracefully if these end -up crashing a lot, but it seems unlikely. - -Fixed: 1521571 -Change-Id: Id764b33ead8bbba58e61b3270920c839479eaa4a -Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5240312 -Commit-Queue: Ken Rockot <rockot@google.com> -Reviewed-by: Alex Gough <ajgo@chromium.org> -Cr-Commit-Position: refs/heads/main@{#1252882} -Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/538111 -Reviewed-by: Michal Klocek <michal.klocek@qt.io> ---- - .../third_party/ipcz/src/ipcz/driver_memory.cc | 15 +++++++++------ - .../third_party/ipcz/src/ipcz/driver_transport.cc | 4 ++-- - 2 files changed, 11 insertions(+), 8 deletions(-) - -diff --git a/chromium/third_party/ipcz/src/ipcz/driver_memory.cc b/chromium/third_party/ipcz/src/ipcz/driver_memory.cc -index 612eca89d52..b92c04bf521 100644 ---- src/3rdparty/chromium/third_party/ipcz/src/ipcz/driver_memory.cc -+++ src/3rdparty/chromium/third_party/ipcz/src/ipcz/driver_memory.cc -@@ -30,10 +30,11 @@ DriverMemory::DriverMemory(const IpczDriver& driver, size_t num_bytes) - : size_(num_bytes) { - ABSL_ASSERT(num_bytes > 0); - IpczDriverHandle handle; -- IpczResult result = -+ const IpczResult result = - driver.AllocateSharedMemory(num_bytes, IPCZ_NO_FLAGS, nullptr, &handle); -- ABSL_ASSERT(result == IPCZ_RESULT_OK); -- memory_ = DriverObject(driver, handle); -+ if (result == IPCZ_RESULT_OK) { -+ memory_ = DriverObject(driver, handle); -+ } - } - - DriverMemory::DriverMemory(DriverMemory&& other) = default; -@@ -43,12 +44,14 @@ DriverMemory& DriverMemory::operator=(DriverMemory&& other) = default; - DriverMemory::~DriverMemory() = default; - - DriverMemory DriverMemory::Clone() { -- ABSL_ASSERT(is_valid()); -+ ABSL_HARDENING_ASSERT(is_valid()); - - IpczDriverHandle handle; -- IpczResult result = memory_.driver()->DuplicateSharedMemory( -+ const IpczResult result = memory_.driver()->DuplicateSharedMemory( - memory_.handle(), 0, nullptr, &handle); -- 
ABSL_ASSERT(result == IPCZ_RESULT_OK); -+ if (result != IPCZ_RESULT_OK) { -+ return DriverMemory(); -+ } - - return DriverMemory(DriverObject(*memory_.driver(), handle)); - } -diff --git a/chromium/third_party/ipcz/src/ipcz/driver_transport.cc b/chromium/third_party/ipcz/src/ipcz/driver_transport.cc -index a8cb7a1251f..2550c2891fd 100644 ---- src/3rdparty/chromium/third_party/ipcz/src/ipcz/driver_transport.cc -+++ src/3rdparty/chromium/third_party/ipcz/src/ipcz/driver_transport.cc -@@ -68,14 +68,14 @@ DriverTransport::Pair DriverTransport::CreatePair( - IpczDriverHandle target_transport0 = IPCZ_INVALID_DRIVER_HANDLE; - IpczDriverHandle target_transport1 = IPCZ_INVALID_DRIVER_HANDLE; - if (transport0) { -- ABSL_ASSERT(transport1); -+ ABSL_HARDENING_ASSERT(transport1); - target_transport0 = transport0->driver_object().handle(); - target_transport1 = transport1->driver_object().handle(); - } - IpczResult result = driver.CreateTransports( - target_transport0, target_transport1, IPCZ_NO_FLAGS, nullptr, - &new_transport0, &new_transport1); -- ABSL_ASSERT(result == IPCZ_RESULT_OK); -+ ABSL_HARDENING_ASSERT(result == IPCZ_RESULT_OK); - auto first = - MakeRefCounted<DriverTransport>(DriverObject(driver, new_transport0)); - auto second = diff --git a/www/qt6-webengine/files/patch-src_3rdparty_chromium_base_containers_checked__iterators.h b/www/qt6-webengine/files/patch-src_3rdparty_chromium_base_containers_checked__iterators.h deleted file mode 100644 index 0c4ea373280b..000000000000 --- a/www/qt6-webengine/files/patch-src_3rdparty_chromium_base_containers_checked__iterators.h +++ /dev/null 
@@ -1,75 +0,0 @@ ---- src/3rdparty/chromium/base/containers/checked_iterators.h.orig 2023-11-20 16:08:07 UTC -+++ src/3rdparty/chromium/base/containers/checked_iterators.h -@@ -24,6 +24,9 @@ class CheckedContiguousIterator { - using pointer = T*; - using reference = T&; - using iterator_category = std::random_access_iterator_tag; -+#if __cplusplus >= 202002L -+ using iterator_concept = std::contiguous_iterator_tag; -+#endif - - // Required for converting constructor below. - template <typename U> -@@ -31,10 +34,8 @@ class CheckedContiguousIterator { - - // Required for certain libc++ algorithm optimizations that are not available - // for NaCl. --#if defined(_LIBCPP_VERSION) && !BUILDFLAG(IS_NACL) - template <typename Ptr> - friend struct std::pointer_traits; --#endif - - constexpr CheckedContiguousIterator() = default; - -@@ -224,7 +225,6 @@ using CheckedContiguousConstIterator = CheckedContiguo - - } // namespace base - --#if defined(_LIBCPP_VERSION) && !BUILDFLAG(IS_NACL) - // Specialize both std::__is_cpp17_contiguous_iterator and std::pointer_traits - // for CCI in case we compile with libc++ outside of NaCl. The former is - // required to enable certain algorithm optimizations (e.g. std::copy can be a -@@ -242,13 +242,35 @@ using CheckedContiguousConstIterator = CheckedContiguo - // [1] https://wg21.link/iterator.concept.contiguous - // [2] https://wg21.link/std.iterator.tags - // [3] https://wg21.link/pointer.traits.optmem --namespace std { - -+#if defined(_LIBCPP_VERSION) -+ -+// TODO(crbug.com/1284275): Remove when C++20 is on by default, as the use -+// of `iterator_concept` above should suffice. -+_LIBCPP_BEGIN_NAMESPACE_STD -+ -+// TODO(crbug.com/1449299): https://reviews.llvm.org/D150801 renamed this from -+// `__is_cpp17_contiguous_iterator` to `__libcpp_is_contiguous_iterator`. Clean -+// up the old spelling after libc++ rolls. 
- template <typename T> -+struct __is_cpp17_contiguous_iterator; -+template <typename T> - struct __is_cpp17_contiguous_iterator<::base::CheckedContiguousIterator<T>> - : true_type {}; - - template <typename T> -+struct __libcpp_is_contiguous_iterator; -+template <typename T> -+struct __libcpp_is_contiguous_iterator<::base::CheckedContiguousIterator<T>> -+ : true_type {}; -+ -+_LIBCPP_END_NAMESPACE_STD -+ -+#endif -+ -+namespace std { -+ -+template <typename T> - struct pointer_traits<::base::CheckedContiguousIterator<T>> { - using pointer = ::base::CheckedContiguousIterator<T>; - using element_type = T; -@@ -267,6 +289,5 @@ struct pointer_traits<::base::CheckedContiguousIterato - }; - - } // namespace std --#endif - - #endif // BASE_CONTAINERS_CHECKED_ITERATORS_H_ diff --git a/www/qt6-webengine/files/patch-src_3rdparty_chromium_build_config_linux_pkg-config.py b/www/qt6-webengine/files/patch-src_3rdparty_chromium_build_config_linux_pkg-config.py index 564aa1a88b7b..5bf1f6d7757d 100644 --- a/www/qt6-webengine/files/patch-src_3rdparty_chromium_build_config_linux_pkg-config.py +++ b/www/qt6-webengine/files/patch-src_3rdparty_chromium_build_config_linux_pkg-config.py @@ -1,11 +1,11 @@ ---- src/3rdparty/chromium/build/config/linux/pkg-config.py.orig 2023-03-09 06:31:50 UTC +--- src/3rdparty/chromium/build/config/linux/pkg-config.py.orig 2024-02-10 00:23:21 UTC +++ src/3rdparty/chromium/build/config/linux/pkg-config.py @@ -108,7 +108,7 @@ def main(): # If this is run on non-Linux platforms, just return nothing and indicate # success. This allows us to "kind of emulate" a Linux build from other # platforms. -- if "linux" not in sys.platform: -+ if not sys.platform.startswith(tuple(['linux', 'openbsd', 'freebsd'])): +- if 'linux' not in sys.platform and 'darwin' not in sys.platform: ++ if not sys.platform.startswith(tuple(['linux', 'openbsd', 'freebsd', 'darwin'])): print("[[],[],[],[],[]]") return 0 
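Review bot: The refreshed condition in the pkg-config.py patch (inner hunk `@@ -108,7 +108,7 @@ def main():`) still builds a list and wraps it in `tuple([...])` only to pass it to `startswith`. A tuple literal does the same with less noise: `if not sys.platform.startswith(('linux', 'openbsd', 'freebsd', 'darwin')):`. The context comment directly above it still reads "If this is run on non-Linux platforms", which no longer matches a branch that lets the BSDs and darwin through, so the patch could reword that comment too. The port also replaces upstream's substring test (`'linux' not in sys.platform`) with a prefix test; that looks equivalent for these platform names, but a short comment saying so would help the next refresh. `main()` continues outside the hunk.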
diff --git a/www/qt6-webengine/pkg-plist b/www/qt6-webengine/pkg-plist
index 8479693b2243..3a88087a9a7c 100644
--- a/www/qt6-webengine/pkg-plist
+++ b/www/qt6-webengine/pkg-plist
@@ -152,6 +152,7 @@ lib/cmake/Qt6WebEngineCore/Qt6WebEngineCoreConfig.cmake
 lib/cmake/Qt6WebEngineCore/Qt6WebEngineCoreConfigVersion.cmake
 lib/cmake/Qt6WebEngineCore/Qt6WebEngineCoreConfigVersionImpl.cmake
 lib/cmake/Qt6WebEngineCore/Qt6WebEngineCoreDependencies.cmake
+lib/cmake/Qt6WebEngineCore/Qt6WebEngineCoreDeploySupport.cmake
 lib/cmake/Qt6WebEngineCore/Qt6WebEngineCoreMacros.cmake
 lib/cmake/Qt6WebEngineCore/Qt6WebEngineCoreTargets-%%CMAKE_BUILD_TYPE%%.cmake
 lib/cmake/Qt6WebEngineCore/Qt6WebEngineCoreTargets.cmake
diff --git a/www/qt6-websockets/distinfo b/www/qt6-websockets/distinfo
index ff6134430cb1..c3217a6c35fc 100644
--- a/www/qt6-websockets/distinfo
+++ b/www/qt6-websockets/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102896
-SHA256 (KDE/Qt/6.6.1/qtwebsockets-everywhere-src-6.6.1.tar.xz) = 787514349876d87e046504e5f64886d886bd2993a53fa795598ea07ecc7b0643
-SIZE (KDE/Qt/6.6.1/qtwebsockets-everywhere-src-6.6.1.tar.xz) = 463896
+TIMESTAMP = 1707970380
+SHA256 (KDE/Qt/6.6.2/qtwebsockets-everywhere-src-6.6.2.tar.xz) = c0e6ea9bc8db4290bb43e683fb3d639055fe91258f357980eb6ef5abab4438f9
+SIZE (KDE/Qt/6.6.2/qtwebsockets-everywhere-src-6.6.2.tar.xz) = 455088
diff --git a/www/qt6-webview/distinfo b/www/qt6-webview/distinfo
index e60aa427e0ee..d884824e00ab 100644
--- a/www/qt6-webview/distinfo
+++ b/www/qt6-webview/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102898
-SHA256 (KDE/Qt/6.6.1/qtwebview-everywhere-src-6.6.1.tar.xz) = d6de1ba33be93ae464147c9c069e115c7a24e3e475640016bc2f07c93c4a256c
-SIZE (KDE/Qt/6.6.1/qtwebview-everywhere-src-6.6.1.tar.xz) = 147644
+TIMESTAMP = 1707970381
+SHA256 (KDE/Qt/6.6.2/qtwebview-everywhere-src-6.6.2.tar.xz) = 8b171236406d7a8e0c384513d9d140d1a3953e2f8d6f05e1c86d3c6fc40b777c
+SIZE (KDE/Qt/6.6.2/qtwebview-everywhere-src-6.6.2.tar.xz) = 138792
diff --git a/x11-toolkits/qt6-charts/distinfo b/x11-toolkits/qt6-charts/distinfo
index 876e37096f08..594981cdc703 100644
--- a/x11-toolkits/qt6-charts/distinfo
+++ b/x11-toolkits/qt6-charts/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102903
-SHA256 (KDE/Qt/6.6.1/qtcharts-everywhere-src-6.6.1.tar.xz) = 1156caa94526b7e1bc30da800a7503d19744b10afc7c1f702da6dedfaa2a31b6
-SIZE (KDE/Qt/6.6.1/qtcharts-everywhere-src-6.6.1.tar.xz) = 4669120
+TIMESTAMP = 1707970385
+SHA256 (KDE/Qt/6.6.2/qtcharts-everywhere-src-6.6.2.tar.xz) = b1486262ee07b4420b8cdd1525c01800186b15d4fee0669cf544fdd5e941f5f4
+SIZE (KDE/Qt/6.6.2/qtcharts-everywhere-src-6.6.2.tar.xz) = 4660052
diff --git a/x11-toolkits/qt6-datavis3d/distinfo b/x11-toolkits/qt6-datavis3d/distinfo
index da55b6452653..b2dbb0e6d0a0 100644
--- a/x11-toolkits/qt6-datavis3d/distinfo
+++ b/x11-toolkits/qt6-datavis3d/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102910
-SHA256 (KDE/Qt/6.6.1/qtdatavis3d-everywhere-src-6.6.1.tar.xz) = b9dc3bcd8e222effcc8ab0c286c7bcc5507188a43ac01bee855f9642d1a71ba2
-SIZE (KDE/Qt/6.6.1/qtdatavis3d-everywhere-src-6.6.1.tar.xz) = 3955668
+TIMESTAMP = 1707970388
+SHA256 (KDE/Qt/6.6.2/qtdatavis3d-everywhere-src-6.6.2.tar.xz) = 314a6b2904006d151c2ec7d753814c8c63903ff814069baf9c4978d49d2a1c47
+SIZE (KDE/Qt/6.6.2/qtdatavis3d-everywhere-src-6.6.2.tar.xz) = 3947636
diff --git a/x11-toolkits/qt6-declarative/distinfo b/x11-toolkits/qt6-declarative/distinfo
index a3d1c863703d..e00ebe1c7a56 100644
--- a/x11-toolkits/qt6-declarative/distinfo
+++ b/x11-toolkits/qt6-declarative/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701110281
-SHA256 (KDE/Qt/6.6.1/qtdeclarative-everywhere-src-6.6.1.tar.xz) = 7effd7338e6658464ce9554dc88d1bf93a39d1415501be2c4b34c098b608995c
-SIZE (KDE/Qt/6.6.1/qtdeclarative-everywhere-src-6.6.1.tar.xz) = 34349560
+TIMESTAMP = 1707970403
+SHA256 (KDE/Qt/6.6.2/qtdeclarative-everywhere-src-6.6.2.tar.xz) = c39ce9a7c4468f7399c9ced0fbe6ef9c8d6550efc4b893297aa3cfb965b3d84c
+SIZE (KDE/Qt/6.6.2/qtdeclarative-everywhere-src-6.6.2.tar.xz) = 34361600
diff --git a/x11-toolkits/qt6-graphs/distinfo b/x11-toolkits/qt6-graphs/distinfo
index 733d3fa6a7d7..4623a8191a75 100644
--- a/x11-toolkits/qt6-graphs/distinfo
+++ b/x11-toolkits/qt6-graphs/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102945
-SHA256 (KDE/Qt/6.6.1/qtgraphs-everywhere-src-6.6.1.tar.xz) = c8968d03cf5d3c46732c97d8e46e405d79c963150fee0de1fab8e59116556477
-SIZE (KDE/Qt/6.6.1/qtgraphs-everywhere-src-6.6.1.tar.xz) = 3827440
+TIMESTAMP = 1707970406
+SHA256 (KDE/Qt/6.6.2/qtgraphs-everywhere-src-6.6.2.tar.xz) = 46ac2dedbf76807c2a44a438db772e4ab44fd25ce4d285316f9ab2dc6f8349a6
+SIZE (KDE/Qt/6.6.2/qtgraphs-everywhere-src-6.6.2.tar.xz) = 3818792
diff --git a/x11-toolkits/qt6-quick3d/distinfo b/x11-toolkits/qt6-quick3d/distinfo
index f2619dddb9bc..bb64c2fcc563 100644
--- a/x11-toolkits/qt6-quick3d/distinfo
+++ b/x11-toolkits/qt6-quick3d/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102991
-SHA256 (KDE/Qt/6.6.1/qtquick3d-everywhere-src-6.6.1.tar.xz) = 151500ee2223d61b5f83a3a033323812a5438eef9703546f6dbb837db8ce8422
-SIZE (KDE/Qt/6.6.1/qtquick3d-everywhere-src-6.6.1.tar.xz) = 59170016
+TIMESTAMP = 1707970434
+SHA256 (KDE/Qt/6.6.2/qtquick3d-everywhere-src-6.6.2.tar.xz) = fcdc9f8955ea12ca8ffa4d202edec2ac2b70f3955e50a17157bf7d19dab93a38
+SIZE (KDE/Qt/6.6.2/qtquick3d-everywhere-src-6.6.2.tar.xz) = 65602548
diff --git a/x11-toolkits/qt6-quicktimeline/distinfo b/x11-toolkits/qt6-quicktimeline/distinfo
index f4460c88f975..1333b7ad68aa 100644
--- a/x11-toolkits/qt6-quicktimeline/distinfo
+++ b/x11-toolkits/qt6-quicktimeline/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102993
-SHA256 (KDE/Qt/6.6.1/qtquicktimeline-everywhere-src-6.6.1.tar.xz) = 3860f548327d425beb3772eddde1670986646912e2a11721ea37d18199ffe168
-SIZE (KDE/Qt/6.6.1/qtquicktimeline-everywhere-src-6.6.1.tar.xz) = 113688
+TIMESTAMP = 1707970435
+SHA256 (KDE/Qt/6.6.2/qtquicktimeline-everywhere-src-6.6.2.tar.xz) = 8c4e5273c85a23e93da3375ce5e97261707fe9800076aaf164e7e00cc14d9919
+SIZE (KDE/Qt/6.6.2/qtquicktimeline-everywhere-src-6.6.2.tar.xz) = 104816
diff --git a/x11-toolkits/qt6-shadertools/distinfo b/x11-toolkits/qt6-shadertools/distinfo
index 486dc3fb8bc9..08776e493b4a 100644
--- a/x11-toolkits/qt6-shadertools/distinfo
+++ b/x11-toolkits/qt6-shadertools/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701102995
-SHA256 (KDE/Qt/6.6.1/qtshadertools-everywhere-src-6.6.1.tar.xz) = 08338fe4f54954928e41a8a5450627e61bca115039706c28161bf967785e73bb
-SIZE (KDE/Qt/6.6.1/qtshadertools-everywhere-src-6.6.1.tar.xz) = 1063468
+TIMESTAMP = 1707970437
+SHA256 (KDE/Qt/6.6.2/qtshadertools-everywhere-src-6.6.2.tar.xz) = 628bead7ff4e7f42cb910f47d2adefbdea0d8c71a0234baef8ca709bf467b92f
+SIZE (KDE/Qt/6.6.2/qtshadertools-everywhere-src-6.6.2.tar.xz) = 1054668
diff --git a/x11-toolkits/qt6-virtualkeyboard/distinfo b/x11-toolkits/qt6-virtualkeyboard/distinfo
index fc2ea8214e03..b7ba56b8392f 100644
--- a/x11-toolkits/qt6-virtualkeyboard/distinfo
+++ b/x11-toolkits/qt6-virtualkeyboard/distinfo
@@ -1,3 +1,3 @@
-TIMESTAMP = 1701103001
-SHA256 (KDE/Qt/6.6.1/qtvirtualkeyboard-everywhere-src-6.6.1.tar.xz) = 993cde36de23985f0444f379877d58e8b0e76c05dd078e1292251b04c98d7baa
-SIZE (KDE/Qt/6.6.1/qtvirtualkeyboard-everywhere-src-6.6.1.tar.xz) = 3732976
+TIMESTAMP = 1707970440
+SHA256 (KDE/Qt/6.6.2/qtvirtualkeyboard-everywhere-src-6.6.2.tar.xz) = 6142fddb88eb3ed03a97e0d86f7b3121207845b3ec84a92522a78b97886ed81e
+SIZE (KDE/Qt/6.6.2/qtvirtualkeyboard-everywhere-src-6.6.2.tar.xz) = 3723036 |