Commit 2499594c authored by Keeley Hammond's avatar Keeley Hammond

chore: [23-x-y] cherry-pick 2 changes from Release-0-M113

* 81d7b3e6138c from chromium
* cf90db14f2e1 from chromium
parent 0eb53be2
......@@ -139,3 +139,5 @@ cherry-pick-63686953dc22.patch
merge_m112_remove_the_second_weakptrfactory_from.patch
merge_m112_check_spdyproxyclientsocket_is_alive_after_write.patch
check_callback_availability_in.patch
cherry-pick-81d7b3e6138c.patch
cherry-pick-cf90db14f2e1.patch
From 81d7b3e6138cb98ddbedc86a7eea328b00b267c7 Mon Sep 17 00:00:00 2001
From: Joey Arhar <jarhar@chromium.org>
Date: Fri, 21 Apr 2023 20:53:40 +0000
Subject: [PATCH] M112: Cherry pick libxml CVE fix
This patch cherry-picks a fix for [CVE-2023-29469] from libxml:
https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df
I cherry-picked these by going into my libxml checkout, checking out the
commit that libxml is at for this M112 branch, cherry-picking the CVE
fixes, then running the roll script on all platforms.
Bug: 1433328
Change-Id: Iaee58b0890f7190386cca3e430286f39ccbbdb02
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4456592
Commit-Queue: David Baron <dbaron@chromium.org>
Reviewed-by: David Baron <dbaron@chromium.org>
Commit-Queue: Joey Arhar <jarhar@chromium.org>
Auto-Submit: Joey Arhar <jarhar@chromium.org>
Cr-Commit-Position: refs/branch-heads/5615@{#1325}
Cr-Branched-From: 9c6408ef696e83a9936b82bbead3d41c93c82ee4-refs/heads/main@{#1109224}
---
diff --git a/third_party/libxml/README.chromium b/third_party/libxml/README.chromium
index 6d0a1fa..d1002e2a 100644
--- a/third_party/libxml/README.chromium
+++ b/third_party/libxml/README.chromium
@@ -19,5 +19,6 @@
in chromium's copy of maldoca. See https://github.com/google/maldoca/issues/87
- Add helper classes in the chromium/ subdirectory.
- Delete various unused files, see chromium/roll.py
+- Cherry picked fix for CVE-2023-29469
This import was generated by the chromium/roll.py script.
diff --git a/third_party/libxml/linux/doc/Makefile b/third_party/libxml/linux/doc/Makefile
index 4ab8a0e..b2859bd28 100644
--- a/third_party/libxml/linux/doc/Makefile
+++ b/third_party/libxml/linux/doc/Makefile
@@ -308,7 +308,7 @@
RANLIB = ranlib
RDL_CFLAGS =
RDL_LIBS =
-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
SED = /usr/bin/sed
SET_MAKE =
SHELL = /bin/sh
diff --git a/third_party/libxml/linux/doc/devhelp/Makefile b/third_party/libxml/linux/doc/devhelp/Makefile
index 09140c4c..35157eb 100644
--- a/third_party/libxml/linux/doc/devhelp/Makefile
+++ b/third_party/libxml/linux/doc/devhelp/Makefile
@@ -247,7 +247,7 @@
RANLIB = ranlib
RDL_CFLAGS =
RDL_LIBS =
-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
SED = /usr/bin/sed
SET_MAKE =
SHELL = /bin/sh
diff --git a/third_party/libxml/linux/doc/examples/Makefile b/third_party/libxml/linux/doc/examples/Makefile
index de49a6e..fc3112d 100644
--- a/third_party/libxml/linux/doc/examples/Makefile
+++ b/third_party/libxml/linux/doc/examples/Makefile
@@ -339,7 +339,7 @@
RANLIB = ranlib
RDL_CFLAGS =
RDL_LIBS =
-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
SED = /usr/bin/sed
SET_MAKE =
SHELL = /bin/sh
diff --git a/third_party/libxml/linux/example/Makefile b/third_party/libxml/linux/example/Makefile
index 64704cc..12da414d 100644
--- a/third_party/libxml/linux/example/Makefile
+++ b/third_party/libxml/linux/example/Makefile
@@ -264,7 +264,7 @@
RANLIB = ranlib
RDL_CFLAGS =
RDL_LIBS =
-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
SED = /usr/bin/sed
SET_MAKE =
SHELL = /bin/sh
diff --git a/third_party/libxml/linux/fuzz/Makefile b/third_party/libxml/linux/fuzz/Makefile
index 1a2b430..f7bad83 100644
--- a/third_party/libxml/linux/fuzz/Makefile
+++ b/third_party/libxml/linux/fuzz/Makefile
@@ -328,7 +328,7 @@
RANLIB = ranlib
RDL_CFLAGS =
RDL_LIBS =
-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
SED = /usr/bin/sed
SET_MAKE =
SHELL = /bin/sh
diff --git a/third_party/libxml/linux/include/private/Makefile b/third_party/libxml/linux/include/private/Makefile
index f510bae..99296fc2 100644
--- a/third_party/libxml/linux/include/private/Makefile
+++ b/third_party/libxml/linux/include/private/Makefile
@@ -216,7 +216,7 @@
RANLIB = ranlib
RDL_CFLAGS =
RDL_LIBS =
-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
SED = /usr/bin/sed
SET_MAKE =
SHELL = /bin/sh
diff --git a/third_party/libxml/linux/python/Makefile b/third_party/libxml/linux/python/Makefile
index e8a0aa0..cd842b7 100644
--- a/third_party/libxml/linux/python/Makefile
+++ b/third_party/libxml/linux/python/Makefile
@@ -355,7 +355,7 @@
RANLIB = ranlib
RDL_CFLAGS =
RDL_LIBS =
-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
SED = /usr/bin/sed
SET_MAKE =
SHELL = /bin/sh
diff --git a/third_party/libxml/linux/python/tests/Makefile b/third_party/libxml/linux/python/tests/Makefile
index fe38ee49..d2b2db6 100644
--- a/third_party/libxml/linux/python/tests/Makefile
+++ b/third_party/libxml/linux/python/tests/Makefile
@@ -247,7 +247,7 @@
RANLIB = ranlib
RDL_CFLAGS =
RDL_LIBS =
-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
SED = /usr/bin/sed
SET_MAKE =
SHELL = /bin/sh
diff --git a/third_party/libxml/linux/xstc/Makefile b/third_party/libxml/linux/xstc/Makefile
index ccb07dc..51c32e7a 100644
--- a/third_party/libxml/linux/xstc/Makefile
+++ b/third_party/libxml/linux/xstc/Makefile
@@ -216,7 +216,7 @@
RANLIB = ranlib
RDL_CFLAGS =
RDL_LIBS =
-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
SED = /usr/bin/sed
SET_MAKE =
SHELL = /bin/sh
diff --git a/third_party/libxml/src/dict.c b/third_party/libxml/src/dict.c
index 1335387..d0208da1f 100644
--- a/third_party/libxml/src/dict.c
+++ b/third_party/libxml/src/dict.c
@@ -431,7 +431,8 @@
xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
unsigned long value = seed;
- if (name == NULL) return(0);
+ if ((name == NULL) || (namelen <= 0))
+ return(value);
value += *name;
value <<= 5;
if (namelen > 10) {
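Review bot: The new guard `if ((name == NULL) || (namelen <= 0))` in xmlDictComputeFastKey has no comment explaining why a non-positive length must return before `value += *name;`, which is the point of the fix. I would add above it `/* Never read *name for an empty or negative-length key: the buffer need not be NUL-terminated, so the hash would not be deterministic. */`; the NUL-termination rationale is inferred from the CVE reference in the commit message, so confirm the wording against the upstream commit. The `name == NULL` case also changes from returning 0 to returning the seed. That looks harmless as long as every insert and lookup hashes through this function, but the callers and the rest of the function body are outside the hunk.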
From cf90db14f2e18cd17c421a277dacdfafb313e0c3 Mon Sep 17 00:00:00 2001
From: Keren Zhu <kerenzhu@chromium.org>
Date: Mon, 24 Apr 2023 15:36:21 +0000
Subject: [PATCH] [M112] Fix ScopedObservation UaF in BubbleDialogDelegate::AnchorWidgetObserver
A ScopedObservation can outlive the aura::Window it observes, leading to
a use-after-free error in ~ScopedObservation(). The problem occurs in
BubbleDialogDelegate::AnchorWidgetObserver. This fix listens for
OnWindowDestroying() and resets the observation to prevent the UaF.
(cherry picked from commit 72bd6a1018548ee63a2ec06d6c7714d3a8cdf8a8)
Bug: 1423360
Change-Id: I742b4624b2664dea3fd97db7b399fcd15e45c8fe
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4455016
Code-Coverage: Findit <findit-for-me@appspot.gserviceaccount.com>
Reviewed-by: Elly Fong-Jones <ellyjones@chromium.org>
Commit-Queue: Keren Zhu <kerenzhu@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1133511}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4466947
Reviewed-by: Allen Bauer <kylixrd@chromium.org>
Cr-Commit-Position: refs/branch-heads/5615@{#1353}
Cr-Branched-From: 9c6408ef696e83a9936b82bbead3d41c93c82ee4-refs/heads/main@{#1109224}
---
diff --git a/ui/views/bubble/bubble_dialog_delegate_view.cc b/ui/views/bubble/bubble_dialog_delegate_view.cc
index fea3d6b..8561f40 100644
--- a/ui/views/bubble/bubble_dialog_delegate_view.cc
+++ b/ui/views/bubble/bubble_dialog_delegate_view.cc
@@ -308,6 +308,13 @@
owner_->OnAnchorBoundsChanged();
}
}
+
+ // If the native window is closed by the OS, OnWidgetDestroying() won't
+ // fire. Instead, OnWindowDestroying() will fire before aura::Window
+ // destruction. See //docs/ui/views/widget_destruction.md.
+ void OnWindowDestroying(aura::Window* window) override {
+ window_observation_.Reset();
+ }
#endif
private:
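Review bot: `OnWindowDestroying(aura::Window* window)` ignores its `window` argument and resets `window_observation_` unconditionally, so nothing checks that the window being destroyed is the one being observed. A `DCHECK(window_observation_.IsObservingSource(window));` before `window_observation_.Reset();` would state that invariant and catch a mismatched notification in debug builds. If another path (for example the widget-destroying handler, not visible here) can reset the observation first, use `if (window_observation_.IsObservingSource(window))` as the condition instead. No regression test for the OS-initiated close path is visible in this section. The observer class begins outside the hunk.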