chore: [23-x-y] cherry-pick 2 changes from Release-0-M113

* 81d7b3e6138c from chromium * cf90db14f2e1 from chromium

chore: [23-x-y] cherry-pick 2 changes from Release-0-M113
* 81d7b3e6138c from chromium * cf90db14f2e1 from chromium
2499594c · Keeley Hammond · 0eb53be2 · 2499594c · 2499594c · 2499594c
Commit 2499594c authored 2 years ago by Keeley Hammond
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -139,3 +139,5 @@ cherry-pick-63686953dc22.patch
 merge_m112_remove_the_second_weakptrfactory_from.patch
 merge_m112_check_spdyproxyclientsocket_is_alive_after_write.patch
 check_callback_availability_in.patch
+cherry-pick-81d7b3e6138c.patch
+cherry-pick-cf90db14f2e1.patch
--- a/patches/chromium/cherry-pick-81d7b3e6138c.patch
+++ b/patches/chromium/cherry-pick-81d7b3e6138c.patch
+From 81d7b3e6138cb98ddbedc86a7eea328b00b267c7 Mon Sep 17 00:00:00 2001
+From: Joey Arhar <jarhar@chromium.org>
+Date: Fri, 21 Apr 2023 20:53:40 +0000
+Subject: [PATCH] M112: Cherry pick libxml CVE fix
+
+This patch cherry-picks a fix for [CVE-2023-29469] from libxml:
+https://gitlab.gnome.org/GNOME/libxml2/-/commit/547edbf1cbdccd46b2e8ff322a456eaa5931c5df
+
+I cherry-picked these by going into my libxml checkout, checking out the
+commit that libxml is at for this M112 branch, cherry-picking the CVE
+fixes, then running the roll script on all platforms.
+
+Bug: 1433328
+Change-Id: Iaee58b0890f7190386cca3e430286f39ccbbdb02
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4456592
+Commit-Queue: David Baron <dbaron@chromium.org>
+Reviewed-by: David Baron <dbaron@chromium.org>
+Commit-Queue: Joey Arhar <jarhar@chromium.org>
+Auto-Submit: Joey Arhar <jarhar@chromium.org>
+Cr-Commit-Position: refs/branch-heads/5615@{#1325}
+Cr-Branched-From: 9c6408ef696e83a9936b82bbead3d41c93c82ee4-refs/heads/main@{#1109224}
+---
+
+diff --git a/third_party/libxml/README.chromium b/third_party/libxml/README.chromium
+index 6d0a1fa..d1002e2a 100644
+--- a/third_party/libxml/README.chromium
+++ b/third_party/libxml/README.chromium
+@@ -19,5 +19,6 @@
+   in chromium's copy of maldoca. See https://github.com/google/maldoca/issues/87
+ - Add helper classes in the chromium/ subdirectory.
+ - Delete various unused files, see chromium/roll.py
+- Cherry picked fix for CVE-2023-29469
+ 
+ This import was generated by the chromium/roll.py script.
+diff --git a/third_party/libxml/linux/doc/Makefile b/third_party/libxml/linux/doc/Makefile
+index 4ab8a0e..b2859bd28 100644
+--- a/third_party/libxml/linux/doc/Makefile
+++ b/third_party/libxml/linux/doc/Makefile
+@@ -308,7 +308,7 @@
+ RANLIB = ranlib
+ RDL_CFLAGS = 
+ RDL_LIBS = 
+-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
+ SED = /usr/bin/sed
+ SET_MAKE = 
+ SHELL = /bin/sh
+diff --git a/third_party/libxml/linux/doc/devhelp/Makefile b/third_party/libxml/linux/doc/devhelp/Makefile
+index 09140c4c..35157eb 100644
+--- a/third_party/libxml/linux/doc/devhelp/Makefile
+++ b/third_party/libxml/linux/doc/devhelp/Makefile
+@@ -247,7 +247,7 @@
+ RANLIB = ranlib
+ RDL_CFLAGS = 
+ RDL_LIBS = 
+-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
+ SED = /usr/bin/sed
+ SET_MAKE = 
+ SHELL = /bin/sh
+diff --git a/third_party/libxml/linux/doc/examples/Makefile b/third_party/libxml/linux/doc/examples/Makefile
+index de49a6e..fc3112d 100644
+--- a/third_party/libxml/linux/doc/examples/Makefile
+++ b/third_party/libxml/linux/doc/examples/Makefile
+@@ -339,7 +339,7 @@
+ RANLIB = ranlib
+ RDL_CFLAGS = 
+ RDL_LIBS = 
+-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
+ SED = /usr/bin/sed
+ SET_MAKE = 
+ SHELL = /bin/sh
+diff --git a/third_party/libxml/linux/example/Makefile b/third_party/libxml/linux/example/Makefile
+index 64704cc..12da414d 100644
+--- a/third_party/libxml/linux/example/Makefile
+++ b/third_party/libxml/linux/example/Makefile
+@@ -264,7 +264,7 @@
+ RANLIB = ranlib
+ RDL_CFLAGS = 
+ RDL_LIBS = 
+-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
+ SED = /usr/bin/sed
+ SET_MAKE = 
+ SHELL = /bin/sh
+diff --git a/third_party/libxml/linux/fuzz/Makefile b/third_party/libxml/linux/fuzz/Makefile
+index 1a2b430..f7bad83 100644
+--- a/third_party/libxml/linux/fuzz/Makefile
+++ b/third_party/libxml/linux/fuzz/Makefile
+@@ -328,7 +328,7 @@
+ RANLIB = ranlib
+ RDL_CFLAGS = 
+ RDL_LIBS = 
+-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
+ SED = /usr/bin/sed
+ SET_MAKE = 
+ SHELL = /bin/sh
+diff --git a/third_party/libxml/linux/include/private/Makefile b/third_party/libxml/linux/include/private/Makefile
+index f510bae..99296fc2 100644
+--- a/third_party/libxml/linux/include/private/Makefile
+++ b/third_party/libxml/linux/include/private/Makefile
+@@ -216,7 +216,7 @@
+ RANLIB = ranlib
+ RDL_CFLAGS = 
+ RDL_LIBS = 
+-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
+ SED = /usr/bin/sed
+ SET_MAKE = 
+ SHELL = /bin/sh
+diff --git a/third_party/libxml/linux/python/Makefile b/third_party/libxml/linux/python/Makefile
+index e8a0aa0..cd842b7 100644
+--- a/third_party/libxml/linux/python/Makefile
+++ b/third_party/libxml/linux/python/Makefile
+@@ -355,7 +355,7 @@
+ RANLIB = ranlib
+ RDL_CFLAGS = 
+ RDL_LIBS = 
+-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
+ SED = /usr/bin/sed
+ SET_MAKE = 
+ SHELL = /bin/sh
+diff --git a/third_party/libxml/linux/python/tests/Makefile b/third_party/libxml/linux/python/tests/Makefile
+index fe38ee49..d2b2db6 100644
+--- a/third_party/libxml/linux/python/tests/Makefile
+++ b/third_party/libxml/linux/python/tests/Makefile
+@@ -247,7 +247,7 @@
+ RANLIB = ranlib
+ RDL_CFLAGS = 
+ RDL_LIBS = 
+-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
+ SED = /usr/bin/sed
+ SET_MAKE = 
+ SHELL = /bin/sh
+diff --git a/third_party/libxml/linux/xstc/Makefile b/third_party/libxml/linux/xstc/Makefile
+index ccb07dc..51c32e7a 100644
+--- a/third_party/libxml/linux/xstc/Makefile
+++ b/third_party/libxml/linux/xstc/Makefile
+@@ -216,7 +216,7 @@
+ RANLIB = ranlib
+ RDL_CFLAGS = 
+ RDL_LIBS = 
+-RELDATE = Wed Feb 22 2023
+RELDATE = Thu Apr 20 2023
+ SED = /usr/bin/sed
+ SET_MAKE = 
+ SHELL = /bin/sh
+diff --git a/third_party/libxml/src/dict.c b/third_party/libxml/src/dict.c
+index 1335387..d0208da1f 100644
+--- a/third_party/libxml/src/dict.c
+++ b/third_party/libxml/src/dict.c
+@@ -431,7 +431,8 @@
+ xmlDictComputeFastKey(const xmlChar *name, int namelen, int seed) {
+     unsigned long value = seed;
+ 
+-    if (name == NULL) return(0);
+    if ((name == NULL) || (namelen <= 0))
+        return(value);
+     value += *name;
+     value <<= 5;
+     if (namelen > 10) {
--- a/patches/chromium/cherry-pick-cf90db14f2e1.patch
+++ b/patches/chromium/cherry-pick-cf90db14f2e1.patch
+From cf90db14f2e18cd17c421a277dacdfafb313e0c3 Mon Sep 17 00:00:00 2001
+From: Keren Zhu <kerenzhu@chromium.org>
+Date: Mon, 24 Apr 2023 15:36:21 +0000
+Subject: [PATCH] [M112] Fix ScopedObservation UaF in BubbleDialogDelegate::AnchorWidgetObserver
+
+A ScopedObservation can outlive the aura::Window it observes, leading to
+a use-after-free error in ~ScopedObservation(). The problem occurs in
+BubbleDialogDelegate::AnchorWidgetObserver. This fix listens for
+OnWindowDestroying() and resets the observation to prevent the UaF.
+
+(cherry picked from commit 72bd6a1018548ee63a2ec06d6c7714d3a8cdf8a8)
+
+Bug: 1423360
+Change-Id: I742b4624b2664dea3fd97db7b399fcd15e45c8fe
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4455016
+Code-Coverage: Findit <findit-for-me@appspot.gserviceaccount.com>
+Reviewed-by: Elly Fong-Jones <ellyjones@chromium.org>
+Commit-Queue: Keren Zhu <kerenzhu@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#1133511}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4466947
+Reviewed-by: Allen Bauer <kylixrd@chromium.org>
+Cr-Commit-Position: refs/branch-heads/5615@{#1353}
+Cr-Branched-From: 9c6408ef696e83a9936b82bbead3d41c93c82ee4-refs/heads/main@{#1109224}
+---
+
+diff --git a/ui/views/bubble/bubble_dialog_delegate_view.cc b/ui/views/bubble/bubble_dialog_delegate_view.cc
+index fea3d6b..8561f40 100644
+--- a/ui/views/bubble/bubble_dialog_delegate_view.cc
+++ b/ui/views/bubble/bubble_dialog_delegate_view.cc
+@@ -308,6 +308,13 @@
+       owner_->OnAnchorBoundsChanged();
+     }
+   }
+
+  // If the native window is closed by the OS, OnWidgetDestroying() won't
+  // fire. Instead, OnWindowDestroying() will fire before aura::Window
+  // destruction. See //docs/ui/views/widget_destruction.md.
+  void OnWindowDestroying(aura::Window* window) override {
+    window_observation_.Reset();
+  }
+ #endif
+ 
+  private: