chore: cherry-pick 4 changes from Release-0-M116 (#39557)

* chore: [25-x-y] cherry-pick 3 changes from Release-0-M116

* 8ff63d378f2c from v8
* 5486190be556 from angle
* d671b099a57d from v8

* chore: update patches

* chore: cherry-pick missing changes

---------

Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Pedro Pontes
2023-08-21 03:42:57 +01:00
committed by GitHub
parent 39bdf64347
commit 31aa0dacee
9 changed files with 386 additions and 1 deletions


@@ -2,3 +2,4 @@ cherry-pick-d0ee0197ddff.patch
cherry-pick-285c7712c506.patch
cherry-pick-2bf945775fe6.patch
cherry-pick-cafe56b591ed.patch
cherry-pick-5486190be556.patch


@@ -0,0 +1,42 @@
From 5486190be5565f9b5567fbd252a10425af3d59ee Mon Sep 17 00:00:00 2001
From: Geoff Lang <geofflang@chromium.org>
Date: Fri, 21 Jul 2023 13:45:52 -0400
Subject: [PATCH] [M114-LTS] Fix read size validation for RGBX formats.
GL_RGBX8_ANGLE is the only format where the upload format is 3-channel
RGB, whilethe download format is 4-channel RGBX. As such, the internal
format corresponding to format+type expects 3-byte input/output. The
format is fixed here for readPixels to output 4 bytes per pixel.
Bug: chromium:1458046
Change-Id: Iec737ed64bade003cfab50dc5f595eb4875e81e4
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4706957
Commit-Queue: Shahbaz Youssefi <syoussefi@chromium.org>
(cherry picked from commit 430a4f559cbc2bcd5d026e8b36ee46ddd80e9651)
Reviewed-on: https://chromium-review.googlesource.com/c/angle/angle/+/4765136
Commit-Queue: Daniel Yip <danielyip@google.com>
Auto-Submit: Daniel Yip <danielyip@google.com>
(cherry picked from commit 4a372ad49ceddea6c13f79adb212a777ec770a66)
---
diff --git a/src/libANGLE/formatutils.cpp b/src/libANGLE/formatutils.cpp
index f2845dc..bb1389aaa 100644
--- a/src/libANGLE/formatutils.cpp
+++ b/src/libANGLE/formatutils.cpp
@@ -1702,7 +1702,15 @@
GLuint InternalFormat::computePixelBytes(GLenum formatType) const
{
const auto &typeInfo = GetTypeInfo(formatType);
- GLuint components = typeInfo.specialInterpretation ? 1u : componentCount;
+ GLuint components = componentCount;
+ if (sizedInternalFormat == GL_RGBX8_ANGLE)
+ {
+ components = 4;
+ }
+ else if (typeInfo.specialInterpretation)
+ {
+ components = 1;
+ }
return components * typeInfo.bytes;
}
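Review bot: The GL_RGBX8_ANGLE special case in computePixelBytes has no comment in the code, so a reader cannot tell why this one format is pinned to 4 components rather than componentCount, or why the check has to precede the specialInterpretation branch; per the commit message this is the value that sizes readPixels output, so the reason deserves to live next to the code. Suggest `// GL_RGBX8_ANGLE is uploaded as 3-channel RGB but read back as 4-channel RGBX, so readPixels must be sized for 4 bytes per pixel.` above the new `if`. Placing the check ahead of the specialInterpretation branch looks intentional, presumably because RGBX8 is paired with an unpacked byte type, but that assumption is not visible in the hunk and is worth stating in the same comment.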


@@ -133,3 +133,4 @@ cherry-pick-aa23556ff213.patch
cherry-pick-abb3ebd3d2ef.patch
cherry-pick-83b0bdb696d8.patch
cherry-pick-e40cb330b645.patch
networkcontext_don_t_access_url_loader_factories_during_destruction.patch


@@ -0,0 +1,93 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Adam Rice <ricea@chromium.org>
Date: Tue, 8 Aug 2023 08:48:51 +0000
Subject: NetworkContext: Don't access url_loader_factories_ during destruction
Move the contents of `url_loader_factories_` to a temporary variable in
the destructor of network::NetworkContext so that re-entrant calls to
DestroyURLLoaderFactory() don't happen after it has started being
destroyed.
BUG=1465833
(cherry picked from commit e579b20308290df03f045c5d0ccb852d96b24ce3)
Change-Id: I476f0865256bdcba4ec934688597e69991968f84
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4733351
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Commit-Queue: Adam Rice <ricea@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1177648}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4756334
Bot-Commit: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Auto-Submit: Adam Rice <ricea@chromium.org>
Commit-Queue: Rubber Stamper <rubber-stamper@appspot.gserviceaccount.com>
Cr-Commit-Position: refs/branch-heads/5845@{#1252}
Cr-Branched-From: 5a5dff63a4a4c63b9b18589819bebb2566c85443-refs/heads/main@{#1160321}
diff --git a/services/network/network_context.cc b/services/network/network_context.cc
index 0f31bafe0f56edce4d695058a94d721a2e92acd1..0945464b5df7745ca9cdfe7ee87eaf5ee8bce9e4 100644
--- a/services/network/network_context.cc
+++ b/services/network/network_context.cc
@@ -721,6 +721,8 @@ NetworkContext::NetworkContext(
}
NetworkContext::~NetworkContext() {
+ is_destructing_ = true;
+
// May be nullptr in tests.
if (network_service_)
network_service_->DeregisterNetworkContext(this);
@@ -778,6 +780,12 @@ NetworkContext::~NetworkContext() {
}
}
#endif // BUILDFLAG(IS_DIRECTORY_TRANSFER_REQUIRED)
+
+ // Clear `url_loader_factories_` before deleting the contents, as it can
+ // result in re-entrant calls to DestroyURLLoaderFactory().
+ std::set<std::unique_ptr<cors::CorsURLLoaderFactory>,
+ base::UniquePtrComparator>
+ url_loader_factories = std::move(url_loader_factories_);
}
// static
@@ -1021,6 +1029,9 @@ void NetworkContext::DisableQuic() {
void NetworkContext::DestroyURLLoaderFactory(
cors::CorsURLLoaderFactory* url_loader_factory) {
+ if (is_destructing_) {
+ return;
+ }
auto it = url_loader_factories_.find(url_loader_factory);
DCHECK(it != url_loader_factories_.end());
url_loader_factories_.erase(it);
diff --git a/services/network/network_context.h b/services/network/network_context.h
index 5a15c65967b73e54ea742c4f44ee40dd8c2add1e..81866e0ee2bbda938782fff27a7c8c9d3459730c 100644
--- a/services/network/network_context.h
+++ b/services/network/network_context.h
@@ -927,6 +927,10 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
// according to the spec.
bool acam_preflight_spec_conformant_ = true;
+ // True once the destructor has been called. Used to guard against re-entrant
+ // calls to DestroyURLLoaderFactory().
+ bool is_destructing_ = false;
+
// Indicating whether
// https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name is
// supported.
@@ -935,13 +939,8 @@ class COMPONENT_EXPORT(NETWORK_SERVICE) NetworkContext
// CorsURLLoaderFactory assumes that fields owned by the NetworkContext always
// live longer than the factory. Therefore we want the factories to be
- // destroyed before other fields above. In particular:
- // - This must be below |url_request_context_| so that the URLRequestContext
- // outlives all the URLLoaderFactories and URLLoaders that depend on it;
- // for the same reason, it must also be below |network_context_|.
- // - This must be below |loader_count_per_process_| that is touched by
- // CorsURLLoaderFactory::DestroyURLLoader (see also
- // https://crbug.com/1174943).
+ // destroyed before other fields above. This is accomplished by explicitly
+ // clearing `url_loader_factories_` in the destructor.
std::set<std::unique_ptr<cors::CorsURLLoaderFactory>,
base::UniquePtrComparator>
url_loader_factories_;
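Review bot: The early return added at the top of DestroyURLLoaderFactory in the third hunk silently drops the request without saying why that is safe; a reader has to find the `std::move` in the destructor to see that the factory is still owned by the local set and will be deleted with it. Suggest `// During destruction the factories have been moved to a local in ~NetworkContext and are deleted with it; erasing here would touch the moved-from set.` above the `return`. Note also that `is_destructing_` is set on the first line of the destructor, so a call arriving from DeregisterNetworkContext() or anything else that runs before the move is likewise dropped rather than erased, which the flag's comment in network_context.h (`True once the destructor has been called`) could state explicitly. The destructor body between the first two .cc hunks is not visible here.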


@@ -21,5 +21,7 @@
"src/electron/patches/ReactiveObjC": "src/third_party/squirrel.mac/vendor/ReactiveObjC",
"src/electron/patches/webrtc": "src/third_party/webrtc"
"src/electron/patches/webrtc": "src/third_party/webrtc",
"src/electron/patches/skia": "src/third_party/skia"
}

patches/skia/.patches Normal file

@@ -0,0 +1 @@
enforce_an_upper_limit_of_715_million_path_verbs_in_skpath.patch


@@ -0,0 +1,118 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: John Stiles <johnstiles@google.com>
Date: Thu, 3 Aug 2023 13:33:52 -0400
Subject: Enforce an upper limit of 715 million path verbs in SkPath.
Bug: chromium:1464215
Change-Id: Iedb7d73fc80de5ffb881b664dd77314cc2c6b108
Reviewed-on: https://skia-review.googlesource.com/c/skia/+/735316
Reviewed-by: Brian Osman <brianosman@google.com>
Commit-Queue: John Stiles <johnstiles@google.com>
diff --git a/relnotes/path_715M.md b/relnotes/path_715M.md
new file mode 100644
index 0000000000000000000000000000000000000000..7be9a40f1fc5b4f6432c490725b05d536d497fb1
--- /dev/null
+++ b/relnotes/path_715M.md
@@ -0,0 +1 @@
+SkPath now enforces an upper limit of 715 million path verbs.
diff --git a/src/core/SkPath.cpp b/src/core/SkPath.cpp
index d08c5958d5aabbbdc83a103a350844b40d0814b8..19d0a74504bf34870db18d9c20458d68721d7f5e 100644
--- a/src/core/SkPath.cpp
+++ b/src/core/SkPath.cpp
@@ -34,6 +34,7 @@
#include <cmath>
#include <cstring>
#include <iterator>
+#include <limits.h>
#include <utility>
struct SkPath_Storage_Equivalent {
@@ -3421,43 +3422,52 @@ bool SkPath::IsCubicDegenerate(const SkPoint& p1, const SkPoint& p2,
SkPathVerbAnalysis sk_path_analyze_verbs(const uint8_t vbs[], int verbCount) {
SkPathVerbAnalysis info = {false, 0, 0, 0};
-
bool needMove = true;
bool invalid = false;
- for (int i = 0; i < verbCount; ++i) {
- switch ((SkPathVerb)vbs[i]) {
- case SkPathVerb::kMove:
- needMove = false;
- info.points += 1;
- break;
- case SkPathVerb::kLine:
- invalid |= needMove;
- info.segmentMask |= kLine_SkPathSegmentMask;
- info.points += 1;
- break;
- case SkPathVerb::kQuad:
- invalid |= needMove;
- info.segmentMask |= kQuad_SkPathSegmentMask;
- info.points += 2;
- break;
- case SkPathVerb::kConic:
- invalid |= needMove;
- info.segmentMask |= kConic_SkPathSegmentMask;
- info.points += 2;
- info.weights += 1;
- break;
- case SkPathVerb::kCubic:
- invalid |= needMove;
- info.segmentMask |= kCubic_SkPathSegmentMask;
- info.points += 3;
- break;
- case SkPathVerb::kClose:
- invalid |= needMove;
- needMove = true;
- break;
- default:
- invalid = true;
- break;
+
+ if (verbCount >= (INT_MAX / 3)) {
+ // A path with an extremely high number of quad, conic or cubic verbs could cause
+ // `info.points` to overflow. To prevent against this, we reject extremely large paths. This
+ // check is conservative and assumes the worst case (in particular, it assumes that every
+ // verb consumes 3 points, which would only happen for a path composed entirely of cubics).
+ // This limits us to 700 million verbs, which is large enough for any reasonable use case.
+ invalid = true;
+ } else {
+ for (int i = 0; i < verbCount; ++i) {
+ switch ((SkPathVerb)vbs[i]) {
+ case SkPathVerb::kMove:
+ needMove = false;
+ info.points += 1;
+ break;
+ case SkPathVerb::kLine:
+ invalid |= needMove;
+ info.segmentMask |= kLine_SkPathSegmentMask;
+ info.points += 1;
+ break;
+ case SkPathVerb::kQuad:
+ invalid |= needMove;
+ info.segmentMask |= kQuad_SkPathSegmentMask;
+ info.points += 2;
+ break;
+ case SkPathVerb::kConic:
+ invalid |= needMove;
+ info.segmentMask |= kConic_SkPathSegmentMask;
+ info.points += 2;
+ info.weights += 1;
+ break;
+ case SkPathVerb::kCubic:
+ invalid |= needMove;
+ info.segmentMask |= kCubic_SkPathSegmentMask;
+ info.points += 3;
+ break;
+ case SkPathVerb::kClose:
+ invalid |= needMove;
+ needMove = true;
+ break;
+ default:
+ invalid = true;
+ break;
+ }
}
}
info.valid = !invalid;
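Review bot: The new `#include <limits.h>` breaks with the surrounding C++ headers (`<cmath>`, `<cstring>`, `<iterator>`), so `#include <climits>` would match the file's style for INT_MAX. The comment above the new guard says it "limits us to 700 million verbs" while the subject line and relnote say 715 million; INT_MAX / 3 is 715,827,882, so `// This limits us to roughly 715 million verbs (INT_MAX / 3), which is large enough for any reasonable use case.` keeps the three in agreement. The bound itself is sound for the counters visible here: with fewer than INT_MAX / 3 verbs and at most 3 points per verb `info.points` stays below INT_MAX, and `info.weights` grows at most once per verb so it is covered as well. sk_path_analyze_verbs continues past the end of the hunk.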


@@ -9,3 +9,4 @@ fix_disable_implies_dcheck_for_node_stream_array_buffers.patch
force_cppheapcreateparams_to_be_noncopyable.patch
chore_allow_customizing_microtask_policy_per_context.patch
fix_set_proper_instruction_start_for_builtin.patch
cherry-pick-8ff63d378f2c.patch


@@ -0,0 +1,126 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shu-yu Guo <syg@chromium.org>
Date: Wed, 2 Aug 2023 17:41:03 -0700
Subject: Merged: [builtins] Clear FixedArray slot in Promise builtins
Fixed: chromium:1468943
(cherry picked from commit a84849ed718932b94dc877bb44a2d38eb8a0aef9)
Change-Id: Ia2b181c373c15bd1840e2a1572c0e930cddcd788
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/4753495
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Auto-Submit: Shu-yu Guo <syg@chromium.org>
Cr-Commit-Position: refs/branch-heads/11.6@{#28}
Cr-Branched-From: e29c028f391389a7a60ee37097e3ca9e396d6fa4-refs/heads/11.6.189@{#3}
Cr-Branched-From: 95cbef20e2aa556a1ea75431a48b36c4de6b9934-refs/heads/main@{#88340}
diff --git a/src/builtins/promise-all-element-closure.tq b/src/builtins/promise-all-element-closure.tq
index db3fb0134cf5bf0065174153171ef44a726a6fff..036e3c7b7473eae98f39a6da4472e826420086c8 100644
--- a/src/builtins/promise-all-element-closure.tq
+++ b/src/builtins/promise-all-element-closure.tq
@@ -175,11 +175,22 @@ transitioning macro PromiseAllResolveElementClosure<F: type>(
*NativeContextSlot(
nativeContext, ContextSlot::JS_ARRAY_PACKED_ELEMENTS_MAP_INDEX);
- // If resolve and reject handlers close over values to keep track of whether
- // an input promise is already settled, mark the values array as COW before
- // letting it escape to user code.
- if (hasResolveAndRejectClosures) MakeFixedArrayCOW(values);
-
+ // After this point, values escapes to user code.
+ //
+ // If resolve and reject handlers close over values to keep track of
+ // whether an input promise is already settled, mark the values array as
+ // COW. The original values array is still needed to guard against resolve
+ // or reject being called multiple times for an element.
+ //
+ // Otherwise, clear the slot.
+ if (hasResolveAndRejectClosures) {
+ MakeFixedArrayCOW(values);
+ } else {
+ *ContextSlot(
+ promiseContext,
+ PromiseAllResolveElementContextSlots::
+ kPromiseAllResolveElementValuesSlot) = kEmptyFixedArray;
+ }
const valuesArray = NewJSArray(arrayMap, values);
Call(promiseContext, resolve, Undefined, valuesArray);
}
diff --git a/src/builtins/promise-all.tq b/src/builtins/promise-all.tq
index 4d131abb44b7593d3e361d1d2f971380ee91850c..7205279526fa9edd93f154feb9694c22cae68606 100644
--- a/src/builtins/promise-all.tq
+++ b/src/builtins/promise-all.tq
@@ -278,15 +278,16 @@ Reject(JSAny) {
check(remainingElementsCount >= 0);
+ const valuesRef:&FixedArray = ContextSlot(
+ resolveElementContext,
+ PromiseAllResolveElementContextSlots::
+ kPromiseAllResolveElementValuesSlot);
+ const values = *valuesRef;
+
if (remainingElementsCount > 0) {
// Pre-allocate the backing store for the {values} to the desired
// capacity. We may already have elements in "values" - this happens
// when the Thenable calls the resolve callback immediately.
- const valuesRef:&FixedArray = ContextSlot(
- resolveElementContext,
- PromiseAllResolveElementContextSlots::
- kPromiseAllResolveElementValuesSlot);
- const values = *valuesRef;
// 'index' is a 1-based index and incremented after every Promise. Later we
// use 'values' as a 0-based array, so capacity 'index - 1' is enough.
const newCapacity = SmiUntag(index) - 1;
@@ -301,19 +302,23 @@ Reject(JSAny) {
// Let valuesArray be CreateArrayFromList(values).
// Perform ? Call(resultCapability.[[Resolve]], undefined,
// « valuesArray »).
-
- const values: FixedArray = *ContextSlot(
- resolveElementContext,
- PromiseAllResolveElementContextSlots::
- kPromiseAllResolveElementValuesSlot);
const arrayMap =
*NativeContextSlot(
nativeContext, ContextSlot::JS_ARRAY_PACKED_ELEMENTS_MAP_INDEX);
+ // After this point, values escapes to user code.
+ //
// If resolve and reject handlers close over values to keep track of
// whether an input promise is already settled, mark the values array as
- // COW before letting it escape to user code.
- if (hasResolveAndRejectClosures) MakeFixedArrayCOW(values);
+ // COW. The original values array is still needed to guard against resolve
+ // or reject being called multiple times for an element.
+ //
+ // Otherwise, clear the slot.
+ if (hasResolveAndRejectClosures) {
+ MakeFixedArrayCOW(values);
+ } else {
+ *valuesRef = kEmptyFixedArray;
+ }
const valuesArray = NewJSArray(arrayMap, values);
Call(nativeContext, UnsafeCast<JSAny>(resolve), Undefined, valuesArray);
diff --git a/src/builtins/promise-any.tq b/src/builtins/promise-any.tq
index 7e707e649f11bc946a6d1173180d7293fe94d8ce..45bafac0e6b09143b69b21a7292f9ed6b9c46239 100644
--- a/src/builtins/promise-any.tq
+++ b/src/builtins/promise-any.tq
@@ -313,10 +313,14 @@ Reject(JSAny) {
// We may already have elements in "errors" - this happens when the
// Thenable calls the reject callback immediately.
- const errors: FixedArray = *ContextSlot(
+ const errorsRef:&FixedArray = ContextSlot(
rejectElementContext,
PromiseAnyRejectElementContextSlots::
kPromiseAnyRejectElementErrorsSlot);
+ const errors: FixedArray = *errorsRef;
+
+ // After this point, errors escapes to user code. Clear the slot.
+ *errorsRef = kEmptyFixedArray;
check(errors.length == index - 1);
const error = ConstructAggregateError(errors);