github/electron
1
1
Fork 0
mirror of https://github.com/electron/electron.git synced 2026-04-10 03:01:51 -04:00
Code Issues Packages Projects Releases Wiki Activity

chore: bump chromium to 122.0.6261.156 (29-x-y) (#41765)

Browse Source 
* chore: bump chromium in DEPS to 122.0.6261.156

* chore: update patches

---------

Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com>
Co-authored-by: John Kleinschmidt <jkleinsc@electronjs.org>
This commit is contained in:
electron-roller[bot]
2024-04-03 15:53:09 -04:00
committed by GitHub
parent fe4d3a2484
commit e656c270a2
13 changed files with 2 additions and 2109 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
DEPS
View File

@@ -2,7 +2,7 @@ gclient_gn_args_from = 'src'
vars = {
'chromium_version':
'122.0.6261.148',
'122.0.6261.156',
'node_version':
'v20.9.0',
'nan_version':

3
patches/chromium/.patches
View File

@@ -133,6 +133,3 @@ fix_getcursorscreenpoint_wrongly_returns_0_0.patch
fix_add_support_for_skipping_first_2_no-op_refreshes_in_thumb_cap.patch
remove_dxdiag_telemetry_code.patch
cherry-pick-2607ddacd643.patch
m122_webcodecs_disable_async_videoframe_readback_to_mitigate_a.patch
fix_paintimage_deserialization_arbitrary-read_issue.patch
reland_sensors_winrt_call_onreadingchangedcallback_via.patch

36
patches/chromium/fix_paintimage_deserialization_arbitrary-read_issue.patch
View File

@@ -1,36 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Peng Huang <penghuang@chromium.org>
Date: Wed, 20 Mar 2024 16:22:16 +0000
Subject: Fix PaintImage deserialization arbitrary-read issue
(cherry picked from commit 47e8386c97ac7a84a96866fbd35422b99a01de5a)
Bug: 327183408
Change-Id: I09927fbae60b666aaa370e3aba01607cdb977a25
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5370455
Reviewed-by: Sunny Sachanandani <sunnyps@chromium.org>
Commit-Queue: Peng Huang <penghuang@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1272930}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5382202
Auto-Submit: Peng Huang <penghuang@chromium.org>
Commit-Queue: Sunny Sachanandani <sunnyps@chromium.org>
Cr-Commit-Position: refs/branch-heads/6261@{#1106}
Cr-Branched-From: 9755d9d81e4a8cb5b4f76b23b761457479dbb06b-refs/heads/main@{#1250580}
diff --git a/cc/paint/paint_op_reader.cc b/cc/paint/paint_op_reader.cc
index 22a044734c898997d13f34a04b10e356cc86717e..46c385054b1575cff7ad2ae38be237deea081914 100644
--- a/cc/paint/paint_op_reader.cc
+++ b/cc/paint/paint_op_reader.cc
@@ -1572,9 +1572,10 @@ inline void PaintOpReader::DidRead(size_t bytes_read) {
// All data are aligned with PaintOpWriter::kDefaultAlignment at least.
size_t aligned_bytes =
base::bits::AlignUp(bytes_read, PaintOpWriter::kDefaultAlignment);
- memory_ += aligned_bytes;
DCHECK_LE(aligned_bytes, remaining_bytes_);
- remaining_bytes_ -= aligned_bytes;
+ bytes_read = std::min(aligned_bytes, remaining_bytes_);
+ memory_ += bytes_read;
+ remaining_bytes_ -= bytes_read;
}
} // namespace cc

80
patches/chromium/m122_webcodecs_disable_async_videoframe_readback_to_mitigate_a.patch
View File

@@ -1,80 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Eugene Zemtsov <eugene@chromium.org>
Date: Mon, 25 Mar 2024 19:28:44 +0000
Subject: webcodecs: Disable async VideoFrame readback to mitigate a race
(cherry picked from commit fdc363eb7a1c1c194a02a4cb340534b1501b0f95)
Bug: 330575496
Change-Id: I187a113528da9d1c4316186e3dd24f91dbfd818b
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5386784
Commit-Queue: Eugene Zemtsov <eugene@chromium.org>
Reviewed-by: Dale Curtis <dalecurtis@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#1277172}
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5391828
Reviewed-by: Eugene Zemtsov <eugene@chromium.org>
Commit-Queue: Dale Curtis <dalecurtis@chromium.org>
Reviewed-by: Xiaohan Wang <xhwang@chromium.org>
Commit-Queue: Xiaohan Wang <xhwang@chromium.org>
Auto-Submit: Dale Curtis <dalecurtis@chromium.org>
Cr-Commit-Position: refs/branch-heads/6261@{#1124}
Cr-Branched-From: 9755d9d81e4a8cb5b4f76b23b761457479dbb06b-refs/heads/main@{#1250580}
diff --git a/content/test/data/gpu/webcodecs/copyTo.html b/content/test/data/gpu/webcodecs/copyTo.html
index ec2455c9c18900ad911ce98f326139cbdeabd84f..9453c8d361a572b500e86b1249896bc4114ebe27 100644
--- a/content/test/data/gpu/webcodecs/copyTo.html
+++ b/content/test/data/gpu/webcodecs/copyTo.html
@@ -118,6 +118,16 @@ Take frames coming from various sources and read them using copyTo().
let frame = await source.getNextFrame();
let size = frame.allocationSize();
+ // Readback a whole frame to a regular buffer detach it
+ {
+ let buf = new ArrayBuffer(size);
+ TEST.assert(readWholeBuffer(buf) == 0, "Buffer should be zero");
+ let copy_promise = frame.copyTo(buf);
+ buf.transfer(1);
+ let layout = await copy_promise;
+ TEST.assert(layout, "layout is empty / ArrayBuffer");
+ }
+
// Readback a whole frame to a regular buffer and send it to a worker
{
let {worker, worker_promise } = makeWorker();
@@ -158,4 +168,5 @@ Take frames coming from various sources and read them using copyTo().
TEST.log('Test completed');
}
addManualTestButton([{'source_type': 'offscreen'}]);
+ addManualTestButton([{'source_type': 'arraybuffer'}]);
</script>
diff --git a/third_party/blink/renderer/modules/webcodecs/video_frame.cc b/third_party/blink/renderer/modules/webcodecs/video_frame.cc
index 279359ea2d536358ce946e6f7d8feec2dfcc160c..e37dd9568399283f8006dfd1578c0e5b57566830 100644
--- a/third_party/blink/renderer/modules/webcodecs/video_frame.cc
+++ b/third_party/blink/renderer/modules/webcodecs/video_frame.cc
@@ -80,6 +80,11 @@ namespace blink {
namespace {
+// Controls if VideoFrame.copyTo() reads GPU frames asynchronously
+BASE_FEATURE(kVideoFrameAsyncCopyTo,
+ "VideoFrameAsyncCopyTo",
+ base::FEATURE_DISABLED_BY_DEFAULT);
+
media::VideoPixelFormat ToMediaPixelFormat(V8VideoPixelFormat::Enum fmt) {
switch (fmt) {
case V8VideoPixelFormat::Enum::kI420:
@@ -1217,9 +1222,11 @@ ScriptPromise VideoFrame::copyTo(ScriptState* script_state,
} else {
DCHECK(local_frame->HasTextures());
- if (auto* resolver = CopyToAsync(script_state, local_frame, src_rect,
- destination, dest_layout)) {
- return resolver->Promise();
+ if (base::FeatureList::IsEnabled(kVideoFrameAsyncCopyTo)) {
+ if (auto* resolver = CopyToAsync(script_state, local_frame, src_rect,
+ destination, dest_layout)) {
+ return resolver->Promise();
+ }
}
if (!CopyTexturablePlanes(*local_frame, src_rect, dest_layout, buffer)) {

1690
patches/chromium/reland_sensors_winrt_call_onreadingchangedcallback_via.patch
View File

File diff suppressed because it is too large Load Diff

4
patches/config.json
View File

@@ -12,7 +12,5 @@
{ "patch_dir": "src/electron/patches/ReactiveObjC", "repo": "src/third_party/squirrel.mac/vendor/ReactiveObjC" },
{ "patch_dir": "src/electron/patches/webrtc", "repo": "src/third_party/webrtc" },
{ "patch_dir": "src/electron/patches/reclient-configs", "repo": "src/third_party/engflow-reclient-configs" },
{ "patch_dir": "src/electron/patches/angle", "repo": "src/third_party/angle" },
{ "patch_dir": "src/electron/patches/libvpx", "repo": "src/third_party/libvpx/source/libvpx" },
{ "patch_dir": "src/electron/patches/dxc", "repo": "src/third_party/dawn/third_party/dxc" }
{ "patch_dir": "src/electron/patches/angle", "repo": "src/third_party/angle" }
]

1
patches/dxc/.patches
View File

@@ -1 +0,0 @@
fix_hlmatrixlowerpass_leaving_call_to_dangling_functionval.patch

36
patches/dxc/fix_hlmatrixlowerpass_leaving_call_to_dangling_functionval.patch
View File

@@ -1,36 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Antonio Maiorano <amaiorano@google.com>
Date: Wed, 20 Mar 2024 17:15:40 -0400
Subject: Fix HLMatrixLowerPass leaving call to dangling FunctionVal
When lowering an hl.cast, when the operand was an undef matrix, the pass would insert a call to a mat2vec stub, but since the undef value is not
an alloca, it never gets handled, and the call to the temporary stub
remains. Since the stub FunctionVal gets deleted, when the instruction
is accessed in a future pass, it reads a dangling pointer.
The fix is to handle undef similarly to how constant 0 is handled, and
to return an undef vector from lowerHLCast.
Bug: chromium:328958020
Change-Id: Id31e3aa326d9cb9f03ea97139f14dc5292cd6f7b
Reviewed-on: https://chromium-review.googlesource.com/c/external/github.com/microsoft/DirectXShaderCompiler/+/5383595
Reviewed-by: Ben Clayton <bclayton@chromium.org>
Reviewed-by: David Neto <dneto@google.com>
Reviewed-by: Kenneth Russell <kbr@chromium.org>
diff --git a/lib/HLSL/HLMatrixLowerPass.cpp b/lib/HLSL/HLMatrixLowerPass.cpp
index ca8a8a33fdb475542b3705f3f7a8b8af2554a21f..d5959eb9335465f67d8e7ef7d7ab4eb720274226 100644
--- a/lib/HLSL/HLMatrixLowerPass.cpp
+++ b/lib/HLSL/HLMatrixLowerPass.cpp
@@ -421,6 +421,11 @@ Value *HLMatrixLowerPass::getLoweredByValOperand(Value *Val,
if (isa<ConstantAggregateZero>(Val))
return ConstantAggregateZero::get(LoweredTy);
+ // Lower undef mat as undef vec
+ if (isa<UndefValue>(Val)) {
+ return UndefValue::get(LoweredTy);
+ }
+
// Return a mat-to-vec translation stub
FunctionType *TranslationStubTy =
FunctionType::get(LoweredTy, {Ty}, /* isVarArg */ false);

2
patches/libvpx/.patches
View File

@@ -1,2 +0,0 @@
fix_to_buffer_alloc_for_vp9_bitstream_worker_data.patch
vp9_fix_to_integer_overflow_test.patch

190
patches/libvpx/fix_to_buffer_alloc_for_vp9_bitstream_worker_data.patch
View File

@@ -1,190 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marco Paniconi <marpan@google.com>
Date: Wed, 13 Mar 2024 10:58:17 -0700
Subject: Fix to buffer alloc for vp9_bitstream_worker_data
The code was using the bitstream_worker_data when it
wasn't allocated for big enough size. This is because
the existing condition was to only re-alloc the
bitstream_worker_data when current dest_size was larger
than the current frame_size. But under resolution change
where frame_size is increased, beyond the current dest_size,
we need to allow re-alloc to the new size.
The existing condition to re-alloc when dest_size is
larger than frame_size (which is not required) is kept
for now.
Also increase the dest_size to account for image format.
Added tests, for both ROW_MT=0 and 1, that reproduce
the failures in the bugs below.
Note: this issue only affects the REALTIME encoding path.
Bug: b/329088759, b/329674887, b/329179808
Change-Id: Icd65dbc5317120304d803f648d4bd9405710db6f
(cherry picked from commit c29e63728316486082dd6083c2062434b441b77d)
diff --git a/test/encode_api_test.cc b/test/encode_api_test.cc
index d838b4338550619d131567a0fc8b5b22a719ba96..e1702e4c4e83c16b4043cf6da50829344af6bb6a 100644
--- a/test/encode_api_test.cc
+++ b/test/encode_api_test.cc
@@ -676,7 +676,7 @@ vpx_image_t *CreateImage(const unsigned int width, const unsigned int height) {
// Emulates the WebCodecs VideoEncoder interface.
class VP9Encoder {
public:
- explicit VP9Encoder(int speed) : speed_(speed) {}
+ explicit VP9Encoder(int speed) : speed_(speed), row_mt_(0) {}
~VP9Encoder();
void Configure(unsigned int threads, unsigned int width, unsigned int height,
@@ -685,6 +685,7 @@ class VP9Encoder {
private:
const int speed_;
+ const unsigned int row_mt_;
bool initialized_ = false;
vpx_codec_enc_cfg_t cfg_;
vpx_codec_ctx_t enc_;
@@ -719,6 +720,7 @@ void VP9Encoder::Configure(unsigned int threads, unsigned int width,
cfg_.rc_max_quantizer = 58;
ASSERT_EQ(vpx_codec_enc_init(&enc_, iface, &cfg_, 0), VPX_CODEC_OK);
ASSERT_EQ(vpx_codec_control(&enc_, VP8E_SET_CPUUSED, speed_), VPX_CODEC_OK);
+ ASSERT_EQ(vpx_codec_control(&enc_, VP9E_SET_ROW_MT, row_mt_), VPX_CODEC_OK);
initialized_ = true;
return;
}
@@ -1078,6 +1080,92 @@ TEST(EncodeAPI, Buganizer317105128) {
encoder.Configure(16, 1920, 1, VPX_CBR, VPX_DL_REALTIME);
}
+TEST(EncodeAPI, Buganizer329088759RowMT0) {
+ VP9Encoder encoder(8, 0, VPX_BITS_8, VPX_IMG_FMT_I444);
+ encoder.Configure(/*threads=*/8, /*width=*/1686, /*height=*/398, VPX_VBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/true);
+ encoder.Encode(/*key_frame=*/false);
+ encoder.Configure(/*threads=*/0, /*width=*/1686, /*height=*/1, VPX_VBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/true);
+ encoder.Configure(/*threads=*/0, /*width=*/1482, /*height=*/113, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/true);
+ encoder.Configure(/*threads=*/0, /*width=*/881, /*height=*/59, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Configure(/*threads=*/13, /*width=*/1271, /*height=*/385, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/false);
+ encoder.Configure(/*threads=*/2, /*width=*/1, /*height=*/62, VPX_VBR,
+ VPX_DL_REALTIME);
+}
+
+TEST(EncodeAPI, Buganizer329088759RowMT1) {
+ VP9Encoder encoder(8, 1, VPX_BITS_8, VPX_IMG_FMT_I444);
+ encoder.Configure(/*threads=*/8, /*width=*/1686, /*height=*/398, VPX_VBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/true);
+ encoder.Encode(/*key_frame=*/false);
+ // Needs to set threads to non-zero to repro the issue.
+ encoder.Configure(/*threads=*/2, /*width=*/1686, /*height=*/1, VPX_VBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/true);
+ encoder.Configure(/*threads=*/2, /*width=*/1482, /*height=*/113, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/true);
+ encoder.Configure(/*threads=*/2, /*width=*/881, /*height=*/59, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Configure(/*threads=*/13, /*width=*/1271, /*height=*/385, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/false);
+ encoder.Configure(/*threads=*/2, /*width=*/1, /*height=*/62, VPX_VBR,
+ VPX_DL_REALTIME);
+}
+
+#if CONFIG_VP9_HIGHBITDEPTH
+TEST(EncodeAPI, Buganizer329674887RowMT0BitDepth12) {
+ VP9Encoder encoder(8, 0, VPX_BITS_12, VPX_IMG_FMT_I444);
+ encoder.Configure(/*threads=*/2, /*width=*/1030, /*height=*/583, VPX_VBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/true);
+ encoder.Configure(/*threads=*/0, /*width=*/1030, /*height=*/1, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/true);
+ encoder.Configure(/*threads=*/0, /*width=*/548, /*height=*/322, VPX_VBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/false);
+ encoder.Configure(/*threads=*/16, /*width=*/24, /*height=*/583, VPX_CBR,
+ VPX_DL_GOOD_QUALITY);
+}
+
+TEST(EncodeAPI, Buganizer329179808RowMT0BitDepth10) {
+ VP9Encoder encoder(4, 0, VPX_BITS_10, VPX_IMG_FMT_I444);
+ encoder.Configure(/*threads=*/16, /*width=*/1488, /*height=*/5, VPX_VBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/true);
+ encoder.Configure(/*threads=*/16, /*width=*/839, /*height=*/1, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/false);
+ encoder.Configure(/*threads=*/11, /*width=*/657, /*height=*/5, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/false);
+}
+
+TEST(EncodeAPI, Buganizer329179808RowMT1BitDepth10) {
+ VP9Encoder encoder(4, 1, VPX_BITS_10, VPX_IMG_FMT_I444);
+ encoder.Configure(/*threads=*/16, /*width=*/1488, /*height=*/5, VPX_VBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/true);
+ encoder.Configure(/*threads=*/16, /*width=*/839, /*height=*/1, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/false);
+ encoder.Configure(/*threads=*/11, /*width=*/657, /*height=*/5, VPX_CBR,
+ VPX_DL_REALTIME);
+ encoder.Encode(/*key_frame=*/false);
+}
+#endif
+
#endif // CONFIG_VP9_ENCODER
} // namespace
diff --git a/vp9/encoder/vp9_bitstream.c b/vp9/encoder/vp9_bitstream.c
index ca56d14aa1e31e4791f8772316e449b771aae4fc..88a031e5fc1cf7b6cf0a441664dbbc62006c1790 100644
--- a/vp9/encoder/vp9_bitstream.c
+++ b/vp9/encoder/vp9_bitstream.c
@@ -962,6 +962,14 @@ void vp9_bitstream_encode_tiles_buffer_dealloc(VP9_COMP *const cpi) {
}
}
+static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) {
+ VP9_COMMON *const cm = &cpi->common;
+ const int image_bps =
+ (8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) *
+ (1 + (cm->bit_depth > 8));
+ return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
+}
+
static void encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
VP9_COMMON *const cm = &cpi->common;
int i;
@@ -972,7 +980,7 @@ static void encode_tiles_buffer_alloc(VP9_COMP *const cpi) {
memset(cpi->vp9_bitstream_worker_data, 0, worker_data_size);
for (i = 1; i < cpi->num_workers; ++i) {
cpi->vp9_bitstream_worker_data[i].dest_size =
- cpi->oxcf.width * cpi->oxcf.height;
+ encode_tiles_buffer_alloc_size(cpi);
CHECK_MEM_ERROR(&cm->error, cpi->vp9_bitstream_worker_data[i].dest,
vpx_malloc(cpi->vp9_bitstream_worker_data[i].dest_size));
}
@@ -987,8 +995,8 @@ static size_t encode_tiles_mt(VP9_COMP *cpi, uint8_t *data_ptr) {
int tile_col = 0;
if (!cpi->vp9_bitstream_worker_data ||
- cpi->vp9_bitstream_worker_data[1].dest_size >
- (cpi->oxcf.width * cpi->oxcf.height)) {
+ cpi->vp9_bitstream_worker_data[1].dest_size !=
+ encode_tiles_buffer_alloc_size(cpi)) {
vp9_bitstream_encode_tiles_buffer_dealloc(cpi);
encode_tiles_buffer_alloc(cpi);
}

28
patches/libvpx/vp9_fix_to_integer_overflow_test.patch
View File

@@ -1,28 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Marco Paniconi <marpan@google.com>
Date: Sat, 16 Mar 2024 10:39:28 -0700
Subject: vp9: fix to integer overflow test
failure for the 16k test: issue introduced
in: c29e637283
Bug: b/329088759, b/329674887, b/329179808
Change-Id: I88e8a36b7f13223997c3006c84aec9cfa48c0bcf
(cherry picked from commit 19832b1702d5b0adf616a0e080abd5207c8445b5)
diff --git a/vp9/encoder/vp9_bitstream.c b/vp9/encoder/vp9_bitstream.c
index 88a031e5fc1cf7b6cf0a441664dbbc62006c1790..d3c029da4bacafdb19aa6bfb9865ccbf2db33393 100644
--- a/vp9/encoder/vp9_bitstream.c
+++ b/vp9/encoder/vp9_bitstream.c
@@ -967,7 +967,9 @@ static int encode_tiles_buffer_alloc_size(VP9_COMP *const cpi) {
const int image_bps =
(8 + 2 * (8 >> (cm->subsampling_x + cm->subsampling_y))) *
(1 + (cm->bit_depth > 8));
- return cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
+ const int64_t size =
+ (int64_t)cpi->oxcf.width * cpi->oxcf.height * image_bps / 8;
+ return (int)size;
}
static void encode_tiles_buffer_alloc(VP9_COMP *const cpi) {

1
patches/v8/.patches
View File

@@ -1,3 +1,2 @@
chore_allow_customizing_microtask_policy_per_context.patch
deps_add_v8_object_setinternalfieldfornodecore.patch
merged_wasm_check_for_type-definition_count_limit.patch

38
patches/v8/merged_wasm_check_for_type-definition_count_limit.patch
View File

@@ -1,38 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Manos Koukoutos <manoskouk@chromium.org>
Date: Thu, 21 Mar 2024 11:38:08 +0100
Subject: Merged: [wasm] Check for type-definition count limit
(cherry picked from commit b852ad701db21d6db5b34e66f4ec1cdccd2ec4d4)
Bug: chromium:330575498
Change-Id: I395f0ed6d823b7d1e139da6551486e3627d65724
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5378419
Commit-Queue: Jakob Kummerow <jkummerow@chromium.org>
Reviewed-by: Jakob Kummerow <jkummerow@chromium.org>
Auto-Submit: Manos Koukoutos <manoskouk@chromium.org>
Cr-Original-Commit-Position: refs/heads/main@{#92941}
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/5380190
Reviewed-by: Francis McCabe <fgm@chromium.org>
Commit-Queue: Adam Klein <adamk@chromium.org>
Reviewed-by: Adam Klein <adamk@chromium.org>
Cr-Commit-Position: refs/branch-heads/12.2@{#50}
Cr-Branched-From: 6eb5a9616aa6f8c705217aeb7c7ab8c037a2f676-refs/heads/12.2.281@{#1}
Cr-Branched-From: 44cf56d850167c6988522f8981730462abc04bcc-refs/heads/main@{#91934}
diff --git a/src/wasm/module-decoder-impl.h b/src/wasm/module-decoder-impl.h
index a4c1f5991f0498eab922faa42f69b30b21b423f0..b56dda7afb6a355a998fff57ac14b3fc26c09b7a 100644
--- a/src/wasm/module-decoder-impl.h
+++ b/src/wasm/module-decoder-impl.h
@@ -690,6 +690,11 @@ class ModuleDecoderImpl : public Decoder {
}
} else {
if (tracer_) tracer_->TypeOffset(pc_offset());
+ if (initial_size + 1 > kV8MaxWasmTypes) {
+ errorf(pc(), "Type definition count exceeds maximum %zu",
+ kV8MaxWasmTypes);
+ return;
+ }
// Similarly to above, we need to resize types for a group of size 1.
module_->types.resize(initial_size + 1);
module_->isorecursive_canonical_type_ids.resize(initial_size + 1);