commit 18d50134ef14e770c05f7f7596d6f2bcb235236d
Author: Kevin Kofler <kevin.kofler(a)chello.at>
Date: Thu Jul 27 03:06:53 2017 +0200
Add the backports fixing CVE-2017-5052 and CVE-2017-5054 from Qt Gerrit
* Thu Jul 27 2017 Kevin Kofler <Kevin(a)tigcc.ticalc.org> -
5.6.3-0.2.20170712gitee719ad313e564
- Add the backports fixing CVE-2017-5052 and CVE-2017-5054 from Qt Gerrit
qt5-qtwebengine-freeworld.spec | 16 ++-
qtwebengine-chromium-CVE-2017-5052.patch | 58 ++++++++++
qtwebengine-chromium-CVE-2017-5054-debug.patch | 39 +++++++
qtwebengine-chromium-CVE-2017-5054.patch | 145 +++++++++++++++++++++++++
4 files changed, 257 insertions(+), 1 deletion(-)
---
diff --git a/qt5-qtwebengine-freeworld.spec b/qt5-qtwebengine-freeworld.spec
index b1e60f1..aecd7a5 100644
--- a/qt5-qtwebengine-freeworld.spec
+++ b/qt5-qtwebengine-freeworld.spec
@@ -32,7 +32,7 @@
Summary: Qt5 - QtWebEngine components (freeworld version)
Name: qt5-qtwebengine-freeworld
Version: 5.6.3
-Release: 0.1.%{snapdate}git%(c=%{snaphash}; echo ${c:0:14})%{?dist}
+Release: 0.2.%{snapdate}git%(c=%{snaphash}; echo ${c:0:14})%{?dist}
%global major_minor %(echo %{version} | cut -d. -f-2)
%global major %(echo %{version} | cut -d. -f1)
@@ -95,6 +95,14 @@ Patch11: qtwebengine-opensource-src-5.7.1-skia-neon.patch
# feature detection for ARM Linux." and enable the detection also for Chromium
Patch12: qtwebengine-opensource-src-5.7.1-webrtc-neon-detect.patch
+# security patches from
codereview.qt-project.org (Qt Gerrit):
+# [Backport] CVE-2017-5052 -
https://codereview.qt-project.org/#/c/200312/
+Patch100: qtwebengine-chromium-CVE-2017-5052.patch
+# [Backport] CVE-2017-5054 -
https://codereview.qt-project.org/#/c/200313/
+Patch101: qtwebengine-chromium-CVE-2017-5054.patch
+# Fix broken debug build -
https://codereview.qt-project.org/#/c/200401/
+Patch102: qtwebengine-chromium-CVE-2017-5054-debug.patch
+
# the architectures theoretically supported by the version of V8 used (#1298011)
# You may need some minor patching to build on one of the secondary
# architectures, e.g., to add to the Qt -> Chromium -> V8 arch translations.
@@ -299,6 +307,9 @@ This version is compiled with support for patent-encumbered codecs
enabled.
%prep
%setup -q -n %{qt_module}-opensource-src-%{version}%{?prerelease:-%{prerelease}}
+%patch100 -p1 -b .CVE-2017-5052
+%patch101 -p1 -b .CVE-2017-5054
+%patch102 -p1 -b .CVE-2017-5054-debug
%patch0 -p1 -b .linux-pri
%patch1 -p1 -b .no-icudtl-dat
%patch2 -p1 -b .fix-extractcflag
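Review bot: The three new %patch lines carry no comment on their ordering, yet Patch102 only makes sense after Patch101 — it replaces the `HasSufficientCapacityToAdd` call that Patch101's NewEmpty introduces — so the sequence 100, 101, 102 is a hard constraint rather than a convention. A one-line comment above `%patch100` would protect it from a later reordering, e.g. `# Chromium/V8 security backports; 102 must follow 101 (it fixes the DCHECK that 101 adds)`. Applying them ahead of %patch0 is presumably safe because the backports touch only paths under src/3rdparty/chromium, but that is inferred from the embedded patch headers rather than stated in the spec.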
@@ -391,6 +402,9 @@ echo "%{_libdir}/%{name}" \
%changelog
+* Thu Jul 27 2017 Kevin Kofler <Kevin(a)tigcc.ticalc.org> -
5.6.3-0.2.20170712gitee719ad313e564
+- Add the backports fixing CVE-2017-5052 and CVE-2017-5054 from Qt Gerrit
+
* Sun Jul 16 2017 Kevin Kofler <Kevin(a)tigcc.ticalc.org> -
5.6.3-0.1.20170712gitee719ad313e564
- Update to 5.6 branch revision ee719ad313e564d4e6f06d74b313ae179169466f
- Add snapshot_qtwebengine.sh and the FFmpeg cleaning scripts that it runs
diff --git a/qtwebengine-chromium-CVE-2017-5052.patch
b/qtwebengine-chromium-CVE-2017-5052.patch
new file mode 100644
index 0000000..27f57e9
--- /dev/null
+++ b/qtwebengine-chromium-CVE-2017-5052.patch
@@ -0,0 +1,58 @@
+From 2c15cc053c4bbb8a3ad3bf9b52c0502cd0a632f8 Mon Sep 17 00:00:00 2001
+From: Michal Klocek <michal.klocek(a)qt.io>
+Date: Tue, 18 Jul 2017 13:33:07 +0200
+Subject: [PATCH] [Backport] CVE-2017-5052
+
+Search the entire subtree when looking for the end of an inline continuation chain.
+
+Inlines may be nested, so we may not find the last inline in the chain as a
+direct child of the anonymous blocks. We need to search the entire subtree.
+Don't do this with anonymous blocks that wrap block children (the block-level
+DOM children of the inline-level objects), though. We're not going to find
+anything interesting there.
+
+This fix is speculative; the original bug report didn't come with a test case.
+
+BUG=662767
+
+Review-Url:
https://codereview.chromium.org/2738503004
+Cr-Commit-Position: refs/heads/master@{#455420}
+(cherry picked from commit e72c8c06b956706b54648589f807086d17340831)
+
+Review-Url:
https://codereview.chromium.org/2769703003 .
+Cr-Commit-Position: refs/branch-heads/2987@{#862}
+Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}
+
+Change-Id: Ia89df9909da88b8891ae89fc18ffdc9d042c8eaa
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+---
+ chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp
b/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp
+index 618a4ed..665b1e1 100644
+--- a/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp
++++ b/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp
+@@ -1029,11 +1029,18 @@ LayoutRect LayoutInline::absoluteClippedOverflowRect() const
+ endContinuation = nextContinuation;
+
+ for (LayoutBlock* currBlock = containingBlock(); currBlock &&
currBlock->isAnonymousBlock(); currBlock = toLayoutBlock(currBlock->nextSibling()))
{
++ bool walkChildrenOnly = !currBlock->childrenInline();
+ for (LayoutObject* curr = currBlock->firstChild(); curr; curr =
curr->nextSibling()) {
+ LayoutRect rect(curr->clippedOverflowRectForPaintInvalidation(view()));
+ context(FloatRect(rect));
+- if (curr == endContinuation)
++ if (walkChildrenOnly)
++ continue;
++ for (LayoutObject* walker = curr; walker;
++ walker = walker->nextInPreOrder(curr)) {
++ if (walker != endContinuation)
++ continue;
+ return LayoutRect(enclosingIntRect(floatResult));
++ }
+ }
+ }
+ return LayoutRect();
+--
+2.7.4
+
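Review bot: The new `walkChildrenOnly` flag and the inner `nextInPreOrder(curr)` walk carry no comment, so the reason the subtree search is skipped for anonymous blocks with block-level children lives only in the commit message. A short comment above `bool walkChildrenOnly = !currBlock->childrenInline();` would keep the rationale with the code, e.g. `// Inlines may be nested, so endContinuation can sit anywhere in curr's subtree; anonymous blocks that wrap block children cannot contain it, so only their direct children are visited.` The message also states the fix is speculative with no test case, and the backport adds none, so a layout test with a nested inline continuation chain would be the way to pin the behaviour. The enclosing function absoluteClippedOverflowRect starts before the embedded hunk.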
diff --git a/qtwebengine-chromium-CVE-2017-5054-debug.patch
b/qtwebengine-chromium-CVE-2017-5054-debug.patch
new file mode 100644
index 0000000..1da84d5
--- /dev/null
+++ b/qtwebengine-chromium-CVE-2017-5054-debug.patch
@@ -0,0 +1,39 @@
+From 4854a4fa365527b57f66f72eab1c07cfc5b2b9fd Mon Sep 17 00:00:00 2001
+From: Michal Klocek <michal.klocek(a)qt.io>
+Date: Wed, 19 Jul 2017 16:43:04 +0200
+Subject: [PATCH] Fix broken debug build introduced in security backport
+
+Fix DCHECK to call HasSufficientCapacity instead of
+HasSufficientCapacityToAdd (introduced in chromium's v8 a76d133f769).
+Avoid right-shifting a negative integer in HasSufficientCapacity.
+
+Change-Id: Id5370803896814f7536d7a026985b27e689c902e
+---
+ chromium/v8/src/objects.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/3rdparty/chromium/v8/src/objects.cc
b/src/3rdparty/chromium/v8/src/objects.cc
+index 9b463de..673a219 100644
+--- a/src/3rdparty/chromium/v8/src/objects.cc
++++ b/src/3rdparty/chromium/v8/src/objects.cc
+@@ -17281,7 +17281,7 @@ bool HashTable<Derived, Shape,
Key>::HasSufficientCapacity(int n) {
+ // Return true if:
+ // 50% is still free after adding n elements and
+ // at most 50% of the free elements are deleted elements.
+- if (nod <= (capacity - nof) >> 1) {
++ if ((nof < capacity) && ((nod <= (capacity - nof) >> 1))) {
+ int needed_free = nof >> 1;
+ if (nof + needed_free <= capacity) return true;
+ }
+@@ -18171,7 +18171,7 @@ Handle<Derived> Dictionary<Derived, Shape,
Key>::NewEmpty(
+ Isolate* isolate, PretenureFlag pretenure) {
+ Handle<Derived> dict = DerivedHashTable::New(isolate, 1, pretenure);
+ // Attempt to add one element to the empty dictionary must cause reallocation.
+- DCHECK(!dict->HasSufficientCapacityToAdd(1));
++ DCHECK(!dict->HasSufficientCapacity(1));
+ // Initialize the next enumeration index.
+ dict->SetNextEnumerationIndex(PropertyDetails::kInitialIndex);
+ return dict;
+--
+2.7.4
+
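Review bot: The added guard `(nof < capacity)` changes the result of HasSufficientCapacity for `nof == capacity`, not only for the negative case the commit message names: there `capacity - nof` is 0, `nod <= 0` holds when nod is 0 (presumably no deleted entries), and the function could still return true whenever `nof >> 1` is 0, whereas it now returns false. If nof already includes the n being added (its computation is outside the hunk), that is exactly the case NewEmpty's `DCHECK(!dict->HasSufficientCapacity(1))` relies on for a capacity-1 table, so the change is presumably intended, but it alters a release-build path and deserves a comment on the line, e.g. `// nof == capacity must also report insufficient capacity so that a capacity-1 table always reallocates on its first insertion.` Right-shifting a negative int is implementation-defined in C++, so the guard is also the right fix for the shift itself.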
diff --git a/qtwebengine-chromium-CVE-2017-5054.patch
b/qtwebengine-chromium-CVE-2017-5054.patch
new file mode 100644
index 0000000..4d40131
--- /dev/null
+++ b/qtwebengine-chromium-CVE-2017-5054.patch
@@ -0,0 +1,145 @@
+From 9966a98c2c90603a7ed3c7bd61609d441b782116 Mon Sep 17 00:00:00 2001
+From: Michal Klocek <michal.klocek(a)qt.io>
+Date: Tue, 16 May 2017 13:04:46 +0200
+Subject: [PATCH] [Backport] CVE-2017-5054
+
+Merged: [runtime] Ensure that canonical empty dictionaries reallocate upon addition.
+
+Revision: 17ac7c5f4d712c914030e1fb7247d2083b04b929
+
+BUG=chromium:699166
+LOG=N
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
+
+Reviewed-on:
https://chromium-review.googlesource.com/456703
+Reviewed-by: Igor Sheludko <ishell(a)chromium.org>
+Cr-Commit-Position: refs/branch-heads/5.8@{#35}
+Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
+Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}
+
+Change-Id: Icb1453cc24519319992629b13846cb46d7e9fc85
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+---
+ chromium/v8/src/heap/heap.cc | 4 ++--
+ chromium/v8/src/objects.cc | 26 +++++++++++++++++++++++++-
+ chromium/v8/src/objects.h | 7 +++++++
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/src/3rdparty/chromium/v8/src/heap/heap.cc
b/src/3rdparty/chromium/v8/src/heap/heap.cc
+index 7983d47..f93adb8 100644
+--- a/src/3rdparty/chromium/v8/src/heap/heap.cc
++++ b/src/3rdparty/chromium/v8/src/heap/heap.cc
+@@ -2753,7 +2753,7 @@ void Heap::CreateInitialObjects() {
+ set_intrinsic_function_names(*intrinsic_names);
+
+ Handle<NameDictionary> empty_properties_dictionary =
+- NameDictionary::New(isolate(), 0, TENURED);
++ NameDictionary::NewEmpty(isolate(), TENURED);
+ empty_properties_dictionary->SetRequiresCopyOnCapacityChange();
+ set_empty_properties_dictionary(*empty_properties_dictionary);
+
+@@ -2850,7 +2850,7 @@ void Heap::CreateInitialObjects() {
+ set_script_list(Smi::FromInt(0));
+
+ Handle<SeededNumberDictionary> slow_element_dictionary =
+- SeededNumberDictionary::New(isolate(), 0, TENURED);
++ SeededNumberDictionary::NewEmpty(isolate(), TENURED);
+ slow_element_dictionary->set_requires_slow_elements();
+ set_empty_slow_element_dictionary(*slow_element_dictionary);
+
+diff --git a/src/3rdparty/chromium/v8/src/objects.cc
b/src/3rdparty/chromium/v8/src/objects.cc
+index 5601768..9b463de 100644
+--- a/src/3rdparty/chromium/v8/src/objects.cc
++++ b/src/3rdparty/chromium/v8/src/objects.cc
+@@ -17082,7 +17082,13 @@ Handle<Derived> HashTable<Derived, Shape,
Key>::New(
+ if (capacity > HashTable::kMaxCapacity) {
+ v8::internal::Heap::FatalProcessOutOfMemory("invalid table size", true);
+ }
++ return New(isolate, capacity, pretenure);
++}
+
++template <typename Derived, typename Shape, typename Key>
++Handle<Derived> HashTable<Derived, Shape, Key>::New(Isolate* isolate,
++ int capacity,
++ PretenureFlag pretenure) {
+ Factory* factory = isolate->factory();
+ int length = EntryToIndex(capacity);
+ Handle<FixedArray> array = factory->NewFixedArray(length, pretenure);
+@@ -17095,7 +17101,6 @@ Handle<Derived> HashTable<Derived, Shape, Key>::New(
+ return table;
+ }
+
+-
+ // Find entry for key otherwise return kNotFound.
+ template <typename Derived, typename Shape>
+ int NameDictionaryBase<Derived, Shape>::FindEntry(Handle<Name> key) {
+@@ -17363,6 +17368,10 @@ template Handle<SeededNumberDictionary>
+ Dictionary<SeededNumberDictionary, SeededNumberDictionaryShape, uint32_t>::
+ New(Isolate*, int at_least_space_for, PretenureFlag pretenure);
+
++template Handle<SeededNumberDictionary>
++Dictionary<SeededNumberDictionary, SeededNumberDictionaryShape,
++ uint32_t>::NewEmpty(Isolate*, PretenureFlag pretenure);
++
+ template Handle<UnseededNumberDictionary>
+ Dictionary<UnseededNumberDictionary, UnseededNumberDictionaryShape, uint32_t>::
+ New(Isolate*, int at_least_space_for, PretenureFlag pretenure);
+@@ -17371,6 +17380,10 @@ template Handle<NameDictionary>
+ Dictionary<NameDictionary, NameDictionaryShape, Handle<Name> >::
+ New(Isolate*, int n, PretenureFlag pretenure);
+
++template Handle<NameDictionary>
++Dictionary<NameDictionary, NameDictionaryShape, Handle<Name>>::NewEmpty(
++ Isolate*, PretenureFlag pretenure);
++
+ template Handle<GlobalDictionary>
+ Dictionary<GlobalDictionary, GlobalDictionaryShape, Handle<Name> >::New(
+ Isolate*, int n, PretenureFlag pretenure);
+@@ -18154,6 +18167,17 @@ Handle<FixedArray> Dictionary<Derived, Shape,
Key>::BuildIterationIndicesArray(
+
+
+ template <typename Derived, typename Shape, typename Key>
++Handle<Derived> Dictionary<Derived, Shape, Key>::NewEmpty(
++ Isolate* isolate, PretenureFlag pretenure) {
++ Handle<Derived> dict = DerivedHashTable::New(isolate, 1, pretenure);
++ // Attempt to add one element to the empty dictionary must cause reallocation.
++ DCHECK(!dict->HasSufficientCapacityToAdd(1));
++ // Initialize the next enumeration index.
++ dict->SetNextEnumerationIndex(PropertyDetails::kInitialIndex);
++ return dict;
++}
++
++template <typename Derived, typename Shape, typename Key>
+ Handle<FixedArray>
+ Dictionary<Derived, Shape, Key>::GenerateNewEnumerationIndices(
+ Handle<Derived> dictionary) {
+diff --git a/src/3rdparty/chromium/v8/src/objects.h
b/src/3rdparty/chromium/v8/src/objects.h
+index d737a18..151ab52 100644
+--- a/src/3rdparty/chromium/v8/src/objects.h
++++ b/src/3rdparty/chromium/v8/src/objects.h
+@@ -3199,6 +3199,9 @@ class HashTable : public HashTableBase {
+ protected:
+ friend class ObjectHashTable;
+
++ MUST_USE_RESULT static Handle<Derived> New(Isolate* isolate, int capacity,
++ PretenureFlag pretenure);
++
+ // Find the entry at which to insert element with the given key that
+ // has the given hash value.
+ uint32_t FindInsertionEntry(uint32_t hash);
+@@ -3415,6 +3418,10 @@ class Dictionary: public HashTable<Derived, Shape, Key> {
+ int at_least_space_for,
+ PretenureFlag pretenure = NOT_TENURED);
+
++ // Creates an dictionary with minimal possible capacity.
++ MUST_USE_RESULT static Handle<Derived> NewEmpty(
++ Isolate* isolate, PretenureFlag pretenure = NOT_TENURED);
++
+ // Ensures that a new dictionary is created when the capacity is checked.
+ void SetRequiresCopyOnCapacityChange();
+
+--
+2.7.4
+
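Review bot: The new protected `New(Isolate* isolate, int capacity, PretenureFlag pretenure)` overload in objects.h has no comment distinguishing it from the public New, whose second parameter is `at_least_space_for` and which computes and range-checks the capacity before delegating with `return New(isolate, capacity, pretenure)`; the protected one allocates exactly `capacity` entries with no check of its own. A comment on the declaration would stop a caller reaching for the wrong one, e.g. `// Allocates a table with exactly |capacity| entries; the caller has already validated capacity (see the public New overload).` The comment on NewEmpty, `Creates an dictionary with minimal possible capacity.`, also has a typo and omits the property the callers in heap.cc depend on: that the first insertion into the shared empty dictionary must reallocate, which only the debug-only DCHECK in NewEmpty asserts. Whether the three-argument call resolves unambiguously depends on the public overload's full parameter list, which is outside the hunk.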