Add the backports fixing CVE-2017-5052 and CVE-2017-5054 from Qt Gerrit

* Thu Jul 27 2017 Kevin Kofler <Kevin@tigcc.ticalc.org> - 5.6.3-0.2.20170712gitee719ad313e564 - Add the backports fixing CVE-2017-5052 and CVE-2017-5054 from Qt Gerrit
2017-07-27 02:53:12 +02:00 · 2017-07-27 02:53:12 +02:00 · 61a977ec34
commit 61a977ec34
parent 624a3c54f4
4 changed files with 257 additions and 1 deletions
--- a/qt5-qtwebengine.spec
+++ b/qt5-qtwebengine.spec
@ -37,7 +37,7 @@
 Summary: Qt5 - QtWebEngine components
 Name:    qt5-qtwebengine
 Version: 5.6.3
-Release: 0.1.%{snapdate}git%(c=%{snaphash}; echo ${c:0:14})%{?dist}
+Release: 0.2.%{snapdate}git%(c=%{snaphash}; echo ${c:0:14})%{?dist}

 # See LICENSE.GPL LICENSE.LGPL LGPL_EXCEPTION.txt, for details
 # See also http://qt-project.org/doc/qt-5.0/qtdoc/licensing.html
@ -98,6 +98,14 @@ Patch11: qtwebengine-opensource-src-5.7.1-skia-neon.patch
 # feature detection for ARM Linux." and enable the detection also for Chromium
 Patch12: qtwebengine-opensource-src-5.7.1-webrtc-neon-detect.patch

+# security patches from codereview.qt-project.org (Qt Gerrit):
+# [Backport] CVE-2017-5052 - https://codereview.qt-project.org/#/c/200312/
+Patch100: qtwebengine-chromium-CVE-2017-5052.patch
+# [Backport] CVE-2017-5054 - https://codereview.qt-project.org/#/c/200313/
+Patch101: qtwebengine-chromium-CVE-2017-5054.patch
+# Fix broken debug build - https://codereview.qt-project.org/#/c/200401/
+Patch102: qtwebengine-chromium-CVE-2017-5054-debug.patch
+
 # the architectures theoretically supported by the version of V8 used (#1298011)
 # You may need some minor patching to build on one of the secondary
 # architectures, e.g., to add to the Qt -> Chromium -> V8 arch translations.
@ -317,6 +325,9 @@ BuildArch: noarch

 %prep
 %setup -q -n %{qt_module}-opensource-src-%{version}%{?prerelease:-%{prerelease}}
+%patch100 -p1 -b .CVE-2017-5052
+%patch101 -p1 -b .CVE-2017-5054
+%patch102 -p1 -b .CVE-2017-5054-debug
 %patch0 -p1 -b .linux-pri
 %patch1 -p1 -b .no-icudtl-dat
 %patch2 -p1 -b .fix-extractcflag
@ -498,6 +509,9 @@ sed -i -e "s|%{version} \${_Qt5WebEngine|%{_qt5_version} \${_Qt5WebEngine|" \


 %changelog
+* Thu Jul 27 2017 Kevin Kofler <Kevin@tigcc.ticalc.org> - 5.6.3-0.2.20170712gitee719ad313e564
+- Add the backports fixing CVE-2017-5052 and CVE-2017-5054 from Qt Gerrit
+
 * Sat Jul 15 2017 Kevin Kofler <Kevin@tigcc.ticalc.org> - 5.6.3-0.1.20170712gitee719ad313e564
 - Update to 5.6 branch revision ee719ad313e564d4e6f06d74b313ae179169466f
 - Sync FFmpeg cleaning scripts from 5.7, upstream backported its Chromium
--- a/qtwebengine-chromium-CVE-2017-5052.patch
+++ b/qtwebengine-chromium-CVE-2017-5052.patch
@ -0,0 +1,58 @@
+From 2c15cc053c4bbb8a3ad3bf9b52c0502cd0a632f8 Mon Sep 17 00:00:00 2001
+From: Michal Klocek <michal.klocek@qt.io>
+Date: Tue, 18 Jul 2017 13:33:07 +0200
+Subject: [PATCH] [Backport] CVE-2017-5052
+
+Search the entire subtree when looking for the end of an inline continuation chain.
+
+Inlines may be nested, so we may not find the last inline in the chain as a
+direct child of the anonymous blocks. We need to search the entire subtree.
+Don't do this with anonymous blocks that wrap block children (the block-level
+DOM children of the inline-level objects), though. We're not going to find
+anything interesting there.
+
+This fix is speculative; the original bug report didn't come with a test case.
+
+BUG=662767
+
+Review-Url: https://codereview.chromium.org/2738503004
+Cr-Commit-Position: refs/heads/master@{#455420}
+(cherry picked from commit e72c8c06b956706b54648589f807086d17340831)
+
+Review-Url: https://codereview.chromium.org/2769703003 .
+Cr-Commit-Position: refs/branch-heads/2987@{#862}
+Cr-Branched-From: ad51088c0e8776e8dcd963dbe752c4035ba6dab6-refs/heads/master@{#444943}
+
+Change-Id: Ia89df9909da88b8891ae89fc18ffdc9d042c8eaa
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+diff --git a/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp b/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp
+index 618a4ed..665b1e1 100644
+--- a/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp
+++ b/src/3rdparty/chromium/third_party/WebKit/Source/core/layout/LayoutInline.cpp
+@@ -1029,11 +1029,18 @@ LayoutRect LayoutInline::absoluteClippedOverflowRect() const
+         endContinuation = nextContinuation;
+ 
+     for (LayoutBlock* currBlock = containingBlock(); currBlock && currBlock->isAnonymousBlock(); currBlock = toLayoutBlock(currBlock->nextSibling())) {
+        bool walkChildrenOnly = !currBlock->childrenInline();
+         for (LayoutObject* curr = currBlock->firstChild(); curr; curr = curr->nextSibling()) {
+             LayoutRect rect(curr->clippedOverflowRectForPaintInvalidation(view()));
+             context(FloatRect(rect));
+-            if (curr == endContinuation)
+            if (walkChildrenOnly)
+              continue;
+            for (LayoutObject* walker = curr; walker;
+               walker = walker->nextInPreOrder(curr)) {
+                if (walker != endContinuation)
+                    continue;
+                 return LayoutRect(enclosingIntRect(floatResult));
+	    }
+         }
+     }
+     return LayoutRect();
+-- 
+2.7.4
+
--- a/qtwebengine-chromium-CVE-2017-5054-debug.patch
+++ b/qtwebengine-chromium-CVE-2017-5054-debug.patch
@ -0,0 +1,39 @@
+From 4854a4fa365527b57f66f72eab1c07cfc5b2b9fd Mon Sep 17 00:00:00 2001
+From: Michal Klocek <michal.klocek@qt.io>
+Date: Wed, 19 Jul 2017 16:43:04 +0200
+Subject: [PATCH] Fix broken debug build introduced in security backport
+
+Fix DCHECK to call HasSufficientCapacity instead of
+HasSufficientCapacityToAdd (introduced in chromium's v8  a76d133f769).
+Avoid right-shifting a negative integer in HasSufficientCapacity.
+
+Change-Id: Id5370803896814f7536d7a026985b27e689c902e
+---
+ chromium/v8/src/objects.cc | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/3rdparty/chromium/v8/src/objects.cc b/src/3rdparty/chromium/v8/src/objects.cc
+index 9b463de..673a219 100644
+--- a/src/3rdparty/chromium/v8/src/objects.cc
+++ b/src/3rdparty/chromium/v8/src/objects.cc
+@@ -17281,7 +17281,7 @@ bool HashTable<Derived, Shape, Key>::HasSufficientCapacity(int n) {
+   // Return true if:
+   //   50% is still free after adding n elements and
+   //   at most 50% of the free elements are deleted elements.
+-  if (nod <= (capacity - nof) >> 1) {
+  if ((nof < capacity) && ((nod <= (capacity - nof) >> 1))) {
+     int needed_free = nof >> 1;
+     if (nof + needed_free <= capacity) return true;
+   }
+@@ -18171,7 +18171,7 @@ Handle<Derived> Dictionary<Derived, Shape, Key>::NewEmpty(
+     Isolate* isolate, PretenureFlag pretenure) {
+   Handle<Derived> dict = DerivedHashTable::New(isolate, 1, pretenure);
+   // Attempt to add one element to the empty dictionary must cause reallocation.
+-  DCHECK(!dict->HasSufficientCapacityToAdd(1));
+  DCHECK(!dict->HasSufficientCapacity(1));
+   // Initialize the next enumeration index.
+   dict->SetNextEnumerationIndex(PropertyDetails::kInitialIndex);
+   return dict;
+-- 
+2.7.4
+
--- a/qtwebengine-chromium-CVE-2017-5054.patch
+++ b/qtwebengine-chromium-CVE-2017-5054.patch
@ -0,0 +1,145 @@
+From 9966a98c2c90603a7ed3c7bd61609d441b782116 Mon Sep 17 00:00:00 2001
+From: Michal Klocek <michal.klocek@qt.io>
+Date: Tue, 16 May 2017 13:04:46 +0200
+Subject: [PATCH] [Backport] CVE-2017-5054
+
+Merged: [runtime] Ensure that canonical empty dictionaries reallocate upon addition.
+
+Revision: 17ac7c5f4d712c914030e1fb7247d2083b04b929
+
+BUG=chromium:699166
+LOG=N
+NOTRY=true
+NOPRESUBMIT=true
+NOTREECHECKS=true
+
+Reviewed-on: https://chromium-review.googlesource.com/456703
+Reviewed-by: Igor Sheludko <ishell@chromium.org>
+Cr-Commit-Position: refs/branch-heads/5.8@{#35}
+Cr-Branched-From: eda659cc5e307f20ac1ad542ba12ab32eaf4c7ef-refs/heads/5.8.283@{#1}
+Cr-Branched-From: 4310cd02d2160b1457baed81a2f40063eb264a21-refs/heads/master@{#43429}
+
+Change-Id: Icb1453cc24519319992629b13846cb46d7e9fc85
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ chromium/v8/src/heap/heap.cc |  4 ++--
+ chromium/v8/src/objects.cc   | 26 +++++++++++++++++++++++++-
+ chromium/v8/src/objects.h    |  7 +++++++
+ 3 files changed, 34 insertions(+), 3 deletions(-)
+
+diff --git a/src/3rdparty/chromium/v8/src/heap/heap.cc b/src/3rdparty/chromium/v8/src/heap/heap.cc
+index 7983d47..f93adb8 100644
+--- a/src/3rdparty/chromium/v8/src/heap/heap.cc
+++ b/src/3rdparty/chromium/v8/src/heap/heap.cc
+@@ -2753,7 +2753,7 @@ void Heap::CreateInitialObjects() {
+   set_intrinsic_function_names(*intrinsic_names);
+ 
+   Handle<NameDictionary> empty_properties_dictionary =
+-      NameDictionary::New(isolate(), 0, TENURED);
+      NameDictionary::NewEmpty(isolate(), TENURED);
+   empty_properties_dictionary->SetRequiresCopyOnCapacityChange();
+   set_empty_properties_dictionary(*empty_properties_dictionary);
+ 
+@@ -2850,7 +2850,7 @@ void Heap::CreateInitialObjects() {
+   set_script_list(Smi::FromInt(0));
+ 
+   Handle<SeededNumberDictionary> slow_element_dictionary =
+-      SeededNumberDictionary::New(isolate(), 0, TENURED);
+      SeededNumberDictionary::NewEmpty(isolate(), TENURED);
+   slow_element_dictionary->set_requires_slow_elements();
+   set_empty_slow_element_dictionary(*slow_element_dictionary);
+ 
+diff --git a/src/3rdparty/chromium/v8/src/objects.cc b/src/3rdparty/chromium/v8/src/objects.cc
+index 5601768..9b463de 100644
+--- a/src/3rdparty/chromium/v8/src/objects.cc
+++ b/src/3rdparty/chromium/v8/src/objects.cc
+@@ -17082,7 +17082,13 @@ Handle<Derived> HashTable<Derived, Shape, Key>::New(
+   if (capacity > HashTable::kMaxCapacity) {
+     v8::internal::Heap::FatalProcessOutOfMemory("invalid table size", true);
+   }
+  return New(isolate, capacity, pretenure);
+}
+ 
+template <typename Derived, typename Shape, typename Key>
+Handle<Derived> HashTable<Derived, Shape, Key>::New(Isolate* isolate,
+                                                    int capacity,
+                                                    PretenureFlag pretenure) {
+   Factory* factory = isolate->factory();
+   int length = EntryToIndex(capacity);
+   Handle<FixedArray> array = factory->NewFixedArray(length, pretenure);
+@@ -17095,7 +17101,6 @@ Handle<Derived> HashTable<Derived, Shape, Key>::New(
+   return table;
+ }
+ 
+-
+ // Find entry for key otherwise return kNotFound.
+ template <typename Derived, typename Shape>
+ int NameDictionaryBase<Derived, Shape>::FindEntry(Handle<Name> key) {
+@@ -17363,6 +17368,10 @@ template Handle<SeededNumberDictionary>
+ Dictionary<SeededNumberDictionary, SeededNumberDictionaryShape, uint32_t>::
+     New(Isolate*, int at_least_space_for, PretenureFlag pretenure);
+ 
+template Handle<SeededNumberDictionary>
+Dictionary<SeededNumberDictionary, SeededNumberDictionaryShape,
+           uint32_t>::NewEmpty(Isolate*, PretenureFlag pretenure);
+
+ template Handle<UnseededNumberDictionary>
+ Dictionary<UnseededNumberDictionary, UnseededNumberDictionaryShape, uint32_t>::
+     New(Isolate*, int at_least_space_for, PretenureFlag pretenure);
+@@ -17371,6 +17380,10 @@ template Handle<NameDictionary>
+ Dictionary<NameDictionary, NameDictionaryShape, Handle<Name> >::
+     New(Isolate*, int n, PretenureFlag pretenure);
+ 
+template Handle<NameDictionary>
+Dictionary<NameDictionary, NameDictionaryShape, Handle<Name>>::NewEmpty(
+    Isolate*, PretenureFlag pretenure);
+
+ template Handle<GlobalDictionary>
+ Dictionary<GlobalDictionary, GlobalDictionaryShape, Handle<Name> >::New(
+     Isolate*, int n, PretenureFlag pretenure);
+@@ -18154,6 +18167,17 @@ Handle<FixedArray> Dictionary<Derived, Shape, Key>::BuildIterationIndicesArray(
+ 
+ 
+ template <typename Derived, typename Shape, typename Key>
+Handle<Derived> Dictionary<Derived, Shape, Key>::NewEmpty(
+    Isolate* isolate, PretenureFlag pretenure) {
+  Handle<Derived> dict = DerivedHashTable::New(isolate, 1, pretenure);
+  // Attempt to add one element to the empty dictionary must cause reallocation.
+  DCHECK(!dict->HasSufficientCapacityToAdd(1));
+  // Initialize the next enumeration index.
+  dict->SetNextEnumerationIndex(PropertyDetails::kInitialIndex);
+  return dict;
+}
+
+template <typename Derived, typename Shape, typename Key>
+ Handle<FixedArray>
+ Dictionary<Derived, Shape, Key>::GenerateNewEnumerationIndices(
+     Handle<Derived> dictionary) {
+diff --git a/src/3rdparty/chromium/v8/src/objects.h b/src/3rdparty/chromium/v8/src/objects.h
+index d737a18..151ab52 100644
+--- a/src/3rdparty/chromium/v8/src/objects.h
+++ b/src/3rdparty/chromium/v8/src/objects.h
+@@ -3199,6 +3199,9 @@ class HashTable : public HashTableBase {
+  protected:
+   friend class ObjectHashTable;
+ 
+  MUST_USE_RESULT static Handle<Derived> New(Isolate* isolate, int capacity,
+                                             PretenureFlag pretenure);
+
+   // Find the entry at which to insert element with the given key that
+   // has the given hash value.
+   uint32_t FindInsertionEntry(uint32_t hash);
+@@ -3415,6 +3418,10 @@ class Dictionary: public HashTable<Derived, Shape, Key> {
+       int at_least_space_for,
+       PretenureFlag pretenure = NOT_TENURED);
+ 
+  // Creates an dictionary with minimal possible capacity.
+  MUST_USE_RESULT static Handle<Derived> NewEmpty(
+      Isolate* isolate, PretenureFlag pretenure = NOT_TENURED);
+
+   // Ensures that a new dictionary is created when the capacity is checked.
+   void SetRequiresCopyOnCapacityChange();
+ 
+-- 
+2.7.4
+