From e09eea6b881da699e81918a74ad113982436b9e4 Mon Sep 17 00:00:00 2001
From: Pedro Pontes
Date: Tue, 27 Jul 2021 02:16:42 +0200
Subject: [PATCH] chore: cherry-pick 79fc7bcbc9 from chromium. (#30183)
* chore: cherry-pick 79fc7bcbc9 from chromium.
* chore: update patches
Co-authored-by: PatchUp <73610968+patchup[bot]@users.noreply.github.com>
Co-authored-by: Electron Bot
---
 patches/chromium/.patches | 1 +
 ...use-after-free_with_xslt_strip-space.patch | 431 ++++++++++++++++++
 2 files changed, 432 insertions(+)
 create mode 100644 patches/chromium/fix_use-after-free_with_xslt_strip-space.patch
diff --git a/patches/chromium/.patches b/patches/chromium/.patches
index 6749d55824b60..fdbaaa9d1e8f1 100644
--- a/patches/chromium/.patches
+++ b/patches/chromium/.patches
@@ -175,5 +175,6 @@ cherry-pick-b77b38a3380c.patch
 cherry-pick-d9556a80a790.patch
 cherry-pick-910e9e40d376.patch
 cherry-pick-ff0d013f60fa.patch
+fix_use-after-free_with_xslt_strip-space.patch
 cherry-pick-3feda0244490.patch
 cherry-pick-cd98d7c0dae9.patch
diff --git a/patches/chromium/fix_use-after-free_with_xslt_strip-space.patch b/patches/chromium/fix_use-after-free_with_xslt_strip-space.patch
new file mode 100644
index 0000000000000..9c4f22214c388
--- /dev/null
+++ b/patches/chromium/fix_use-after-free_with_xslt_strip-space.patch
@@ -0,0 +1,431 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Joey Arhar +Date: Wed, 16 Jun 2021 02:41:13 +0000 +Subject: Fix use-after-free with XSLT strip-space + +Fixed: 1219209 +Change-Id: I3baab9d1b419407d964a80f10c6ca05e0294554f +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2965632 +Commit-Queue: Joey Arhar +Reviewed-by: Stephen Chenney +Cr-Commit-Position: refs/heads/master@{#892861} + +diff --git a/third_party/blink/web_tests/external/wpt/xslt/strip-space-crash.xml b/third_party/blink/web_tests/external/wpt/xslt/strip-space-crash.xml +new file mode 100644 +index 0000000000000000000000000000000000000000..61a906a5e74b9c88061c565615187f9970baff72 +--- /dev/null ++++ b/third_party/blink/web_tests/external/wpt/xslt/strip-space-crash.xml +@@ -0,0 +1,33 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ +diff --git a/third_party/libxslt/chromium/Fix-use-after-free-in-xsltApplyTemplates.patch b/third_party/libxslt/chromium/Fix-use-after-free-in-xsltApplyTemplates.patch +new file mode 100644 +index 0000000000000000000000000000000000000000..9b4c28d8756d6cf95027fc105ec875be5f71d952 +--- /dev/null ++++ b/third_party/libxslt/chromium/Fix-use-after-free-in-xsltApplyTemplates.patch +@@ -0,0 +1,195 @@ ++From: Nick Wellnhofer ++Date: Sat, 12 Jun 2021 20:02:53 +0200 ++Subject: [PATCH] Fix use-after-free in xsltApplyTemplates ++ ++xsltApplyTemplates without a select expression could delete nodes in ++the source document. ++ ++1. Text nodes with strippable whitespace ++ ++Whitespace from input documents is already stripped, so there's no ++need to strip it again. Under certain circumstances, xsltApplyTemplates ++could be fooled into deleting text nodes that are still referenced, ++resulting in a use-after-free. ++ ++2. The DTD ++ ++The DTD was only unlinked, but there's no good reason to do this just ++now. Maybe it was meant as a micro-optimization. ++ ++3. 
Unknown nodes ++ ++Useless and dangerous as well, especially with XInclude nodes. ++See https://gitlab.gnome.org/GNOME/libxml2/-/issues/268 ++ ++Simply stop trying to uselessly delete nodes when applying a template. ++This part of the code is probably a leftover from a time where ++xsltApplyStripSpaces wasn't implemented yet. Also note that ++xsltApplyTemplates with a select expression never tried to delete ++nodes. ++ ++Also stop xsltDefaultProcessOneNode from deleting nodes for the same ++reasons. ++--- ++ libxslt/transform.c | 119 +++----------------------------------------- ++ 1 file changed, 7 insertions(+), 112 deletions(-) ++ ++diff --git a/libxslt/transform.c b/libxslt/transform.c ++index 04522154..3aba354f 100644 ++--- a/libxslt/transform.c +++++ b/libxslt/transform.c ++@@ -1895,7 +1895,7 @@ static void ++ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, ++ xsltStackElemPtr params) { ++ xmlNodePtr copy; ++- xmlNodePtr delete = NULL, cur; +++ xmlNodePtr cur; ++ int nbchild = 0, oldSize; ++ int childno = 0, oldPos; ++ xsltTemplatePtr template; ++@@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, ++ return; ++ } ++ /* ++- * Handling of Elements: first pass, cleanup and counting +++ * Handling of Elements: first pass, counting ++ */ ++ cur = node->children; ++ while (cur != NULL) { ++- switch (cur->type) { ++- case XML_TEXT_NODE: ++- case XML_CDATA_SECTION_NODE: ++- case XML_DOCUMENT_NODE: ++- case XML_HTML_DOCUMENT_NODE: ++- case XML_ELEMENT_NODE: ++- case XML_PI_NODE: ++- case XML_COMMENT_NODE: ++- nbchild++; ++- break; ++- case XML_DTD_NODE: ++- /* Unlink the DTD, it's still reachable using doc->intSubset */ ++- if (cur->next != NULL) ++- cur->next->prev = cur->prev; ++- if (cur->prev != NULL) ++- cur->prev->next = cur->next; ++- break; ++- default: ++-#ifdef WITH_XSLT_DEBUG_PROCESS ++- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, ++- 
"xsltDefaultProcessOneNode: skipping node type %d\n", ++- cur->type)); ++-#endif ++- delete = cur; ++- } +++ if (IS_XSLT_REAL_NODE(cur)) +++ nbchild++; ++ cur = cur->next; ++- if (delete != NULL) { ++-#ifdef WITH_XSLT_DEBUG_PROCESS ++- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, ++- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); ++-#endif ++- xmlUnlinkNode(delete); ++- xmlFreeNode(delete); ++- delete = NULL; ++- } ++- } ++- if (delete != NULL) { ++-#ifdef WITH_XSLT_DEBUG_PROCESS ++- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, ++- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); ++-#endif ++- xmlUnlinkNode(delete); ++- xmlFreeNode(delete); ++- delete = NULL; ++ } ++ ++ /* ++@@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, ++ xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp; ++ #endif ++ int i; ++- xmlNodePtr cur, delNode = NULL, oldContextNode; +++ xmlNodePtr cur, oldContextNode; ++ xmlNodeSetPtr list = NULL, oldList; ++ xsltStackElemPtr withParams = NULL; ++ int oldXPProximityPosition, oldXPContextSize; ++@@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, ++ else ++ cur = NULL; ++ while (cur != NULL) { ++- switch (cur->type) { ++- case XML_TEXT_NODE: ++- if ((IS_BLANK_NODE(cur)) && ++- (cur->parent != NULL) && ++- (cur->parent->type == XML_ELEMENT_NODE) && ++- (ctxt->style->stripSpaces != NULL)) { ++- const xmlChar *val; ++- ++- if (cur->parent->ns != NULL) { ++- val = (const xmlChar *) ++- xmlHashLookup2(ctxt->style->stripSpaces, ++- cur->parent->name, ++- cur->parent->ns->href); ++- if (val == NULL) { ++- val = (const xmlChar *) ++- xmlHashLookup2(ctxt->style->stripSpaces, ++- BAD_CAST "*", ++- cur->parent->ns->href); ++- } ++- } else { ++- val = (const xmlChar *) ++- xmlHashLookup2(ctxt->style->stripSpaces, ++- cur->parent->name, NULL); ++- } ++- if ((val != NULL) && 
++- (xmlStrEqual(val, (xmlChar *) "strip"))) { ++- delNode = cur; ++- break; ++- } ++- } ++- /* Intentional fall-through */ ++- case XML_ELEMENT_NODE: ++- case XML_DOCUMENT_NODE: ++- case XML_HTML_DOCUMENT_NODE: ++- case XML_CDATA_SECTION_NODE: ++- case XML_PI_NODE: ++- case XML_COMMENT_NODE: ++- xmlXPathNodeSetAddUnique(list, cur); ++- break; ++- case XML_DTD_NODE: ++- /* Unlink the DTD, it's still reachable ++- * using doc->intSubset */ ++- if (cur->next != NULL) ++- cur->next->prev = cur->prev; ++- if (cur->prev != NULL) ++- cur->prev->next = cur->next; ++- break; ++- case XML_NAMESPACE_DECL: ++- break; ++- default: ++-#ifdef WITH_XSLT_DEBUG_PROCESS ++- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, ++- "xsltApplyTemplates: skipping cur type %d\n", ++- cur->type)); ++-#endif ++- delNode = cur; ++- } +++ if (IS_XSLT_REAL_NODE(cur)) +++ xmlXPathNodeSetAddUnique(list, cur); ++ cur = cur->next; ++- if (delNode != NULL) { ++-#ifdef WITH_XSLT_DEBUG_PROCESS ++- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, ++- "xsltApplyTemplates: removing ignorable blank cur\n")); ++-#endif ++- xmlUnlinkNode(delNode); ++- xmlFreeNode(delNode); ++- delNode = NULL; ++- } ++ } ++ } ++ ++-- ++2.20.1 (Apple Git-117) ++ +diff --git a/third_party/libxslt/chromium/roll.py b/third_party/libxslt/chromium/roll.py +index 352bbd6d937f19c5cbb409f184f5b4e0abf4b7b3..c438a9eb96dcc62ca827fb4a647fb2cf1cc8cc0b 100755 +--- a/third_party/libxslt/chromium/roll.py ++++ b/third_party/libxslt/chromium/roll.py +@@ -67,6 +67,7 @@ import tempfile + PATCHES = [ + 'get-file-attributes-a.patch', + 'xslt-locale.patch', ++ 'Fix-use-after-free-in-xsltApplyTemplates.patch', + ] + + +diff --git a/third_party/libxslt/src/libxslt.spec b/third_party/libxslt/src/libxslt.spec +index 80b320fb86980367cddc579c386c24a2a1708f7c..7fb51e275fa4cc4a2bfc613ffb3868f464deeb5a 100644 +--- a/third_party/libxslt/src/libxslt.spec ++++ 
b/third_party/libxslt/src/libxslt.spec +@@ -128,5 +128,5 @@ rm -fr %{buildroot} + %doc python/tests/*.xsl + + %changelog +-* Fri Nov 8 2019 Daniel Veillard ++* Tue Jun 15 2021 Daniel Veillard + - upstream release 1.1.34 see http://xmlsoft.org/XSLT/news.html +diff --git a/third_party/libxslt/src/libxslt/transform.c b/third_party/libxslt/src/libxslt/transform.c +index d1c479320eca266c7b0996e3c16d47e7d6c5aaa9..265f5b3856f785f565691e2f5939c99275183e7f 100644 +--- a/third_party/libxslt/src/libxslt/transform.c ++++ b/third_party/libxslt/src/libxslt/transform.c +@@ -1895,7 +1895,7 @@ static void + xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, + xsltStackElemPtr params) { + xmlNodePtr copy; +- xmlNodePtr delete = NULL, cur; ++ xmlNodePtr cur; + int nbchild = 0, oldSize; + int childno = 0, oldPos; + xsltTemplatePtr template; +@@ -1968,54 +1968,13 @@ xsltDefaultProcessOneNode(xsltTransformContextPtr ctxt, xmlNodePtr node, + return; + } + /* +- * Handling of Elements: first pass, cleanup and counting ++ * Handling of Elements: first pass, counting + */ + cur = node->children; + while (cur != NULL) { +- switch (cur->type) { +- case XML_TEXT_NODE: +- case XML_CDATA_SECTION_NODE: +- case XML_DOCUMENT_NODE: +- case XML_HTML_DOCUMENT_NODE: +- case XML_ELEMENT_NODE: +- case XML_PI_NODE: +- case XML_COMMENT_NODE: +- nbchild++; +- break; +- case XML_DTD_NODE: +- /* Unlink the DTD, it's still reachable using doc->intSubset */ +- if (cur->next != NULL) +- cur->next->prev = cur->prev; +- if (cur->prev != NULL) +- cur->prev->next = cur->next; +- break; +- default: +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: skipping node type %d\n", +- cur->type)); +-#endif +- delete = cur; +- } ++ if (IS_XSLT_REAL_NODE(cur)) ++ nbchild++; + cur = cur->next; +- if (delete != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- 
XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); +-#endif +- xmlUnlinkNode(delete); +- xmlFreeNode(delete); +- delete = NULL; +- } +- } +- if (delete != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_PROCESS_NODE,xsltGenericDebug(xsltGenericDebugContext, +- "xsltDefaultProcessOneNode: removing ignorable blank node\n")); +-#endif +- xmlUnlinkNode(delete); +- xmlFreeNode(delete); +- delete = NULL; + } + + /* +@@ -4864,7 +4823,7 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, + xsltStylePreCompPtr comp = (xsltStylePreCompPtr) castedComp; + #endif + int i; +- xmlNodePtr cur, delNode = NULL, oldContextNode; ++ xmlNodePtr cur, oldContextNode; + xmlNodeSetPtr list = NULL, oldList; + xsltStackElemPtr withParams = NULL; + int oldXPProximityPosition, oldXPContextSize; +@@ -4998,73 +4957,9 @@ xsltApplyTemplates(xsltTransformContextPtr ctxt, xmlNodePtr node, + else + cur = NULL; + while (cur != NULL) { +- switch (cur->type) { +- case XML_TEXT_NODE: +- if ((IS_BLANK_NODE(cur)) && +- (cur->parent != NULL) && +- (cur->parent->type == XML_ELEMENT_NODE) && +- (ctxt->style->stripSpaces != NULL)) { +- const xmlChar *val; +- +- if (cur->parent->ns != NULL) { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- cur->parent->name, +- cur->parent->ns->href); +- if (val == NULL) { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- BAD_CAST "*", +- cur->parent->ns->href); +- } +- } else { +- val = (const xmlChar *) +- xmlHashLookup2(ctxt->style->stripSpaces, +- cur->parent->name, NULL); +- } +- if ((val != NULL) && +- (xmlStrEqual(val, (xmlChar *) "strip"))) { +- delNode = cur; +- break; +- } +- } +- /* Intentional fall-through */ +- case XML_ELEMENT_NODE: +- case XML_DOCUMENT_NODE: +- case XML_HTML_DOCUMENT_NODE: +- case XML_CDATA_SECTION_NODE: +- case XML_PI_NODE: +- case XML_COMMENT_NODE: +- 
xmlXPathNodeSetAddUnique(list, cur); +- break; +- case XML_DTD_NODE: +- /* Unlink the DTD, it's still reachable +- * using doc->intSubset */ +- if (cur->next != NULL) +- cur->next->prev = cur->prev; +- if (cur->prev != NULL) +- cur->prev->next = cur->next; +- break; +- case XML_NAMESPACE_DECL: +- break; +- default: +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, +- "xsltApplyTemplates: skipping cur type %d\n", +- cur->type)); +-#endif +- delNode = cur; +- } ++ if (IS_XSLT_REAL_NODE(cur)) ++ xmlXPathNodeSetAddUnique(list, cur); + cur = cur->next; +- if (delNode != NULL) { +-#ifdef WITH_XSLT_DEBUG_PROCESS +- XSLT_TRACE(ctxt,XSLT_TRACE_APPLY_TEMPLATES,xsltGenericDebug(xsltGenericDebugContext, +- "xsltApplyTemplates: removing ignorable blank cur\n")); +-#endif +- xmlUnlinkNode(delNode); +- xmlFreeNode(delNode); +- delNode = NULL; +- } + } + } +
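Review bot: The two new `if (IS_XSLT_REAL_NODE(cur))` checks in xsltDefaultProcessOneNode and xsltApplyTemplates carry no comment saying why the unlink/free paths were removed, so a later maintainer who sees blank text nodes reaching the node set could reintroduce in-loop deletion and with it the use-after-free this patch fixes. I would add above each check `/* Never unlink or free source-document nodes here: strip-space is applied when the document is loaded and these nodes may still be referenced elsewhere (use-after-free). DTD and other non-real nodes are simply skipped. */`, in both the nested Fix-use-after-free-in-xsltApplyTemplates.patch and src/libxslt/transform.c, which carry the same change twice on this page. The fix also relies on the patch description's premise that input whitespace is already stripped; if a source document reaches these loops without having gone through that stripping step, blank text nodes under strip-space elements will now be selected rather than dropped, which is worth one sentence in the Electron patch header. Both enclosing functions begin and end outside the excerpted hunks.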