chore: Chromium backports M87-1 (#26932)

* chore: chromium backports M87-1

Contains applicable backports from M87-1 release
CVE-2020-16037
CVE-2020-16041
CVE-2020-16042

* chore: cherry-pick 381c4b5679 from chromium. (#26832)

* fix: message box missing an "OK" button in GTK (#26915)

Co-authored-by: Mimi <1119186082@qq.com>

* chore: cherry-pick d8d64b7cd244 from chromium (#26892)

* chore: cherry-pick 290fe9c6e245 from v8 (#26896)

* docs: add missing deprecated systemPreferences APIs to breaking-changes (#26934)

Co-authored-by: Milan Burda <milan.burda@gmail.com>

* chore: cherry-pick 3abc372c9c00 from chromium (#26894)

* chore: cherry-pick 3abc372c9c00 from chromium

* resolve conflict

* fix: Avoid crashing in NativeViewHost::SetParentAccessible on Windows 10 (#26949)

* fix: Avoid crashing in NativeViewHost::SetParentAccessible on Windows

This fixes #26905. The patch was obtained from @deepak1556, who in turn
got it from the Microsoft Teams folks.

I believe the crash started happening due to the changes in
https://chromium.googlesource.com/chromium/src.git/+/5c6c8e994bce2bfb867279ae5068e9f9134e70c3%5E!/#F15

This affects Electron 9 and later.

Notes: Fix occasional crash on Windows

* Update .patches

* update patches

Co-authored-by: Biru Mohanathas <birunthan@mohanathas.com>
Co-authored-by: Jeremy Rose <jeremya@chromium.org>
Co-authored-by: Electron Bot <electron@github.com>

* fix: Upload all *.dll.pdb to symbol server (#26964)

Fixes #26961.

Notes: Add Electron DLLs like libGLESv2.dll to symbol server

Co-authored-by: Biru Mohanathas <birunthan@mohanathas.com>

* fix: restrict sendToFrame to same-process frames by default (#26875) (#26927)

* fix: restrict sendToFrame to same-process frames by default (#26875)

* missed a conflict

* fix build

* fix build again

* fix usage of defer

* Bump v10.2.0

* chore: cherry-pick 6763a713f957 from skia (#26956)

* chore: chromium backports M87-1

PR feedback: add links to changes in the upstream

Co-authored-by: Andrey Belenko <anbelen@microsoft.com>
Co-authored-by: Pedro Pontes <pepontes@microsoft.com>
Co-authored-by: trop[bot] <37223003+trop[bot]@users.noreply.github.com>
Co-authored-by: Mimi <1119186082@qq.com>
Co-authored-by: Jeremy Rose <jeremya@chromium.org>
Co-authored-by: Milan Burda <milan.burda@gmail.com>
Co-authored-by: Biru Mohanathas <birunthan@mohanathas.com>
Co-authored-by: Electron Bot <electron@github.com>
Co-authored-by: Michaela Laurencin <35157522+mlaurencin@users.noreply.github.com>

patches/chromium/.patches

@@ -125,6 +125,8 @@ merge_m86_ensure_that_buffers_used_by_imagedecoder_haven_t_been.patch
 cherry-pick-2d18de63acf1.patch
 only_zero_out_cross-origin_audio_that_doesn_t_get_played_out.patch
 fix_setparentacessibile_crash_win.patch
+backport_1142331.patch
+backport_1151865.patch
 cherry-pick-19aeffd4d93f.patch
 cherry-pick-4794770cf175.patch
 cherry-pick-79440c3a0675.patch

patches/chromium/backport_1142331.patch

@@ -0,0 +1,141 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrey Belenko <anbelen@microsoft.com>
+Date: Thu, 10 Dec 2020 18:04:03 +0100
+Subject: Chromium backport: crbug.com/1142331
+
+M87-1
+Clipboard: Fix UaP in ClipboardWriter/FileReaderLoader
+https://chromium-review.googlesource.com/c/chromium/src/+/2536946
+CVE-2020-16037
+
+diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc b/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc
+index fc5f32d86fd2cc4aeeaadddc94da6ce5e8e7990a..9c72fb55426f685045418947427406016d947589 100644
+--- a/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc
++++ b/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc
+@@ -104,7 +104,7 @@ ScriptPromise ClipboardPromise::CreateForWriteText(ExecutionContext* context,
+
+ ClipboardPromise::ClipboardPromise(ExecutionContext* context,
+                                    ScriptState* script_state)
+-    : ExecutionContextClient(context),
++    : ExecutionContextLifecycleObserver(context),
+       script_state_(script_state),
+       script_promise_resolver_(
+           MakeGarbageCollected<ScriptPromiseResolver>(script_state)),
+@@ -483,13 +483,20 @@ scoped_refptr<base::SingleThreadTaskRunner> ClipboardPromise::GetTaskRunner() {
+   return GetExecutionContext()->GetTaskRunner(TaskType::kUserInteraction);
+ }
+
++// ExecutionContextLifecycleObserver implementation.
++void ClipboardPromise::ContextDestroyed() {
++  script_promise_resolver_->Reject(MakeGarbageCollected<DOMException>(
++      DOMExceptionCode::kNotAllowedError, "Document detached."));
++  clipboard_writer_.Clear();
++}
++
+ void ClipboardPromise::Trace(Visitor* visitor) const {
+   visitor->Trace(script_state_);
+   visitor->Trace(script_promise_resolver_);
+   visitor->Trace(clipboard_writer_);
+   visitor->Trace(permission_service_);
+   visitor->Trace(clipboard_item_data_);
+-  ExecutionContextClient::Trace(visitor);
++  ExecutionContextLifecycleObserver::Trace(visitor);
+ }
+
+ }  // namespace blink
+diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_promise.h b/third_party/blink/renderer/modules/clipboard/clipboard_promise.h
+index 18efbc8c632dd7061fb31437529f1b14a25beb3a..307ce3b51a7c75b60301885685f5c0d780997250 100644
+--- a/third_party/blink/renderer/modules/clipboard/clipboard_promise.h
++++ b/third_party/blink/renderer/modules/clipboard/clipboard_promise.h
+@@ -26,7 +26,7 @@ class ExecutionContext;
+ class ClipboardItemOptions;
+
+ class ClipboardPromise final : public GarbageCollected<ClipboardPromise>,
+-                               public ExecutionContextClient {
++                               public ExecutionContextLifecycleObserver {
+   USING_GARBAGE_COLLECTED_MIXIN(ClipboardPromise);
+
+  public:
+@@ -83,6 +83,9 @@ class ClipboardPromise final : public GarbageCollected<ClipboardPromise>,
+   LocalFrame* GetLocalFrame() const;
+   scoped_refptr<base::SingleThreadTaskRunner> GetTaskRunner();
+
++  // ExecutionContextLifecycleObserver
++  void ContextDestroyed() override;
++
+   Member<ScriptState> script_state_;
+   Member<ScriptPromiseResolver> script_promise_resolver_;
+
+diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc b/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc
+index 2891db58d47b30575efd782ae1c7cf8ee7558cc4..4b224c9679ca51c01328479685970235f35a32fd 100644
+--- a/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc
++++ b/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc
+@@ -188,9 +188,12 @@ ClipboardWriter::ClipboardWriter(SystemClipboard* system_clipboard,
+       file_reading_task_runner_(promise->GetExecutionContext()->GetTaskRunner(
+           TaskType::kFileReading)),
+       system_clipboard_(system_clipboard),
+-      raw_system_clipboard_(raw_system_clipboard) {}
++      raw_system_clipboard_(raw_system_clipboard),
++      self_keep_alive_(PERSISTENT_FROM_HERE, this) {}
+
+-ClipboardWriter::~ClipboardWriter() = default;
++ClipboardWriter::~ClipboardWriter() {
++  DCHECK(!file_reader_);
++}
+
+ // static
+ bool ClipboardWriter::IsValidType(const String& type, bool is_raw) {
+@@ -220,7 +223,9 @@ void ClipboardWriter::DidFinishLoading() {
+   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+   DOMArrayBuffer* array_buffer = file_reader_->ArrayBufferResult();
+   DCHECK(array_buffer);
++
+   file_reader_.reset();
++  self_keep_alive_.Clear();
+
+   worker_pool::PostTask(
+       FROM_HERE, CrossThreadBindOnce(&ClipboardWriter::DecodeOnBackgroundThread,
+@@ -230,6 +235,8 @@ void ClipboardWriter::DidFinishLoading() {
+ }
+
+ void ClipboardWriter::DidFail(FileErrorCode error_code) {
++  file_reader_.reset();
++  self_keep_alive_.Clear();
+   promise_->RejectFromReadOrDecodeFailure();
+ }
+
+diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_writer.h b/third_party/blink/renderer/modules/clipboard/clipboard_writer.h
+index 527b063cd20900653dc37027bef8d24af31fb6de..3de3f5ad34b8ebf378421c64c917e3091e5343c6 100644
+--- a/third_party/blink/renderer/modules/clipboard/clipboard_writer.h
++++ b/third_party/blink/renderer/modules/clipboard/clipboard_writer.h
+@@ -9,6 +9,7 @@
+ #include "third_party/blink/renderer/core/fileapi/blob.h"
+ #include "third_party/blink/renderer/core/fileapi/file_reader_loader_client.h"
+ #include "third_party/blink/renderer/platform/heap/heap.h"
++#include "third_party/blink/renderer/platform/heap/self_keep_alive.h"
+ #include "third_party/skia/include/core/SkImage.h"
+
+ namespace blink {
+@@ -27,6 +28,11 @@ class RawSystemClipboard;
+ //     take advantage of vulnerabilities in their decoders. In
+ //     ClipboardRawDataWriter, this decoding is skipped.
+ // (3) Writing the blob's decoded contents to the system clipboard.
++//
++// ClipboardWriter is owned only by itself and ClipboardPromise. It keeps
++// itself alive for the duration of FileReaderLoader's async operations using
++// SelfKeepAlive, and keeps itself alive afterwards during cross-thread
++// operations by using WrapCrossThreadPersistent.
+ class ClipboardWriter : public GarbageCollected<ClipboardWriter>,
+                         public FileReaderLoaderClient {
+  public:
+@@ -80,6 +86,10 @@ class ClipboardWriter : public GarbageCollected<ClipboardWriter>,
+   Member<SystemClipboard> system_clipboard_;
+   // Access to the global unsanitized system clipboard.
+   Member<RawSystemClipboard> raw_system_clipboard_;
++
++  // Oilpan: ClipboardWriter must remain alive until Member<T>::Clear() is
++  // called, to keep the FileReaderLoader alive and avoid unexpected UaPs.
++  SelfKeepAlive<ClipboardWriter> self_keep_alive_;
+ };
+
+ }  // namespace blink

patches/chromium/backport_1151865.patch

@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrey Belenko <anbelen@microsoft.com>
+Date: Thu, 10 Dec 2020 22:16:48 +0100
+Subject: Chromium backport: crbug.com/1151865
+
+M87-1
+Reject mojom::DataElement serialization if array size read failed
+https://chromium-review.googlesource.com/c/chromium/src/+/2567130
+CVE-2020-16041
+
+diff --git a/services/network/public/cpp/url_request_mojom_traits.cc b/services/network/public/cpp/url_request_mojom_traits.cc
+index ce1478f6df691d5b1f7862a45ac3989a43e2d814..881bcb23ab3291e61088458f46c446fe9e7fb7cf 100644
+--- a/services/network/public/cpp/url_request_mojom_traits.cc
++++ b/services/network/public/cpp/url_request_mojom_traits.cc
+@@ -286,6 +286,8 @@ bool StructTraits<network::mojom::DataElementDataView, network::DataElement>::
+   if (data.type() == network::mojom::DataElementType::kBytes) {
+     if (!data.ReadBuf(&out->buf_))
+       return false;
++    if (data.length() != out->buf_.size())
++      return false;
+   }
+   out->type_ = data.type();
+   out->data_pipe_getter_ = data.TakeDataPipeGetter<

patches/v8/.patches

@@ -15,6 +15,7 @@ cherry-pick-8c725f7b5bbf.patch
 cherry-pick-146bd99e762b.patch
 cherry-pick-633f67caa6d0.patch
 cherry-pick-290fe9c6e245.patch
+backport_1151890.patch
 cherry-pick-63166010061d.patch
 merged_deoptimizer_stricter_checks_during_deoptimization.patch
 merged_compiler_mark_jsstoreinarrayliteral_as_needing_a_frame.patch

patches/v8/backport_1151890.patch

@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrey Belenko <anbelen@microsoft.com>
+Date: Thu, 10 Dec 2020 22:08:54 +0100
+Subject: Chromium backport: crbug.com/1151890
+
+M87-1
+Fix possibly-uninitialized leading digit on right shift
+https://chromium-review.googlesource.com/c/v8/v8/+/2565245
+CVE-2020-16042
+
+diff --git a/src/objects/bigint.cc b/src/objects/bigint.cc
+index 2f8337db979d767dd421b5cf02ded59061ac64f4..d62e4cc00c8459adecaada32599ca25c7d1ad9e4 100644
+--- a/src/objects/bigint.cc
++++ b/src/objects/bigint.cc
+@@ -1862,6 +1862,8 @@ Handle<BigInt> MutableBigInt::RightShiftByAbsolute(Isolate* isolate,
+   DCHECK_LE(result_length, length);
+   Handle<MutableBigInt> result = New(isolate, result_length).ToHandleChecked();
+   if (bits_shift == 0) {
++    // Zero out any overflow digit (see "rounding_can_overflow" above).
++    result->set_digit(result_length - 1, 0);
+     for (int i = digit_shift; i < length; i++) {
+       result->set_digit(i - digit_shift, x->digit(i));
+     }