Dominique Leuenberger 2021-11-03 16:25:23 +00:00 committed by Git OBS Bridge
commit fd1f2ab729
13 changed files with 82 additions and 433 deletions


@ -1,42 +0,0 @@
From 218438259dd795456f0a48f67cbe5b4e520db88b Mon Sep 17 00:00:00 2001
From: Matthew Denton <mpdenton@chromium.org>
Date: Thu, 3 Jun 2021 20:06:13 +0000
Subject: [PATCH] Linux sandbox: return ENOSYS for clone3
Because clone3 uses a pointer argument rather than a flags argument, we
cannot examine the contents with seccomp, which is essential to
preventing sandboxed processes from starting other processes. So, we
won't be able to support clone3 in Chromium. This CL modifies the
BPF policy to return ENOSYS for clone3 so glibc always uses the fallback
to clone.
Bug: 1213452
Change-Id: I7c7c585a319e0264eac5b1ebee1a45be2d782303
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2936184
Reviewed-by: Robert Sesek <rsesek@chromium.org>
Commit-Queue: Matthew Denton <mpdenton@chromium.org>
Cr-Commit-Position: refs/heads/master@{#888980}
---
.../sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc | 8 ++++++++
diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index 3c67b124786..81cb25e139e 100644
--- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -165,6 +165,14 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
return RestrictCloneToThreadsAndEPERMFork();
}
+ // clone3 takes a pointer argument which we cannot examine, so return ENOSYS
+ // to force the libc to use clone. See https://crbug.com/1213452.
+ #if defined(__NR_clone3)
+ if (sysno == __NR_clone3) {
+ return Error(ENOSYS);
+ }
+ #endif
+
if (sysno == __NR_fcntl)
return RestrictFcntlCommands();
--
2.32.0


@ -1,11 +1,11 @@
<services>
<service name="tar_scm" mode="disabled">
<param name="changesgenerate">enable</param>
<param name="version">5.15.6</param>
<param name="version">5.15.7</param>
<param name="url">git://code.qt.io/qt/qtwebengine.git</param>
<param name="scm">git</param>
<param name="filename">qtwebengine-everywhere-src</param>
<param name="revision">v5.15.6-lts</param>
<param name="revision">v5.15.7-lts</param>
</service>
<service name="recompress" mode="disabled">
<param name="file">*.tar</param>


@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">git://code.qt.io/qt/qtwebengine.git</param>
<param name="changesrevision">2acbba86362ac3a1c2d8c20390dc263875f8f09c</param></service></servicedata>
<param name="changesrevision">f0a1cb8da24518c03858b85378f9ad82b0603a1a</param></service></servicedata>


@ -1,149 +0,0 @@
# Patch made by Kevin Kofler <Kevin@tigcc.ticalc.org>
# https://bugzilla.redhat.com/show_bug.cgi?id=1904652
diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index 4772dc0..1f31d3a 100644
--- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -268,6 +268,18 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
}
#endif
+#if defined(__NR_newfstatat)
+ if (sysno == __NR_newfstatat) {
+ return RewriteFstatatSIGSYS();
+ }
+#endif
+
+#if defined(__NR_fstatat64)
+ if (sysno == __NR_fstatat64) {
+ return RewriteFstatatSIGSYS();
+ }
+#endif
+
if (SyscallSets::IsFileSystem(sysno) ||
SyscallSets::IsCurrentDirectory(sysno)) {
return Error(fs_denied_errno);
diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
index 76eb324..ad95656 100644
--- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
@@ -6,6 +6,8 @@
#include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
+#include <errno.h>
+#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
@@ -355,6 +357,35 @@ intptr_t SIGSYSSchedHandler(const struct arch_seccomp_data& args,
return -ENOSYS;
}
+intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
+ void* aux) {
+ switch (args.nr) {
+#if defined(__NR_newfstatat)
+ case __NR_newfstatat:
+#endif
+#if defined(__NR_fstatat64)
+ case __NR_fstatat64:
+#endif
+#if defined(__NR_newfstatat) || defined(__NR_fstatat64)
+ if (*reinterpret_cast<const char *>(args.args[1]) == '\0'
+ && args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) {
+ return sandbox::sys_fstat64(static_cast<int>(args.args[0]),
+ reinterpret_cast<struct stat64 *>(args.args[2]));
+ } else {
+ errno = EACCES;
+ return -1;
+ }
+ break;
+#endif
+ }
+
+ CrashSIGSYS_Handler(args, aux);
+
+ // Should never be reached.
+ RAW_CHECK(false);
+ return -ENOSYS;
+}
+
bpf_dsl::ResultExpr CrashSIGSYS() {
return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
}
@@ -387,6 +418,10 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS() {
return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
}
+bpf_dsl::ResultExpr RewriteFstatatSIGSYS() {
+ return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL);
+}
+
void AllocateCrashKeys() {
#if !defined(OS_NACL_NONSFI)
if (seccomp_crash_key)
diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
index 7a958b9..d0bfab7 100644
--- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
@@ -62,6 +62,10 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFailure(const arch_seccomp_data& args,
// sched_setparam(), sched_setscheduler()
SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
void* aux);
+// If the fstatat syscall is actually a disguised fstat, calls the regular fstat
+// syscall, otherwise, crashes in the same way as CrashSIGSYS_Handler.
+SANDBOX_EXPORT intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
+ void* aux);
// Variants of the above functions for use with bpf_dsl.
SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
@@ -72,6 +76,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSKill();
SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
+SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS();
// Allocates a crash key so that Seccomp information can be recorded.
void AllocateCrashKeys();
diff --git a/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc b/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc
index fcfd2aa..5396b36 100644
--- a/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc
+++ b/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc
@@ -261,4 +261,13 @@ int sys_sigaction(int signum,
#endif // defined(MEMORY_SANITIZER)
+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf)
+{
+#if defined(__NR_fstat64)
+ return syscall(__NR_fstat64, fd, buf);
+#else
+ return syscall(__NR_fstat, fd, buf);
+#endif
+}
+
} // namespace sandbox
diff --git a/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h b/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h
index 1975bfb..ed7ee5a 100644
--- a/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h
+++ b/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h
@@ -17,6 +17,7 @@ struct sock_fprog;
struct rlimit64;
struct cap_hdr;
struct cap_data;
+struct stat64;
namespace sandbox {
@@ -84,6 +85,9 @@ SANDBOX_EXPORT int sys_sigaction(int signum,
const struct sigaction* act,
struct sigaction* oldact);
+// Recent glibc rewrites fstat to fstatat.
+SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf);
+
} // namespace sandbox
#endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_


@ -1,24 +0,0 @@
Subject: Fix build with harfbuzz 3.0.0
Upstream backport copied from Arch and rebased.
# https://github.com/chromium/chromium/commit/b289f6f3fcbc
diff --git a/src/3rdparty/chromium/components/paint_preview/common/subset_font.cc b/src/3rdparty/chromium/components/paint_preview/common/subset_font.cc
index 8ff0540d9a..20a7d37474 100644
--- a/src/3rdparty/chromium/components/paint_preview/common/subset_font.cc
+++ b/src/3rdparty/chromium/components/paint_preview/common/subset_font.cc
@@ -72,9 +72,11 @@ sk_sp<SkData> SubsetFont(SkTypeface* typeface, const GlyphUsage& usage) {
hb_set_t* glyphs =
hb_subset_input_glyph_set(input.get()); // Owned by |input|.
usage.ForEach(base::BindRepeating(&AddGlyphs, base::Unretained(glyphs)));
- hb_subset_input_set_retain_gids(input.get(), true);
+ hb_subset_input_set_flags(input.get(), HB_SUBSET_FLAGS_RETAIN_GIDS);
- HbScoped<hb_face_t> subset_face(hb_subset(face.get(), input.get()));
+ HbScoped<hb_face_t> subset_face(hb_subset_or_fail(face.get(), input.get()));
+ if (!subset_face)
+ return nullptr;
HbScoped<hb_blob_t> subset_blob(hb_face_reference_blob(subset_face.get()));
if (!subset_blob)
return nullptr;


@ -1,26 +0,0 @@
From: Fabian Vogt <fvogt@suse.com>
Subject: Fix build with harfbuzz < 2.9.0
Index: qtwebengine-everywhere-src-5.15.6/src/3rdparty/chromium/components/paint_preview/common/subset_font.cc
===================================================================
--- qtwebengine-everywhere-src-5.15.6.orig/src/3rdparty/chromium/components/paint_preview/common/subset_font.cc
+++ qtwebengine-everywhere-src-5.15.6/src/3rdparty/chromium/components/paint_preview/common/subset_font.cc
@@ -71,11 +71,18 @@ sk_sp<SkData> SubsetFont(SkTypeface* typ
hb_set_t* glyphs =
hb_subset_input_glyph_set(input.get()); // Owned by |input|.
usage.ForEach(base::BindRepeating(&AddGlyphs, base::Unretained(glyphs)));
+#if HB_VERSION_ATLEAST(2,9,0)
hb_subset_input_set_flags(input.get(), HB_SUBSET_FLAGS_RETAIN_GIDS);
HbScoped<hb_face_t> subset_face(hb_subset_or_fail(face.get(), input.get()));
if (!subset_face)
return nullptr;
+#else
+ hb_subset_input_set_retain_gids(input.get(), true);
+
+ HbScoped<hb_face_t> subset_face(hb_subset(face.get(), input.get()));
+#endif
+
HbScoped<hb_blob_t> subset_blob(hb_face_reference_blob(subset_face.get()));
if (!subset_blob)
return nullptr;


@ -1,62 +0,0 @@
From eaae274cb1975be558d8a535ba2310bc67c073a6 Mon Sep 17 00:00:00 2001
From: "Bernhard M. Wiedemann" <bwiedemann suse de>
Date: Wed, 24 Mar 2021 16:00:08 +0100
Subject: [PATCH] https://bugzilla.opensuse.org/show_bug.cgi?id=1163766
seccomp filters disallow a new kernel syscall to get time
used on i586
---
src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc | 6 ++++++
src/3rdparty/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h | 8 ++++++++
src/3rdparty/chromium/sandbox/policy/linux/bpf_ime_policy_linux.cc | 3 +++
3 files changed, 17 insertions(+)
Index: qtwebengine-everywhere-src-5.15.3/src/3rdparty/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
===================================================================
--- qtwebengine-everywhere-src-5.15.3.orig/src/3rdparty/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
+++ qtwebengine-everywhere-src-5.15.3/src/3rdparty/chromium/sandbox/linux/system_headers/x86_32_linux_syscalls.h
@@ -1710,5 +1710,13 @@
#define __NR_clone3 435
#endif
+#if !defined(__NR_clock_gettime64)
+#define __NR_clock_gettime64 403
+#endif
+
+#if !defined(__NR_clock_nanosleep_time64)
+#define __NR_clock_nanosleep_time64 407
+#endif
+
#endif // SANDBOX_LINUX_SYSTEM_HEADERS_X86_32_LINUX_SYSCALLS_H_
Index: qtwebengine-everywhere-src-5.15.3/src/3rdparty/chromium/sandbox/policy/linux/bpf_ime_policy_linux.cc
===================================================================
--- qtwebengine-everywhere-src-5.15.3.orig/src/3rdparty/chromium/sandbox/policy/linux/bpf_ime_policy_linux.cc
+++ qtwebengine-everywhere-src-5.15.3/src/3rdparty/chromium/sandbox/policy/linux/bpf_ime_policy_linux.cc
@@ -32,6 +32,9 @@ ResultExpr ImeProcessPolicy::EvaluateSys
#if defined(__NR_clock_gettime)
case __NR_clock_gettime:
#endif
+#if defined(__NR_clock_gettime64)
+ case __NR_clock_gettime64:
+#endif
return Allow();
// https://crbug.com/991435
#if defined(__NR_getrusage)
Index: qtwebengine-everywhere-src-5.15.3/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
===================================================================
--- qtwebengine-everywhere-src-5.15.3.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ qtwebengine-everywhere-src-5.15.3/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -161,6 +161,12 @@ ResultExpr EvaluateSyscallImpl(int fs_de
return RestrictClockID();
}
+#if defined(__NR_clock_gettime64)
+ if (sysno == __NR_clock_gettime64 || sysno == __NR_clock_nanosleep_time64) {
+ return RestrictClockID();
+ }
+#endif
+
if (sysno == __NR_clone) {
return RestrictCloneToThreadsAndEPERMFork();
}


@ -1,3 +1,68 @@
-------------------------------------------------------------------
Fri Oct 29 09:53:05 UTC 2021 - christophe@krop.fr
- Update to version 5.15.7:
* Update Chromium:
[Backport] Linux sandbox: update syscalls numbers on 32-bit platforms
[Backport] sandbox: linux: allow clock_nanosleep & gettime64
[Backport] Linux sandbox: update syscall numbers for all platforms.
[Backport] Ease HarfBuzz API change with feature detection
[Backport] Security bug 1248665
[Backport] CVE-2021-37975 : Use after free in V8
[Backport] CVE-2021-37980 : Inappropriate implementation in Sandbox
[Backport] CVE-2021-37979 : Heap buffer overflow in WebRTC (2/2)
[Backport] CVE-2021-37979 : Heap buffer overflow in WebRTC (1/2)
[Backport] CVE-2021-37978 : Heap buffer overflow in Blink
[Backport] CVE-2021-30616: Use after free in Media.
[Backport] CVE-2021-37962 : Use after free in Performance Manager (2/2)
[Backport] CVE-2021-37962 : Use after free in Performance Manager (1/2)
[Backport] CVE-2021-37973 : Use after free in Portals
[Backport] CVE-2021-37971 : Incorrect security UI in Web Browser UI.
[Backport] CVE-2021-37968 : Inappropriate implementation in Background Fetch API
[Backport] CVE-2021-37967 : Inappropriate implementation in Background Fetch API
[Backport] Linux sandbox: return ENOSYS for clone3
[Backport] Linux sandbox: fix fstatat() crash
[Backport] Reland "Reland "Linux sandbox syscall broker: use struct kernel_stat""
[Backport] Security bug 1238178 (2/2)
[Backport] Security bug 1238178 (1/2)
[Backport] CVE-2021-30633: Use after free in Indexed DB API (2/2)
[Backport] CVE-2021-30633: Use after free in Indexed DB API (1/2)
[Backport] CVE-2021-30630: Inappropriate implementation in Blink
[Backport] CVE-2021-30629: Use after free in Permissions
[Backport] CVE-2021-30628: Stack buffer overflow in ANGLE
[Backport] CVE-2021-30627: Type Confusion in Blink layout
[Backport] CVE-2021-30626: Out of bounds memory access in ANGLE
[Backport] CVE-2021-30625: Use after free in Selection API
[Backport] Security bug 1206289
[Backport] CVE-2021-30613: Use after free in Base internals
[Backport] Security bug 1227228
[Backport] CVE-2021-30618: Inappropriate implementation in DevTools
* Update patch level
* Blacklist certificate test until certicates have been renewed
* Block CORS from local URLs when remote access is not enabled
* Do not wait on weak_pointer for termination errors
* Support MSVC_VER 16.8
* Fix wrong save file filter for Markdown Editor example
* Add Chromium version source documentation
* Bump version from 5.15.6 to 5.15.7
* Fix crash when clicking on a link in PDF
- Drop openSUSE patches:
* fix1163766.patch. Should be addressed with:
https://github.com/qt/qtwebengine-chromium/commit/652f834de
https://github.com/qt/qtwebengine-chromium/commit/faae106ed
https://github.com/qt/qtwebengine-chromium/commit/6b7b3f1bf
* chromium-glibc-2.33.patch. Should be addressed with the
[Backport] Linux sandbox: fix fstatat() crash and
Reland "Reland "Linux sandbox syscall broker: use struct kernel_stat""
changes.
* chromium-older-harfbuzz.patch
- Drop upstream changes:
* 0001-return-ENOSYS-for-clone3.patch
* chromium-harfbuzz-3.0.0.patch
* skia-harfbuzz-3.0.0.patch
- Rebase patches:
* sandbox-statx-futex_time64.patch
-------------------------------------------------------------------
Tue Sep 21 11:34:41 UTC 2021 - Fabian Vogt <fvogt@suse.com>


@ -29,35 +29,26 @@
%global _qtwebengine_dictionaries_dir %{_libqt5_datadir}/qtwebengine_dictionaries
Name: libqt5-qtwebengine
Version: 5.15.6
Version: 5.15.7
Release: 0
Summary: Qt 5 WebEngine Library
License: LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
Group: Development/Libraries/X11
URL: https://www.qt.io
%define base_name libqt5
%define real_version 5.15.6
%define so_version 5.15.6
%define real_version 5.15.7
%define so_version 5.15.7
%define tar_version qtwebengine-everywhere-src-%{version}
Source: %{tar_version}.tar.xz
# PATCH-FIX-UPSTREAM armv6-ffmpeg-no-thumb.patch - Fix ffmpeg configuration for armv6
Patch0: armv6-ffmpeg-no-thumb.patch
# PATCH-FIX-OPENSUSE disable-gpu-when-using-nouveau-boo-1005323.diff
Patch1: disable-gpu-when-using-nouveau-boo-1005323.diff
Patch2: fix1163766.patch
Patch3: sandbox-statx-futex_time64.patch
Patch2: sandbox-statx-futex_time64.patch
# PATCH-FIX-OPENSUSE
Patch4: rtc-dont-use-h264.patch
Patch3: rtc-dont-use-h264.patch
# PATCH-FIX-UPSTREAM
Patch5: chromium-glibc-2.33.patch
# PATCH-FIX-UPSTREAM
Patch6: 0001-Fix-build-with-glibc-2.34.patch
# PATCH-FIX-UPSTREAM
Patch7: 0001-return-ENOSYS-for-clone3.patch
Patch8: chromium-harfbuzz-3.0.0.patch
Patch9: skia-harfbuzz-3.0.0.patch
# PATCH-FIX-OPENSUSE
Patch10: chromium-older-harfbuzz.patch
Patch4: 0001-Fix-build-with-glibc-2.34.patch
# http://www.chromium.org/blink is not ported to PowerPC & s390
ExcludeArch: ppc ppc64 ppc64le s390 s390x
# Try to fix i586 MemoryErrors with rpmlint
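Review bot: `Patch2: sandbox-statx-futex_time64.patch` is left with no PATCH-FIX tag or description above it once the `fix1163766.patch` line is dropped, even though it is one of the remaining patches that changes the Chromium seccomp-bpf sandbox policy. A provenance comment would keep it auditable on the next rebase, for example `# PATCH-FIX-OPENSUSE sandbox-statx-futex_time64.patch -- return ENOSYS for statx and handle futex_time64 in the seccomp policy`; the wording should be checked against the patch header, and the tag should be PATCH-FIX-UPSTREAM if the patch has an upstream origin, which is not visible here. The patches after it are renumbered too, so if `%prep` applies them by number rather than with `%autosetup`, those references need the same shift. `%prep` lies outside this hunk.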


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0acc53400520e0c60c32065b914ed53660788051e826b49de45137833002bb75
size 319566384


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3b7360ee119506bb89016f97ee0e5391fa5b3967b542f10092909feeaef460f7
size 319447784


@ -8,11 +8,11 @@ Return -ENOSYS instead to trigger the fallback in glibc.
futex_time64 is also used internally in glibc, so handle that as well.
The signature is identical where it matters.
diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index 3c67b124786..4772dc096f5 100644
diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
index 6f7768f7d..b3335e2bf 100644
--- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -194,6 +194,11 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
@@ -203,6 +203,11 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
if (sysno == __NR_futex)
return RestrictFutex();
@ -24,8 +24,8 @@ index 3c67b124786..4772dc096f5 100644
if (sysno == __NR_set_robust_list)
return Error(EPERM);
@@ -257,6 +262,12 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
return RestrictKillTarget(current_pid, sysno);
@@ -283,6 +288,12 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
return RewriteFstatatSIGSYS(fs_denied_errno);
}
+#if defined(__NR_statx)


@ -1,104 +0,0 @@
Subject: Fix build with harfbuzz 3.0.0
Upstream backport copied from Arch and rebased.
# Minimal diff for harfbuzz 3.0.0 support; based on:
# https://github.com/google/skia/commit/66684b17b382
# https://github.com/google/skia/commit/51d83abcd24a
diff --git a/src/3rdparty/chromium/third_party/skia/gn/skia.gni b/src/3rdparty/chromium/third_party/skia/gn/skia.gni
index d98fdc19ee..199335d5c4 100644
--- a/src/3rdparty/chromium/third_party/skia/gn/skia.gni
+++ b/src/3rdparty/chromium/third_party/skia/gn/skia.gni
@@ -34,8 +34,6 @@ declare_args() {
skia_include_multiframe_procs = false
skia_lex = false
skia_libgifcodec_path = "third_party/externals/libgifcodec"
- skia_pdf_subset_harfbuzz =
- false # TODO: set skia_pdf_subset_harfbuzz to skia_use_harfbuzz.
skia_qt_path = getenv("QT_PATH")
skia_skqp_global_error_tolerance = 0
skia_tools_require_resources = false
@@ -99,6 +97,10 @@ declare_args() {
skia_use_libfuzzer_defaults = true
}
+declare_args() {
+ skia_pdf_subset_harfbuzz = skia_use_harfbuzz
+}
+
declare_args() {
skia_compile_sksl_tests = skia_compile_processors
skia_enable_fontmgr_android = skia_use_expat && skia_use_freetype
diff --git a/src/3rdparty/chromium/third_party/skia/src/pdf/SkPDFSubsetFont.cpp b/src/3rdparty/chromium/third_party/skia/src/pdf/SkPDFSubsetFont.cpp
index 81c37eef3a..2340a7937b 100644
--- a/src/3rdparty/chromium/third_party/skia/src/pdf/SkPDFSubsetFont.cpp
+++ b/src/3rdparty/chromium/third_party/skia/src/pdf/SkPDFSubsetFont.cpp
@@ -49,6 +49,37 @@ static sk_sp<SkData> to_data(HBBlob blob) {
blob.release());
}
+template<typename...> using void_t = void;
+template<typename T, typename = void>
+struct SkPDFHarfBuzzSubset {
+ // This is the HarfBuzz 3.0 interface.
+ // hb_subset_flags_t does not exist in 2.0. It isn't dependent on T, so inline the value of
+ // HB_SUBSET_FLAGS_RETAIN_GIDS until 2.0 is no longer supported.
+ static HBFace Make(T input, hb_face_t* face) {
+ // TODO: When possible, check if a font is 'tricky' with FT_IS_TRICKY.
+ // If it isn't known if a font is 'tricky', retain the hints.
+ hb_subset_input_set_flags(input, 2/*HB_SUBSET_FLAGS_RETAIN_GIDS*/);
+ return HBFace(hb_subset_or_fail(face, input));
+ }
+};
+template<typename T>
+struct SkPDFHarfBuzzSubset<T, void_t<
+ decltype(hb_subset_input_set_retain_gids(std::declval<T>(), std::declval<bool>())),
+ decltype(hb_subset_input_set_drop_hints(std::declval<T>(), std::declval<bool>())),
+ decltype(hb_subset(std::declval<hb_face_t*>(), std::declval<T>()))
+ >>
+{
+ // This is the HarfBuzz 2.0 (non-public) interface, used if it exists.
+ // This code should be removed as soon as all users are migrated to the newer API.
+ static HBFace Make(T input, hb_face_t* face) {
+ hb_subset_input_set_retain_gids(input, true);
+ // TODO: When possible, check if a font is 'tricky' with FT_IS_TRICKY.
+ // If it isn't known if a font is 'tricky', retain the hints.
+ hb_subset_input_set_drop_hints(input, false);
+ return HBFace(hb_subset(face, input));
+ }
+};
+
static sk_sp<SkData> subset_harfbuzz(sk_sp<SkData> fontData,
const SkPDFGlyphUse& glyphUsage,
int ttcIndex) {
@@ -71,11 +102,10 @@ static sk_sp<SkData> subset_harfbuzz(sk_sp<SkData> fontData,
hb_set_t* glyphs = hb_subset_input_glyph_set(input.get());
glyphUsage.getSetValues([&glyphs](unsigned gid) { hb_set_add(glyphs, gid);});
- hb_subset_input_set_retain_gids(input.get(), true);
- // TODO: When possible, check if a font is 'tricky' with FT_IS_TRICKY.
- // If it isn't known if a font is 'tricky', retain the hints.
- hb_subset_input_set_drop_hints(input.get(), false);
- HBFace subset(hb_subset(face.get(), input.get()));
+ HBFace subset = SkPDFHarfBuzzSubset<hb_subset_input_t*>::Make(input.get(), face.get());
+ if (!subset) {
+ return nullptr;
+ }
HBBlob result(hb_face_reference_blob(subset.get()));
return to_data(std::move(result));
}
diff --git a/src/3rdparty/chromium/third_party/skia/third_party/harfbuzz/BUILD.gn b/src/3rdparty/chromium/third_party/skia/third_party/harfbuzz/BUILD.gn
index 173830de62..4156607ef9 100644
--- a/src/3rdparty/chromium/third_party/skia/third_party/harfbuzz/BUILD.gn
+++ b/src/3rdparty/chromium/third_party/skia/third_party/harfbuzz/BUILD.gn
@@ -14,6 +14,9 @@ if (skia_use_system_harfbuzz) {
system("harfbuzz") {
include_dirs = [ "/usr/include/harfbuzz" ]
libs = [ "harfbuzz" ]
+ if (skia_pdf_subset_harfbuzz) {
+ libs += [ "harfbuzz-subset" ]
+ }
}
} else {
third_party("harfbuzz") {