
chore: Chromium backports M87-1 (#26931)

Andrey Belenko 4 years ago
parent
commit
f56bf9fad4

+ 2 - 0
patches/chromium/.patches

@@ -164,3 +164,5 @@ cherry-pick-ecdec1fb0f42.patch
 cherry-pick-2d18de63acf1.patch
 only_zero_out_cross-origin_audio_that_doesn_t_get_played_out.patch
 fix_setparentacessibile_crash_win.patch
+backport_1142331.patch
+backport_1151865.patch

+ 140 - 0
patches/chromium/backport_1142331.patch

@@ -0,0 +1,140 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrey Belenko <[email protected]>
+Date: Thu, 10 Dec 2020 18:03:59 +0100
+Subject: Chromium backport: crbug.com/1142331
+
+M87-1
+Clipboard: Fix UaP in ClipboardWriter/FileReaderLoader
+https://chromium-review.googlesource.com/c/chromium/src/+/2536946
+CVE-2020-16037
+
+diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc b/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc
+index 47bd085c92ff97e30b82f48b99bece2d3f8ffbd7..5b9d059291a8c60e33c15f5d981cea06045f4044 100644
+--- a/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc
++++ b/third_party/blink/renderer/modules/clipboard/clipboard_promise.cc
+@@ -101,7 +101,7 @@ ScriptPromise ClipboardPromise::CreateForWriteText(ExecutionContext* context,
+ 
+ ClipboardPromise::ClipboardPromise(ExecutionContext* context,
+                                    ScriptState* script_state)
+-    : ExecutionContextClient(context),
++    : ExecutionContextLifecycleObserver(context),
+       script_state_(script_state),
+       script_promise_resolver_(
+           MakeGarbageCollected<ScriptPromiseResolver>(script_state)),
+@@ -396,12 +396,19 @@ scoped_refptr<base::SingleThreadTaskRunner> ClipboardPromise::GetTaskRunner() {
+   return GetExecutionContext()->GetTaskRunner(TaskType::kUserInteraction);
+ }
+ 
++// ExecutionContextLifecycleObserver implementation.
++void ClipboardPromise::ContextDestroyed() {
++  script_promise_resolver_->Reject(MakeGarbageCollected<DOMException>(
++      DOMExceptionCode::kNotAllowedError, "Document detached."));
++  clipboard_writer_.Clear();
++}
++
+ void ClipboardPromise::Trace(Visitor* visitor) {
+   visitor->Trace(script_state_);
+   visitor->Trace(script_promise_resolver_);
+   visitor->Trace(clipboard_writer_);
+   visitor->Trace(clipboard_item_data_);
+-  ExecutionContextClient::Trace(visitor);
++  ExecutionContextLifecycleObserver::Trace(visitor);
+ }
+ 
+ }  // namespace blink
+diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_promise.h b/third_party/blink/renderer/modules/clipboard/clipboard_promise.h
+index c2c7286149238db914087af743cc4c0042da95ba..65f4797b2e3eb45dd4c6f1ba8fda608d1488edef 100644
+--- a/third_party/blink/renderer/modules/clipboard/clipboard_promise.h
++++ b/third_party/blink/renderer/modules/clipboard/clipboard_promise.h
+@@ -24,7 +24,7 @@ class LocalFrame;
+ class ExecutionContext;
+ 
+ class ClipboardPromise final : public GarbageCollected<ClipboardPromise>,
+-                               public ExecutionContextClient {
++                               public ExecutionContextLifecycleObserver {
+   USING_GARBAGE_COLLECTED_MIXIN(ClipboardPromise);
+ 
+  public:
+@@ -74,6 +74,9 @@ class ClipboardPromise final : public GarbageCollected<ClipboardPromise>,
+   LocalFrame* GetLocalFrame() const;
+   scoped_refptr<base::SingleThreadTaskRunner> GetTaskRunner();
+ 
++  // ExecutionContextLifecycleObserver
++  void ContextDestroyed() override;
++
+   Member<ScriptState> script_state_;
+   Member<ScriptPromiseResolver> script_promise_resolver_;
+ 
+diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc b/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc
+index 625934d39c613f2fce0f6a55b15f8e4a8ca604b6..7ae1f48e9dd9dac609b263462eeb15d30452ac2b 100644
+--- a/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc
++++ b/third_party/blink/renderer/modules/clipboard/clipboard_writer.cc
+@@ -181,9 +181,12 @@ ClipboardWriter::ClipboardWriter(SystemClipboard* system_clipboard,
+       file_reading_task_runner_(promise->GetExecutionContext()->GetTaskRunner(
+           TaskType::kFileReading)),
+       system_clipboard_(system_clipboard),
+-      raw_system_clipboard_(raw_system_clipboard) {}
++      raw_system_clipboard_(raw_system_clipboard),
++      self_keep_alive_(PERSISTENT_FROM_HERE, this) {}
+ 
+-ClipboardWriter::~ClipboardWriter() = default;
++ClipboardWriter::~ClipboardWriter() {
++  DCHECK(!file_reader_);
++}
+ 
+ // static
+ bool ClipboardWriter::IsValidType(const String& type) {
+@@ -209,7 +212,9 @@ void ClipboardWriter::DidFinishLoading() {
+   DCHECK_CALLED_ON_VALID_SEQUENCE(sequence_checker_);
+   DOMArrayBuffer* array_buffer = file_reader_->ArrayBufferResult();
+   DCHECK(array_buffer);
++
+   file_reader_.reset();
++  self_keep_alive_.Clear();
+ 
+   worker_pool::PostTask(
+       FROM_HERE, CrossThreadBindOnce(&ClipboardWriter::DecodeOnBackgroundThread,
+@@ -219,6 +224,8 @@ void ClipboardWriter::DidFinishLoading() {
+ }
+ 
+ void ClipboardWriter::DidFail(FileErrorCode error_code) {
++  file_reader_.reset();
++  self_keep_alive_.Clear();
+   promise_->RejectFromReadOrDecodeFailure();
+ }
+ 
+diff --git a/third_party/blink/renderer/modules/clipboard/clipboard_writer.h b/third_party/blink/renderer/modules/clipboard/clipboard_writer.h
+index 45eb4bd91c0b7db4fc3648518e62f4071945a9e7..5241032714512405aaa0135ffa081ea4fa702851 100644
+--- a/third_party/blink/renderer/modules/clipboard/clipboard_writer.h
++++ b/third_party/blink/renderer/modules/clipboard/clipboard_writer.h
+@@ -10,6 +10,7 @@
+ #include "third_party/blink/renderer/core/fileapi/blob.h"
+ #include "third_party/blink/renderer/core/fileapi/file_reader_loader_client.h"
+ #include "third_party/blink/renderer/platform/heap/heap.h"
++#include "third_party/blink/renderer/platform/heap/self_keep_alive.h"
+ #include "third_party/skia/include/core/SkImage.h"
+ 
+ namespace blink {
+@@ -27,6 +28,11 @@ class RawSystemClipboard;
+ // (2) Decoding the blob's contents to avoid RCE in native applications that may
+ //     take advantage of vulnerabilities in their decoders.
+ // (3) Writing the blob's decoded contents to the system clipboard.
++//
++// ClipboardWriter is owned only by itself and ClipboardPromise. It keeps
++// itself alive for the duration of FileReaderLoader's async operations using
++// SelfKeepAlive, and keeps itself alive afterwards during cross-thread
++// operations by using WrapCrossThreadPersistent.
+ class ClipboardWriter : public GarbageCollected<ClipboardWriter>,
+                         public FileReaderLoaderClient {
+  public:
+@@ -80,6 +86,10 @@ class ClipboardWriter : public GarbageCollected<ClipboardWriter>,
+   Member<SystemClipboard> system_clipboard_;
+   // Access to the global unsanitized system clipboard.
+   Member<RawSystemClipboard> raw_system_clipboard_;
++
++  // Oilpan: ClipboardWriter must remain alive until Member<T>::Clear() is
++  // called, to keep the FileReaderLoader alive and avoid unexpected UaPs.
++  SelfKeepAlive<ClipboardWriter> self_keep_alive_;
+ };
+ 
+ }  // namespace blink
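Review bot: In `ClipboardWriter::DidFail` the new `self_keep_alive_.Clear();` line runs before `promise_->RejectFromReadOrDecodeFailure();`, so the writer drops its own keep-alive and then touches a member of the same object; this appears safe only because Oilpan collects at safe points (and the stack is scanned conservatively), which nothing in the patch states. A one-line comment above the Clear() would make the ordering deliberate, e.g. `// Safe to release the keep-alive first: Oilpan will not collect until the next safe point.`, and the same applies to the Clear() in DidFinishLoading. Separately, `~ClipboardWriter` now has `DCHECK(!file_reader_)`, while `ClipboardPromise::ContextDestroyed` only clears `clipboard_writer_` and does not cancel an in-flight `file_reader_`; presumably the writer outlives the promise via self_keep_alive_ until the loader calls back, so the DCHECK holds, but a comment in ContextDestroyed such as `// The writer stays alive through its SelfKeepAlive until FileReaderLoader completes or fails.` would record that assumption. The bodies of DidFinishLoading and the ClipboardWriter constructor continue outside the hunk.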

+ 23 - 0
patches/chromium/backport_1151865.patch

@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrey Belenko <[email protected]>
+Date: Thu, 10 Dec 2020 22:16:52 +0100
+Subject: Chromium backport: crbug.com/1151865
+
+M87-1
+Reject mojom::DataElement serialization if array size read failed
+https://chromium-review.googlesource.com/c/chromium/src/+/2567130
+CVE-2020-16041
+
+diff --git a/services/network/public/cpp/url_request_mojom_traits.cc b/services/network/public/cpp/url_request_mojom_traits.cc
+index 022fdd9ee17e64b9819ed4fb1c1af80a02566360..f3edb5f1a0ff0492800de551483a7720955d7f55 100644
+--- a/services/network/public/cpp/url_request_mojom_traits.cc
++++ b/services/network/public/cpp/url_request_mojom_traits.cc
+@@ -255,6 +255,8 @@ bool StructTraits<network::mojom::DataElementDataView, network::DataElement>::
+   if (data.type() == network::mojom::DataElementType::kBytes) {
+     if (!data.ReadBuf(&out->buf_))
+       return false;
++    if (data.length() != out->buf_.size())
++      return false;
+   }
+   out->type_ = data.type();
+   out->data_pipe_getter_ = data.TakeDataPipeGetter<
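Review bot: The added `if (data.length() != out->buf_.size()) return false;` carries no comment, and since this runs on a deserialized (untrusted) mojom message, the next reader cannot tell from the code why a mismatch must fail the whole read rather than be clamped. A comment above the check would help, e.g. `// The element length is attacker-controlled; it must match the bytes actually read, otherwise later code would trust a length larger than buf_.` The check is only applied inside the kBytes branch; whether other element types need a corresponding length validation cannot be judged from this hunk. The StructTraits::Read function both begins and ends outside the hunk.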

+ 1 - 0
patches/v8/.patches

@@ -19,3 +19,4 @@ cherry-pick-815b12dfb5ec.patch
 cherry-pick-8c725f7b5bbf.patch
 cherry-pick-146bd99e762b.patch
 cherry-pick-290fe9c6e245.patch
+backport_1151890.patch

+ 23 - 0
patches/v8/backport_1151890.patch

@@ -0,0 +1,23 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Andrey Belenko <[email protected]>
+Date: Thu, 10 Dec 2020 22:09:07 +0100
+Subject: Chromium backport: crbug.com/1151890
+
+M87-1
+Fix possibly-uninitialized leading digit on right shift
+https://chromium-review.googlesource.com/c/v8/v8/+/2565245
+CVE-2020-16042
+
+diff --git a/src/objects/bigint.cc b/src/objects/bigint.cc
+index dfc302e77c894519d647e005e02d74764d6b6b6a..3a9e169757526dd65161f50c10ca1d4bdea62767 100644
+--- a/src/objects/bigint.cc
++++ b/src/objects/bigint.cc
+@@ -1862,6 +1862,8 @@ Handle<BigInt> MutableBigInt::RightShiftByAbsolute(Isolate* isolate,
+   DCHECK_LE(result_length, length);
+   Handle<MutableBigInt> result = New(isolate, result_length).ToHandleChecked();
+   if (bits_shift == 0) {
++    // Zero out any overflow digit (see "rounding_can_overflow" above).
++    result->set_digit(result_length - 1, 0);
+     for (int i = digit_shift; i < length; i++) {
+       result->set_digit(i - digit_shift, x->digit(i));
+     }
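Review bot: The new `result->set_digit(result_length - 1, 0);` only guards the `bits_shift == 0` branch; the `else` branch of RightShiftByAbsolute is outside the hunk, so it cannot be confirmed here that the top digit is initialized on that path as well, and it is worth checking. The comment points at "rounding_can_overflow" above, which is also outside the hunk; a more self-contained comment would spare the reader the lookup, e.g. `// When rounding can overflow, result_length is one digit longer than the loop below writes, so the top digit must be zeroed explicitly.` (hedged: the exact relationship between result_length and length - digit_shift is not visible in this hunk). The function continues past the end of the hunk.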