
Update to 88.0.4324.182-1

extensions
wchen342 2 years ago
parent
commit
c403efd588
Signed by: wchen342 GPG Key ID: 9C19365D69B04CEC
  1. 16
      CHANGELOG.md
  2. 1
      README.md
  3. 6
      build.sh
  4. 251
      patches/Bromite/AImageReader-CFI-crash-mitigations.patch
  5. 2
      patches/Bromite/Remove-account-permissions-from-manifest.patch
  6. 2
      patches/Other/debug-fix.patch
  7. 6
      patches/Unobtainium/kill-GCM.patch
  8. 1
      patches/series
  9. 6
      patches/ungoogled-chromium-android/Enable-update-notification.patch
  10. 2
      patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.auth.patch
  11. 2
      patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.cast.patch
  12. 2
      patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.common-auth-signin-dynamic-com.google.android.gms.tasks.patch

16
CHANGELOG.md

@ -1,3 +1,19 @@
# 88.0.4324.182-1
* Upstream important security fix
<details>
<summary>CVE list</summary>
[1138143] High CVE-2021-21149: Stack overflow in Data Transfer.
[1172192] High CVE-2021-21150: Use after free in Downloads.
[1165624] High CVE-2021-21151: Use after free in Payments.
[1166504] High CVE-2021-21152: Heap buffer overflow in Media.
[1155974] High CVE-2021-21153: Stack overflow in GPU Process.
[1173269] High CVE-2021-21154: Heap buffer overflow in Tab Strip.
[1175500] High CVE-2021-21155: Heap buffer overflow in Tab Strip.
[1177341] High CVE-2021-21156: Heap buffer overflow in V8.
[1170657] Medium CVE-2021-21157: Use after free in Web Sockets.
</details>
# 88.0.4324.152-3
* Extension version only:
* Fix two bugs related to uninitialized web contents upon restoring the browser activity

1
README.md

@ -177,6 +177,7 @@ There are three methods to install extensions:
1. Download extension following the instructions [here](https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#downloading-the-crx-file).
1. Optionally, you can use a third-party website to download the `crx` file. However, do so at your own risk, as I will take *absolutely no* responsibility for problems caused by using a third party website or service.
2. Extract the `crx` file into a folder with`unzip`/`7z` and copy the folder to your device.
1. For an alternative way to extract the crx` file on device, see [this comment](https://github.com/ungoogled-software/ungoogled-chromium-android/issues/49#issuecomment-767683754).
3. **Notice for Android 10**: as a workaround for a [permission issue](https://github.com/wchen342/ungoogled-chromium-android/issues/27), you need to enable "Allow from unknown source" for "Ungoogled Chromium Extensions".
4. **Make sure you also give storage access**.
5. Open `chrome://extensions/` and enable Developer mode.

6
build.sh

@ -11,10 +11,10 @@ trichrome_chrome_apk_target=trichrome_library_apk
webview_target=system_webview_apk
trichrome_webview_target=trichrome_webview_apk
chromium_version=88.0.4324.152
ungoogled_chromium_version=88.0.4324.150
chromium_version=88.0.4324.182
ungoogled_chromium_version=88.0.4324.182
ungoogled_chromium_revision=1
ungoogled_chromium_android_revision=3
ungoogled_chromium_android_revision=1
# Show env
pwd

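--- a/patches/Bromite/AImageReader-CFI-crash-mitigations.patch
+++ b/patches/Bromite/AImageReader-CFI-crash-mitigations.patch
@@ -0,0 +1,251 @@
+From: csagan5 <[email protected]>
+Date: Tue, 5 May 2020 07:22:20 +0200
+Subject: AImageReader CFI crash mitigations
+Revert "gpu/android: Remove setup for disabling AImageReader."
+This reverts commit dcd5a39518246eb999f1cc63bf1ec95d93fd5b2f.
+Revert "Remove flags to enable/disable AImageReader."
+This reverts commit 463fa0f2e3b9e418bc26e2c8954463f0b0f76634.
+Disable AImageReader for ARM64/P and ARM64/Q
+Restore GPU bug blacklist for AImageReader on ARM and Qualcomm CPUs
+Restore the AImageReader blacklist for ARM/ARM64/Qualcomm chipsets which causes
+crashes on Android 9 and 10 (at different code locations).
+See discussions at:
+* https://github.com/bromite/bromite/issues/445
+* https://github.com/bromite/bromite/issues/814
+---
+base/android/android_image_reader_compat.cc | 8 +++++++-
+base/android/android_image_reader_compat.h | 4 ++++
+chrome/browser/flag-metadata.json | 2 +-
+gpu/config/gpu_driver_bug_list.json | 16 ++++++++++++++++
+gpu/config/gpu_finch_features.cc | 11 ++++++++++-
+gpu/config/gpu_finch_features.h | 1 +
+gpu/config/gpu_util.cc | 8 ++++++++
+gpu/config/gpu_workaround_list.txt | 1 +
+gpu/ipc/service/gpu_init.cc | 5 +++++
+gpu/ipc/service/stream_texture_android.cc | 11 ++++++++++-
+media/base/media_switches.cc | 4 ++++
+media/base/media_switches.h | 1 +
+12 files changed, 68 insertions(+), 4 deletions(-)
+--- a/base/android/android_image_reader_compat.cc
++++ b/base/android/android_image_reader_compat.cc
+@@ -23,6 +23,8 @@
+namespace base {
+namespace android {
++bool AndroidImageReader::disable_support_ = false;
++
+AndroidImageReader& AndroidImageReader::GetInstance() {
+// C++11 static local variable initialization is
+// thread-safe.
+@@ -30,8 +32,12 @@ AndroidImageReader& AndroidImageReader::
+return *instance;
+}
++void AndroidImageReader::DisableSupport() {
++ disable_support_ = true;
++}
++
+bool AndroidImageReader::IsSupported() {
+- return is_supported_;
++ return !disable_support_ && is_supported_;
+}
+AndroidImageReader::AndroidImageReader() : is_supported_(LoadFunctions()) {}
+--- a/base/android/android_image_reader_compat.h
++++ b/base/android/android_image_reader_compat.h
+@@ -22,6 +22,9 @@ class BASE_EXPORT AndroidImageReader {
+// Thread safe GetInstance.
+static AndroidImageReader& GetInstance();
++ // Disable image reader support.
++ static void DisableSupport();
++
+// Check if the image reader usage is supported. This function returns TRUE
+// if android version is >=OREO, image reader support is not disabled and all
+// the required functions are loaded.
+@@ -59,6 +62,7 @@ class BASE_EXPORT AndroidImageReader {
+jobject ANativeWindow_toSurface(JNIEnv* env, ANativeWindow* window);
+private:
++ static bool disable_support_;
+friend class base::NoDestructor<AndroidImageReader>;
+AndroidImageReader();
+--- a/chrome/browser/flag-metadata.json
++++ b/chrome/browser/flag-metadata.json
+@@ -1712,7 +1712,7 @@
+{
+"name": "enable-image-reader",
+"owners": [ "vikassoni", "khushalsagar" ],
+- "expiry_milestone": 90
++ "expiry_milestone": -1
+},
+{
+"name": "enable-immersive-fullscreen-toolbar",
+--- a/gpu/config/gpu_driver_bug_list.json
++++ b/gpu/config/gpu_driver_bug_list.json
+@@ -3255,6 +3255,22 @@
+]
+},
+{
++ "id":335,
++ "cr_bugs": [1051705],
++ "description": "Disable AImageReader on ARM GPUs",
++ "os": {
++ "type": "android",
++ "version": {
++ "op": "<",
++ "value": "10"
++ }
++ },
++ "gl_vendor": "ARM.*",
++ "features": [
++ "disable_aimagereader"
++ ]
++ },
++ {
+"id": 336,
+"cr_bugs": [625785],
+"description": "DXVA video decoder crashes on some AMD GPUs.",
+--- a/gpu/config/gpu_finch_features.cc
++++ b/gpu/config/gpu_finch_features.cc
+@@ -38,6 +38,11 @@ bool FieldIsInBlocklist(const char* curr
+} // namespace
+#if defined(OS_ANDROID)
++
++// Use android AImageReader when playing videos with MediaPlayer.
++const base::Feature kAImageReaderMediaPlayer{"AImageReaderMediaPlayer",
++ base::FEATURE_ENABLED_BY_DEFAULT};
++
+// Used to limit GL version to 2.0 for skia raster on Android.
+const base::Feature kUseGles2ForOopR{"UseGles2ForOopR",
+base::FEATURE_ENABLED_BY_DEFAULT};
+@@ -55,7 +60,11 @@ const base::FeatureParam<std::string> kA
+// Use AImageReader for MediaCodec and MediaPlyer on android.
+const base::Feature kAImageReader{"AImageReader",
+- base::FEATURE_ENABLED_BY_DEFAULT};
++#ifdef ARCH_CPU_ARM64
++ base::FEATURE_DISABLED_BY_DEFAULT};
++#else
++ base::FEATURE_ENABLED_BY_DEFAULT};
++#endif
+// If webview-draw-functor-uses-vulkan is set, use vulkan for composite and
+// raster.
+--- a/gpu/config/gpu_finch_features.h
++++ b/gpu/config/gpu_finch_features.h
+@@ -17,6 +17,7 @@ namespace features {
+// All features in alphabetical order. The features should be documented
+// alongside the definition of their values in the .cc file.
+#if defined(OS_ANDROID)
++GPU_EXPORT extern const base::Feature kAImageReaderMediaPlayer;
+GPU_EXPORT extern const base::Feature kUseGles2ForOopR;
+GPU_EXPORT extern const base::Feature kAndroidSurfaceControl;
+GPU_EXPORT extern const base::Feature kAImageReader;
+--- a/gpu/config/gpu_util.cc
++++ b/gpu/config/gpu_util.cc
+@@ -111,6 +111,9 @@ GpuFeatureStatus GetAndroidSurfaceContro
+#if !defined(OS_ANDROID)
+return kGpuFeatureStatusDisabled;
+#else
++ if (blocklisted_features.count(GPU_FEATURE_TYPE_ANDROID_SURFACE_CONTROL))
++ return kGpuFeatureStatusBlocklisted;
++
+if (!gpu_preferences.enable_android_surface_control)
+return kGpuFeatureStatusDisabled;
+@@ -327,6 +330,11 @@ void AdjustGpuFeatureStatusToWorkarounds
+gpu_feature_info->status_values[GPU_FEATURE_TYPE_ACCELERATED_WEBGL2] =
+kGpuFeatureStatusBlocklisted;
+}
++
++ if (gpu_feature_info->IsWorkaroundEnabled(DISABLE_AIMAGEREADER)) {
++ gpu_feature_info->status_values[GPU_FEATURE_TYPE_ANDROID_SURFACE_CONTROL] =
++ kGpuFeatureStatusBlocklisted;
++ }
+}
+// Estimates roughly user total disk space by counting in the drives where
+--- a/gpu/config/gpu_workaround_list.txt
++++ b/gpu/config/gpu_workaround_list.txt
+@@ -13,6 +13,7 @@ decode_encode_srgb_for_generatemipmap
+depth_stencil_renderbuffer_resize_emulation
+disable_2d_canvas_auto_flush
+disable_accelerated_av1_decode
++disable_aimagereader
+disable_accelerated_vp8_decode
+disable_accelerated_vp8_encode
+disable_accelerated_vp9_decode
+--- a/gpu/ipc/service/gpu_init.cc
++++ b/gpu/ipc/service/gpu_init.cc
+@@ -464,6 +464,11 @@ bool GpuInit::InitializeAndStartSandbox(
+}
+}
++ // Disable AImageReader if the workaround is enabled.
++ if (gpu_feature_info_.IsWorkaroundEnabled(DISABLE_AIMAGEREADER)) {
++ base::android::AndroidImageReader::DisableSupport();
++ }
++
+if (gpu_feature_info_.status_values[GPU_FEATURE_TYPE_VULKAN] !=
+kGpuFeatureStatusEnabled ||
+!InitializeVulkan()) {
+--- a/gpu/ipc/service/stream_texture_android.cc
++++ b/gpu/ipc/service/stream_texture_android.cc
+@@ -6,6 +6,7 @@
+#include <string.h>
++#include "base/android/android_image_reader_compat.h"
+#include "base/android/scoped_hardware_buffer_fence_sync.h"
+#include "base/bind.h"
+#include "base/feature_list.h"
+@@ -47,7 +48,15 @@ std::unique_ptr<ui::ScopedMakeCurrent> M
+}
+TextureOwner::Mode GetTextureOwnerMode() {
+- return features::IsAImageReaderEnabled()
++ const bool a_image_reader_supported =
++ base::android::AndroidImageReader::GetInstance().IsSupported();
++
++ // TODO(vikassoni) : Currently we have 2 different flags to enable/disable
++ // AImageReader - one for MCVD and other for MediaPlayer here. Merge those 2
++ // flags into a single flag. Keeping the 2 flags separate for now since finch
++ // experiment using this flag is in progress.
++ return a_image_reader_supported && features::IsAImageReaderEnabled() &&
++ base::FeatureList::IsEnabled(features::kAImageReaderMediaPlayer)
+? TextureOwner::Mode::kAImageReaderInsecure
+: TextureOwner::Mode::kSurfaceTextureInsecure;
+}
+--- a/media/base/media_switches.cc
++++ b/media/base/media_switches.cc
+@@ -575,6 +575,10 @@ const base::Feature kMediaDrmPreprovisio
+const base::Feature kMediaDrmPreprovisioningAtStartup{
+"MediaDrmPreprovisioningAtStartup", base::FEATURE_ENABLED_BY_DEFAULT};
++// Enables the Android Image Reader path for Video decoding(for AVDA and MCVD)
++const base::Feature kAImageReaderVideoOutput{"AImageReaderVideoOutput",
++ base::FEATURE_ENABLED_BY_DEFAULT};
++
+// Prevents using SurfaceLayer for videos. This is meant to be used by embedders
+// that cannot support SurfaceLayer at the moment.
+const base::Feature kDisableSurfaceLayerForVideo{
+--- a/media/base/media_switches.h
++++ b/media/base/media_switches.h
+@@ -194,6 +194,7 @@ MEDIA_EXPORT extern const base::Feature
+MEDIA_EXPORT extern const base::Feature kMediaDrmPersistentLicense;
+MEDIA_EXPORT extern const base::Feature kMediaDrmPreprovisioning;
+MEDIA_EXPORT extern const base::Feature kMediaDrmPreprovisioningAtStartup;
++MEDIA_EXPORT extern const base::Feature kAImageReaderVideoOutput;
+MEDIA_EXPORT extern const base::Feature kDisableSurfaceLayerForVideo;
+MEDIA_EXPORT extern const base::Feature kCanPlayHls;
+MEDIA_EXPORT extern const base::Feature kPictureInPictureAPI;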
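Review bot: `disable_support_` in android_image_reader_compat.cc is a plain `static bool` that `DisableSupport()` writes and `IsSupported()` reads with no synchronization, so the crash mitigation depends on a call order the patch never states. The only visible writer is the new block in `GpuInit::InitializeAndStartSandbox` (whose body continues outside the hunk), so a caller that queried `IsSupported()` before that point, or from another thread or process, may presumably still select the AImageReader path. I would declare the member as `static std::atomic<bool> disable_support_;` and extend the header comment to `// Disable image reader support. Process-local; must be called before the first IsSupported() query.`. Separately, the new driver-bug entry 335 only matches `gl_vendor` `ARM.*` on Android `< 10`, while the patch description names Qualcomm chipsets and Android 9 and 10; a comment stating that the remaining coverage relies on the `ARCH_CPU_ARM64` default in gpu_finch_features.cc would make that intent checkable.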

2
patches/Bromite/Remove-account-permissions-from-manifest.patch

@ -43,7 +43,7 @@ Subject: Remove all sync and account permissions/features from manifest
{% block extra_uses_permissions %}
{% endblock %}
@@ -884,16 +876,6 @@ by a child template that "extends" this
@@ -874,16 +866,6 @@ by a child template that "extends" this
android:resource="@xml/file_paths" />
</provider>

2
patches/Other/debug-fix.patch

@ -154,7 +154,7 @@ Subject: Remove DCHECK and other lines causing Debug builds to fail
for (ShortcutMap::const_iterator it(
--- a/components/omnibox/browser/autocomplete_controller.cc
+++ b/components/omnibox/browser/autocomplete_controller.cc
@@ -727,9 +727,6 @@ void AutocompleteController::UpdateResul
@@ -716,9 +716,6 @@ void AutocompleteController::UpdateResul
// Need to validate before invoking CopyOldMatches as the old matches are not
// valid against the current input.

6
patches/Unobtainium/kill-GCM.patch

@ -36,7 +36,7 @@ Subject: kill GCM
"java/src/org/chromium/chrome/browser/ChromeBackupAgentImpl.java",
"java/src/org/chromium/chrome/browser/ChromeBackupWatcher.java",
"java/src/org/chromium/chrome/browser/ChromeBaseAppCompatActivity.java",
@@ -1343,10 +1342,6 @@ chrome_java_sources = [
@@ -1344,10 +1343,6 @@ chrome_java_sources = [
"java/src/org/chromium/chrome/browser/send_tab_to_self/SendTabToSelfShareActivity.java",
"java/src/org/chromium/chrome/browser/services/AccountsChangedReceiver.java",
"java/src/org/chromium/chrome/browser/services/AndroidChildAccountHelper.java",
@ -73,7 +73,7 @@ Subject: kill GCM
<uses-permission android:name="com.android.launcher.permission.INSTALL_SHORTCUT"/>
<uses-permission android:name="com.google.android.apps.now.CURRENT_ACCOUNT_ACCESS" />
@@ -989,36 +984,6 @@ by a child template that "extends" this
@@ -979,36 +974,6 @@ by a child template that "extends" this
android:configChanges="orientation|keyboardHidden|keyboard|screenSize|mcc|mnc|screenLayout|smallestScreenSize"
android:hardwareAccelerated="false" />
@ -110,7 +110,7 @@ Subject: kill GCM
<!-- Android Notification service listener -->
<service android:name="org.chromium.chrome.browser.notifications.NotificationService"
android:exported="false"/>
@@ -1042,28 +1007,10 @@ by a child template that "extends" this
@@ -1032,28 +997,10 @@ by a child template that "extends" this
android:exported="false"
android:permission="android.permission.BIND_JOB_SERVICE"/>

1
patches/series

@ -50,3 +50,4 @@ Bromite/Revert-flags-remove-disable-pull-to-refresh-effect.patch
Bromite/updater-disable-updater-pings.patch
Bromite/Add-bookmark-import-export-actions.patch
Bromite/Disable-DRM-media-origin-IDs-preprovisioning.patch
Bromite/AImageReader-CFI-crash-mitigations.patch

6
patches/ungoogled-chromium-android/Enable-update-notification.patch

@ -261,7 +261,7 @@
"java/src/org/chromium/chrome/browser/download/DownloadActivity.java",
"java/src/org/chromium/chrome/browser/download/DownloadBroadcastManagerImpl.java",
"java/src/org/chromium/chrome/browser/download/DownloadController.java",
@@ -1071,6 +1072,7 @@ chrome_java_sources = [
@@ -1072,6 +1073,7 @@ chrome_java_sources = [
"java/src/org/chromium/chrome/browser/omaha/inline/InlineUpdateController.java",
"java/src/org/chromium/chrome/browser/omaha/inline/InlineUpdateControllerFactory.java",
"java/src/org/chromium/chrome/browser/omaha/inline/NoopInlineUpdateController.java",
@ -396,7 +396,7 @@
}
--- a/chrome/browser/flags/android/chrome_feature_list.cc
+++ b/chrome/browser/flags/android/chrome_feature_list.cc
@@ -523,6 +523,7 @@ const base::Feature kIncognitoScreenshot
@@ -526,6 +526,7 @@ const base::Feature kIncognitoScreenshot
const base::Feature kInlineUpdateFlow{"InlineUpdateFlow",
base::FEATURE_DISABLED_BY_DEFAULT};
@ -426,7 +426,7 @@
return std::make_unique<UpdateNotificationConfig>();
--- a/chrome/android/java/AndroidManifest.xml
+++ b/chrome/android/java/AndroidManifest.xml
@@ -1087,7 +1087,7 @@ by a child template that "extends" this
@@ -1077,7 +1077,7 @@ by a child template that "extends" this
<service android:name="org.chromium.chrome.browser.tracing.TracingNotificationService"
android:exported="false"/>

2
patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.auth.patch

@ -460,7 +460,7 @@ Subject: Remove dependency on com.google.android.gms.auth
}
--- a/content/test/BUILD.gn
+++ b/content/test/BUILD.gn
@@ -2608,7 +2608,6 @@ if (is_android) {
@@ -2609,7 +2609,6 @@ if (is_android) {
testonly = true
sources = content_java_sources_needing_jni
deps = [

2
patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.cast.patch

@ -1421,7 +1421,7 @@ Subject: Remove dependency on com.google.android.gms.cast
<!-- This activity is used to restart the main Chrome process. Should never be exported. -->
<activity android:name="org.chromium.chrome.browser.BrowserRestartActivity"
android:launchMode="singleInstance"
@@ -1207,12 +1197,6 @@ by a child template that "extends" this
@@ -1197,12 +1187,6 @@ by a child template that "extends" this
<meta-data android:name="com.google.ar.core" android:value="optional" />
{% endif %}

2
patches/ungoogled-chromium-android/Remove-dependency-on-com.google.android.gms.common-auth-signin-dynamic-com.google.android.gms.tasks.patch

@ -504,7 +504,7 @@ Subject: Remove dependency on
"//components/download/public/common:public_java",
--- a/content/test/BUILD.gn
+++ b/content/test/BUILD.gn
@@ -2608,9 +2608,6 @@ if (is_android) {
@@ -2609,9 +2609,6 @@ if (is_android) {
testonly = true
sources = content_java_sources_needing_jni
deps = [
