From 74d2d301b11f2edfde69f0515e2fd74882ab6dab Mon Sep 17 00:00:00 2001 From: Allan Sandfeld Jensen Date: Wed, 13 Feb 2019 13:03:23 +0100 Subject: Update Chromium MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Changes: 5c76f0592d0e [Backport] Fix for CVE-2019-5776 8b78be4530ae [Backport] Fix for CVE-2019-5775 and CVE-2019-5777 297b64d3d7d7 [Backport] Fix for CVE-2019-5779 42b4075a690d [Backport] Fix for CVE-2019-5783 5ee5529dea3a [Backport] Fix for CVE-2019-5781 5bebe28ae4d0 [Backport] Fix for security issue 912508 48192fb6548b [Backport] Update sqlite 3709910608cd [Backport] Fix for security issue 908358 Task-number: QTBUG-73417 Change-Id: If451e38f04bc4df90230acd51192a38c184df304 Reviewed-by: Michael Brüning --- src/3rdparty | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'src') diff --git a/src/3rdparty b/src/3rdparty index 7b5e48775..370991060 160000 --- a/src/3rdparty +++ b/src/3rdparty @@ -1 +1 @@ -Subproject commit 7b5e48775b3ac89f49d4b0f74b7db03540cc212b +Subproject commit 3709910608cd43db9272312e7ae8ca817b4a9b63 -- cgit v1.2.3 From 0f2fe6447aa057587b08584a43767447e04982d9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?J=C3=BCri=20Valdmann?= Date: Thu, 14 Feb 2019 10:42:04 +0100 Subject: Fix crash in tst_Spellchecking::spellcheck The test tst_Spellchecking::spellcheck crashes when run with QT_LOGGING_RULES=qt.accessibility.cache.debug=true which triggers debug output from QAccessible::registerAccessibleInterface and QAccessible::deleteAccessibleInterface These functions are called during the construction/destruction of BrowserAccessibilityQt. The problem is that BrowserAccessibilityQt is not necessarily in a valid state at these times: BrowserAccessibilityQt relies on it's manager to be *fully* initialized yet BrowserAccessibilityQt may be constructed/destructed *during* the managers construction/destruction. The solution is to override QAccessibleInterface::isValid to return true only if the manager is in a valid state too. This disables the debug output and avoids the crash. Fixes: QTBUG-72878 Change-Id: Icffe4e503145133c24535fb094bbcb606568e57c Reviewed-by: Allan Sandfeld Jensen Reviewed-by: Peter Varga --- src/core/browser_accessibility_manager_qt.cpp | 6 ++++++ src/core/browser_accessibility_manager_qt.h | 3 +++ src/core/browser_accessibility_qt.cpp | 3 ++- 3 files changed, 11 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/core/browser_accessibility_manager_qt.cpp b/src/core/browser_accessibility_manager_qt.cpp index 644a0a9f0..7fb1386c5 100644 --- a/src/core/browser_accessibility_manager_qt.cpp +++ b/src/core/browser_accessibility_manager_qt.cpp @@ -76,6 +76,12 @@ BrowserAccessibilityManagerQt::BrowserAccessibilityManagerQt( , m_parentObject(parentObject) { Initialize(initialTree); + m_valid = true; // BrowserAccessibilityQt can start using the AXTree +} + +BrowserAccessibilityManagerQt::~BrowserAccessibilityManagerQt() +{ + m_valid = false; // BrowserAccessibilityQt should stop using the AXTree } QAccessibleInterface *BrowserAccessibilityManagerQt::rootParentAccessible() diff --git a/src/core/browser_accessibility_manager_qt.h b/src/core/browser_accessibility_manager_qt.h index a2d6db458..87c8875ba 100644 --- a/src/core/browser_accessibility_manager_qt.h +++ b/src/core/browser_accessibility_manager_qt.h @@ -57,14 +57,17 @@ public: const ui::AXTreeUpdate& initialTree, BrowserAccessibilityDelegate* delegate, BrowserAccessibilityFactory* factory = new BrowserAccessibilityFactory()); + ~BrowserAccessibilityManagerQt() override; void FireBlinkEvent(ax::mojom::Event event_type, BrowserAccessibility* node) override; QAccessibleInterface *rootParentAccessible(); + bool isValid() const { return m_valid; } private: Q_DISABLE_COPY(BrowserAccessibilityManagerQt) QObject *m_parentObject; + bool m_valid = false; }; } diff --git a/src/core/browser_accessibility_qt.cpp b/src/core/browser_accessibility_qt.cpp index a672ccc06..29fbbc542 100644 --- a/src/core/browser_accessibility_qt.cpp +++ b/src/core/browser_accessibility_qt.cpp @@ -68,7 +68,8 @@ BrowserAccessibilityQt::BrowserAccessibilityQt() bool BrowserAccessibilityQt::isValid() const { - return true; + auto managerQt = static_cast(manager_); + return managerQt && managerQt->isValid(); } QObject *BrowserAccessibilityQt::object() const -- cgit v1.2.3 From c8dcc8cffa82c482734bcafce64496840c1e4988 Mon Sep 17 00:00:00 2001 From: Kirill Burtsev Date: Tue, 5 Feb 2019 15:48:13 +0100 Subject: Doc: Fix type of WebEngineDownloadItem::view property MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change-Id: I46fc228d99ad6d89d6f2a79a7f3c3352befe0a64 Reviewed-by: Leena Miettinen Reviewed-by: Jüri Valdmann --- src/webengine/api/qquickwebenginedownloaditem.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/webengine/api/qquickwebenginedownloaditem.cpp b/src/webengine/api/qquickwebenginedownloaditem.cpp index a80f163d5..b69e6b7da 100644 --- a/src/webengine/api/qquickwebenginedownloaditem.cpp +++ b/src/webengine/api/qquickwebenginedownloaditem.cpp @@ -593,12 +593,14 @@ bool QQuickWebEngineDownloadItem::isPaused() const } /*! - \qmlproperty bool WebEngineDownloadItem::view + \qmlproperty WebEngineView WebEngineDownloadItem::view \readonly \since QtWebEngine 1.8 Returns the view the download was requested on. If the download was not triggered by content in a view, \c nullptr is returned. + + \sa WebEngineView */ QQuickWebEngineView *QQuickWebEngineDownloadItem::view() const { -- cgit v1.2.3 From 755f7e414583c5458c2d421d047a1c7890c8d8d2 Mon Sep 17 00:00:00 2001 From: Kirill Burtsev Date: Mon, 11 Feb 2019 19:13:01 +0100 Subject: Set download state to finished when cancelling or destroying the download item MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Task-number: QTBUG-73839 Change-Id: Ieebaa802bdfe0c410618e4213a9bedbbae9d0f61 Reviewed-by: Michael Brüning Reviewed-by: Jüri Valdmann --- src/webengine/api/qquickwebenginedownloaditem.cpp | 20 ++++++++++++++++---- src/webengine/api/qquickwebenginedownloaditem_p_p.h | 1 + src/webenginewidgets/api/qwebenginedownloaditem.cpp | 19 ++++++++++++++----- src/webenginewidgets/api/qwebenginedownloaditem_p.h | 4 +++- 4 files changed, 34 insertions(+), 10 deletions(-) (limited to 'src') diff --git a/src/webengine/api/qquickwebenginedownloaditem.cpp b/src/webengine/api/qquickwebenginedownloaditem.cpp index b69e6b7da..7d1382876 100644 --- a/src/webengine/api/qquickwebenginedownloaditem.cpp +++ b/src/webengine/api/qquickwebenginedownloaditem.cpp @@ -185,10 +185,8 @@ void QQuickWebEngineDownloadItemPrivate::update(const ProfileAdapterClient::Down Q_EMIT q->totalBytesChanged(); } - if (info.done != downloadFinished) { - downloadFinished = info.done; - Q_EMIT q->isFinishedChanged(); - } + if (info.done) + setFinished(); if (info.paused != downloadPaused) { downloadPaused = info.paused; @@ -206,6 +204,17 @@ void QQuickWebEngineDownloadItemPrivate::updateState(QQuickWebEngineDownloadItem } } +void QQuickWebEngineDownloadItemPrivate::setFinished() +{ + Q_Q(QQuickWebEngineDownloadItem); + + if (downloadFinished) + return; + + downloadFinished = true; + Q_EMIT q->isFinishedChanged(); +} + /*! \qmlmethod void WebEngineDownloadItem::accept() @@ -255,6 +264,7 @@ void QQuickWebEngineDownloadItem::cancel() return; d->updateState(QQuickWebEngineDownloadItem::DownloadCancelled); + d->setFinished(); // We directly cancel the download if the user cancels before // it even started, so no need to notify the profile here. @@ -617,6 +627,8 @@ QQuickWebEngineDownloadItem::QQuickWebEngineDownloadItem(QQuickWebEngineDownload QQuickWebEngineDownloadItem::~QQuickWebEngineDownloadItem() { + if (!isFinished()) + cancel(); if (d_ptr->profile) d_ptr->profile->d_ptr->profileAdapter()->removeDownload(d_ptr->downloadId); } diff --git a/src/webengine/api/qquickwebenginedownloaditem_p_p.h b/src/webengine/api/qquickwebenginedownloaditem_p_p.h index 4b89335bd..f444c04a5 100644 --- a/src/webengine/api/qquickwebenginedownloaditem_p_p.h +++ b/src/webengine/api/qquickwebenginedownloaditem_p_p.h @@ -85,6 +85,7 @@ public: void update(const QtWebEngineCore::ProfileAdapterClient::DownloadItemInfo &info); void updateState(QQuickWebEngineDownloadItem::DownloadState newState); + void setFinished(); }; QT_END_NAMESPACE diff --git a/src/webenginewidgets/api/qwebenginedownloaditem.cpp b/src/webenginewidgets/api/qwebenginedownloaditem.cpp index 55d4fcca8..f0f0958a5 100644 --- a/src/webenginewidgets/api/qwebenginedownloaditem.cpp +++ b/src/webenginewidgets/api/qwebenginedownloaditem.cpp @@ -197,11 +197,8 @@ void QWebEngineDownloadItemPrivate::update(const ProfileAdapterClient::DownloadI Q_EMIT q->downloadProgress(receivedBytes, totalBytes); } - if (info.done != downloadFinished) { - downloadFinished = info.done; - if (downloadFinished) - Q_EMIT q->finished(); - } + if (info.done) + setFinished(); if (downloadPaused != info.paused) { downloadPaused = info.paused; @@ -209,6 +206,15 @@ void QWebEngineDownloadItemPrivate::update(const ProfileAdapterClient::DownloadI } } +void QWebEngineDownloadItemPrivate::setFinished() +{ + if (downloadFinished) + return; + + downloadFinished = true; + Q_EMIT q_ptr->finished(); +} + /*! Accepts the current download request, which will start the download. @@ -262,6 +268,7 @@ void QWebEngineDownloadItem::cancel() } else { d->downloadState = QWebEngineDownloadItem::DownloadCancelled; Q_EMIT stateChanged(d->downloadState); + d->setFinished(); } } @@ -653,6 +660,8 @@ QWebEngineDownloadItem::QWebEngineDownloadItem(QWebEngineDownloadItemPrivate *p, */ QWebEngineDownloadItem::~QWebEngineDownloadItem() { + if (!isFinished()) + cancel(); if (auto profileAdapter = d_ptr->profile->profileAdapter()) profileAdapter->removeDownload(d_ptr->downloadId); } diff --git a/src/webenginewidgets/api/qwebenginedownloaditem_p.h b/src/webenginewidgets/api/qwebenginedownloaditem_p.h index bdcda5be6..b3bc8a3fe 100644 --- a/src/webenginewidgets/api/qwebenginedownloaditem_p.h +++ b/src/webenginewidgets/api/qwebenginedownloaditem_p.h @@ -53,7 +53,7 @@ #include "qtwebenginewidgetsglobal.h" -#include "qwebenginedownloaditem_p.h" +#include "qwebenginedownloaditem.h" #include "qwebengineprofile_p.h" #include @@ -84,6 +84,8 @@ public: QWebEnginePage *page; void update(const QtWebEngineCore::ProfileAdapterClient::DownloadItemInfo &info); + + void setFinished(); }; QT_END_NAMESPACE -- cgit v1.2.3 From 7537526093c92e89672d1e952a9baceecaa91730 Mon Sep 17 00:00:00 2001 From: Kirill Burtsev Date: Mon, 11 Feb 2019 19:21:03 +0100 Subject: Remove download properly on profile destruction to avoid use after free MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit In the Widgets API, download items are children of the profile and are destroyed when the parent profile destroys its children. The download item's destructor can therefore not access the profile, as it would cause a heap-use-after-free crashes. On quick side turn ongoing downloads cleanup to match widgets one. Fixes: QTBUG-73839 Change-Id: Iabb379e91187e3e68ebcd4693fec35883b72b1f2 Reviewed-by: Michael Brüning Reviewed-by: Jüri Valdmann --- src/webengine/api/qquickwebenginedownloaditem.cpp | 2 -- src/webengine/api/qquickwebengineprofile.cpp | 28 +++++++++++++------- src/webengine/api/qquickwebengineprofile_p.h | 4 ++- .../api/qwebenginedownloaditem.cpp | 4 +-- src/webenginewidgets/api/qwebengineprofile.cpp | 30 ++++++++++++++-------- src/webenginewidgets/api/qwebengineprofile_p.h | 2 ++ 6 files changed, 45 insertions(+), 25 deletions(-) (limited to 'src') diff --git a/src/webengine/api/qquickwebenginedownloaditem.cpp b/src/webengine/api/qquickwebenginedownloaditem.cpp index 7d1382876..981d11633 100644 --- a/src/webengine/api/qquickwebenginedownloaditem.cpp +++ b/src/webengine/api/qquickwebenginedownloaditem.cpp @@ -629,8 +629,6 @@ QQuickWebEngineDownloadItem::~QQuickWebEngineDownloadItem() { if (!isFinished()) cancel(); - if (d_ptr->profile) - d_ptr->profile->d_ptr->profileAdapter()->removeDownload(d_ptr->downloadId); } QT_END_NAMESPACE diff --git a/src/webengine/api/qquickwebengineprofile.cpp b/src/webengine/api/qquickwebengineprofile.cpp index ddc71602b..26fcf28f7 100644 --- a/src/webengine/api/qquickwebengineprofile.cpp +++ b/src/webengine/api/qquickwebengineprofile.cpp @@ -175,13 +175,6 @@ QQuickWebEngineProfilePrivate::~QQuickWebEngineProfilePrivate() m_profileAdapter->removeClient(this); } - for (QQuickWebEngineDownloadItem *download : qAsConst(m_ongoingDownloads)) { - if (download) - download->cancel(); - } - - m_ongoingDownloads.clear(); - if (m_profileAdapter != QtWebEngineCore::ProfileAdapter::defaultProfileAdapter()) delete m_profileAdapter; } @@ -215,6 +208,23 @@ void QQuickWebEngineProfilePrivate::cancelDownload(quint32 downloadId) void QQuickWebEngineProfilePrivate::downloadDestroyed(quint32 downloadId) { m_ongoingDownloads.remove(downloadId); + if (m_profileAdapter) + m_profileAdapter->removeDownload(downloadId); +} + +void QQuickWebEngineProfilePrivate::cleanDownloads() +{ + for (auto download : m_ongoingDownloads.values()) { + if (!download) + continue; + + if (!download->isFinished()) + download->cancel(); + + if (m_profileAdapter) + m_profileAdapter->removeDownload(download->id()); + } + m_ongoingDownloads.clear(); } void QQuickWebEngineProfilePrivate::downloadRequested(DownloadItemInfo &info) @@ -239,6 +249,7 @@ void QQuickWebEngineProfilePrivate::downloadRequested(DownloadItemInfo &info) QQuickWebEngineDownloadItem *download = new QQuickWebEngineDownloadItem(itemPrivate, q); m_ongoingDownloads.insert(info.id, download); + QObject::connect(download, &QQuickWebEngineDownloadItem::destroyed, q, [id = info.id, this] () { downloadDestroyed(id); }); QQmlEngine::setObjectOwnership(download, QQmlEngine::JavaScriptOwnership); Q_EMIT q->downloadRequested(download); @@ -252,7 +263,6 @@ void QQuickWebEngineProfilePrivate::downloadRequested(DownloadItemInfo &info) if (state == QQuickWebEngineDownloadItem::DownloadRequested) { // Delete unaccepted downloads. info.accepted = false; - m_ongoingDownloads.remove(info.id); delete download; } } @@ -275,7 +285,6 @@ void QQuickWebEngineProfilePrivate::downloadUpdated(const DownloadItemInfo &info if (info.state != ProfileAdapterClient::DownloadInProgress) { Q_EMIT q->downloadFinished(download); - m_ongoingDownloads.remove(info.id); } } @@ -380,6 +389,7 @@ QQuickWebEngineProfile::QQuickWebEngineProfile(QQuickWebEngineProfilePrivate *pr */ QQuickWebEngineProfile::~QQuickWebEngineProfile() { + d_ptr->cleanDownloads(); } /*! diff --git a/src/webengine/api/qquickwebengineprofile_p.h b/src/webengine/api/qquickwebengineprofile_p.h index d31ded0ec..2b1a5b134 100644 --- a/src/webengine/api/qquickwebengineprofile_p.h +++ b/src/webengine/api/qquickwebengineprofile_p.h @@ -53,7 +53,7 @@ #include "profile_adapter_client.h" #include "profile_adapter.h" -#include "qquickwebengineprofile_p.h" +#include "qquickwebengineprofile.h" #include #include @@ -80,6 +80,8 @@ public: void cancelDownload(quint32 downloadId); void downloadDestroyed(quint32 downloadId); + void cleanDownloads(); + void downloadRequested(DownloadItemInfo &info) override; void downloadUpdated(const DownloadItemInfo &info) override; diff --git a/src/webenginewidgets/api/qwebenginedownloaditem.cpp b/src/webenginewidgets/api/qwebenginedownloaditem.cpp index f0f0958a5..deb92bfd3 100644 --- a/src/webenginewidgets/api/qwebenginedownloaditem.cpp +++ b/src/webenginewidgets/api/qwebenginedownloaditem.cpp @@ -660,10 +660,10 @@ QWebEngineDownloadItem::QWebEngineDownloadItem(QWebEngineDownloadItemPrivate *p, */ QWebEngineDownloadItem::~QWebEngineDownloadItem() { + // MEMO Items are owned by profile by default and will be destroyed on profile's destruction + // It's not safe to access profile in that case, so we rely on profile to clean up items if (!isFinished()) cancel(); - if (auto profileAdapter = d_ptr->profile->profileAdapter()) - profileAdapter->removeDownload(d_ptr->downloadId); } QT_END_NAMESPACE diff --git a/src/webenginewidgets/api/qwebengineprofile.cpp b/src/webenginewidgets/api/qwebengineprofile.cpp index 03ce5e0bc..0d12fdae1 100644 --- a/src/webenginewidgets/api/qwebengineprofile.cpp +++ b/src/webenginewidgets/api/qwebengineprofile.cpp @@ -175,13 +175,6 @@ QWebEngineProfilePrivate::~QWebEngineProfilePrivate() m_profileAdapter->removeClient(this); } - for (QWebEngineDownloadItem *download : qAsConst(m_ongoingDownloads)) { - if (download) - download->cancel(); - } - - m_ongoingDownloads.clear(); - if (m_profileAdapter != QtWebEngineCore::ProfileAdapter::defaultProfileAdapter()) delete m_profileAdapter; @@ -196,6 +189,23 @@ ProfileAdapter* QWebEngineProfilePrivate::profileAdapter() const void QWebEngineProfilePrivate::downloadDestroyed(quint32 downloadId) { m_ongoingDownloads.remove(downloadId); + if (m_profileAdapter) + m_profileAdapter->removeDownload(downloadId); +} + +void QWebEngineProfilePrivate::cleanDownloads() +{ + for (auto download : m_ongoingDownloads.values()) { + if (!download) + continue; + + if (!download->isFinished()) + download->cancel(); + + if (m_profileAdapter) + m_profileAdapter->removeDownload(download->id()); + } + m_ongoingDownloads.clear(); } void QWebEngineProfilePrivate::downloadRequested(DownloadItemInfo &info) @@ -219,6 +229,7 @@ void QWebEngineProfilePrivate::downloadRequested(DownloadItemInfo &info) QWebEngineDownloadItem *download = new QWebEngineDownloadItem(itemPrivate, q); m_ongoingDownloads.insert(info.id, download); + QObject::connect(download, &QWebEngineDownloadItem::destroyed, q, [id = info.id, this] () { downloadDestroyed(id); }); Q_EMIT q->downloadRequested(download); @@ -232,7 +243,6 @@ void QWebEngineProfilePrivate::downloadRequested(DownloadItemInfo &info) if (state == QWebEngineDownloadItem::DownloadRequested) { // Delete unaccepted downloads. info.accepted = false; - m_ongoingDownloads.remove(info.id); delete download; } } @@ -250,9 +260,6 @@ void QWebEngineProfilePrivate::downloadUpdated(const DownloadItemInfo &info) } download->d_func()->update(info); - - if (download->isFinished()) - m_ongoingDownloads.remove(info.id); } /*! @@ -301,6 +308,7 @@ QWebEngineProfile::QWebEngineProfile(QWebEngineProfilePrivate *privatePtr, QObje */ QWebEngineProfile::~QWebEngineProfile() { + d_ptr->cleanDownloads(); } /*! diff --git a/src/webenginewidgets/api/qwebengineprofile_p.h b/src/webenginewidgets/api/qwebengineprofile_p.h index 9ff8df849..4a76f457f 100644 --- a/src/webenginewidgets/api/qwebengineprofile_p.h +++ b/src/webenginewidgets/api/qwebengineprofile_p.h @@ -81,6 +81,8 @@ public: void downloadDestroyed(quint32 downloadId); + void cleanDownloads(); + void downloadRequested(DownloadItemInfo &info) override; void downloadUpdated(const DownloadItemInfo &info) override; -- cgit v1.2.3