.circleci/config/base.yml

@@ -243,14 +243,27 @@ step-depot-tools-get: &step-depot-tools-get
         sed -i '/ninjalog_uploader_wrapper.py/d' ./depot_tools/autoninja
         # Remove swift-format dep from cipd on macOS until we send a patch upstream.
         cd depot_tools
-        patch gclient.py -R \<<'EOF'
-      676,677c676
-      <         packages = dep_value.get('packages', [])
-      <         for package in (x for x in packages if "infra/3pp/tools/swift-format" not in x.get('package')):
-      ---
-      >         for package in dep_value.get('packages', []):
+        cat > gclient.diff \<< 'EOF'
+      diff --git a/gclient.py b/gclient.py
+      index 3a9c5c6..f222043 100755
+      --- a/gclient.py
+      +++ b/gclient.py
+      @@ -712,7 +712,8 @@ class Dependency(gclient_utils.WorkItem, DependencySettings):
+      
+             if dep_type == 'cipd':
+               cipd_root = self.GetCipdRoot()
+      -        for package in dep_value.get('packages', []):
+      +        packages = dep_value.get('packages', [])
+      +        for package in (x for x in packages if "infra/3pp/tools/swift-format" not in x.get('package')):
+                 deps_to_add.append(
+                     CipdDependency(
+                         parent=self,
       EOF
+        git apply --3way gclient.diff
       fi
+      # Ensure depot_tools does not update.
+      test -d depot_tools && cd depot_tools
+      touch .disable_auto_update
 
 step-depot-tools-add-to-path: &step-depot-tools-add-to-path
   run:

patches/chromium/.patches

@@ -158,3 +158,4 @@ cherry-pick-f098ff0d1230.patch
 cherry-pick-f58218891f8c.patch
 wayland_ensure_dnd_buffer_size_is_a_multiple_of_scale.patch
 m112_cherry_pick_libxml_cve_fix.patch
+m112_fix_scopedobservation_uaf_in.patch

patches/chromium/m112_fix_scopedobservation_uaf_in.patch

@@ -0,0 +1,43 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keren Zhu <kerenzhu@chromium.org>
+Date: Mon, 24 Apr 2023 15:36:21 +0000
+Subject: Fix ScopedObservation UaF in
+ BubbleDialogDelegate::AnchorWidgetObserver
+
+A ScopedObservation can outlive the aura::Window it observes, leading to
+a use-after-free error in ~ScopedObservation(). The problem occurs in
+BubbleDialogDelegate::AnchorWidgetObserver. This fix listens for
+OnWindowDestroying() and resets the observation to prevent the UaF.
+
+(cherry picked from commit 72bd6a1018548ee63a2ec06d6c7714d3a8cdf8a8)
+
+Bug: 1423360
+Change-Id: I742b4624b2664dea3fd97db7b399fcd15e45c8fe
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4455016
+Code-Coverage: Findit <findit-for-me@appspot.gserviceaccount.com>
+Reviewed-by: Elly Fong-Jones <ellyjones@chromium.org>
+Commit-Queue: Keren Zhu <kerenzhu@chromium.org>
+Cr-Original-Commit-Position: refs/heads/main@{#1133511}
+Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/4466947
+Reviewed-by: Allen Bauer <kylixrd@chromium.org>
+Cr-Commit-Position: refs/branch-heads/5615@{#1353}
+Cr-Branched-From: 9c6408ef696e83a9936b82bbead3d41c93c82ee4-refs/heads/main@{#1109224}
+
+diff --git a/ui/views/bubble/bubble_dialog_delegate_view.cc b/ui/views/bubble/bubble_dialog_delegate_view.cc
+index 2a84e8f5a7078e76dd40208c0265df3db06a7621..ad7f33ebcb5a09dc5ca97ddbcd5b8bc21a9fb529 100644
+--- a/ui/views/bubble/bubble_dialog_delegate_view.cc
++++ b/ui/views/bubble/bubble_dialog_delegate_view.cc
+@@ -318,6 +318,13 @@ class BubbleDialogDelegate::AnchorWidgetObserver : public WidgetObserver,
+       owner_->OnAnchorBoundsChanged();
+     }
+   }
++
++  // If the native window is closed by the OS, OnWidgetDestroying() won't
++  // fire. Instead, OnWindowDestroying() will fire before aura::Window
++  // destruction. See //docs/ui/views/widget_destruction.md.
++  void OnWindowDestroying(aura::Window* window) override {
++    window_observation_.Reset();
++  }
+ #endif
+
+  private: