From 360844281a45dc6eb17168e5330c4bfd2df73ebc Mon Sep 17 00:00:00 2001
From: Michael Weiss <dev.primeos@gmail.com>
Date: Wed, 31 Aug 2022 00:59:36 +0200
Subject: [PATCH 1/2] chromium: 104.0.5112.101 -> 105.0.5195.52

https://chromereleases.googleblog.com/2022/08/stable-channel-update-for-desktop_30.html

This update includes 24 security fixes.

CVEs:
CVE-2022-3038 CVE-2022-3039 CVE-2022-3040 CVE-2022-3041 CVE-2022-3042
CVE-2022-3043 CVE-2022-3044 CVE-2022-3045 CVE-2022-3046 CVE-2022-3047
CVE-2022-3048 CVE-2022-3049 CVE-2022-3050 CVE-2022-3051 CVE-2022-3052
CVE-2022-3053 CVE-2022-3054 CVE-2022-3055 CVE-2022-3056 CVE-2022-3057
CVE-2022-3058
---
 .../browsers/chromium/upstream-info.json      | 20 +++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/pkgs/applications/networking/browsers/chromium/upstream-info.json b/pkgs/applications/networking/browsers/chromium/upstream-info.json
index bbdb3b3a929..b5361e24afb 100644
--- a/pkgs/applications/networking/browsers/chromium/upstream-info.json
+++ b/pkgs/applications/networking/browsers/chromium/upstream-info.json
@@ -1,21 +1,21 @@
 {
   "stable": {
-    "version": "104.0.5112.101",
-    "sha256": "0nrghgngxdn9richjnxii9y94dg5zpwc3gd3vx609r4xaphibw30",
-    "sha256bin64": "1cj2mi3g5wl376wc52jgqg28h7izbsqm2gji526zkhmgb7rwq4sw",
+    "version": "105.0.5195.52",
+    "sha256": "0hkwjilzy0x28knm6nrkywnsmldhz4kgpnxka2iaghihkjzb4wfw",
+    "sha256bin64": "12wn4vrwakazdcf5wh4m7m5iws8wb30d2vsw128ynq31skmazkn4",
     "deps": {
       "gn": {
-        "version": "2022-06-08",
+        "version": "2022-07-11",
         "url": "https://gn.googlesource.com/gn",
-        "rev": "2ecd43a10266bd091c98e6dcde507c64f6a0dad3",
-        "sha256": "1q06vsz9b4bb764wy1wy8n177z2pgpm97kq3rl1hmq185mz5fhra"
+        "rev": "9ef321772ecc161937db69acb346397e0ccc484d",
+        "sha256": "0j85kgf8c1psys6kfsq5mph8n80hcbzhr7d2blqiiysmjj0wc6ng"
       }
     },
     "chromedriver": {
-      "version": "104.0.5112.79",
-      "sha256_linux": "1naxi6pa5l9ciwzlqimcwqfjsqzyqndg1i0hp6zwh20wfvcfms3w",
-      "sha256_darwin": "0lgls8vsv31apgxjvksqaaiqj78q5v3bs0mnrxhfbw7cbhf6wxk5",
-      "sha256_darwin_aarch64": "11rjqdd65zibhb1gvdwy0slcdpvwh77mkhcj5hdg4hdlysd1a3a2"
+      "version": "105.0.5195.19",
+      "sha256_linux": "0v0dxzd6kal420xpqchyfm7q96caf19mr46lmq3pg0a374wwg9cw",
+      "sha256_darwin": "09dqqv9dnvbqw0dh99953w9l6n2wnplqrf3620apwsjg2krkbaif",
+      "sha256_darwin_aarch64": "01d8di1cmh2ai18k8ly3730vksb1yib7q7wjbk7wkd7wq33gqdcc"
     }
   },
   "beta": {

From d932886d6ea5b4e5bf07247e54c29f77b9b69a20 Mon Sep 17 00:00:00 2001
From: Michael Weiss <dev.primeos@gmail.com>
Date: Fri, 2 Sep 2022 00:45:51 +0200
Subject: [PATCH 2/2] chromium: Fix the build

The build was failing with the following error:
```
[18950/51180] SOLINK ./libvk_swiftshader.sotls_transport_interface/dtls_transport_interface.omputils.o[K.otch.oos.oKx/unbundle:default)fault)ault)
FAILED: libvk_swiftshader.so libvk_swiftshader.so.TOC
python3 "../../build/toolchain/gcc_solink_wrapper.py" --readelf="readelf" --nm="nm"  --sofile="./libvk_swiftshader.so" --tocfile="./libvk_swiftshader.so.TOC" --output="./libvk_swiftshader.so" -- clang++ -shared -Wl,-soname="libvk_swiftshader.so" -Wl,-Bsymbolic -Wl,--version-script=../../third_party/swiftshader/src/Vulkan/vk_swiftshader.lds -fuse-ld=lld -Wl,--fatal-warnings -Wl,--build-id=sha1 -fPIC -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,--icf=all -Wl,--color-diagnostics -Wl,-mllvm,-instcombine-lower-dbg-declare=0 -flto=thin -Wl,--thinlto-jobs=all -Wl,--thinlto-cache-dir=thinlto-cache -Wl,--thinlto-cache-policy=cache_size=10\%:cache_size_bytes=40g:cache_size_files=100000 -Wl,-mllvm,-import-instr-limit=30 -fwhole-program-vtables -Wl,--no-call-graph-profile-sort -m64 -no-canonical-prefixes -Wl,-O2 -Wl,--gc-sections -rdynamic -Wl,-z,defs -Wl,--as-needed -nostdlib++ -Wl,--lto-O0 -fsanitize=cfi-vcall -fsanitize=cfi-icall -o "./libvk_swiftshader.so" @"./libvk_swiftshader.so.rsp"
ld.lld: error: unable to find library -l:libffi_pic.a
clang++: error: linker command failed with exit code 1 (use -v to see invocation)
```

This turned out to be a regression from b6b51374fc7. That change was
bad/undesirable in the first place and I only applied it to quickly fix
another build error caused by incompatible wayland-protocols header
files from a newer system version (Chromium bundles version 1.21 while
we already package 1.26).

The better fix for that wayland-protocols build issue is to pull in a
patch that is already used/tested by the Arch package [0] and seems to
originate from [1] (not sure if that patch was formally submitted yet).

Alternatives to that patch would be to (we should probably first try the
first approach if need be):
1) Build with wayland-protocols 1.21 from the system (by overriding the
   Nixpkgs package).
2) Dynamically link against libffi by patching [2] to use the other
   branch (`default_toolchain == "//build/toolchain/cros:target"`).

Some additional details can be found in the GitHub PR [3].
Huge thanks to Lorenz Brun for his great analysis that enabled me to fix
the build so that we can finally merge the update to Chromium M105
(which contains many important security fixes!).

[0]: https://github.com/archlinux/svntogit-packages/commit/a353833a5a731abfaa465b658f61894a516aa49b
[1]: https://bugs.chromium.org/p/angleproject/issues/detail?id=7582#c1
[2]: https://source.chromium.org/chromium/chromium/src/+/refs/tags/105.0.5195.52:build/config/linux/libffi/BUILD.gn
[3]: https://github.com/NixOS/nixpkgs/pull/189033

Co-Authored-By: Lorenz Brun <lorenz@brun.one>
---
 .../networking/browsers/chromium/common.nix   |  9 +++--
 .../angle-wayland-include-protocol.patch      | 38 +++++++++++++++++++
 2 files changed, 43 insertions(+), 4 deletions(-)
 create mode 100644 pkgs/applications/networking/browsers/chromium/patches/angle-wayland-include-protocol.patch

diff --git a/pkgs/applications/networking/browsers/chromium/common.nix b/pkgs/applications/networking/browsers/chromium/common.nix
index 1bad824b4e5..5a3c9271789 100644
--- a/pkgs/applications/networking/browsers/chromium/common.nix
+++ b/pkgs/applications/networking/browsers/chromium/common.nix
@@ -160,6 +160,11 @@ let
       ./patches/no-build-timestamps.patch
       # For bundling Widevine (DRM), might be replaceable via bundle_widevine_cdm=true in gnFlags:
       ./patches/widevine-79.patch
+    ] ++ optionals (chromiumVersionAtLeast "105") [
+      # Required to fix the build with a more recent wayland-protocols version
+      # (we currently package 1.26 in Nixpkgs while Chromium bundles 1.21):
+      # Source: https://bugs.chromium.org/p/angleproject/issues/detail?id=7582#c1
+      ./patches/angle-wayland-include-protocol.patch
     ];
 
     postPatch = ''
@@ -289,10 +294,6 @@ let
       rtc_use_pipewire = true;
       # Disable PGO because the profile data requires a newer compiler version (LLVM 14 isn't sufficient):
       chrome_pgo_phase = 0;
-    } // optionalAttrs (chromiumVersionAtLeast "105") {
-      # https://bugs.chromium.org/p/chromium/issues/detail?id=1334390:
-      use_system_libwayland = false;
-      use_system_wayland_scanner = false;
     } // optionalAttrs proprietaryCodecs {
       # enable support for the H.264 codec
       proprietary_codecs = true;
diff --git a/pkgs/applications/networking/browsers/chromium/patches/angle-wayland-include-protocol.patch b/pkgs/applications/networking/browsers/chromium/patches/angle-wayland-include-protocol.patch
new file mode 100644
index 00000000000..424da9d2911
--- /dev/null
+++ b/pkgs/applications/networking/browsers/chromium/patches/angle-wayland-include-protocol.patch
@@ -0,0 +1,38 @@
+diff -upr a/third_party/angle/BUILD.gn b/third_party/angle/BUILD.gn
+--- a/third_party/angle/BUILD.gn	2022-08-17 19:38:11.000000000 +0000
++++ b/third_party/angle/BUILD.gn	2022-08-18 11:04:09.061751111 +0000
+@@ -489,6 +489,12 @@ config("angle_vulkan_wayland_config") {
+   if (angle_enable_vulkan && angle_use_wayland &&
+       defined(vulkan_wayland_include_dirs)) {
+     include_dirs = vulkan_wayland_include_dirs
++  } else if (angle_enable_vulkan && angle_use_wayland) {
++    include_dirs = [
++      "$wayland_gn_dir/src/src",
++      "$wayland_gn_dir/include/src",
++      "$wayland_gn_dir/include/protocol",
++    ]
+   }
+ }
+ 
+@@ -1073,6 +1079,7 @@ if (angle_use_wayland) {
+     include_dirs = [
+       "$wayland_dir/egl",
+       "$wayland_dir/src",
++      "$wayland_gn_dir/include/protocol",
+     ]
+   }
+ 
+diff -upr a/third_party/angle/src/third_party/volk/BUILD.gn b/third_party/angle/src/third_party/volk/BUILD.gn
+--- a/third_party/angle/src/third_party/volk/BUILD.gn	2022-08-17 19:38:12.000000000 +0000
++++ b/third_party/angle/src/third_party/volk/BUILD.gn	2022-08-18 11:04:36.499828006 +0000
+@@ -21,6 +21,9 @@ source_set("volk") {
+   configs += [ "$angle_root:angle_no_cfi_icall" ]
+   public_deps = [ "$angle_vulkan_headers_dir:vulkan_headers" ]
+   if (angle_use_wayland) {
+-    include_dirs = [ "$wayland_dir/src" ]
++    include_dirs = [
++      "$wayland_dir/src",
++      "$wayland_gn_dir/include/protocol",
++    ]
+   }
+ }