[Backport] CVE-2022-2612: Side-channel information leakage in Keyboard input

Manual cherry-pick of patch originally reviewed on https://chromium-review.googlesource.com/c/chromium/src/+/3707218: DOM Code conversion cleanups Improvements to the DOM Code conversion APIs: - All APIs now accept strings via StringPiece, and return them as std::strings, since almost all callers store returned values in std::strings anyway. - Common contiguous DomCodes (e.g. US_A->US_Z) have their names dynamically generated, rather than requiring a lookup through the table. Some incidental cleanups: - Removed unused code-string to USB & native conversions. - Tidied up comments to group conversions better. (cherry picked from commit 31103fab10169feb448d4d0c18bc73ed946c6628) Bug: 1321350 Change-Id: I67f2603c281fa11d1b4d8dce86f3455a1f7c75c2 Reviewed-by: Matthew Denton <mpdenton@chromium.org> Commit-Queue: Michael Spang <spang@chromium.org> Reviewed-by: Kevin Marshall <kmarshall@chromium.org> Auto-Submit: Wez <wez@chromium.org> Reviewed-by: Michael Spang <spang@chromium.org> Cr-Original-Commit-Position: refs/heads/main@{#1013780} Commit-Queue: Avi Drissman <avi@chromium.org> Reviewed-by: Avi Drissman <avi@chromium.org> Commit-Queue: Wez <wez@chromium.org> Reviewed-by: Wez <wez@chromium.org> Cr-Commit-Position: refs/branch-heads/5112@{#236} Cr-Branched-From: b13d3fe7b3c47a56354ef54b221008afa754412e-refs/heads/main@{#1012729} Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Wez <wez@chromium.org> 2022-06-23 18:56:12 +0000
committer: Michael Brüning <michael.bruning@qt.io> 2022-08-08 15:24:48 +0000
commit: 2e3686e72481396fa8b75187c87d386cf6151be4 (patch)
tree: c2a72ca6fdedb0918a5e9d8ce549658a171b5fbe
parent: 916ffc811be5c59186abe7550e3b3959ec186985 (diff)
download: qtwebengine-chromium-2e3686e72481396fa8b75187c87d386cf6151be4.tar.gz
2 files changed, 43 insertions, 45 deletions
diff --git a/chromium/ui/events/keycodes/dom/keycode_converter.cc b/chromium/ui/events/keycodes/dom/keycode_converter.cc
index 99bc1a1c625..fcd39d413bc 100644
--- a/chromium/ui/events/keycodes/dom/keycode_converter.cc
+++ b/chromium/ui/events/keycodes/dom/keycode_converter.cc
@@ -6,6 +6,7 @@
 
 #include "base/cxx17_backports.h"
 #include "base/logging.h"
+#include "base/strings/stringprintf.h"
 #include "base/strings/utf_string_conversion_utils.h"
 #include "build/build_config.h"
 #include "ui/events/keycodes/dom/dom_code.h"
@@ -233,7 +234,7 @@ KeyboardCode KeycodeConverter::MapPositionalDomCodeToUSShortcutKey(
 #endif
 
 // static
-DomCode KeycodeConverter::CodeStringToDomCode(const std::string& code) {
+DomCode KeycodeConverter::CodeStringToDomCode(base::StringPiece code) {
   if (code.empty())
     return DomCode::NONE;
   for (auto& mapping : kDomCodeMappings) {
@@ -246,9 +247,29 @@ DomCode KeycodeConverter::CodeStringToDomCode(const std::string& code) {
 }
 
 // static
-const char* KeycodeConverter::DomCodeToCodeString(DomCode dom_code) {
+std::string KeycodeConverter::DomCodeToCodeString(DomCode dom_code) {
+  const auto usb_keycode = static_cast<uint32_t>(dom_code);
+
+  // Generate some continuous runs of codes, rather than looking them up.
+  if (dom_code >= DomCode::US_A && dom_code <= DomCode::US_Z) {
+    const int index = usb_keycode - static_cast<uint32_t>(DomCode::US_A);
+    return base::StringPrintf("Key%c", 'A' + index);
+  } else if (dom_code >= DomCode::DIGIT1 && dom_code <= DomCode::DIGIT0) {
+    const int index = usb_keycode - static_cast<uint32_t>(DomCode::DIGIT1);
+    return base::StringPrintf("Digit%d", (index + 1) % 10);
+  } else if (dom_code >= DomCode::NUMPAD1 && dom_code <= DomCode::NUMPAD0) {
+    const int index = usb_keycode - static_cast<uint32_t>(DomCode::NUMPAD1);
+    return base::StringPrintf("Numpad%d", (index + 1) % 10);
+  } else if (dom_code >= DomCode::F1 && dom_code <= DomCode::F12) {
+    const int index = usb_keycode - static_cast<uint32_t>(DomCode::F1);
+    return base::StringPrintf("F%d", index + 1);
+  } else if (dom_code >= DomCode::F13 && dom_code <= DomCode::F24) {
+    const int index = usb_keycode - static_cast<uint32_t>(DomCode::F13);
+    return base::StringPrintf("F%d", index + 13);
+  }
+
   for (auto& mapping : kDomCodeMappings) {
-    if (mapping.usb_keycode == static_cast<uint32_t>(dom_code)) {
+    if (mapping.usb_keycode == usb_keycode) {
       if (mapping.code)
         return mapping.code;
       break;
@@ -307,7 +328,7 @@ DomKeyLocation KeycodeConverter::DomCodeToLocation(DomCode dom_code) {
 }
 
 // static
-DomKey KeycodeConverter::KeyStringToDomKey(const std::string& key) {
+DomKey KeycodeConverter::KeyStringToDomKey(base::StringPiece key) {
   if (key.empty())
     return DomKey::NONE;
   // Check for standard key names.
@@ -325,12 +346,12 @@ DomKey KeycodeConverter::KeyStringToDomKey(const std::string& key) {
   }
   // Otherwise, if the string contains a single Unicode character,
   // the key value is that character.
+  const auto key_length = static_cast<int32_t>(key.length());
   int32_t char_index = 0;
   uint32_t character;
-  if (base::ReadUnicodeCharacter(key.c_str(),
-                                 static_cast<int32_t>(key.length()),
-                                 &char_index, &character) &&
-      key[++char_index] == 0) {
+  if (base::ReadUnicodeCharacter(key.data(), key_length, &char_index,
+                                 &character) &&
+      ++char_index == key_length) {
     return DomKey::FromCharacter(character);
   }
   return DomKey::NONE;
@@ -449,22 +470,4 @@ uint32_t KeycodeConverter::DomCodeToUsbKeycode(DomCode dom_code) {
   return InvalidUsbKeycode();
 }
 
-// static
-uint32_t KeycodeConverter::CodeStringToUsbKeycode(const std::string& code) {
-  if (code.empty())
-    return InvalidUsbKeycode();
-
-  for (auto& mapping : kDomCodeMappings) {
-    if (mapping.code && code == mapping.code) {
-      return mapping.usb_keycode;
-    }
-  }
-  return InvalidUsbKeycode();
-}
-
-// static
-int KeycodeConverter::CodeStringToNativeKeycode(const std::string& code) {
-  return UsbKeycodeToNativeKeycode(CodeStringToUsbKeycode(code));
-}
-
 }  // namespace ui
diff --git a/chromium/ui/events/keycodes/dom/keycode_converter.h b/chromium/ui/events/keycodes/dom/keycode_converter.h
index 852237481ea..5f3474dd968 100644
--- a/chromium/ui/events/keycodes/dom/keycode_converter.h
+++ b/chromium/ui/events/keycodes/dom/keycode_converter.h
@@ -9,6 +9,7 @@
 #include <stdint.h>
 #include <string>
 
+#include "base/strings/string_piece.h"
 #include "build/build_config.h"
 #include "ui/events/keycodes/dom/dom_key.h"
 
@@ -91,11 +92,11 @@ class KeycodeConverter {
   static KeyboardCode MapPositionalDomCodeToUSShortcutKey(DomCode code);
 #endif
 
-  // Convert a UI Events |code| string value into a DomCode.
-  static DomCode CodeStringToDomCode(const std::string& code);
-
-  // Convert a DomCode into a UI Events |code| string value.
-  static const char* DomCodeToCodeString(DomCode dom_code);
+  // Conversion between DOM Code string and DomCode enum values.
+  // Returns the invalid value if the supplied code is not recognized,
+  // or has no mapping.
+  static DomCode CodeStringToDomCode(base::StringPiece code);
+  static std::string DomCodeToCodeString(DomCode dom_code);
 
   // Return the DomKeyLocation of a DomCode. The DomKeyLocation distinguishes
   // keys with the same meaning, and therefore the same DomKey or non-located
@@ -108,10 +109,10 @@ class KeycodeConverter {
   // - a key name from http://www.w3.org/TR/DOM-Level-3-Events-key/, or
   // - a single Unicode character (represented in UTF-8).
   // Returns DomKey::NONE for other inputs, including |nullptr|.
-  static DomKey KeyStringToDomKey(const std::string& key);
+  static DomKey KeyStringToDomKey(base::StringPiece key);
 
   // Convert a DomKey into a UI Events |key| string value.
-  // For an invalid DomKey, returns an empty string.
+  // Returns an empty string for invalid DomKey values.
   static std::string DomKeyToKeyString(DomKey dom_key);
 
   // Returns true if the DomKey is a modifier.
@@ -128,24 +129,18 @@ class KeycodeConverter {
   // Return the value that identifies an invalid USB keycode.
   static uint32_t InvalidUsbKeycode();
 
-  // Convert a USB keycode into an equivalent platform native keycode.
+  // Conversion between USB keycode and native keycode values.
+  // Returns the invalid value if the supplied code is not recognized,
+  // or has no mapping.
   static int UsbKeycodeToNativeKeycode(uint32_t usb_keycode);
-
-  // Convert a platform native keycode into an equivalent USB keycode.
   static uint32_t NativeKeycodeToUsbKeycode(int native_keycode);
 
-  // Convert a USB keycode into a DomCode.
+  // Conversion between USB keycode and DomCode values.
+  // Returns the "invalid" value if the supplied key code is not
+  // recognized.
   static DomCode UsbKeycodeToDomCode(uint32_t usb_keycode);
-
-  // Convert a DomCode into a USB keycode.
   static uint32_t DomCodeToUsbKeycode(DomCode dom_code);
 
-  // Convert a UI Event |code| string into a USB keycode value.
-  static uint32_t CodeStringToUsbKeycode(const std::string& code);
-
-  // Convert a UI Event |code| string into a native keycode.
-  static int CodeStringToNativeKeycode(const std::string& code);
-
   // Static methods to support testing.
   static size_t NumKeycodeMapEntriesForTest();
   static const KeycodeMapEntry* GetKeycodeMapForTest();
author	Wez <wez@chromium.org>	2022-06-23 18:56:12 +0000
committer	Michael Brüning <michael.bruning@qt.io>	2022-08-08 15:24:48 +0000
commit	2e3686e72481396fa8b75187c87d386cf6151be4 (patch)
tree	c2a72ca6fdedb0918a5e9d8ce549658a171b5fbe
parent	916ffc811be5c59186abe7550e3b3959ec186985 (diff)
download	qtwebengine-chromium-2e3686e72481396fa8b75187c87d386cf6151be4.tar.gz