Merging internal commits for release/8.0#11787
Merged
gpaskaleva-msft merged 10 commits intoJul 17, 2026
Merged
Conversation
…ernal/release/8.0 Resolves mirror conflict for branch release/8.0 (GitHub → AzDO internal). Ref: #11677 Commits being merged: - b9fef20 Update branding to 8.0.29 (#11685) - 6e3dff9 Update dependencies from dotnet/arcade build 20260528.3 (#11676) ---- #### AI description (iteration 1) #### PR Classification Dependency version update and internal branch merge to update toolset packages and increment the patch version. #### PR Summary This pull request merges changes from release/8.0 into internal/release/8.0, updating Microsoft.DotNet.Arcade toolset dependencies and incrementing the patch version. - `eng/Version.Details.xml` and `global.json`: Updated Microsoft.DotNet.Arcade.Sdk, Microsoft.DotNet.CodeAnalysis, Microsoft.DotNet.Helix.Sdk, Microsoft.DotNet.ApiCompat, and Microsoft.DotNet.GenAPI from version 8.0.0-beta.26224.3 to 8.0.0-beta.26278.3 - `eng/Versions.props`: Incremented PatchVersion from 28 to 29 - `NuGet.config`: Removed temporary darc-int package sources for dotnet-runtime and dotnet-winforms <!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
This PR addresses multiple MSRC-reported security vulnerabilities in WPF's native rendering pipeline by adding bounds checks and overflow protection to prevent out-of-bounds writes and heap corruption. ## Changes ### 1. Pixel Shader bytecode validation **File:** `WpfGfx/core/fxjit/PixelShader/pstrans.cpp` - Reject excessively large shader bytecode (> 1MB) to prevent integer overflow in allocation calculations - Validate sampler register numbers against `PSTR_MAX_TEXTURE_SAMPLERS` before array indexing - Validate input register numbers against `PSTR_MAX_NUMINPUTREG` before use - Validate texture register numbers against `PSTR_MAX_NUMTEXTUREREG` before use - Cap source parameter count at `PSTR_MAX_NUMSRCPARAMS` to prevent OOB writes - Validate sampler stage index before use in texture lookup paths - Gracefully fail with `E_FAIL` instead of corrupting heap memory ### 2. GuidelineCollection heap overflow fix **File:** `WpfGfx/core/common/guidelinecollection.cpp` - Add safe integer multiplication (`UIntMult`/`UIntAdd`) for allocation size calculation in `CSnappingFrame::PushFrame` - Prevents heap corruption when `uCountX + uCountY` would cause `sizeof(float) * uCount * 2` to overflow ### 3. System.Printing gradient band overflow fix **File:** `System.Printing/CPP/src/GDIExporter/gdirt.cpp` - Cap gradient group range to 10,000 in `FillLinearGradient` to prevent integer overflow in band/vertex/index calculations - Returns `E_NOTIMPL` for excessively large gradient ranges ## Opt-out Switches All fixes are gated behind AppContext switches for servicing safety: ## Testing - Validated with crafted malicious pixel shader bytecode PoCs that previously caused OOB heap writes - Verified that well-formed shaders and documents continue to render correctly - Confirmed opt-out switches disable the checks when set ## Risk **Low.** All changes add early-exit validation before existing code paths. No behavioral change for valid inputs. ---- #### AI description (iteration 1) #### PR Classification Security bug fix to add bounds checking and input validation to prevent integer overflow vulnerabilities in WPF pixel shader and printing components. #### PR Summary This PR implements security fixes by adding bounds checking protection to WPF's pixel shader processing and GDI printing to prevent integer overflow attacks. The changes introduce AppContext switches to allow disabling the protection if needed for compatibility. - `pstrans.cpp`: Added validation for bytecode size limits, source parameter counts, register numbers (sampler, input, texture), and token counts to prevent buffer overflows - `guidelinecollection.cpp`: Added integer overflow checks using `UIntMult` and `UIntAdd` for memory allocation size calculations - `gdirt.cpp`: Added maximum gradient group range validation (10000) to prevent integer overflow in gradient band calculations - `PrintingSwitches.h` and `WpfGfxSwitches.h` (via includes): Introduced AppContext switches `Switch.MS.Inte...
This PR addresses multiple vulnerabilities where WPF's restrictive/unsafe XAML loading path could be bypassed, allowing attacker-controlled XAML to instantiate dangerous types (e.g., `ObjectDataProvider` → `Process.Start`) and achieve Remote Code Execution.
## Changes
### 1. Async XamlReader.LoadAsync taint propagation fix
**File:** `System/Windows/Markup/XamlReader.cs`
The synchronous `WpfXamlLoader` propagates `IsUnsafe = true` to nested-load-capable objects (`ResourceDictionary`, `Frame`, `NavigationWindow`) when loaded under `RestrictiveXamlXmlReader`. The asynchronous `LoadAsync` path was missing this propagation, allowing a first-stage async-loaded `ResourceDictionary` to load second-stage unrestricted XAML via its `Source` property.
**Fix:** Add the same taint propagation in `LoadAsync`'s `AfterBeginInitHandler`:
```csharp
if (_textReader is RestrictiveXamlXmlReader && args != null)
{
if (args.Instance is ResourceDictionary rd)
rd.IsUnsafe = true;
else if (args.Instance is Frame frame)
frame.NavigationService.IsUnsafe = true;
else if (args.Instance is NavigationWindow nw)
nw.NavigationService.IsUnsafe = true;
}
```
### 2. FixedPage NavigateUri → NavigationService unsafe taint
**File:** `System/Windows/Navigation/NavigationService.cs`
When navigation originates from a FixedPage element (Path, Canvas, Glyphs, or FixedPage) carrying `FixedPage.NavigateUri`, the target content could be attacker-controlled XAML within an XPS package. The `NavigationService` was not marked as unsafe in this path, allowing the XAML loader to process the content without restrictions.
**Fix:** Detect FixedPage-origin navigation in `OnRequestNavigate` and set `IsUnsafe = true` before the navigation proceeds.
### 3. XAML deserialization bypass in Undo and Clipboard paths
**Files:**
- `MS/Internal/Ink/ClipboardProcessor.cs`
- `System/Windows/Documents/TextTreeDeleteContentUndoUnit.cs`
Both the clipboard paste (InkCanvas) and text undo code paths call `XamlReader.Load` to deserialize stored XAML without the restrictive reader. An attacker who can influence clipboard content or trigger undo of crafted content could instantiate arbitrary types.
**Fix:** Pass `useRestrictiveXamlReader: true` to `XamlReader.Load` in both paths.
## Attack Scenarios Addressed
| Vector | Before | After |
|--------|--------|-------|
| XPS document with Frame → async ResourceDictionary → ObjectDataProvider | RCE | Blocked by restrictive reader |
| XPS FixedPage NavigateUri → attacker XAML part | RCE | Blocked (NavigationService marked unsafe) |
| Clipboard/Undo XAML deserialization with gadget types | RCE | Blocked by restrictive reader |
## Testing
- Validated with PoC: XPS package exploiting async taint gap on .NET 10(previously vulnerable) now blocks payload
- Verified synchronous restrictive path remains unaffected
- Confirmed normal XPS rendering, clipboard, and undo operations continue to work
## Risk
**Low.** The changes enforce the...
…ernal/release/8.0 Resolves mirror conflict for branch release/8.0 (GitHub → AzDO internal). Ref: #11710 ---- #### AI description (iteration 1) #### PR Classification Dependency updates and version increment to resolve mirror conflicts between release branches. #### PR Summary This pull request merges release/8.0 into internal/release/8.0 by updating toolset dependencies and incrementing the patch version number. - **`/eng/Version.Details.xml`**: Updated Microsoft.DotNet.Arcade.Sdk, Microsoft.DotNet.CodeAnalysis, Microsoft.DotNet.Helix.Sdk, Microsoft.DotNet.ApiCompat, and Microsoft.DotNet.GenAPI from version 8.0.0-beta.26224.3 to 8.0.0-beta.26278.3 - **`/eng/Version.Details.xml`**: Updated Microsoft.DotNet.Wpf.DncEng from version 8.0.0-rtm.26253.1 to 8.0.0-rtm.26309.3 - **`/eng/Versions.props`**: Incremented PatchVersion from 28 to 29 - **`/global.json`**: Updated MSBuild SDK versions for Microsoft.DotNet.Arcade.Sdk and Microsoft.DotNet.Helix.Sdk to match Version.Details.xml changes <!-- GitOpsUserAgent=GitOps.Apps.Server.pullrequestcopilot -->
…t-winforms
- Coherency Updates:
- Microsoft.NETCore.Platforms: from 8.0.28-servicing.26264.13 to 8.0.29-servicing.26315.23 (parent: Microsoft.Private.Winforms)
- Microsoft.NETCore.App.Ref: from 8.0.28 to 8.0.29 (parent: Microsoft.Private.Winforms)
- Microsoft.NETCore.App.Runtime.win-x64: from 8.0.28 to 8.0.29 (parent: Microsoft.Private.Winforms)
- VS.Redist.Common.NetCore.SharedFramework.x64.8.0: from 8.0.28-servicing.26264.13 to 8.0.29-servicing.26315.23 (parent: Microsoft.Private.Winforms)
…otnet-winforms build 20260625.2 On relative base path root Microsoft.Dotnet.WinForms.ProjectTemplates , Microsoft.Private.Winforms From Version 8.0.29-servicing.26316.1 -> To Version 8.0.29-servicing.26325.2 System.Drawing.Common From Version 8.0.29 -> To Version 8.0.29 Dependency coherency updates On relative base path root Microsoft.NETCore.Platforms,VS.Redist.Common.NetCore.SharedFramework.x64.8.0 From Version 8.0.29-servicing.26315.23 -> To Version 8.0.29-servicing.26324.3 (parent: Microsoft.Private.Winforms) Microsoft.NETCore.App.Ref,Microsoft.NETCore.App.Runtime.win-x64 From Version 8.0.29 -> To Version 8.0.29 (parent: Microsoft.Private.Winforms) System.Security.Cryptography.Xml From Version 8.0.3 -> To Version 8.0.4 (parent: Microsoft.Private.Winforms)
…ng/internal/dotnet-winforms This pull request updates the following dependencies [marker]: <> (Begin:Coherency Updates) ## Coherency Updates The following updates ensure that dependencies with a *CoherentParentDependency* attribute were produced in a build used as input to the parent dependency's build. See [Dependency Description Format](https://github.com/dotnet/arcade/blob/master/Documentation/DependencyDescriptionFormat.md#dependency-description-overview) [DependencyUpdate]: <> (Begin) - **Coherency Updates**: - **Microsoft.NETCore.Platforms**: from 8.0.29-servicing.26315.23 to 8.0.29-servicing.26324.3 (parent: Microsoft.Private.Winforms) - **Microsoft.NETCore.App.Ref**: from 8.0.29 to 8.0.29 (parent: Microsoft.Private.Winforms) - **Microsoft.NETCore.App.Runtime.win-x64**: from 8.0.29 to 8.0.29 (parent: Microsoft.Private.Winforms) - **VS.Redist.Common.NetCore.SharedFramework.x64.8.0**: from 8.0.29-servicing.26315.23 to 8.0.29-servicing.26324.3 (parent: Microsoft.Private.Winforms) - **System.Security.Cryptography.Xml**: from 8.0.3 to 8.0.4 (parent: Microsoft.Private.Winforms) [DependencyUpdate]: <> (End) [marker]: <> (End:Coherency Updates) [marker]: <> (Begin:0ce99e90-7dcb-4849-5aa3-08dbd5a5c716) ## From https://dev.azure.com/dnceng/internal/_git/dotnet-winforms - **Subscription**: [0ce99e90-7dcb-4849-5aa3-08dbd5a5c716](https://maestro.dot.net/subscriptions?search=0ce99e90-7dcb-4849-5aa3-08dbd5a5c716) - **Build**: [20260625.2](https://dev.azure.com/dnceng/internal/_build/results?buildId=3008190) ([320236](https://maestro.dot.net/channel/3880/azdo:dnceng:internal:dotnet-winforms/build/320236)) - **Date Produced**: June 25, 2026 5:17:41 PM UTC - **Commit**: [997e819eac134e12bc1b2e50d8644d1aadd387d1](https://dev.azure.com/dnceng/internal/_git/dotnet-winforms?_a=history&version=GC997e819eac134e12bc1b2e50d8644d1aadd387d1) - **Branch**: [refs/heads/internal/release/8.0](https://dev.azure.com/dnceng/internal/_git/dotnet-winforms?version=GBrefs/heads/internal/release/8.0) [DependencyUpdate]: <> (Begin) - **Dependency Updates**: - From [8.0.29-servicing.26316.1 to 8.0.29-servicing.26325.2][1] - Microsoft.Dotnet.WinForms.ProjectTemplates - Microsoft.Private.Winforms - From [8.0.29 to 8.0.29][1] - System.Drawing.Common [1]: https://dev.azure.com/dnceng/internal/_git/dotnet-winforms/branches?baseVersion=GCe126432737a0d81e9e6cea3ae9467828ab9529db&targetVersion=GC997e819eac134e12bc1b2e50d8644d1aadd387d1&_a=files [DependencyUpdate]: <> (End) [marker]: <> (End:0ce99e90-7dcb-4849-5aa3-08dbd5a5c716)
…-merge-8.0-2026-07-14-2022
vinnarayana-msft
approved these changes
Jul 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Microsoft Reviewers: Open in CodeFlow